p3dcert now uses compiled-in ca_bundle_data as well

direct/src/p3d/coreapi.pdef

@@ -71,9 +71,3 @@ class p3dcert(package):
     config(display_name = "Authorization Dialog")
 
     file('p3dcert.exe')
-
-    # Also add the certificate authority file.
-    cvar = ConfigVariableFilename('ca-bundle-filename')
-    filename = Filename(cvar.getValue())
-    if not filename.empty():
-        file(filename, newName = 'ca-bundle.crt', extract = True)

direct/src/plugin/p3dCert.cxx

@@ -16,6 +16,8 @@
 #include "wx/cmdline.h"
 #include "wx/filename.h"
 
+#include "ca_bundle_data_src.c"
+         
 #ifdef __WXMAC__
 #include <Carbon/Carbon.h>
 extern "C" { void CPSEnableForegroundOperation(ProcessSerialNumber* psn); }
@@ -359,25 +361,8 @@ verify_cert() {
   X509_STORE *store = X509_STORE_new();
   X509_STORE_set_default_paths(store);
 
-  // Find the ca-bundle.crt.
+  // Add in the well-known certificate authorities.
-  char *p3dcert_root = getenv("P3DCERT_ROOT");
+  load_certificates_from_der_ram(store, (const char *)ca_bundle_data, ca_bundle_data_len);
-  if (p3dcert_root != NULL) {
-    wxString ca_filename(p3dcert_root, wxConvUTF8);
-    ca_filename += wxT("/ca-bundle.crt");
-    
-    // Read the trusted certificates.
-    FILE *fp = fopen(ca_filename.mb_str(), "r");
-    if (fp == NULL) {
-      cerr << "Couldn't read " << ca_filename.mb_str() << "\n";
-    } else {
-      X509 *c = PEM_read_X509(fp, NULL, NULL, (void *)"");
-      while (c != NULL) {
-        X509_STORE_add_cert(store, c);
-        c = PEM_read_X509(fp, NULL, NULL, (void *)"");
-      }
-      fclose(fp);
-    }
-  }
 
   // Create the X509_STORE_CTX for verifying the cert and chain.
   X509_STORE_CTX *ctx = X509_STORE_CTX_new();
@@ -398,6 +383,44 @@ verify_cert() {
        << ", verify_result = " << _verify_result << "\n";
 }
 
+////////////////////////////////////////////////////////////////////
+//     Function: AuthDialog::load_certificates_from_der_ram
+//       Access: Public
+//  Description: Reads a chain of trusted certificates from the
+//               indicated data buffer and adds them to the X509_STORE
+//               object.  The data buffer should be DER-formatted.
+//               Returns the number of certificates read on success,
+//               or 0 on failure.
+//
+//               You should call this only with trusted,
+//               locally-stored certificates; not with certificates
+//               received from an untrusted source.
+////////////////////////////////////////////////////////////////////
+int AuthDialog::
+load_certificates_from_der_ram(X509_STORE *store,
+                               const char *data, size_t data_size) {
+  int count = 0;
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+  // Beginning in 0.9.8, d2i_X509() accepted a const unsigned char **.
+  const unsigned char *bp, *bp_end;
+#else
+  // Prior to 0.9.8, d2i_X509() accepted an unsigned char **.
+  unsigned char *bp, *bp_end;
+#endif
+
+  bp = (unsigned char *)data;
+  bp_end = bp + data_size;
+  X509 *x509 = d2i_X509(NULL, &bp, bp_end - bp);
+  while (x509 != NULL) {
+    X509_STORE_add_cert(store, x509);
+    ++count;
+    x509 = d2i_X509(NULL, &bp, bp_end - bp);
+  }
+
+  return count;
+}
+
 ////////////////////////////////////////////////////////////////////
 //     Function: AuthDialog::layout
 //       Access: Private

direct/src/plugin/p3dCert.h

@@ -69,6 +69,8 @@ private:
   void read_cert_file(const wxString &cert_filename);
   void get_friendly_name();
   void verify_cert();
+  int load_certificates_from_der_ram(X509_STORE *store,
+                                     const char *data, size_t data_size);
 
   void layout();
   void get_text(wxString &header, wxString &text);