LibTLS: Add self signage information to our parsed certificates

Author: https://github.com/fdellwing Commit: https://github.com/SerenityOS/serenity/commit/114a383af3 Pull-request: https://github.com/SerenityOS/serenity/pull/17955 Reviewed-by: https://github.com/gmta ✅ Reviewed-by: https://github.com/kleinesfilmroellchen ✅
2024-09-30 08:41:15 +00:00 · 2023-03-21 18:48:05 +01:00 · 2023-03-21 18:48:05 +01:00 · 114a383af3 · 2024-07-17 07:35:03 +09:00
parent c5542ea2c9
commit 114a383af3
3 changed files with 27 additions and 0 deletions
--- a/Userland/Libraries/LibTLS/Certificate.cpp
+++ b/Userland/Libraries/LibTLS/Certificate.cpp
@ -349,6 +349,11 @@ Optional<Certificate> Certificate::parse_asn1(ReadonlyBytes buffer, bool)
            return {};
    }

+    // self issued
+    {
+        certificate.is_self_issued = certificate.issuer_identifier_string() == certificate.subject_identifier_string();
+    }
+
    // extensions
    {
        if (certificate.version == 2) {
--- a/Userland/Libraries/LibTLS/Certificate.h
+++ b/Userland/Libraries/LibTLS/Certificate.h
@ -60,9 +60,11 @@ public:
    bool is_allowed_to_sign_certificate { false };
    bool is_certificate_authority { false };
    Optional<size_t> path_length_constraint {};
+    bool is_self_issued { false };

    static Optional<Certificate> parse_asn1(ReadonlyBytes, bool client_cert = false);

+    bool is_self_signed();
    bool is_valid() const;

    DeprecatedString subject_identifier_string() const
@ -124,6 +126,9 @@ public:
        }
        return cert_name.to_deprecated_string();
    }
+
+private:
+    Optional<bool> m_is_self_signed;
 };

 class DefaultRootCACertificates {
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@ -115,6 +115,23 @@ bool Certificate::is_valid() const
    return true;
 }

+// https://www.ietf.org/rfc/rfc5280.html#page-12
+bool Certificate::is_self_signed()
+{
+    if (m_is_self_signed.has_value())
+        return *m_is_self_signed;
+
+    // Self-signed certificates are self-issued certificates where the digital
+    // signature may be verified by the public key bound into the certificate.
+    if (!this->is_self_issued)
+        m_is_self_signed.emplace(false);
+
+    // FIXME: Actually check if we sign ourself
+
+    m_is_self_signed.emplace(true);
+    return *m_is_self_signed;
+}
+
 void TLSv12::try_disambiguate_error() const
 {
    dbgln("Possible failure cause(s): ");