[ostree] core: add "tls-ca-path" option



commit f60bac45fdf9e9b1b8f663f859ffdee190f2fd0c
Author: Colin Walters <walters verbum org>
Date:   Thu Jun 26 19:39:26 2014 -0400

    core: add "tls-ca-path" option
    
    Some organizations will want to use private Certificate Authorities to
    serve content to their clients.  While it's possible to add the CA
    to the system-wide CA store, that has two drawbacks:
    
    1) Compromise of that cert means it can be used for other web traffic
    2) All of ca-certificates is trusted
    
    This patch allows a much stronger scenario where *only* the CAs in
    tls-ca-path are used for verification from the given repository.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=726256

 doc/ostree.repo-config.xml       |    5 +++++
 src/libostree/ostree-fetcher.c   |   10 ++++++++++
 src/libostree/ostree-fetcher.h   |    3 +++
 src/libostree/ostree-repo-pull.c |   16 ++++++++++++++++
 4 files changed, 34 insertions(+), 0 deletions(-)
---
diff --git a/doc/ostree.repo-config.xml b/doc/ostree.repo-config.xml
index 621879c..bbacdd0 100644
--- a/doc/ostree.repo-config.xml
+++ b/doc/ostree.repo-config.xml
@@ -152,6 +152,11 @@ Boston, MA 02111-1307, USA.
         <term><varname>tls-client-key-path</varname></term>
         <listitem><para>Path to file containing client-side certificate key, to present when making requests 
to this repository.</para></listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>tls-ca-path</varname></term>
+        <listitem><para>Path to file containing trusted anchors instead of the system CA 
database.</para></listitem>
+      </varlistentry>
     </variablelist>
 
   </refsect1>
diff --git a/src/libostree/ostree-fetcher.c b/src/libostree/ostree-fetcher.c
index 6172a91..b6dc761 100644
--- a/src/libostree/ostree-fetcher.c
+++ b/src/libostree/ostree-fetcher.c
@@ -233,6 +233,16 @@ _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
     }
 }
 
+void
+_ostree_fetcher_set_tls_database (OstreeFetcher *self,
+                                  GTlsDatabase  *db)
+{
+  if (db)
+    g_object_set ((GObject*)self->session, "tls-database", db, NULL);
+  else
+    g_object_set ((GObject*)self->session, "ssl-use-system-ca-file", TRUE, NULL);
+}
+
 static void
 on_request_sent (GObject        *object, GAsyncResult   *result, gpointer        user_data);
 
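Review bot: `_ostree_fetcher_set_tls_database` carries no comment stating what its two branches mean, and its first parameter is named `self` while the sibling `_ostree_fetcher_set_client_cert` immediately above uses `fetcher`. I would add above the definition `/* Restrict TLS verification to the anchors in @db; a NULL @db re-enables the system CA store. */` and rename the parameter to match the neighbouring setter. The caller added in ostree-repo-pull.c by this same commit never passes NULL, so the `else` branch is unreachable from it as written. Whether the session is also configured to reject peers that fail verification is not visible in this hunk, and the "only the CAs in tls-ca-path are used" guarantee in the commit message depends on that as much as on which database is installed.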
diff --git a/src/libostree/ostree-fetcher.h b/src/libostree/ostree-fetcher.h
index 0288392..850d317 100644
--- a/src/libostree/ostree-fetcher.h
+++ b/src/libostree/ostree-fetcher.h
@@ -57,6 +57,9 @@ OstreeFetcher *_ostree_fetcher_new (GFile                     *tmpdir,
 void _ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
                                      GTlsCertificate *cert);
 
+void _ostree_fetcher_set_tls_database (OstreeFetcher *self,
+                                       GTlsDatabase *db);
+
 char * _ostree_fetcher_query_state_text (OstreeFetcher              *self);
 
 guint64 _ostree_fetcher_bytes_transferred (OstreeFetcher       *self);
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 837e556..7d3ad26 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -1129,6 +1129,22 @@ ostree_repo_pull (OstreeRepo               *self,
       }
   }
 
+  {
+    gs_free char *tls_ca_path = NULL;
+    gs_unref_object GTlsDatabase *db = NULL;
+
+    if (!ot_keyfile_get_value_with_default (config, remote_key,
+                                            "tls-ca-path",
+                                            NULL, &tls_ca_path, error))
+      goto out;
+
+    db = g_tls_file_database_new (tls_ca_path, error);
+    if (!db)
+      goto out;
+
+    _ostree_fetcher_set_tls_database (pull_data->fetcher, db);
+  }
+
   if (!pull_data->base_uri)
     {
       g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
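Review bot: `g_tls_file_database_new` is called with `tls_ca_path` even when the remote has no `tls-ca-path` key, because `ot_keyfile_get_value_with_default` is given a NULL default; if the GLib backend rejects a NULL anchors path (a NULL return with an error, or a critical), every pull from a remote that does not set the option fails at this point. Guard the database creation and the setter on the value: `if (tls_ca_path) { db = g_tls_file_database_new (tls_ca_path, error); if (!db) goto out; _ostree_fetcher_set_tls_database (pull_data->fetcher, db); }`, which also gives the fetcher's NULL-database branch a caller. `ostree_repo_pull` begins and ends outside the hunk.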

