LibTLS: Verify the certificate chain sent by the server

With this change the certificate chain sent by the server will actually be verified, instead of just checking the names of the certificates. To determine if a certificate is signed by a root certificate, the list of root certificates is now a HashMap mapping from the unique identifier string to the certificate. This allows us to take the issuer of a certificate and easily check if it is a root certificate. If a certificate is not signed by a root certificate, we will check that it is signed by the next certificate in the chain. This also removes the ad-hoc checking of certificate validity from multiple places, and moves all checking to the verify_chain.
2025-07-26 12:27:34 +00:00 · 2022-02-21 22:25:34 +01:00 · 2022-02-21 22:25:34 +01:00 · fea5aeda0b
commit fea5aeda0b
parent d5cef41bb6
6 changed files with 162 additions and 47 deletions
--- a/Userland/Libraries/LibTLS/Certificate.cpp
+++ b/Userland/Libraries/LibTLS/Certificate.cpp
@ -91,6 +91,11 @@ Optional<Certificate> Certificate::parse_asn1(ReadonlyBytes buffer, bool)
    } while (0)

    Certificate certificate;
+    auto copy_buffer_result = ByteBuffer::copy(buffer.data(), buffer.size());
+    if (copy_buffer_result.is_error())
+        return {};
+    certificate.original_asn1 = copy_buffer_result.release_value();
+
    Crypto::ASN1::Decoder decoder { buffer };
    // Certificate ::= Sequence {
    //     certificate          TBSCertificate,