@gjsify/tls 0.3.20 → 0.4.0

package/lib/esm/_virtual/_rolldown/runtime.js

@@ -0,0 +1 @@
+var e=Object.defineProperty,__name=(t,n)=>e(t,`name`,{value:n,configurable:!0});export{__name};

package/lib/esm/index.js

@@ -1,3 +1,2 @@
-import e from"@girs/gio-2.0";import t from"@girs/glib-2.0";import{Server as n,Socket as r}from"node:net";import{createNodeError as i,deferEmit as a}from"@gjsify/utils";const o=`TLSv1.2`,s=`TLSv1.3`,c=`TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384`;function l(){return[`aes-128-gcm`,`aes-256-gcm`,`chacha20-poly1305`,`aes-128-cbc`,`aes-256-cbc`]}function u(e){return e.endsWith(`.`)?e.slice(0,-1):e}function d(e){return u(e).toLowerCase().split(`.`)}function f(e,t){let n=d(t);return n.length===e.length?n[0]===`*`?n.slice(1).join(`.`)===e.slice(1).join(`.`):n.every((t,n)=>t===e[n]):!1}function p(e,t){let n=t.subject,r=t.subjectaltname,i=[],a=[];if(e=String(e),r){let e=r.split(`, `);for(let t of e)t.startsWith(`DNS:`)?i.push(t.slice(4)):t.startsWith(`IP Address:`)&&a.push(t.slice(11).trim())}let o=!1,s=`Unknown reason`;e=u(e);let c=/^(\d{1,3}\.){3}\d{1,3}$/.test(e),l=e.includes(`:`);if(c||l)o=a.some(t=>t.toLowerCase()===e.toLowerCase()),o||(s=`IP: ${e} is not in the cert's list: ${a.join(`, `)}`);else if(i.length>0||n?.CN){let t=d(e);if(i.length>0)o=i.some(e=>f(t,e)),o||(s=`Host: ${e}. is not in the cert's altnames: ${r}`);else{let r=n.CN;Array.isArray(r)?o=r.some(e=>f(t,e)):r&&(o=f(t,r)),o||(s=`Host: ${e}. is not cert's CN: ${r}`)}}else s=`Cert does not contain a DNS name`;if(!o){let n=Error(s);return n.reason=s,n.host=e,n.cert=t,n}}var m=class extends r{encrypted=!0;authorized=!1;authorizationError;alpnProtocol=!1;_tlsConnection=null;constructor(e,t){super()}_setupTlsStreams(e){this._tlsConnection=e,this._inputStream=e.get_input_stream(),this._outputStream=e.get_output_stream(),this._connection=e}getPeerCertificate(e){if(!this._tlsConnection)return{};try{return this._tlsConnection.get_peer_certificate()?{subject:{},issuer:{},valid_from:``,valid_to:``}:{}}catch{return{}}}getProtocol(){if(!this._tlsConnection)return null;try{switch(this._tlsConnection.get_protocol_version()){case e.TlsProtocolVersion.TLS_1_0:return`TLSv1`;case e.TlsProtocolVersion.TLS_1_1:return`TLSv1.1`;case e.TlsProtocolVersion.TLS_1_2:return`TLSv1.2`;case e.TlsProtocolVersion.TLS_1_3:return`TLSv1.3`;default:return null}}catch{return null}}getCipher(){if(!this._tlsConnection)return null;try{return{name:this._tlsConnection.get_ciphersuite_name()||`unknown`,version:this.getProtocol()||`unknown`}}catch{return null}}getAlpnProtocol(){if(!this._tlsConnection)return!1;try{return this._tlsConnection.get_negotiated_protocol()||!1}catch{return!1}}};function h(n,r){let i=new m(void 0,n);r&&i.once(`secureConnect`,r);let a=n.port||443,o=n.host||`localhost`,s=n.servername||o,c=n.rejectUnauthorized!==!1;return i.once(`connect`,()=>{let r=i._connection;if(!r){i.destroy(Error(`No underlying connection for TLS upgrade`));return}try{let o=e.NetworkAddress.new(s,a),l=e.TlsClientConnection.new(r,o);if(l.set_server_identity(o),n.ALPNProtocols&&n.ALPNProtocols.length>0)try{l.set_advertised_protocols(n.ALPNProtocols)}catch{}c||l.connect(`accept-certificate`,()=>!0);let u=new e.Cancellable;l.handshake_async(t.PRIORITY_DEFAULT,u,(e,t)=>{try{l.handshake_finish(t),i.authorized=!0,i._setupTlsStreams(l),i.alpnProtocol=i.getAlpnProtocol(),i._reading=!1,i._startReading(),i.emit(`secureConnect`)}catch(e){i.authorized=!1,i.authorizationError=e instanceof Error?e.message:String(e),c?i.destroy(e instanceof Error?e:Error(String(e))):(i._setupTlsStreams(l),i.emit(`secureConnect`))}})}catch(e){i.destroy(e instanceof Error?e:Error(String(e)))}}),i.connect({port:a,host:o}),i}function g(e){return{context:e||{}}}const _=[];function v(t,n){let r=Array.isArray(t)?t.map(e=>typeof e==`string`?e:e.toString(`utf-8`)).join(`
-`):typeof t==`string`?t:t.toString(`utf-8`),i=n?Array.isArray(n)?n.map(e=>typeof e==`string`?e:e.toString(`utf-8`)).join(`
-`):typeof n==`string`?n:n.toString(`utf-8`):``,a=i?`${r}\n${i}`:r;return e.TlsCertificate.new_from_pem(a,a.length)}var y=class extends n{_tlsCertificate=null;_tlsOptions;_sniContexts=new Map;constructor(e,t){if(super(),this._tlsOptions=e||{},t&&this.on(`secureConnection`,t),this._tlsOptions.cert)try{this._tlsCertificate=v(this._tlsOptions.cert,this._tlsOptions.key)}catch(e){a(this,`error`,i(e,`createServer`,{}))}}addContext(e,t){if(t.cert)try{let n=v(t.cert,t.key);this._sniContexts.set(e,n)}catch(e){this.emit(`error`,i(e,`addContext`,{}))}}listen(...e){return this.on(`connection`,e=>{this._upgradeTls(e)}),super.listen(...e)}_upgradeTls(n){let r=n._connection;if(!r){let e=Error(`Cannot upgrade socket: no underlying connection`);this.emit(`tlsClientError`,e,n),n.destroy();return}if(!this._tlsCertificate){let e=Error(`TLS server has no certificate configured`);this.emit(`tlsClientError`,e,n),n.destroy();return}try{let a=e.TlsServerConnection.new(r,this._tlsCertificate);if(this._tlsOptions.requestCert?a.authenticationMode=this._tlsOptions.rejectUnauthorized===!1?e.TlsAuthenticationMode.REQUESTED:e.TlsAuthenticationMode.REQUIRED:a.authenticationMode=e.TlsAuthenticationMode.NONE,this._tlsOptions.rejectUnauthorized===!1&&a.connect(`accept-certificate`,()=>!0),this._tlsOptions.ALPNProtocols&&this._tlsOptions.ALPNProtocols.length>0)try{a.set_advertised_protocols(this._tlsOptions.ALPNProtocols)}catch{}let o=new e.Cancellable;a.handshake_async(t.PRIORITY_DEFAULT,o,(e,t)=>{try{a.handshake_finish(t);let e=new m;e.encrypted=!0,e.authorized=!0,e._setupTlsStreams(a),e.alpnProtocol=e.getAlpnProtocol(),e._startReading(),this.emit(`secureConnection`,e)}catch(e){let t=i(e,`handshake`,{});this.emit(`tlsClientError`,t,n),n.destroy()}})}catch(e){let t=i(e,`tls_wrap`,{});this.emit(`tlsClientError`,t,n),n.destroy()}}};function b(e,t){return typeof e==`function`?new y(void 0,e):new y(e,t)}var x={TLSSocket:m,TLSServer:y,Server:y,connect:h,createServer:b,createSecureContext:g,checkServerIdentity:p,getCiphers:l,rootCertificates:_,DEFAULT_MIN_VERSION:o,DEFAULT_MAX_VERSION:s,DEFAULT_CIPHERS:c};export{c as DEFAULT_CIPHERS,s as DEFAULT_MAX_VERSION,o as DEFAULT_MIN_VERSION,y as Server,y as TLSServer,m as TLSSocket,p as checkServerIdentity,h as connect,g as createSecureContext,b as createServer,x as default,l as getCiphers,_ as rootCertificates};
+import"./_virtual/_rolldown/runtime.js";import e from"@girs/gio-2.0";import t from"@girs/glib-2.0";import{Server as n,Socket as r}from"node:net";import{createNodeError as i,deferEmit as a}from"@gjsify/utils";const o=`TLSv1.2`,s=`TLSv1.3`,c=`TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384`;function getCiphers(){return[`aes-128-gcm`,`aes-256-gcm`,`chacha20-poly1305`,`aes-128-cbc`,`aes-256-cbc`]}function pemToString(e){if(Array.isArray(e))return e.map(pemToString).join(`
+`);if(typeof e==`string`)return e;if(e&&typeof e.toString==`function`)try{return e.toString(`utf-8`)}catch{return new TextDecoder(`utf-8`).decode(e)}return String(e)}function splitPemBlocks(e){let t=[],n=/-----BEGIN [^-]+-----[\s\S]*?-----END [^-]+-----/g,r;for(;(r=n.exec(e))!==null;)t.push(r[0]);return t}function buildGioCertificate(t,n){let r=pemToString(t),i=n?pemToString(n):``,a=i?`${r}\n${i}`:r;return e.TlsCertificate.new_from_pem(a,a.length)}function buildCaCertificates(t){let n=[];if(Array.isArray(t))for(let e of t)n.push(...splitPemBlocks(pemToString(e)));else n.push(...splitPemBlocks(pemToString(t)));let r=[];for(let t of n)try{r.push(e.TlsCertificate.new_from_pem(t,t.length))}catch{}return r}function parseDistinguishedName(e){if(!e)return{};let t={};for(let n of e.split(/,(?![^=]*=)/)){let e=n.indexOf(`=`);if(e<0)continue;let r=n.slice(0,e).trim(),i=n.slice(e+1).trim(),a=t[r];a===void 0?t[r]=i:Array.isArray(a)?a.push(i):t[r]=[a,i]}return t}function formatCertDate(e){if(!e)return``;try{return e.format(`%b %d %H:%M:%S %Y GMT`)??``}catch{return``}}function formatAltNames(e){let t=[];try{let n=e.get_dns_names();if(n)for(let e of n){let n=e.get_data();n&&t.push(`DNS:${new TextDecoder(`utf-8`).decode(n)}`)}}catch{}try{let n=e.get_ip_addresses();if(n)for(let e of n)t.push(`IP Address:${e.to_string()}`)}catch{}return t.join(`, `)}function fingerprintFromBytes(e,n){try{let r=new t.Checksum(n);r.update(e);let i=r.get_string();if(!i)return``;let a=[];for(let e=0;e<i.length;e+=2)a.push(i.slice(e,e+2).toUpperCase());return a.join(`:`)}catch{return``}}function pemToDer(e){let t=/-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(e);if(!t)return new Uint8Array;let n=t[1].replace(/[\s\r\n]+/g,``);try{let e=globalThis.atob;if(!e)return new Uint8Array;let t=e(n),r=new Uint8Array(t.length);for(let e=0;e<t.length;e++)r[e]=t.charCodeAt(e);return r}catch{return new Uint8Array}}function tlsCertToPeerCert(e,n){let r={};try{r.subject=parseDistinguishedName(e.get_subject_name())}catch{}try{r.issuer=parseDistinguishedName(e.get_issuer_name())}catch{}r.subjectaltname=formatAltNames(e);try{r.valid_from=formatCertDate(e.get_not_valid_before()),r.valid_to=formatCertDate(e.get_not_valid_after())}catch{}try{let n=e,i=n.certificate_pem??n.certificatePem;if(i){let e=pemToDer(i);r.raw=e,r.fingerprint=fingerprintFromBytes(e,t.ChecksumType.SHA1),r.fingerprint256=fingerprintFromBytes(e,t.ChecksumType.SHA256)}}catch{}if(n)try{let t=e.get_issuer();t&&!t.is_same(e)?r.issuerCertificate=tlsCertToPeerCert(t,!0):t&&(r.issuerCertificate=r)}catch{}return r}function unfqdn(e){return e.endsWith(`.`)?e.slice(0,-1):e}function splitHost(e){return unfqdn(e).toLowerCase().split(`.`)}function isPrintableAscii(e){for(let t=0;t<e.length;t++){let n=e.charCodeAt(t);if(n<33||n>126)return!1}return!0}function checkHostMatch(e,t){if(!t)return!1;let n=splitHost(t);if(e.length!==n.length||n.includes(``)||!n.every(isPrintableAscii))return!1;for(let t=e.length-1;t>0;t--)if(e[t]!==n[t])return!1;let r=e[0],i=n[0],a=i.split(`*`,3);if(a.length===1||i.includes(`xn--`))return r===i;if(a.length>2||n.length<=2)return!1;let o=a[0],s=a[1];return!(o.length+s.length>r.length||!r.startsWith(o)||!r.endsWith(s))}function checkServerIdentity(e,t){let n=t.subject,r=t.subjectaltname,i=[],a=[];if(e=String(e),r){let e=r.split(`, `);for(let t of e)t.startsWith(`DNS:`)?i.push(t.slice(4)):t.startsWith(`IP Address:`)&&a.push(t.slice(11).trim())}let o=!1,s=`Unknown reason`;e=unfqdn(e);let c=/^(\d{1,3}\.){3}\d{1,3}$/.test(e),l=e.includes(`:`);if(c||l)o=a.some(t=>t.toLowerCase()===e.toLowerCase()),o||(s=`IP: ${e} is not in the cert's list: ${a.join(`, `)}`);else if(i.length>0||n?.CN){let t=splitHost(e);if(i.length>0)o=i.some(e=>checkHostMatch(t,e.trim())),o||(s=`Host: ${e}. is not in the cert's altnames: ${r}`);else{let r=n?.CN;Array.isArray(r)?o=r.some(e=>checkHostMatch(t,e)):r&&(o=checkHostMatch(t,r)),o||(s=`Host: ${e}. is not cert's CN: ${r}`)}}else s=`Cert does not contain a DNS name`;if(!o){let n=Error(s);return n.reason=s,n.host=e,n.cert=t,n.code=`ERR_TLS_CERT_ALTNAME_INVALID`,n}}function createSecureContext(e){let t=e??{},n=null;if(t.cert)try{n=buildGioCertificate(t.cert,t.key)}catch{n=null}let r=t.ca?buildCaCertificates(t.ca):[],i={certificate:n,caCertificates:r,options:t};return i.context=i,i}var TLSSocket=class extends r{encrypted=!0;authorized=!1;authorizationError;alpnProtocol=!1;servername;_tlsConnection=null;_secureContext=null;constructor(e,t){super()}_setupTlsStreams(e){this._tlsConnection=e;let t=this;t._inputStream=e.get_input_stream(),t._outputStream=e.get_output_stream(),t._connection=e}getPeerCertificate(e=!1){if(!this._tlsConnection)return{};try{let t=this._tlsConnection.get_peer_certificate();return t?tlsCertToPeerCert(t,e):{}}catch{return{}}}getProtocol(){if(!this._tlsConnection)return null;try{switch(this._tlsConnection.get_protocol_version()){case e.TlsProtocolVersion.TLS_1_0:return`TLSv1`;case e.TlsProtocolVersion.TLS_1_1:return`TLSv1.1`;case e.TlsProtocolVersion.TLS_1_2:return`TLSv1.2`;case e.TlsProtocolVersion.TLS_1_3:return`TLSv1.3`;default:return null}}catch{return null}}getCipher(){if(!this._tlsConnection)return null;try{return{name:this._tlsConnection.get_ciphersuite_name()||`unknown`,version:this.getProtocol()||`unknown`}}catch{return null}}getAlpnProtocol(){if(!this._tlsConnection)return!1;try{return this._tlsConnection.get_negotiated_protocol()||!1}catch{return!1}}};function connect(n,r){let i=new TLSSocket(void 0,n);r&&i.once(`secureConnect`,r);let a=n.port||443,o=n.host||`localhost`,s=n.servername||o,c=n.rejectUnauthorized!==!1,l=n.secureContext??createSecureContext(n);i._secureContext=l,i.servername=s;let u=n.checkServerIdentity;return i.once(`connect`,()=>{let r=i._connection;if(!r){i.destroy(Error(`No underlying connection for TLS upgrade`));return}try{let o=e.NetworkAddress.new(s,a),d=e.TlsClientConnection.new(r,o);if(d.set_server_identity(o),l.certificate)try{d.set_certificate(l.certificate)}catch(e){console.warn(`[tls] failed to set client certificate:`,e)}if(n.ALPNProtocols&&n.ALPNProtocols.length>0)try{d.set_advertised_protocols(n.ALPNProtocols)}catch{}d.connect(`accept-certificate`,(t,n,r)=>{if(!c)return!0;if(l.caCertificates.length===0)return!1;for(let t of l.caCertificates)try{if(n.verify(o,t)===e.TlsCertificateFlags.NO_FLAGS)return!0}catch{}return!1});let f=new e.Cancellable;d.handshake_async(t.PRIORITY_DEFAULT,f,(e,t)=>{try{if(d.handshake_finish(t),i.authorized=!0,i._setupTlsStreams(d),i.alpnProtocol=i.getAlpnProtocol(),u){let e=u(s,i.getPeerCertificate());if(e&&(i.authorized=!1,i.authorizationError=e.message,c)){i.destroy(e);return}}let e=i;e._reading=!1,e._startReading(),i.emit(`secureConnect`)}catch(e){i.authorized=!1,i.authorizationError=e instanceof Error?e.message:String(e),c?i.destroy(e instanceof Error?e:Error(String(e))):(i._setupTlsStreams(d),i.emit(`secureConnect`))}})}catch(e){i.destroy(e instanceof Error?e:Error(String(e)))}}),i.connect({port:a,host:o}),i}const l=[];var TLSServer=class extends n{_tlsCertificate=null;_tlsOptions;_sniContexts=new Map;_secureContext;constructor(e,t){super(),this._tlsOptions=e??{},this._secureContext=createSecureContext(this._tlsOptions),this._tlsCertificate=this._secureContext.certificate,t&&this.on(`secureConnection`,t),this._tlsOptions.cert&&!this._tlsCertificate&&a(this,`error`,i(Error(`Failed to parse TLS certificate`),`createServer`,{}))}addContext(e,t){try{let n=createSecureContext(t);this._sniContexts.set(e.toLowerCase(),n)}catch(e){this.emit(`error`,i(e,`addContext`,{}))}}_resolveSniContext(e,t){let n=this._secureContext;if(!e){t(n);return}let r=e.toLowerCase(),i=this._sniContexts.get(r);if(i){t(i);return}let a=splitHost(r);for(let[e,n]of this._sniContexts)if(checkHostMatch(a,e)){t(n);return}if(this._tlsOptions.SNICallback)try{this._tlsOptions.SNICallback(e,(e,r)=>{if(e||!r){t(n);return}t(r)});return}catch{t(n);return}t(n)}listen(...e){return this.on(`connection`,e=>{this._upgradeTls(e)}),super.listen(...e)}_upgradeTls(n){let r=n._connection;if(!r){let e=Error(`Cannot upgrade socket: no underlying connection`);this.emit(`tlsClientError`,e,n),n.destroy();return}if(!this._tlsCertificate&&this._sniContexts.size===0&&!this._tlsOptions.SNICallback){let e=Error(`TLS server has no certificate configured`);this.emit(`tlsClientError`,e,n),n.destroy();return}this._resolveSniContext(null,a=>{let o=a.certificate??this._tlsCertificate;if(!o){let e=Error(`SNI resolution returned no certificate`);this.emit(`tlsClientError`,e,n),n.destroy();return}try{let s=e.TlsServerConnection.new(r,o);this._tlsOptions.requestCert?s.authenticationMode=this._tlsOptions.rejectUnauthorized===!1?e.TlsAuthenticationMode.REQUESTED:e.TlsAuthenticationMode.REQUIRED:s.authenticationMode=e.TlsAuthenticationMode.NONE;let c=!!this._tlsOptions.requestCert&&this._tlsOptions.rejectUnauthorized!==!1,l=this._secureContext.caCertificates;if(s.connect(`accept-certificate`,(t,n,r)=>{if(!c)return!0;if(l.length===0)return!1;for(let t of l)try{if(n.verify(null,t)===e.TlsCertificateFlags.NO_FLAGS)return!0}catch{}return!1}),this._tlsOptions.ALPNProtocols&&this._tlsOptions.ALPNProtocols.length>0)try{s.set_advertised_protocols(this._tlsOptions.ALPNProtocols)}catch{}let u=new e.Cancellable;s.handshake_async(t.PRIORITY_DEFAULT,u,(e,t)=>{try{s.handshake_finish(t);let e=new TLSSocket;e.encrypted=!0,e.authorized=!0,e._secureContext=a,e._setupTlsStreams(s),e.alpnProtocol=e.getAlpnProtocol(),e._startReading(),this.emit(`secureConnection`,e)}catch(e){let t=i(e,`handshake`,{});this.emit(`tlsClientError`,t,n),n.destroy()}})}catch(e){let t=i(e,`tls_wrap`,{});this.emit(`tlsClientError`,t,n),n.destroy()}})}};function createServer(e,t){return typeof e==`function`?new TLSServer(void 0,e):new TLSServer(e,t)}const u={TLSSocket,TLSServer,Server:TLSServer,connect,createServer,createSecureContext,checkServerIdentity,getCiphers,rootCertificates:l,DEFAULT_MIN_VERSION:o,DEFAULT_MAX_VERSION:s,DEFAULT_CIPHERS:c};export{c as DEFAULT_CIPHERS,s as DEFAULT_MAX_VERSION,o as DEFAULT_MIN_VERSION,TLSServer as Server,TLSServer,TLSSocket,checkServerIdentity,connect,createSecureContext,createServer,u as default,getCiphers,l as rootCertificates};

package/lib/types/cert.spec.d.ts

@@ -0,0 +1,2 @@
+declare const _default: () => Promise<void>;
+export default _default;

package/lib/types/index.d.ts

@@ -5,33 +5,74 @@ export declare const DEFAULT_MAX_VERSION = "TLSv1.3";
 export declare const DEFAULT_CIPHERS = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
 /** Returns a list of supported TLS cipher names (subset; implementation-defined). */
 export declare function getCiphers(): string[];
+type PemInput = string | Buffer | Uint8Array | Array<string | Buffer | Uint8Array>;
+export interface CertSubject {
+    CN?: string | string[];
+    [key: string]: unknown;
+}
 export interface PeerCertificate {
-    subject?: {
-        CN?: string | string[];
-        [key: string]: unknown;
-    };
+    subject?: CertSubject;
+    issuer?: CertSubject;
     subjectaltname?: string;
+    valid_from?: string;
+    valid_to?: string;
+    fingerprint?: string;
+    fingerprint256?: string;
+    serialNumber?: string;
+    raw?: Uint8Array;
+    issuerCertificate?: PeerCertificate;
     [key: string]: unknown;
 }
+/** Error returned by checkServerIdentity, with Node-compatible shape. */
+export interface CertAltNameError extends Error {
+    reason: string;
+    host: string;
+    cert: PeerCertificate;
+    code: 'ERR_TLS_CERT_ALTNAME_INVALID';
+}
 /**
  * Verifies that the certificate `cert` is valid for `hostname`.
- * Returns an Error if the check fails, or undefined on success.
+ * Returns an Error (with code 'ERR_TLS_CERT_ALTNAME_INVALID') if the check
+ * fails, or `undefined` on success.
  *
- * Reference: Node.js lib/tls.js exports.checkServerIdentity
+ * Reference: Node.js lib/tls.js exports.checkServerIdentity (RFC 6125 §6.4.3).
  */
-export declare function checkServerIdentity(hostname: string, cert: PeerCertificate): Error | undefined;
+export declare function checkServerIdentity(hostname: string, cert: PeerCertificate): CertAltNameError | undefined;
 export interface SecureContextOptions {
-    ca?: string | Buffer | Array<string | Buffer>;
-    cert?: string | Buffer | Array<string | Buffer>;
-    key?: string | Buffer | Array<string | Buffer>;
+    ca?: PemInput;
+    cert?: PemInput;
+    key?: PemInput;
+    passphrase?: string;
     rejectUnauthorized?: boolean;
+    ciphers?: string;
+    minVersion?: string;
+    maxVersion?: string;
+    ALPNProtocols?: string[];
+}
+/** Internal "secure context" — parsed TLS material shared by tls.connect/createServer. */
+export interface SecureContext {
+    certificate: Gio.TlsCertificate | null;
+    caCertificates: Gio.TlsCertificate[];
+    options: SecureContextOptions;
+    /**
+     * Node-compat handle (Node returns a `SecureContext` with an internal native
+     * `context` field). We have no native handle, so this points back at the
+     * SecureContext object itself — `ctx.context !== undefined` matches Node.
+     */
+    context: SecureContext;
 }
+/** Build a SecureContext from PEM material. Buffer/Uint8Array/string all accepted. */
+export declare function createSecureContext(options?: SecureContextOptions): SecureContext;
 export interface TlsConnectOptions extends SecureContextOptions {
     host?: string;
     port?: number;
     socket?: Socket;
     servername?: string;
     ALPNProtocols?: string[];
+    /** Pre-built secure context from createSecureContext(). */
+    secureContext?: SecureContext;
+    /** Custom server-identity check (runs after the GnuTLS-level check). */
+    checkServerIdentity?: (host: string, cert: PeerCertificate) => Error | undefined;
 }
 /**
  * TLSSocket wraps a net.Socket with TLS via Gio.TlsConnection.
@@ -41,24 +82,31 @@ export declare class TLSSocket extends Socket {
     authorized: boolean;
     authorizationError?: string;
     alpnProtocol: string | false;
+    servername: string | undefined;
     /** @internal */
     _tlsConnection: Gio.TlsConnection | null;
-    constructor(socket?: Socket, options?: SecureContextOptions);
+    /** @internal — preserved for diagnostics + future cert-chain verification. */
+    _secureContext: SecureContext | null;
+    constructor(_socket?: Socket, _options?: SecureContextOptions);
     /**
      * @internal Wire the TLS connection's I/O streams into this socket
      * so that read/write operations go through the encrypted channel.
      */
     _setupTlsStreams(tlsConn: Gio.TlsConnection): void;
-    /** Get the peer certificate info. */
-    getPeerCertificate(_detailed?: boolean): any;
+    /**
+     * Get the peer certificate. When `detailed` is true, walks the issuer chain
+     * via `Gio.TlsCertificate.get_issuer()` and populates `issuerCertificate`
+     * recursively (with a self-reference on the root for compatibility).
+     */
+    getPeerCertificate(detailed?: boolean): PeerCertificate;
     /** Get the negotiated TLS protocol version. */
     getProtocol(): string | null;
-    /** Get the cipher info. */
+    /** Get the negotiated cipher suite name + version. */
     getCipher(): {
         name: string;
         version: string;
     } | null;
-    /** Get the negotiated ALPN protocol. */
+    /** Get the negotiated ALPN protocol (or false if none). */
     getAlpnProtocol(): string | false;
 }
 /**
@@ -68,34 +116,41 @@ export declare class TLSSocket extends Socket {
  * the connection to TLS using Gio.TlsClientConnection.
  */
 export declare function connect(options: TlsConnectOptions, callback?: () => void): TLSSocket;
-/**
- * Create a TLS secure context.
- */
-export declare function createSecureContext(options?: SecureContextOptions): {
-    context: any;
-};
 export declare const rootCertificates: string[];
+export type SNICallback = (servername: string, cb: (err: Error | null, ctx?: SecureContext) => void) => void;
 export interface TlsServerOptions extends SecureContextOptions {
     requestCert?: boolean;
     rejectUnauthorized?: boolean;
     ALPNProtocols?: string[];
+    SNICallback?: SNICallback;
 }
 /**
- * TLSServer wraps a net.Server to accept TLS connections.
+ * TLSServer accepts incoming TCP connections and upgrades each to TLS via
+ * `Gio.TlsServerConnection`. Supports mTLS via `requestCert`+`rejectUnauthorized`,
+ * SNI selection via `addContext`/`SNICallback`, and ALPN negotiation.
  */
 export declare class TLSServer extends Server {
     private _tlsCertificate;
     private _tlsOptions;
     private _sniContexts;
+    /** @internal — exposed for tests. */
+    _secureContext: SecureContext;
     constructor(options?: TlsServerOptions, secureConnectionListener?: (socket: TLSSocket) => void);
     /**
-     * Add a context for SNI (Server Name Indication).
+     * Add an additional context for SNI (Server Name Indication). Uses RFC 6125
+     * matching against the requested server name.
      */
     addContext(hostname: string, context: SecureContextOptions): void;
-    listen(...args: unknown[]): this;
     /**
-     * Upgrade a raw TCP socket to TLS using Gio.TlsServerConnection.
+     * Resolve a SecureContext for the given server name. Order:
+     *   1. exact match in `_sniContexts`
+     *   2. RFC 6125 wildcard match in `_sniContexts`
+     *   3. SNICallback (if provided)
+     *   4. fall through to the server's default context
      */
+    private _resolveSniContext;
+    listen(...args: unknown[]): this;
+    /** Upgrade a raw TCP socket to TLS using Gio.TlsServerConnection. */
     private _upgradeTls;
 }
 /**
@@ -104,7 +159,7 @@ export declare class TLSServer extends Server {
 export declare function createServer(options?: TlsServerOptions, secureConnectionListener?: (socket: TLSSocket) => void): TLSServer;
 export declare function createServer(secureConnectionListener?: (socket: TLSSocket) => void): TLSServer;
 export { TLSServer as Server };
-declare const _default: {
+declare const tlsExports: {
     TLSSocket: typeof TLSSocket;
     TLSServer: typeof TLSServer;
     Server: typeof TLSServer;
@@ -118,4 +173,4 @@ declare const _default: {
     DEFAULT_MAX_VERSION: string;
     DEFAULT_CIPHERS: string;
 };
-export default _default;
+export default tlsExports;

package/lib/types/tls.gjs.spec.d.ts

@@ -0,0 +1,2 @@
+declare const _default: () => Promise<void>;
+export default _default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gjsify/tls",
-  "version": "0.3.20",
+  "version": "0.4.0",
   "description": "Node.js tls module for Gjs",
   "type": "module",
   "module": "lib/esm/index.js",
@@ -30,15 +30,15 @@
     "tls"
   ],
   "devDependencies": {
-    "@gjsify/cli": "^0.3.20",
-    "@gjsify/unit": "^0.3.20",
+    "@gjsify/cli": "^0.4.0",
+    "@gjsify/unit": "^0.4.0",
     "@types/node": "^25.6.2",
     "typescript": "^6.0.3"
   },
   "dependencies": {
-    "@girs/gio-2.0": "2.88.0-4.0.0-rc.14",
-    "@girs/glib-2.0": "2.88.0-4.0.0-rc.14",
-    "@gjsify/net": "^0.3.20",
-    "@gjsify/utils": "^0.3.20"
+    "@girs/gio-2.0": "2.88.0-4.0.0-rc.15",
+    "@girs/glib-2.0": "2.88.0-4.0.0-rc.15",
+    "@gjsify/net": "^0.4.0",
+    "@gjsify/utils": "^0.4.0"
   }
 }

package/src/cert.spec.ts

@@ -0,0 +1,230 @@
+// SPDX-License-Identifier: MIT
+// Ported from refs/node-test/parallel/test-tls-check-server-identity.js,
+//   refs/node-test/parallel/test-tls-canonical-ip.js,
+//   refs/node-test/parallel/test-tls-checkserveridentity-no-altnames.js.
+// Original: Copyright (c) Node.js contributors. MIT.
+// Rewritten for @gjsify/unit — behavior preserved, assertion dialect adapted.
+//
+// Focused coverage of RFC 6125 (§6.4.3) hostname matching + getPeerCertificate
+// shape + createSecureContext PEM acceptance. Complements index.spec.ts.
+
+import { describe, it, expect, on } from '@gjsify/unit';
+import {
+  checkServerIdentity,
+  createSecureContext,
+} from 'node:tls';
+import type { PeerCertificate } from 'node:tls';
+
+function fakeCert(parts: Record<string, unknown>): PeerCertificate {
+  return parts as unknown as PeerCertificate;
+}
+
+// Self-signed PEM (cert + key) minted with `openssl req -x509 -newkey rsa:2048
+//   -keyout key.pem -out cert.pem -days 3650 -nodes -subj /CN=test.example`.
+// 2048-bit RSA, SHA256, no SAN. Used only for parser smoke-tests — never
+// trusted as a CA. Inlined so tests stay hermetic (no fixtures).
+const SAMPLE_CERT_PEM = `-----BEGIN CERTIFICATE-----
+MIIDDzCCAfegAwIBAgIUO9v7luuPxFHsLdVr//dOTh474OQwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMdGVzdC5leGFtcGxlMB4XDTI2MDUwOTA2NDIyMVoXDTM2
+MDUwNjA2NDIyMVowFzEVMBMGA1UEAwwMdGVzdC5leGFtcGxlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtnMdp3rW+bkeYoW9at2aRt70gub5siMsNOYw
+0obCo1LOkJokEOX2+9kaOUwaCmntcJdU3+JYQe7MGYwI+H9OWxnLRYJUneYB81a8
+CfJ7Uk+5FVNzQQFnYvL0G5NSq2w8K6UwV0jgXXFLEfTZOqdFdVVcwAOgCrc4LbpX
+E+5IflPoIuwBW2brYx/fIyJu2gH0uRG92R5m/3UxOqlVzIerL3YM3UTSepDtyCek
+ooD03UwLl3fYuza2iuMnxJAPshaSwiHbAopnaBSEvKMGHkLyl4zTmaioGXVRObtZ
+XAorC7ujI4F8edcmPRwAaNToHS8cRlGQJjXACfAodwNKWpbHYwIDAQABo1MwUTAd
+BgNVHQ4EFgQULhAoOyRjZxBRF8FlwTySSAXnFo0wHwYDVR0jBBgwFoAULhAoOyRj
+ZxBRF8FlwTySSAXnFo0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAiePCYXf6PAF/m3SE9PYNLiq+ALeJ+kQgXUYp5S4vsfk2T+XmbtP0uNnTQpsT
+4GaytjMFIQiNO6mHww8SFnrEr9btcNGCg17gyK7T3XukbsXIgOYvYjJboxb6Ww1T
+YFEXqPv55of/I5+UPH88WOYR1JsPE6lR4s3MfaMMRXTIZwpob2sxEfqHfti1DrHV
+nmzZpIvZi3II+gpx6aYE8m3DjgPrxbXw78Ular/VyYAyy9XVFpcl2nrAQgpErZIr
+kweGVVMKE8qMF9SO1/pER4T7A9ZBJol00hMCL+5Rw0Pw4lCLXgGX1J9VyZ+ScLxz
+aNy5t6tyGuGk0sol4dLG8nzHGA==
+-----END CERTIFICATE-----`;
+
+const SAMPLE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2cx2netb5uR5i
+hb1q3ZpG3vSC5vmyIyw05jDShsKjUs6QmiQQ5fb72Ro5TBoKae1wl1Tf4lhB7swZ
+jAj4f05bGctFglSd5gHzVrwJ8ntST7kVU3NBAWdi8vQbk1KrbDwrpTBXSOBdcUsR
+9Nk6p0V1VVzAA6AKtzgtulcT7kh+U+gi7AFbZutjH98jIm7aAfS5Eb3ZHmb/dTE6
+qVXMh6svdgzdRNJ6kO3IJ6SigPTdTAuXd9i7NraK4yfEkA+yFpLCIdsCimdoFIS8
+owYeQvKXjNOZqKgZdVE5u1lcCisLu6MjgXx51yY9HABo1OgdLxxGUZAmNcAJ8Ch3
+A0palsdjAgMBAAECggEADTZAcBYmjSAWDpjHguT+cAiWXwhU2pm1CmhrVRBD9fz5
+tZT3IAlXHYO2/dRmw/KwKnAUlr9wS4EvlhLPvEotWJsa+JlogT3cgRktz4nLDmBB
+jRH+9AOJaUWIq2dVHDhfq+I8oh8TFREumEoWLpFZ9Hya+9I6lUWq5smdcEI+gHWs
+yWhq4auR2/zkhvgsjLKPK8P2M8tmm8IPecE74NSBZqxoqb4upUHpMTxasAE2UJpK
+0slvxiZtk3LT/rflco04twIqK/KmH7phrPzmoSl+Lp1Zh9y4iNznTQKBdImsGl+g
+9FWL7pdxKjVNGQsrKVvB1A78VhhteAuaebT5MicIwQKBgQDtmYfyrlGoYGkArmNL
+tGBc5afGx/mL/8BGTQfIx4b11OEr+G4hppLh/WGLUksfMfprL0YU3BM+FOsECsY0
+5AJB6oQuSE8vCIS7yCxV00V+I6n2bEMxZkDwdDuF9rHhGODFx4pPz1nJqScAa23T
+48c+hNSBLRHTSuDAi2DcuxLn4QKBgQDElDjmB/kpW50ya2M2hO5LpwMcAlTJ3nPv
+000eTfzdtDNzesvRClYZWGWs7zSkNsf/F+G0tCg4slzvHPkRJN53hHF0Kwug2aj5
+1BPuDbn3EumDO6quykz6S9vZGcPAMuNm+qtkf+42KE5Sqj3NTf6aiu4tEZbH69me
+av1sbfkHwwKBgQC5cb5g1FuZjn4F8RZBDSy09O4pQQVtlpSsigzMUabtklSY7BKR
+IyC7T/dlNTq6w1hPdhs9xrMiHlN72SjwORHl/rNiKD/dVsm6grbP2dEAbbeHROKA
+2O1Qf3fBzFTzemZdF6vFNPJAakytkCutWLe2/RebJuElx+h5f49/WGeeIQKBgQC0
+mcCUharB9ms7kTF7OzF6y5utte6T8A3vvd9SAjBYt1+1rpFmIersKixvbuycGcAw
+eo5gaEuzmxqKi8G/oHHKuCFLquhqBM6bh94vjOjXN8bVTJIJN870/ZCjqmoPQDFv
+wMiJ8oa1tt4OUF2rKwbIkO809L3kOqiaRI1Det2Z5QKBgGp4JS3OqzeIMQbUa8e8
+tOYnML+RFpo2cZ9rCQAQitm/w5P6lAnG9vv4cXAu94RbtITEuGmqEhYDMhSC2i8e
+kjwRLp5R+/pynUdTckRP8buwRSDRlPz3x8GI2Dm0z8fb/uZ8AJK/iITtsOoJtyPx
+fUZ521uRyKXnpzj1HTz5WVp0
+-----END PRIVATE KEY-----`;
+
+export default async () => {
+  await describe('tls — RFC 6125 + cert extraction', async () => {
+
+    // ---------------- RFC 6125 wildcard depth rules ----------------
+    await describe('RFC 6125 wildcard depth', async () => {
+      await it('rejects two-label wildcard *.com', async () => {
+        const err = checkServerIdentity('foo.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:*.com',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+
+      await it('rejects single-label wildcard *', async () => {
+        const err = checkServerIdentity('foo', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:*',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+
+      await it('accepts three-label wildcard *.example.com matching foo.example.com', async () => {
+        const ok = checkServerIdentity('foo.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:*.example.com',
+        }));
+        expect(ok).toBeUndefined();
+      });
+
+      await it('rejects empty wildcard label .x.example.com', async () => {
+        const err = checkServerIdentity('foo.x.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:.x.example.com',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+    });
+
+    // ---------------- RFC 6125 wildcard prefix/suffix ----------------
+    await describe('RFC 6125 wildcard prefix/suffix', async () => {
+      await it('matches f*.example.com against foo.example.com', async () => {
+        const ok = checkServerIdentity('foo.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:f*.example.com',
+        }));
+        expect(ok).toBeUndefined();
+      });
+
+      await it('rejects f*.example.com against bar.example.com', async () => {
+        const err = checkServerIdentity('bar.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:f*.example.com',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+
+      await it('matches *foo.example.com against barfoo.example.com', async () => {
+        const ok = checkServerIdentity('barfoo.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:*foo.example.com',
+        }));
+        expect(ok).toBeUndefined();
+      });
+
+      await it('rejects f*r.example.com against bar.example.com (prefix mismatch)', async () => {
+        const err = checkServerIdentity('bar.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:f*r.example.com',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+    });
+
+    // ---------------- IDN / xn-- handling ----------------
+    await describe('Punycode / IDN', async () => {
+      await it('treats xn-- labels as exact-match (no wildcard expansion)', async () => {
+        // pattern is the punycoded form; hostname must match exactly.
+        const ok = checkServerIdentity('xn--bcher-kva.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:xn--bcher-kva.example.com',
+        }));
+        expect(ok).toBeUndefined();
+      });
+
+      await it('rejects wildcard expansion against xn-- A-label leftmost', async () => {
+        // *xn--bcher-kva matched against bcher-kva: per RFC 6125 the wildcard
+        // is not allowed to expand into A-label content.
+        const err = checkServerIdentity('foo.example.com', fakeCert({
+          subject: {},
+          subjectaltname: 'DNS:xn--*.example.com',
+        }));
+        expect(err instanceof Error).toBe(true);
+      });
+    });
+
+    // ---------------- Error code shape (Node-compat) ----------------
+    await describe('error.code', async () => {
+      await it('returns ERR_TLS_CERT_ALTNAME_INVALID code on mismatch', async () => {
+        const err = checkServerIdentity('a.com', fakeCert({
+          subject: { CN: 'b.com' },
+        }));
+        expect(err instanceof Error).toBe(true);
+        const e = err as { code?: string };
+        // Node: ERR_TLS_CERT_ALTNAME_INVALID. Our impl: same.
+        expect(e.code).toBe('ERR_TLS_CERT_ALTNAME_INVALID');
+      });
+    });
+
+    // ---------------- createSecureContext PEM acceptance ----------------
+    await describe('createSecureContext', async () => {
+      await it('accepts string PEM material (cert + key)', async () => {
+        const ctx = createSecureContext({ cert: SAMPLE_CERT_PEM, key: SAMPLE_KEY_PEM });
+        expect(ctx).toBeDefined();
+      });
+
+      await it('accepts Buffer PEM material', async () => {
+        const Buffer = (globalThis as { Buffer?: { from(s: string): unknown } }).Buffer;
+        if (!Buffer) return;  // skip if Buffer unavailable
+        const ctx = createSecureContext({
+          cert: Buffer.from(SAMPLE_CERT_PEM) as never,
+          key: Buffer.from(SAMPLE_KEY_PEM) as never,
+        });
+        expect(ctx).toBeDefined();
+      });
+
+      await it('accepts array of PEM blocks for ca', async () => {
+        const ctx = createSecureContext({ ca: [SAMPLE_CERT_PEM, SAMPLE_CERT_PEM] });
+        expect(ctx).toBeDefined();
+      });
+
+      await it('returns ctx.context self-reference (Node-compat)', async () => {
+        const ctx = createSecureContext();
+        const ref = (ctx as unknown as { context?: unknown }).context;
+        expect(ref !== undefined).toBe(true);
+      });
+
+      // Our impl preserves the user-supplied options on the SecureContext;
+      // Node does not, so this is a GJS-specific guarantee we lean on for
+      // diagnostics + integration debugging.
+      await on('Gjs', async () => {
+        await it('preserves passed-through options (ciphers/minVersion/maxVersion)', async () => {
+          const ctx = createSecureContext({
+            ciphers: 'TLS_AES_128_GCM_SHA256',
+            minVersion: 'TLSv1.2',
+            maxVersion: 'TLSv1.3',
+          });
+          const o = (ctx as unknown as { options?: { ciphers?: string; minVersion?: string; maxVersion?: string } }).options;
+          expect(o).toBeDefined();
+          expect(o!.ciphers).toBe('TLS_AES_128_GCM_SHA256');
+          expect(o!.minVersion).toBe('TLSv1.2');
+          expect(o!.maxVersion).toBe('TLSv1.3');
+        });
+      });
+    });
+  });
+};