From 79f5fc157cb50da155f0d3e55504c4edeb34f302 Mon Sep 17 00:00:00 2001
From: rhclayto
Date: Mon, 9 Feb 2026 20:53:10 -0700
Subject: [PATCH] Client Certificate Authentication Support
Client Certificate Authentication Support
Signed-off-by: rhclayto
---
 lib/private/Http/Client/Client.php | 38 ++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/lib/private/Http/Client/Client.php b/lib/private/Http/Client/Client.php
index 6160e68a99c57..12c6fde597052 100644
--- a/lib/private/Http/Client/Client.php
+++ b/lib/private/Http/Client/Client.php
@@ -73,6 +73,14 @@ private function buildRequestOptions(array $options): array {
 $options = array_merge($defaults, $options);
+ if ($this->isClientAuthenticationEnabled($options)) {
+ $client_auth_options = [
+ RequestOptions::CERT => $this->getClientAuthenticationCert($options),
+ RequestOptions::SSL_KEY => $this->getClientAuthenticationKey($options),
+ ];
+ $options = array_merge($client_auth_options, $options);
+ }
+
 if (!isset($options[RequestOptions::HEADERS]['User-Agent'])) {
 $userAgent = 'Nextcloud-Server-Crawler/' . $this->serverVersion->getVersionString();
 $options[RequestOptions::HEADERS]['User-Agent'] = $userAgent;
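Review bot: With the system flag `client_authentication_enabled` set, the block added after `array_merge($defaults, $options)` attaches the instance certificate and key to every request this client builds, whatever the destination host. A TLS server only receives the certificate when it asks for one, but any remote host can ask, so the instance would identify itself to hosts that were never meant to be mutual-TLS peers. Limiting this to an admin-configured list of hosts, or to the per-request `$options['nextcloud']['client_authentication_enabled']` opt-in alone, would keep the credential scoped. The order in `array_merge($client_auth_options, $options)` also lets a caller-supplied `cert`/`ssl_key` override the configured pair; if that is intended it deserves a comment such as `// caller-supplied cert/ssl_key take precedence over the configured defaults`. buildRequestOptions starts and ends outside the hunk.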
@@ -109,6 +117,36 @@ private function getCertBundle(): string {
 return $this->certificateManager->getAbsoluteBundlePath();
 }
+ private function isClientAuthenticationEnabled(array $options): bool {
+ if (($options['nextcloud']['client_authentication_enabled'] ?? false) ||
+ $this->config->getSystemValueBool('client_authentication_enabled', false)) {
+ return true;
+ }
+
+ return false;
+ }
+
+ private function getClientAuthenticationCert(array $options): ?string {
+ $clientCert = $this->config->getSystemValueString('internal_client_authentication_cert', \OC::$SERVERROOT . '/config/client_ssl/cert.pem');
+ if ($clientCert === '') {
+ return null;
+ }
+ return $clientCert;
+ }
+
+ private function getClientAuthenticationKey(array $options) {
+ $clientKey = $this->config->getSystemValueString('internal_client_authentication_key', \OC::$SERVERROOT . '/config/client_ssl/key.pem');
+ $clientKeyPass = $this->config->getSystemValueString('internal_client_authentication_key_pass', '');
+ if ($clientKey === '') {
+ return null;
+ }
+ if ($clientKeyPass === '') {
+ return $clientKey;
+ } else {
+ return array($clientKey, $clientKeyPass);
+ }
+ }
+
 /**
 * Returns a null or an associative array specifying the proxy URI for
 * 'http' and 'https' schemes, in addition to a 'no' key value pair
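Review bot: The default key location in `getClientAuthenticationKey`, `\OC::$SERVERROOT . '/config/client_ssl/key.pem'`, puts the private key inside the server root, and the passphrase `internal_client_authentication_key_pass` is read from system config in clear text. I would document that the key file must not be reachable through the web server and should be readable only by the PHP user, and, if the project keeps a list of sensitive config keys that are redacted in reports, add the passphrase key to it. Neither getter checks that the configured file exists, so enabling the flag without deploying the files presumably makes requests fail inside the HTTP library; an `is_readable()` check that logs a warning and returns null would give a clearer failure. `getClientAuthenticationKey` also has no return type: `: string|array|null` with `[$clientKey, $clientKeyPass]` instead of `array(...)` would match the other two methods, and the unused `$options` parameter of both getters could be dropped.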