commit 31b3662c5484a7906c60f6eaedaec5fdd4adf444
from: Omar Polo
date: Tue Feb 09 15:01:12 2021 UTC
gg: add support for client certs
commit - 57ec3e776e0333167134b5b186f9c72870eb228d
commit + 31b3662c5484a7906c60f6eaedaec5fdd4adf444
blob - 38ecf0a9ba48826f53f043161ae9c89bd27d3715
blob + ad47822a9b871beab8e34e4ad26466b12203fa71
--- gg.1
+++ gg.1
@@ -21,6 +21,7 @@
 .Nm
 .Bk -words
 .Op Fl 23bchNVv
+.Op Fl C Pa cert.pem Fl K Pa key.pem
 .Op Fl H Ar hostname
 .Ar IRI
 .Ek
@@ -37,6 +38,8 @@ Use only TLSv1.2.
 Use only TLSv1.3.
 .It Fl b
 Print only the body of the response.
+.It Fl C Pa cert.pem
+Load the client certificate, must be in PEM format.
 .It Fl c
 Print only the response code.
 .It Fl H Ar hostname
@@ -46,6 +49,8 @@ for SNI, instead of the one extracted from the IRI.
 The IRI hostname will still be used for the DNS resolution.
 .It Fl h
 Print only the response header.
+.It Fl K Pa key.pem
+Load the client certificate key, must be in PEM format.
 .It Fl N
 Don't check whether the peer certificate name matches the requested hostname.
blob - 97fb71683db2443945279974d51dea3658516673
blob + eb5098ac5d9020814a5e072b48005558a51e7f5d
--- gg.c
+++ gg.c
@@ -19,6 +19,7 @@
 #include "gmid.h"
 int flag2, flag3, bflag, cflag, hflag, Nflag, Vflag, vflag;
+const char *cert, *key;
 int
 main(int argc, char **argv)
@@ -35,7 +36,7 @@ main(int argc, char **argv)
 ssize_t len;
 hostname = NULL;
- while ((ch = getopt(argc, argv, "23cbH:hNVv")) != -1) {
+ while ((ch = getopt(argc, argv, "23C:cbH:hK:NVv")) != -1) {
 switch (ch) {
 case '2':
 flag2 = 1;
@@ -46,6 +47,9 @@ main(int argc, char **argv)
 case 'b':
 bflag = 1;
 break;
+ case 'C':
+ cert = optarg;
+ break;
 case 'c':
 cflag = 1;
 break;
@@ -55,6 +59,9 @@ main(int argc, char **argv)
 case 'h':
 hflag = 1;
 break;
+ case 'K':
+ key = optarg;
+ break;
 case 'N':
 Nflag = 1;
 break;
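Review bot: `cert` and `key` in the `@@ -19,6 +19,7 @@` hunk of gg.c hold file paths copied from `optarg`, not loaded certificate or key material, and nothing at the declaration says so. A one-line comment above it would make that clear: `/* -C / -K: paths to the PEM client certificate and its private key; NULL when not given */`. Both pointers rely on static zero-initialisation for the `!= NULL` tests added later in main, which is correct but worth stating since those tests are in other hunks.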
@@ -79,6 +86,9 @@ main(int argc, char **argv)
 if (flag2 + flag3 > 1)
 errx(1, "only -2 or -3 can be specified at the same time.");
+ if ((cert != NULL && key == NULL) || (cert == NULL && key != NULL))
+ errx(1, "missing certificate or key");
+
 if (argc != 1)
 errx(1, "missing IRI");
@@ -107,6 +117,9 @@ main(int argc, char **argv)
 if (flag3 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_3) == -1)
 errx(1, "cannot set TLSv1.3");
+ if (cert != NULL && tls_config_set_keypair_file(conf, cert, key))
+ errx(1, "couldn't load cert: %s", cert);
+
 if ((ctx = tls_client()) == NULL)
 errx(1, "tls_client creation failed");
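Review bot: The pairing check in the `@@ -79,6 +86,9 @@` hunk reports `missing certificate or key` without saying which option was left out or that the two must be used together. The four-term condition is an exclusive-or and reads more directly as `if ((cert == NULL) != (key == NULL))`, with a message that names the flags, for example `errx(1, "-C and -K must be given together");`. main's body starts and ends outside the hunk.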
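Review bot: The failure message in the `@@ -107,6 +117,9 @@` hunk names only `cert`, although `tls_config_set_keypair_file` reads both files, and it discards libtls's own error text, so an unreadable or mismatched key is reported as a certificate problem. The neighbouring check compares against `-1`; matching it and printing the library's reason gives `if (cert != NULL && tls_config_set_keypair_file(conf, cert, key) == -1)` followed by `errx(1, "couldn't load keypair %s / %s: %s", cert, key, tls_config_error(conf));`. Separately, gg.1 documents `-N` as skipping the peer name check, so with `-C`/`-K` the client certificate would presumably be offered to a peer whose name was not verified. If that combination is intended, a sentence in the manual would help users who treat the certificate as an identity. main's body continues outside the hunk.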