Add a flag for custom certificates

[surf.git] / surf.c

diff --git a/surf.c b/surf.c
index 40f514f..59cea07 100644 (file)
--- a/surf.c
+++ b/surf.c
@@ -5,6 +5,7 @@
 #include <sys/file.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <glib.h>
 #include <libgen.h>
 #include <limits.h>
 #include <pwd.h>
@@ -106,9 +107,10 @@ typedef struct Client {
        WebKitWebInspector *inspector;
        WebKitFindController *finder;
        WebKitHitTestResult *mousepos;
+       GTlsCertificate *cert, *failedcert;
        GTlsCertificateFlags tlserr;
        Window xid;
-       int progress, fullscreen, https, insecure;
+       int progress, fullscreen, https, insecure, errorpage;
        const char *title, *overtitle, *targeturi;
        const char *needle;
        struct Client *next;
@@ -216,6 +218,7 @@ static void destroywin(GtkWidget* w, Client *c);
 static void pasteuri(GtkClipboard *clipboard, const char *text, gpointer d);
 static void reload(Client *c, const Arg *a);
 static void print(Client *c, const Arg *a);
+static void showcert(Client *c, const Arg *a);
 static void clipboard(Client *c, const Arg *a);
 static void zoom(Client *c, const Arg *a);
 static void scroll(Client *c, const Arg *a);
@@ -233,7 +236,7 @@ static void clicknewwindow(Client *c, const Arg *a, WebKitHitTestResult *h);
 static void clickexternplayer(Client *c, const Arg *a, WebKitHitTestResult *h);
 
 static char winid[64];
-static char togglestats[11];
+static char togglestats[12];
 static char pagestats[2];
 static Atom atoms[AtomLast];
 static Window embed;
@@ -587,8 +590,9 @@ gettogglestats(Client *c)
        togglestats[6] = curconfig[Plugins].val.b ?         'V' : 'v';
        togglestats[7] = curconfig[Style].val.b ?           'M' : 'm';
        togglestats[8] = curconfig[FrameFlattening].val.b ? 'F' : 'f';
-       togglestats[9] = curconfig[StrictTLS].val.b ?       'T' : 't';
-       togglestats[10] = '\0';
+       togglestats[9] = curconfig[Certificate].val.b ?     'X' : 'x';
+       togglestats[10] = curconfig[StrictTLS].val.b ?      'T' : 't';
+       togglestats[11] = '\0';
 }
 
 void
@@ -878,7 +882,7 @@ newwindow(Client *c, const Arg *a, int noembed)
 {
        int i = 0;
        char tmp[64];
-       const char *cmd[28], *uri;
+       const char *cmd[29], *uri;
        const Arg arg = { .v = cmd };
 
        cmd[i++] = argv0;
@@ -917,7 +921,8 @@ newwindow(Client *c, const Arg *a, int noembed)
                cmd[i++] = fulluseragent;
        }
        if (showxid)
-               cmd[i++] = "-x";
+               cmd[i++] = "-w";
+       cmd[i++] = curconfig[Certificate].val.b ? "-X" : "-x" ;
        /* do not keep zoom level */
        cmd[i++] = "--";
        if ((uri = a->v))
@@ -1294,7 +1299,9 @@ loadfailedtls(WebKitWebView *v, gchar *uri, GTlsCertificate *cert,
        GString *errmsg = g_string_new(NULL);
        gchar *html, *pem;
 
+       c->failedcert = g_object_ref(cert);
        c->tlserr = err;
+       c->errorpage = 1;
 
        if (err & G_TLS_CERTIFICATE_UNKNOWN_CA)
                g_string_append(errmsg,
@@ -1322,7 +1329,9 @@ loadfailedtls(WebKitWebView *v, gchar *uri, GTlsCertificate *cert,
 
        g_object_get(cert, "certificate-pem", &pem, NULL);
        html = g_strdup_printf("<p>Could not validate TLS for “%s”<br>%s</p>"
-                              "<p><pre>%s</pre><p>", uri, errmsg->str, pem);
+                              "<p>You can inspect the following certificate "
+                              "with Ctrl+Shift+x (default keybinding).</p>"
+                              "<p><pre>%s</pre></p>", uri, errmsg->str, pem);
        g_free(pem);
        g_string_free(errmsg, TRUE);
 
@@ -1344,6 +1353,10 @@ loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c)
                c->title = title;
                c->https = c->insecure = 0;
                seturiparameters(c, geturi(c));
+               if (c->errorpage)
+                       c->errorpage = 0;
+               else
+                       g_clear_object(&c->failedcert);
                break;
        case WEBKIT_LOAD_REDIRECTED:
                setatom(c, AtomUri, title);
@@ -1351,7 +1364,7 @@ loadchanged(WebKitWebView *v, WebKitLoadEvent e, Client *c)
                seturiparameters(c, geturi(c));
                break;
        case WEBKIT_LOAD_COMMITTED:
-               c->https = webkit_web_view_get_tls_info(c->view, NULL,
+               c->https = webkit_web_view_get_tls_info(c->view, &c->cert,
                                                        &c->tlserr);
                break;
        case WEBKIT_LOAD_FINISHED:
@@ -1604,6 +1617,30 @@ print(Client *c, const Arg *a)
                                          GTK_WINDOW(c->win));
 }
 
+void
+showcert(Client *c, const Arg *a)
+{
+       GTlsCertificate *cert = c->failedcert ? c->failedcert : c->cert;
+       GcrCertificate *gcrt;
+       GByteArray *crt;
+       GtkWidget *win;
+       GcrCertificateWidget *wcert;
+
+       if (!cert)
+               return;
+
+       g_object_get(cert, "certificate", &crt, NULL);
+       gcrt = gcr_simple_certificate_new(crt->data, crt->len);
+       g_byte_array_unref(crt);
+
+       win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+       wcert = gcr_certificate_widget_new(gcrt);
+       g_object_unref(gcrt);
+
+       gtk_container_add(GTK_CONTAINER(win), GTK_WIDGET(wcert));
+       gtk_widget_show_all(win);
+}
+
 void
 clipboard(Client *c, const Arg *a)
 {
@@ -1864,9 +1901,15 @@ main(int argc, char *argv[])
        case 'v':
                die("surf-"VERSION", ©2009-2017 surf engineers, "
                    "see LICENSE for details\n");
-       case 'x':
+       case 'w':
                showxid = 1;
                break;
+       case 'x':
+               defconfig CSETB(Certificate, 0);
+               break;
+       case 'X':
+               defconfig CSETB(Certificate, 1);
+               break;
        case 'z':
                defconfig CSETF(ZoomLevel, strtof(EARGF(usage()), NULL));
                break;