Base+LibTLS: Update CA Certificates list with actual certificates

The CA certificates list now contains the actual certificate data for approximatly a hundred certificate authorities. These certificates were generated from https://mkcert.org, which uses the Mozilla CA certificate list. This also updates the code for reading the CA certificates.
2025-07-26 05:37:35 +00:00 · 2022-02-21 22:11:15 +01:00 · 2022-02-21 22:11:15 +01:00 · 2b416e5faa
commit 2b416e5faa
parent 707b222913
2 changed files with 238 additions and 462 deletions
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@ -4,6 +4,7 @@
 * SPDX-License-Identifier: BSD-2-Clause
 */

+#include <AK/Base64.h>
 #include <AK/Debug.h>
 #include <AK/Endian.h>
 #include <LibCore/ConfigFile.h>
@ -345,19 +346,34 @@ Singleton<DefaultRootCACertificates> DefaultRootCACertificates::s_the;
 DefaultRootCACertificates::DefaultRootCACertificates()
 {
    // FIXME: This might not be the best format, find a better way to represent CA certificates.
-    auto config = Core::ConfigFile::open_for_system("ca_certs").release_value_but_fixme_should_propagate_errors();
-    auto now = Core::DateTime::now();
-    auto last_year = Core::DateTime::create(now.year() - 1);
-    auto next_year = Core::DateTime::create(now.year() + 1);
-    for (auto& entity : config->groups()) {
-        Certificate cert;
-        cert.subject.subject = entity;
-        cert.issuer.subject = config->read_entry(entity, "issuer_subject", entity);
-        cert.subject.country = config->read_entry(entity, "country");
-        cert.not_before = Crypto::ASN1::parse_generalized_time(config->read_entry(entity, "not_before", "")).value_or(last_year);
-        cert.not_after = Crypto::ASN1::parse_generalized_time(config->read_entry(entity, "not_after", "")).value_or(next_year);
-        m_ca_certificates.append(move(cert));
+    auto config_result = Core::ConfigFile::open_for_system("ca_certs");
+    if (config_result.is_error()) {
+        dbgln("Failed to load CA Certificates: {}", config_result.error());
+        return;
    }
+    auto config = config_result.release_value();
+
+    for (auto& entity : config->groups()) {
+        for (auto& subject : config->keys(entity)) {
+            auto certificate_base64 = config->read_entry(entity, subject);
+            auto certificate_data_result = decode_base64(certificate_base64);
+            if (certificate_data_result.is_error()) {
+                dbgln("Skipping CA Certificate {} {}: out of memory", entity, subject);
+                continue;
+            }
+            auto certificate_data = certificate_data_result.release_value();
+            auto certificate_result = Certificate::parse_asn1(certificate_data.bytes());
+            // If the certificate does not parse it is likely using elliptic curve keys/signatures, which are not
+            // supported right now. Currently, ca_certs.ini should only contain certificates with RSA keys/signatures.
+            if (!certificate_result.has_value()) {
+                dbgln("Skipping CA Certificate {} {}: unable to parse", entity, subject);
+                continue;
+            }
+            auto certificate = certificate_result.release_value();
+            m_ca_certificates.append(move(certificate));
+        }
+    }
+
    dbgln("Loaded {} CA Certificates", m_ca_certificates.size());
 }
 }