mirrors/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-04-20 11:36:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibTLS: Move DefaultRootCACertificates to own file

Browse source
This commit is contained in:
devgianlu 2025-02-14 09:35:31 +01:00 committed by Ali Mohammad Pur
parent 6889fa9695
commit 53dd99098c
Notes: github-actions[bot] 2025-02-17 18:54:08 +00:00
8 changed files with 132 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Libraries/LibTLS/CMakeLists.txt
View file

@ -1,6 +1,7 @@
add_cxx_compile_options(-Wvla)
set(SOURCES
DefaultRootCACertificates.cpp
Handshake.cpp
HandshakeCertificate.cpp
HandshakeClient.cpp

93
Libraries/LibTLS/DefaultRootCACertificates.cpp Normal file
View file

@ -0,0 +1,93 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
* Copyright (c) 2025, Altomani Gianluca <altomanigianluca@gmail.com>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <AK/ByteBuffer.h>
#include <LibCore/StandardPaths.h>
#include <LibCrypto/ASN1/PEM.h>
#include <LibFileSystem/FileSystem.h>
#include <LibTLS/DefaultRootCACertificates.h>
namespace TLS {
static Vector<ByteString> s_default_ca_certificate_paths;
void DefaultRootCACertificates::set_default_certificate_paths(Span<ByteString> paths)
{
s_default_ca_certificate_paths.clear();
s_default_ca_certificate_paths.ensure_capacity(paths.size());
for (auto& path : paths)
s_default_ca_certificate_paths.unchecked_append(path);
}
DefaultRootCACertificates::DefaultRootCACertificates()
{
auto load_result = load_certificates(s_default_ca_certificate_paths);
if (load_result.is_error()) {
dbgln("Failed to load CA Certificates: {}", load_result.error());
return;
}
m_ca_certificates = load_result.release_value();
}
DefaultRootCACertificates& DefaultRootCACertificates::the()
{
static thread_local DefaultRootCACertificates s_the;
return s_the;
}
ErrorOr<Vector<Certificate>> DefaultRootCACertificates::load_certificates(Span<ByteString> custom_cert_paths)
{
auto cacert_file_or_error = Core::File::open("/etc/cacert.pem"sv, Core::File::OpenMode::Read);
ByteBuffer data;
if (!cacert_file_or_error.is_error())
data = TRY(cacert_file_or_error.value()->read_until_eof());
auto user_cert_path = TRY(String::formatted("{}/.config/certs.pem", Core::StandardPaths::home_directory()));
if (FileSystem::exists(user_cert_path)) {
auto user_cert_file = TRY(Core::File::open(user_cert_path, Core::File::OpenMode::Read));
TRY(data.try_append(TRY(user_cert_file->read_until_eof())));
}
for (auto& custom_cert_path : custom_cert_paths) {
if (FileSystem::exists(custom_cert_path)) {
auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read));
TRY(data.try_append(TRY(custom_cert_file->read_until_eof())));
}
}
return TRY(parse_pem_root_certificate_authorities(data));
}
ErrorOr<Vector<Certificate>> DefaultRootCACertificates::parse_pem_root_certificate_authorities(ByteBuffer& data)
{
Vector<Certificate> certificates;
auto certs = TRY(Crypto::decode_pems(data));
for (auto& cert : certs) {
auto certificate_result = Certificate::parse_certificate(cert.data);
if (certificate_result.is_error()) {
// FIXME: It would be nice to have more informations about the certificate we failed to parse.
// Like: Issuer, Algorithm, CN, etc
dbgln("Failed to load certificate: {}", certificate_result.error());
continue;
}
auto certificate = certificate_result.release_value();
if (certificate.is_certificate_authority && certificate.is_self_signed()) {
TRY(certificates.try_append(move(certificate)));
} else {
dbgln("Skipped '{}' because it is not a valid root CA", TRY(certificate.subject.to_string()));
}
}
dbgln_if(TLS_DEBUG, "Loaded {} of {} ({:.2}%) provided CA Certificates", certificates.size(), certs.size(), (certificates.size() * 100.0) / certs.size());
return certificates;
}
}

34
Libraries/LibTLS/DefaultRootCACertificates.h Normal file
View file

@ -0,0 +1,34 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
* Copyright (c) 2025, Altomani Gianluca <altomanigianluca@gmail.com>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#pragma once
#include <LibCrypto/Certificate/Certificate.h>
namespace TLS {
using Crypto::Certificate::Certificate;
class DefaultRootCACertificates {
public:
DefaultRootCACertificates();
Vector<Certificate> const& certificates() const { return m_ca_certificates; }
static ErrorOr<Vector<Certificate>> parse_pem_root_certificate_authorities(ByteBuffer&);
static ErrorOr<Vector<Certificate>> load_certificates(Span<ByteString> custom_cert_paths = {});
static DefaultRootCACertificates& the();
static void set_default_certificate_paths(Span<ByteString> paths);
private:
Vector<Certificate> m_ca_certificates;
};
}
using TLS::DefaultRootCACertificates;

83
Libraries/LibTLS/TLSv12.cpp
View file

@ -9,18 +9,14 @@
#include <AK/Endian.h>
#include <LibCore/ConfigFile.h>
#include <LibCore/DateTime.h>
#include <LibCore/File.h>
#include <LibCore/StandardPaths.h>
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/ASN1.h>
#include <LibCrypto/ASN1/Constants.h>
#include <LibCrypto/ASN1/PEM.h>
#include <LibCrypto/Certificate/Certificate.h>
#include <LibCrypto/Curves/Ed25519.h>
#include <LibCrypto/Curves/SECPxxxr1.h>
#include <LibFileSystem/FileSystem.h>
#include <LibTLS/DefaultRootCACertificates.h>
#include <LibTLS/TLSv12.h>
#include <errno.h>
namespace TLS {
@ -509,83 +505,6 @@ Vector<Certificate> TLSv12::parse_pem_certificate(ReadonlyBytes certificate_pem_
return { move(certificate) };
}
static Vector<ByteString> s_default_ca_certificate_paths;
void DefaultRootCACertificates::set_default_certificate_paths(Span<ByteString> paths)
{
s_default_ca_certificate_paths.clear();
s_default_ca_certificate_paths.ensure_capacity(paths.size());
for (auto& path : paths)
s_default_ca_certificate_paths.unchecked_append(path);
}
DefaultRootCACertificates::DefaultRootCACertificates()
{
auto load_result = load_certificates(s_default_ca_certificate_paths);
if (load_result.is_error()) {
dbgln("Failed to load CA Certificates: {}", load_result.error());
return;
}
m_ca_certificates = load_result.release_value();
}
DefaultRootCACertificates& DefaultRootCACertificates::the()
{
static thread_local DefaultRootCACertificates s_the;
return s_the;
}
ErrorOr<Vector<Certificate>> DefaultRootCACertificates::load_certificates(Span<ByteString> custom_cert_paths)
{
auto cacert_file_or_error = Core::File::open("/etc/cacert.pem"sv, Core::File::OpenMode::Read);
ByteBuffer data;
if (!cacert_file_or_error.is_error())
data = TRY(cacert_file_or_error.value()->read_until_eof());
auto user_cert_path = TRY(String::formatted("{}/.config/certs.pem", Core::StandardPaths::home_directory()));
if (FileSystem::exists(user_cert_path)) {
auto user_cert_file = TRY(Core::File::open(user_cert_path, Core::File::OpenMode::Read));
TRY(data.try_append(TRY(user_cert_file->read_until_eof())));
}
for (auto& custom_cert_path : custom_cert_paths) {
if (FileSystem::exists(custom_cert_path)) {
auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read));
TRY(data.try_append(TRY(custom_cert_file->read_until_eof())));
}
}
return TRY(parse_pem_root_certificate_authorities(data));
}
ErrorOr<Vector<Certificate>> DefaultRootCACertificates::parse_pem_root_certificate_authorities(ByteBuffer& data)
{
Vector<Certificate> certificates;
auto certs = TRY(Crypto::decode_pems(data));
for (auto& cert : certs) {
auto certificate_result = Certificate::parse_certificate(cert.data);
if (certificate_result.is_error()) {
// FIXME: It would be nice to have more informations about the certificate we failed to parse.
// Like: Issuer, Algorithm, CN, etc
dbgln("Failed to load certificate: {}", certificate_result.error());
continue;
}
auto certificate = certificate_result.release_value();
if (certificate.is_certificate_authority && certificate.is_self_signed()) {
TRY(certificates.try_append(move(certificate)));
} else {
dbgln("Skipped '{}' because it is not a valid root CA", TRY(certificate.subject.to_string()));
}
}
dbgln_if(TLS_DEBUG, "Loaded {} of {} ({:.2}%) provided CA Certificates", certificates.size(), certs.size(), (certificates.size() * 100.0) / certs.size());
return certificates;
}
ErrorOr<SupportedGroup> oid_to_curve(Vector<int> curve)
{
if (curve == Crypto::ASN1::secp384r1_oid)

21
Libraries/LibTLS/TLSv12.h
View file

@ -13,12 +13,10 @@
#include <LibCore/Socket.h>
#include <LibCore/Timer.h>
#include <LibCrypto/Authentication/HMAC.h>
#include <LibCrypto/BigInt/UnsignedBigInteger.h>
#include <LibCrypto/Certificate/Certificate.h>
#include <LibCrypto/Cipher/AES.h>
#include <LibCrypto/Curves/EllipticCurve.h>
#include <LibCrypto/Hash/HashManager.h>
#include <LibCrypto/PK/RSA.h>
#include <LibTLS/CipherSuite.h>
#include <LibTLS/TLSPacketBuilder.h>
@ -553,23 +551,4 @@ private:
RefPtr<Core::Timer> m_handshake_timeout_timer;
};
class DefaultRootCACertificates {
public:
DefaultRootCACertificates();
Vector<Certificate> const& certificates() const { return m_ca_certificates; }
static ErrorOr<Vector<Certificate>> parse_pem_root_certificate_authorities(ByteBuffer&);
static ErrorOr<Vector<Certificate>> load_certificates(Span<ByteString> custom_cert_paths = {});
static DefaultRootCACertificates& the();
static void set_default_certificate_paths(Span<ByteString> paths);
private:
Vector<Certificate> m_ca_certificates;
};
}
using TLS::DefaultRootCACertificates;

1
Services/RequestServer/main.cpp
View file

@ -15,6 +15,7 @@
#include <LibFileSystem/FileSystem.h>
#include <LibIPC/SingleServer.h>
#include <LibMain/Main.h>
#include <LibTLS/DefaultRootCACertificates.h>
#include <LibTLS/TLSv12.h>
#include <RequestServer/ConnectionFromClient.h>

1
Tests/LibTLS/TestTLSHandshake.cpp
View file

@ -10,6 +10,7 @@
#include <LibCrypto/ASN1/ASN1.h>
#include <LibCrypto/ASN1/PEM.h>
#include <LibFileSystem/FileSystem.h>
#include <LibTLS/DefaultRootCACertificates.h>
#include <LibTLS/TLSv12.h>
#include <LibTest/TestCase.h>

1
Utilities/dns.cpp
View file

@ -9,6 +9,7 @@
#include <LibCore/Socket.h>
#include <LibDNS/Resolver.h>
#include <LibMain/Main.h>
#include <LibTLS/DefaultRootCACertificates.h>
#include <LibTLS/TLSv12.h>
ErrorOr<int> serenity_main(Main::Arguments arguments)