[gnome-keyring] Use a single ca certificates file by default
- From: Stefan Walter <stefw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-keyring] Use a single ca certificates file by default
- Date: Thu, 9 Feb 2012 20:23:26 +0000 (UTC)
commit de327ab6ea69bbecf4b9ee9f3ff2c38da76817f0
Author: Stef Walter <stefw collabora co uk>
Date: Thu Feb 9 10:33:01 2012 +0100
Use a single ca certificates file by default
* Defaults to either /etc/pki/tls/certs/ca-bundle.crt or
/etc/ssl/certs/ca-certificates.crt like glib-networking
* Also like glib-networking a different file can be specified
with --with-ca-certificates=/path/to/file
* To disable root CA list, use --with-ca-certificates=no
* As before, a full directory of certificate files can still
be specified with: --with-root-certs=/etc/ssl/certs
configure.ac | 55 ++++++++++++++++----------
daemon/gkd-pkcs11.c | 2 -
pkcs11/roots-store/gkm-roots-module.c | 69 ++++++++++++++++++++++++---------
3 files changed, 84 insertions(+), 42 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index 5e38e0d..fd734eb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,34 +365,47 @@ AM_CONDITIONAL(WITH_GPG, test "$enable_gpg_agent" != "no")
#
AC_MSG_CHECKING([location of system Certificate Authority list])
+
AC_ARG_WITH(root-certs,
- [AC_HELP_STRING([--with-root-certs=@<:@path@:>@],
- [path to system Certificate Authority list])])
-if test "$with_root_certs" = "no"; then
- AC_MSG_RESULT([disabled])
- root_status="none"
- with_root_certs="no"
+ [AC_HELP_STRING([--with-root-certs=@<:@path@:>@],
+ [directory for system Certificate Authorities])])
+
+AC_ARG_WITH(ca-certificates,
+ [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+ [file for system Certificate Authorities])])
+
+# Explicitly disabled root certificate authority list
+if test "$with_root_certs" = "no" -o "$with_ca_certificates" = "no"; then
+ root_status="disabled"
+
+# A directory specified for the root certificate authority list
+elif test -n "$with_root_certs"; then
+ AC_DEFINE_UNQUOTED(ROOT_CA_DIRECTORY, ["$with_root_certs"], [Directory path for CA list])
+ root_status="directory: $with_root_certs"
+
+# A file specified for the root certificate list
+elif test -n "$with_ca_certificates"; then
+ AC_DEFINE_UNQUOTED(ROOT_CA_FILE, ["$with_ca_certificates"], [File path for CA list])
+ root_status="file: $with_ca_certificates"
+
+# Automatically find certificate authority list
else
- if test -z "$with_root_certs"; then
- for f in /etc/pki/tls/certs /etc/ssl/certs; do
- if test -d "$f"; then
- with_root_certs="$f"
- fi
- done
- if test -z "$with_root_certs"; then
- AC_MSG_ERROR([could not find. Use --with-root-certs=path to set, or --without-root-certs to disable])
+ for f in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-certificates.crt; do
+ if test -f "$f"; then
+ with_ca_certificates="$f"
fi
+ done
+ if test -z "$with_ca_certificates"; then
+ AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
fi
- AC_MSG_RESULT($with_root_certs)
- if ! test -d "$with_root_certs"; then
- AC_MSG_ERROR([No such directory '$with_root_certs'. Use --with-root-certs=path to set, or --without-root-certs to disable])
- fi
-
- root_status="yes ($with_root_certs)"
- AC_DEFINE_UNQUOTED([ROOT_CERTIFICATES], ["$with_root_certs"], [path to system Certificate Authority list])
+ AC_DEFINE_UNQUOTED(ROOT_CA_FILE, ["$with_ca_certificates"], [File path for CA list])
+ root_status="file: $with_ca_certificates"
fi
+AC_MSG_RESULT(["$root_status"])
+
# --------------------------------------------------------------------
# libgcrypt
#
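Review bot: The two explicit-path branches (`elif test -n "$with_root_certs"` and `elif test -n "$with_ca_certificates"`) define ROOT_CA_DIRECTORY/ROOT_CA_FILE without checking that the path exists, whereas the removed code rejected a missing directory with AC_MSG_ERROR; a typo in the option now yields a daemon whose roots store watches a nonexistent path and exposes no trust anchors, with nothing in the build to say so. Suggest restoring the check in each branch: `test -d "$with_root_certs" || AC_MSG_ERROR([No such directory '$with_root_certs'])` and `test -f "$with_ca_certificates" || AC_MSG_ERROR([No such file '$with_ca_certificates'])`. The auto-detect loop also keeps the last match rather than the first, so on a system with both files /etc/ssl/certs/ca-certificates.crt wins; if the listed order is meant as a preference, add `break` after the assignment. The `-o` operator in the disable test is obsolescent in POSIX `test`; two separate `test` calls joined with `||` are more portable.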
diff --git a/daemon/gkd-pkcs11.c b/daemon/gkd-pkcs11.c
index 9cc7717..2e46742 100644
--- a/daemon/gkd-pkcs11.c
+++ b/daemon/gkd-pkcs11.c
@@ -92,9 +92,7 @@ gkd_pkcs11_initialize (void)
/* Add all of those into the wrapper layer */
gkm_wrap_layer_add_module (ssh_store);
-#ifdef ROOT_CERTIFICATES
gkm_wrap_layer_add_module (roots_store);
-#endif
gkm_wrap_layer_add_module (secret_store);
gkm_wrap_layer_add_module (gnome2_store);
gkm_wrap_layer_add_module (xdg_store);
diff --git a/pkcs11/roots-store/gkm-roots-module.c b/pkcs11/roots-store/gkm-roots-module.c
index e337623..a36c15b 100644
--- a/pkcs11/roots-store/gkm-roots-module.c
+++ b/pkcs11/roots-store/gkm-roots-module.c
@@ -36,9 +36,10 @@
struct _GkmRootsModule {
GkmModule parent;
- GkmFileTracker *tracker;
GHashTable *certificates;
- gchar *directory;
+ GkmFileTracker *tracker;
+ gboolean is_directory;
+ gchar *path;
};
static const CK_SLOT_INFO gkm_roots_module_slot_info = {
@@ -266,8 +267,14 @@ gkm_roots_module_real_parse_argument (GkmModule *base, const gchar *name, const
{
GkmRootsModule *self = GKM_ROOTS_MODULE (base);
if (g_str_equal (name, "directory")) {
- g_free (self->directory);
- self->directory = g_strdup (value);
+ g_free (self->path);
+ self->path = g_strdup (value);
+ self->is_directory = TRUE;
+
+ } else if (g_str_equal (name, "file")) {
+ g_free (self->path);
+ self->path = g_strdup (value);
+ self->is_directory = FALSE;
}
}
@@ -280,37 +287,61 @@ gkm_roots_module_real_refresh_token (GkmModule *base)
return CKR_OK;
}
-static GObject*
-gkm_roots_module_constructor (GType type, guint n_props, GObjectConstructParam *props)
+static void
+gkm_roots_module_constructed (GObject *obj)
{
- GkmRootsModule *self = GKM_ROOTS_MODULE (G_OBJECT_CLASS (gkm_roots_module_parent_class)->constructor(type, n_props, props));
+ GkmRootsModule *self;
+ const gchar *exclude;
GkmManager *manager;
+ gchar *directory;
+ gchar *basename;
+
+ G_OBJECT_CLASS (gkm_roots_module_parent_class)->constructed (obj);
- g_return_val_if_fail (self, NULL);
+ self = GKM_ROOTS_MODULE (obj);
-#ifdef ROOT_CERTIFICATES
- if (!self->directory)
- self->directory = g_strdup (ROOT_CERTIFICATES);
+#ifdef ROOT_CA_FILE
+ if (!self->path) {
+ self->path = g_strdup (ROOT_CA_FILE);
+ self->is_directory = FALSE;
+ }
#endif
- if (self->directory) {
- self->tracker = gkm_file_tracker_new (self->directory, "*", "*.0");
+#ifdef ROOT_CA_DIRECTORY
+ if (!self->path) {
+ self->path = g_strdup (ROOT_CA_DIRECTORY);
+ self->is_directory = TRUE;
+ }
+#endif
+
+ if (self->path) {
+ if (self->is_directory) {
+ directory = g_strdup (self->path);
+ basename = g_strdup ("*");
+ exclude = "*.0";
+ } else {
+ directory = g_path_get_dirname (self->path);
+ basename = g_path_get_basename (self->path);
+ exclude = NULL;
+ }
+
+ self->tracker = gkm_file_tracker_new (directory, basename, exclude);
g_signal_connect (self->tracker, "file-added", G_CALLBACK (file_load), self);
g_signal_connect (self->tracker, "file-changed", G_CALLBACK (file_load), self);
g_signal_connect (self->tracker, "file-removed", G_CALLBACK (file_remove), self);
+
+ g_free (directory);
+ g_free (basename);
}
manager = gkm_module_get_manager (GKM_MODULE (self));
gkm_manager_add_property_index (manager, "unique", TRUE);
gkm_manager_add_property_index (manager, "path", FALSE);
-
- return G_OBJECT (self);
}
static void
gkm_roots_module_init (GkmRootsModule *self)
{
self->certificates = g_hash_table_new_full (g_direct_hash, g_direct_equal, g_object_unref, NULL);
-
}
static void
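Review bot: In the file branch of gkm_roots_module_constructed the bundle is handed to the same `file_load` callback the directory mode used for one-certificate-per-file trees, so unless `file_load` already iterates over every PEM block in a concatenated bundle (not visible in this hunk — confirm), only the first root in ca-certificates.crt would be exposed and the trust store would be silently near-empty. The basename is also passed to `gkm_file_tracker_new` in the argument the directory branch fills with the glob `"*"`; if that argument is matched as a pattern, a configured file name containing `*`, `?` or `[` would track the wrong files, so either escape it or document that the path must be glob-free. A header comment would help readers: `/* Track either a single CA bundle file (ROOT_CA_FILE / "file=") or a directory of per-certificate files (ROOT_CA_DIRECTORY / "directory="); an explicit module argument overrides the compiled-in default. */`.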
@@ -337,8 +368,8 @@ gkm_roots_module_finalize (GObject *obj)
g_hash_table_destroy (self->certificates);
self->certificates = NULL;
- g_free (self->directory);
- self->directory = NULL;
+ g_free (self->path);
+ self->path = NULL;
G_OBJECT_CLASS (gkm_roots_module_parent_class)->finalize (obj);
}
@@ -349,7 +380,7 @@ gkm_roots_module_class_init (GkmRootsModuleClass *klass)
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
GkmModuleClass *module_class = GKM_MODULE_CLASS (klass);
- gobject_class->constructor = gkm_roots_module_constructor;
+ gobject_class->constructed = gkm_roots_module_constructed;
gobject_class->dispose = gkm_roots_module_dispose;
gobject_class->finalize = gkm_roots_module_finalize;