LibTLS: Refactor CA loading into central function

2025-07-26 21:27:34 +00:00 · 2023-03-27 19:28:27 +02:00 · 2023-03-27 19:28:27 +02:00 · 459dee1f86
commit 459dee1f86
parent 924758c6f8
3 changed files with 20 additions and 52 deletions
--- a/Tests/LibTLS/TestTLSHandshake.cpp
+++ b/Tests/LibTLS/TestTLSHandshake.cpp
@ -40,46 +40,9 @@ DeprecatedString locate_ca_certs_file()
 Vector<Certificate> load_certificates()
 {
-    Vector<Certificate> certificates;
+    auto cacert_file = MUST(Core::File::open(locate_ca_certs_file(), Core::File::OpenMode::Read));
-
+    auto data = MUST(cacert_file->read_until_eof());
-    auto cacert_result = Core::File::open(locate_ca_certs_file(), Core::File::OpenMode::Read);
+    return MUST(DefaultRootCACertificates::the().reload_certificates(data));
    if (cacert_result.is_error()) {
        dbgln("Failed to load CA Certificates: {}", cacert_result.error());
        return certificates;
    }
    auto cacert_file = cacert_result.release_value();
    auto data_result = cacert_file->read_until_eof();
    if (data_result.is_error()) {
        dbgln("Failed to load CA Certificates: {}", data_result.error());
        return certificates;
    }
    auto data = data_result.release_value();
    auto decode_result = Crypto::decode_pems(data);
    if (decode_result.is_error()) {
        dbgln("Failed to load CA Certificates: {}", decode_result.error());
        return certificates;
    }
    auto certs = decode_result.release_value();
    for (auto& cert : certs) {
        auto certificate_result = Certificate::parse_asn1(cert.bytes());
        // If the certificate does not parse it is likely using elliptic curve keys/signatures, which are not
        // supported right now. It might make sense to cleanup cacert.pem before adding it to the system.
        if (!certificate_result.has_value()) {
            // FIXME: It would be nice to have more informations about the certificate we failed to parse.
            //        Like: Issuer, Algorithm, CN, etc
            continue;
        }
        auto certificate = certificate_result.release_value();
        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
            certificates.append(move(certificate));
        } else {
            dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
        }
    }
    return certificates;
 }
 static Vector<Certificate> s_root_ca_certificates = load_certificates();
--- a/Userland/Libraries/LibTLS/Certificate.h
+++ b/Userland/Libraries/LibTLS/Certificate.h
@ -137,7 +137,7 @@ public:
    Vector<Certificate> const& certificates() const { return m_ca_certificates; }
-    void reload_certificates(ByteBuffer&);
+    ErrorOr<Vector<Certificate>> reload_certificates(ByteBuffer&);
    static DefaultRootCACertificates& the() { return s_the; }
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@ -499,18 +499,21 @@ DefaultRootCACertificates::DefaultRootCACertificates()
        return;
    }
    auto data = data_result.release_value();
    reload_certificates(data);
 }
-void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
+    auto reload_result = reload_certificates(data);
-{
+    if (reload_result.is_error()) {
-    auto decode_result = Crypto::decode_pems(data);
+        dbgln("Failed to load CA Certificates: {}", reload_result.error());
    if (decode_result.is_error()) {
        dbgln("Failed to load CA Certificates: {}", decode_result.error());
        return;
    }
-    m_ca_certificates.clear();
+
-    auto certs = decode_result.release_value();
+    m_ca_certificates = reload_result.release_value();
 }
 ErrorOr<Vector<Certificate>> DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
 {
    Vector<Certificate> certificates;
    auto certs = TRY(Crypto::decode_pems(data));
    for (auto& cert : certs) {
        auto certificate_result = Certificate::parse_asn1(cert.bytes());
@ -523,12 +526,14 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
        }
        auto certificate = certificate_result.release_value();
        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
-            m_ca_certificates.append(move(certificate));
+            TRY(certificates.try_append(move(certificate)));
        } else {
            dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
        }
    }
-    dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());
+    dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", certificates.size(), certs.size(), (certificates.size() * 100.0) / certs.size());
    return certificates;
 }
 }