authorBertrand SIMONNET <bsimonnet@google.com>2015-11-25 15:36:51 -0800
committerBertrand SIMONNET <bsimonnet@google.com>2015-11-30 10:29:34 -0800
commitbccdc4c4dc25412608064edbfec302e733a28937 (patch)
treefeaf77839d1c5a7392b71cae41bafebe1c92dec9
parentb6a5c6113b0b7ae947c5a1729d4b9d08287a83e2 (diff)
libbrillo: Use the restricted certificates.
Instead of using the default CA certificates, libbrillo should use the restricted list of certificates installed in /system/etc/security/cacerts_google. Bug: 25797832 Test: manual: Enable the verbose mode of libcurl. * The certificates used are correct. * POSTing to a google server works. * POSTing to a CA in the default CA list but not in the restricted list fails on the certificate verification step. Test: manual: The ledflasher example works. Change-Id: If3b836a2fa461ba3103e05c60e5630c8c919d1f3
-rw-r--r--brillo/http/http_transport_curl.cc2
-rw-r--r--brillo/streams/tls_stream.cc2
2 files changed, 2 insertions, 2 deletions
diff --git a/brillo/http/http_transport_curl.cc b/brillo/http/http_transport_curl.cc
index 048429e..e2f314a 100644
--- a/brillo/http/http_transport_curl.cc
+++ b/brillo/http/http_transport_curl.cc
@@ -17,7 +17,7 @@ namespace {
const char kCACertificatePath[] =
#ifdef __ANDROID__
- "/system/etc/security/cacerts";
+ "/system/etc/security/cacerts_google";
#else
"/usr/share/brillo-ca-certificates";
#endif
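Review bot: kCACertificatePath is defined separately here and in brillo/streams/tls_stream.cc, so the trust-anchor directory has to be edited in both files to stay consistent. The non-Android branches already differ (`/usr/share/brillo-ca-certificates` here, `/usr/share/chromeos-ca-certificates` there). If one copy is later changed without the other, one transport would silently validate peers against a different CA set than the other. Consider moving the constant into a shared internal header. Failing that, add a comment above this definition, which currently has none, such as `// Restricted CA directory (not the default system store); keep in sync with brillo/streams/tls_stream.cc.`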
diff --git a/brillo/streams/tls_stream.cc b/brillo/streams/tls_stream.cc
index 70d1e13..f82db1a 100644
--- a/brillo/streams/tls_stream.cc
+++ b/brillo/streams/tls_stream.cc
@@ -58,7 +58,7 @@ int ssl_ctx_private_data_index = -1;
// Default trusted certificate store location.
const char kCACertificatePath[] =
#ifdef __ANDROID__
- "/system/etc/security/cacerts";
+ "/system/etc/security/cacerts_google";
#else
"/usr/share/chromeos-ca-certificates";
#endif
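Review bot: The comment `// Default trusted certificate store location.` above the constant no longer describes the Android branch, which now points at the restricted list instead of the default store. Something like `// Trusted CA directory; on Android this is the restricted list, not /system/etc/security/cacerts.` would keep a later reader from changing it back. The code that loads this path is outside the hunk, so it is worth confirming that a missing or empty `cacerts_google` directory makes certificate verification fail, not fall back to a library default store. The commit message lists only manual tests, so an automated negative test against a CA outside the restricted list would guard against regressions.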