From 080aa567a58d17174e8d3adc8943b9daa4394cf5 Mon Sep 17 00:00:00 2001 From: Andrew Kaster Date: Mon, 5 Feb 2024 09:34:51 -0700 Subject: [PATCH] RequestServer+LibTLS: Allow applications to specify multiple root certs --- .../src/main/cpp/RequestServerService.cpp | 8 +++---- .../Android/src/main/cpp/WebSocketService.cpp | 8 +++---- Ladybird/RequestServer/main.cpp | 12 +++++++---- Ladybird/WebSocket/main.cpp | 12 +++++++---- Userland/Libraries/LibTLS/Certificate.h | 4 ++-- Userland/Libraries/LibTLS/TLSv12.cpp | 21 ++++++++++++------- Userland/Services/RequestServer/main.cpp | 1 + Userland/Services/WebSocket/main.cpp | 1 + 8 files changed, 41 insertions(+), 26 deletions(-) diff --git a/Ladybird/Android/src/main/cpp/RequestServerService.cpp b/Ladybird/Android/src/main/cpp/RequestServerService.cpp index 231db0e05f1bff..d815b4b108696c 100644 --- a/Ladybird/Android/src/main/cpp/RequestServerService.cpp +++ b/Ladybird/Android/src/main/cpp/RequestServerService.cpp @@ -21,13 +21,13 @@ #include // FIXME: Share b/w RequestServer and WebSocket -ErrorOr find_certificates(StringView serenity_resource_root) +ErrorOr find_certificates(StringView serenity_resource_root) { - auto cert_path = TRY(String::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root)); + auto cert_path = ByteString::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root); if (!FileSystem::exists(cert_path)) { auto app_dir = LexicalPath::dirname(TRY(Core::System::current_executable_path())); - cert_path = TRY(String::formatted("{}/cacert.pem", LexicalPath(app_dir).parent())); + cert_path = ByteString::formatted("{}/cacert.pem", LexicalPath(app_dir).parent()); if (!FileSystem::exists(cert_path)) return Error::from_string_view("Don't know how to load certs!"sv); } 
@@ -37,7 +37,7 @@ ErrorOr find_certificates(StringView serenity_resource_root) ErrorOr service_main(int ipc_socket, int fd_passing_socket) { // Ensure the certificates are read out here. - DefaultRootCACertificates::set_default_certificate_path(TRY(find_certificates(s_serenity_resource_root))); + DefaultRootCACertificates::set_default_certificate_paths(Vector { TRY(find_certificates(s_serenity_resource_root)) }); [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop; diff --git a/Ladybird/Android/src/main/cpp/WebSocketService.cpp b/Ladybird/Android/src/main/cpp/WebSocketService.cpp index 87f7516812d93a..561dd768dd9a2f 100644 --- a/Ladybird/Android/src/main/cpp/WebSocketService.cpp +++ b/Ladybird/Android/src/main/cpp/WebSocketService.cpp @@ -17,13 +17,13 @@ #include // FIXME: Share b/w RequestServer and WebSocket -ErrorOr find_certificates(StringView serenity_resource_root) +ErrorOr find_certificates(StringView serenity_resource_root) { - auto cert_path = TRY(String::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root)); + auto cert_path = ByteString::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root); if (!FileSystem::exists(cert_path)) { auto app_dir = LexicalPath::dirname(TRY(Core::System::current_executable_path())); - cert_path = TRY(String::formatted("{}/cacert.pem", LexicalPath(app_dir).parent())); + cert_path = ByteString::formatted("{}/cacert.pem", LexicalPath(app_dir).parent()); if (!FileSystem::exists(cert_path)) return Error::from_string_view("Don't know how to load certs!"sv); } 
@@ -33,7 +33,7 @@ ErrorOr find_certificates(StringView serenity_resource_root) ErrorOr service_main(int ipc_socket, int fd_passing_socket) { // Ensure the certificates are read out here. - DefaultRootCACertificates::set_default_certificate_path(TRY(find_certificates(s_serenity_resource_root))); + DefaultRootCACertificates::set_default_certificate_paths(Vector { TRY(find_certificates(s_serenity_resource_root)) }); [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop; diff --git a/Ladybird/RequestServer/main.cpp b/Ladybird/RequestServer/main.cpp index edbfc38c6b4db6..ab71fac878bb50 100644 --- a/Ladybird/RequestServer/main.cpp +++ b/Ladybird/RequestServer/main.cpp @@ -21,13 +21,13 @@ #include // FIXME: Share b/w RequestServer and WebSocket -ErrorOr find_certificates(StringView serenity_resource_root) +ErrorOr find_certificates(StringView serenity_resource_root) { - auto cert_path = TRY(String::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root)); + auto cert_path = ByteString::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root); if (!FileSystem::exists(cert_path)) { auto app_dir = LexicalPath::dirname(TRY(Core::System::current_executable_path())); - cert_path = TRY(String::formatted("{}/cacert.pem", LexicalPath(app_dir).parent())); + cert_path = ByteString::formatted("{}/cacert.pem", LexicalPath(app_dir).parent()); if (!FileSystem::exists(cert_path)) return Error::from_string_view("Don't know how to load certs!"sv); } 
@@ -40,14 +40,18 @@ ErrorOr serenity_main(Main::Arguments arguments) int fd_passing_socket { -1 }; StringView serenity_resource_root; + Vector certificates; Core::ArgsParser args_parser; args_parser.add_option(fd_passing_socket, "File descriptor of the fd passing socket", "fd-passing-socket", 'c', "fd-passing-socket"); + args_parser.add_option(certificates, "Path to a certificate file", "certificate", 'C', "certificate"); args_parser.add_option(serenity_resource_root, "Absolute path to directory for serenity resources", "serenity-resource-root", 'r', "serenity-resource-root"); args_parser.parse(arguments); // Ensure the certificates are read out here. - DefaultRootCACertificates::set_default_certificate_path(TRY(find_certificates(serenity_resource_root))); + if (certificates.is_empty()) + certificates.append(TRY(find_certificates(serenity_resource_root))); + DefaultRootCACertificates::set_default_certificate_paths(certificates.span()); [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop; diff --git a/Ladybird/WebSocket/main.cpp b/Ladybird/WebSocket/main.cpp index b9ed5795adc848..bb7046ebd60b64 100644 --- a/Ladybird/WebSocket/main.cpp +++ b/Ladybird/WebSocket/main.cpp 
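Review bot: The new `--certificate` option in serenity_main replaces the bundled root lookup instead of adding to it, because find_certificates() is only consulted when `certificates.is_empty()`, and the help text "Path to a certificate file" says neither that nor that the file becomes a trusted root CA for every TLS connection this process makes. I would spell that out in the option description, for example `"Path to a root CA certificate file to trust (may be repeated; replaces the bundled cacert.pem)"`, and put a one-line comment above the `is_empty()` check stating that the fallback is deliberate. The same wording applies to the identical hunk in Ladybird/WebSocket/main.cpp. The body of serenity_main continues outside the hunk.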
@@ -17,13 +17,13 @@ #include // FIXME: Share b/w RequestServer and WebSocket -ErrorOr find_certificates(StringView serenity_resource_root) +ErrorOr find_certificates(StringView serenity_resource_root) { - auto cert_path = TRY(String::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root)); + auto cert_path = ByteString::formatted("{}/res/ladybird/cacert.pem", serenity_resource_root); if (!FileSystem::exists(cert_path)) { auto app_dir = LexicalPath::dirname(TRY(Core::System::current_executable_path())); - cert_path = TRY(String::formatted("{}/cacert.pem", LexicalPath(app_dir).parent())); + cert_path = ByteString::formatted("{}/cacert.pem", LexicalPath(app_dir).parent()); if (!FileSystem::exists(cert_path)) return Error::from_string_view("Don't know how to load certs!"sv); } @@ -36,14 +36,18 @@ ErrorOr serenity_main(Main::Arguments arguments) int fd_passing_socket { -1 }; StringView serenity_resource_root; + Vector certificates; Core::ArgsParser args_parser; args_parser.add_option(fd_passing_socket, "File descriptor of the fd passing socket", "fd-passing-socket", 'c', "fd-passing-socket"); + args_parser.add_option(certificates, "Path to a certificate file", "certificate", 'C', "certificate"); args_parser.add_option(serenity_resource_root, "Absolute path to directory for serenity resources", "serenity-resource-root", 'r', "serenity-resource-root"); args_parser.parse(arguments); // Ensure the certificates are read out here. - DefaultRootCACertificates::set_default_certificate_path(TRY(find_certificates(serenity_resource_root))); + if (certificates.is_empty()) + certificates.append(TRY(find_certificates(serenity_resource_root))); + DefaultRootCACertificates::set_default_certificate_paths(certificates.span()); [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop; diff --git a/Userland/Libraries/LibTLS/Certificate.h b/Userland/Libraries/LibTLS/Certificate.h index 77043d0715dc89..a6f2f62bf030c1 100644 
--- a/Userland/Libraries/LibTLS/Certificate.h +++ b/Userland/Libraries/LibTLS/Certificate.h @@ -292,11 +292,11 @@ class DefaultRootCACertificates { Vector const& certificates() const { return m_ca_certificates; } static ErrorOr> parse_pem_root_certificate_authorities(ByteBuffer&); - static ErrorOr> load_certificates(StringView custom_cert_path = {}); + static ErrorOr> load_certificates(Span custom_cert_paths = {}); static DefaultRootCACertificates& the(); - static void set_default_certificate_path(String); + static void set_default_certificate_paths(Span paths); private: Vector m_ca_certificates; diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp index 355ff1e48f3686..8af2d9b410f9a1 100644 --- a/Userland/Libraries/LibTLS/TLSv12.cpp +++ b/Userland/Libraries/LibTLS/TLSv12.cpp @@ -547,16 +547,19 @@ Vector TLSv12::parse_pem_certificate(ReadonlyBytes certificate_pem_ return { move(certificate) }; } -static String s_default_ca_certificate_path; +static Vector s_default_ca_certificate_paths; -void DefaultRootCACertificates::set_default_certificate_path(String path) +void DefaultRootCACertificates::set_default_certificate_paths(Span paths) { - s_default_ca_certificate_path = move(path); + s_default_ca_certificate_paths.clear(); + s_default_ca_certificate_paths.ensure_capacity(paths.size()); + for (auto& path : paths) + s_default_ca_certificate_paths.unchecked_append(path); } DefaultRootCACertificates::DefaultRootCACertificates() { - auto load_result = load_certificates(s_default_ca_certificate_path); + auto load_result = load_certificates(s_default_ca_certificate_paths); if (load_result.is_error()) { dbgln("Failed to load CA Certificates: {}", load_result.error()); return; 
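Review bot: set_default_certificate_paths() in TLSv12.cpp only has an effect if it runs before the first DefaultRootCACertificates::the(), since the constructor is the only reader of `s_default_ca_certificate_paths`, and nothing in the new code documents or checks that ordering. Assuming the() builds the singleton once (the `return s_the;` in the following hunk suggests so), a later call silently leaves the trust store unchanged. I would add a comment above the definition, and on the declaration in Certificate.h, along the lines of `// NOTE: Must be called before the first call to the(); the root CA set is loaded once, in the constructor.` The constructor's body continues past the end of this hunk.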
@@ -571,7 +574,7 @@ DefaultRootCACertificates& DefaultRootCACertificates::the() return s_the; } -ErrorOr> DefaultRootCACertificates::load_certificates(StringView custom_cert_path) +ErrorOr> DefaultRootCACertificates::load_certificates(Span custom_cert_paths) { auto cacert_file_or_error = Core::File::open("/etc/cacert.pem"sv, Core::File::OpenMode::Read); ByteBuffer data; @@ -588,9 +591,11 @@ ErrorOr> DefaultRootCACertificates::load_certificates(String TRY(data.try_append(TRY(user_cert_file->read_until_eof()))); } - if (!custom_cert_path.is_empty() && FileSystem::exists(custom_cert_path)) { - auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read)); - TRY(data.try_append(TRY(custom_cert_file->read_until_eof()))); + for (auto& custom_cert_path : custom_cert_paths) { + if (FileSystem::exists(custom_cert_path)) { + auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read)); + TRY(data.try_append(TRY(custom_cert_file->read_until_eof()))); + } } return TRY(parse_pem_root_certificate_authorities(data)); diff --git a/Userland/Services/RequestServer/main.cpp b/Userland/Services/RequestServer/main.cpp index 30d83dee1aee30..f2bbe7e50ebc7d 100644 --- a/Userland/Services/RequestServer/main.cpp +++ b/Userland/Services/RequestServer/main.cpp @@ -34,6 +34,7 @@ ErrorOr serenity_main(Main::Arguments) TRY(Core::System::pledge("stdio inet accept unix rpath sendfd recvfd")); // Ensure the certificates are read out here. + // FIXME: Allow specifying extra certificates on the command line, or in other configuration. [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop; diff --git a/Userland/Services/WebSocket/main.cpp b/Userland/Services/WebSocket/main.cpp index 054bb7e6811408..40c9ff5df23311 100644 --- a/Userland/Services/WebSocket/main.cpp +++ b/Userland/Services/WebSocket/main.cpp 
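Review bot: In the new loop in load_certificates(), a configured path that does not exist is skipped without any message, and `FileSystem::exists()` followed by `Core::File::open()` looks the path up twice. Now that paths can come from a command-line option, a typo leaves the process running without the root the operator asked for and with nothing in the log. I would either drop the exists() check and let the open error propagate, or at least record the skip with `else dbgln("CA certificate path {} not found, skipping", custom_cert_path);`. Separately, an open or read failure on any one file returns from the whole function through `TRY`, and the constructor shown in the previous hunk only logs that error, so one unreadable file appears to leave no roots loaded at all; that deserves a comment if it is intended. The function starts outside this hunk.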
@@ -17,6 +17,7 @@ ErrorOr serenity_main(Main::Arguments) TRY(Core::System::pledge("stdio inet unix rpath sendfd recvfd")); // Ensure the certificates are read out here. + // FIXME: Allow specifying extra certificates on the command line, or in other configuration. [[maybe_unused]] auto& certs = DefaultRootCACertificates::the(); Core::EventLoop event_loop;