1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 20:27:45 +00:00

LibTLS: Verify the certificate chain sent by the server

With this change the certificate chain sent by the server will actually
be verified, instead of just checking the names of the certificates.

To determine if a certificate is signed by a root certificate, the list
of root certificates is now a HashMap mapping from the unique identifier
string to the certificate. This allows us to take the issuer of a
certificate and easily check if it is a root certificate. If a
certificate is not signed by a root certificate, we will check that it
is signed by the next certificate in the chain.

This also removes the ad-hoc checking of certificate validity from
multiple places, and moves all checking to the verify_chain.
This commit is contained in:
Michiel Visser 2022-02-21 22:25:34 +01:00 committed by Ali Mohammad Pur
parent d5cef41bb6
commit fea5aeda0b
6 changed files with 162 additions and 47 deletions

View file

@ -313,21 +313,6 @@ ssize_t TLSv12::handle_handshake_payload(ReadonlyBytes vbuffer)
VERIFY_NOT_REACHED();
}
payload_res = handle_certificate(buffer.slice(1, payload_size));
if (m_context.certificates.size()) {
auto it = m_context.certificates.find_if([](auto const& cert) { return cert.is_valid(); });
if (it.is_end()) {
// no valid certificates
dbgln("No valid certificates found");
payload_res = (i8)Error::BadCertificate;
m_context.critical_error = payload_res;
break;
}
// swap the first certificate with the valid one
if (it.index() != 0)
swap(m_context.certificates[0], m_context.certificates[it.index()]);
}
} else {
payload_res = (i8)Error::UnexpectedMessage;
}