From 812e3eceddc4d968de4ccec1e5d43d3555d1a27b Mon Sep 17 00:00:00 2001 From: AnotherTest Date: Fri, 30 Oct 2020 11:57:32 +0330 Subject: [PATCH] LibProtocol+LibGemini+LibHTTP: Provide root certificates to LibTLS Now we (almost) verify all the sites we browse. Certificate verification failures should not be unexpected, as the existing CA certificates are likely not complete. --- Libraries/LibGemini/GeminiJob.cpp | 1 + Libraries/LibGemini/GeminiJob.h | 4 +++- Libraries/LibHTTP/HttpsJob.cpp | 1 + Libraries/LibHTTP/HttpsJob.h | 4 +++- Services/ProtocolServer/main.cpp | 5 +++++ 5 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Libraries/LibGemini/GeminiJob.cpp b/Libraries/LibGemini/GeminiJob.cpp index dd5a27dbc4..68464cc102 100644 --- a/Libraries/LibGemini/GeminiJob.cpp +++ b/Libraries/LibGemini/GeminiJob.cpp @@ -39,6 +39,7 @@ void GeminiJob::start() { ASSERT(!m_socket); m_socket = TLS::TLSv12::construct(this); + m_socket->set_root_certificates(m_override_ca_certificates ? *m_override_ca_certificates : DefaultRootCACertificates::the().certificates()); m_socket->on_tls_connected = [this] { #ifdef GEMINIJOB_DEBUG dbg() << "GeminiJob: on_connected callback"; diff --git a/Libraries/LibGemini/GeminiJob.h b/Libraries/LibGemini/GeminiJob.h index aaf744495a..6d14371afc 100644 --- a/Libraries/LibGemini/GeminiJob.h +++ b/Libraries/LibGemini/GeminiJob.h @@ -37,8 +37,9 @@ namespace Gemini { class GeminiJob final : public Job { C_OBJECT(GeminiJob) public: - explicit GeminiJob(const GeminiRequest& request) + explicit GeminiJob(const GeminiRequest& request, const Vector* override_certificates = nullptr) : Job(request) + , m_override_ca_certificates(override_certificates) { } @@ -67,6 +68,7 @@ protected: private: RefPtr m_socket; + const Vector* m_override_ca_certificates { nullptr }; }; } diff --git a/Libraries/LibHTTP/HttpsJob.cpp b/Libraries/LibHTTP/HttpsJob.cpp index 29cd0ac39c..87e4b086e9 100644 --- a/Libraries/LibHTTP/HttpsJob.cpp +++ b/Libraries/LibHTTP/HttpsJob.cpp @@ -40,6 +40,7 @@ void HttpsJob::start() { ASSERT(!m_socket); m_socket = TLS::TLSv12::construct(this); + m_socket->set_root_certificates(m_override_ca_certificates ? *m_override_ca_certificates : DefaultRootCACertificates::the().certificates()); m_socket->on_tls_connected = [this] { #ifdef HTTPSJOB_DEBUG dbg() << "HttpsJob: on_connected callback"; diff --git a/Libraries/LibHTTP/HttpsJob.h b/Libraries/LibHTTP/HttpsJob.h index 02ad33d814..e78e1b8746 100644 --- a/Libraries/LibHTTP/HttpsJob.h +++ b/Libraries/LibHTTP/HttpsJob.h @@ -38,8 +38,9 @@ namespace HTTP { class HttpsJob final : public Job { C_OBJECT(HttpsJob) public: - explicit HttpsJob(const HttpRequest& request) + explicit HttpsJob(const HttpRequest& request, const Vector* override_certs = nullptr) : Job(request) + , m_override_ca_certificates(override_certs) { } @@ -68,6 +69,7 @@ protected: private: RefPtr m_socket; + const Vector* m_override_ca_certificates { nullptr }; }; } diff --git a/Services/ProtocolServer/main.cpp b/Services/ProtocolServer/main.cpp index df027e45dc..8b4b92a0f7 100644 --- a/Services/ProtocolServer/main.cpp +++ b/Services/ProtocolServer/main.cpp @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -38,6 +39,10 @@ int main(int, char**) perror("pledge"); return 1; } + + // Ensure the certificates are read out here. + (void)DefaultRootCACertificates::the(); + Core::EventLoop event_loop; // FIXME: Establish a connection to LookupServer and then drop "unix"? if (pledge("stdio inet shared_buffer accept unix", nullptr) < 0) {