authorColin Walters <walters@verbum.org>2014-06-26 19:39:26 -0400
committerColin Walters <walters@verbum.org>2014-06-27 13:16:47 -0400
commitf60bac45fdf9e9b1b8f663f859ffdee190f2fd0c (patch)
treedf499738793f519cf7570154ad0020873f9d11e3
parente8f508ac6b9c055b58bb1cae412061d224ee0add (diff)
core: add "tls-ca-path" option
Some organizations will want to use private Certificate Authorities to serve content to their clients. While it's possible to add the CA to the system-wide CA store, that has two drawbacks: 1) compromise of that cert means it can be used for other web traffic; 2) all of ca-certificates is trusted. This patch allows a much stronger scenario where *only* the CAs in tls-ca-path are used for verification from the given repository. https://bugzilla.gnome.org/show_bug.cgi?id=726256
-rw-r--r--doc/ostree.repo-config.xml5
-rw-r--r--src/libostree/ostree-fetcher.c10
-rw-r--r--src/libostree/ostree-fetcher.h3
-rw-r--r--src/libostree/ostree-repo-pull.c16
4 files changed, 34 insertions, 0 deletions
diff --git a/doc/ostree.repo-config.xml b/doc/ostree.repo-config.xml
index 621879c9..bbacdd08 100644
--- a/doc/ostree.repo-config.xml
+++ b/doc/ostree.repo-config.xml
@@ -152,6 +152,11 @@ Boston, MA 02111-1307, USA.
<term><varname>tls-client-key-path</varname></term>
<listitem><para>Path to file containing client-side certificate key, to present when making requests to this repository.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>tls-ca-path</varname></term>
+ <listitem><para>Path to file containing trusted anchors instead of the system CA database.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/libostree/ostree-fetcher.c b/src/libostree/ostree-fetcher.c
index 6172a91f..b6dc761f 100644
--- a/src/libostree/ostree-fetcher.c
+++ b/src/libostree/ostree-fetcher.c
@@ -233,6 +233,16 @@ _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
}
}
+void
+_ostree_fetcher_set_tls_database (OstreeFetcher *self,
+ GTlsDatabase *db)
+{
+ if (db)
+ g_object_set ((GObject*)self->session, "tls-database", db, NULL);
+ else
+ g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", TRUE, NULL);
+}
+
static void
on_request_sent (GObject *object, GAsyncResult *result, gpointer user_data);
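Review bot: The new `_ostree_fetcher_set_tls_database` names its first parameter `self` while the neighbouring setter `_ostree_fetcher_set_client_cert` (visible in the hunk header) calls it `fetcher`; one name across the fetcher setters reads better, and the same inconsistency is repeated in the declaration added to ostree-fetcher.h. The setter also carries no comment, and its NULL branch is the only thing that tells a reader what the fallback is, so a short header comment would help, e.g. `/* Make @db the trust store used to verify TLS peers on this session; NULL reverts to the system CA file. */`, mirrored on the header declaration. The setter is complete within the hunk; the two context lines above it are the tail of `_ostree_fetcher_set_client_cert`, whose body starts outside the hunk.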
diff --git a/src/libostree/ostree-fetcher.h b/src/libostree/ostree-fetcher.h
index 0288392f..850d3178 100644
--- a/src/libostree/ostree-fetcher.h
+++ b/src/libostree/ostree-fetcher.h
@@ -57,6 +57,9 @@ OstreeFetcher *_ostree_fetcher_new (GFile *tmpdir,
void _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
GTlsCertificate *cert);
+void _ostree_fetcher_set_tls_database (OstreeFetcher *self,
+ GTlsDatabase *db);
+
char * _ostree_fetcher_query_state_text (OstreeFetcher *self);
guint64 _ostree_fetcher_bytes_transferred (OstreeFetcher *self);
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 837e5561..7d3ad262 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -1129,6 +1129,22 @@ ostree_repo_pull (OstreeRepo *self,
}
}
+ {
+ gs_free char *tls_ca_path = NULL;
+ gs_unref_object GTlsDatabase *db = NULL;
+
+ if (!ot_keyfile_get_value_with_default (config, remote_key,
+ "tls-ca-path",
+ NULL, &tls_ca_path, error))
+ goto out;
+
+ db = g_tls_file_database_new (tls_ca_path, error);
+ if (!db)
+ goto out;
+
+ _ostree_fetcher_set_tls_database (pull_data->fetcher, db);
+ }
+
if (!pull_data->base_uri)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
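Review bot: When a remote has no `tls-ca-path` key, the `ot_keyfile_get_value_with_default` call with a NULL default leaves `tls_ca_path` NULL, and the next statement still calls `g_tls_file_database_new (tls_ca_path, error)` unconditionally; GLib does not document a NULL anchors path as meaning "use the system store", so every pull from a remote that does not set this key would presumably fail (or trip a critical) instead of keeping the default trust database. Wrapping the three lines from `db = g_tls_file_database_new (tls_ca_path, error);` through `_ostree_fetcher_set_tls_database (pull_data->fetcher, db);` in `if (tls_ca_path) { ... }` preserves the previous behaviour for unconfigured remotes and still makes the configured CA set the only one used. As written the NULL branch of `_ostree_fetcher_set_tls_database` is also unreachable from this caller, since `db` is never NULL by the time it is passed. `ostree_repo_pull` begins well before this hunk and continues after it.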