ProtocolServer+LibTLS: Pipe certificate requests from LibTLS to clients

This makes gemini.circumlunar.space (and some more gemini pages) work again :^)
2025-07-27 02:07:36 +00:00 · 2020-08-02 05:27:42 +04:30 · 2020-08-02 05:27:42 +04:30 · 97256ad977
commit 97256ad977
parent 9d3ffa096a
22 changed files with 161 additions and 3 deletions
--- a/Libraries/LibTLS/TLSv12.cpp
+++ b/Libraries/LibTLS/TLSv12.cpp
@ -27,6 +27,7 @@
 #include <LibCore/DateTime.h>
 #include <LibCore/Timer.h>
 #include <LibCrypto/ASN1/DER.h>
+#include <LibCrypto/ASN1/PEM.h>
 #include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>

@ -721,4 +722,28 @@ TLSv12::TLSv12(Core::Object* parent, Version version)
    }
 }

+bool TLSv12::add_client_key(const ByteBuffer& certificate_pem_buffer, const ByteBuffer& rsa_key) // FIXME: This should not be bound to RSA
+{
+    if (certificate_pem_buffer.is_empty() || rsa_key.is_empty()) {
+        return true;
+    }
+    auto decoded_certificate = decode_pem(certificate_pem_buffer.span(), 0);
+    if (decoded_certificate.is_empty()) {
+        dbg() << "Certificate not PEM";
+        return false;
+    }
+
+    auto maybe_certificate = parse_asn1(decoded_certificate);
+    if (!maybe_certificate.has_value()) {
+        dbg() << "Invalid certificate";
+        return false;
+    }
+
+    Crypto::PK::RSA rsa(rsa_key);
+    auto certificate = maybe_certificate.value();
+    certificate.private_key = rsa.private_key();
+
+    return add_client_key(certificate);
+}
+
 }
--- a/Libraries/LibTLS/TLSv12.h
+++ b/Libraries/LibTLS/TLSv12.h
@ -206,6 +206,7 @@ struct Certificate {
    CertificateKeyAlgorithm ec_algorithm;
    ByteBuffer exponent;
    Crypto::PK::RSAPublicKey<Crypto::UnsignedBigInteger> public_key;
+    Crypto::PK::RSAPrivateKey<Crypto::UnsignedBigInteger> private_key;
    String issuer_country;
    String issuer_state;
    String issuer_location;
@ -318,6 +319,13 @@ public:
    bool load_certificates(const ByteBuffer& pem_buffer);
    bool load_private_key(const ByteBuffer& pem_buffer);

+    bool add_client_key(const ByteBuffer& certificate_pem_buffer, const ByteBuffer& key_pem_buffer);
+    bool add_client_key(Certificate certificate)
+    {
+        m_context.client_certificates.append(move(certificate));
+        return true;
+    }
+
    ByteBuffer finish_build();

    const StringView& alpn() const { return m_context.negotiated_alpn; }
@ -349,6 +357,7 @@ public:
    Function<void(AlertDescription)> on_tls_error;
    Function<void()> on_tls_connected;
    Function<void()> on_tls_finished;
+    Function<void(TLSv12&)> on_tls_certificate_request;

 private:
    explicit TLSv12(Core::Object* parent, Version version = Version::V12);