feat: add ReplicatorConfiguration.trustedRootCertificates (#411)

Co-authored-by: Gabriel Terwesten <gabriel@terwesten.net>
cbl-dart · Sep 2, 2022 · f58fa34 · f58fa34
1 parent e7a259e
commit f58fa34
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 5 deletions.
diff --git a/packages/cbl/lib/src/replication/configuration.dart b/packages/cbl/lib/src/replication/configuration.dart
@@ -86,6 +86,7 @@ class ReplicatorConfiguration {
     this.continuous = false,
     this.authenticator,
     this.pinnedServerCertificate,
+    this.trustedRootCertificates,
     this.headers,
     this.channels,
     this.documentIds,
@@ -121,6 +122,7 @@ class ReplicatorConfiguration {
         continuous = config.continuous,
         authenticator = config.authenticator,
         pinnedServerCertificate = config.pinnedServerCertificate,
+        trustedRootCertificates = config.trustedRootCertificates,
         headers = config.headers,
         channels = config.channels,
         documentIds = config.documentIds,
@@ -151,9 +153,13 @@ class ReplicatorConfiguration {
   /// The [Authenticator] to authenticate with a remote target.
   Authenticator? authenticator;
 
-  /// The remote target's SSL certificate.
+  /// The remote target's SSL certificate (PEM or DER).
   Uint8List? pinnedServerCertificate;
 
+  /// A set of trusted root certificates to use for verifying the SSL
+  /// certificate of the remote target (PEM).
+  Uint8List? trustedRootCertificates;
+
   /// Extra HTTP headers to send in all requests to the remote target.
   Map<String, String>? headers;
 
@@ -314,6 +320,7 @@ class ReplicatorConfiguration {
         if (continuous) 'CONTINUOUS',
         if (authenticator != null) 'authenticator: $authenticator',
         if (pinnedServerCertificate != null) 'PINNED-SERVER-CERTIFICATE',
+        if (trustedRootCertificates != null) 'TRUSTED-ROOT-CERTIFICATES',
         if (headers != null) 'headers: $headers',
         if (channels != null) 'channels: $channels',
         if (documentIds != null) 'documentIds: $documentIds',

diff --git a/packages/cbl/lib/src/replication/ffi_replicator.dart b/packages/cbl/lib/src/replication/ffi_replicator.dart
@@ -100,6 +100,7 @@ class FfiReplicator
       authenticator: authenticator,
       headers: headersDict?.pointer.cast(),
       pinnedServerCertificate: config.pinnedServerCertificate?.toData(),
+      trustedRootCertificates: config.trustedRootCertificates?.toData(),
       channels: channelsArray?.pointer.cast(),
       documentIDs: documentIDsArray?.pointer.cast(),
       pushFilter: pushFilterCallback?.pointer,

diff --git a/packages/cbl/lib/src/replication/proxy_replicator.dart b/packages/cbl/lib/src/replication/proxy_replicator.dart
@@ -84,6 +84,7 @@ class ProxyReplicator extends ProxyObject
         continuous: config.continuous,
         authenticator: config.authenticator,
         pinnedServerCertificate: config.pinnedServerCertificate?.toData(),
+        trustedRootCertificates: config.trustedRootCertificates?.toData(),
         headers: config.headers,
         channels: config.channels,
         documentIds: config.documentIds,

diff --git a/packages/cbl/lib/src/service/cbl_service.dart b/packages/cbl/lib/src/service/cbl_service.dart
@@ -569,6 +569,7 @@ class CblService {
       continuous: request.continuous,
       authenticator: request.authenticator,
       pinnedServerCertificate: request.pinnedServerCertificate?.toTypedList(),
+      trustedRootCertificates: request.trustedRootCertificates?.toTypedList(),
       headers: request.headers,
       channels: request.channels,
       documentIds: request.documentIds,

diff --git a/packages/cbl/lib/src/service/cbl_service_api.dart b/packages/cbl/lib/src/service/cbl_service_api.dart
@@ -1402,6 +1402,7 @@ class CreateReplicator extends Request<int> {
     this.continuous = false,
     this.authenticator,
     Data? pinnedServerCertificate,
+    Data? trustedRootCertificates,
     this.headers,
     this.channels,
     this.documentIds,
@@ -1412,7 +1413,10 @@ class CreateReplicator extends Request<int> {
     this.heartbeat,
     this.maxAttempts,
     this.maxAttemptWaitTime,
-  }) : _pinnedServerCertificate = pinnedServerCertificate?.let(MessageData.new);
+  })  : _pinnedServerCertificate =
+            pinnedServerCertificate?.let(MessageData.new),
+        _trustedRootCertificates =
+            trustedRootCertificates?.let(MessageData.new);
 
   CreateReplicator._({
     required this.databaseId,
@@ -1422,6 +1426,7 @@ class CreateReplicator extends Request<int> {
     required this.continuous,
     this.authenticator,
     MessageData? pinnedServerCertificate,
+    MessageData? trustedRootCertificates,
     this.headers,
     this.channels,
     this.documentIds,
@@ -1432,7 +1437,8 @@ class CreateReplicator extends Request<int> {
     this.heartbeat,
     this.maxAttempts,
     this.maxAttemptWaitTime,
-  }) : _pinnedServerCertificate = pinnedServerCertificate;
+  })  : _pinnedServerCertificate = pinnedServerCertificate,
+        _trustedRootCertificates = trustedRootCertificates;
 
   final int databaseId;
   final EncodingFormat? propertiesFormat;
@@ -1442,6 +1448,8 @@ class CreateReplicator extends Request<int> {
   final Authenticator? authenticator;
   Data? get pinnedServerCertificate => _pinnedServerCertificate?.data;
   final MessageData? _pinnedServerCertificate;
+  Data? get trustedRootCertificates => _trustedRootCertificates?.data;
+  final MessageData? _trustedRootCertificates;
   final Map<String, String>? headers;
   final List<String>? channels;
   final List<String>? documentIds;
@@ -1462,6 +1470,7 @@ class CreateReplicator extends Request<int> {
         'continuous': continuous,
         'authenticator': context.serializePolymorphic(authenticator),
         'pinnedServerCertificate': context.serialize(_pinnedServerCertificate),
+        'trustedRootCertificates': context.serialize(_trustedRootCertificates),
         'headers': headers,
         'channels': context.serialize(channels),
         'documentIds': context.serialize(documentIds),
@@ -1487,6 +1496,8 @@ class CreateReplicator extends Request<int> {
         authenticator: context.deserializePolymorphic(map['authenticator']),
         pinnedServerCertificate:
             context.deserializeAs(map['pinnedServerCertificate']),
+        trustedRootCertificates:
+            context.deserializeAs(map['trustedRootCertificates']),
         headers: map.getAs<StringMap?>('headers')?.cast(),
         channels: context.deserializeAs(map['channels']),
         documentIds: context.deserializeAs(map['documentIds']),
@@ -1500,10 +1511,16 @@ class CreateReplicator extends Request<int> {
       );
 
   @override
-  void willSend() => _pinnedServerCertificate?.willSend();
+  void willSend() {
+    _pinnedServerCertificate?.willSend();
+    _trustedRootCertificates?.willSend();
+  }
 
   @override
-  void didReceive() => _pinnedServerCertificate?.didReceive();
+  void didReceive() {
+    _pinnedServerCertificate?.didReceive();
+    _trustedRootCertificates?.didReceive();
+  }
 }
 
 class CallReplicationFilter extends Request<bool> {

diff --git a/packages/cbl_e2e_tests/lib/src/replication/configuration_test.dart b/packages/cbl_e2e_tests/lib/src/replication/configuration_test.dart
@@ -24,6 +24,7 @@ void main() {
       expect(config.continuous, false);
       expect(config.authenticator, isNull);
       expect(config.pinnedServerCertificate, isNull);
+      expect(config.trustedRootCertificates, isNull);
       expect(config.headers, isNull);
       expect(config.channels, isNull);
       expect(config.documentIds, isNull);
@@ -73,6 +74,7 @@ void main() {
         continuous: true,
         authenticator: SessionAuthenticator(sessionId: 'sessionId'),
         pinnedServerCertificate: Uint8List(0),
+        trustedRootCertificates: Uint8List(0),
         headers: {'Client': 'cbl-dart', 'Authentication': 'AUTH'},
         channels: ['A'],
         documentIds: ['ID'],
@@ -96,6 +98,7 @@ void main() {
       expect(copy.continuous, source.continuous);
       expect(copy.authenticator, source.authenticator);
       expect(copy.pinnedServerCertificate, source.pinnedServerCertificate);
+      expect(copy.trustedRootCertificates, source.trustedRootCertificates);
       expect(copy.headers, source.headers);
       expect(copy.channels, source.channels);
       expect(copy.documentIds, source.documentIds);
@@ -135,6 +138,7 @@ void main() {
         continuous: true,
         authenticator: SessionAuthenticator(sessionId: 'sessionId'),
         pinnedServerCertificate: Uint8List(0),
+        trustedRootCertificates: Uint8List(0),
         headers: {'Client': 'cbl-dart', 'Authentication': 'AUTH'},
         channels: ['A'],
         documentIds: ['ID'],
@@ -160,6 +164,7 @@ void main() {
         'authenticator: SessionAuthenticator(sessionId: ******nId, '
         'cookieName: SyncGatewaySession), '
         'PINNED-SERVER-CERTIFICATE, '
+        'TRUSTED-ROOT-CERTIFICATES, '
         'headers: {Client: cbl-dart, Authentication: REDACTED}, '
         'channels: [A], '
         'documentIds: [ID], '

diff --git a/packages/cbl_e2e_tests/lib/src/replication/replicator_test.dart b/packages/cbl_e2e_tests/lib/src/replication/replicator_test.dart
@@ -31,6 +31,7 @@ void main() {
         ),
         headers: {'Client': 'test'},
         pinnedServerCertificate: Uint8List(0),
+        trustedRootCertificates: Uint8List(0),
         channels: ['channel'],
         documentIds: ['id'],
         pullFilter: (document, isDeleted) => true,