From 9eeea1075cfd3cb49bad3adbf41985563aa2e629 Mon Sep 17 00:00:00 2001
From: Narihiro Nakamura
Date: Thu, 12 Jan 2017 18:46:07 +0900
Subject: [PATCH] Support ssl_verify_peer with wss.

* add :trust_ca option
* implement ssl_verify_peer on Connection
---
 lib/faye/websocket/client.rb | 18 ++++++++++++++++++
 spec/faye/websocket/client_spec.rb | 12 +++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/faye/websocket/client.rb b/lib/faye/websocket/client.rb
index 54cc0b4..cfda53a 100644
--- a/lib/faye/websocket/client.rb
+++ b/lib/faye/websocket/client.rb
@@ -22,6 +22,8 @@ def initialize(url, protocols = nil, options = {})
 @secure = SECURE_PROTOCOLS.include?(endpoint.scheme)
 @origin_tls = options.fetch(:tls, {})
 @socket_tls = proxy[:origin] ? proxy.fetch(:tls, {}) : @origin_tls
+ @cert_store = OpenSSL::X509::Store.new
+ @cert_store.set_default_paths
 if proxy[:origin]
 @proxy = @driver.proxy(proxy[:origin])
@@ -36,6 +38,7 @@ def initialize(url, protocols = nil, options = {})
 if secure
 origin_tls = {:sni_hostname => uri.host}.merge(@origin_tls)
+ add_trust_ca(origin_tls.delete(:trust_ca))
 @stream.start_tls(origin_tls)
 end
@@ -62,6 +65,7 @@ def on_connect(stream)
 if @secure
 socket_tls = {:sni_hostname => URI.parse(@url).host}.merge(@socket_tls)
+ add_trust_ca(socket_tls.delete(:trust_ca))
 @stream.start_tls(socket_tls)
 end
@@ -69,6 +73,16 @@ def on_connect(stream)
 worker.start
 end
+ def add_trust_ca(ca_file)
+ return if ca_file.nil?
+ @trust_ca = Array[ca_file].map{|ca| OpenSSL::X509::Certificate.new(File.read(ca)) }
+ end
+
+ def ssl_verify_peer(cert)
+ crt = OpenSSL::X509::Certificate.new(cert)
+ return @cert_store.verify(crt) || @trust_ca.any?{|ca| ca.verify(crt.public_key) }
+ end
+
 module Connection
 attr_accessor :parent
@@ -87,6 +101,10 @@ def unbind
 def write(data)
 send_data(data) rescue nil
 end
+
+ def ssl_verify_peer(cert)
+ return parent.__send__(:ssl_verify_peer, cert)
+ end
 end
 end
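Review bot: `add_trust_ca(origin_tls.delete(:trust_ca))` assigns `@trust_ca` rather than accumulating into it, and the same call in on_connect (the next hunk) is fed from `@socket_tls`, which hunk 1 shows is the proxy's `:tls` when a proxy is configured, so with a TLS proxy the anchor set is whatever the last call installed: the origin's `:trust_ca` replaces the proxy's, and if only the proxy hop sets one, the early `return if ca_file.nil?` leaves the proxy's anchor in force when the origin certificate is checked. If the two hops are meant to have separate trust, keep the anchors per hop; if a single union is intended, accumulate instead of assigning. The proxy `on(:connect)` block this line sits in starts outside the hunk, so the ordering of the two handshakes is inferred from the surrounding code rather than visible here.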
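Review bot: `ca.verify(crt.public_key)` checks the wrong direction — `OpenSSL::X509::Certificate#verify(key)` tests whether the receiver was signed by `key`, so this asks whether the trust anchor was signed by the peer's key, and it only passes in the spec because server.crt is self-signed and presented as its own `:trust_ca`. A genuinely CA-signed peer certificate would be rejected by that fallback, which also skips validity period and CA constraints, and `@trust_ca` is never initialised (hunk 1 sets up only `@cert_store`), so with `:verify_peer => true` and no `:trust_ca` a store failure raises NoMethodError on `nil.any?` instead of returning false. Feeding the anchors into `@cert_store` gives chain verification in one place and removes the nil case, and `Array(ca_file)` handles an array being passed where `Array[ca_file]` wraps it once more and `File.read` fails. Two caveats I can only infer from EventMachine rather than from this hunk: the callback appears to be invoked once per certificate in the chain, so `@cert_store.verify(crt)` on a leaf whose intermediate is not in the store still fails, and nothing binds the verified certificate to `URI.parse(@url).host`, so a valid certificate for any name is accepted — a hostname check on the leaf (`OpenSSL::SSL.verify_certificate_identity`, e.g. against `get_peer_cert` once the handshake completes) is still needed before `:verify_peer` protects against an interposed server.
```ruby
    def add_trust_ca(ca_file)
      return if ca_file.nil?
      # Anchors go into the store so the peer is chain-verified (signature,
      # validity period, CA constraints) rather than signature-compared.
      Array(ca_file).each { |ca| @cert_store.add_file(ca) }
    end

    def ssl_verify_peer(cert)
      # Only reached when start_tls was given :verify_peer => true.
      @cert_store.verify(OpenSSL::X509::Certificate.new(cert))
    end
```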
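Review bot: `parent.__send__(:ssl_verify_peer, cert)` bypasses visibility for a method that is public — `ssl_verify_peer` is defined in the class body above `module Connection` with no `private` in view — so `parent.ssl_verify_peer(cert)` says the same thing without implying a privileged call, and the explicit `return` on the last expression can go. The hook is otherwise silent about when it runs, so a comment is worth adding: `# Called by EventMachine during the handshake, and only when start_tls was given :verify_peer => true; without that option no verification happens.` (that is my understanding of EventMachine's contract, worth confirming against its docs). The enclosing `module Connection` starts outside the hunk.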
diff --git a/spec/faye/websocket/client_spec.rb b/spec/faye/websocket/client_spec.rb
index 7b8af0b..115685e 100644
--- a/spec/faye/websocket/client_spec.rb
+++ b/spec/faye/websocket/client_spec.rb
@@ -39,7 +39,17 @@ def open_socket(url, protocols, &callback)
 end
 end
- @ws = Faye::WebSocket::Client.new(url, protocols, :proxy => {:origin => proxy_url})
+ secure = Faye::WebSocket::Client::SECURE_PROTOCOLS.include?(URI.parse(url).scheme)
+ options = {:proxy => {:origin => proxy_url}}
+ if secure
+ options.merge!(:tls => {
+ :private_key_file => File.expand_path('../../../server.key', __FILE__),
+ :cert_chain_file => File.expand_path('../../../server.crt', __FILE__),
+ :trust_ca => File.expand_path('../../../server.crt', __FILE__),
+ :verify_peer => true,
+ })
+ end
+ @ws = Faye::WebSocket::Client.new(url, protocols, options)
 @ws.on(:open) { |e| resume.call(true) }
 @ws.onclose = lambda { |e| resume.call(false) }
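Review bot: The new TLS options use `server.crt` both as the client's `:cert_chain_file` and as `:trust_ca`, so the trust anchor is the peer's own self-signed certificate, which makes the open succeed whichever direction the client checks the signature in and therefore does not exercise `:trust_ca` as a CA. A second case that points `:trust_ca` at a certificate which did not sign the server's and expects the `:open` handler never to fire (`resume.call(false)` via onclose) would pin the intended rejection; `:private_key_file` and `:cert_chain_file` look unrelated to peer verification and may be left over from experimentation. `open_socket` starts outside the hunk and its body continues past it, so the server setup it relies on is not visible here.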