LibTLS: Check if certificate is self signed before importing it as CA

Tests/LibTLS/TestTLSHandshake.cpp

@@ -72,8 +72,11 @@ Vector<Certificate> load_certificates()
             continue;
         }
         auto certificate = certificate_result.release_value();
-        if (certificate.is_certificate_authority)
+        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
             certificates.append(move(certificate));
+        } else {
+            dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+        }
     }
 
     return certificates;

Userland/Libraries/LibTLS/TLSv12.cpp

@@ -522,12 +522,11 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
             continue;
         }
         auto certificate = certificate_result.release_value();
-        // FIXME: We might want to check additional things here to make sure we only load root CAs:
+        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
-        //        - Root certificates are self-signed
-        //        - Either it has matched Authority Key Identifier with Subject Key Identifier,
-        //        - in some cases there is no Authority Key identifier, then Issuer string should match with Subject string
-        if (certificate.is_certificate_authority)
             m_ca_certificates.append(move(certificate));
+        } else {
+            dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+        }
     }
 
     dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());