From ee0ae1838655275b1f27d4e83260c7acc5c6b6f2 Mon Sep 17 00:00:00 2001
From: Fabian Dellwing
Date: Tue, 21 Mar 2023 18:48:18 +0100
Subject: [PATCH] LibTLS: Check if certificate is self signed before importing it as CA
---
 Tests/LibTLS/TestTLSHandshake.cpp | 5 ++++-
 Userland/Libraries/LibTLS/TLSv12.cpp | 9 ++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/Tests/LibTLS/TestTLSHandshake.cpp b/Tests/LibTLS/TestTLSHandshake.cpp
index f3ff6c6fa9..c7b0d35834 100644
--- a/Tests/LibTLS/TestTLSHandshake.cpp
+++ b/Tests/LibTLS/TestTLSHandshake.cpp
@@ -72,8 +72,11 @@ Vector load_certificates()
 continue;
 }
 auto certificate = certificate_result.release_value();
- if (certificate.is_certificate_authority)
+ if (certificate.is_certificate_authority && certificate.is_self_signed()) {
 certificates.append(move(certificate));
+ } else {
+ dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+ }
 }
 return certificates;
diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp
index e60b830349..d2ff01791b 100644
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
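Review bot: The condition `certificate.is_certificate_authority && certificate.is_self_signed()` in `load_certificates()` is a second copy of the filter this commit also places in `DefaultRootCACertificates::reload_certificates()`, and no assertion visible in the hunk covers the rejected case. A test that loads a CA certificate which is not self-signed and checks that it is absent from the returned vector would pin the rule, so the two copies cannot drift and quietly widen the trust store the handshake tests run against. Until the helper reuses the library loader, a comment such as `// Keep this filter in sync with DefaultRootCACertificates::reload_certificates().` would at least record the coupling. The body of load_certificates() starts outside the hunk, so an existing assertion elsewhere in the file cannot be ruled out.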
@@ -522,12 +522,11 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
 continue;
 }
 auto certificate = certificate_result.release_value();
- // FIXME: We might want to check additional things here to make sure we only load root CAs:
- // - Root certificates are self-signed
- // - Either it has matched Authority Key Identifier with Subject Key Identifier,
- // - in some cases there is no Authority Key identifier, then Issuer string should match with Subject string
- if (certificate.is_certificate_authority)
+ if (certificate.is_certificate_authority && certificate.is_self_signed()) {
 m_ca_certificates.append(move(certificate));
+ } else {
+ dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+ }
 }
 dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());
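Review bot: The call `certificate.is_self_signed()` in `reload_certificates()` replaces a FIXME that spelled out what self-signed should mean (matching Authority and Subject Key Identifier, or issuer string equal to subject string), and the new code leaves no statement of which of these is actually enforced. `is_self_signed()` is defined outside this hunk; if it compares names or key identifiers without verifying the signature against the certificate's own public key, that limit belongs in a comment at this call site, because the integrity of the trust store then still rests entirely on the bundle passed in as `data`. A comment such as `// Trust anchors: CA certificates that pass is_self_signed(); any other CA certificate in the bundle is skipped.` would record the rule. The single "not a valid root CA" message also hides which of the two conditions failed, which makes a skipped certificate harder to diagnose. The function body starts and ends outside the hunk.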