mirror of https://github.com/RGBCube/serenity synced 2025-07-25 21:57:43 +00:00

LibTLS: Verify the certificate chain sent by the server

With this change the certificate chain sent by the server will actually
be verified, instead of just checking the names of the certificates.

To determine if a certificate is signed by a root certificate, the list
of root certificates is now a HashMap mapping from the unique identifier
string to the certificate. This allows us to take the issuer of a
certificate and easily check if it is a root certificate. If a
certificate is not signed by a root certificate, we will check that it
is signed by the next certificate in the chain.

This also removes the ad-hoc checking of certificate validity from
multiple places, and moves all checking to the verify_chain.
Michiel Visser 2022-02-21 22:25:34 +01:00 committed by Ali Mohammad Pur
parent d5cef41bb6
commit fea5aeda0b
6 changed files with 162 additions and 47 deletions
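
The chain walk the commit message describes, as an added example that is not SerenityOS code: roots are looked up by issuer identifier, and otherwise the next certificate in the chain must be the signer. `Cert`, `toy_sign`, `make_cert` and `signed_by` are hypothetical names, the body of `verify_chain` is written for this example, and the signature is a non-cryptographic stand-in so the names-match-but-signature-fails case can be shown.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Hypothetical toy certificate: only the fields the chain walk needs.
struct Cert {
    std::string subject; // unique identifier string of this certificate
    std::string issuer;  // unique identifier string of its signer
    uint64_t public_key; // constructed sample key
    uint64_t signature;  // stand-in signature over the subject
};

// Stand-in for a real signature scheme (NOT cryptography, assumption of this
// example): FNV-1a-style hash of the subject, seeded with the signer's key.
uint64_t toy_sign(std::string const& subject, uint64_t signer_key)
{
    uint64_t h = 14695981039346656037ull ^ signer_key;
    for (unsigned char c : subject)
        h = (h ^ c) * 1099511628211ull;
    return h;
}

Cert make_cert(std::string subject, std::string issuer, uint64_t key, uint64_t signer_key)
{
    uint64_t sig = toy_sign(subject, signer_key);
    return { std::move(subject), std::move(issuer), key, sig };
}

// A matching issuer name alone is not enough: the signature must verify too.
bool signed_by(Cert const& cert, Cert const& signer)
{
    return cert.issuer == signer.subject && cert.signature == toy_sign(cert.subject, signer.public_key);
}

// Walk leaf-first: each certificate must be signed by a trusted root (found
// by its issuer identifier) or, failing that, by the next chain entry.
bool verify_chain(std::vector<Cert> const& chain, std::unordered_map<std::string, Cert> const& roots)
{
    for (size_t i = 0; i < chain.size(); ++i) {
        auto root = roots.find(chain[i].issuer);
        if (root != roots.end())
            return signed_by(chain[i], root->second); // reached a trust anchor
        if (i + 1 >= chain.size() || !signed_by(chain[i], chain[i + 1]))
            return false; // no signer in the chain, or signature mismatch
    }
    return false; // empty chain
}
```

A certificate whose issuer name matches the intermediate but whose signature was produced with a different key is rejected, which is the difference from a names-only check.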


@ -91,6 +91,11 @@ Optional<Certificate> Certificate::parse_asn1(ReadonlyBytes buffer, bool)
} while (0)
Certificate certificate;
auto copy_buffer_result = ByteBuffer::copy(buffer.data(), buffer.size());
if (copy_buffer_result.is_error())
return {};
certificate.original_asn1 = copy_buffer_result.release_value();
Crypto::ASN1::Decoder decoder { buffer };
// Certificate ::= Sequence {
// certificate TBSCertificate,
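
Review bot: at the `ByteBuffer::copy(buffer.data(), buffer.size())` call, `original_asn1` receives the entire input buffer, which is the outer Certificate SEQUENCE plus any bytes that follow it, while a certificate's signature is computed over the encoded TBSCertificate only. Please add a comment on `original_asn1` stating that it holds the complete encoding and that the verifier has to slice out the TBSCertificate bytes before hashing, or store that span directly once the decoder has located it. Separately, the `return {};` on allocation failure looks the same to callers as a parse failure; a debug log line there would make out-of-memory distinguishable when diagnosing a rejected chain.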