From 1cf1ec55bc7647e737d7ec41bfe1def721269c02 Mon Sep 17 00:00:00 2001
From: Daniel Silverstone
Date: Tue, 6 Aug 2019 13:15:23 +0100
Subject: Support SSL verification through new about: handler

In doing this, also propagate why the certificates were bad so that the page can display a reason. We will need FatMessages for all these.

Signed-off-by: Daniel Silverstone
---
 content/fetch.h | 18 +-----------------
 content/fetchers/curl.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 17 deletions(-)

(limited to 'content')

diff --git a/content/fetch.h b/content/fetch.h
index 7c02fb0d7..66be857f8 100644
--- a/content/fetch.h
+++ b/content/fetch.h
@@ -28,6 +28,7 @@
 #include "utils/config.h"
 #include "utils/nsurl.h"
 #include "utils/inet.h"
+#include "netsurf/ssl_certs.h"
 
 struct content;
 struct fetch;
@@ -88,23 +89,6 @@ struct fetch_multipart_data {
 bool file; /**< Item is a file */
 };
 
-/**
- * ssl certificate information for certificate error message
- */
-struct ssl_cert_info {
- long version; /**< Certificate version */
- char not_before[32]; /**< Valid from date */
- char not_after[32]; /**< Valid to date */
- int sig_type; /**< Signature type */
- char serialnum[64]; /**< Serial number */
- char issuer[256]; /**< Issuer details */
- char subject[256]; /**< Subject details */
- int cert_type; /**< Certificate type */
-};
-
-/** maximum number of X509 certificates in chain for TLS connection */
-#define MAX_SSL_CERTS 10
-
 typedef void (*fetch_callback)(const fetch_msg *msg, void *p);
 
 /**
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index f5649e0c3..345f16ce1 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -555,6 +555,49 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
 ssl_certs[depth].cert_type = X509_certificate_type(certs[depth].cert, X509_get_pubkey(certs[depth].cert));
+
+ /* error code (if any) */
+ switch (certs[depth].err) {
+ case X509_V_OK:
+ ssl_certs[depth].err = SSL_CERT_ERR_OK;
+ break;
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ /* fallthrough */
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ ssl_certs[depth].err = SSL_CERT_ERR_BAD_ISSUER;
+ break;
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ /* fallthrough */
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ /* fallthrough */
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ /* fallthrough */
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ ssl_certs[depth].err = SSL_CERT_ERR_BAD_SIG;
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ /* fallthrough */
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ ssl_certs[depth].err = SSL_CERT_ERR_TOO_YOUNG;
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ /* fallthrough */
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ ssl_certs[depth].err = SSL_CERT_ERR_TOO_OLD;
+ break;
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ ssl_certs[depth].err = SSL_CERT_ERR_SELF_SIGNED;
+ break;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ ssl_certs[depth].err = SSL_CERT_ERR_CHAIN_SELF_SIGNED;
+ break;
+ case X509_V_ERR_CERT_REVOKED:
+ ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
+ break;
+ default:
+ ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
+ break;
+ }
 }
 
 msg.type = FETCH_CERTS;
-- 
cgit v1.2.3
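Review bot: The `default` arm of the new switch in fetch_curl_report_certs_upstream sends the most common real-world verification failure, an issuer that is simply not in the trust store (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`, likewise `X509_V_ERR_CERT_UNTRUSTED`), to `SSL_CERT_ERR_UNKNOWN`, so the about: page will show an unexplained error for exactly the case users most need described; adding `case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: /* fallthrough */` to the `SSL_CERT_ERR_BAD_ISSUER` group would cover it. The CRL-specific codes (`X509_V_ERR_CRL_NOT_YET_VALID`, `X509_V_ERR_CRL_HAS_EXPIRED` and the two CRL signature codes) are folded into the certificate buckets, so a stale or mis-signed CRL will be reported as an expired or badly signed certificate; if the enum in netsurf/ssl_certs.h (not on this page) cannot grow a CRL reason, a comment above the switch such as `/* CRL failures are reported under the nearest certificate reason; no separate bucket exists */` would stop the next reader from "correcting" the message. How certs[depth].err is populated is not visible here, so which codes can actually reach this switch is inferred. The enclosing function starts and ends outside the hunk.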