mirror of
https://github.com/RGBCube/serenity
synced 2025-07-27 18:27:35 +00:00
LibTLS: Check if certificate is self signed before importing it as CA
parent
114a383af3
commit
ee0ae18386
2 changed files with 8 additions and 6 deletions
|
@ -522,12 +522,11 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
|
|||
continue;
|
||||
}
|
||||
auto certificate = certificate_result.release_value();
|
||||
// FIXME: We might want to check additional things here to make sure we only load root CAs:
|
||||
// - Root certificates are self-signed
|
||||
// - Either it has matched Authority Key Identifier with Subject Key Identifier,
|
||||
// - in some cases there is no Authority Key identifier, then Issuer string should match with Subject string
|
||||
if (certificate.is_certificate_authority)
|
||||
if (certificate.is_certificate_authority && certificate.is_self_signed()) {
|
||||
m_ca_certificates.append(move(certificate));
|
||||
} else {
|
||||
dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
|
||||
}
|
||||
}
|
||||
|
||||
dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());
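Review bot: The new gate `if (certificate.is_certificate_authority && certificate.is_self_signed())` is only as strong as `is_self_signed()`, whose body is not in this hunk. If that helper only compares issuer with subject, or Authority Key Identifier with Subject Key Identifier, as the removed FIXME describes, then a name match is being treated as proof of self-signature without verifying the signature against the certificate's own public key. Since the FIXME is dropped entirely, I would leave a comment above the condition stating what is actually checked, for example `// Trust-store gate: CA flag + is_self_signed(); the signature itself is verified in <place, or "not verified here">`. The skip branch also reports only "not a valid root CA", so the log does not show which of the two conditions rejected the certificate when the store comes up smaller than expected. The enclosing loop and the start of `reload_certificates` are outside the hunk.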
|
||||
|
|