1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 16:57:35 +00:00

Base+LibTLS: Update CA Certificates list with actual certificates

The CA certificates list now contains the actual certificate data for
approximatly a hundred certificate authorities. These certificates were
generated from https://mkcert.org, which uses the Mozilla CA certificate
list.

This also updates the code for reading the CA certificates.
This commit is contained in:
Michiel Visser 2022-02-21 22:11:15 +01:00 committed by Ali Mohammad Pur
parent 707b222913
commit 2b416e5faa
2 changed files with 238 additions and 462 deletions

View file

@ -4,6 +4,7 @@
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <AK/Base64.h>
#include <AK/Debug.h>
#include <AK/Endian.h>
#include <LibCore/ConfigFile.h>
@ -345,19 +346,34 @@ Singleton<DefaultRootCACertificates> DefaultRootCACertificates::s_the;
DefaultRootCACertificates::DefaultRootCACertificates()
{
// FIXME: This might not be the best format, find a better way to represent CA certificates.
auto config = Core::ConfigFile::open_for_system("ca_certs").release_value_but_fixme_should_propagate_errors();
auto now = Core::DateTime::now();
auto last_year = Core::DateTime::create(now.year() - 1);
auto next_year = Core::DateTime::create(now.year() + 1);
for (auto& entity : config->groups()) {
Certificate cert;
cert.subject.subject = entity;
cert.issuer.subject = config->read_entry(entity, "issuer_subject", entity);
cert.subject.country = config->read_entry(entity, "country");
cert.not_before = Crypto::ASN1::parse_generalized_time(config->read_entry(entity, "not_before", "")).value_or(last_year);
cert.not_after = Crypto::ASN1::parse_generalized_time(config->read_entry(entity, "not_after", "")).value_or(next_year);
m_ca_certificates.append(move(cert));
auto config_result = Core::ConfigFile::open_for_system("ca_certs");
if (config_result.is_error()) {
dbgln("Failed to load CA Certificates: {}", config_result.error());
return;
}
auto config = config_result.release_value();
for (auto& entity : config->groups()) {
for (auto& subject : config->keys(entity)) {
auto certificate_base64 = config->read_entry(entity, subject);
auto certificate_data_result = decode_base64(certificate_base64);
if (certificate_data_result.is_error()) {
dbgln("Skipping CA Certificate {} {}: out of memory", entity, subject);
continue;
}
auto certificate_data = certificate_data_result.release_value();
auto certificate_result = Certificate::parse_asn1(certificate_data.bytes());
// If the certificate does not parse it is likely using elliptic curve keys/signatures, which are not
// supported right now. Currently, ca_certs.ini should only contain certificates with RSA keys/signatures.
if (!certificate_result.has_value()) {
dbgln("Skipping CA Certificate {} {}: unable to parse", entity, subject);
continue;
}
auto certificate = certificate_result.release_value();
m_ca_certificates.append(move(certificate));
}
}
dbgln("Loaded {} CA Certificates", m_ca_certificates.size());
}
}