core: add "tls-ca-path" option

Some organizations will want to use private Certificate Authorities to serve content to their clients. While it's possible to add the CA to the system-wide CA store, that has two drawbacks: 1) Compromise of that cert means it can be used for other web traffic 2) All of ca-certificates is trusted This patch allows a much stronger scenario where *only* the CAs in tls-ca-path are used for verification from the given repository. https://bugzilla.gnome.org/show_bug.cgi?id=726256
2014-06-26 19:39:26 -04:00 · 2014-06-26 19:39:26 -04:00 · f60bac45fd
parent e8f508ac6b
commit f60bac45fd
4 changed files with 34 additions and 0 deletions
--- a/doc/ostree.repo-config.xml
+++ b/doc/ostree.repo-config.xml
@ -152,6 +152,11 @@ Boston, MA 02111-1307, USA.
        <term><varname>tls-client-key-path</varname></term>
        <listitem><para>Path to file containing client-side certificate key, to present when making requests to this repository.</para></listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><varname>tls-ca-path</varname></term>
+        <listitem><para>Path to file containing trusted anchors instead of the system CA database.</para></listitem>
+      </varlistentry>
    </variablelist>

  </refsect1>
--- a/src/libostree/ostree-fetcher.c
+++ b/src/libostree/ostree-fetcher.c
@ -233,6 +233,16 @@ _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
    }
 }

+void
+_ostree_fetcher_set_tls_database (OstreeFetcher *self,
+                                  GTlsDatabase  *db)
+{
+  if (db)
+    g_object_set ((GObject*)self->session, "tls-database", db, NULL);
+  else
+    g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", TRUE, NULL);
+}
+
 static void
 on_request_sent (GObject        *object, GAsyncResult   *result, gpointer        user_data);

--- a/src/libostree/ostree-fetcher.h
+++ b/src/libostree/ostree-fetcher.h
@ -57,6 +57,9 @@ OstreeFetcher *_ostree_fetcher_new (GFile                     *tmpdir,
 void _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
                                     GTlsCertificate *cert);

+void _ostree_fetcher_set_tls_database (OstreeFetcher *self,
+                                       GTlsDatabase *db);
+
 char * _ostree_fetcher_query_state_text (OstreeFetcher              *self);

 guint64 _ostree_fetcher_bytes_transferred (OstreeFetcher       *self);
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@ -1129,6 +1129,22 @@ ostree_repo_pull (OstreeRepo               *self,
      }
  }

+  {
+    gs_free char *tls_ca_path = NULL;
+    gs_unref_object GTlsDatabase *db = NULL;
+
+    if (!ot_keyfile_get_value_with_default (config, remote_key,
+                                            "tls-ca-path",
+                                            NULL, &tls_ca_path, error))
+      goto out;
+
+    db = g_tls_file_database_new (tls_ca_path, error);
+    if (!db)
+      goto out;
+
+    _ostree_fetcher_set_tls_database (pull_data->fetcher, db);
+  }
+
  if (!pull_data->base_uri)
    {
      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,