Line | Source Code | Coverage |
---|
1 | /**************************************************************************** | - |
| ** | |
| ** Copyright (C) 2012 Digia Plc and/or its subsidiary(-ies). | |
| ** Contact: http://www.qt-project.org/legal | |
| ** | |
| ** This file is part of the QtNetwork module of the Qt Toolkit. | |
| ** | |
| ** $QT_BEGIN_LICENSE:LGPL$ | |
| ** Commercial License Usage | |
| ** Licensees holding valid commercial Qt licenses may use this file in | |
| ** accordance with the commercial license agreement provided with the | |
| ** Software or, alternatively, in accordance with the terms contained in | |
| ** a written agreement between you and Digia. For licensing terms and | |
| ** conditions see http://qt.digia.com/licensing. For further information | |
| ** use the contact form at http://qt.digia.com/contact-us. | |
| ** | |
| ** GNU Lesser General Public License Usage | |
| ** Alternatively, this file may be used under the terms of the GNU Lesser | |
| ** General Public License version 2.1 as published by the Free Software | |
| ** Foundation and appearing in the file LICENSE.LGPL included in the | |
| ** packaging of this file. Please review the following information to | |
| ** ensure the GNU Lesser General Public License version 2.1 requirements | |
| ** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. | |
| ** | |
| ** In addition, as a special exception, Digia gives you certain additional | |
| ** rights. These rights are described in the Digia Qt LGPL Exception | |
| ** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. | |
| ** | |
| ** GNU General Public License Usage | |
| ** Alternatively, this file may be used under the terms of the GNU | |
| ** General Public License version 3.0 as published by the Free Software | |
| ** Foundation and appearing in the file LICENSE.GPL included in the | |
| ** packaging of this file. Please review the following information to | |
| ** ensure the GNU General Public License version 3.0 requirements will be | |
| ** met: http://www.gnu.org/copyleft/gpl.html. | |
| ** | |
| ** | |
| ** $QT_END_LICENSE$ | |
| ** | |
| ****************************************************************************/**************************************************************************** | |
2 | ** | - |
3 | ** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). | - |
4 | ** Contact: http://www.qt-project.org/legal | - |
5 | ** | - |
6 | ** This file is part of the QtNetwork module of the Qt Toolkit. | - |
7 | ** | - |
8 | ** $QT_BEGIN_LICENSE:LGPL$ | - |
9 | ** Commercial License Usage | - |
10 | ** Licensees holding valid commercial Qt licenses may use this file in | - |
11 | ** accordance with the commercial license agreement provided with the | - |
12 | ** Software or, alternatively, in accordance with the terms contained in | - |
13 | ** a written agreement between you and Digia. For licensing terms and | - |
14 | ** conditions see http://qt.digia.com/licensing. For further information | - |
15 | ** use the contact form at http://qt.digia.com/contact-us. | - |
16 | ** | - |
17 | ** GNU Lesser General Public License Usage | - |
18 | ** Alternatively, this file may be used under the terms of the GNU Lesser | - |
19 | ** General Public License version 2.1 as published by the Free Software | - |
20 | ** Foundation and appearing in the file LICENSE.LGPL included in the | - |
21 | ** packaging of this file. Please review the following information to | - |
22 | ** ensure the GNU Lesser General Public License version 2.1 requirements | - |
23 | ** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. | - |
24 | ** | - |
25 | ** In addition, as a special exception, Digia gives you certain additional | - |
26 | ** rights. These rights are described in the Digia Qt LGPL Exception | - |
27 | ** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. | - |
28 | ** | - |
29 | ** GNU General Public License Usage | - |
30 | ** Alternatively, this file may be used under the terms of the GNU | - |
31 | ** General Public License version 3.0 as published by the Free Software | - |
32 | ** Foundation and appearing in the file LICENSE.GPL included in the | - |
33 | ** packaging of this file. Please review the following information to | - |
34 | ** ensure the GNU General Public License version 3.0 requirements will be | - |
35 | ** met: http://www.gnu.org/copyleft/gpl.html. | - |
36 | ** | - |
37 | ** | - |
38 | ** $QT_END_LICENSE$ | - |
39 | ** | - |
40 | ****************************************************************************/ | - |
41 | | - |
42 | | - |
43 | /*! | - |
44 | \class QSslCertificate | - |
45 | \brief The QSslCertificate class provides a convenient API for an X509 certificate. | - |
46 | \since 4.3 | - |
47 | | - |
48 | \reentrant | - |
49 | \ingroup network | - |
50 | \ingroup ssl | - |
51 | \ingroup shared | - |
52 | \inmodule QtNetwork | - |
53 | | - |
54 | QSslCertificate stores an X509 certificate, and is commonly used | - |
55 | to verify the identity and store information about the local host, | - |
56 | a remotely connected peer, or a trusted third party Certificate | - |
57 | Authority. | - |
58 | | - |
59 | There are many ways to construct a QSslCertificate. The most | - |
60 | common way is to call QSslSocket::peerCertificate(), which returns | - |
61 | a QSslCertificate object, or QSslSocket::peerCertificateChain(), | - |
62 | which returns a list of them. You can also load certificates from | - |
63 | a DER (binary) or PEM (Base64) encoded bundle, typically stored as | - |
64 | one or more local files, or in a Qt Resource. | - |
65 | | - |
66 | You can call isNull() to check if your certificate is null. By default, | - |
67 | QSslCertificate constructs a null certificate. A null certificate is | - |
68 | invalid, but an invalid certificate is not necessarily null. If you want | - |
69 | to reset all contents in a certificate, call clear(). | - |
70 | | - |
71 | After loading a certificate, you can find information about the | - |
72 | certificate, its subject, and its issuer, by calling one of the | - |
73 | many accessor functions, including version(), serialNumber(), | - |
74 | issuerInfo() and subjectInfo(). You can call effectiveDate() and | - |
75 | expiryDate() to check when the certificate starts being | - |
76 | effective and when it expires. | - |
77 | The publicKey() function returns the certificate | - |
78 | subject's public key as a QSslKey. You can call issuerInfo() or | - |
79 | subjectInfo() to get detailed information about the certificate | - |
80 | issuer and its subject. | - |
81 | | - |
82 | Internally, QSslCertificate is stored as an X509 structure. You | - |
83 | can access this handle by calling handle(), but the results are | - |
84 | likely to not be portable. | - |
85 | | - |
86 | \sa QSslSocket, QSslKey, QSslCipher, QSslError | - |
87 | */ | - |
88 | | - |
89 | /*! | - |
90 | \enum QSslCertificate::SubjectInfo | - |
91 | | - |
92 | Describes keys that you can pass to QSslCertificate::issuerInfo() or | - |
93 | QSslCertificate::subjectInfo() to get information about the certificate | - |
94 | issuer or subject. | - |
95 | | - |
96 | \value Organization "O" The name of the organization. | - |
97 | | - |
98 | \value CommonName "CN" The common name; most often this is used to store | - |
99 | the host name. | - |
100 | | - |
101 | \value LocalityName "L" The locality. | - |
102 | | - |
103 | \value OrganizationalUnitName "OU" The organizational unit name. | - |
104 | | - |
105 | \value CountryName "C" The country. | - |
106 | | - |
107 | \value StateOrProvinceName "ST" The state or province. | - |
108 | | - |
109 | \value DistinguishedNameQualifier The distinguished name qualifier | - |
110 | | - |
111 | \value SerialNumber The certificate's serial number | - |
112 | | - |
113 | \value EmailAddress The email address associated with the certificate | - |
114 | */ | - |
115 | | - |
116 | #include "qsslsocket_openssl_symbols_p.h" | - |
117 | #include "qsslcertificate.h" | - |
118 | #include "qsslcertificate_p.h" | - |
119 | #include "qsslkey.h" | - |
120 | #include "qsslkey_p.h" | - |
121 | #include "qsslcertificateextension.h" | - |
122 | #include "qsslcertificateextension_p.h" | - |
123 | | - |
124 | #include <QtCore/qatomic.h> | - |
125 | #include <QtCore/qdatetime.h> | - |
126 | #include <QtCore/qdebug.h> | - |
127 | #include <QtCore/qdir.h> | - |
128 | #include <QtCore/qdiriterator.h> | - |
129 | #include <QtCore/qfile.h> | - |
130 | #include <QtCore/qfileinfo.h> | - |
131 | #include <QtCore/qmap.h> | - |
132 | #include <QtCore/qmutex.h> | - |
133 | #include <QtCore/private/qmutexpool_p.h> | - |
134 | #include <QtCore/qstring.h> | - |
135 | #include <QtCore/qstringlist.h> | - |
136 | #include <QtCore/qvarlengtharray.h> | - |
137 | | - |
138 | QT_BEGIN_NAMESPACE | - |
139 | | - |
140 | // forward declaration | - |
141 | static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name); | - |
142 | | - |
143 | /*! | - |
144 | Constructs a QSslCertificate by reading \a format encoded data | - |
145 | from \a device and using the first certificate found. You can | - |
146 | later call isNull() to see if \a device contained a certificate, | - |
147 | and if this certificate was loaded successfully. | - |
148 | */ | - |
149 | QSslCertificate::QSslCertificate(QIODevice *device, QSsl::EncodingFormat format) | - |
150 | : d(new QSslCertificatePrivate) | - |
151 | { | - |
152 | QSslSocketPrivate::ensureInitialized(); | - |
153 | if (device) | - |
154 | d->init(device->readAll(), format); | - |
155 | } | - |
156 | | - |
157 | /*! | - |
158 | Constructs a QSslCertificate by parsing the \a format encoded | - |
159 | \a data and using the first available certificate found. You can | - |
160 | later call isNull() to see if \a data contained a certificate, | - |
161 | and if this certificate was loaded successfully. | - |
162 | */ | - |
163 | QSslCertificate::QSslCertificate(const QByteArray &data, QSsl::EncodingFormat format) | - |
164 | : d(new QSslCertificatePrivate) | - |
165 | { | - |
166 | QSslSocketPrivate::ensureInitialized(); | - |
167 | d->init(data, format); | - |
168 | } | - |
169 | | - |
170 | /*! | - |
171 | Constructs an identical copy of \a other. | - |
172 | */ | - |
173 | QSslCertificate::QSslCertificate(const QSslCertificate &other) : d(other.d) | - |
174 | { | - |
175 | } | - |
176 | | - |
177 | /*! | - |
178 | Destroys the QSslCertificate. | - |
179 | */ | - |
180 | QSslCertificate::~QSslCertificate() | - |
181 | { | - |
182 | } | - |
183 | | - |
184 | /*! | - |
185 | Copies the contents of \a other into this certificate, making the two | - |
186 | certificates identical. | - |
187 | */ | - |
188 | QSslCertificate &QSslCertificate::operator=(const QSslCertificate &other) | - |
189 | { | - |
190 | d = other.d; | - |
191 | return *this; | - |
192 | } | - |
193 | | - |
194 | /*! | - |
195 | \fn void QSslCertificate::swap(QSslCertificate &other) | - |
196 | \since 5.0 | - |
197 | | - |
198 | Swaps this certificate instance with \a other. This function is | - |
199 | very fast and never fails. | - |
200 | */ | - |
201 | | - |
202 | /*! | - |
203 | Returns true if this certificate is the same as \a other; otherwise | - |
204 | returns false. | - |
205 | */ | - |
206 | bool QSslCertificate::operator==(const QSslCertificate &other) const | - |
207 | { | - |
208 | if (d == other.d) | - |
209 | return true; | - |
210 | if (d->null && other.d->null) | - |
211 | return true; | - |
212 | if (d->x509 && other.d->x509) | - |
213 | return q_X509_cmp(d->x509, other.d->x509) == 0; | - |
214 | return false; | - |
215 | } | - |
216 | | - |
217 | /*! | - |
218 | \fn bool QSslCertificate::operator!=(const QSslCertificate &other) const | - |
219 | | - |
220 | Returns true if this certificate is not the same as \a other; otherwise | - |
221 | returns false. | - |
222 | */ | - |
223 | | - |
224 | /*! | - |
225 | Returns true if this is a null certificate (i.e., a certificate | - |
226 | with no contents); otherwise returns false. | - |
227 | | - |
228 | By default, QSslCertificate constructs a null certificate. | - |
229 | | - |
230 | \sa clear() | - |
231 | */ | - |
232 | bool QSslCertificate::isNull() const | - |
233 | { | - |
234 | return d->null; | - |
235 | } | - |
236 | | - |
237 | #if QT_DEPRECATED_SINCE(5,0) | - |
238 | /*! | - |
239 | \fn bool QSslCertificate::isValid() const | - |
240 | \obsolete | - |
241 | | - |
242 | To verify a certificate, use verify(). | - |
243 | To check if a certificate is blacklisted, use isBlacklisted(). | - |
244 | To check if a certificate has expired or is not yet valid, compare | - |
245 | expiryDate() and effectiveDate() with QDateTime::currentDateTime() | - |
246 | | - |
247 | This function checks that the current | - |
248 | date-time is within the date-time range during which the | - |
249 | certificate is considered valid, and checks that the | - |
250 | certificate is not in a blacklist of fraudulent certificates. | - |
251 | | - |
252 | \sa isNull(), verify(), isBlacklisted(), expiryDate(), effectiveDate() | - |
253 | */ | - |
254 | #endif | - |
255 | | - |
256 | /*! | - |
257 | Returns true if this certificate is blacklisted; otherwise | - |
258 | returns false. | - |
259 | | - |
260 | \sa isNull() | - |
261 | */ | - |
262 | bool QSslCertificate::isBlacklisted() const | - |
263 | { | - |
264 | return QSslCertificatePrivate::isBlacklisted(*this); | - |
265 | } | - |
266 | | - |
267 | /*! | - |
268 | Clears the contents of this certificate, making it a null | - |
269 | certificate. | - |
270 | | - |
271 | \sa isNull() | - |
272 | */ | - |
273 | void QSslCertificate::clear() | - |
274 | { | - |
275 | if (isNull()) | - |
276 | return; | - |
277 | d = new QSslCertificatePrivate; | - |
278 | } | - |
279 | | - |
280 | /*! | - |
281 | Returns the certificate's version string. | - |
282 | */ | - |
283 | QByteArray QSslCertificate::version() const | - |
284 | { | - |
285 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
286 | if (d->versionString.isEmpty() && d->x509) | - |
287 | d->versionString = | - |
288 | QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); | - |
289 | | - |
290 | return d->versionString; | - |
291 | } | - |
292 | | - |
293 | /*! | - |
294 | Returns the certificate's serial number string in hexadecimal format. | - |
295 | */ | - |
296 | QByteArray QSslCertificate::serialNumber() const | - |
297 | { | - |
298 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
299 | if (d->serialNumberString.isEmpty() && d->x509) { | - |
300 | ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; | - |
301 | QByteArray hexString; | - |
302 | hexString.reserve(serialNumber->length * 3); | - |
303 | for (int a = 0; a < serialNumber->length; ++a) { | - |
304 | hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0'); | - |
305 | hexString += ':'; | - |
306 | } | - |
307 | hexString.chop(1); | - |
308 | d->serialNumberString = hexString; | - |
309 | } | - |
310 | return d->serialNumberString; | - |
311 | } | - |
312 | | - |
313 | /*! | - |
314 | Returns a cryptographic digest of this certificate. By default, | - |
315 | an MD5 digest will be generated, but you can also specify a | - |
316 | custom \a algorithm. | - |
317 | */ | - |
318 | QByteArray QSslCertificate::digest(QCryptographicHash::Algorithm algorithm) const | - |
319 | { | - |
320 | return QCryptographicHash::hash(toDer(), algorithm); | - |
321 | } | - |
322 | | - |
323 | static QByteArray _q_SubjectInfoToString(QSslCertificate::SubjectInfo info) | - |
324 | { | - |
325 | QByteArray str; | - |
326 | switch (info) { | - |
327 | case QSslCertificate::Organization: str = QByteArray("O"); break; | - |
328 | case QSslCertificate::CommonName: str = QByteArray("CN"); break; | - |
329 | case QSslCertificate::LocalityName: str = QByteArray("L"); break; | - |
330 | case QSslCertificate::OrganizationalUnitName: str = QByteArray("OU"); break; | - |
331 | case QSslCertificate::CountryName: str = QByteArray("C"); break; | - |
332 | case QSslCertificate::StateOrProvinceName: str = QByteArray("ST"); break; | - |
333 | case QSslCertificate::DistinguishedNameQualifier: str = QByteArray("dnQualifier"); break; | - |
334 | case QSslCertificate::SerialNumber: str = QByteArray("serialNumber"); break; | - |
335 | case QSslCertificate::EmailAddress: str = QByteArray("emailAddress"); break; | - |
336 | } | - |
337 | return str; | - |
338 | } | - |
339 | | - |
340 | /*! | - |
341 | \fn QString QSslCertificate::issuerInfo(SubjectInfo subject) const | - |
342 | | - |
343 | Returns the issuer information for the \a subject from the | - |
344 | certificate, or an empty string if there is no information for | - |
345 | \a subject in the certificate. | - |
346 | | - |
347 | \sa subjectInfo() | - |
348 | */ | - |
349 | QStringList QSslCertificate::issuerInfo(SubjectInfo info) const | - |
350 | { | - |
351 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
352 | // lazy init | - |
353 | if (d->issuerInfo.isEmpty() && d->x509) | - |
354 | d->issuerInfo = | - |
355 | _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); | - |
356 | | - |
357 | return d->issuerInfo.values(_q_SubjectInfoToString(info)); | - |
358 | } | - |
359 | | - |
360 | /*! | - |
361 | Returns the issuer information for \a attribute from the certificate, | - |
362 | or an empty string if there is no information for \a attribute in the | - |
363 | certificate. | - |
364 | | - |
365 | \sa subjectInfo() | - |
366 | */ | - |
367 | QStringList QSslCertificate::issuerInfo(const QByteArray &attribute) const | - |
368 | { | - |
369 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
370 | // lazy init | - |
371 | if (d->issuerInfo.isEmpty() && d->x509) | - |
372 | d->issuerInfo = | - |
373 | _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); | - |
374 | | - |
375 | return d->issuerInfo.values(attribute); | - |
376 | } | - |
377 | | - |
378 | /*! | - |
379 | | - |
380 | \fn QString QSslCertificate::subjectInfo(SubjectInfo subject) const | - |
381 | | - |
382 | Returns the information for the \a subject, or an empty string if | - |
383 | there is no information for \a subject in the certificate. | - |
384 | | - |
385 | \sa issuerInfo() | - |
386 | */ | - |
387 | QStringList QSslCertificate::subjectInfo(SubjectInfo info) const | - |
388 | { | - |
389 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
390 | // lazy init | - |
391 | if (d->subjectInfo.isEmpty() && d->x509) | - |
392 | d->subjectInfo = | - |
393 | _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); | - |
394 | | - |
395 | return d->subjectInfo.values(_q_SubjectInfoToString(info)); | - |
396 | } | - |
397 | | - |
398 | /*! | - |
399 | Returns the subject information for \a attribute, or an empty string if | - |
400 | there is no information for \a attribute in the certificate. | - |
401 | | - |
402 | \sa issuerInfo() | - |
403 | */ | - |
404 | QStringList QSslCertificate::subjectInfo(const QByteArray &attribute) const | - |
405 | { | - |
406 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
407 | // lazy init | - |
408 | if (d->subjectInfo.isEmpty() && d->x509) | - |
409 | d->subjectInfo = | - |
410 | _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); | - |
411 | | - |
412 | return d->subjectInfo.values(attribute); | - |
413 | } | - |
414 | | - |
415 | /*! | - |
416 | \since 5.0 | - |
417 | Returns a list of the attributes that have values in the subject | - |
418 | information of this certificate. The information associated | - |
419 | with a given attribute can be accessed using the subjectInfo() | - |
420 | method. Note that this list may include the OIDs for any | - |
421 | elements that are not known by the SSL backend. | - |
422 | | - |
423 | \sa subjectInfo() | - |
424 | */ | - |
425 | QList<QByteArray> QSslCertificate::subjectInfoAttributes() const | - |
426 | { | - |
427 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
428 | // lazy init | - |
429 | if (d->subjectInfo.isEmpty() && d->x509) | - |
430 | d->subjectInfo = | - |
431 | _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); | - |
432 | | - |
433 | return d->subjectInfo.uniqueKeys(); | - |
434 | } | - |
435 | | - |
436 | /*! | - |
437 | \since 5.0 | - |
438 | Returns a list of the attributes that have values in the issuer | - |
439 | information of this certificate. The information associated | - |
440 | with a given attribute can be accessed using the issuerInfo() | - |
441 | method. Note that this list may include the OIDs for any | - |
442 | elements that are not known by the SSL backend. | - |
443 | | - |
444 | \sa subjectInfo() | - |
445 | */ | - |
446 | QList<QByteArray> QSslCertificate::issuerInfoAttributes() const | - |
447 | { | - |
448 | QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); | - |
449 | // lazy init | - |
450 | if (d->issuerInfo.isEmpty() && d->x509) | - |
451 | d->issuerInfo = | - |
452 | _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); | - |
453 | | - |
454 | return d->issuerInfo.uniqueKeys(); | - |
455 | } | - |
456 | | - |
457 | #if QT_DEPRECATED_SINCE(5,0) | - |
458 | /*! | - |
459 | \fn QMultiMap<QSsl::AlternateNameEntryType, QString> QSslCertificate::alternateSubjectNames() const | - |
460 | \obsolete | - |
461 | | - |
462 | Use QSslCertificate::subjectAlternativeNames(); | - |
463 | */ | - |
464 | #endif | - |
465 | | - |
466 | /*! | - |
467 | Returns the list of alternative subject names for this | - |
468 | certificate. The alternative names typically contain host | - |
469 | names, optionally with wildcards, that are valid for this | - |
470 | certificate. | - |
471 | | - |
472 | These names are tested against the connected peer's host name, if | - |
473 | either the subject information for \l CommonName doesn't define a | - |
474 | valid host name, or the subject info name doesn't match the peer's | - |
475 | host name. | - |
476 | | - |
477 | \sa subjectInfo() | - |
478 | */ | - |
479 | QMultiMap<QSsl::AlternativeNameEntryType, QString> QSslCertificate::subjectAlternativeNames() const | - |
480 | { | - |
481 | QMultiMap<QSsl::AlternativeNameEntryType, QString> result; | - |
482 | | - |
483 | if (!d->x509) | - |
484 | return result; | - |
485 | | - |
486 | STACK_OF(GENERAL_NAME) *altNames = (STACK_OF(GENERAL_NAME)*)q_X509_get_ext_d2i(d->x509, NID_subject_alt_name, 0, 0); | - |
487 | | - |
488 | if (altNames) { | - |
489 | for (int i = 0; i < q_sk_GENERAL_NAME_num(altNames); ++i) { | - |
490 | const GENERAL_NAME *genName = q_sk_GENERAL_NAME_value(altNames, i); | - |
491 | if (genName->type != GEN_DNS && genName->type != GEN_EMAIL) | - |
492 | continue; | - |
493 | | - |
494 | int len = q_ASN1_STRING_length(genName->d.ia5); | - |
495 | if (len < 0 || len >= 8192) { | - |
496 | // broken name | - |
497 | continue; | - |
498 | } | - |
499 | | - |
500 | const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(genName->d.ia5)); | - |
501 | const QString altName = QString::fromLatin1(altNameStr, len); | - |
502 | if (genName->type == GEN_DNS) | - |
503 | result.insert(QSsl::DnsEntry, altName); | - |
504 | else if (genName->type == GEN_EMAIL) | - |
505 | result.insert(QSsl::EmailEntry, altName); | - |
506 | } | - |
507 | q_sk_pop_free((STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_sk_free)); | - |
508 | } | - |
509 | | - |
510 | return result; | - |
511 | } | - |
512 | | - |
513 | /*! | - |
514 | Returns the date-time that the certificate becomes valid, or an | - |
515 | empty QDateTime if this is a null certificate. | - |
516 | | - |
517 | \sa expiryDate() | - |
518 | */ | - |
519 | QDateTime QSslCertificate::effectiveDate() const | - |
520 | { | - |
521 | return d->notValidBefore; | - |
522 | } | - |
523 | | - |
524 | /*! | - |
525 | Returns the date-time that the certificate expires, or an empty | - |
526 | QDateTime if this is a null certificate. | - |
527 | | - |
528 | \sa effectiveDate() | - |
529 | */ | - |
530 | QDateTime QSslCertificate::expiryDate() const | - |
531 | { | - |
532 | return d->notValidAfter; | - |
533 | } | - |
534 | | - |
535 | /*! | - |
536 | Returns a pointer to the native certificate handle, if there is | - |
537 | one, or a null pointer otherwise. | - |
538 | | - |
539 | You can use this handle, together with the native API, to access | - |
540 | extended information about the certificate. | - |
541 | | - |
542 | \warning Use of this function has a high probability of being | - |
543 | non-portable, and its return value may vary from platform to | - |
544 | platform or change from minor release to minor release. | - |
545 | */ | - |
546 | Qt::HANDLE QSslCertificate::handle() const | - |
547 | { | - |
548 | return Qt::HANDLE(d->x509); | - |
549 | } | - |
550 | | - |
551 | /*! | - |
552 | Returns the certificate subject's public key. | - |
553 | */ | - |
554 | QSslKey QSslCertificate::publicKey() const | - |
555 | { | - |
556 | if (!d->x509) | - |
557 | return QSslKey(); | - |
558 | | - |
559 | QSslKey key; | - |
560 | | - |
561 | key.d->type = QSsl::PublicKey; | - |
562 | X509_PUBKEY *xkey = d->x509->cert_info->key; | - |
563 | EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); | - |
564 | Q_ASSERT(pkey); | - |
565 | | - |
566 | if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { | - |
567 | key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); | - |
568 | key.d->algorithm = QSsl::Rsa; | - |
569 | key.d->isNull = false; | - |
570 | } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { | - |
571 | key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); | - |
572 | key.d->algorithm = QSsl::Dsa; | - |
573 | key.d->isNull = false; | - |
574 | } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { | - |
575 | // DH unsupported | - |
576 | } else { | - |
577 | // error? | - |
578 | } | - |
579 | | - |
580 | q_EVP_PKEY_free(pkey); | - |
581 | return key; | - |
582 | } | - |
583 | | - |
584 | /* | - |
585 | * Convert unknown extensions to a QVariant. | - |
586 | */ | - |
587 | static QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext) | - |
588 | { | - |
589 | // Get the extension specific method object if available | - |
590 | // we cast away the const-ness here because some versions of openssl | - |
591 | // don't use const for the parameters in the functions pointers stored | - |
592 | // in the object. | - |
593 | X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); | - |
594 | if (!meth) { | - |
595 | ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); | - |
596 | QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_data(value)), | - |
597 | q_ASN1_STRING_length(value)); | - |
598 | return result; | - |
599 | } | - |
600 | | - |
601 | //const unsigned char *data = ext->value->data; | - |
602 | void *ext_internal = q_X509V3_EXT_d2i(ext); | - |
603 | | - |
604 | // If this extension can be converted | - |
605 | if (meth->i2v && ext_internal) { | - |
606 | STACK_OF(CONF_VALUE) *val = meth->i2v(meth, ext_internal, 0); | - |
607 | | - |
608 | QVariantMap map; | - |
609 | QVariantList list; | - |
610 | bool isMap = false; | - |
611 | | - |
612 | for (int j = 0; j < q_SKM_sk_num(CONF_VALUE, val); j++) { | - |
613 | CONF_VALUE *nval = q_SKM_sk_value(CONF_VALUE, val, j); | - |
614 | if (nval->name && nval->value) { | - |
615 | isMap = true; | - |
616 | map[QString::fromUtf8(nval->name)] = QString::fromUtf8(nval->value); | - |
617 | } else if (nval->name) { | - |
618 | list << QString::fromUtf8(nval->name); | - |
619 | } else if (nval->value) { | - |
620 | list << QString::fromUtf8(nval->value); | - |
621 | } | - |
622 | } | - |
623 | | - |
624 | if (isMap) | - |
625 | return map; | - |
626 | else | - |
627 | return list; | - |
628 | } else if (meth->i2s && ext_internal) { | - |
629 | //qDebug() << meth->i2s(meth, ext_internal); | - |
630 | QVariant result(QString::fromUtf8(meth->i2s(meth, ext_internal))); | - |
631 | return result; | - |
632 | } else if (meth->i2r && ext_internal) { | - |
633 | QByteArray result; | - |
634 | | - |
635 | BIO *bio = q_BIO_new(q_BIO_s_mem()); | - |
636 | if (!bio) | - |
637 | return result; | - |
638 | | - |
639 | meth->i2r(meth, ext_internal, bio, 0); | - |
640 | | - |
641 | char *bio_buffer; | - |
642 | long bio_size = q_BIO_get_mem_data(bio, &bio_buffer); | - |
643 | result = QByteArray(bio_buffer, bio_size); | - |
644 | | - |
645 | q_BIO_free(bio); | - |
646 | return result; | - |
647 | } | - |
648 | | - |
649 | return QVariant(); | - |
650 | } | - |
651 | | - |
652 | /* | - |
653 | * Convert extensions to a variant. The naming of the keys of the map are | - |
654 | * taken from RFC 5280, however we decided the capitalisation in the RFC | - |
655 | * was too silly for the real world. | - |
656 | */ | - |
657 | static QVariant x509ExtensionToValue(X509_EXTENSION *ext) | - |
658 | { | - |
659 | ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext); | - |
660 | int nid = q_OBJ_obj2nid(obj); | - |
661 | | - |
662 | switch (nid) { | - |
663 | case NID_basic_constraints: | - |
664 | { | - |
665 | BASIC_CONSTRAINTS *basic = reinterpret_cast<BASIC_CONSTRAINTS *>(q_X509V3_EXT_d2i(ext)); | - |
666 | | - |
667 | QVariantMap result; | - |
668 | result[QLatin1String("ca")] = basic->ca ? true : false; | - |
669 | if (basic->pathlen) | - |
670 | result[QLatin1String("pathLenConstraint")] = (qlonglong)q_ASN1_INTEGER_get(basic->pathlen); | - |
671 | | - |
672 | q_BASIC_CONSTRAINTS_free(basic); | - |
673 | return result; | - |
674 | } | - |
675 | break; | - |
676 | case NID_info_access: | - |
677 | { | - |
678 | AUTHORITY_INFO_ACCESS *info = reinterpret_cast<AUTHORITY_INFO_ACCESS *>(q_X509V3_EXT_d2i(ext)); | - |
679 | | - |
680 | QVariantMap result; | - |
681 | for (int i=0; i < q_SKM_sk_num(ACCESS_DESCRIPTION, info); i++) { | - |
682 | ACCESS_DESCRIPTION *ad = q_SKM_sk_value(ACCESS_DESCRIPTION, info, i); | - |
683 | | - |
684 | GENERAL_NAME *name = ad->location; | - |
685 | if (name->type == GEN_URI) { | - |
686 | int len = q_ASN1_STRING_length(name->d.uniformResourceIdentifier); | - |
687 | if (len < 0 || len >= 8192) { | - |
688 | // broken name | - |
689 | continue; | - |
690 | } | - |
691 | | - |
692 | const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(name->d.uniformResourceIdentifier)); | - |
693 | const QString uri = QString::fromUtf8(uriStr, len); | - |
694 | | - |
695 | result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; | - |
696 | } else { | - |
697 | qWarning() << "Strange location type" << name->type; | - |
698 | } | - |
699 | } | - |
700 | | - |
701 | #if OPENSSL_VERSION_NUMBER >= 0x10000000L | - |
702 | q_sk_pop_free((_STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); | - |
703 | #else | - |
704 | q_sk_pop_free((STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); | - |
705 | #endif | - |
706 | return result; | - |
707 | } | - |
708 | break; | - |
709 | case NID_subject_key_identifier: | - |
710 | { | - |
711 | void *ext_internal = q_X509V3_EXT_d2i(ext); | - |
712 | | - |
713 | // we cast away the const-ness here because some versions of openssl | - |
714 | // don't use const for the parameters in the functions pointers stored | - |
715 | // in the object. | - |
716 | X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); | - |
717 | | - |
718 | return QVariant(QString::fromUtf8(meth->i2s(meth, ext_internal))); | - |
719 | } | - |
720 | break; | - |
721 | case NID_authority_key_identifier: | - |
722 | { | - |
723 | AUTHORITY_KEYID *auth_key = reinterpret_cast<AUTHORITY_KEYID *>(q_X509V3_EXT_d2i(ext)); | - |
724 | | - |
725 | QVariantMap result; | - |
726 | | - |
727 | // keyid | - |
728 | if (auth_key->keyid) { | - |
729 | QByteArray keyid(reinterpret_cast<const char *>(auth_key->keyid->data), | - |
730 | auth_key->keyid->length); | - |
731 | result[QLatin1String("keyid")] = keyid.toHex(); | - |
732 | } | - |
733 | | - |
734 | // issuer | - |
735 | // TODO: GENERAL_NAMES | - |
736 | | - |
737 | // serial | - |
738 | if (auth_key->serial) | - |
739 | result[QLatin1String("serial")] = (qlonglong)q_ASN1_INTEGER_get(auth_key->serial); | - |
740 | | - |
741 | q_AUTHORITY_KEYID_free(auth_key); | - |
742 | return result; | - |
743 | } | - |
744 | break; | - |
745 | } | - |
746 | | - |
747 | return QVariant(); | - |
748 | } | - |
749 | | - |
750 | QSslCertificateExtension QSslCertificatePrivate::convertExtension(X509_EXTENSION *ext) | - |
751 | { | - |
752 | QSslCertificateExtension result; | - |
753 | | - |
754 | ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext); | - |
755 | QByteArray oid = QSslCertificatePrivate::asn1ObjectId(obj); | - |
756 | QByteArray name = QSslCertificatePrivate::asn1ObjectName(obj); | - |
757 | | - |
758 | result.d->oid = QString::fromUtf8(oid); | - |
759 | result.d->name = QString::fromUtf8(name); | - |
760 | | - |
761 | bool critical = q_X509_EXTENSION_get_critical(ext); | - |
762 | result.d->critical = critical; | - |
763 | | - |
764 | // Lets see if we have custom support for this one | - |
765 | QVariant extensionValue = x509ExtensionToValue(ext); | - |
766 | if (extensionValue.isValid()) { | - |
767 | result.d->value = extensionValue; | - |
768 | result.d->supported = true; | - |
769 | | - |
770 | return result; | - |
771 | } | - |
772 | | - |
773 | extensionValue = x509UnknownExtensionToValue(ext); | - |
774 | if (extensionValue.isValid()) { | - |
775 | result.d->value = extensionValue; | - |
776 | result.d->supported = false; | - |
777 | return result; | - |
778 | } | - |
779 | | - |
780 | return result; | - |
781 | } | - |
782 | | - |
783 | /*! | - |
784 | Returns a list containing the X509 extensions of this certificate. | - |
785 | \since 5.0 | - |
786 | */ | - |
787 | QList<QSslCertificateExtension> QSslCertificate::extensions() const | - |
788 | { | - |
789 | QList<QSslCertificateExtension> result; | - |
790 | | - |
791 | if (!d->x509) | - |
792 | return result; | - |
793 | | - |
794 | int count = q_X509_get_ext_count(d->x509); | - |
795 | | - |
796 | for (int i=0; i < count; i++) { | - |
797 | X509_EXTENSION *ext = q_X509_get_ext(d->x509, i); | - |
798 | result << QSslCertificatePrivate::convertExtension(ext); | - |
799 | } | - |
800 | | - |
801 | return result; | - |
802 | } | - |
803 | | - |
804 | /*! | - |
805 | Returns this certificate converted to a PEM (Base64) encoded | - |
806 | representation. | - |
807 | */ | - |
808 | QByteArray QSslCertificate::toPem() const | - |
809 | { | - |
810 | if (!d->x509) | - |
811 | return QByteArray(); | - |
812 | return d->QByteArray_from_X509(d->x509, QSsl::Pem); | - |
813 | } | - |
814 | | - |
815 | /*! | - |
816 | Returns this certificate converted to a DER (binary) encoded | - |
817 | representation. | - |
818 | */ | - |
819 | QByteArray QSslCertificate::toDer() const | - |
820 | { | - |
821 | if (!d->x509) | - |
822 | return QByteArray(); | - |
823 | return d->QByteArray_from_X509(d->x509, QSsl::Der); | - |
824 | } | - |
825 | | - |
826 | /*! | - |
827 | Returns this certificate converted to a human-readable text | - |
828 | representation. | - |
829 | | - |
830 | \since 5.0 | - |
831 | */ | - |
832 | QString QSslCertificate::toText() const | - |
833 | { | - |
834 | if (!d->x509) | - |
835 | return QString(); | - |
836 | return d->text_from_X509(d->x509); | - |
837 | } | - |
838 | | - |
839 | /*! | - |
840 | Searches all files in the \a path for certificates encoded in the | - |
841 | specified \a format and returns them in a list. \e must be a file or a | - |
842 | pattern matching one or more files, as specified by \a syntax. | - |
843 | | - |
844 | Example: | - |
845 | | - |
846 | \snippet code/src_network_ssl_qsslcertificate.cpp 0 | - |
847 | | - |
848 | \sa fromData() | - |
849 | */ | - |
850 | QList<QSslCertificate> QSslCertificate::fromPath(const QString &path, | - |
851 | QSsl::EncodingFormat format, | - |
852 | QRegExp::PatternSyntax syntax) | - |
853 | { | - |
854 | // $, (,), *, +, ., ?, [, ,], ^, {, | and }. | - |
855 | | - |
856 | // make sure to use the same path separators on Windows and Unix like systems. | - |
857 | QString sourcePath = QDir::fromNativeSeparators(path); executed (the execution status of this line is deduced): QString sourcePath = QDir::fromNativeSeparators(path); | - |
858 | | - |
859 | // Find the path without the filename | - |
860 | QString pathPrefix = sourcePath.left(sourcePath.lastIndexOf(QLatin1Char('/'))); executed (the execution status of this line is deduced): QString pathPrefix = sourcePath.left(sourcePath.lastIndexOf(QLatin1Char('/'))); | - |
861 | | - |
862 | // Check if the path contains any special chars | - |
863 | int pos = -1; executed (the execution status of this line is deduced): int pos = -1; | - |
864 | if (syntax == QRegExp::Wildcard) evaluated: syntax == QRegExp::Wildcard yes Evaluation Count:22 | yes Evaluation Count:242 |
| 22-242 |
865 | pos = pathPrefix.indexOf(QRegExp(QLatin1String("[*?[]"))); executed: pos = pathPrefix.indexOf(QRegExp(QLatin1String("[*?[]"))); Execution Count:22 | 22 |
866 | else if (syntax != QRegExp::FixedString) evaluated: syntax != QRegExp::FixedString yes Evaluation Count:16 | yes Evaluation Count:226 |
| 16-226 |
867 | pos = sourcePath.indexOf(QRegExp(QLatin1String("[\\$\\(\\)\\*\\+\\.\\?\\[\\]\\^\\{\\}\\|]"))); executed: pos = sourcePath.indexOf(QRegExp(QLatin1String("[\\$\\(\\)\\*\\+\\.\\?\\[\\]\\^\\{\\}\\|]"))); Execution Count:16 | 16 |
868 | if (pos != -1) { evaluated: pos != -1 yes Evaluation Count:20 | yes Evaluation Count:244 |
| 20-244 |
869 | // there was a special char in the path so cut of the part containing that char. | - |
870 | pathPrefix = pathPrefix.left(pos); executed (the execution status of this line is deduced): pathPrefix = pathPrefix.left(pos); | - |
871 | if (pathPrefix.contains(QLatin1Char('/'))) partially evaluated: pathPrefix.contains(QLatin1Char('/')) no Evaluation Count:0 | yes Evaluation Count:20 |
| 0-20 |
872 | pathPrefix = pathPrefix.left(pathPrefix.lastIndexOf(QLatin1Char('/'))); never executed: pathPrefix = pathPrefix.left(pathPrefix.lastIndexOf(QLatin1Char('/'))); | 0 |
873 | else | - |
874 | pathPrefix.clear(); executed: pathPrefix.clear(); Execution Count:20 | 20 |
875 | } else { | - |
876 | // Check if the path is a file. | - |
877 | if (QFileInfo(sourcePath).isFile()) { evaluated: QFileInfo(sourcePath).isFile() yes Evaluation Count:212 | yes Evaluation Count:32 |
| 32-212 |
878 | QFile file(sourcePath); executed (the execution status of this line is deduced): QFile file(sourcePath); | - |
879 | if (file.open(QIODevice::OpenMode openMode = QIODevice::ReadOnly; executed (the execution status of this line is deduced): QIODevice::OpenMode openMode = QIODevice::ReadOnly; | - |
880 | if (format == QSsl::Pem) evaluated: format == QSsl::Pem yes Evaluation Count:210 | yes Evaluation Count:2 |
| 2-210 |
881 | openMode |= QIODevice::Text; executed: openMode |= QIODevice::Text; Execution Count:210 | 210 |
882 | if (file.open(openMode)) partially evaluated: file.open(openMode) yes Evaluation Count:212 | no Evaluation Count:0 |
| 0-212 |
883 | return QSslCertificate::fromData(file.readAll(), format); executed: return QSslCertificate::fromData(file.readAll(), format); Execution Count:212 | 212 |
884 | return QList<QSslCertificate>(); never executed: return QList<QSslCertificate>(); | 0 |
885 | } | - |
886 | } executed: } Execution Count:32 | 32 |
887 | | - |
888 | // Special case - if the prefix ends up being nothing, use "." instead. | - |
889 | int startIndex = 0; executed (the execution status of this line is deduced): int startIndex = 0; | - |
890 | if (pathPrefix.isEmpty()) { evaluated: pathPrefix.isEmpty() yes Evaluation Count:26 | yes Evaluation Count:26 |
| 26 |
891 | pathPrefix = QLatin1String("."); executed (the execution status of this line is deduced): pathPrefix = QLatin1String("."); | - |
892 | startIndex = 2; executed (the execution status of this line is deduced): startIndex = 2; | - |
893 | } executed: } Execution Count:26 | 26 |
894 | | - |
895 | // The path can be a file or directory. | - |
896 | QList<QSslCertificate> certs; executed (the execution status of this line is deduced): QList<QSslCertificate> certs; | - |
897 | QRegExp pattern(sourcePath, Qt::CaseSensitive, syntax); executed (the execution status of this line is deduced): QRegExp pattern(sourcePath, Qt::CaseSensitive, syntax); | - |
898 | QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks | QDirIterator::Subdirectories); executed (the execution status of this line is deduced): QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks | QDirIterator::Subdirectories); | - |
899 | while (it.hasNext()) { evaluated: it.hasNext() yes Evaluation Count:1928 | yes Evaluation Count:52 |
| 52-1928 |
900 | QString filePath = startIndex == 0 ? it.next() : it.next().mid(startIndex); evaluated: startIndex == 0 yes Evaluation Count:342 | yes Evaluation Count:1586 |
| 342-1586 |
901 | if (!pattern.exactMatch(filePath)) evaluated: !pattern.exactMatch(filePath) yes Evaluation Count:1818 | yes Evaluation Count:110 |
| 110-1818 |
902 | continue; executed: continue; Execution Count:1818 | 1818 |
903 | | - |
904 | QFile file(filePath); executed (the execution status of this line is deduced): QFile file(filePath); | - |
905 | if (file.open(QIODevice::OpenMode openMode = QIODevice::ReadOnly; executed (the execution status of this line is deduced): QIODevice::OpenMode openMode = QIODevice::ReadOnly; | - |
906 | if (format == QSsl::Pem) evaluated: format == QSsl::Pem yes Evaluation Count:78 | yes Evaluation Count:32 |
| 32-78 |
907 | openMode |= QIODevice::Text; executed: openMode |= QIODevice::Text; Execution Count:78 | 78 |
908 | if (file.open(openMode)) partially evaluated: file.open(openMode) yes Evaluation Count:110 | no Evaluation Count:0 |
| 0-110 |
909 | certs += QSslCertificate::fromData(file.readAll(), format); executed: certs += QSslCertificate::fromData(file.readAll(), format); Execution Count:110 | 110 |
910 | } executed: } Execution Count:110 | 110 |
911 | return certs; executed: return certs; Execution Count:52 | 52 |
912 | } | - |
913 | | - |
914 | /*! | - |
915 | Searches for and parses all certificates in \a device that are | - |
916 | encoded in the specified \a format and returns them in a list of | - |
917 | certificates. | - |
918 | | - |
919 | \sa fromData() | - |
920 | */ | - |
921 | QList<QSslCertificate> QSslCertificate::fromDevice(QIODevice *device, QSsl::EncodingFormat format) | - |
922 | { | - |
923 | if (!device) { | - |
924 | qWarning("QSslCertificate::fromDevice: cannot read from a null device"); | - |
925 | return QList<QSslCertificate>(); | - |
926 | } | - |
927 | return fromData(device->readAll(), format); | - |
928 | } | - |
929 | | - |
930 | /*! | - |
931 | Searches for and parses all certificates in \a data that are | - |
932 | encoded in the specified \a format and returns them in a list of | - |
933 | certificates. | - |
934 | | - |
935 | \sa fromDevice() | - |
936 | */ | - |
937 | QList<QSslCertificate> QSslCertificate::fromData(const QByteArray &data, QSsl::EncodingFormat format) | - |
938 | { | - |
939 | return (format == QSsl::Pem) | - |
940 | ? QSslCertificatePrivate::certificatesFromPem(data) | - |
941 | : QSslCertificatePrivate::certificatesFromDer(data); | - |
942 | } | - |
943 | | - |
944 | /*! | - |
945 | Verifies a certificate chain. The chain to be verified is passed in the | - |
946 | \a certificateChain parameter. The first certificate in the list should | - |
947 | be the leaf certificate of the chain to be verified. If \a hostName is | - |
948 | specified then the certificate is also checked to see if it is valid for | - |
949 | the specified host name. | - |
950 | | - |
951 | Note that the root (CA) certificate should not be included in the list to be verified, | - |
952 | this will be looked up automatically either using the CA list specified by | - |
953 | QSslSocket::defaultCaCertificates() or, if possible, it will be loaded on demand | - |
954 | on Unix. | - |
955 | | - |
956 | \since 5.0 | - |
957 | */ | - |
958 | QList<QSslError> QSslCertificate::verify(QList<QSslCertificate> certificateChain, const QString &hostName) | - |
959 | { | - |
960 | return QSslSocketBackendPrivate::verify(certificateChain, hostName); | - |
961 | } | - |
962 | | - |
963 | void QSslCertificatePrivate::init(const QByteArray &data, QSsl::EncodingFormat format) | - |
964 | { | - |
965 | if (!data.isEmpty()) { | - |
966 | QList<QSslCertificate> certs = (format == QSsl::Pem) | - |
967 | ? certificatesFromPem(data, 1) | - |
968 | : certificatesFromDer(data, 1); | - |
969 | if (!certs.isEmpty()) { | - |
970 | *this = *certs.first().d; | - |
971 | if (x509) | - |
972 | x509 = q_X509_dup(x509); | - |
973 | } | - |
974 | } | - |
975 | } | - |
976 | | - |
977 | #define BEGINCERTSTRING "-----BEGIN CERTIFICATE-----" | - |
978 | #define ENDCERTSTRING "-----END CERTIFICATE-----" | - |
979 | | - |
980 | // ### refactor against QSsl::pemFromDer() etc. (to avoid redundant implementations) | - |
981 | QByteArray QSslCertificatePrivate::QByteArray_from_X509(X509 *x509, QSsl::EncodingFormat format) | - |
982 | { | - |
983 | if (!x509) { | - |
984 | qWarning("QSslSocketBackendPrivate::X509_to_QByteArray: null X509"); | - |
985 | return QByteArray(); | - |
986 | } | - |
987 | | - |
988 | // Use i2d_X509 to convert the X509 to an array. | - |
989 | int length = q_i2d_X509(x509, 0); | - |
990 | QByteArray array; | - |
991 | array.resize(length); | - |
992 | char *data = array.data(); | - |
993 | char **dataP = &data; | - |
994 | unsigned char **dataPu = (unsigned char **)dataP; | - |
995 | if (q_i2d_X509(x509, dataPu) < 0) | - |
996 | return QByteArray(); | - |
997 | | - |
998 | if (format == QSsl::Der) | - |
999 | return array; | - |
1000 | | - |
1001 | // Convert to Base64 - wrap at 64 characters. | - |
1002 | array = array.toBase64(); | - |
1003 | QByteArray tmp; | - |
1004 | for (int i = 0; i <= array.size() - 64; i += 64) { | - |
1005 | tmp += QByteArray::fromRawData(array.data() + i, 64); | - |
1006 | tmp += '\n'; | - |
1007 | } | - |
1008 | if (int remainder = array.size() % 64) { | - |
1009 | tmp += QByteArray::fromRawData(array.data() + array.size() - remainder, remainder); | - |
1010 | tmp += '\n'; | - |
1011 | } | - |
1012 | | - |
1013 | return BEGINCERTSTRING "\n" + tmp + ENDCERTSTRING "\n"; | - |
1014 | } | - |
1015 | | - |
1016 | QString QSslCertificatePrivate::text_from_X509(X509 *x509) | - |
1017 | { | - |
1018 | if (!x509) { | - |
1019 | qWarning("QSslSocketBackendPrivate::text_from_X509: null X509"); | - |
1020 | return QString(); | - |
1021 | } | - |
1022 | | - |
1023 | QByteArray result; | - |
1024 | BIO *bio = q_BIO_new(q_BIO_s_mem()); | - |
1025 | if (!bio) | - |
1026 | return QString(); | - |
1027 | | - |
1028 | q_X509_print(bio, x509); | - |
1029 | | - |
1030 | QVarLengthArray<char, 16384> data; | - |
1031 | int count = q_BIO_read(bio, data.data(), 16384); | - |
1032 | if ( count > 0 ) { | - |
1033 | result = QByteArray( data.data(), count ); | - |
1034 | } | - |
1035 | | - |
1036 | q_BIO_free(bio); | - |
1037 | | - |
1038 | return QString::fromLatin1(result); | - |
1039 | } | - |
1040 | | - |
1041 | QByteArray QSslCertificatePrivate::asn1ObjectId(ASN1_OBJECT *object) | - |
1042 | { | - |
1043 | char buf[80]; // The openssl docs a buffer length of 80 should be more than enough | - |
1044 | q_OBJ_obj2txt(buf, sizeof(buf), object, 1); // the 1 says always use the oid not the long name | - |
1045 | | - |
1046 | return QByteArray(buf); | - |
1047 | } | - |
1048 | | - |
1049 | | - |
1050 | QByteArray QSslCertificatePrivate::asn1ObjectName(ASN1_OBJECT *object) | - |
1051 | { | - |
1052 | int nid = q_OBJ_obj2nid(object); | - |
1053 | if (nid != NID_undef) | - |
1054 | return QByteArray(q_OBJ_nid2sn(nid)); | - |
1055 | | - |
1056 | return asn1ObjectId(object); | - |
1057 | } | - |
1058 | | - |
1059 | static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name) | - |
1060 | { | - |
1061 | QMap<QByteArray, QString> info; | - |
1062 | for (int i = 0; i < q_X509_NAME_entry_count(name); ++i) { | - |
1063 | X509_NAME_ENTRY *e = q_X509_NAME_get_entry(name, i); | - |
1064 | | - |
1065 | QByteArray name = QSslCertificatePrivate::asn1ObjectName(q_X509_NAME_ENTRY_get_object(e)); | - |
1066 | unsigned char *data = 0; | - |
1067 | int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); | - |
1068 | info.insertMulti(name, QString::fromUtf8((char*)data, size)); | - |
1069 | q_CRYPTO_free(data); | - |
1070 | } | - |
1071 | | - |
1072 | return info; | - |
1073 | } | - |
1074 | | - |
1075 | QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) | - |
1076 | { | - |
1077 | QSslCertificate certificate; | - |
1078 | if (!x509 || !QSslSocket::supportsSsl()) | - |
1079 | return certificate; | - |
1080 | | - |
1081 | ASN1_TIME *nbef = q_X509_get_notBefore(x509); | - |
1082 | ASN1_TIME *naft = q_X509_get_notAfter(x509); | - |
1083 | certificate.d->notValidBefore = q_getTimeFromASN1(nbef); | - |
1084 | certificate.d->notValidAfter = q_getTimeFromASN1(naft); | - |
1085 | certificate.d->null = false; | - |
1086 | certificate.d->x509 = q_X509_dup(x509); | - |
1087 | | - |
1088 | return certificate; | - |
1089 | } | - |
1090 | | - |
1091 | static bool matchLineFeed(const QByteArray &pem, int *offset) | - |
1092 | { | - |
1093 | char ch = 0; | - |
1094 | | - |
1095 | // ignore extra whitespace at the end of the line | - |
1096 | while (*offset < pem.size() && (ch = pem.at(*offset)) == ' ') | - |
1097 | ++*offset; | - |
1098 | | - |
1099 | if (ch == '\n') { | - |
1100 | *offset += 1; | - |
1101 | return true; | - |
1102 | } | - |
1103 | if (ch == '\r' && pem.size() > (*offset + 1) && pem.at(*offset + 1) == '\n') { | - |
1104 | *offset += 2; | - |
1105 | return true; | - |
1106 | } | - |
1107 | return false; | - |
1108 | } | - |
1109 | | - |
1110 | QList<QSslCertificate> QSslCertificatePrivate::certificatesFromPem(const QByteArray &pem, int count) | - |
1111 | { | - |
1112 | QList<QSslCertificate> certificates; | - |
1113 | QSslSocketPrivate::ensureInitialized(); | - |
1114 | | - |
1115 | int offset = 0; | - |
1116 | while (count == -1 || certificates.size() < count) { | - |
1117 | int startPos = pem.indexOf(BEGINCERTSTRING, offset); | - |
1118 | if (startPos == -1) | - |
1119 | break; | - |
1120 | startPos += sizeof(BEGINCERTSTRING) - 1; | - |
1121 | if (!matchLineFeed(pem, &startPos)) | - |
1122 | break; | - |
1123 | | - |
1124 | int endPos = pem.indexOf(ENDCERTSTRING, startPos); | - |
1125 | if (endPos == -1) | - |
1126 | break; | - |
1127 | | - |
1128 | offset = endPos + sizeof(ENDCERTSTRING) - 1; | - |
1129 | if (offset < pem.size() && !matchLineFeed(pem, &offset)) | - |
1130 | break; | - |
1131 | | - |
1132 | QByteArray decoded = QByteArray::fromBase64( | - |
1133 | QByteArray::fromRawData(pem.data() + startPos, endPos - startPos)); | - |
1134 | #if OPENSSL_VERSION_NUMBER >= 0x00908000L | - |
1135 | const unsigned char *data = (const unsigned char *)decoded.data(); | - |
1136 | #else | - |
1137 | unsigned char *data = (unsigned char *)decoded.data(); | - |
1138 | #endif | - |
1139 | | - |
1140 | if (X509 *x509 = q_d2i_X509(0, &data, decoded.size())) { | - |
1141 | certificates << QSslCertificate_from_X509(x509); | - |
1142 | q_X509_free(x509); | - |
1143 | } | - |
1144 | } | - |
1145 | | - |
1146 | return certificates; | - |
1147 | } | - |
1148 | | - |
1149 | QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteArray &der, int count) | - |
1150 | { | - |
1151 | QList<QSslCertificate> certificates; | - |
1152 | QSslSocketPrivate::ensureInitialized(); | - |
1153 | | - |
1154 | | - |
1155 | #if OPENSSL_VERSION_NUMBER >= 0x00908000L | - |
1156 | const unsigned char *data = (const unsigned char *)der.data(); | - |
1157 | #else | - |
1158 | unsigned char *data = (unsigned char *)der.data(); | - |
1159 | #endif | - |
1160 | int size = der.size(); | - |
1161 | | - |
1162 | while (count == -1 || certificates.size() < count) { | - |
1163 | if (X509 *x509 = q_d2i_X509(0, &data, size)) { | - |
1164 | certificates << QSslCertificate_from_X509(x509); | - |
1165 | q_X509_free(x509); | - |
1166 | } else { | - |
1167 | break; | - |
1168 | } | - |
1169 | size -= ((char *)data - der.data()); | - |
1170 | } | - |
1171 | | - |
1172 | return certificates; | - |
1173 | } | - |
1174 | | - |
1175 | // These certificates are known to be fraudulent and were created during the comodo | - |
1176 | // compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html | - |
1177 | static const char *certificate_blacklist[] = { | - |
1178 | "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e", "mail.google.com", // Comodo | - |
1179 | "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06", "www.google.com", // Comodo | - |
1180 | "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3", "login.yahoo.com", // Comodo | - |
1181 | "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29", "login.yahoo.com", // Comodo | - |
1182 | "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71", "login.yahoo.com", // Comodo | - |
1183 | "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47", "login.skype.com", // Comodo | - |
1184 | "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43", "addons.mozilla.org", // Comodo | - |
1185 | "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0", "login.live.com", // Comodo | - |
1186 | "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0", "global trustee", // Comodo | - |
1187 | | - |
1188 | "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56", "*.google.com", // leaf certificate issued by DigiNotar | - |
1189 | "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c", "DigiNotar Root CA", // DigiNotar root | - |
1190 | "f1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49", "DigiNotar Services CA", // DigiNotar intermediate signed by DigiNotar Root | - |
1191 | "36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38", "DigiNotar Services 1024 CA", // DigiNotar intermediate signed by DigiNotar Root | - |
1192 | "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e", "DigiNotar Root CA G2", // other DigiNotar Root CA | - |
1193 | "a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21", "CertiID Enterprise Certificate Authority", // DigiNotar intermediate signed by "DigiNotar Root CA G2" | - |
1194 | "5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41", "DigiNotar Qualified CA", // DigiNotar intermediate signed by DigiNotar Root | - |
1195 | | - |
1196 | "46:9c:2c:b0", "DigiNotar Services 1024 CA", // DigiNotar intermediate cross-signed by Entrust | - |
1197 | "07:27:10:0d", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust | - |
1198 | "07:27:0f:f9", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust | - |
1199 | "07:27:10:03", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust | - |
1200 | "01:31:69:b0", "DigiNotar PKIoverheid CA Overheid en Bedrijven", // DigiNotar intermediate cross-signed by the Dutch government | - |
1201 | "01:31:34:bf", "DigiNotar PKIoverheid CA Organisatie - G2", // DigiNotar intermediate cross-signed by the Dutch government | - |
1202 | "d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4", "DigiNotar Extended Validation CA", // DigiNotar intermediate signed by DigiNotar EV Root | - |
1203 | "1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04", "DigiNotar Public CA 2025", // DigiNotar intermediate | - |
1204 | // "(has not been seen in the wild so far)", "DigiNotar Public CA - G2", // DigiNotar intermediate | - |
1205 | // "(has not been seen in the wild so far)", "Koninklijke Notariele Beroepsorganisatie CA", // compromised during DigiNotar breach | - |
1206 | // "(has not been seen in the wild so far)", "Stichting TTP Infos CA," // compromised during DigiNotar breach | - |
1207 | "46:9c:2c:af", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust | - |
1208 | "46:9c:3c:c9", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust | - |
1209 | | - |
1210 | "07:27:14:a9", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust | - |
1211 | "4c:0e:63:6a", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust | - |
1212 | "72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate | - |
1213 | "41", "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/ | - |
1214 | | - |
1215 | "08:27", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate | - |
1216 | "08:64", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate | - |
1217 | 0 | - |
1218 | }; | - |
1219 | | - |
1220 | bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate) | - |
1221 | { | - |
1222 | for (int a = 0; certificate_blacklist[a] != 0; a++) { | - |
1223 | QString blacklistedCommonName = QString::fromUtf8(certificate_blacklist[(a+1)]); | - |
1224 | if (certificate.serialNumber() == certificate_blacklist[a++] && | - |
1225 | (certificate.subjectInfo(QSslCertificate::CommonName).contains(blacklistedCommonName) || | - |
1226 | certificate.issuerInfo(QSslCertificate::CommonName).contains(blacklistedCommonName))) | - |
1227 | return true; | - |
1228 | } | - |
1229 | return false; | - |
1230 | } | - |
1231 | | - |
1232 | #ifndef QT_NO_DEBUG_STREAM | - |
1233 | QDebug operator<<(QDebug debug, const QSslCertificate &certificate) | - |
1234 | { | - |
1235 | debug << "QSslCertificate(" | - |
1236 | << certificate.version() | - |
1237 | << ',' << certificate.serialNumber() | - |
1238 | << ',' << certificate.digest().toBase64() | - |
1239 | << ',' << certificate.issuerInfo(QSslCertificate::Organization) | - |
1240 | << ',' << certificate.subjectInfo(QSslCertificate::Organization) | - |
1241 | << ',' << certificate.subjectAlternativeNames() | - |
1242 | #ifndef QT_NO_DATESTRING | - |
1243 | << ',' << certificate.effectiveDate() | - |
1244 | << ',' << certificate.expiryDate() | - |
1245 | #endif | - |
1246 | << ')'; | - |
1247 | return debug; | - |
1248 | } | - |
1249 | QDebug operator<<(QDebug debug, QSslCertificate::SubjectInfo info) | - |
1250 | { | - |
1251 | switch (info) { | - |
1252 | case QSslCertificate::Organization: debug << "Organization"; break; | - |
1253 | case QSslCertificate::CommonName: debug << "CommonName"; break; | - |
1254 | case QSslCertificate::CountryName: debug << "CountryName"; break; | - |
1255 | case QSslCertificate::LocalityName: debug << "LocalityName"; break; | - |
1256 | case QSslCertificate::OrganizationalUnitName: debug << "OrganizationalUnitName"; break; | - |
1257 | case QSslCertificate::StateOrProvinceName: debug << "StateOrProvinceName"; break; | - |
1258 | case QSslCertificate::DistinguishedNameQualifier: debug << "DistinguishedNameQualifier"; break; | - |
1259 | case QSslCertificate::SerialNumber: debug << "SerialNumber"; break; | - |
1260 | case QSslCertificate::EmailAddress: debug << "EmailAddress"; break; | - |
1261 | } | - |
1262 | return debug; | - |
1263 | } | - |
1264 | #endif | - |
1265 | | - |
1266 | QT_END_NAMESPACE | - |
1267 | | - |
| | |