From b71416efdc83585c7fbdf265b719e0a65edb3d77 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Thu, 30 Apr 2015 16:17:30 -0400
Subject: [PATCH] security: re-enable ca_list and regenerate it.

The previous commit did not fix the issue properly.
We really need ca_list.pem.
It was not generated when missing (the code that did so had been removed).
This patch re-adds that code and calls it when TLS is initialized
and when a Ring account is registered.

Refs #72156

Change-Id: I39fc773bbf2d23a8975359590d60535287ebedfd
---
 src/ringdht/ringaccount.cpp | 26 +++++++++++++++++++++++++-
 src/ringdht/ringaccount.h   |  2 ++
 src/security/certstore.cpp  |  6 ++++--
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/src/ringdht/ringaccount.cpp b/src/ringdht/ringaccount.cpp
index 4bb7055442..24e756fd4e 100644
--- a/src/ringdht/ringaccount.cpp
+++ b/src/ringdht/ringaccount.cpp
@@ -102,7 +102,7 @@ RingAccount::RingAccount(const std::string& accountID, bool /* presenceEnabled *
     idPath_ = fileutils::get_data_dir()+DIR_SEPARATOR_STR+getAccountID();
     fileutils::check_dir(idPath_.c_str());
     caPath_ = idPath_ + DIR_SEPARATOR_STR "certs";
-    //DEPRECATED? caListPath_ = idPath_ + DIR_SEPARATOR_STR "ca_list.pem";
+    caListPath_ = idPath_ + DIR_SEPARATOR_STR "ca_list.pem";
 }
 
 RingAccount::~RingAccount()
@@ -709,6 +709,7 @@ void RingAccount::doRegister_()
         Manager::instance().registerEventHandler((uintptr_t)this, [this]{ handleEvents(); });
         setRegistrationState(RegistrationState::TRYING);
 
+        regenerateCAList();
         dht_.bootstrap(loadNodes());
         if (!hostname_.empty()) {
             std::stringstream ss(hostname_);
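Review bot: A failure inside the added `regenerateCAList();` call is only logged and registration carries on, so the DHT bootstrap on the next line proceeds with whatever stale or empty ca_list.pem was left on disk. If the TLS setup later reads caListPath_, that is a silent downgrade of the trust anchors rather than a visible error; consider having regenerateCAList() return a bool and, on failure, `setRegistrationState(RegistrationState::ERROR_GENERIC); return;` (or whatever error state this class already uses — the rest of doRegister_ is outside the hunk, so I cannot confirm the exact name). A one-line why-comment such as `// ca_list.pem must exist before any TLS session is negotiated` would also help the next reader, since the list is rebuilt from initTlsConfiguration() as well.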
@@ -1049,6 +1050,7 @@ RingAccount::loadValues() const
 void
 RingAccount::initTlsConfiguration()
 {
+    regenerateCAList();
 }
 
 static std::unique_ptr<gnutls_dh_params_int, decltype(gnutls_dh_params_deinit)&>
@@ -1200,4 +1202,26 @@ RingAccount::sendTrustRequest(const std::string& to)
                       dht::TrustRequest(DHT_TYPE_NS));
 }
 
+void
+RingAccount::regenerateCAList()
+{
+    std::ofstream list(caListPath_, std::ios::trunc | std::ios::binary);
+    if (!list.is_open()) {
+        RING_ERR("Could write CA list");
+        return;
+    }
+
+    {
+        std::ifstream file(tlsCaListFile_, std::ios::binary);
+        list << file.rdbuf();
+    }
+
+    for (const auto& ca : fileutils::readDirectory(caPath_)) {
+        std::ifstream file(ca, std::ios::binary);
+        if (!file)
+            continue;
+        list << file.rdbuf();
+    }
+}
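Review bot: The unconditional `list << file.rdbuf();` on the tlsCaListFile_ stream is a real bug: when that file is unset or unreadable the ifstream is not open, and inserting a streambuf that yields no characters sets failbit on `list`, after which every per-account certificate appended in the loop below is silently discarded and ca_list.pem ends up empty — the exact state the commit is trying to avoid. The same failbit trap applies to an empty file in caPath_, and the final state of `list` is never checked, so write errors go unreported; the message at the top also reads `"Could write CA list"` and should be `"Could not write CA list"`. PEM blocks from files without a trailing newline are glued onto one line, so writing a `'\n'` after each file is safer. Truncating the live file in place also means a TLS handshake that reads it mid-rewrite sees an empty trust list; writing to a temporary path and renaming over caListPath_ would make the update atomic (not shown below, since it depends on the fileutils helpers available here).
```cpp
void
RingAccount::regenerateCAList()
{
    // Rebuild ca_list.pem as the concatenation of the configured system CA
    // list (if any) and every certificate stored under caPath_.
    std::ofstream list(caListPath_, std::ios::trunc | std::ios::binary);
    if (!list.is_open()) {
        RING_ERR("Could not write CA list");
        return;
    }

    {
        std::ifstream file(tlsCaListFile_, std::ios::binary);
        // Only stream an open file: inserting an unopened streambuf sets
        // failbit on `list` and every later append would be dropped.
        if (file)
            list << file.rdbuf();
    }

    for (const auto& ca : fileutils::readDirectory(caPath_)) {
        std::ifstream file(ca, std::ios::binary);
        if (!file)
            continue;
        list << file.rdbuf();
        list.clear(); // an empty cert file sets failbit; don't poison the rest
        list << '\n'; // keep PEM blocks separated even without a trailing newline
    }

    if (!list)
        RING_ERR("Error while writing CA list");
}
```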
+
 } // namespace ring
diff --git a/src/ringdht/ringaccount.h b/src/ringdht/ringaccount.h
index a5dfcaa12d..91f6cae598 100644
--- a/src/ringdht/ringaccount.h
+++ b/src/ringdht/ringaccount.h
@@ -291,6 +291,8 @@ class RingAccount : public SIPAccountBase {
          */
         bool mapPortUPnP();
 
+        void regenerateCAList();
+
         dht::DhtRunner dht_ {};
 
         dht::InfoHash callKey_;
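Review bot: The new `void regenerateCAList();` declaration is the only member in this hunk without a documentation comment, while the neighbouring declaration above it carries a `/** ... */` block. Since this function rewrites a trust-anchor file on disk, it is worth stating that contract where callers look: `/** Rewrite ca_list.pem (caListPath_) from tlsCaListFile_ and the certificates in caPath_. Errors are logged, not reported. */`. If the failure mode is later made visible to callers, the comment should say so rather than promise a void, best-effort call.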
diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp
index 378e1380fb..4dc03b9c8a 100644
--- a/src/security/certstore.cpp
+++ b/src/security/certstore.cpp
@@ -370,7 +370,8 @@ TrustStore::setStoreCertStatus(const crypto::Certificate& crt,
              status == TrustStore::Status::ALLOWED ? "ALLOWED" : "BANNED");
 }
 
-/*
+
+#if 0
 void
 TrustStore::generateCAList(const std::string& out_path)
 {
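Review bot: Replacing the `/* ... */` comment around `TrustStore::generateCAList` with `#if 0` keeps dead code in the tree under a different disguise, which is a style point rather than a functional one: the commit message says the generation logic now lives in RingAccount::regenerateCAList, so this copy will drift from the real one and mislead anyone grepping for the CA list writer. Either delete it outright (git history keeps it) or, if it is intentionally parked, add a one-line reason above it such as `// Superseded by RingAccount::regenerateCAList(); kept until the TrustStore-based variant is decided on.`. The body of generateCAList continues in the next hunk, so the `#if 0` region spans both.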
@@ -380,6 +381,7 @@ TrustStore::generateCAList(const std::string& out_path)
         ss << cert.second.first->toString();
     auto res = ss.str();
     fileutils::saveFile(out_path, {std::begin(res), std::end(res)});
-}*/
+}
+#endif
 
 }} // namespace ring::tls
-- 
GitLab