X-Git-Url: https://git.danieliu.xyz/?a=blobdiff_plain;f=surf.c;h=ba9506310d7c4b2935922df60512e615396c919c;hb=9eda6f5dd556552c29dd43095dd5a9bf026a8a5f;hp=88dfd75ccac6a46b08c7a94b674a583fa190b92e;hpb=db7922f173b803d14039f286146c949ded1538cb;p=surf.git

diff --git a/surf.c b/surf.c
index 88dfd75..ba95063 100644
--- a/surf.c
+++ b/surf.c
@@ -5,6 +5,7 @@
 #include <sys/file.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <glib.h>
 #include <libgen.h>
 #include <limits.h>
 #include <pwd.h>
@@ -22,6 +23,7 @@
 #include <glib/gstdio.h>
 #include <gtk/gtk.h>
 #include <gtk/gtkx.h>
+#include <gcr/gcr.h>
 #include <JavaScriptCore/JavaScript.h>
 #include <webkit2/webkit2.h>
 #include <X11/X.h>
@@ -105,9 +107,10 @@ typedef struct Client {
 	WebKitWebInspector *inspector;
 	WebKitFindController *finder;
 	WebKitHitTestResult *mousepos;
+	GTlsCertificate *cert, *failedcert;
 	GTlsCertificateFlags tlserr;
 	Window xid;
-	int progress, fullscreen, https, insecure;
+	int progress, fullscreen, https, insecure, errorpage;
 	const char *title, *overtitle, *targeturi;
 	const char *needle;
 	struct Client *next;
@@ -187,6 +190,9 @@ static GdkFilterReturn processx(GdkXEvent *xevent, GdkEvent *event,
 static gboolean winevent(GtkWidget *w, GdkEvent *e, Client *c);
 static void showview(WebKitWebView *v, Client *c);
 static GtkWidget *createwindow(Client *c);
+static gboolean loadfailedtls(WebKitWebView *v, gchar *uri,
+                              GTlsCertificate *cert,
+                              GTlsCertificateFlags err, Client *c);
 static void loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c);
 static void progresschanged(WebKitWebView *v, GParamSpec *ps, Client *c);
 static void titlechanged(WebKitWebView *view, GParamSpec *ps, Client *c);
@@ -212,6 +218,7 @@ static void destroywin(GtkWidget* w, Client *c);
 static void pasteuri(GtkClipboard *clipboard, const char *text, gpointer d);
 static void reload(Client *c, const Arg *a);
 static void print(Client *c, const Arg *a);
+static void showcert(Client *c, const Arg *a);
 static void clipboard(Client *c, const Arg *a);
 static void zoom(Client *c, const Arg *a);
 static void scroll(Client *c, const Arg *a);
@@ -1070,6 +1077,8 @@ newview(Client *c, WebKitWebView *rv)
 			 G_CALLBACK(decidepolicy), c);
 	g_signal_connect(G_OBJECT(v), "insecure-content-detected",
 			 G_CALLBACK(insecurecontent), c);
+	g_signal_connect(G_OBJECT(v), "load-failed-with-tls-errors",
+			 G_CALLBACK(loadfailedtls), c);
 	g_signal_connect(G_OBJECT(v), "load-changed",
 			 G_CALLBACK(loadchanged), c);
 	g_signal_connect(G_OBJECT(v), "mouse-target-changed",
@@ -1281,6 +1290,55 @@ createwindow(Client *c)
 	return w;
 }
 
+gboolean
+loadfailedtls(WebKitWebView *v, gchar *uri, GTlsCertificate *cert,
+              GTlsCertificateFlags err, Client *c)
+{
+	GString *errmsg = g_string_new(NULL);
+	gchar *html, *pem;
+
+	c->failedcert = g_object_ref(cert);
+	c->tlserr = err;
+	c->errorpage = 1;
+
+	if (err & G_TLS_CERTIFICATE_UNKNOWN_CA)
+		g_string_append(errmsg,
+		    "The signing certificate authority is not known.<br>");
+	if (err & G_TLS_CERTIFICATE_BAD_IDENTITY)
+		g_string_append(errmsg,
+		    "The certificate does not match the expected identity "
+		    "of the site that it was retrieved from.<br>");
+	if (err & G_TLS_CERTIFICATE_NOT_ACTIVATED)
+		g_string_append(errmsg,
+		    "The certificate's activation time "
+		    "is still in the future.<br>");
+	if (err & G_TLS_CERTIFICATE_EXPIRED)
+		g_string_append(errmsg, "The certificate has expired.<br>");
+	if (err & G_TLS_CERTIFICATE_REVOKED)
+		g_string_append(errmsg,
+		    "The certificate has been revoked according to "
+		    "the GTlsConnection's certificate revocation list.<br>");
+	if (err & G_TLS_CERTIFICATE_INSECURE)
+		g_string_append(errmsg,
+		    "The certificate's algorithm is considered insecure.<br>");
+	if (err & G_TLS_CERTIFICATE_GENERIC_ERROR)
+		g_string_append(errmsg,
+		    "Some error occurred validating the certificate.<br>");
+
+	g_object_get(cert, "certificate-pem", &pem, NULL);
+	html = g_strdup_printf("<p>Could not validate TLS for â%sâ<br>%s</p>"
+	                       "<p>You can inspect the following certificate "
+	                       "with Ctrl+Shift+x (default keybinding).</p>"
+	                       "<p><pre>%s</pre></p>", uri, errmsg->str, pem);
+	g_free(pem);
+	g_string_free(errmsg, TRUE);
+
+	webkit_web_view_load_alternate_html(c->view, html, uri, NULL);
+	g_free(html);
+
+	return TRUE;
+}
+
 void
 loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c)
 {
@@ -1293,6 +1351,10 @@ loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c)
 		c->title = title;
 		c->https = c->insecure = 0;
 		seturiparameters(c, geturi(c));
+		if (c->errorpage)
+			c->errorpage = 0;
+		else
+			g_clear_object(&c->failedcert);
 		break;
 	case WEBKIT_LOAD_REDIRECTED:
 		setatom(c, AtomUri, title);
@@ -1300,7 +1362,7 @@ loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c)
 		seturiparameters(c, geturi(c));
 		break;
 	case WEBKIT_LOAD_COMMITTED:
-		c->https = webkit_web_view_get_tls_info(c->view, NULL,
+		c->https = webkit_web_view_get_tls_info(c->view, &c->cert,
 		                                        &c->tlserr);
 		break;
 	case WEBKIT_LOAD_FINISHED:
@@ -1553,6 +1615,30 @@ print(Client *c, const Arg *a)
 	                                  GTK_WINDOW(c->win));
 }
 
+void
+showcert(Client *c, const Arg *a)
+{
+	GTlsCertificate *cert = c->failedcert ? c->failedcert : c->cert;
+	GcrCertificate *gcrt;
+	GByteArray *crt;
+	GtkWidget *win;
+	GcrCertificateWidget *wcert;
+
+	if (!cert)
+		return;
+
+	g_object_get(cert, "certificate", &crt, NULL);
+	gcrt = gcr_simple_certificate_new(crt->data, crt->len);
+	g_byte_array_unref(crt);
+
+	win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+	wcert = gcr_certificate_widget_new(gcrt);
+	g_object_unref(gcrt);
+
+	gtk_container_add(GTK_CONTAINER(win), GTK_WIDGET(wcert));
+	gtk_widget_show_all(win);
+}
+
 void
 clipboard(Client *c, const Arg *a)
 {
