tttls1.3 0.3.1 → 0.3.3

data/lib/tttls1.3/message/extension/ech.rb

@@ -26,12 +26,12 @@ module TTTLS13
       #         };
       #     } ECHClientHello;
       class ECHClientHello
-        attr_accessor :extension_type
-        attr_accessor :type
-        attr_accessor :cipher_suite
-        attr_accessor :config_id
-        attr_accessor :enc
-        attr_accessor :payload
+        attr_reader :extension_type
+        attr_reader :type
+        attr_reader :cipher_suite
+        attr_reader :config_id
+        attr_reader :enc
+        attr_reader :payload
 
         # @param type [TTTLS13::Message::Extension::ECHClientHelloType]
         # @param cipher_suite [HpkeSymmetricCipherSuite]
@@ -100,8 +100,9 @@ module TTTLS13
           #
           # @return [TTTLS13::Message::Extensions::ECHClientHello]
           def deserialize_outer_ech(binary)
-            raise Error::ErrorAlerts, :internal_error \
-              if binary.nil? || binary.length < 5
+            raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+            return nil if binary.length < 5
 
             kdf_id = \
               HpkeSymmetricCipherSuite::HpkeKdfId.decode(binary.slice(0, 2))
@@ -111,17 +112,14 @@ module TTTLS13
             cid = Convert.bin2i(binary.slice(4, 1))
             enc_len = Convert.bin2i(binary.slice(5, 2))
             i = 7
-            raise Error::ErrorAlerts, :internal_error \
-              if i + enc_len > binary.length
+            return nil if i + enc_len > binary.length
 
             enc = binary.slice(i, enc_len)
             i += enc_len
-            raise Error::ErrorAlerts, :internal_error \
-              if i + 2 > binary.length
+            return nil if i + 2 > binary.length
 
             payload_len = Convert.bin2i(binary.slice(i, 2))
-            raise Error::ErrorAlerts, :internal_error \
-              if i + payload_len > binary.length
+            return nil if i + payload_len > binary.length
 
             payload = binary.slice(i, payload_len)
             ECHClientHello.new(
@@ -139,7 +137,7 @@ module TTTLS13
           #
           # @return [TTTLS13::Message::Extensions::ECHClientHello]
           def deserialize_inner_ech(binary)
-            raise Error::ErrorAlerts, :internal_error unless binary.empty?
+            raise Error::ErrorAlerts, :illegal_parameter unless binary.empty?
 
             ECHClientHello.new(type: ECHClientHelloType::INNER)
           end
@@ -172,8 +170,8 @@ module TTTLS13
       #         ECHConfigList retry_configs;
       #     } ECHEncryptedExtensions;
       class ECHEncryptedExtensions
-        attr_accessor :extension_type
-        attr_accessor :retry_configs
+        attr_reader :extension_type
+        attr_reader :retry_configs
 
         # @param retry_configs [Array of ECHConfig]
         def initialize(retry_configs)
@@ -195,9 +193,8 @@ module TTTLS13
         #
         # @return [TTTLS13::Message::Extensions::ECHEncryptedExtensions]
         def self.deserialize(binary)
-          raise Error::ErrorAlerts, :decode_error \
-            if binary.nil? ||
-               binary.length != binary.slice(0, 2).unpack1('n') + 2
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+          return nil if binary.length != binary.slice(0, 2).unpack1('n') + 2
 
           ECHEncryptedExtensions.new(
             ECHConfig.decode_vectors(binary.slice(2..))
@@ -210,8 +207,8 @@ module TTTLS13
       #         opaque confirmation[8];
       #     } ECHHelloRetryRequest;
       class ECHHelloRetryRequest
-        attr_accessor :extension_type
-        attr_accessor :confirmation
+        attr_reader :extension_type
+        attr_reader :confirmation
 
         # @param confirmation [String]
         def initialize(confirmation)
@@ -230,8 +227,8 @@ module TTTLS13
         #
         # @return [TTTLS13::Message::Extensions::ECHHelloRetryRequest]
         def self.deserialize(binary)
-          raise Error::ErrorAlerts, :decode_error \
-            if binary.nil? || binary.length != 8
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+          return nil if binary.length != 8
 
           ECHHelloRetryRequest.new(binary)
         end

data/lib/tttls1.3/message/extension/ech_outer_extensions.rb

@@ -0,0 +1,52 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    module Extension
+      # NOTE:
+      #     ExtensionType OuterExtensions<2..254>;
+      class ECHOuterExtensions
+        attr_reader :extension_type
+        attr_reader :outer_extensions
+
+        # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+        def initialize(outer_extensions)
+          @extension_type = ExtensionType::ECH_OUTER_EXTENSIONS
+          @outer_extensions = outer_extensions
+        end
+
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [String]
+        def serialize
+          binary = @outer_extensions.join.prefix_uint8_length
+          @extension_type + binary.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHOuterExtensions]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+          return nil if binary.length < 2
+
+          exlist_len = Convert.bin2i(binary.slice(0, 1))
+          i = 1
+          outer_extensions = []
+          while i < exlist_len + 1
+            outer_extensions << binary.slice(i, 2)
+            i += 2
+          end
+          return nil unless outer_extensions.length * 2 == exlist_len
+
+          ECHOuterExtensions.new(outer_extensions)
+        end
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/extension/signature_algorithms.rb

@@ -21,8 +21,8 @@ module TTTLS13
           SignatureScheme::RSA_PKCS1_SHA512
         ].freeze
 
-        attr_accessor :extension_type # for signature_algorithms_cert getter
-        attr_reader   :supported_signature_algorithms
+        attr_reader :extension_type # for signature_algorithms_cert getter
+        attr_reader :supported_signature_algorithms
 
         # @param supported_signature_algorithms [Array of SignatureScheme]
         def initialize(supported_signature_algorithms)

data/lib/tttls1.3/message/extension/supported_versions.rb

@@ -6,9 +6,9 @@ module TTTLS13
   module Message
     module Extension
       class SupportedVersions
-        attr_reader   :extension_type
-        attr_accessor :msg_type
-        attr_accessor :versions
+        attr_reader :extension_type
+        attr_reader :msg_type
+        attr_reader :versions
 
         # @param msg_type [TTTLS13::Message::ContentType]
         # @param versions [Array of ProtocolVersion]

data/lib/tttls1.3/message/extension/unknown_extension.rb

@@ -9,8 +9,8 @@ module TTTLS13
       # Client/Server MUST ignore unrecognized extensions,
       # but transcript MUST include unrecognized extensions.
       class UnknownExtension
-        attr_accessor :extension_type
-        attr_accessor :extension_data
+        attr_reader :extension_type
+        attr_reader :extension_data
 
         # @param extension_type [String]
         # @param extension_data [String]

data/lib/tttls1.3/message/extensions.rb

@@ -105,6 +105,34 @@ module TTTLS13
         store(ex.extension_type, ex)
       end
 
+      # removing and replacing extensions from EncodedClientHelloInner
+      # with a single "ech_outer_extensions"
+      #
+      # for example
+      # - before
+      #   - self.keys:  [A B C D E]
+      #   - param    :  [D B]
+      # - after remove_and_replace!
+      #   - self.keys:  [A C E B D]
+      #   - return   :  [A C E ech_outer_extensions[B D]]
+      # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+      #
+      # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+      def remove_and_replace!(outer_extensions)
+        tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+        tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+        clear
+        replaced = Message::Extensions.new
+
+        tmp1.each_value { |v| self << v; replaced << v }
+        tmp2.each_value { |v| self << v }
+        replaced << Message::Extension::ECHOuterExtensions.new(tmp2.keys) \
+          unless tmp2.keys.empty?
+
+        replaced
+      end
+
       class << self
         private
 
@@ -173,6 +201,8 @@ module TTTLS13
             else
               Extension::UnknownExtension.deserialize(binary, extension_type)
             end
+          when ExtensionType::ECH_OUTER_EXTENSIONS
+            Extension::ECHOuterExtensions.deserialize(binary)
           else
             Extension::UnknownExtension.deserialize(binary, extension_type)
           end

data/lib/tttls1.3/message.rb

@@ -74,6 +74,7 @@ module TTTLS13
       KEY_SHARE                              = "\x00\x33"
       # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-11.1
       ENCRYPTED_CLIENT_HELLO                 = "\xfe\x0d"
+      ECH_OUTER_EXTENSIONS                   = "\xfd\x00"
     end
 
     DEFINED_EXTENSIONS = ExtensionType.constants.map do |c|

data/lib/tttls1.3/server.rb

@@ -66,13 +66,15 @@ module TTTLS13
   private_constant :DEFAULT_SERVER_SETTINGS
 
   # rubocop: disable Metrics/ClassLength
-  class Server < Connection
+  class Server
+    include Logging
+
+    attr_reader :transcript
+
     # @param socket [Socket]
     # @param settings [Hash]
     def initialize(socket, **settings)
-      super(socket)
-
-      @endpoint = :server
+      @connection = Connection.new(socket, :server)
       @settings = DEFAULT_SERVER_SETTINGS.merge(settings)
       logger.level = @settings[:loglevel]
 
@@ -144,7 +146,7 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def accept
-      transcript = Transcript.new
+      @transcript = Transcript.new
       key_schedule = nil # TTTLS13::KeySchedule
       priv_key = nil # OpenSSL::PKey::$Object
       hs_wcipher = nil # TTTLS13::Cryptograph::$Object
@@ -159,24 +161,27 @@ module TTTLS13
         end
       end
 
-      @state = ServerState::START
+      @connection.state = ServerState::START
       loop do
-        case @state
+        case @connection.state
         when ServerState::START
           logger.debug('ServerState::START')
 
-          receivable_ccs = transcript.include?(CH1)
-          ch, = transcript[CH] = recv_client_hello(receivable_ccs)
+          receivable_ccs = @transcript.include?(CH1)
+          ch, = @transcript[CH] = recv_client_hello(receivable_ccs)
 
           # support only TLS 1.3
-          terminate(:protocol_version) unless ch.negotiated_tls_1_3?
+          @connection.terminate(:protocol_version) unless ch.negotiated_tls_1_3?
 
           # validate parameters
-          terminate(:illegal_parameter) unless ch.appearable_extensions?
-          terminamte(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
+            unless ch.appearable_extensions?
+          @connection.terminate(:illegal_parameter) \
             unless ch.legacy_compression_methods == ["\x00"]
-          terminate(:illegal_parameter) unless ch.valid_key_share?
-          terminate(:unrecognized_name) unless recognized_server_name?(ch, @crt)
+          @connection.terminate(:illegal_parameter) \
+            unless ch.valid_key_share?
+          @connection.terminate(:unrecognized_name) \
+            unless recognized_server_name?(ch, @crt)
 
           # alpn
           ch_alpn = ch.extensions[
@@ -186,109 +191,109 @@ module TTTLS13
             @alpn = ch_alpn.protocol_name_list
                            .find { |p| @settings[:alpn].include?(p) }
 
-            terminate(:no_application_protocol) if @alpn.nil?
+            @connection.terminate(:no_application_protocol) if @alpn.nil?
           end
 
           # record_size_limit
           ch_rsl = ch.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
           @send_record_size = ch_rsl.record_size_limit unless ch_rsl.nil?
 
-          @state = ServerState::RECVD_CH
+          @connection.state = ServerState::RECVD_CH
         when ServerState::RECVD_CH
           logger.debug('ServerState::RECVD_CH')
 
           # select parameters
-          ch, = transcript[CH]
+          ch, = @transcript[CH]
           @cipher_suite = select_cipher_suite(ch)
           @named_group = select_named_group(ch)
           @signature_scheme = select_signature_scheme(ch, @crt)
-          terminate(:handshake_failure) \
+          @connection.terminate(:handshake_failure) \
             if @cipher_suite.nil? || @signature_scheme.nil?
 
           # send HRR
           if @named_group.nil?
-            ch1, = transcript[CH1] = transcript.delete(CH)
+            ch1, = @transcript[CH1] = @transcript.delete(CH)
             hrr = send_hello_retry_request(ch1, @cipher_suite)
-            transcript[HRR] = [hrr, hrr.serialize]
-            @state = ServerState::START
+            @transcript[HRR] = [hrr, hrr.serialize]
+            @connection.state = ServerState::START
             next
           end
-          @state = ServerState::NEGOTIATED
+          @connection.state = ServerState::NEGOTIATED
         when ServerState::NEGOTIATED
           logger.debug('ServerState::NEGOTIATED')
 
-          ch, = transcript[CH]
+          ch, = @transcript[CH]
           extensions, priv_key = gen_sh_extensions(@named_group)
           sh = send_server_hello(
             extensions,
             @cipher_suite,
             ch.legacy_session_id
           )
-          transcript[SH] = [sh, sh.serialize]
-          send_ccs if @settings[:compatibility_mode]
+          @transcript[SH] = [sh, sh.serialize]
+          @connection.send_ccs if @settings[:compatibility_mode]
 
           # generate shared secret
           ke = ch.extensions[Message::ExtensionType::KEY_SHARE]
                 &.key_share_entry
                 &.find { |kse| kse.group == @named_group }
                 &.key_exchange
-          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
+          shared_secret = Endpoint.gen_shared_secret(ke, priv_key, @named_group)
           key_schedule = KeySchedule.new(
             psk: @psk,
             shared_secret: shared_secret,
             cipher_suite: @cipher_suite,
-            transcript: transcript
+            transcript: @transcript
           )
-          @alert_wcipher = hs_wcipher = gen_cipher(
+          @connection.alert_wcipher = hs_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_handshake_write_key,
             key_schedule.server_handshake_write_iv
           )
           sslkeylogfile&.write_server_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_handshake_traffic_secret
           )
-          hs_rcipher = gen_cipher(
+          hs_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_handshake_write_key,
             key_schedule.client_handshake_write_iv
           )
           sslkeylogfile&.write_client_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_handshake_traffic_secret
           )
-          @state = ServerState::WAIT_FLIGHT2
+          @connection.state = ServerState::WAIT_FLIGHT2
         when ServerState::WAIT_EOED
           logger.debug('ServerState::WAIT_EOED')
         when ServerState::WAIT_FLIGHT2
           logger.debug('ServerState::WAIT_FLIGHT2')
 
-          ch, = transcript[CH]
+          ch, = @transcript[CH]
           rsl = @send_record_size \
             if ch.extensions.include?(Message::ExtensionType::RECORD_SIZE_LIMIT)
           ee = gen_encrypted_extensions(ch, @alpn, rsl)
-          transcript[EE] = [ee, ee.serialize]
+          @transcript[EE] = [ee, ee.serialize]
           # TODO: [Send CertificateRequest]
 
           # status_request
           ocsp_response = fetch_ocsp_response \
             if ch.extensions.include?(Message::ExtensionType::STATUS_REQUEST)
           ct = gen_certificate(@crt, ch, @chain, ocsp_response)
-          transcript[CT] = [ct, ct.serialize]
+          @transcript[CT] = [ct, ct.serialize]
           digest = CipherSuite.digest(@cipher_suite)
-          hash = transcript.hash(digest, CT)
+          hash = @transcript.hash(digest, CT)
           cv = gen_certificate_verify(@key, @signature_scheme, hash)
-          transcript[CV] = [cv, cv.serialize]
+          @transcript[CV] = [cv, cv.serialize]
           finished_key = key_schedule.server_finished_key
-          signature = sign_finished(
+          signature = Endpoint.sign_finished(
             digest: digest,
             finished_key: finished_key,
-            hash: transcript.hash(digest, CV)
+            hash: @transcript.hash(digest, CV)
           )
           sf = Message::Finished.new(signature)
-          transcript[SF] = [sf, sf.serialize]
+          @transcript[SF] = [sf, sf.serialize]
           send_server_parameters([ee, ct, cv, sf], hs_wcipher)
-          @state = ServerState::WAIT_FINISHED
+          @connection.state = ServerState::WAIT_FINISHED
         when ServerState::WAIT_CERT
           logger.debug('ServerState::WAIT_CERT')
         when ServerState::WAIT_CV
@@ -296,35 +301,36 @@ module TTTLS13
         when ServerState::WAIT_FINISHED
           logger.debug('ServerState::WAIT_FINISHED')
 
-          cf, = transcript[CF] = recv_finished(hs_rcipher)
+          cf, = @transcript[CF] = recv_finished(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          verified = verified_finished?(
+          verified = Endpoint.verified_finished?(
             finished: cf,
             digest: digest,
             finished_key: key_schedule.client_finished_key,
-            hash: transcript.hash(digest, EOED)
+            hash: @transcript.hash(digest, EOED)
           )
-          terminate(:decrypt_error) unless verified
-          @alert_wcipher = @ap_wcipher = gen_cipher(
+          @connection.terminate(:decrypt_error) unless verified
+          @connection.ap_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_application_write_key,
             key_schedule.server_application_write_iv
           )
+          @connection.alert_wcipher = @connection.ap_wcipher
           sslkeylogfile&.write_server_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_application_traffic_secret
           )
-          @ap_rcipher = gen_cipher(
+          @connection.ap_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_application_write_key,
             key_schedule.client_application_write_iv
           )
           sslkeylogfile&.write_client_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_application_traffic_secret
           )
           @exporter_secret = key_schedule.exporter_secret
-          @state = ServerState::CONNECTED
+          @connection.state = ServerState::CONNECTED
         when ServerState::CONNECTED
           logger.debug('ServerState::CONNECTED')
 
@@ -339,6 +345,59 @@ module TTTLS13
     # rubocop: enable Metrics/MethodLength
     # rubocop: enable Metrics/PerceivedComplexity
 
+    # @raise [TTTLS13::Error::ConfigError]
+    #
+    # @return [String]
+    def read
+      @connection.read(nil)
+    end
+
+    # @param binary [String]
+    def write(binary)
+      @connection.write(binary)
+    end
+
+    # @return [Boolean]
+    def eof?
+      @connection.eof?
+    end
+
+    def close
+      @connection.close
+    end
+
+    # @return [TTTLS13::CipherSuite, nil]
+    def negotiated_cipher_suite
+      @cipher_suite
+    end
+
+    # @return [TTTLS13::NamedGroup, nil]
+    def negotiated_named_group
+      @named_group
+    end
+
+    # @return [TTTLS13::SignatureScheme, nil]
+    def negotiated_signature_scheme
+      @signature_scheme
+    end
+
+    # @return [String]
+    def negotiated_alpn
+      @alpn
+    end
+
+    # @param label [String]
+    # @param context [String]
+    # @param key_length [Integer]
+    #
+    # @return [String, nil]
+    def exporter(label, context, key_length)
+      return nil if @exporter_secret.nil? || @cipher_suite.nil?
+
+      digest = CipherSuite.digest(@cipher_suite)
+      Endpoint.exporter(@exporter_secret, digest, label, context, key_length)
+    end
+
     private
 
     # @return [Boolean]
@@ -365,11 +424,12 @@ module TTTLS13
     # @return [TTTLS13::Message::ClientHello]
     # @return [String]
     def recv_client_hello(receivable_ccs)
-      ch, orig_msg = recv_message(
+      ch, orig_msg = @connection.recv_message(
         receivable_ccs: receivable_ccs,
         cipher: Cryptograph::Passer.new
       )
-      terminate(:unexpected_message) unless ch.is_a?(Message::ClientHello)
+      @connection.terminate(:unexpected_message) \
+        unless ch.is_a?(Message::ClientHello)
 
       [ch, orig_msg]
     end
@@ -385,8 +445,8 @@ module TTTLS13
         cipher_suite: cipher_suite,
         extensions: extensions
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [sh],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [sh],
+                                  Cryptograph::Passer.new)
 
       sh
     end
@@ -420,8 +480,8 @@ module TTTLS13
         cipher_suite: cipher_suite,
         extensions: exs
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [sh],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [sh],
+                                  Cryptograph::Passer.new)
 
       sh
     end
@@ -431,8 +491,8 @@ module TTTLS13
     #
     # @return [Array of TTTLS13::Message::$Object]
     def send_server_parameters(messages, cipher)
-      send_handshakes(Message::ContentType::APPLICATION_DATA,
-                      messages.reject(&:nil?), cipher)
+      @connection.send_handshakes(Message::ContentType::APPLICATION_DATA,
+                                  messages.reject(&:nil?), cipher)
 
       messages
     end
@@ -505,8 +565,10 @@ module TTTLS13
     # @return [TTTLS13::Message::Finished]
     # @return [String]
     def recv_finished(cipher)
-      cf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless cf.is_a?(Message::Finished)
+      cf, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless cf.is_a?(Message::Finished)
 
       [cf, orig_msg]
     end
@@ -563,7 +625,7 @@ module TTTLS13
     #
     # @return [String]
     def sign_certificate_verify(key:, signature_scheme:, hash:)
-      do_sign_certificate_verify(
+      Endpoint.sign_certificate_verify(
         key: key,
         signature_scheme: signature_scheme,
         context: 'TLS 1.3, server CertificateVerify',
@@ -600,7 +662,7 @@ module TTTLS13
       algorithms = ch.extensions[Message::ExtensionType::SIGNATURE_ALGORITHMS]
                     &.supported_signature_algorithms || []
 
-      do_select_signature_algorithms(algorithms, crt).find do |ss|
+      Endpoint.select_signature_algorithms(algorithms, crt).find do |ss|
         @settings[:signature_algorithms].include?(ss)
       end
     end
@@ -614,7 +676,7 @@ module TTTLS13
                      &.server_name
       return true if server_name.nil?
 
-      matching_san?(crt, server_name)
+      Endpoint.matching_san?(crt, server_name)
     end
 
     # @return [OpenSSL::OCSP::Response, nil]

data/lib/tttls1.3/utils.rb

@@ -91,6 +91,43 @@ module TTTLS13
       def bin2i(binary)
         OpenSSL::BN.new(binary, 2).to_i
       end
+
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
+      def obj2html(obj)
+        if obj.is_a?(OpenSSL::X509::Certificate)
+          obj.to_pem.gsub("\n", '<br>')
+        elsif obj.is_a?(Numeric) ||
+              obj.is_a?(TrueClass) || obj.is_a?(FalseClass)
+          obj.pretty_print_inspect
+        elsif obj.is_a?(String) && obj.empty?
+          ''
+        elsif obj.is_a? String
+          '0x' + obj.unpack1('H*')
+        elsif obj.is_a? NilClass
+          ''
+        elsif obj.is_a? Array
+          '<ul>' + obj.map { |i| '<li>' + obj2html(i) + '</li>' }.join + '</ul>'
+        elsif obj.is_a? Hash
+          obj.map do |k, v|
+            '<details><summary>' + obj2html(k) + '</summary>' \
+            + obj2html(v) \
+            + '</details>'
+          end.join
+        elsif obj.is_a?(Object) && !obj.instance_variables.empty?
+          obj.instance_variables.map do |i|
+            '<details><summary>' + i[1..] + '</summary>' \
+            + obj2html(obj.instance_variable_get(i)) \
+            + '</details>'
+          end.join
+        else
+          obj.class.name
+        end
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
     end
   end
 end