Getting CA certificates into the registry

Juan Lang juan.lang at gmail.com
Wed Jul 25 11:20:36 CDT 2007 

(Apologies if you get this twice - I wasn't subscribed to wine-devel
on this account, and apparently it didn't get moderated through.)

Folks, I'm hoping for feedback on how to get CA certificates into
Wine's registry.  We'll need them in order to verify signatures on
things.  A number of apps depend on this [1].

We have a few choices:
1. Include them in a .inf file and install them with wine.  There are
two problems with this that I see:  Signatures are opaque (asn.1
encoded) and thus hard to verify, and there's a potential maintenance
hassle.  It's by far the simplest though.

2. We search for certificates installed locally and import them into
the registry.  The trouble with this is that different distros, and
even different versions of the same distro, install them in different
locations.  There are also usually several potential sources on the
same machine, installed by different apps, and it's not clear which
certs are meant to be trusted and which are not.  (For example, there
are several "example" certs installed on my system, and I can identify
them as such, but a tool would not be able to tell the difference.)
We could write a script that checks in several likely locations, but
that seems dangerous:  one of those locations might inadvertently be
world-writable, so an attacker could possibly put untrustworthy
certificates there.
2.a. We write a tool to import local certs, but make you specify the
path.  Ugly, but punts the problem to the user.

3. We do what the distros do: get the certificates from Mozilla's CVS,
and munge them into the right format.  (Google for mkcabundle.pl)
This is similar to what we do for the unicode tables, but it does
introduce a dependency on CVS (or perhaps wget from a web CVS front
end.)

I suppose I should mention there's another option:
4. We don't load certs in Wine at all, and don't implement certificate
chain verification, but dynamically load openssl or gnutls and ask
them to do it for us.  I don't think this is simpler than the
alternatives, as I've already put a fair amount of work into crypt32,
but if none of the other options is acceptable I can look into it.

I'd very much appreciate feedback on which option seems the best, or,
most likely to get committed ;)  Thanks,
--Juan

[1] Here's a partial list - there are more:
Bug 5423, AOL AIM won't install, http://bugs.winehq.org/show_bug.cgi?id=5423
Bug 7892, iTunes startup, http://bugs.winehq.org/show_bug.cgi?id=7892
Bug 8870, Outlook can't open signed messages,
http://bugs.winehq.org/show_bug.cgi?id=8870

More information about the wine-devel mailing list