From 5339b99f40bf5679c09b56db8e958a88dfd90633 Mon Sep 17 00:00:00 2001
From: Darius Clark
Date: Fri, 30 Aug 2024 11:54:32 -0400
Subject: [PATCH] refactor: Support multiple certificates for wss. (#295)
---
 CHANGELOG.md | 1 +
 src/p2p/transport.rs | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf6124e0a..1f91b651a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 - feat: Passthrough timeout to WantSession::new. [PR 265](https://github.com/dariusc93/rust-ipfs/pull/265)
 - chore: Update libp2p to 0.54. [PR 289](https://github.com/dariusc93/rust-ipfs/pull/289)
 - chore: Change IpfsOptions visibility, remove UninitializedIpfs::{empty, with_opt}. [PR 294](https://github.com/dariusc93/rust-ipfs/pull/294)
+- refactor: Support multiple certificates for wss. [PR 295](https://github.com/dariusc93/rust-ipfs/pull/295)
 # 0.11.21
 - chore: Put libp2p-webrtc-websys behind feature.
diff --git a/src/p2p/transport.rs b/src/p2p/transport.rs
index 118240f60..7facf0225 100644
--- a/src/p2p/transport.rs
+++ b/src/p2p/transport.rs
@@ -37,7 +37,7 @@ pub struct TransportConfig {
 pub enable_dns: bool,
 pub enable_memory_transport: bool,
 pub enable_webtransport: bool,
- pub websocket_pem: Option<(String, String)>,
+ pub websocket_pem: Option<(Vec, String)>,
 pub enable_secure_websocket: bool,
 pub support_quic_draft_29: bool,
 pub enable_webrtc: bool,
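Review bot: The reshaped `websocket_pem` field carries no doc comment, and its new shape (a list of PEM strings plus a key) is exactly what a user of `TransportConfig` needs spelled out: what each entry holds and in which order the entries are expected. A `///` comment along the lines of `/// PEM-encoded certificate chain for the secure websocket transport, one certificate per entry and presumably leaf first (the list is handed to the TLS config in the order given), together with the PEM-encoded private key.` would cover it. The type in this rendering reads `Option<(Vec, String)>`; the element type looks lost in extraction rather than in the source, since the consuming code calls `as_bytes()` on each entry. The `TransportConfig` struct starts outside the hunk.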
@@ -175,12 +175,20 @@ pub(crate) fn build_transport(
 let mut ws_transport = libp2p::websocket::WsConfig::new(TokioTcpTransport::new(tcp_config));
 if enable_secure_websocket {
- let (cert, priv_key) = match websocket_pem {
+ let (certs, priv_key) = match websocket_pem {
 Some((cert, kp)) => {
+ let mut certs = Vec::with_capacity(cert.len());
 let kp = KeyPair::from_pem(&kp).map_err(io::Error::other)?;
 let priv_key = libp2p::websocket::tls::PrivateKey::new(kp.serialize_der());
- let cert = libp2p::websocket::tls::Certificate::new(cert.into_bytes());
- (cert, priv_key)
+ for cert in cert.iter().map(|c| c.as_bytes()) {
+ let pem = pem::parse(cert)
+ .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
+ let cert =
+ libp2p::websocket::tls::Certificate::new(pem.into_contents());
+ certs.push(cert);
+ }
+
+ (certs, priv_key)
 }
 None => {
 let (cert, prv, _) = generate_cert(&keypair, b"libp2p-websocket", false)?;
@@ -189,11 +197,11 @@ pub(crate) fn build_transport(
 let self_cert = libp2p::websocket::tls::Certificate::new(cert.der().to_vec());
- (self_cert, priv_key)
+ (vec![self_cert], priv_key)
 }
 };
- let tls_config = libp2p::websocket::tls::Config::new(priv_key, [cert])
+ let tls_config = libp2p::websocket::tls::Config::new(priv_key, certs)
 .map_err(io::Error::other)?;
 ws_transport.set_tls_config(tls_config);
 }
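Review bot: `pem::parse(cert)` inside the `for cert in cert.iter()` loop of the `Some` arm decodes only the first PEM block of each entry, so an entry that carries a whole chain in one string (several `-----BEGIN CERTIFICATE-----` blocks) silently contributes just its first certificate, and nothing checks the block's tag, so a private key or CSR placed in the certificate list is wrapped as a `Certificate` and only fails later, far from the configuration that caused it. Decoding with `pem::parse_many` and rejecting any block whose `tag()` is not `CERTIFICATE` with an `InvalidData` error at this point keeps every certificate and turns the mistake into a clear error; the rewritten loop is below, with `.into()` on the returned error because build_transport's return type is outside the hunk. The shadowing of `cert` for three different things in this arm (the list bound by `Some((cert, kp))`, the `&[u8]` loop variable and the `Certificate`) also makes the code hard to follow; `Some((cert_pems, kp))` for the outer binding would help. build_transport starts and ends outside the hunk.
```rust
// … unchanged: `let mut certs`, `kp` and `priv_key` setup above …
for cert in cert.iter().map(|c| c.as_bytes()) {
    // One entry may hold a whole chain; take every block, not only the first.
    let blocks = pem::parse_many(cert)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
    for block in blocks {
        if block.tag() != "CERTIFICATE" {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("expected a CERTIFICATE PEM block, found {}", block.tag()),
            )
            .into());
        }
        certs.push(libp2p::websocket::tls::Certificate::new(block.into_contents()));
    }
}
// … unchanged: `(certs, priv_key)` tail expression …
```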
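Review bot: Nothing rejects an empty certificate list before `libp2p::websocket::tls::Config::new(priv_key, certs)`: a `websocket_pem` of `Some((vec![], key))` comes out of the `Some` arm with `certs` empty, and whether `Config::new` reports that immediately or the node only fails at its first TLS handshake depends on the rustls version behind it, which the hunk does not show. A guard right before the call, `if certs.is_empty() { return Err(io::Error::new(io::ErrorKind::InvalidInput, "websocket_pem contains no certificates").into()); }`, makes it a configuration error at startup either way. The `None` arm's `vec![self_cert]` is not affected. build_transport continues outside the hunk.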