Userland/Libraries/LibTLS/Certificate.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

/*
 * Copyright (c) 2020, the SerenityOS developers.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#pragma once

#include <AK/ByteBuffer.h>
#include <AK/Forward.h>
#include <AK/Optional.h>
#include <AK/Singleton.h>
#include <AK/Types.h>
#include <LibCore/ConfigFile.h>
#include <LibCore/DateTime.h>
#include <LibCrypto/BigInt/UnsignedBigInteger.h>
#include <LibCrypto/PK/RSA.h>

namespace TLS {

enum class CertificateKeyAlgorithm {
    Unsupported = 0x00,
    RSA_RSA = 0x01,
    RSA_MD5 = 0x04,
    RSA_SHA1 = 0x05,
    RSA_SHA256 = 0x0b,
    RSA_SHA384 = 0x0c,
    RSA_SHA512 = 0x0d,
};

class Certificate {
public:
    u16 version { 0 };
    CertificateKeyAlgorithm algorithm { CertificateKeyAlgorithm::Unsupported };
    CertificateKeyAlgorithm key_algorithm { CertificateKeyAlgorithm::Unsupported };
    CertificateKeyAlgorithm ec_algorithm { CertificateKeyAlgorithm::Unsupported };
    ByteBuffer exponent {};
    Crypto::PK::RSAPublicKey<Crypto::UnsignedBigInteger> public_key {};
    Crypto::PK::RSAPrivateKey<Crypto::UnsignedBigInteger> private_key {};
    struct Name {
        DeprecatedString country;
        DeprecatedString state;
        DeprecatedString location;
        DeprecatedString entity;
        DeprecatedString subject;
        DeprecatedString unit;
    } issuer, subject;
    Core::DateTime not_before;
    Core::DateTime not_after;
    Vector<DeprecatedString> SAN;
    u8* ocsp { nullptr };
    Crypto::UnsignedBigInteger serial_number;
    ByteBuffer sign_key {};
    ByteBuffer fingerprint {};
    ByteBuffer der {};
    ByteBuffer data {};
    CertificateKeyAlgorithm signature_algorithm { CertificateKeyAlgorithm::Unsupported };
    ByteBuffer signature_value {};
    ByteBuffer original_asn1 {};
    bool is_allowed_to_sign_certificate { false };
    bool is_certificate_authority { false };
    Optional<size_t> path_length_constraint {};

    static Optional<Certificate> parse_asn1(ReadonlyBytes, bool client_cert = false);

    bool is_valid() const;

    DeprecatedString subject_identifier_string() const
    {
        StringBuilder cert_name;
        if (!subject.country.is_empty()) {
            cert_name.append("/C="sv);
            cert_name.append(subject.country);
        }
        if (!subject.state.is_empty()) {
            cert_name.append("/ST="sv);
            cert_name.append(subject.state);
        }
        if (!subject.location.is_empty()) {
            cert_name.append("/L="sv);
            cert_name.append(subject.location);
        }
        if (!subject.entity.is_empty()) {
            cert_name.append("/O="sv);
            cert_name.append(subject.entity);
        }
        if (!subject.unit.is_empty()) {
            cert_name.append("/OU="sv);
            cert_name.append(subject.unit);
        }
        if (!subject.subject.is_empty()) {
            cert_name.append("/CN="sv);
            cert_name.append(subject.subject);
        }
        return cert_name.to_deprecated_string();
    }

    DeprecatedString issuer_identifier_string() const
    {
        StringBuilder cert_name;
        if (!issuer.country.is_empty()) {
            cert_name.append("/C="sv);
            cert_name.append(issuer.country);
        }
        if (!issuer.state.is_empty()) {
            cert_name.append("/ST="sv);
            cert_name.append(issuer.state);
        }
        if (!issuer.location.is_empty()) {
            cert_name.append("/L="sv);
            cert_name.append(issuer.location);
        }
        if (!issuer.entity.is_empty()) {
            cert_name.append("/O="sv);
            cert_name.append(issuer.entity);
        }
        if (!issuer.unit.is_empty()) {
            cert_name.append("/OU="sv);
            cert_name.append(issuer.unit);
        }
        if (!issuer.subject.is_empty()) {
            cert_name.append("/CN="sv);
            cert_name.append(issuer.subject);
        }
        return cert_name.to_deprecated_string();
    }
};

class DefaultRootCACertificates {
public:
    DefaultRootCACertificates();

    Vector<Certificate> const& certificates() const { return m_ca_certificates; }

    void reload_certificates(ByteBuffer&);

    static DefaultRootCACertificates& the() { return s_the; }

private:
    static Singleton<DefaultRootCACertificates> s_the;

    Vector<Certificate> m_ca_certificates;
};

}

using TLS::Certificate;
using TLS::DefaultRootCACertificates;