From 24d3da64e5f304c0687c114517467942dd5d3474 Mon Sep 17 00:00:00 2001 From: devgianlu Date: Fri, 14 Feb 2025 12:24:03 +0100 Subject: [PATCH] LibWebSocket: Support specifying root certificate path --- Libraries/LibWebSocket/ConnectionInfo.h | 4 ++++ .../LibWebSocket/Impl/WebSocketImplSerenity.cpp | 5 ++++- Services/RequestServer/ConnectionFromClient.cpp | 3 +++ Utilities/dns.cpp | 14 +++++++++++--- 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/Libraries/LibWebSocket/ConnectionInfo.h b/Libraries/LibWebSocket/ConnectionInfo.h index 36b43d7af64..62d7c7aa6ce 100644 --- a/Libraries/LibWebSocket/ConnectionInfo.h +++ b/Libraries/LibWebSocket/ConnectionInfo.h @@ -30,6 +30,9 @@ public: HTTP::HeaderMap const& headers() const { return m_headers; } void set_headers(HTTP::HeaderMap headers) { m_headers = move(headers); } + Optional const& root_certificates_path() const { return m_root_certificates_path; } + void set_root_certificates_path(Optional root_certificates_path) { m_root_certificates_path = move(root_certificates_path); } + // secure flag - defined in RFC 6455 Section 3 bool is_secure() const; @@ -42,6 +45,7 @@ private: Vector m_protocols {}; Vector m_extensions {}; HTTP::HeaderMap m_headers; + Optional m_root_certificates_path; }; } diff --git a/Libraries/LibWebSocket/Impl/WebSocketImplSerenity.cpp b/Libraries/LibWebSocket/Impl/WebSocketImplSerenity.cpp index 9d18a27627d..4f80c6dc08d 100644 --- a/Libraries/LibWebSocket/Impl/WebSocketImplSerenity.cpp +++ b/Libraries/LibWebSocket/Impl/WebSocketImplSerenity.cpp 
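Review bot: The new `root_certificates_path()` / `set_root_certificates_path()` accessors in ConnectionInfo.h have no comment saying what the value is or what an unset value means, even though this field decides which CAs a secure WebSocket connection will trust. I would add above the getter: `// Path to the root CA certificates used to verify the server on secure connections; when unset, the TLS layer's default is used.` The second half of that comment is inferred from the field being an Optional, and the TLS side is not visible on this page, so confirm it before committing the wording. The same comment covers the `m_root_certificates_path` member added in the second hunk of this file.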
@@ -45,8 +45,11 @@ void WebSocketImplSerenity::connect(ConnectionInfo const& connection_info) auto socket_result = [&]() -> ErrorOr> { auto host = connection_info.url().serialized_host().to_byte_string(); if (connection_info.is_secure()) { + TLS::Options options; + options.set_root_certificates_path(connection_info.root_certificates_path()); + return TRY(Core::BufferedSocket::create( - TRY(TLS::TLSv12::connect(host, connection_info.url().port_or_default())))); + TRY(TLS::TLSv12::connect(host, connection_info.url().port_or_default(), move(options))))); } return TRY(Core::BufferedTCPSocket::create( diff --git a/Services/RequestServer/ConnectionFromClient.cpp b/Services/RequestServer/ConnectionFromClient.cpp index 2b204999e4e..2c38d14d1b2 100644 --- a/Services/RequestServer/ConnectionFromClient.cpp +++ b/Services/RequestServer/ConnectionFromClient.cpp @@ -656,6 +656,9 @@ void ConnectionFromClient::websocket_connect(i64 websocket_id, URL::URL const& u connection_info.set_extensions(extensions); connection_info.set_headers(additional_request_headers); + if (!g_default_certificate_path.is_empty()) + connection_info.set_root_certificates_path(g_default_certificate_path); + auto connection = WebSocket::WebSocket::create(move(connection_info)); connection->on_open = [this, websocket_id]() { async_websocket_connected(websocket_id); diff --git a/Utilities/dns.cpp b/Utilities/dns.cpp index 20640ab4b8b..9f5623302e7 100644 --- a/Utilities/dns.cpp +++ b/Utilities/dns.cpp 
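Review bot: A comment is missing on the `g_default_certificate_path` block in `ConnectionFromClient::websocket_connect` recording that the trust root comes from RequestServer's own configuration and not from anything the IPC client sent. Without it, a later change could expose the path as a request parameter and let the caller choose its own trust anchors. Suggested: `// Trust anchors come from RequestServer's own configuration, never from the client.` The function starts and ends outside the hunk.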
@@ -81,15 +81,23 @@ ErrorOr serenity_main(Main::Arguments arguments) } else { return MUST(resolver.lookup(server_address)->await())->cached_addresses().first().visit([&](auto& address) -> DNS::Resolver::SocketResult { if (use_tls) { - auto tls = MUST(TLS::TLSv12::connect({ address, 853 }, server_address)); + TLS::Options options; + options.set_root_certificates_path(cert_path); + + auto tls = MUST(TLS::TLSv12::connect({ address, 853 }, server_address, move(options))); return { move(tls), DNS::Resolver::ConnectionMode::TCP }; } return { MUST(Core::BufferedSocket::create(MUST(Core::UDPSocket::connect({ address, 53 })))), DNS::Resolver::ConnectionMode::UDP }; }); } - if (use_tls) - return DNS::Resolver::SocketResult { MUST(TLS::TLSv12::connect(addr, server_address)), DNS::Resolver::ConnectionMode::TCP }; + if (use_tls) { + TLS::Options options; + options.set_root_certificates_path(cert_path); + + return DNS::Resolver::SocketResult { MUST(TLS::TLSv12::connect(addr, server_address, move(options))), DNS::Resolver::ConnectionMode::TCP }; + } + return DNS::Resolver::SocketResult { MUST(Core::BufferedSocket::create(MUST(Core::UDPSocket::connect(addr)))), DNS::Resolver::ConnectionMode::UDP }; } };
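Review bot: Both TLS branches in `serenity_main` pass `cert_path` to `options.set_root_certificates_path()` unconditionally, while the RequestServer change in this same commit only sets the path when it is non-empty. `cert_path` is declared outside the hunk; if it is a plain string that stays empty when no option is given, the options end up with an engaged but empty path, and whether the TLS layer then loads no roots, fails, or falls back to its default is not visible here. Guarding it the same way would remove the doubt: `if (!cert_path.is_empty()) options.set_root_certificates_path(cert_path);`. The three-line options setup is also duplicated across the two branches and could become one small local lambda.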