From 31b3662c5484a7906c60f6eaedaec5fdd4adf444 Mon Sep 17 00:00:00 2001 From: Omar Polo Date: Tue, 9 Feb 2021 15:01:12 +0000 Subject: [PATCH] gg: add support for client certs --- gg.1 | 5 +++++ gg.c | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/gg.1 b/gg.1 index 38ecf0a..ad47822 100644 --- a/gg.1 +++ b/gg.1 @@ -21,6 +21,7 @@ .Nm .Bk -words .Op Fl 23bchNVv +.Op Fl C Pa cert.pem Fl K Pa key.pem .Op Fl H Ar hostname .Ar IRI .Ek @@ -37,6 +38,8 @@ Use only TLSv1.2. Use only TLSv1.3. .It Fl b Print only the body of the response. +.It Fl C Pa cert.pem +Load the client certificate, must be in PEM format. .It Fl c Print only the response code. .It Fl H Ar hostname @@ -46,6 +49,8 @@ for SNI, instead of the one extracted from the IRI. The IRI hostname will still be used for the DNS resolution. .It Fl h Print only the response header. +.It Fl K Pa key.pem +Load the client certificate key, must be in PEM format. .It Fl N Don't check whether the peer certificate name matches the requested hostname. diff --git a/gg.c b/gg.c index 97fb716..eb5098a 100644 --- a/gg.c +++ b/gg.c @@ -19,6 +19,7 @@ #include "gmid.h" int flag2, flag3, bflag, cflag, hflag, Nflag, Vflag, vflag; +const char *cert, *key; int main(int argc, char **argv) @@ -35,7 +36,7 @@ main(int argc, char **argv) ssize_t len; hostname = NULL; - while ((ch = getopt(argc, argv, "23cbH:hNVv")) != -1) { + while ((ch = getopt(argc, argv, "23C:cbH:hK:NVv")) != -1) { switch (ch) { case '2': flag2 = 1; @@ -46,6 +47,9 @@ main(int argc, char **argv) case 'b': bflag = 1; break; + case 'C': + cert = optarg; + break; case 'c': cflag = 1; break; @@ -55,6 +59,9 @@ main(int argc, char **argv) case 'h': hflag = 1; break; + case 'K': + key = optarg; + break; case 'N': Nflag = 1; break; 
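Review bot: The new file-scope declaration `const char *cert, *key;` in the first gg.c hunk has no comment saying what the pointers hold or when they are unset, and the later checks in main rely on the NULL-when-absent convention. Suggest `/* paths of the client certificate and its private key (-C / -K); NULL when the option was not given */` above the declaration. Keeping them non-static matches the existing `flag2, flag3, ...` globals in this file, so no change there; the bare names `cert` and `key` could in principle collide with something declared in the included gmid.h, which is not visible here, so that is only worth a glance. The getopt hunk that fills them sits inside main, whose body starts and ends outside these hunks.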
@@ -79,6 +86,9 @@ main(int argc, char **argv) if (flag2 + flag3 > 1) errx(1, "only -2 or -3 can be specified at the same time."); + if ((cert != NULL && key == NULL) || (cert == NULL && key != NULL)) + errx(1, "missing certificate or key"); + if (argc != 1) errx(1, "missing IRI"); @@ -107,6 +117,9 @@ main(int argc, char **argv) if (flag3 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_3) == -1) errx(1, "cannot set TLSv1.3"); + if (cert != NULL && tls_config_set_keypair_file(conf, cert, key)) + errx(1, "couldn't load cert: %s", cert); + if ((ctx = tls_client()) == NULL) errx(1, "tls_client creation failed");
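Review bot: The pairing check `(cert != NULL && key == NULL) || (cert == NULL && key != NULL)` added in the first hunk on this line is a hand-spelled exclusive-or and reads more directly as `if ((cert == NULL) != (key == NULL))`. The message `missing certificate or key` could name the options the user must supply, e.g. `errx(1, "-C and -K must be given together");`, which also matches how gg.1 lists them as a pair. Both are wording and style only; the behaviour is unchanged. main's body starts and ends outside this hunk.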
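Review bot: The failure branch after `tls_config_set_keypair_file(conf, cert, key)` in the second hunk reports `couldn't load cert: %s` with only the certificate path, yet that call also loads the private key, so an unreadable, malformed or mismatched key file is reported as a certificate problem and the libtls reason is dropped. Include the key path and `tls_config_error(conf)` in the message: `errx(1, "couldn't load cert %s / key %s: %s", cert, key, tls_config_error(conf));`. The neighbouring `tls_config_set_protocols` check two lines up compares the result with `== -1`; doing the same here instead of testing truthiness keeps the hunk consistent with the surrounding code. main's body continues outside this hunk.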