From 89b6d8ec59aa2394d768c3a2d215c9e65b1c9323 Mon Sep 17 00:00:00 2001
From: UnknownShadow200
Date: Tue, 24 Jun 2025 07:55:49 +1000
Subject: [PATCH] Start drafting up cert validator backend API

---
 src/Certs.h | 28 ++++++++++++++++++++++++++++
 src/SSL.c | 34 +++++++++++++++++++++-------------
 2 files changed, 49 insertions(+), 13 deletions(-)
 create mode 100644 src/Certs.h

diff --git a/src/Certs.h b/src/Certs.h
new file mode 100644
index 000000000..203a56434
--- /dev/null
+++ b/src/Certs.h
@@ -0,0 +1,28 @@
+#ifndef CC_SSL_H
+#define CC_SSL_H
+#include "Platform.h"
+CC_BEGIN_HEADER
+
+/*
+Validates an X509 certificate chain for verifying a SSL/TLS connection.
+Copyright 2014-2025 ClassiCube | Licensed under BSD-3
+*/
+
+void CertsBackend_Init(void);
+
+struct X509CertContext {
+ void* ctx;
+ void* chain;
+ void* cert;
+};
+
+cc_result Certs_BeginChain( struct X509CertContext* ctx);
+cc_result Certs_FreeChain( struct X509CertContext* ctx);
+cc_result Certs_VerifyChain(struct X509CertContext* ctx);
+
+void Certs_BeginCert( struct X509CertContext* ctx, int size);
+void Certs_AppendCert(struct X509CertContext* ctx, void* data, int len);
+void Certs_FinishCert(struct X509CertContext* ctx);
+
+CC_END_HEADER
+#endif
diff --git a/src/SSL.c b/src/SSL.c
index a296b1c70..8db578081
--- a/src/SSL.c
+++ b/src/SSL.c
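Review bot: The include guard `CC_SSL_H` at the top of the new src/Certs.h looks copied from SSL.h; if that header uses the same guard, as the naming convention suggests, including both in one translation unit silently drops whichever comes second, so rename the `#ifndef`/`#define` pair to `CC_CERTS_H`. The declarations also leave the verification contract undocumented: a comment above `Certs_VerifyChain` should state whether 0 means the chain validated and how a validation failure is distinguished from a backend error, since callers will gate the TLS handshake on that value. `Certs_BeginCert`/`Certs_AppendCert`/`Certs_FinishCert` return void, so say what a caller should expect when `size` or `len` cannot be honoured, or give them a `cc_result` like the chain functions. `data` in `Certs_AppendCert` is only read, so `const void* data` would document that and let callers pass BearSSL's `const unsigned char*` buffers without a cast.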
@@ -408,13 +408,22 @@ cc_result SSL_Free(void* ctx_) {
 #include "String.h"
 #include "bearssl.h"
 #include "../misc/certs/certs.h"
+
 // https://github.com/unkaktus/bearssl/blob/master/samples/client_basic.c#L283
 #define SSL_ERROR_SHIFT 0xB5510000
-static br_x509_class cert_verifier_vtable;
+typedef struct SSLContext {
+ br_x509_minimal_context xc;
+ br_ssl_client_context sc;
+ struct X509CertContext x509;
+ unsigned char iobuf[BR_SSL_BUFSIZE_BIDI];
+ br_sslio_context ioc;
+ cc_result readError, writeError;
+ cc_socket socket;
+} SSLContext;
 static cc_bool _verifyCerts;
-static unsigned cert_verifier_end_chain(const br_x509_class** ctx) {
+static unsigned x509_end_chain(const br_x509_class** ctx) {
 unsigned r = br_x509_minimal_vtable.end_chain(ctx);
 /* User selected to not care about certificate authenticity */
@@ -434,20 +443,19 @@ static unsigned cert_verifier_end_chain(const br_x509_class** ctx) {
 return r;
 }
-typedef struct SSLContext {
- br_x509_minimal_context xc;
- br_ssl_client_context sc;
- unsigned char iobuf[BR_SSL_BUFSIZE_BIDI];
- br_sslio_context ioc;
- cc_result readError, writeError;
- cc_socket socket;
-} SSLContext;
+static const br_x509_class cert_verifier_vtable = {
+ sizeof(br_x509_minimal_context),
+ x509_start_chain,
+ x509_start_cert,
+ x509_append,
+ x509_end_cert,
+ x509_end_chain,
+ x509_get_pkey
+};
 void SSLBackend_Init(cc_bool verifyCerts) {
 _verifyCerts = verifyCerts;
-
- cert_verifier_vtable = br_x509_minimal_vtable;
- cert_verifier_vtable.end_chain = cert_verifier_end_chain;
+ CertsBackend_Init();
 }
 cc_bool SSLBackend_DescribeError(cc_result res, cc_string* dst) {
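Review bot: The new `struct X509CertContext x509;` member of SSLContext needs the complete type from src/Certs.h, but neither SSL.c hunk adds `#include "Certs.h"`, and since this commit creates that header nothing already in SSL.c can be supplying it; add `#include "Certs.h"` beside the other includes at the top of this hunk, otherwise the struct definition fails on an incomplete member type. The typedef is being moved above x509_end_chain, presumably so the X509 callbacks can reach the enclosing SSLContext through the `xc` pointer they receive; a one-line comment such as `/* SSLContext is declared before the X509 callbacks so they can recover it from the br_x509_class** they are handed */` would record that intent for the next reader. SSLContext is complete within this hunk, but the body of x509_end_chain continues past its end.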
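Review bot: The initializer for `cert_verifier_vtable` names x509_start_chain, x509_start_cert, x509_append, x509_end_cert and x509_get_pkey, but this diff only defines x509_end_chain (the renamed cert_verifier_end_chain), and the diffstat shows these two hunks are the whole SSL.c change, so the file will not build until those five are defined. The removed code inherited every callback from `br_x509_minimal_vtable` and overrode only end_chain; to keep that behaviour while the Certs backend is drafted, each new callback should forward to the matching minimal implementation the way x509_end_chain already does, e.g. `static void x509_end_cert(const br_x509_class** ctx) { br_x509_minimal_vtable.end_cert(ctx); }`. This matters for the security outcome: x509_end_chain still asks the minimal engine for its verdict, so if the new start_chain/start_cert/append callbacks do not feed the minimal context, that verdict is whatever the engine reports for a chain it never saw rather than a real validation of the server's certificates. Worth a comment above the vtable stating that the minimal engine remains the source of truth for chain validation until Certs_VerifyChain takes over.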