From cae4e785be149467095897e7b0e18ba7d4d60b50 Mon Sep 17 00:00:00 2001
From: Roxie Linden <roxie@lindenlab.com>
Date: Tue, 18 May 2010 22:18:54 -0700
Subject: Allow update of the default CAs on install

---
 indra/newview/llsechandler_basic.cpp | 45 ++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

(limited to 'indra/newview')

diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index df55ccf142..edf5ce9b60 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -585,6 +585,11 @@ LLBasicCertificateStore::LLBasicCertificateStore(const std::string& filename)
 void LLBasicCertificateStore::load_from_file(const std::string& filename)
 {
 	// scan the PEM file extracting each certificate
+	if (!LLFile::isfile(filename))
+	{
+		return;
+	}
+	
 	BIO* file_bio = BIO_new(BIO_s_file());
 	if(file_bio)
 	{
@@ -1148,30 +1153,26 @@ void LLSecAPIBasicHandler::init()
 															"bin_conf.dat");	
 		std::string store_file = gDirUtilp->getExpandedFilename(LL_PATH_USER_SETTINGS,
 														"CA.pem");
-		// copy the CA file to a user writable location so we can manipulate it.
-		// for this provider, by using a user writable file, there is a risk that
-		// an attacking program can modify the file, but OS dependent providers
-		// will reduce that risk.
-		// by using a user file, modifications will be limited to one user if
-		// we read-only the main file
-		if (!LLFile::isfile(store_file))
-		{
-
-			std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
-			llifstream ca_file(ca_file_path.c_str(), llifstream::binary | llifstream::in);
-			llofstream copied_store_file(store_file.c_str(), llofstream::binary | llofstream::out);
-
-			while(!ca_file.fail())
-			{
-				char buffer[BUFFER_READ_SIZE];
-				ca_file.read(buffer, sizeof(buffer));
-				copied_store_file.write(buffer, ca_file.gcount());
-			}
-			ca_file.close();
-			copied_store_file.close();
-		}
+		
+		
 		LL_INFOS("SECAPI") << "Loading certificate store from " << store_file << LL_ENDL;
 		mStore = new LLBasicCertificateStore(store_file);
+		
+		// grab the application CA.pem file that contains the well-known certs shipped
+		// with the product
+		std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
+		llinfos << "app path " << ca_file_path << llendl;
+		LLBasicCertificateStore app_ca_store = LLBasicCertificateStore(ca_file_path);	
+		
+		// push the applicate CA files into the store, therefore adding any new CA certs that 
+		// updated
+		for(LLCertificateVector::iterator i = app_ca_store.begin();
+			i != app_ca_store.end();
+			i++)
+		{
+			mStore->add(*i);
+		}
+		
 	}
 	_readProtectedData(); // initialize mProtectedDataMap
 						  // may throw LLProtectedDataException if saved datamap is not decryptable
-- 
cgit v1.2.3