6 files changed, 236 insertions, 12 deletions

diff --git a/cli/js/deno.ts b/cli/js/deno.ts
index 511e4f0ec..4b0e3ff96 100644
--- a/cli/js/deno.ts
+++ b/cli/js/deno.ts
@@ -75,7 +75,7 @@ export {
 export { truncateSync, truncate } from "./truncate.ts";
 export { FileInfo } from "./file_info.ts";
 export { connect, dial, listen, Listener, Conn } from "./net.ts";
-export { dialTLS } from "./tls.ts";
+export { dialTLS, listenTLS } from "./tls.ts";
 export { metrics, Metrics } from "./metrics.ts";
 export { resources } from "./resources.ts";
 export {
diff --git a/cli/js/dispatch.ts b/cli/js/dispatch.ts
index bff4d0f5b..38405a866 100644
--- a/cli/js/dispatch.ts
+++ b/cli/js/dispatch.ts
@@ -26,9 +26,11 @@ export let OP_METRICS: number;
 export let OP_REPL_START: number;
 export let OP_REPL_READLINE: number;
 export let OP_ACCEPT: number;
+export let OP_ACCEPT_TLS: number;
 export let OP_DIAL: number;
 export let OP_SHUTDOWN: number;
 export let OP_LISTEN: number;
+export let OP_LISTEN_TLS: number;
 export let OP_RESOURCES: number;
 export let OP_GET_RANDOM_VALUES: number;
 export let OP_GLOBAL_TIMER_STOP: number;
@@ -81,6 +83,7 @@ export function asyncMsgFromRust(opId: number, ui8: Uint8Array): void {
     case OP_REPL_START:
     case OP_REPL_READLINE:
     case OP_ACCEPT:
+    case OP_ACCEPT_TLS:
     case OP_DIAL:
     case OP_GLOBAL_TIMER:
     case OP_HOST_GET_WORKER_CLOSED:
diff --git a/cli/js/lib.deno_runtime.d.ts b/cli/js/lib.deno_runtime.d.ts
index 94b6b61cd..3036ea2d1 100644
--- a/cli/js/lib.deno_runtime.d.ts
+++ b/cli/js/lib.deno_runtime.d.ts
@@ -990,6 +990,29 @@ declare namespace Deno {
    */
   export function listen(options: ListenOptions): Listener;
 
+  export interface ListenTLSOptions {
+    port: number;
+    hostname?: string;
+    transport?: Transport;
+    certFile: string;
+    keyFile: string;
+  }
+
+  /** Listen announces on the local transport address over TLS (transport layer security).
+   *
+   * @param options
+   * @param options.port The port to connect to. (Required.)
+   * @param options.hostname A literal IP address or host name that can be
+   *   resolved to an IP address. If not specified, defaults to 0.0.0.0
+   * @param options.certFile Server certificate file
+   * @param options.keyFile Server public key file
+   *
+   * Examples:
+   *
+   *     Deno.listenTLS({ port: 443, certFile: "./my_server.crt", keyFile: "./my_server.key" })
+   */
+  export function listenTLS(options: ListenTLSOptions): Listener;
+
   export interface DialOptions {
     port: number;
     hostname?: string;
@@ -1018,6 +1041,7 @@ declare namespace Deno {
   export interface DialTLSOptions {
     port: number;
     hostname?: string;
+    certFile?: string;
   }
 
   /**
diff --git a/cli/js/net.ts b/cli/js/net.ts
index a7ad2b73c..f463da60b 100644
--- a/cli/js/net.ts
+++ b/cli/js/net.ts
@@ -78,7 +78,7 @@ export class ConnImpl implements Conn {
   }
 }
 
-class ListenerImpl implements Listener {
+export class ListenerImpl implements Listener {
   constructor(
     readonly rid: number,
     private transport: Transport,
diff --git a/cli/js/tls.ts b/cli/js/tls.ts
index ec24b458b..3e38c7854 100644
--- a/cli/js/tls.ts
+++ b/cli/js/tls.ts
@@ -1,13 +1,14 @@
 // Copyright 2018-2019 the Deno authors. All rights reserved. MIT license.
-import { sendAsync } from "./dispatch_json.ts";
+import { sendAsync, sendSync } from "./dispatch_json.ts";
 import * as dispatch from "./dispatch.ts";
-import { Conn, ConnImpl } from "./net.ts";
+import { Listener, Transport, Conn, ConnImpl, ListenerImpl } from "./net.ts";
 
 // TODO(ry) There are many configuration options to add...
 // https://docs.rs/rustls/0.16.0/rustls/struct.ClientConfig.html
 interface DialTLSOptions {
   port: number;
   hostname?: string;
+  certFile?: string;
 }
 const dialTLSDefaults = { hostname: "127.0.0.1", transport: "tcp" };
 
@@ -19,3 +20,44 @@ export async function dialTLS(options: DialTLSOptions): Promise<Conn> {
   const res = await sendAsync(dispatch.OP_DIAL_TLS, options);
   return new ConnImpl(res.rid, res.remoteAddr!, res.localAddr!);
 }
+
+class TLSListenerImpl extends ListenerImpl {
+  async accept(): Promise<Conn> {
+    const res = await sendAsync(dispatch.OP_ACCEPT_TLS, { rid: this.rid });
+    return new ConnImpl(res.rid, res.remoteAddr, res.localAddr);
+  }
+}
+
+export interface ListenTLSOptions {
+  port: number;
+  hostname?: string;
+  transport?: Transport;
+  certFile: string;
+  keyFile: string;
+}
+
+/** Listen announces on the local transport address over TLS (transport layer security).
+ *
+ * @param options
+ * @param options.port The port to connect to. (Required.)
+ * @param options.hostname A literal IP address or host name that can be
+ *   resolved to an IP address. If not specified, defaults to 0.0.0.0
+ * @param options.certFile Server certificate file
+ * @param options.keyFile Server public key file
+ *
+ * Examples:
+ *
+ *     Deno.listenTLS({ port: 443, certFile: "./my_server.crt", keyFile: "./my_server.key" })
+ */
+export function listenTLS(options: ListenTLSOptions): Listener {
+  const hostname = options.hostname || "0.0.0.0";
+  const transport = options.transport || "tcp";
+  const res = sendSync(dispatch.OP_LISTEN_TLS, {
+    hostname,
+    port: options.port,
+    transport,
+    certFile: options.certFile,
+    keyFile: options.keyFile
+  });
+  return new TLSListenerImpl(res.rid, transport, res.localAddr);
+}
diff --git a/cli/js/tls_test.ts b/cli/js/tls_test.ts
index 79e6bcad8..58cafd23e 100644
--- a/cli/js/tls_test.ts
+++ b/cli/js/tls_test.ts
@@ -3,8 +3,9 @@ import { test, testPerm, assert, assertEquals } from "./test_util.ts";
 import { BufWriter, BufReader } from "../../std/io/bufio.ts";
 import { TextProtoReader } from "../../std/textproto/mod.ts";
 import { runIfMain } from "../../std/testing/mod.ts";
-// TODO(ry) The tests in this file use github.com:443, but it would be better to
-// not rely on an internet connection and rather use a localhost TLS server.
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
 
 test(async function dialTLSNoPerm(): Promise<void> {
   let err;
@@ -17,15 +18,168 @@ test(async function dialTLSNoPerm(): Promise<void> {
   assertEquals(err.name, "PermissionDenied");
 });
 
-testPerm({ net: true }, async function dialTLSBasic(): Promise<void> {
-  const conn = await Deno.dialTLS({ hostname: "github.com", port: 443 });
+test(async function dialTLSCertFileNoReadPerm(): Promise<void> {
+  let err;
+  try {
+    await Deno.dialTLS({
+      hostname: "github.com",
+      port: 443,
+      certFile: "cli/tests/tls/RootCA.crt"
+    });
+  } catch (e) {
+    err = e;
+  }
+  assertEquals(err.kind, Deno.ErrorKind.PermissionDenied);
+  assertEquals(err.name, "PermissionDenied");
+});
+
+testPerm(
+  { read: true, net: true },
+  async function listenTLSNonExistentCertKeyFiles(): Promise<void> {
+    let err;
+    const options = {
+      hostname: "localhost",
+      port: 4500,
+      certFile: "cli/tests/tls/localhost.crt",
+      keyFile: "cli/tests/tls/localhost.key"
+    };
+
+    try {
+      Deno.listenTLS({
+        ...options,
+        certFile: "./non/existent/file"
+      });
+    } catch (e) {
+      err = e;
+    }
+    assertEquals(err.kind, Deno.ErrorKind.NotFound);
+    assertEquals(err.name, "NotFound");
+
+    try {
+      Deno.listenTLS({
+        ...options,
+        keyFile: "./non/existent/file"
+      });
+    } catch (e) {
+      err = e;
+    }
+    assertEquals(err.kind, Deno.ErrorKind.NotFound);
+    assertEquals(err.name, "NotFound");
+  }
+);
+
+testPerm({ net: true }, async function listenTLSNoReadPerm(): Promise<void> {
+  let err;
+  try {
+    Deno.listenTLS({
+      hostname: "localhost",
+      port: 4500,
+      certFile: "cli/tests/tls/localhost.crt",
+      keyFile: "cli/tests/tls/localhost.key"
+    });
+  } catch (e) {
+    err = e;
+  }
+  assertEquals(err.kind, Deno.ErrorKind.PermissionDenied);
+  assertEquals(err.name, "PermissionDenied");
+});
+
+testPerm(
+  { read: true, write: true, net: true },
+  async function listenTLSEmptyKeyFile(): Promise<void> {
+    let err;
+    const options = {
+      hostname: "localhost",
+      port: 4500,
+      certFile: "cli/tests/tls/localhost.crt",
+      keyFile: "cli/tests/tls/localhost.key"
+    };
+
+    const testDir = Deno.makeTempDirSync();
+    const keyFilename = testDir + "/key.pem";
+    Deno.writeFileSync(keyFilename, new Uint8Array([]), {
+      perm: 0o666
+    });
+
+    try {
+      Deno.listenTLS({
+        ...options,
+        keyFile: keyFilename
+      });
+    } catch (e) {
+      err = e;
+    }
+    assertEquals(err.kind, Deno.ErrorKind.Other);
+    assertEquals(err.name, "Other");
+  }
+);
+
+testPerm(
+  { read: true, write: true, net: true },
+  async function listenTLSEmptyCertFile(): Promise<void> {
+    let err;
+    const options = {
+      hostname: "localhost",
+      port: 4500,
+      certFile: "cli/tests/tls/localhost.crt",
+      keyFile: "cli/tests/tls/localhost.key"
+    };
+
+    const testDir = Deno.makeTempDirSync();
+    const certFilename = testDir + "/cert.crt";
+    Deno.writeFileSync(certFilename, new Uint8Array([]), {
+      perm: 0o666
+    });
+
+    try {
+      Deno.listenTLS({
+        ...options,
+        certFile: certFilename
+      });
+    } catch (e) {
+      err = e;
+    }
+    assertEquals(err.kind, Deno.ErrorKind.Other);
+    assertEquals(err.name, "Other");
+  }
+);
+
+testPerm({ read: true, net: true }, async function dialAndListenTLS(): Promise<
+  void
+> {
+  const hostname = "localhost";
+  const port = 4500;
+
+  const listener = Deno.listenTLS({
+    hostname,
+    port,
+    certFile: "cli/tests/tls/localhost.crt",
+    keyFile: "cli/tests/tls/localhost.key"
+  });
+
+  const response = encoder.encode(
+    "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHello World\n"
+  );
+
+  listener.accept().then(
+    async (conn): Promise<void> => {
+      assert(conn.remoteAddr != null);
+      assert(conn.localAddr != null);
+      await conn.write(response);
+      conn.close();
+    }
+  );
+
+  const conn = await Deno.dialTLS({
+    hostname,
+    port,
+    certFile: "cli/tests/tls/RootCA.pem"
+  });
   assert(conn.rid > 0);
   const w = new BufWriter(conn);
   const r = new BufReader(conn);
-  let body = "GET / HTTP/1.1\r\n";
-  body += "Host: github.com\r\n";
-  body += "\r\n";
-  const writeResult = await w.write(new TextEncoder().encode(body));
+  const body = `GET / HTTP/1.1\r\nHost: ${hostname}:${port}\r\n\r\n`;
+  const writeResult = await w.write(encoder.encode(body));
   assertEquals(body.length, writeResult);
   await w.flush();
   const tpr = new TextProtoReader(r);
@@ -41,6 +195,7 @@ testPerm({ net: true }, async function dialTLSBasic(): Promise<void> {
   const contentLength = parseInt(headers.get("content-length"));
   const bodyBuf = new Uint8Array(contentLength);
   await r.readFull(bodyBuf);
+  assertEquals(decoder.decode(bodyBuf), "Hello World\n");
   conn.close();
 });