atlas-engineer / nyxt

Nyxt - the hacker's browser.
https://nyxt-browser.com/

Certificate Pinning #2330

Open hendursaga opened 2 years ago

hendursaga commented 2 years ago

certificate-exception-mode is fine for those instances where I really don't care if I get MITM'd, but it would be nice if I could at least manually pin certs, even if it's just TOFU. This is especially helpful with Gemini (see https://github.com/atlas-engineer/nyxt/issues/2189). https://github.com/atlas-engineer/nyxt/issues/2146#issuecomment-1067957562 hints at a way we could inspect the certs' details, to see if they match an allow list or even deny list. Not sure where exactly to, say, hook to override throwing an error or perhaps somewhere in WebKit there's an internal whitelist we could use, or something like that.

Thoughts? Should it be part of certificate-exception? Especially considering it's a default mode.

aartaka commented 2 years ago

Yes, it should be part of certificate-exception, I suppose!

hendursaga commented 2 years ago

on-signal-load-failed-with-tls-errors appears to be the most relevant code for this, although do note this is renderer-specific. Looking at past PRs and issues, it looks like there's no way around that.

hendursaga commented 2 years ago

A relatively straightforward solution would include parsing the GTlsCertificate object passed via webkit_web_context_allow_tls_certificate_for_host. Unfortunately it's "just" a pointer, and I'm not sure how to get a structured Lisp form from that. @aartaka, how might I do this, and do I do it in Nyxt or upstream to cl-webkit or what?

jmercouris commented 2 years ago

Ideally you would want to update cl-webkit to learn how to deal with what is behind the pointer.

hendursaga commented 2 years ago

@jmercouris hmm? I see we just upgraded to cl-webkit version 3.5.3, but nothing pertinent here seems to have changed? I don't see any defctypes or define-foreign-types concerning GTlsCertificate.

jmercouris commented 2 years ago

This is correct, it was in regards to another change. I meant that you would have to write the code that updates cl-webkit :-)

Ambrevar commented 2 years ago

Technically it does not belong to cl-webkit but to cl-cffi-gtk.

There are two forks. This one (which Nyxt uses) has the enum:

https://github.com/Ferada/cl-cffi-gtk/blob/master/gio/gio.tls-connection.lisp

But the repo is archived. This one does not:

https://github.com/crategus/cl-cffi-gtk

But it might not be compatible with Nyxt considering how it has diverged.

What needs to be implemented? Probably this:

https://developer-old.gnome.org/gio/stable/GTlsCertificate.html

We could also just leverage GObject Introspection. Many options here :)

hendursaga commented 2 years ago

Thanks @Ambrevar, I was about to post pretty much the same analysis! I'm working on learning more about GObject Introspection; that seems to be the path forward, especially considering https://github.com/joachifm/cl-webkit/issues/33
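The TOFU pin store with an allow/deny decision that the thread sketches, written out as an added example in Common Lisp (not Nyxt's, cl-webkit's or cl-cffi-gtk's own code). It assumes the DER bytes of the GTlsCertificate have already been pulled out from behind the pointer (the step the thread says is still missing), that the ironclad library is loaded for SHA-256, and that the caller, presumably the handler for on-signal-load-failed-with-tls-errors, only calls webkit_web_context_allow_tls_certificate_for_host and reloads when the result is :new-pin or :pinned-ok; the package name and the sample byte vectors are constructed for the example.

```lisp
(defpackage :nyxt-pin-example          ; hypothetical package for this example
  (:use :cl)
  (:export #:fingerprint #:check-pin #:*pins* #:*deny-list*))
(in-package :nyxt-pin-example)

;; Pin store: host -> hex SHA-256 fingerprint of the DER-encoded certificate.
;; A real implementation would persist this between browser sessions.
(defvar *pins* (make-hash-table :test #'equal))

;; Deny list: fingerprints that must never be accepted, not even on first use.
(defvar *deny-list* '())

(defun fingerprint (der-bytes)
  "SHA-256 hex digest of DER-BYTES, the certificate's DER encoding.
Assumes the bytes were already extracted from the GTlsCertificate pointer."
  (ironclad:byte-array-to-hex-string
   (ironclad:digest-sequence
    :sha256 (coerce der-bytes '(simple-array (unsigned-byte 8) (*))))))

(defun check-pin (host der-bytes)
  "Decide what to do with the certificate HOST presented.
Returns :denied, :new-pin, :pinned-ok or :pin-mismatch. Only the first
two states leave the pin store changed (a new pin is recorded)."
  (let ((fp (fingerprint der-bytes))
        (known (gethash host *pins*)))
    (cond
      ;; Deny list wins over everything, including trust-on-first-use.
      ((member fp *deny-list* :test #'string=) :denied)
      ;; Trust on first use: remember this certificate for HOST.
      ((null known)
       (setf (gethash host *pins*) fp)
       :new-pin)
      ((string= fp known) :pinned-ok)
      ;; HOST now presents a different certificate. Keep the old pin so the
      ;; user has to re-pin deliberately rather than silently accepting it.
      (t :pin-mismatch))))

;; Constructed stand-ins for DER data, so the example runs offline.
(defparameter *cert-a*
  (coerce #(#x30 #x82 #x01 #x0a #x01) '(simple-array (unsigned-byte 8) (*))))
(defparameter *cert-b*
  (coerce #(#x30 #x82 #x01 #x0a #x02) '(simple-array (unsigned-byte 8) (*))))

(defun demo ()
  "Visit the same constructed host three times: first sight, same cert, changed cert."
  (list (check-pin "gemini.example" *cert-a*)
        (check-pin "gemini.example" *cert-a*)
        (check-pin "gemini.example" *cert-b*)))
```

A mismatch is a hard failure by design: the handler should fall back to the normal TLS error path rather than calling webkit_web_context_allow_tls_certificate_for_host, and a deliberate re-pin would require removing the host from *pins* first.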