From 77a4b817720f7cc66873ecc9e8f077afc34a1267 Mon Sep 17 00:00:00 2001
From: Simone Basso
Date: Wed, 20 Sep 2023 20:47:58 +0200
Subject: [PATCH] feat: add functions required by ooni/probe-cli

Part of https://github.com/ooni/probe/issues/2531
---
 ca.go | 13 ++++++++-----
 model.go | 3 +++
 unetstack.go | 12 ++++++++++++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/ca.go b/ca.go
index 644eab2..381f9d5 100644
--- a/ca.go
+++ b/ca.go
@@ -85,7 +85,10 @@ func caMustNewAuthority(name, organization string, validity time.Duration,
 //
 // SPDX-License-Identifier: Apache-2.0.
 type CA struct {
-	ca *x509.Certificate
+	// CACert is the public certificate used by the CA.
+	CACert *x509.Certificate
+
+	// These fields are not exported
 	capriv any
 	keyID []byte
 	org string
@@ -120,7 +123,7 @@ func MustNewCAWithTimeNow(timeNow func() time.Time) *CA {
 	keyID := h.Sum(nil)
 
 	return &CA{
-		ca: ca,
+		CACert: ca,
 		capriv: privateKey,
 		priv: priv,
 		keyID: keyID,
@@ -132,7 +135,7 @@ func MustNewCAWithTimeNow(timeNow func() time.Time) *CA {
 // CertPool returns an [x509.CertPool] using the given [*CA].
 func (c *CA) CertPool() *x509.CertPool {
 	pool := x509.NewCertPool()
-	pool.AddCert(c.ca)
+	pool.AddCert(c.CACert)
 	return pool
 }
 
@@ -185,13 +188,13 @@ func (c *CA) MustNewCertWithTimeNow(timeNow func() time.Time, commonName string,
 		}
 	}
 
-	raw := Must1(x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.priv.Public(), c.capriv))
+	raw := Must1(x509.CreateCertificate(rand.Reader, tmpl, c.CACert, c.priv.Public(), c.capriv))
 
 	// Parse certificate bytes so that we have a leaf certificate.
 	x509c := Must1(x509.ParseCertificate(raw))
 
 	tlsc := &tls.Certificate{
-		Certificate: [][]byte{raw, c.ca.Raw},
+		Certificate: [][]byte{raw, c.CACert.Raw},
 		PrivateKey: c.priv,
 		Leaf: x509c,
 	}
diff --git a/model.go b/model.go
index 974a847..9b67b8b 100644
--- a/model.go
+++ b/model.go
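Review bot: Exporting `CACert` as a plain pointer field on `CA` lets any caller reassign it after `MustNewCAWithTimeNow` returns, after which `CertPool()` and `MustNewCertWithTimeNow` (the later hunks in this file) would trust or sign with a certificate that no longer matches `capriv`; a read-only accessor such as `func (c *CA) CACert() *x509.Certificate { return c.ca }` would expose the same value without making the struct mutable from outside the package. If the exported field is kept, its new doc comment should state the contract, e.g. `// CACert is the public certificate used by the CA. It is set by the constructor and must be treated as read-only.` The added `// These fields are not exported` comment only restates what the lowercase names already show and could be dropped.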
@@ -157,6 +157,9 @@ type UnderlyingNetwork interface {
 	// CA returns the CA we're using.
 	CA() *CA
 
+	// CACert returns the CA cert we're using.
+	CACert() *x509.Certificate
+
 	// DefaultCertPool returns the underlying cert pool to be used.
 	DefaultCertPool() *x509.CertPool
 
diff --git a/unetstack.go b/unetstack.go
index bef91d0..464133e 100644
--- a/unetstack.go
+++ b/unetstack.go
@@ -6,6 +6,7 @@ package netem
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
@@ -108,6 +109,17 @@ func (gs *UNetStack) CA() *CA {
 	return gs.ca
 }
 
+// CACert implements UnderlyingNetwork.
+func (gs *UNetStack) CACert() *x509.Certificate {
+	return gs.ca.CACert
+}
+
+// MustServerTLSConfig is used by [github.com/ooni/probe-cli] code
+// when generating configuration for servers using TLS.
+func (gs *UNetStack) MustServerTLSConfig(commonName string, extraNames ...string) *tls.Config {
+	return gs.ca.MustServerTLSConfig(commonName, extraNames...)
+}
+
 // Logger implements HTTPUnderlyingNetwork.
 func (gs *UNetStack) Logger() Logger {
 	return gs.ns.logger
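Review bot: Adding `CACert()` to the exported `UnderlyingNetwork` interface is a compile-time breaking change for every implementation not in this patch, and the patch only updates `UNetStack`; whether other implementers exist (test doubles here, or code in ooni/probe-cli that this change targets) cannot be confirmed from the hunk, so they should be checked before merging. The doc comment could also say that the value is the CA's own certificate object rather than a copy (the `UNetStack` implementation in this patch returns `gs.ca.CACert` directly), so callers must not modify it: `// CACert returns the CA cert we're using. The returned certificate is shared with the CA and must not be modified.` The `UnderlyingNetwork` declaration begins outside the hunk.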
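Review bot: The doc comment on the new `UNetStack.MustServerTLSConfig` says who calls it but not its contract: as the `Must` prefix suggests (and presumably like `MustNewCertWithTimeNow`, which wraps `Must1` in ca.go), it panics rather than returning an error when certificate generation fails, and the resulting server certificate is issued by this stack's CA, so only clients trusting `CACert()`/`DefaultCertPool()` will accept it; both points matter to anyone wiring the config into a real listener. Suggested wording: `// MustServerTLSConfig returns a *tls.Config with a server certificate for commonName and extraNames issued by this stack's CA, so only clients that trust CACert accept it; it panics if certificate generation fails. Used by github.com/ooni/probe-cli.` Note also that `CACert()` and `MustServerTLSConfig` both dereference `gs.ca` without a nil check, unlike `CA()` just above, which is fine if a `UNetStack` is always built through a constructor that sets `ca`, but I cannot confirm that from the hunk.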