beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-09-30 00:31:14 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

LibTLS: Add references to RFC5246 for the verify procedure

Browse source
This commit is contained in:
Michiel Visser 2022-02-22 13:48:52 +01:00 committed by Ali Mohammad Pur
parent d78813d902
commit 331092d25a
Notes: sideshowbarker 2024-07-17 22:09:47 +09:00 
Author: https://github.com/msvisser
Commit: https://github.com/SerenityOS/serenity/commit/331092d25a
Pull-request: https://github.com/SerenityOS/serenity/pull/12739
Reviewed-by: https://github.com/alimpfard
3 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Userland/Libraries/LibTLS/HandshakeClient.cpp
View file

@ -179,6 +179,7 @@ void TLSv12::build_rsa_pre_master_secret(PacketBuilder& builder)
}
m_context.premaster_key = premaster_key_result.release_value();
// RFC5246 section 7.4.2: The sender's certificate MUST come first in the list.
auto& certificate = m_context.certificates.first();
if constexpr (TLS_DEBUG) {
dbgln("PreMaster secret");

1
Userland/Libraries/LibTLS/HandshakeServer.cpp
View file

@ -359,6 +359,7 @@ ssize_t TLSv12::verify_rsa_server_key_exchange(ReadonlyBytes server_key_info_buf
dbgln("verify_rsa_server_key_exchange failed: Attempting to verify signature without certificates");
return (i8)Error::NotSafe;
}
// RFC5246 section 7.4.2: The sender's certificate MUST come first in the list.
auto certificate_public_key = m_context.certificates.first().public_key;
Crypto::PK::RSAPrivateKey dummy_private_key;
auto rsa = Crypto::PK::RSA(certificate_public_key, dummy_private_key);

6
Userland/Libraries/LibTLS/TLSv12.cpp
View file

@ -233,6 +233,12 @@ bool Context::verify_chain(StringView host) const
return false;
}
// RFC5246 section 7.4.2: The sender's certificate MUST come first in the list. Each following certificate
// MUST directly certify the one preceding it. Because certificate validation requires that root keys be
// distributed independently, the self-signed certificate that specifies the root certificate authority MAY be
// omitted from the chain, under the assumption that the remote end must already possess it in order to validate
// it in any case.
if (!host.is_empty()) {
auto first_certificate = local_chain->first();
auto subject_matches = certificate_subject_matches_host(first_certificate, host);