LibTLS: Move DefaultRootCACertificates to own file

Author: https://github.com/devgianlu
Commit: 53dd99098c
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3571
Reviewed-by: https://github.com/ADKaster
Reviewed-by: https://github.com/alimpfard ✅

Libraries/LibTLS/CMakeLists.txt

@@ -1,6 +1,7 @@
 add_cxx_compile_options(-Wvla)
 
 set(SOURCES
+    DefaultRootCACertificates.cpp
     Handshake.cpp
     HandshakeCertificate.cpp
     HandshakeClient.cpp

Libraries/LibTLS/DefaultRootCACertificates.cpp

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
+ * Copyright (c) 2025, Altomani Gianluca <altomanigianluca@gmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <AK/ByteBuffer.h>
+#include <LibCore/StandardPaths.h>
+#include <LibCrypto/ASN1/PEM.h>
+#include <LibFileSystem/FileSystem.h>
+#include <LibTLS/DefaultRootCACertificates.h>
+
+namespace TLS {
+
+static Vector<ByteString> s_default_ca_certificate_paths;
+
+void DefaultRootCACertificates::set_default_certificate_paths(Span<ByteString> paths)
+{
+    s_default_ca_certificate_paths.clear();
+    s_default_ca_certificate_paths.ensure_capacity(paths.size());
+    for (auto& path : paths)
+        s_default_ca_certificate_paths.unchecked_append(path);
+}
+
+DefaultRootCACertificates::DefaultRootCACertificates()
+{
+    auto load_result = load_certificates(s_default_ca_certificate_paths);
+    if (load_result.is_error()) {
+        dbgln("Failed to load CA Certificates: {}", load_result.error());
+        return;
+    }
+
+    m_ca_certificates = load_result.release_value();
+}
+
+DefaultRootCACertificates& DefaultRootCACertificates::the()
+{
+    static thread_local DefaultRootCACertificates s_the;
+    return s_the;
+}
+
+ErrorOr<Vector<Certificate>> DefaultRootCACertificates::load_certificates(Span<ByteString> custom_cert_paths)
+{
+    auto cacert_file_or_error = Core::File::open("/etc/cacert.pem"sv, Core::File::OpenMode::Read);
+    ByteBuffer data;
+    if (!cacert_file_or_error.is_error())
+        data = TRY(cacert_file_or_error.value()->read_until_eof());
+
+    auto user_cert_path = TRY(String::formatted("{}/.config/certs.pem", Core::StandardPaths::home_directory()));
+    if (FileSystem::exists(user_cert_path)) {
+        auto user_cert_file = TRY(Core::File::open(user_cert_path, Core::File::OpenMode::Read));
+        TRY(data.try_append(TRY(user_cert_file->read_until_eof())));
+    }
+
+    for (auto& custom_cert_path : custom_cert_paths) {
+        if (FileSystem::exists(custom_cert_path)) {
+            auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read));
+            TRY(data.try_append(TRY(custom_cert_file->read_until_eof())));
+        }
+    }
+
+    return TRY(parse_pem_root_certificate_authorities(data));
+}
+
+ErrorOr<Vector<Certificate>> DefaultRootCACertificates::parse_pem_root_certificate_authorities(ByteBuffer& data)
+{
+    Vector<Certificate> certificates;
+
+    auto certs = TRY(Crypto::decode_pems(data));
+
+    for (auto& cert : certs) {
+        auto certificate_result = Certificate::parse_certificate(cert.data);
+        if (certificate_result.is_error()) {
+            // FIXME: It would be nice to have more informations about the certificate we failed to parse.
+            //        Like: Issuer, Algorithm, CN, etc
+            dbgln("Failed to load certificate: {}", certificate_result.error());
+            continue;
+        }
+        auto certificate = certificate_result.release_value();
+        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
+            TRY(certificates.try_append(move(certificate)));
+        } else {
+            dbgln("Skipped '{}' because it is not a valid root CA", TRY(certificate.subject.to_string()));
+        }
+    }
+
+    dbgln_if(TLS_DEBUG, "Loaded {} of {} ({:.2}%) provided CA Certificates", certificates.size(), certs.size(), (certificates.size() * 100.0) / certs.size());
+
+    return certificates;
+}
+
+}

Libraries/LibTLS/DefaultRootCACertificates.h

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
+ * Copyright (c) 2025, Altomani Gianluca <altomanigianluca@gmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibCrypto/Certificate/Certificate.h>
+
+namespace TLS {
+
+using Crypto::Certificate::Certificate;
+
+class DefaultRootCACertificates {
+public:
+    DefaultRootCACertificates();
+
+    Vector<Certificate> const& certificates() const { return m_ca_certificates; }
+
+    static ErrorOr<Vector<Certificate>> parse_pem_root_certificate_authorities(ByteBuffer&);
+    static ErrorOr<Vector<Certificate>> load_certificates(Span<ByteString> custom_cert_paths = {});
+
+    static DefaultRootCACertificates& the();
+
+    static void set_default_certificate_paths(Span<ByteString> paths);
+
+private:
+    Vector<Certificate> m_ca_certificates;
+};
+}
+
+using TLS::DefaultRootCACertificates;

Libraries/LibTLS/TLSv12.cpp

@@ -9,18 +9,14 @@
 #include <AK/Endian.h>
 #include <LibCore/ConfigFile.h>
 #include <LibCore/DateTime.h>
-#include <LibCore/File.h>
-#include <LibCore/StandardPaths.h>
-#include <LibCore/Timer.h>
 #include <LibCrypto/ASN1/ASN1.h>
 #include <LibCrypto/ASN1/Constants.h>
 #include <LibCrypto/ASN1/PEM.h>
 #include <LibCrypto/Certificate/Certificate.h>
 #include <LibCrypto/Curves/Ed25519.h>
 #include <LibCrypto/Curves/SECPxxxr1.h>
-#include <LibFileSystem/FileSystem.h>
+#include <LibTLS/DefaultRootCACertificates.h>
 #include <LibTLS/TLSv12.h>
-#include <errno.h>
 
 namespace TLS {
 
@@ -509,83 +505,6 @@ Vector<Certificate> TLSv12::parse_pem_certificate(ReadonlyBytes certificate_pem_
     return { move(certificate) };
 }
 
-static Vector<ByteString> s_default_ca_certificate_paths;
-
-void DefaultRootCACertificates::set_default_certificate_paths(Span<ByteString> paths)
-{
-    s_default_ca_certificate_paths.clear();
-    s_default_ca_certificate_paths.ensure_capacity(paths.size());
-    for (auto& path : paths)
-        s_default_ca_certificate_paths.unchecked_append(path);
-}
-
-DefaultRootCACertificates::DefaultRootCACertificates()
-{
-    auto load_result = load_certificates(s_default_ca_certificate_paths);
-    if (load_result.is_error()) {
-        dbgln("Failed to load CA Certificates: {}", load_result.error());
-        return;
-    }
-
-    m_ca_certificates = load_result.release_value();
-}
-
-DefaultRootCACertificates& DefaultRootCACertificates::the()
-{
-    static thread_local DefaultRootCACertificates s_the;
-    return s_the;
-}
-
-ErrorOr<Vector<Certificate>> DefaultRootCACertificates::load_certificates(Span<ByteString> custom_cert_paths)
-{
-    auto cacert_file_or_error = Core::File::open("/etc/cacert.pem"sv, Core::File::OpenMode::Read);
-    ByteBuffer data;
-    if (!cacert_file_or_error.is_error())
-        data = TRY(cacert_file_or_error.value()->read_until_eof());
-
-    auto user_cert_path = TRY(String::formatted("{}/.config/certs.pem", Core::StandardPaths::home_directory()));
-    if (FileSystem::exists(user_cert_path)) {
-        auto user_cert_file = TRY(Core::File::open(user_cert_path, Core::File::OpenMode::Read));
-        TRY(data.try_append(TRY(user_cert_file->read_until_eof())));
-    }
-
-    for (auto& custom_cert_path : custom_cert_paths) {
-        if (FileSystem::exists(custom_cert_path)) {
-            auto custom_cert_file = TRY(Core::File::open(custom_cert_path, Core::File::OpenMode::Read));
-            TRY(data.try_append(TRY(custom_cert_file->read_until_eof())));
-        }
-    }
-
-    return TRY(parse_pem_root_certificate_authorities(data));
-}
-
-ErrorOr<Vector<Certificate>> DefaultRootCACertificates::parse_pem_root_certificate_authorities(ByteBuffer& data)
-{
-    Vector<Certificate> certificates;
-
-    auto certs = TRY(Crypto::decode_pems(data));
-
-    for (auto& cert : certs) {
-        auto certificate_result = Certificate::parse_certificate(cert.data);
-        if (certificate_result.is_error()) {
-            // FIXME: It would be nice to have more informations about the certificate we failed to parse.
-            //        Like: Issuer, Algorithm, CN, etc
-            dbgln("Failed to load certificate: {}", certificate_result.error());
-            continue;
-        }
-        auto certificate = certificate_result.release_value();
-        if (certificate.is_certificate_authority && certificate.is_self_signed()) {
-            TRY(certificates.try_append(move(certificate)));
-        } else {
-            dbgln("Skipped '{}' because it is not a valid root CA", TRY(certificate.subject.to_string()));
-        }
-    }
-
-    dbgln_if(TLS_DEBUG, "Loaded {} of {} ({:.2}%) provided CA Certificates", certificates.size(), certs.size(), (certificates.size() * 100.0) / certs.size());
-
-    return certificates;
-}
-
 ErrorOr<SupportedGroup> oid_to_curve(Vector<int> curve)
 {
     if (curve == Crypto::ASN1::secp384r1_oid)

Libraries/LibTLS/TLSv12.h

@@ -13,12 +13,10 @@
 #include <LibCore/Socket.h>
 #include <LibCore/Timer.h>
 #include <LibCrypto/Authentication/HMAC.h>
-#include <LibCrypto/BigInt/UnsignedBigInteger.h>
 #include <LibCrypto/Certificate/Certificate.h>
 #include <LibCrypto/Cipher/AES.h>
 #include <LibCrypto/Curves/EllipticCurve.h>
 #include <LibCrypto/Hash/HashManager.h>
-#include <LibCrypto/PK/RSA.h>
 #include <LibTLS/CipherSuite.h>
 #include <LibTLS/TLSPacketBuilder.h>
 
@@ -553,23 +551,4 @@ private:
     RefPtr<Core::Timer> m_handshake_timeout_timer;
 };
 
-class DefaultRootCACertificates {
-public:
-    DefaultRootCACertificates();
-
-    Vector<Certificate> const& certificates() const { return m_ca_certificates; }
-
-    static ErrorOr<Vector<Certificate>> parse_pem_root_certificate_authorities(ByteBuffer&);
-    static ErrorOr<Vector<Certificate>> load_certificates(Span<ByteString> custom_cert_paths = {});
-
-    static DefaultRootCACertificates& the();
-
-    static void set_default_certificate_paths(Span<ByteString> paths);
-
-private:
-    Vector<Certificate> m_ca_certificates;
-};
-
 }
-
-using TLS::DefaultRootCACertificates;

Services/RequestServer/main.cpp

@@ -15,6 +15,7 @@
 #include <LibFileSystem/FileSystem.h>
 #include <LibIPC/SingleServer.h>
 #include <LibMain/Main.h>
+#include <LibTLS/DefaultRootCACertificates.h>
 #include <LibTLS/TLSv12.h>
 #include <RequestServer/ConnectionFromClient.h>
 

Tests/LibTLS/TestTLSHandshake.cpp

@@ -10,6 +10,7 @@
 #include <LibCrypto/ASN1/ASN1.h>
 #include <LibCrypto/ASN1/PEM.h>
 #include <LibFileSystem/FileSystem.h>
+#include <LibTLS/DefaultRootCACertificates.h>
 #include <LibTLS/TLSv12.h>
 #include <LibTest/TestCase.h>
 

Utilities/dns.cpp

@@ -9,6 +9,7 @@
 #include <LibCore/Socket.h>
 #include <LibDNS/Resolver.h>
 #include <LibMain/Main.h>
+#include <LibTLS/DefaultRootCACertificates.h>
 #include <LibTLS/TLSv12.h>
 
 ErrorOr<int> serenity_main(Main::Arguments arguments)