[gnome-keyring] Use a single ca certificates file by default



commit de327ab6ea69bbecf4b9ee9f3ff2c38da76817f0
Author: Stef Walter <stefw collabora co uk>
Date:   Thu Feb 9 10:33:01 2012 +0100

    Use a single ca certificates file by default
    
     * Defaults to either /etc/pki/tls/certs/ca-bundle.crt or
       /etc/ssl/certs/ca-certificates.crt like glib-networking
     * Also like glib-networking a different file can be specified
       with --with-ca-certificates=/path/to/file
     * To disable root CA list, use --with-ca-certificates=no
     * As before a full directory of certificate files can still
       be specified with: --with-root-certs=/etc/ssl/certs

 configure.ac                          |   55 ++++++++++++++++----------
 daemon/gkd-pkcs11.c                   |    2 -
 pkcs11/roots-store/gkm-roots-module.c |   69 ++++++++++++++++++++++++---------
 3 files changed, 84 insertions(+), 42 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index 5e38e0d..fd734eb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,34 +365,47 @@ AM_CONDITIONAL(WITH_GPG, test "$enable_gpg_agent" != "no")
 #
 
 AC_MSG_CHECKING([location of system Certificate Authority list])
+
 AC_ARG_WITH(root-certs,
-		[AC_HELP_STRING([--with-root-certs=@<:@path@:>@],
-			[path to system Certificate Authority list])])
-if test "$with_root_certs" = "no"; then
-	AC_MSG_RESULT([disabled])
-	root_status="none"
-	with_root_certs="no"
+            [AC_HELP_STRING([--with-root-certs=@<:@path@:>@],
+                            [directory for system Certificate Authorities])])
+
+AC_ARG_WITH(ca-certificates,
+            [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+                            [file for system Certificate Authorities])])
+
+# Explicitly disabled root certificate authority list
+if test "$with_root_certs" = "no" -o "$with_ca_certificates" = "no"; then
+	root_status="disabled"
+
+# A directory specified for the root certificate authority list
+elif test -n "$with_root_certs"; then
+	AC_DEFINE_UNQUOTED(ROOT_CA_DIRECTORY, ["$with_root_certs"], [Directory path for CA list])
+	root_status="directory: $with_root_certs"
+
+# A file specified for the root certificate list
+elif test -n "$with_ca_certificates"; then
+	AC_DEFINE_UNQUOTED(ROOT_CA_FILE, ["$with_ca_certificates"], [File path for CA list])
+	root_status="file: $with_ca_certificates"
+
+# Automatically find certificate authority list
 else
-	if test -z "$with_root_certs"; then
-		for f in /etc/pki/tls/certs /etc/ssl/certs; do
-			if test -d "$f"; then
-				with_root_certs="$f"
-			fi
-		done
-		if test -z "$with_root_certs"; then
-			AC_MSG_ERROR([could not find. Use --with-root-certs=path to set, or --without-root-certs to disable])
+	for f in /etc/pki/tls/certs/ca-bundle.crt \
+	         /etc/ssl/certs/ca-certificates.crt; do
+		if test -f "$f"; then
+			with_ca_certificates="$f"
 		fi
+	done
+	if test -z "$with_ca_certificates"; then
+		AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
 	fi
 
-	AC_MSG_RESULT($with_root_certs)
-	if ! test -d "$with_root_certs"; then
-		AC_MSG_ERROR([No such directory '$with_root_certs'. Use --with-root-certs=path to set, or --without-root-certs to disable])
-	fi
-
-	root_status="yes ($with_root_certs)"
-	AC_DEFINE_UNQUOTED([ROOT_CERTIFICATES], ["$with_root_certs"], [path to system Certificate Authority list])
+	AC_DEFINE_UNQUOTED(ROOT_CA_FILE, ["$with_ca_certificates"], [File path for CA list])
+	root_status="file: $with_ca_certificates"
 fi
 
+AC_MSG_RESULT(["$root_status"])
+
 # --------------------------------------------------------------------
 # libgcrypt
 #
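Review bot: The explicit `--with-root-certs=PATH` and `--with-ca-certificates=PATH` branches define ROOT_CA_DIRECTORY/ROOT_CA_FILE without checking that the path exists, whereas the removed code rejected a missing directory with AC_MSG_ERROR; a mistyped path now configures cleanly and the daemon's roots token ends up empty, a silent loss of every trust anchor. Restore the check in the directory branch, `if ! test -d "$with_root_certs"; then AC_MSG_ERROR([No such directory '$with_root_certs']); fi`, and add the `test -f` equivalent in the file branch. In the autodetect loop there is no `break`, so the last existing candidate wins and a system with both bundles gets /etc/ssl/certs/ca-certificates.crt; if the first listed candidate is meant to take priority, add `break` after the assignment. Also `AC_MSG_RESULT(["$root_status"])` echoes the literal double quotes because the brackets already quote; `AC_MSG_RESULT([$root_status])` is enough.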
diff --git a/daemon/gkd-pkcs11.c b/daemon/gkd-pkcs11.c
index 9cc7717..2e46742 100644
--- a/daemon/gkd-pkcs11.c
+++ b/daemon/gkd-pkcs11.c
@@ -92,9 +92,7 @@ gkd_pkcs11_initialize (void)
 
 	/* Add all of those into the wrapper layer */
 	gkm_wrap_layer_add_module (ssh_store);
-#ifdef ROOT_CERTIFICATES
 	gkm_wrap_layer_add_module (roots_store);
-#endif
 	gkm_wrap_layer_add_module (secret_store);
 	gkm_wrap_layer_add_module (gnome2_store);
 	gkm_wrap_layer_add_module (xdg_store);
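Review bot: With the `#ifdef ROOT_CERTIFICATES` guard gone, roots_store is registered in the wrapper layer even when the build was configured with --with-ca-certificates=no, in which case gkm-roots-module.c creates no file tracker and `self->tracker` stays NULL. Every path in that module that touches the tracker (refresh_token and dispose lie outside this diff) must therefore tolerate NULL, which is worth stating at the call site: `/* roots_store is always registered; with no CA path configured it exposes an empty token */`. gkd_pkcs11_initialize starts and ends outside the hunk.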
diff --git a/pkcs11/roots-store/gkm-roots-module.c b/pkcs11/roots-store/gkm-roots-module.c
index e337623..a36c15b 100644
--- a/pkcs11/roots-store/gkm-roots-module.c
+++ b/pkcs11/roots-store/gkm-roots-module.c
@@ -36,9 +36,10 @@
 
 struct _GkmRootsModule {
 	GkmModule parent;
-	GkmFileTracker *tracker;
 	GHashTable *certificates;
-	gchar *directory;
+	GkmFileTracker *tracker;
+	gboolean is_directory;
+	gchar *path;
 };
 
 static const CK_SLOT_INFO gkm_roots_module_slot_info = {
@@ -266,8 +267,14 @@ gkm_roots_module_real_parse_argument (GkmModule *base, const gchar *name, const
 {
 	GkmRootsModule *self = GKM_ROOTS_MODULE (base);
 	if (g_str_equal (name, "directory")) {
-		g_free (self->directory);
-		self->directory = g_strdup (value);
+		g_free (self->path);
+		self->path = g_strdup (value);
+		self->is_directory = TRUE;
+
+	} else if (g_str_equal (name, "file")) {
+		g_free (self->path);
+		self->path = g_strdup (value);
+		self->is_directory = FALSE;
 	}
 }
 
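Review bot: Both the "directory" and the "file" branch overwrite `self->path`, so a caller that passes both arguments gets whichever was parsed last, with `is_directory` following it, and nothing documents that. A one-line comment above the first branch, `/* "file" and "directory" are mutually exclusive; the last one parsed wins */`, records the contract. gkm_roots_module_real_parse_argument's signature is on the hunk header line.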
@@ -280,37 +287,61 @@ gkm_roots_module_real_refresh_token (GkmModule *base)
 	return CKR_OK;
 }
 
-static GObject*
-gkm_roots_module_constructor (GType type, guint n_props, GObjectConstructParam *props)
+static void
+gkm_roots_module_constructed (GObject *obj)
 {
-	GkmRootsModule *self = GKM_ROOTS_MODULE (G_OBJECT_CLASS (gkm_roots_module_parent_class)->constructor(type, n_props, props));
+	GkmRootsModule *self;
+	const gchar *exclude;
 	GkmManager *manager;
+	gchar *directory;
+	gchar *basename;
+
+	G_OBJECT_CLASS (gkm_roots_module_parent_class)->constructed (obj);
 
-	g_return_val_if_fail (self, NULL);
+	self = GKM_ROOTS_MODULE (obj);
 
-#ifdef ROOT_CERTIFICATES
-	if (!self->directory)
-		self->directory = g_strdup (ROOT_CERTIFICATES);
+#ifdef ROOT_CA_FILE
+	if (!self->path) {
+		self->path = g_strdup (ROOT_CA_FILE);
+		self->is_directory = FALSE;
+	}
 #endif
-	if (self->directory) {
-		self->tracker = gkm_file_tracker_new (self->directory, "*", "*.0");
+#ifdef ROOT_CA_DIRECTORY
+	if (!self->path) {
+		self->path = g_strdup (ROOT_CA_DIRECTORY);
+		self->is_directory = TRUE;
+	}
+#endif
+
+	if (self->path) {
+		if (self->is_directory) {
+			directory = g_strdup (self->path);
+			basename = g_strdup ("*");
+			exclude = "*.0";
+		} else {
+			directory = g_path_get_dirname (self->path);
+			basename = g_path_get_basename (self->path);
+			exclude = NULL;
+		}
+
+		self->tracker = gkm_file_tracker_new (directory, basename, exclude);
 		g_signal_connect (self->tracker, "file-added", G_CALLBACK (file_load), self);
 		g_signal_connect (self->tracker, "file-changed", G_CALLBACK (file_load), self);
 		g_signal_connect (self->tracker, "file-removed", G_CALLBACK (file_remove), self);
+
+		g_free (directory);
+		g_free (basename);
 	}
 
 	manager = gkm_module_get_manager (GKM_MODULE (self));
 	gkm_manager_add_property_index (manager, "unique", TRUE);
 	gkm_manager_add_property_index (manager, "path", FALSE);
-
-	return G_OBJECT (self);
 }
 
 static void
 gkm_roots_module_init (GkmRootsModule *self)
 {
 	self->certificates = g_hash_table_new_full (g_direct_hash, g_direct_equal, g_object_unref, NULL);
-
 }
 
 static void
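Review bot: gkm_roots_module_constructed resolves the CA location by a precedence that is not written down: an explicit "file"/"directory" module argument wins, then ROOT_CA_FILE, then ROOT_CA_DIRECTORY, and with none of them no tracker is created; a comment above the first `#ifdef ROOT_CA_FILE` such as `/* Precedence: path from parse_argument, then ROOT_CA_FILE, then ROOT_CA_DIRECTORY (configure defines at most one); with none, the token stays empty and no tracker is created */` would save the next reader from tracing it. In file mode the tracker is pointed at the bundle's parent directory with the basename as its match argument, so whether a name containing glob characters can match more than the one intended file depends on how gkm_file_tracker_new interprets its second parameter, which is outside this hunk and worth confirming. The switch from a directory of single-certificate files to one concatenated bundle also means file_load (outside the hunk) must read every PEM block in a file rather than only the first; if it does not, all but one anchor is silently dropped, so a test that loads a multi-certificate file is warranted.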
@@ -337,8 +368,8 @@ gkm_roots_module_finalize (GObject *obj)
 	g_hash_table_destroy (self->certificates);
 	self->certificates = NULL;
 
-	g_free (self->directory);
-	self->directory = NULL;
+	g_free (self->path);
+	self->path = NULL;
 
 	G_OBJECT_CLASS (gkm_roots_module_parent_class)->finalize (obj);
 }
@@ -349,7 +380,7 @@ gkm_roots_module_class_init (GkmRootsModuleClass *klass)
 	GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
 	GkmModuleClass *module_class = GKM_MODULE_CLASS (klass);
 
-	gobject_class->constructor = gkm_roots_module_constructor;
+	gobject_class->constructed = gkm_roots_module_constructed;
 	gobject_class->dispose = gkm_roots_module_dispose;
 	gobject_class->finalize = gkm_roots_module_finalize;
 


