[gnome-shell] extensionSystem: Use the system cert list
- From: Jasper St. Pierre <jstpierre src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-shell] extensionSystem: Use the system cert list
- Date: Tue, 13 Sep 2011 21:37:29 +0000 (UTC)
commit fa593a3e1502f9289b961b92229434fc0cfc6dee
Author: Jasper St. Pierre <jstpierre mecheye net>
Date: Mon Sep 12 15:30:02 2011 -0400
extensionSystem: Use the system cert list
libsoup won't check for a valid cert by default, so copy some logic from
glib-networking to check against the system cert list. Additionally, allow a
fallback for developers, ~/.local/share/extensions.gnome.org.crt, for easy
local development of the website.
https://bugzilla.gnome.org/show_bug.cgi?id=658870
configure.ac | 25 +++++++++++++++++++++++++
js/misc/config.js.in | 3 ++-
js/ui/extensionSystem.js | 10 ++++++++++
3 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index f2db9eb..35c567d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -210,6 +210,31 @@ AC_ARG_ENABLE(jhbuild-wrapper-script,
AS_HELP_STRING([--jhbuild-wrapper-script=yes],[Make "gnome-shell" script work for jhbuild]),,enable_jhbuild_wrapper_script=no)
AM_CONDITIONAL(USE_JHBUILD_WRAPPER_SCRIPT, test "x$enable_jhbuild_wrapper_script" = xyes)
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-certificates,
+ [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+ [path to system Certificate Authority list])])
+
+if test "$with_ca_certificates" = "no"; then
+ AC_MSG_RESULT([disabled])
+else
+ if test -z "$with_ca_certificates"; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-certificates.crt; do
+ if test -f "$f"; then
+ with_ca_certificates="$f"
+ fi
+ done
+ if test -z "$with_ca_certificates"; then
+ AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+ fi
+ fi
+
+ AC_MSG_RESULT($with_ca_certificates)
+ AC_DEFINE_UNQUOTED(SHELL_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+fi
+AC_SUBST(SHELL_SYSTEM_CA_FILE,["$with_ca_certificates"])
+
AC_CONFIG_FILES([
Makefile
data/Makefile
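Review bot: With `--without-ca-certificates` the `AC_SUBST(SHELL_SYSTEM_CA_FILE, ...)` placed after the closing `fi` still runs, so config.js receives the literal string `no` and extensionSystem.js assigns it to `ssl_ca_file` as if it were a path. How libsoup treats a CA file it cannot load is not visible on this page, so the disabled build has no defined behaviour: it may reject every certificate, or load a file that happens to be named `no` in the working directory. I would set `with_ca_certificates=""` in the disabled branch and have the JavaScript side skip the assignment and log that certificate checking is off when the value is empty. Going by the commit message, disabling the list presumably leaves extension downloads without certificate validation, and the `--with-ca-certificates` help text should say so.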
diff --git a/js/misc/config.js.in b/js/misc/config.js.in
index 25a0e72..85ab7b5 100644
--- a/js/misc/config.js.in
+++ b/js/misc/config.js.in
@@ -7,4 +7,5 @@ const PACKAGE_VERSION = '@PACKAGE_VERSION@';
const GJS_VERSION = '@GJS_VERSION@';
/* 1 if gnome-bluetooth is available, 0 otherwise */
const HAVE_BLUETOOTH = @HAVE_BLUETOOTH@;
-
+/* The system TLS CA list */
+const SHELL_SYSTEM_CA_FILE = '@SHELL_SYSTEM_CA_FILE@';
diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
index d6e399a..cc2510f 100644
--- a/js/ui/extensionSystem.js
+++ b/js/ui/extensionSystem.js
@@ -44,6 +44,16 @@ const _httpSession = new Soup.SessionAsync();
if (Soup.Session.prototype.add_feature != null)
Soup.Session.prototype.add_feature.call(_httpSession, new Soup.ProxyResolverDefault());
+function _getCertFile() {
+ let localCert = GLib.build_filenamev([global.userdatadir, 'extensions.gnome.org.crt']);
+ if (GLib.file_test(localCert, GLib.FileTest.EXISTS))
+ return localCert;
+ else
+ return Config.SHELL_SYSTEM_CA_FILE;
+}
+
+_httpSession.ssl_ca_file = _getCertFile();
+
// Maps uuid -> metadata object
const extensionMeta = {};
// Maps uuid -> importer object (extension directory tree)
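Review bot: `_getCertFile()` lets a file in the user data directory replace the system CA list in every build, not only developer builds, and nothing records that the override was used. This session appears to be the one that talks to extensions.gnome.org, so the override deserves a comment marking it as a developer-only trust anchor and a log line such as `log('extensionSystem: using local CA override ' + localCert);` before `return localCert;`. `GLib.FileTest.EXISTS` also matches a directory; `GLib.file_test(localCert, GLib.FileTest.IS_REGULAR)` is the tighter test. The commit message names `~/.local/share/extensions.gnome.org.crt` while the code builds the path from `global.userdatadir`; if those are different directories, one of the two should be corrected.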