From fa593a3e1502f9289b961b92229434fc0cfc6dee Mon Sep 17 00:00:00 2001
From: "Jasper St. Pierre"
Date: Mon, 12 Sep 2011 15:30:02 -0400
Subject: [PATCH] extensionSystem: Use the system cert list

libsoup won't check for a valid cert by default, so copy some logic from glib-networking to check against the system cert list. Additionally, allow a fallback for developers, ~/.local/share/extensions.gnome.org.crt, for easy local development of the website.
https://bugzilla.gnome.org/show_bug.cgi?id=658870
---
 configure.ac | 25 +++++++++++++++++++++++++
 js/misc/config.js.in | 3 ++-
 js/ui/extensionSystem.js | 10 ++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index f2db9eb91..35c567d24 100644
--- a/configure.ac
+++ b/configure.ac
@@ -210,6 +210,31 @@ AC_ARG_ENABLE(jhbuild-wrapper-script,
 AS_HELP_STRING([--jhbuild-wrapper-script=yes],[Make "gnome-shell" script work for jhbuild]),,enable_jhbuild_wrapper_script=no)
 AM_CONDITIONAL(USE_JHBUILD_WRAPPER_SCRIPT, test "x$enable_jhbuild_wrapper_script" = xyes)
 
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-certificates,
+ [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+ [path to system Certificate Authority list])])
+
+if test "$with_ca_certificates" = "no"; then
+ AC_MSG_RESULT([disabled])
+else
+ if test -z "$with_ca_certificates"; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-certificates.crt; do
+ if test -f "$f"; then
+ with_ca_certificates="$f"
+ fi
+ done
+ if test -z "$with_ca_certificates"; then
+ AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+ fi
+ fi
+
+ AC_MSG_RESULT($with_ca_certificates)
+ AC_DEFINE_UNQUOTED(SHELL_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+fi
+AC_SUBST(SHELL_SYSTEM_CA_FILE,["$with_ca_certificates"])
+
 AC_CONFIG_FILES([
 Makefile
 data/Makefile
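Review bot: The unconditional `AC_SUBST(SHELL_SYSTEM_CA_FILE,["$with_ca_certificates"])` at the end of this hunk also runs on the disabled path, so a `--without-ca-certificates` build substitutes the literal `no`. `js/misc/config.js.in` then carries `SHELL_SYSTEM_CA_FILE = 'no'`, which the `js/ui/extensionSystem.js` hunk assigns to `ssl_ca_file` as if it were a path. Clearing the variable in the disabled branch, e.g. `with_ca_certificates=""` right after `AC_MSG_RESULT([disabled])`, would give the JS side an empty value it can test for. The `for f in ...` loop also keeps going after a match, so when both bundles exist the second one wins; a `break` after `with_ca_certificates="$f"` makes the choice explicit. A comment above `AC_ARG_WITH` should state that `--without-ca-certificates` is presumably meant to switch off certificate checking for extension downloads, so packagers do not pick it casually.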
diff --git a/js/misc/config.js.in b/js/misc/config.js.in
index 25a0e7287..85ab7b57a 100644
--- a/js/misc/config.js.in
+++ b/js/misc/config.js.in
@@ -7,4 +7,5 @@ const PACKAGE_VERSION = '@PACKAGE_VERSION@';
 const GJS_VERSION = '@GJS_VERSION@';
 /* 1 if gnome-bluetooth is available, 0 otherwise */
 const HAVE_BLUETOOTH = @HAVE_BLUETOOTH@;
-
+/* The system TLS CA list */
+const SHELL_SYSTEM_CA_FILE = '@SHELL_SYSTEM_CA_FILE@';
diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
index d6e399abf..cc2510f23 100644
--- a/js/ui/extensionSystem.js
+++ b/js/ui/extensionSystem.js
@@ -44,6 +44,16 @@ const _httpSession = new Soup.SessionAsync();
 if (Soup.Session.prototype.add_feature != null)
 Soup.Session.prototype.add_feature.call(_httpSession, new Soup.ProxyResolverDefault());
 
+function _getCertFile() {
+ let localCert = GLib.build_filenamev([global.userdatadir, 'extensions.gnome.org.crt']);
+ if (GLib.file_test(localCert, GLib.FileTest.EXISTS))
+ return localCert;
+ else
+ return Config.SHELL_SYSTEM_CA_FILE;
+}
+
+_httpSession.ssl_ca_file = _getCertFile();
+
 // Maps uuid -> metadata object
 const extensionMeta = {};
 // Maps uuid -> importer object (extension directory tree)
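Review bot: `_getCertFile()` lets any file named `extensions.gnome.org.crt` under `global.userdatadir` silently replace the system CA list for `_httpSession`, and nothing records that the override is active. That directory is presumably user-writable, so whatever can write there changes which certificates this session accepts; the override deserves at least a log line such as `log('extensionSystem: using local CA file ' + localCert);` before `return localCert;`, and ideally a developer-only switch. `GLib.FileTest.EXISTS` is also true for a directory, so `GLib.FileTest.IS_REGULAR` is the narrower test. The hunk does not set `ssl_strict`, so rejecting an untrusted certificate relies on libsoup's default, which is worth stating in a comment above the `ssl_ca_file` assignment. The commit message gives the path as `~/.local/share/extensions.gnome.org.crt`; whether that matches `global.userdatadir` is not visible in this hunk.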