open-ead · Fuzzy2319 · Jan 23, 2026 · Jan 24, 2026 · Jan 25, 2026 · Mar 22, 2026
diff --git a/CMakeLists.txt b/CMakeLists.txt
diff --git a/include/nn/sf/IServiceObject.h b/include/nn/sf/IServiceObject.h
@@ -0,0 +1,11 @@
+#pragma once
+
+#include <nn/sf/ISharedObject.h>
+
+namespace nn::sf {
+class IServiceObject : public ISharedObject {
+public:
+    virtual void* GetInterfaceTypeInfo() { return nullptr; }
+    virtual void* GetProxyInfo() { return nullptr; }  // CmifProxyInfo* ?
+};
+}  // namespace nn::sf
diff --git a/include/nn/sf/ISharedObject.h b/include/nn/sf/ISharedObject.h
@@ -0,0 +1,6 @@
+#pragma once
+
+namespace nn::sf {
+// TODO: stubbed for now
+class ISharedObject {};
+}  // namespace nn::sf
diff --git a/include/nn/ssl.h b/include/nn/ssl.h
@@ -1,26 +1,80 @@
-/**
- * @file ssl.h
- * @brief SSL implementation.
- */
-
 #pragma once
 
 #include <nn/types.h>
 
-namespace nn {
-namespace ssl {
-enum CertificateFormat { PEM = 0x01, DER = 0x02 };
+namespace nn::ssl {
+enum class CertificateFormat { PEM = 1, DER = 2 };
+enum class CaCertificateId {
+    All = -1,  // [3.0.0+]
 
-class Context {
-public:
-    enum SslVersion { Auto = 0x01, v10 = 0x08, v11 = 0x10, v12 = 0x20 };
+    NintendoCAG3 = 1,
+    NintendoClass2CAG3 = 2,
+    NintendoRootCAG4 = 3,  // [16.0.0+]
 
-    Result Create(nn::ssl::Context::SslVersion version);
-    Result ImportServerPki(u64*, char const* certData, u32 certSize,
-                           nn::ssl::CertificateFormat certFormat);
+    AmazonRootCA1 = 1000,
+    StarfieldServicesRootCertificateAuthorityG2 = 1001,
+    AddTrustExternalCARoot = 1002,
+    COMODOCertificationAuthority = 1003,
+    UTNDATACorpSGC = 1004,
+    UTNUSERFirstHardware = 1005,
+    BaltimoreCyberTrustRoot = 1006,
+    CybertrustGlobalRoot = 1007,
+    VerizonGlobalRootCA = 1008,
+    DigiCertAssuredIDRootCA = 1009,
+    DigiCertAssuredIDRootG2 = 1010,
+    DigiCertGlobalRootCA = 1011,
+    DigiCertGlobalRootG2 = 1012,
+    DigiCertHighAssuranceEVRootCA = 1013,
+    EntrustnetCertificationAuthority2048 = 1014,
+    EntrustRootCertificationAuthority = 1015,
+    EntrustRootCertificationAuthorityG2 = 1016,
+    GeoTrustGlobalCA2 = 1017,
+    GeoTrustGlobalCA = 1018,
+    GeoTrustPrimaryCertificationAuthorityG3 = 1019,
+    GeoTrustPrimaryCertificationAuthority = 1020,
+    GlobalSignRootCA = 1021,
+    GlobalSignRootCAR2 = 1022,
+    GlobalSignRootCAR3 = 1023,
+    GoDaddyClass2CertificationAuthority = 1024,
+    GoDaddyRootCertificateAuthorityG2 = 1025,
+    StarfieldClass2CertificationAuthority = 1026,
+    StarfieldRootCertificateAuthorityG2 = 1027,
+    ThawtePrimaryRootCAG3 = 1028,
+    ThawtePrimaryRootCA = 1029,
+    VeriSignClass3PublicPrimaryCertificationAuthorityG3 = 1030,
+    VeriSignClass3PublicPrimaryCertificationAuthorityG5 = 1031,
+    VeriSignUniversalRootCertificationAuthority = 1032,
+    DSTRootCAX3 = 1033,                           // [6.0.0+]
+    USERTrustRsaCertificationAuthority = 1034,    // [10.0.3+]
+    ISRGRootX10 = 1035,                           // [10.1.0+]
+    USERTrustEccCertificationAuthority = 1036,    // [10.1.0+]
+    COMODORsaCertificationAuthority = 1037,       // [10.1.0+]
+    COMODOEccCertificationAuthority = 1038,       // [10.1.0+]
+    AmazonRootCA2 = 1039,                         // [11.0.0+]
+    AmazonRootCA3 = 1040,                         // [11.0.0+]
+    AmazonRootCA4 = 1041,                         // [11.0.0+]
+    DigiCertAssuredIDRootG3 = 1042,               // [11.0.0+]
+    DigiCertGlobalRootG3 = 1043,                  // [11.0.0+]
+    DigiCertTrustedRootG4 = 1044,                 // [11.0.0+]
+    EntrustRootCertificationAuthorityEC1 = 1045,  // [11.0.0+]
+    EntrustRootCertificationAuthorityG4 = 1046,   // [11.0.0+]
+    GlobalSignECCRootCAR4 = 1047,                 // [11.0.0+]
+    GlobalSignECCRootCAR5 = 1048,                 // [11.0.0+]
+    GlobalSignECCRootCAR6 = 1049,                 // [11.0.0+]
+    GTSRootR1 = 1050,                             // [11.0.0+]
+    GTSRootR2 = 1051,                             // [11.0.0+]
+    GTSRootR3 = 1052,                             // [11.0.0+]
+    GTSRootR4 = 1053,                             // [11.0.0+]
+    SecurityCommunicationRootCA = 1054,           // [12.0.0+]
+    GlobalSignRootE4 = 1055,                      // [15.0.0+]
+    GlobalSignRootR4 = 1056,                      // [15.0.0+]
+    TTeleSecGlobalRootClass2 = 1057,              // [15.0.0+]
+    DigiCertTLSECCP384RootG5 = 1058,              // [16.0.0+]
+    DigiCertTLSRSA4096RootG5 = 1059               // [16.0.0+]
 };
 
 Result Initialize();
+Result Initialize(u32 concurrencyLimit);
 Result Finalize();
-}  // namespace ssl
-}  // namespace nn
+Result GetSslResultFromValue(Result*, const char*, u32);
+}  // namespace nn::ssl
diff --git a/include/nn/ssl/BuiltInManager.h b/include/nn/ssl/BuiltInManager.h
@@ -0,0 +1,14 @@
+#pragma once
+
+#include <nn/types.h>
+
+namespace nn::ssl {
+enum class CaCertificateId;
+}  // namespace nn::ssl
+
+namespace nn::ssl::BuiltInManager {
+struct BuiltInCertificateInfo;  // TODO
+
+Result GetBuiltInCertificates(BuiltInCertificateInfo**, u8*, u32, CaCertificateId*, u32);
+Result GetBuiltInCertificateBufSize(u32*, CaCertificateId*, u32);
+}  // namespace nn::ssl::BuiltInManager
diff --git a/include/nn/ssl/Connection.h b/include/nn/ssl/Connection.h
@@ -0,0 +1,87 @@
+#pragma once
+
+#include <nn/types.h>
+
+namespace nn::ssl {
+struct Context;
+
+class Connection {
+public:
+    enum class VerifyOption {
+        PeerCa = 1 << 0,
+        HostName = 1 << 1,
+        DateCheck = 1 << 2,
+        EvCertPartial = 1 << 3,
+        EvPolicyOid = 1 << 4,       // [6.0.0+]
+        EvCertFingerprint = 1 << 5  // [6.0.0+]
+    };
+
+    enum class IoMode { Blocking = 1, NonBlocking = 2 };
+
+    enum class SessionCacheMode { None, SessionId, SessionTicket };
+
+    enum class RenegotiationMode { None, Secure };
+
+    enum class PollEvent { Read = 1 << 0, Write = 1 << 1, Except = 1 << 2 };
+
+    enum class OptionType {
+        DoNotCloseSocket,
+        GetServerCertChain,  // [3.0.0+]
+        SkipDefaultVerify,   // [5.0.0+]
+        EnableAlpn           // [9.0.0+]
+    };
+
+    // TODO
+    struct ServerCertDetail;
+
+    Connection();
+    ~Connection();
+
+    Result Create(Context* context);
+    Result Destroy();
+    Result SetSocketDescriptor(s32 socketDescriptor);
+    Result SetHostName(const char* hostName, u32 hostNameSize);
+    Result SetVerifyOption(VerifyOption verifyOption);
+    Result SetServerCertBuffer(const char* serverCertificateBuffer,
+                               u32 serverCertificateBufferSize);
+    Result SetIoMode(IoMode ioMode);
+    Result SetSessionCacheMode(SessionCacheMode sessionCacheMode);
+    Result SetRenegotiationMode(RenegotiationMode renegotiationMode);
+    Result GetSocketDescriptor(s32* outSocketDescriptor);
+    Result GetHostName(const char* outHostName, u32* outHostNameSize, u32 maxHostNameSize);
+    Result GetVerifyOption(VerifyOption* outVerifyOption);
+    Result GetIoMode(IoMode* outIoMode);
+    Result GetSessionCacheMode(SessionCacheMode* outSessionCacheMode);
+    Result GetRenegotiationMode(RenegotiationMode* outRenegotiationMode);
+    Result FlushSessionCache();
+    Result DoHandshake();
+    Result DoHandshake(u32* outServerCertificateBufferSize, u32* outNumCertificates);
+    Result DoHandshake(u32* outServerCertificateBufferSize, u32* outNumCertificates,
+                       char* outServerCertificateBuffer, u32 serverCertificateBufferMaxSize);
+    Result GetServerCertDetail(ServerCertDetail*, const char*, u32);
+    Result Read(char* outBuffer, u32 maxBufferSize);
+    Result Read(char* outBuffer, s32* outBufferSize, u32 maxBufferSize);
+    Result Write(const char* buffer, u32 maxBufferSize);
+    Result Write(const char* buffer, s32* outWrittenBufferSize, u32 maxBufferSize);
+    Result Pending();
+    Result Pending(s32*);
+    Result Peek(char* outBuffer, s32* outBufferSize, u32 maxBufferSize);
+    Result Poll(PollEvent*, PollEvent*, u32 timeout);
+    Result GetLastError(Result* outErrorResult);
+    Result GetVerifyCertError(Result* outErrorResult);
+    Result GetVerifyCertErrors(Result* outErrorResults, u32*, u32*, u32 maxErrorResultCount);
+    Result GetNeededServerCertBufferSize(u32* outNeededServerCertBufferSize);
+    Result GetContextId(u64* outContextId);
+    Result GetConnectionId(u64* outConnectionId);
+    Result SetOption(OptionType option, bool value);
+    Result GetOption(bool* outValue, OptionType option);
+
+private:
+    u64 mConnectionId;
+    u64 mContextId;
+    unsigned char _10[8];
+    const char* mServerCertificateBuffer;
+    u32 mServerCertificateBufferSize;
+    Result _24;
+};
+}  // namespace nn::ssl
diff --git a/include/nn/ssl/Context.h b/include/nn/ssl/Context.h
@@ -0,0 +1,58 @@
+#pragma once
+
+#include <nn/ssl.h>
+#include <nn/types.h>
+
+namespace nn::ssl {
+// TODO: find the size of this struct
+class Context {
+public:
+    enum class SslVersion {
+        Auto = 0x01,
+        v10 = 0x08,
+        v11 = 0x10,
+        v12 = 0x20,
+        v13 = 0x40,         // [11.0.0+]
+        Auto24 = 0x1000000  // [11.0.0+]
+    };
+
+    enum class InternalPki { DeviceClientCertDefault = 1 };
+
+    enum class ContextOption { CrlImportDateCheckEnable = 1 };
+
+    Context();
+    ~Context();
+
+    Result Create(SslVersion version);
+    Result Destroy();
+    Result SetOption(ContextOption option, s32 value);
+    Result GetOption(s32* outValue, ContextOption option);
+    Result GetContextId(u64* outId);
+    Result ImportServerPki(u64* outId, const char* certificateBuffer, u32 certificateBufferSize,
+                           CertificateFormat certificateFormat);
+    Result ImportClientPki(u64* outId, const char* certificateBuffer,
+                           const char* certificatePassword, u32 certificateBufferSize,
+                           u32 certificatePasswordSize);
+    Result RemovePki(u64 id);
+    Result RegisterInternalPki(u64* outId, InternalPki pki);
+    Result AddPolicyOid(const char* policyOidBuffer, u32 policyOidBufferSize);
+    Result ImportCrl(u64* outId, const char* certificateRevocationListBuffer,
+                     u32 certificateRevocationListBufferSize);
+
+private:
+    u64 mContextId;
+};
+
+// TODO: I'm pretty sure there is inheritance between ContextPrivate and Context
+class ContextPrivate {
+public:
+    enum class SslVersion {
+        // TODO
+    };
+
+    Result Create(SslVersion version);
+
+private:
+    Context context;
+};
+}  // namespace nn::ssl
diff --git a/include/nn/ssl/Debug.h b/include/nn/ssl/Debug.h
@@ -0,0 +1,20 @@
+#pragma once
+
+#include <nn/types.h>
+
+namespace nn::ssl::Debug {
+struct Output;            // TODO
+struct Input;             // TODO
+enum class IoctlCommand;  // TODO
+
+struct HeapTrackPoint {
+public:
+    HeapTrackPoint();
+
+private:
+    char _0[0x10];
+    bool _10;
+};
+
+Result Ioctl(Output*, Input*, IoctlCommand);
+}  // namespace nn::ssl::Debug
diff --git a/include/nn/ssl/sf/ISslConnection.h b/include/nn/ssl/sf/ISslConnection.h
@@ -0,0 +1,7 @@
+#pragma once
+
+#include <nn/sf/IServiceObject.h>
+
+namespace nn::ssl::sf {
+class ISslConnection : public nn::sf::IServiceObject {};
+}  // namespace nn::ssl::sf
diff --git a/include/nn/ssl/sf/ISslContext.h b/include/nn/ssl/sf/ISslContext.h
@@ -0,0 +1,7 @@
+#pragma once
+
+#include <nn/sf/IServiceObject.h>
+
+namespace nn::ssl::sf {
+class ISslContext : public nn::sf::IServiceObject {};
+}  // namespace nn::ssl::sf
diff --git a/include/nn/ssl/sf/ISslService.h b/include/nn/ssl/sf/ISslService.h
@@ -0,0 +1,7 @@
+#pragma once
+
+#include <nn/sf/IServiceObject.h>
+
+namespace nn::ssl::sf {
+class ISslService : public nn::sf::IServiceObject {};
+}  // namespace nn::ssl::sf
diff --git a/include/nn/ssl/ssl-c-bindings.h b/include/nn/ssl/ssl-c-bindings.h
@@ -0,0 +1,67 @@
+#pragma once
+
+#include <nn/ssl/Connection.h>
+#include <nn/ssl/Context.h>
+#include <nn/types.h>
+
+extern "C" {
+nn::Result nnsslInitialize(void);
+nn::Result nnsslInitializeWithConcurrencyLimit(u32 limit);
+nn::Result nnsslFinialize(void);
+nn::Result nnsslContextCreate(nn::ssl::Context* context, nn::ssl::Context::SslVersion version);
+nn::Result nnsslContextDestroy(nn::ssl::Context* context);
+nn::Result nnsslContextGetContextId(nn::ssl::Context* context, u64* outId);
+nn::Result nnsslConnectionCreate(nn::ssl::Connection* connection, nn::ssl::Context* context);
+nn::Result nnsslConnectionDestroy(nn::ssl::Connection* connection);
+nn::Result nnsslConnectionSetSocketDescriptor(nn::ssl::Connection* connection,
+                                              s32 socketDescriptor);
+nn::Result nnsslConnectionSetHostName(nn::ssl::Connection* connection, const char* hostName,
+                                      u32 hostNameSize);
+nn::Result nnsslConnectionSetVerifyOption(nn::ssl::Connection* connection,
+                                          nn::ssl::Connection::VerifyOption verifyOption);
+nn::Result nnsslConnectionSetServerCertBuffer(nn::ssl::Connection* connection,
+                                              const char* serverCertificateBuffer,
+                                              u32 serverCertificateBufferSize);
+nn::Result nnsslConnectionSetIoMode(nn::ssl::Connection* connection,
+                                    nn::ssl::Connection::IoMode ioMode);
+nn::Result
+nnsslConnectionSetSessionCacheMode(nn::ssl::Connection* connection,
+                                   nn::ssl::Connection::SessionCacheMode sessionCacheMode);
+nn::Result nnsslConnectionGetSocketDescriptor(nn::ssl::Connection* connection,
+                                              s32* outSocketDescriptor);
+nn::Result nnsslConnectionGetHostName(nn::ssl::Connection* connection, const char* outHostName,
+                                      u32* outHostNameSize, u32 maxHostNameSize);
+nn::Result nnsslConnectionGetVerifyOption(nn::ssl::Connection* connection,
+                                          nn::ssl::Connection::VerifyOption* outVerifyOption);
+nn::Result nnsslConnectionGetIoMode(nn::ssl::Connection* connection,
+                                    nn::ssl::Connection::IoMode* outIoMode);
+nn::Result nnsslConnectionDoHandshake(nn::ssl::Connection* connection);
+nn::Result nnsslConnectionDoHandshakeWithCertBuffer(nn::ssl::Connection* connection,
+                                                    u32* outServerCertificateBufferSize,
+                                                    u32* outNumCertificates);
+nn::Result nnsslConnectionDoHandshakeWithBuffer(nn::ssl::Connection* connection,
+                                                u32* outServerCertificateBufferSize,
+                                                u32* outNumCertificates,
+                                                char* outServerCertificateBuffer,
+                                                u32 serverCertificateBufferMaxSize);
+nn::Result nnsslConnectionGetServerCertDetail(nn::ssl::Connection* connection,
+                                              nn::ssl::Connection::ServerCertDetail*, const char*,
+                                              u32);
+nn::Result nnsslConnectionRead(nn::ssl::Connection* connection, char* outBuffer, s32* outBufferSize,
+                               u32 maxBufferSize);
+nn::Result nnsslConnectionWrite(nn::ssl::Connection* connection, const char* buffer,
+                                s32* outWrittenBufferSize, u32 maxBufferSize);
+nn::Result nnsslConnectionPending(nn::ssl::Connection* connection, s32*);
+nn::Result nnsslConnectionPeek(nn::ssl::Connection* connection, char* outBuffer, s32* outBufferSize,
+                               u32 maxBufferSize);
+nn::Result nnsslConnectionPoll(nn::ssl::Connection* connection, PollEvent*, PollEvent*,
+                               u32 timeout);
+nn::Result nnsslConnectionGetVerifyCertError(nn::ssl::Connection* connection,
+                                             nn::Result* outErrorResult);
+nn::Result nnsslConnectionGetContextId(nn::ssl::Connection* connection, u64* outContextId);
+nn::Result nnsslConnectionGetConnectionId(nn::ssl::Connection* connection, u64* outConnectionId);
+nn::Result nnsslConnectionSetOption(nn::ssl::Connection* connection,
+                                    nn::ssl::Connection::OptionType option, bool value);
+nn::Result nnsslConnectionGetOption(nn::ssl::Connection* connection, bool* outValue,
+                                    nn::ssl::Connection::OptionType option);
+}