1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 19:37:35 +00:00

LibCrypto+LibTLS: Implement Key Usage and Basic Constraints extensions

Root and intermediate CA certificates should have these extensions set
to indicate that they are allowed to sign other certificates. The values
reported in these extensions is now also checked by `verify_chain` to
make sure no non-CA certificates are used to sign another certificate.

The certificate parser now also aborts when a critical extension is
detected which is unsupported, as is required by the specification.
This commit is contained in:
Michiel Visser 2022-02-23 17:35:05 +01:00 committed by Ali Mohammad Pur
parent a6e465fba2
commit 804af863b4
3 changed files with 46 additions and 1 deletions

View file

@ -297,6 +297,15 @@ bool Context::verify_chain(StringView host) const
return false;
}
if (!(parent_certificate.is_allowed_to_sign_certificate && parent_certificate.is_certificate_authority)) {
dbgln("verify_chain: {} is not marked as certificate authority", issuer_string);
return false;
}
if (parent_certificate.path_length_constraint.has_value() && cert_index > parent_certificate.path_length_constraint.value()) {
dbgln("verify_chain: Path length for certificate exceeded");
return false;
}
bool verification_correct = verify_certificate_pair(cert, parent_certificate);
if (!verification_correct) {
dbgln("verify_chain: Signature inconsistent, {} was not signed by {}", subject_string, issuer_string);