RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-28 00:37:35 +00:00
Code Issues Activity Actions

LibTLS: Check if certificate is self signed before importing it as CA

Browse source
This commit is contained in:
Fabian Dellwing 2023-03-21 18:48:18 +01:00 committed by Ali Mohammad Pur
parent 114a383af3
commit ee0ae18386
2 changed files with 8 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Userland/Libraries/LibTLS/TLSv12.cpp
View file

@ -522,12 +522,11 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
continue;
}
auto certificate = certificate_result.release_value();
// FIXME: We might want to check additional things here to make sure we only load root CAs:
// - Root certificates are self-signed
// - Either it has matched Authority Key Identifier with Subject Key Identifier,
// - in some cases there is no Authority Key identifier, then Issuer string should match with Subject string
if (certificate.is_certificate_authority)
if (certificate.is_certificate_authority && certificate.is_self_signed()) {
m_ca_certificates.append(move(certificate));
} else {
dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
}
}
dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());