@gjsify/tls 0.1.0

package/README.md

@@ -0,0 +1,27 @@
+# @gjsify/tls
+
+GJS partial implementation of the Node.js `tls` module using Gio.TlsClientConnection.
+
+Part of the [gjsify](https://github.com/gjsify/gjsify) project — Node.js and Web APIs for GJS (GNOME JavaScript).
+
+## Installation
+
+```bash
+npm install @gjsify/tls
+# or
+yarn add @gjsify/tls
+```
+
+## Usage
+
+```typescript
+import { TLSSocket, connect } from '@gjsify/tls';
+
+const socket = connect({ host: 'example.com', port: 443 }, () => {
+  console.log('Connected');
+});
+```
+
+## License
+
+MIT

package/lib/esm/index.js

@@ -0,0 +1,377 @@
+import Gio from "@girs/gio-2.0";
+import GLib from "@girs/glib-2.0";
+import { Socket, Server } from "node:net";
+import { createNodeError, deferEmit } from "@gjsify/utils";
+const DEFAULT_MIN_VERSION = "TLSv1.2";
+const DEFAULT_MAX_VERSION = "TLSv1.3";
+const DEFAULT_CIPHERS = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
+function getCiphers() {
+  return [
+    "aes-128-gcm",
+    "aes-256-gcm",
+    "chacha20-poly1305",
+    "aes-128-cbc",
+    "aes-256-cbc"
+  ];
+}
+function unfqdn(host) {
+  return host.endsWith(".") ? host.slice(0, -1) : host;
+}
+function splitHost(host) {
+  return unfqdn(host).toLowerCase().split(".");
+}
+function checkWildcard(hostParts, pattern) {
+  const patParts = splitHost(pattern);
+  if (patParts.length !== hostParts.length) return false;
+  if (patParts[0] === "*") {
+    return patParts.slice(1).join(".") === hostParts.slice(1).join(".");
+  }
+  return patParts.every((p, i) => p === hostParts[i]);
+}
+function checkServerIdentity(hostname, cert) {
+  const subject = cert.subject;
+  const altNames = cert.subjectaltname;
+  const dnsNames = [];
+  const ips = [];
+  hostname = String(hostname);
+  if (altNames) {
+    const parts = altNames.split(", ");
+    for (const name of parts) {
+      if (name.startsWith("DNS:")) {
+        dnsNames.push(name.slice(4));
+      } else if (name.startsWith("IP Address:")) {
+        ips.push(name.slice(11).trim());
+      }
+    }
+  }
+  let valid = false;
+  let reason = "Unknown reason";
+  hostname = unfqdn(hostname);
+  const isIPv4 = /^(\d{1,3}\.){3}\d{1,3}$/.test(hostname);
+  const isIPv6 = hostname.includes(":");
+  if (isIPv4 || isIPv6) {
+    valid = ips.some((ip) => ip.toLowerCase() === hostname.toLowerCase());
+    if (!valid)
+      reason = `IP: ${hostname} is not in the cert's list: ${ips.join(", ")}`;
+  } else if (dnsNames.length > 0 || subject?.CN) {
+    const hostParts = splitHost(hostname);
+    if (dnsNames.length > 0) {
+      valid = dnsNames.some((pattern) => checkWildcard(hostParts, pattern));
+      if (!valid)
+        reason = `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
+    } else {
+      const cn = subject.CN;
+      if (Array.isArray(cn)) {
+        valid = cn.some((c) => checkWildcard(hostParts, c));
+      } else if (cn) {
+        valid = checkWildcard(hostParts, cn);
+      }
+      if (!valid)
+        reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
+    }
+  } else {
+    reason = "Cert does not contain a DNS name";
+  }
+  if (!valid) {
+    const err = new Error(reason);
+    err.reason = reason;
+    err.host = hostname;
+    err.cert = cert;
+    return err;
+  }
+  return void 0;
+}
+class TLSSocket extends Socket {
+  encrypted = true;
+  authorized = false;
+  authorizationError;
+  alpnProtocol = false;
+  /** @internal */
+  _tlsConnection = null;
+  constructor(socket, options) {
+    super();
+  }
+  /**
+   * @internal Wire the TLS connection's I/O streams into this socket
+   * so that read/write operations go through the encrypted channel.
+   */
+  _setupTlsStreams(tlsConn) {
+    this._tlsConnection = tlsConn;
+    this._inputStream = tlsConn.get_input_stream();
+    this._outputStream = tlsConn.get_output_stream();
+    this._connection = tlsConn;
+  }
+  /** Get the peer certificate info. */
+  getPeerCertificate(_detailed) {
+    if (!this._tlsConnection) return {};
+    try {
+      const cert = this._tlsConnection.get_peer_certificate();
+      if (!cert) return {};
+      return {
+        subject: {},
+        issuer: {},
+        valid_from: "",
+        valid_to: ""
+      };
+    } catch {
+      return {};
+    }
+  }
+  /** Get the negotiated TLS protocol version. */
+  getProtocol() {
+    if (!this._tlsConnection) return null;
+    try {
+      const proto = this._tlsConnection.get_protocol_version();
+      switch (proto) {
+        case Gio.TlsProtocolVersion.TLS_1_0:
+          return "TLSv1";
+        case Gio.TlsProtocolVersion.TLS_1_1:
+          return "TLSv1.1";
+        case Gio.TlsProtocolVersion.TLS_1_2:
+          return "TLSv1.2";
+        case Gio.TlsProtocolVersion.TLS_1_3:
+          return "TLSv1.3";
+        default:
+          return null;
+      }
+    } catch {
+      return null;
+    }
+  }
+  /** Get the cipher info. */
+  getCipher() {
+    if (!this._tlsConnection) return null;
+    try {
+      const name = this._tlsConnection.get_ciphersuite_name();
+      return { name: name || "unknown", version: this.getProtocol() || "unknown" };
+    } catch {
+      return null;
+    }
+  }
+  /** Get the negotiated ALPN protocol. */
+  getAlpnProtocol() {
+    if (!this._tlsConnection) return false;
+    try {
+      const proto = this._tlsConnection.get_negotiated_protocol();
+      return proto || false;
+    } catch {
+      return false;
+    }
+  }
+}
+function connect(options, callback) {
+  const socket = new TLSSocket(void 0, options);
+  if (callback) {
+    socket.once("secureConnect", callback);
+  }
+  const port = options.port || 443;
+  const host = options.host || "localhost";
+  const servername = options.servername || host;
+  const rejectUnauthorized = options.rejectUnauthorized !== false;
+  socket.once("connect", () => {
+    const rawConnection = socket._connection;
+    if (!rawConnection) {
+      socket.destroy(new Error("No underlying connection for TLS upgrade"));
+      return;
+    }
+    try {
+      const connectable = Gio.NetworkAddress.new(servername, port);
+      const tlsConn = Gio.TlsClientConnection.new(
+        rawConnection,
+        connectable
+      );
+      tlsConn.set_server_identity(connectable);
+      if (options.ALPNProtocols && options.ALPNProtocols.length > 0) {
+        try {
+          tlsConn.set_advertised_protocols(options.ALPNProtocols);
+        } catch {
+        }
+      }
+      if (!rejectUnauthorized) {
+        tlsConn.connect(
+          "accept-certificate",
+          () => true
+        );
+      }
+      const cancellable = new Gio.Cancellable();
+      tlsConn.handshake_async(
+        GLib.PRIORITY_DEFAULT,
+        cancellable,
+        (_source, asyncResult) => {
+          try {
+            tlsConn.handshake_finish(asyncResult);
+            socket.authorized = true;
+            socket._setupTlsStreams(tlsConn);
+            socket.alpnProtocol = socket.getAlpnProtocol();
+            socket._reading = false;
+            socket._startReading();
+            socket.emit("secureConnect");
+          } catch (err) {
+            socket.authorized = false;
+            socket.authorizationError = err instanceof Error ? err.message : String(err);
+            if (rejectUnauthorized) {
+              socket.destroy(err instanceof Error ? err : new Error(String(err)));
+            } else {
+              socket._setupTlsStreams(tlsConn);
+              socket.emit("secureConnect");
+            }
+          }
+        }
+      );
+    } catch (err) {
+      socket.destroy(err instanceof Error ? err : new Error(String(err)));
+    }
+  });
+  socket.connect({ port, host });
+  return socket;
+}
+function createSecureContext(options) {
+  return { context: options || {} };
+}
+const rootCertificates = [];
+function buildGioCertificate(cert, key) {
+  const certStr = Array.isArray(cert) ? cert.map((c) => typeof c === "string" ? c : c.toString("utf-8")).join("\n") : typeof cert === "string" ? cert : cert.toString("utf-8");
+  const keyStr = key ? Array.isArray(key) ? key.map((k) => typeof k === "string" ? k : k.toString("utf-8")).join("\n") : typeof key === "string" ? key : key.toString("utf-8") : "";
+  const pem = keyStr ? `${certStr}
+${keyStr}` : certStr;
+  return Gio.TlsCertificate.new_from_pem(pem, pem.length);
+}
+class TLSServer extends Server {
+  _tlsCertificate = null;
+  _tlsOptions;
+  _sniContexts = /* @__PURE__ */ new Map();
+  constructor(options, secureConnectionListener) {
+    super();
+    this._tlsOptions = options || {};
+    if (secureConnectionListener) {
+      this.on("secureConnection", secureConnectionListener);
+    }
+    if (this._tlsOptions.cert) {
+      try {
+        this._tlsCertificate = buildGioCertificate(this._tlsOptions.cert, this._tlsOptions.key);
+      } catch (err) {
+        deferEmit(this, "error", createNodeError(err, "createServer", {}));
+      }
+    }
+  }
+  /**
+   * Add a context for SNI (Server Name Indication).
+   */
+  addContext(hostname, context) {
+    if (context.cert) {
+      try {
+        const cert = buildGioCertificate(context.cert, context.key);
+        this._sniContexts.set(hostname, cert);
+      } catch (err) {
+        this.emit("error", createNodeError(err, "addContext", {}));
+      }
+    }
+  }
+  listen(...args) {
+    this.on("connection", (socket) => {
+      this._upgradeTls(socket);
+    });
+    return super.listen(...args);
+  }
+  /**
+   * Upgrade a raw TCP socket to TLS using Gio.TlsServerConnection.
+   */
+  _upgradeTls(socket) {
+    const rawConnection = socket._connection;
+    if (!rawConnection) {
+      const err = new Error("Cannot upgrade socket: no underlying connection");
+      this.emit("tlsClientError", err, socket);
+      socket.destroy();
+      return;
+    }
+    if (!this._tlsCertificate) {
+      const err = new Error("TLS server has no certificate configured");
+      this.emit("tlsClientError", err, socket);
+      socket.destroy();
+      return;
+    }
+    try {
+      const tlsConn = Gio.TlsServerConnection.new(
+        rawConnection,
+        this._tlsCertificate
+      );
+      if (this._tlsOptions.requestCert) {
+        tlsConn.authenticationMode = this._tlsOptions.rejectUnauthorized !== false ? Gio.TlsAuthenticationMode.REQUIRED : Gio.TlsAuthenticationMode.REQUESTED;
+      } else {
+        tlsConn.authenticationMode = Gio.TlsAuthenticationMode.NONE;
+      }
+      if (this._tlsOptions.rejectUnauthorized === false) {
+        tlsConn.connect(
+          "accept-certificate",
+          () => true
+        );
+      }
+      if (this._tlsOptions.ALPNProtocols && this._tlsOptions.ALPNProtocols.length > 0) {
+        try {
+          tlsConn.set_advertised_protocols(this._tlsOptions.ALPNProtocols);
+        } catch {
+        }
+      }
+      const cancellable = new Gio.Cancellable();
+      tlsConn.handshake_async(
+        GLib.PRIORITY_DEFAULT,
+        cancellable,
+        (_source, asyncResult) => {
+          try {
+            tlsConn.handshake_finish(asyncResult);
+            const tlsSocket = new TLSSocket();
+            tlsSocket.encrypted = true;
+            tlsSocket.authorized = true;
+            tlsSocket._setupTlsStreams(tlsConn);
+            tlsSocket.alpnProtocol = tlsSocket.getAlpnProtocol();
+            tlsSocket._startReading();
+            this.emit("secureConnection", tlsSocket);
+          } catch (err) {
+            const nodeErr = createNodeError(err, "handshake", {});
+            this.emit("tlsClientError", nodeErr, socket);
+            socket.destroy();
+          }
+        }
+      );
+    } catch (err) {
+      const nodeErr = createNodeError(err, "tls_wrap", {});
+      this.emit("tlsClientError", nodeErr, socket);
+      socket.destroy();
+    }
+  }
+}
+function createServer(optionsOrListener, secureConnectionListener) {
+  if (typeof optionsOrListener === "function") {
+    return new TLSServer(void 0, optionsOrListener);
+  }
+  return new TLSServer(optionsOrListener, secureConnectionListener);
+}
+var index_default = {
+  TLSSocket,
+  TLSServer,
+  Server: TLSServer,
+  connect,
+  createServer,
+  createSecureContext,
+  checkServerIdentity,
+  getCiphers,
+  rootCertificates,
+  DEFAULT_MIN_VERSION,
+  DEFAULT_MAX_VERSION,
+  DEFAULT_CIPHERS
+};
+export {
+  DEFAULT_CIPHERS,
+  DEFAULT_MAX_VERSION,
+  DEFAULT_MIN_VERSION,
+  TLSServer as Server,
+  TLSServer,
+  TLSSocket,
+  checkServerIdentity,
+  connect,
+  createSecureContext,
+  createServer,
+  index_default as default,
+  getCiphers,
+  rootCertificates
+};

package/lib/types/index.d.ts

@@ -0,0 +1,121 @@
+import Gio from '@girs/gio-2.0';
+import { Socket, Server } from 'node:net';
+export declare const DEFAULT_MIN_VERSION = "TLSv1.2";
+export declare const DEFAULT_MAX_VERSION = "TLSv1.3";
+export declare const DEFAULT_CIPHERS = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
+/** Returns a list of supported TLS cipher names (subset; implementation-defined). */
+export declare function getCiphers(): string[];
+export interface PeerCertificate {
+    subject?: {
+        CN?: string | string[];
+        [key: string]: unknown;
+    };
+    subjectaltname?: string;
+    [key: string]: unknown;
+}
+/**
+ * Verifies that the certificate `cert` is valid for `hostname`.
+ * Returns an Error if the check fails, or undefined on success.
+ *
+ * Reference: Node.js lib/tls.js exports.checkServerIdentity
+ */
+export declare function checkServerIdentity(hostname: string, cert: PeerCertificate): Error | undefined;
+export interface SecureContextOptions {
+    ca?: string | Buffer | Array<string | Buffer>;
+    cert?: string | Buffer | Array<string | Buffer>;
+    key?: string | Buffer | Array<string | Buffer>;
+    rejectUnauthorized?: boolean;
+}
+export interface TlsConnectOptions extends SecureContextOptions {
+    host?: string;
+    port?: number;
+    socket?: Socket;
+    servername?: string;
+    ALPNProtocols?: string[];
+}
+/**
+ * TLSSocket wraps a net.Socket with TLS via Gio.TlsConnection.
+ */
+export declare class TLSSocket extends Socket {
+    encrypted: boolean;
+    authorized: boolean;
+    authorizationError?: string;
+    alpnProtocol: string | false;
+    /** @internal */
+    _tlsConnection: Gio.TlsConnection | null;
+    constructor(socket?: Socket, options?: SecureContextOptions);
+    /**
+     * @internal Wire the TLS connection's I/O streams into this socket
+     * so that read/write operations go through the encrypted channel.
+     */
+    _setupTlsStreams(tlsConn: Gio.TlsConnection): void;
+    /** Get the peer certificate info. */
+    getPeerCertificate(_detailed?: boolean): any;
+    /** Get the negotiated TLS protocol version. */
+    getProtocol(): string | null;
+    /** Get the cipher info. */
+    getCipher(): {
+        name: string;
+        version: string;
+    } | null;
+    /** Get the negotiated ALPN protocol. */
+    getAlpnProtocol(): string | false;
+}
+/**
+ * Create a TLS client connection.
+ *
+ * Connects via TCP first (using net.Socket.connect), then upgrades
+ * the connection to TLS using Gio.TlsClientConnection.
+ */
+export declare function connect(options: TlsConnectOptions, callback?: () => void): TLSSocket;
+/**
+ * Create a TLS secure context.
+ */
+export declare function createSecureContext(options?: SecureContextOptions): {
+    context: any;
+};
+export declare const rootCertificates: string[];
+export interface TlsServerOptions extends SecureContextOptions {
+    requestCert?: boolean;
+    rejectUnauthorized?: boolean;
+    ALPNProtocols?: string[];
+}
+/**
+ * TLSServer wraps a net.Server to accept TLS connections.
+ */
+export declare class TLSServer extends Server {
+    private _tlsCertificate;
+    private _tlsOptions;
+    private _sniContexts;
+    constructor(options?: TlsServerOptions, secureConnectionListener?: (socket: TLSSocket) => void);
+    /**
+     * Add a context for SNI (Server Name Indication).
+     */
+    addContext(hostname: string, context: SecureContextOptions): void;
+    listen(...args: unknown[]): this;
+    /**
+     * Upgrade a raw TCP socket to TLS using Gio.TlsServerConnection.
+     */
+    private _upgradeTls;
+}
+/**
+ * Create a TLS server.
+ */
+export declare function createServer(options?: TlsServerOptions, secureConnectionListener?: (socket: TLSSocket) => void): TLSServer;
+export declare function createServer(secureConnectionListener?: (socket: TLSSocket) => void): TLSServer;
+export { TLSServer as Server };
+declare const _default: {
+    TLSSocket: typeof TLSSocket;
+    TLSServer: typeof TLSServer;
+    Server: typeof TLSServer;
+    connect: typeof connect;
+    createServer: typeof createServer;
+    createSecureContext: typeof createSecureContext;
+    checkServerIdentity: typeof checkServerIdentity;
+    getCiphers: typeof getCiphers;
+    rootCertificates: string[];
+    DEFAULT_MIN_VERSION: string;
+    DEFAULT_MAX_VERSION: string;
+    DEFAULT_CIPHERS: string;
+};
+export default _default;

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@gjsify/tls",
+  "version": "0.1.0",
+  "description": "Node.js tls module for Gjs",
+  "type": "module",
+  "module": "lib/esm/index.js",
+  "types": "lib/types/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./lib/types/index.d.ts",
+      "default": "./lib/esm/index.js"
+    }
+  },
+  "scripts": {
+    "clear": "rm -rf lib tsconfig.tsbuildinfo tsconfig.types.tsbuildinfo test.gjs.mjs test.node.mjs || exit 0",
+    "check": "tsc --noEmit",
+    "build": "yarn build:gjsify && yarn build:types",
+    "build:gjsify": "gjsify build --library 'src/**/*.{ts,js}' --exclude 'src/**/*.spec.{mts,ts}' 'src/test.{mts,ts}'",
+    "build:types": "tsc",
+    "build:test": "yarn build:test:gjs && yarn build:test:node",
+    "build:test:gjs": "gjsify build src/test.mts --app gjs --outfile test.gjs.mjs",
+    "build:test:node": "gjsify build src/test.mts --app node --outfile test.node.mjs",
+    "test": "yarn build:gjsify && yarn build:test && yarn test:node && yarn test:gjs",
+    "test:gjs": "gjs -m test.gjs.mjs",
+    "test:node": "node test.node.mjs"
+  },
+  "keywords": [
+    "gjs",
+    "node",
+    "tls"
+  ],
+  "devDependencies": {
+    "@gjsify/cli": "^0.1.0",
+    "@gjsify/unit": "^0.1.0",
+    "@types/node": "^25.5.0",
+    "typescript": "^6.0.2"
+  },
+  "dependencies": {
+    "@girs/gio-2.0": "^2.88.0-4.0.0-beta.42",
+    "@girs/glib-2.0": "^2.88.0-4.0.0-beta.42",
+    "@gjsify/net": "^0.1.0",
+    "@gjsify/utils": "^0.1.0"
+  }
+}