LibProtocol+LibGemini+LibHTTP: Provide root certificates to LibTLS

Now we (almost) verify all the sites we browse.
Certificate verification failures should not be unexpected, as the
existing CA certificates are likely not complete.

Libraries/LibGemini/GeminiJob.cpp

@@ -39,6 +39,7 @@ void GeminiJob::start()
 {
     ASSERT(!m_socket);
     m_socket = TLS::TLSv12::construct(this);
+    m_socket->set_root_certificates(m_override_ca_certificates ? *m_override_ca_certificates : DefaultRootCACertificates::the().certificates());
     m_socket->on_tls_connected = [this] {
 #ifdef GEMINIJOB_DEBUG
         dbg() << "GeminiJob: on_connected callback";

Libraries/LibGemini/GeminiJob.h

@@ -37,8 +37,9 @@ namespace Gemini {
 class GeminiJob final : public Job {
     C_OBJECT(GeminiJob)
 public:
-    explicit GeminiJob(const GeminiRequest& request)
+    explicit GeminiJob(const GeminiRequest& request, const Vector<Certificate>* override_certificates = nullptr)
         : Job(request)
+        , m_override_ca_certificates(override_certificates)
     {
     }
 
@@ -67,6 +68,7 @@ protected:
 
 private:
     RefPtr<TLS::TLSv12> m_socket;
+    const Vector<Certificate>* m_override_ca_certificates { nullptr };
 };
 
 }

Libraries/LibHTTP/HttpsJob.cpp

@@ -40,6 +40,7 @@ void HttpsJob::start()
 {
     ASSERT(!m_socket);
     m_socket = TLS::TLSv12::construct(this);
+    m_socket->set_root_certificates(m_override_ca_certificates ? *m_override_ca_certificates : DefaultRootCACertificates::the().certificates());
     m_socket->on_tls_connected = [this] {
 #ifdef HTTPSJOB_DEBUG
         dbg() << "HttpsJob: on_connected callback";

Libraries/LibHTTP/HttpsJob.h

@@ -38,8 +38,9 @@ namespace HTTP {
 class HttpsJob final : public Job {
     C_OBJECT(HttpsJob)
 public:
-    explicit HttpsJob(const HttpRequest& request)
+    explicit HttpsJob(const HttpRequest& request, const Vector<Certificate>* override_certs = nullptr)
         : Job(request)
+        , m_override_ca_certificates(override_certs)
     {
     }
 
@@ -68,6 +69,7 @@ protected:
 
 private:
     RefPtr<TLS::TLSv12> m_socket;
+    const Vector<Certificate>* m_override_ca_certificates { nullptr };
 };
 
 }

Services/ProtocolServer/main.cpp

@@ -27,6 +27,7 @@
 #include <LibCore/EventLoop.h>
 #include <LibCore/LocalServer.h>
 #include <LibIPC/ClientConnection.h>
+#include <LibTLS/Certificate.h>
 #include <ProtocolServer/ClientConnection.h>
 #include <ProtocolServer/GeminiProtocol.h>
 #include <ProtocolServer/HttpProtocol.h>
@@ -38,6 +39,10 @@ int main(int, char**)
         perror("pledge");
         return 1;
     }
+
+    // Ensure the certificates are read out here.
+    (void)DefaultRootCACertificates::the();
+
     Core::EventLoop event_loop;
     // FIXME: Establish a connection to LookupServer and then drop "unix"?
     if (pledge("stdio inet shared_buffer accept unix", nullptr) < 0) {