Add support for using custom certificates per url

2017-04-28 12:58:36 +02:00 · 2017-04-28 12:58:36 +02:00 · 3c2c0a6525
parent eb32dd6eca
commit 3c2c0a6525
2 changed files with 66 additions and 0 deletions
--- a/config.def.h
+++ b/config.def.h
@ -3,12 +3,14 @@ static int surfuseragent    = 1;  /* Append Surf version to default WebKit user
 static char *fulluseragent  = ""; /* Or override the whole user agent string */
 static char *scriptfile     = "~/.surf/script.js";
 static char *styledir       = "~/.surf/styles/";
+static char *certdir        = "~/.surf/certificates/";
 static char *cachedir       = "~/.surf/cache/";
 static char *cookiefile     = "~/.surf/cookies.txt";

 /* Webkit default features */
 static Parameter defconfig[ParameterLast] = {
 	SETB(AcceleratedCanvas,  1),
+	SETB(Certificate,        0),
 	SETB(CaretBrowsing,      0),
 	SETV(CookiePolicies,     "@Aa"),
 	SETB(DiskCache,          1),
@ -95,6 +97,15 @@ static SiteSpecific styles[] = {
 	{ ".*",                 "default.css" },
 };

+/* certificates */
+/*
+ * Provide custom certificate for urls
+ */
+static SiteSpecific certs[] = {
+	/* regexp               file in $certdir */
+	{ "://suckless\\.org/", "suckless.org.crt" },
+};
+
 #define MODKEY GDK_CONTROL_MASK

 /* hotkeys */
--- a/surf.c
+++ b/surf.c
@ -60,6 +60,7 @@ enum {
 typedef enum {
 	AcceleratedCanvas,
 	CaretBrowsing,
+	Certificate,
 	CookiePolicies,
 	DiskCache,
 	DNSPrefetch,
@ -162,6 +163,8 @@ static WebKitCookieAcceptPolicy cookiepolicy_get(void);
 static char cookiepolicy_set(const WebKitCookieAcceptPolicy p);
 static void seturiparameters(Client *c, const char *uri);
 static void setparameter(Client *c, int refresh, ParamName p, const Arg *a);
+static const char *getcert(const char *uri);
+static void setcert(Client *c, const char *file);
 static const char *getstyle(const char *uri);
 static void setstyle(Client *c, const char *file);
 static void runscript(Client *c);
@ -291,9 +294,19 @@ setup(void)
 	cookiefile = buildfile(cookiefile);
 	scriptfile = buildfile(scriptfile);
 	cachedir   = buildpath(cachedir);
+	certdir    = buildpath(certdir);

 	gdkkb = gdk_seat_get_keyboard(gdk_display_get_default_seat(gdpy));

+	for (i = 0; i < LENGTH(certs); ++i) {
+		if (regcomp(&(certs[i].re), certs[i].regex, REG_EXTENDED)) {
+			fprintf(stderr, "Could not compile regex: %s\n",
+			        certs[i].regex);
+			certs[i].regex = NULL;
+		}
+		certs[i].file = g_strconcat(certdir, "/", certs[i].file, NULL);
+	}
+
 	if (!stylefile) {
 		styledir = buildpath(styledir);
 		for (i = 0; i < LENGTH(styles); ++i) {
@ -642,6 +655,10 @@ setparameter(Client *c, int refresh, ParamName p, const Arg *a)
 		webkit_settings_set_enable_caret_browsing(s, a->b);
 		refresh = 0;
 		break;
+	case Certificate:
+		if (a->b)
+			setcert(c, geturi(c));
+		return; /* do not update */
 	case CookiePolicies:
 		webkit_cookie_manager_set_accept_policy(
 		    webkit_web_context_get_cookie_manager(
@ -737,6 +754,44 @@ setparameter(Client *c, int refresh, ParamName p, const Arg *a)
 		reload(c, a);
 }

+const char *
+getcert(const char *uri)
+{
+	int i;
+
+	for (i = 0; i < LENGTH(certs); ++i) {
+		if (certs[i].regex &&
+		    !regexec(&(certs[i].re), uri, 0, NULL, 0))
+			return certs[i].file;
+	}
+
+	return NULL;
+}
+
+void
+setcert(Client *c, const char *uri)
+{
+	const char *file = getcert(uri);
+	char *host;
+	GTlsCertificate *cert;
+
+	if (!file)
+		return;
+
+	if (!(cert = g_tls_certificate_new_from_file(file, NULL))) {
+		fprintf(stderr, "Could not read certificate file: %s\n", file);
+		return;
+	}
+
+	uri = strstr(uri, "://") + sizeof("://") - 1;
+	host = strndup(uri, strstr(uri, "/") - uri);
+
+	webkit_web_context_allow_tls_certificate_for_host(
+	    webkit_web_view_get_context(c->view), cert, host);
+
+	free(host);
+}
+
 const char *
 getstyle(const char *uri)
 {