feat: add TLS for node bridge

2026-03-12 07:20:45 +00:00 · 2026-01-16 05:28:33 +00:00
parent 1656f491fd
commit 1ab1e312b2
36 changed files with 1161 additions and 180 deletions
--- a/apps/ios/Sources/Settings/SettingsTab.swift
+++ b/apps/ios/Sources/Settings/SettingsTab.swift
@@ -407,9 +407,11 @@ struct SettingsTab: View {
                modelIdentifier: self.modelIdentifier(),
                caps: self.currentCaps(),
                commands: self.currentCommands())
+            let tlsParams = self.resolveDiscoveredTLSParams(bridge: bridge)
            let token = try await BridgeClient().pairAndHello(
                endpoint: bridge.endpoint,
                hello: hello,
+                tls: tlsParams,
                onStatus: { status in
                    Task { @MainActor in
                        statusStore.text = status
@@ -426,6 +428,7 @@ struct SettingsTab: View {
            self.appModel.connectToBridge(
                endpoint: bridge.endpoint,
                bridgeStableID: bridge.stableID,
+                tls: tlsParams,
                hello: BridgeHello(
                    nodeId: self.instanceId,
                    displayName: self.displayName,
@@ -462,6 +465,8 @@ struct SettingsTab: View {
        defer { self.connectingBridgeID = nil }

        let endpoint: NWEndpoint = .hostPort(host: NWEndpoint.Host(host), port: port)
+        let stableID = BridgeEndpointID.stableID(endpoint)
+        let tlsParams = self.resolveManualTLSParams(stableID: stableID)

        do {
            let statusStore = self.connectStatus
@@ -485,6 +490,7 @@ struct SettingsTab: View {
            let token = try await BridgeClient().pairAndHello(
                endpoint: endpoint,
                hello: hello,
+                tls: tlsParams,
                onStatus: { status in
                    Task { @MainActor in
                        statusStore.text = status
@@ -500,7 +506,8 @@ struct SettingsTab: View {

            self.appModel.connectToBridge(
                endpoint: endpoint,
-                bridgeStableID: BridgeEndpointID.stableID(endpoint),
+                bridgeStableID: stableID,
+                tls: tlsParams,
                hello: BridgeHello(
                    nodeId: self.instanceId,
                    displayName: self.displayName,
@@ -517,6 +524,47 @@ struct SettingsTab: View {
        }
    }

+    private func resolveDiscoveredTLSParams(
+        bridge: BridgeDiscoveryModel.DiscoveredBridge) -> BridgeTLSParams?
+    {
+        let stableID = bridge.stableID
+        let stored = BridgeTLSStore.loadFingerprint(stableID: stableID)
+
+        if bridge.tlsEnabled || bridge.tlsFingerprintSha256 != nil {
+            return BridgeTLSParams(
+                required: true,
+                expectedFingerprint: bridge.tlsFingerprintSha256 ?? stored,
+                allowTOFU: stored == nil,
+                storeKey: stableID)
+        }
+
+        if let stored {
+            return BridgeTLSParams(
+                required: true,
+                expectedFingerprint: stored,
+                allowTOFU: false,
+                storeKey: stableID)
+        }
+
+        return nil
+    }
+
+    private func resolveManualTLSParams(stableID: String) -> BridgeTLSParams? {
+        if let stored = BridgeTLSStore.loadFingerprint(stableID: stableID) {
+            return BridgeTLSParams(
+                required: true,
+                expectedFingerprint: stored,
+                allowTOFU: false,
+                storeKey: stableID)
+        }
+
+        return BridgeTLSParams(
+            required: false,
+            expectedFingerprint: nil,
+            allowTOFU: true,
+            storeKey: stableID)
+    }
+
    private static func primaryIPv4Address() -> String? {
        var addrList: UnsafeMutablePointer<ifaddrs>?
        guard getifaddrs(&addrList) == 0, let first = addrList else { return nil }