ssl/qsslcertificate.cpp

Source codeSwitch to Preprocessed file
LineSource CodeCoverage
1/****************************************************************************-
**
** Copyright (C) 2012 Digia Plc and/or its subsidiary(-ies).
** Contact: http://www.qt-project.org/legal
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and Digia. For licensing terms and
** conditions see http://qt.digia.com/licensing. For further information
** use the contact form at http://qt.digia.com/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 2.1 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 2.1 requirements
** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
**
** In addition, as a special exception, Digia gives you certain additional
** rights. These rights are described in the Digia Qt LGPL Exception
** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3.0 as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU General Public License version 3.0 requirements will be
** met: http://www.gnu.org/copyleft/gpl.html.
**
**
** $QT_END_LICENSE$
**
****************************************************************************/****************************************************************************
2** -
3** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). -
4** Contact: http://www.qt-project.org/legal -
5** -
6** This file is part of the QtNetwork module of the Qt Toolkit. -
7** -
8** $QT_BEGIN_LICENSE:LGPL$ -
9** Commercial License Usage -
10** Licensees holding valid commercial Qt licenses may use this file in -
11** accordance with the commercial license agreement provided with the -
12** Software or, alternatively, in accordance with the terms contained in -
13** a written agreement between you and Digia. For licensing terms and -
14** conditions see http://qt.digia.com/licensing. For further information -
15** use the contact form at http://qt.digia.com/contact-us. -
16** -
17** GNU Lesser General Public License Usage -
18** Alternatively, this file may be used under the terms of the GNU Lesser -
19** General Public License version 2.1 as published by the Free Software -
20** Foundation and appearing in the file LICENSE.LGPL included in the -
21** packaging of this file. Please review the following information to -
22** ensure the GNU Lesser General Public License version 2.1 requirements -
23** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. -
24** -
25** In addition, as a special exception, Digia gives you certain additional -
26** rights. These rights are described in the Digia Qt LGPL Exception -
27** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. -
28** -
29** GNU General Public License Usage -
30** Alternatively, this file may be used under the terms of the GNU -
31** General Public License version 3.0 as published by the Free Software -
32** Foundation and appearing in the file LICENSE.GPL included in the -
33** packaging of this file. Please review the following information to -
34** ensure the GNU General Public License version 3.0 requirements will be -
35** met: http://www.gnu.org/copyleft/gpl.html. -
36** -
37** -
38** $QT_END_LICENSE$ -
39** -
40****************************************************************************/ -
41 -
42 -
43/*! -
44 \class QSslCertificate -
45 \brief The QSslCertificate class provides a convenient API for an X509 certificate. -
46 \since 4.3 -
47 -
48 \reentrant -
49 \ingroup network -
50 \ingroup ssl -
51 \ingroup shared -
52 \inmodule QtNetwork -
53 -
54 QSslCertificate stores an X509 certificate, and is commonly used -
55 to verify the identity and store information about the local host, -
56 a remotely connected peer, or a trusted third party Certificate -
57 Authority. -
58 -
59 There are many ways to construct a QSslCertificate. The most -
60 common way is to call QSslSocket::peerCertificate(), which returns -
61 a QSslCertificate object, or QSslSocket::peerCertificateChain(), -
62 which returns a list of them. You can also load certificates from -
63 a DER (binary) or PEM (Base64) encoded bundle, typically stored as -
64 one or more local files, or in a Qt Resource. -
65 -
66 You can call isNull() to check if your certificate is null. By default, -
67 QSslCertificate constructs a null certificate. A null certificate is -
68 invalid, but an invalid certificate is not necessarily null. If you want -
69 to reset all contents in a certificate, call clear(). -
70 -
71 After loading a certificate, you can find information about the -
72 certificate, its subject, and its issuer, by calling one of the -
73 many accessor functions, including version(), serialNumber(), -
74 issuerInfo() and subjectInfo(). You can call effectiveDate() and -
75 expiryDate() to check when the certificate starts being -
76 effective and when it expires. -
77 The publicKey() function returns the certificate -
78 subject's public key as a QSslKey. You can call issuerInfo() or -
79 subjectInfo() to get detailed information about the certificate -
80 issuer and its subject. -
81 -
82 Internally, QSslCertificate is stored as an X509 structure. You -
83 can access this handle by calling handle(), but the results are -
84 likely to not be portable. -
85 -
86 \sa QSslSocket, QSslKey, QSslCipher, QSslError -
87*/ -
88 -
89/*! -
90 \enum QSslCertificate::SubjectInfo -
91 -
92 Describes keys that you can pass to QSslCertificate::issuerInfo() or -
93 QSslCertificate::subjectInfo() to get information about the certificate -
94 issuer or subject. -
95 -
96 \value Organization "O" The name of the organization. -
97 -
98 \value CommonName "CN" The common name; most often this is used to store -
99 the host name. -
100 -
101 \value LocalityName "L" The locality. -
102 -
103 \value OrganizationalUnitName "OU" The organizational unit name. -
104 -
105 \value CountryName "C" The country. -
106 -
107 \value StateOrProvinceName "ST" The state or province. -
108 -
109 \value DistinguishedNameQualifier The distinguished name qualifier -
110 -
111 \value SerialNumber The certificate's serial number -
112 -
113 \value EmailAddress The email address associated with the certificate -
114*/ -
115 -
116#include "qsslsocket_openssl_symbols_p.h" -
117#include "qsslcertificate.h" -
118#include "qsslcertificate_p.h" -
119#include "qsslkey.h" -
120#include "qsslkey_p.h" -
121#include "qsslcertificateextension.h" -
122#include "qsslcertificateextension_p.h" -
123 -
124#include <QtCore/qatomic.h> -
125#include <QtCore/qdatetime.h> -
126#include <QtCore/qdebug.h> -
127#include <QtCore/qdir.h> -
128#include <QtCore/qdiriterator.h> -
129#include <QtCore/qfile.h> -
130#include <QtCore/qfileinfo.h> -
131#include <QtCore/qmap.h> -
132#include <QtCore/qmutex.h> -
133#include <QtCore/private/qmutexpool_p.h> -
134#include <QtCore/qstring.h> -
135#include <QtCore/qstringlist.h> -
136#include <QtCore/qvarlengtharray.h> -
137 -
138QT_BEGIN_NAMESPACE -
139 -
140// forward declaration -
141static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name); -
142 -
143/*! -
144 Constructs a QSslCertificate by reading \a format encoded data -
145 from \a device and using the first certificate found. You can -
146 later call isNull() to see if \a device contained a certificate, -
147 and if this certificate was loaded successfully. -
148*/ -
149QSslCertificate::QSslCertificate(QIODevice *device, QSsl::EncodingFormat format) -
150 : d(new QSslCertificatePrivate) -
151{ -
152 QSslSocketPrivate::ensureInitialized(); -
153 if (device) -
154 d->init(device->readAll(), format); -
155} -
156 -
157/*! -
158 Constructs a QSslCertificate by parsing the \a format encoded -
159 \a data and using the first available certificate found. You can -
160 later call isNull() to see if \a data contained a certificate, -
161 and if this certificate was loaded successfully. -
162*/ -
163QSslCertificate::QSslCertificate(const QByteArray &data, QSsl::EncodingFormat format) -
164 : d(new QSslCertificatePrivate) -
165{ -
166 QSslSocketPrivate::ensureInitialized(); -
167 d->init(data, format); -
168} -
169 -
170/*! -
171 Constructs an identical copy of \a other. -
172*/ -
173QSslCertificate::QSslCertificate(const QSslCertificate &other) : d(other.d) -
174{ -
175} -
176 -
177/*! -
178 Destroys the QSslCertificate. -
179*/ -
180QSslCertificate::~QSslCertificate() -
181{ -
182} -
183 -
184/*! -
185 Copies the contents of \a other into this certificate, making the two -
186 certificates identical. -
187*/ -
188QSslCertificate &QSslCertificate::operator=(const QSslCertificate &other) -
189{ -
190 d = other.d; -
191 return *this; -
192} -
193 -
194/*! -
195 \fn void QSslCertificate::swap(QSslCertificate &other) -
196 \since 5.0 -
197 -
198 Swaps this certificate instance with \a other. This function is -
199 very fast and never fails. -
200*/ -
201 -
202/*! -
203 Returns true if this certificate is the same as \a other; otherwise -
204 returns false. -
205*/ -
206bool QSslCertificate::operator==(const QSslCertificate &other) const -
207{ -
208 if (d == other.d) -
209 return true; -
210 if (d->null && other.d->null) -
211 return true; -
212 if (d->x509 && other.d->x509) -
213 return q_X509_cmp(d->x509, other.d->x509) == 0; -
214 return false; -
215} -
216 -
217/*! -
218 \fn bool QSslCertificate::operator!=(const QSslCertificate &other) const -
219 -
220 Returns true if this certificate is not the same as \a other; otherwise -
221 returns false. -
222*/ -
223 -
224/*! -
225 Returns true if this is a null certificate (i.e., a certificate -
226 with no contents); otherwise returns false. -
227 -
228 By default, QSslCertificate constructs a null certificate. -
229 -
230 \sa clear() -
231*/ -
232bool QSslCertificate::isNull() const -
233{ -
234 return d->null; -
235} -
236 -
237#if QT_DEPRECATED_SINCE(5,0) -
238/*! -
239 \fn bool QSslCertificate::isValid() const -
240 \obsolete -
241 -
242 To verify a certificate, use verify(). -
243 To check if a certificate is blacklisted, use isBlacklisted(). -
244 To check if a certificate has expired or is not yet valid, compare -
245 expiryDate() and effectiveDate() with QDateTime::currentDateTime() -
246 -
247 This function checks that the current -
248 date-time is within the date-time range during which the -
249 certificate is considered valid, and checks that the -
250 certificate is not in a blacklist of fraudulent certificates. -
251 -
252 \sa isNull(), verify(), isBlacklisted(), expiryDate(), effectiveDate() -
253*/ -
254#endif -
255 -
256/*! -
257 Returns true if this certificate is blacklisted; otherwise -
258 returns false. -
259 -
260 \sa isNull() -
261*/ -
262bool QSslCertificate::isBlacklisted() const -
263{ -
264 return QSslCertificatePrivate::isBlacklisted(*this); -
265} -
266 -
267/*! -
268 Clears the contents of this certificate, making it a null -
269 certificate. -
270 -
271 \sa isNull() -
272*/ -
273void QSslCertificate::clear() -
274{ -
275 if (isNull()) -
276 return; -
277 d = new QSslCertificatePrivate; -
278} -
279 -
280/*! -
281 Returns the certificate's version string. -
282*/ -
283QByteArray QSslCertificate::version() const -
284{ -
285 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
286 if (d->versionString.isEmpty() && d->x509) -
287 d->versionString = -
288 QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); -
289 -
290 return d->versionString; -
291} -
292 -
293/*! -
294 Returns the certificate's serial number string in hexadecimal format. -
295*/ -
296QByteArray QSslCertificate::serialNumber() const -
297{ -
298 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
299 if (d->serialNumberString.isEmpty() && d->x509) { -
300 ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; -
301 QByteArray hexString; -
302 hexString.reserve(serialNumber->length * 3); -
303 for (int a = 0; a < serialNumber->length; ++a) { -
304 hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0'); -
305 hexString += ':'; -
306 } -
307 hexString.chop(1); -
308 d->serialNumberString = hexString; -
309 } -
310 return d->serialNumberString; -
311} -
312 -
313/*! -
314 Returns a cryptographic digest of this certificate. By default, -
315 an MD5 digest will be generated, but you can also specify a -
316 custom \a algorithm. -
317*/ -
318QByteArray QSslCertificate::digest(QCryptographicHash::Algorithm algorithm) const -
319{ -
320 return QCryptographicHash::hash(toDer(), algorithm); -
321} -
322 -
323static QByteArray _q_SubjectInfoToString(QSslCertificate::SubjectInfo info) -
324{ -
325 QByteArray str; -
326 switch (info) { -
327 case QSslCertificate::Organization: str = QByteArray("O"); break; -
328 case QSslCertificate::CommonName: str = QByteArray("CN"); break; -
329 case QSslCertificate::LocalityName: str = QByteArray("L"); break; -
330 case QSslCertificate::OrganizationalUnitName: str = QByteArray("OU"); break; -
331 case QSslCertificate::CountryName: str = QByteArray("C"); break; -
332 case QSslCertificate::StateOrProvinceName: str = QByteArray("ST"); break; -
333 case QSslCertificate::DistinguishedNameQualifier: str = QByteArray("dnQualifier"); break; -
334 case QSslCertificate::SerialNumber: str = QByteArray("serialNumber"); break; -
335 case QSslCertificate::EmailAddress: str = QByteArray("emailAddress"); break; -
336 } -
337 return str; -
338} -
339 -
340/*! -
341 \fn QString QSslCertificate::issuerInfo(SubjectInfo subject) const -
342 -
343 Returns the issuer information for the \a subject from the -
344 certificate, or an empty string if there is no information for -
345 \a subject in the certificate. -
346 -
347 \sa subjectInfo() -
348*/ -
349QStringList QSslCertificate::issuerInfo(SubjectInfo info) const -
350{ -
351 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
352 // lazy init -
353 if (d->issuerInfo.isEmpty() && d->x509) -
354 d->issuerInfo = -
355 _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); -
356 -
357 return d->issuerInfo.values(_q_SubjectInfoToString(info)); -
358} -
359 -
360/*! -
361 Returns the issuer information for \a attribute from the certificate, -
362 or an empty string if there is no information for \a attribute in the -
363 certificate. -
364 -
365 \sa subjectInfo() -
366*/ -
367QStringList QSslCertificate::issuerInfo(const QByteArray &attribute) const -
368{ -
369 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
370 // lazy init -
371 if (d->issuerInfo.isEmpty() && d->x509) -
372 d->issuerInfo = -
373 _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); -
374 -
375 return d->issuerInfo.values(attribute); -
376} -
377 -
378/*! -
379 -
380 \fn QString QSslCertificate::subjectInfo(SubjectInfo subject) const -
381 -
382 Returns the information for the \a subject, or an empty string if -
383 there is no information for \a subject in the certificate. -
384 -
385 \sa issuerInfo() -
386*/ -
387QStringList QSslCertificate::subjectInfo(SubjectInfo info) const -
388{ -
389 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
390 // lazy init -
391 if (d->subjectInfo.isEmpty() && d->x509) -
392 d->subjectInfo = -
393 _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); -
394 -
395 return d->subjectInfo.values(_q_SubjectInfoToString(info)); -
396} -
397 -
398/*! -
399 Returns the subject information for \a attribute, or an empty string if -
400 there is no information for \a attribute in the certificate. -
401 -
402 \sa issuerInfo() -
403*/ -
404QStringList QSslCertificate::subjectInfo(const QByteArray &attribute) const -
405{ -
406 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
407 // lazy init -
408 if (d->subjectInfo.isEmpty() && d->x509) -
409 d->subjectInfo = -
410 _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); -
411 -
412 return d->subjectInfo.values(attribute); -
413} -
414 -
415/*! -
416 \since 5.0 -
417 Returns a list of the attributes that have values in the subject -
418 information of this certificate. The information associated -
419 with a given attribute can be accessed using the subjectInfo() -
420 method. Note that this list may include the OIDs for any -
421 elements that are not known by the SSL backend. -
422 -
423 \sa subjectInfo() -
424*/ -
425QList<QByteArray> QSslCertificate::subjectInfoAttributes() const -
426{ -
427 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
428 // lazy init -
429 if (d->subjectInfo.isEmpty() && d->x509) -
430 d->subjectInfo = -
431 _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); -
432 -
433 return d->subjectInfo.uniqueKeys(); -
434} -
435 -
436/*! -
437 \since 5.0 -
438 Returns a list of the attributes that have values in the issuer -
439 information of this certificate. The information associated -
440 with a given attribute can be accessed using the issuerInfo() -
441 method. Note that this list may include the OIDs for any -
442 elements that are not known by the SSL backend. -
443 -
444 \sa subjectInfo() -
445*/ -
446QList<QByteArray> QSslCertificate::issuerInfoAttributes() const -
447{ -
448 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); -
449 // lazy init -
450 if (d->issuerInfo.isEmpty() && d->x509) -
451 d->issuerInfo = -
452 _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); -
453 -
454 return d->issuerInfo.uniqueKeys(); -
455} -
456 -
457#if QT_DEPRECATED_SINCE(5,0) -
458/*! -
459 \fn QMultiMap<QSsl::AlternateNameEntryType, QString> QSslCertificate::alternateSubjectNames() const -
460 \obsolete -
461 -
462 Use QSslCertificate::subjectAlternativeNames(); -
463*/ -
464#endif -
465 -
466/*! -
467 Returns the list of alternative subject names for this -
468 certificate. The alternative names typically contain host -
469 names, optionally with wildcards, that are valid for this -
470 certificate. -
471 -
472 These names are tested against the connected peer's host name, if -
473 either the subject information for \l CommonName doesn't define a -
474 valid host name, or the subject info name doesn't match the peer's -
475 host name. -
476 -
477 \sa subjectInfo() -
478*/ -
479QMultiMap<QSsl::AlternativeNameEntryType, QString> QSslCertificate::subjectAlternativeNames() const -
480{ -
481 QMultiMap<QSsl::AlternativeNameEntryType, QString> result; -
482 -
483 if (!d->x509) -
484 return result; -
485 -
486 STACK_OF(GENERAL_NAME) *altNames = (STACK_OF(GENERAL_NAME)*)q_X509_get_ext_d2i(d->x509, NID_subject_alt_name, 0, 0); -
487 -
488 if (altNames) { -
489 for (int i = 0; i < q_sk_GENERAL_NAME_num(altNames); ++i) { -
490 const GENERAL_NAME *genName = q_sk_GENERAL_NAME_value(altNames, i); -
491 if (genName->type != GEN_DNS && genName->type != GEN_EMAIL) -
492 continue; -
493 -
494 int len = q_ASN1_STRING_length(genName->d.ia5); -
495 if (len < 0 || len >= 8192) { -
496 // broken name -
497 continue; -
498 } -
499 -
500 const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(genName->d.ia5)); -
501 const QString altName = QString::fromLatin1(altNameStr, len); -
502 if (genName->type == GEN_DNS) -
503 result.insert(QSsl::DnsEntry, altName); -
504 else if (genName->type == GEN_EMAIL) -
505 result.insert(QSsl::EmailEntry, altName); -
506 } -
507 q_sk_pop_free((STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_sk_free)); -
508 } -
509 -
510 return result; -
511} -
512 -
513/*! -
514 Returns the date-time that the certificate becomes valid, or an -
515 empty QDateTime if this is a null certificate. -
516 -
517 \sa expiryDate() -
518*/ -
519QDateTime QSslCertificate::effectiveDate() const -
520{ -
521 return d->notValidBefore; -
522} -
523 -
524/*! -
525 Returns the date-time that the certificate expires, or an empty -
526 QDateTime if this is a null certificate. -
527 -
528 \sa effectiveDate() -
529*/ -
530QDateTime QSslCertificate::expiryDate() const -
531{ -
532 return d->notValidAfter; -
533} -
534 -
535/*! -
536 Returns a pointer to the native certificate handle, if there is -
537 one, or a null pointer otherwise. -
538 -
539 You can use this handle, together with the native API, to access -
540 extended information about the certificate. -
541 -
542 \warning Use of this function has a high probability of being -
543 non-portable, and its return value may vary from platform to -
544 platform or change from minor release to minor release. -
545*/ -
546Qt::HANDLE QSslCertificate::handle() const -
547{ -
548 return Qt::HANDLE(d->x509); -
549} -
550 -
551/*! -
552 Returns the certificate subject's public key. -
553*/ -
554QSslKey QSslCertificate::publicKey() const -
555{ -
556 if (!d->x509) -
557 return QSslKey(); -
558 -
559 QSslKey key; -
560 -
561 key.d->type = QSsl::PublicKey; -
562 X509_PUBKEY *xkey = d->x509->cert_info->key; -
563 EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); -
564 Q_ASSERT(pkey); -
565 -
566 if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { -
567 key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); -
568 key.d->algorithm = QSsl::Rsa; -
569 key.d->isNull = false; -
570 } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { -
571 key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); -
572 key.d->algorithm = QSsl::Dsa; -
573 key.d->isNull = false; -
574 } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { -
575 // DH unsupported -
576 } else { -
577 // error? -
578 } -
579 -
580 q_EVP_PKEY_free(pkey); -
581 return key; -
582} -
583 -
584/* -
585 * Convert unknown extensions to a QVariant. -
586 */ -
587static QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext) -
588{ -
589 // Get the extension specific method object if available -
590 // we cast away the const-ness here because some versions of openssl -
591 // don't use const for the parameters in the functions pointers stored -
592 // in the object. -
593 X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); -
594 if (!meth) { -
595 ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); -
596 QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_data(value)), -
597 q_ASN1_STRING_length(value)); -
598 return result; -
599 } -
600 -
601 //const unsigned char *data = ext->value->data; -
602 void *ext_internal = q_X509V3_EXT_d2i(ext); -
603 -
604 // If this extension can be converted -
605 if (meth->i2v && ext_internal) { -
606 STACK_OF(CONF_VALUE) *val = meth->i2v(meth, ext_internal, 0); -
607 -
608 QVariantMap map; -
609 QVariantList list; -
610 bool isMap = false; -
611 -
612 for (int j = 0; j < q_SKM_sk_num(CONF_VALUE, val); j++) { -
613 CONF_VALUE *nval = q_SKM_sk_value(CONF_VALUE, val, j); -
614 if (nval->name && nval->value) { -
615 isMap = true; -
616 map[QString::fromUtf8(nval->name)] = QString::fromUtf8(nval->value); -
617 } else if (nval->name) { -
618 list << QString::fromUtf8(nval->name); -
619 } else if (nval->value) { -
620 list << QString::fromUtf8(nval->value); -
621 } -
622 } -
623 -
624 if (isMap) -
625 return map; -
626 else -
627 return list; -
628 } else if (meth->i2s && ext_internal) { -
629 //qDebug() << meth->i2s(meth, ext_internal); -
630 QVariant result(QString::fromUtf8(meth->i2s(meth, ext_internal))); -
631 return result; -
632 } else if (meth->i2r && ext_internal) { -
633 QByteArray result; -
634 -
635 BIO *bio = q_BIO_new(q_BIO_s_mem()); -
636 if (!bio) -
637 return result; -
638 -
639 meth->i2r(meth, ext_internal, bio, 0); -
640 -
641 char *bio_buffer; -
642 long bio_size = q_BIO_get_mem_data(bio, &bio_buffer); -
643 result = QByteArray(bio_buffer, bio_size); -
644 -
645 q_BIO_free(bio); -
646 return result; -
647 } -
648 -
649 return QVariant(); -
650} -
651 -
652/* -
653 * Convert extensions to a variant. The naming of the keys of the map are -
654 * taken from RFC 5280, however we decided the capitalisation in the RFC -
655 * was too silly for the real world. -
656 */ -
657static QVariant x509ExtensionToValue(X509_EXTENSION *ext) -
658{ -
659 ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext); -
660 int nid = q_OBJ_obj2nid(obj); -
661 -
662 switch (nid) { -
663 case NID_basic_constraints: -
664 { -
665 BASIC_CONSTRAINTS *basic = reinterpret_cast<BASIC_CONSTRAINTS *>(q_X509V3_EXT_d2i(ext)); -
666 -
667 QVariantMap result; -
668 result[QLatin1String("ca")] = basic->ca ? true : false; -
669 if (basic->pathlen) -
670 result[QLatin1String("pathLenConstraint")] = (qlonglong)q_ASN1_INTEGER_get(basic->pathlen); -
671 -
672 q_BASIC_CONSTRAINTS_free(basic); -
673 return result; -
674 } -
675 break;
dead code: break;
-
676 case NID_info_access: -
677 { -
678 AUTHORITY_INFO_ACCESS *info = reinterpret_cast<AUTHORITY_INFO_ACCESS *>(q_X509V3_EXT_d2i(ext)); -
679 -
680 QVariantMap result; -
681 for (int i=0; i < q_SKM_sk_num(ACCESS_DESCRIPTION, info); i++) { -
682 ACCESS_DESCRIPTION *ad = q_SKM_sk_value(ACCESS_DESCRIPTION, info, i); -
683 -
684 GENERAL_NAME *name = ad->location; -
685 if (name->type == GEN_URI) { -
686 int len = q_ASN1_STRING_length(name->d.uniformResourceIdentifier); -
687 if (len < 0 || len >= 8192) { -
688 // broken name -
689 continue; -
690 } -
691 -
692 const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(name->d.uniformResourceIdentifier)); -
693 const QString uri = QString::fromUtf8(uriStr, len); -
694 -
695 result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; -
696 } else { -
697 qWarning() << "Strange location type" << name->type; -
698 } -
699 } -
700 -
701#if OPENSSL_VERSION_NUMBER >= 0x10000000L -
702 q_sk_pop_free((_STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); -
703#else -
704 q_sk_pop_free((STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); -
705#endif -
706 return result; -
707 } -
708 break;
dead code: break;
-
709 case NID_subject_key_identifier: -
710 { -
711 void *ext_internal = q_X509V3_EXT_d2i(ext); -
712 -
713 // we cast away the const-ness here because some versions of openssl -
714 // don't use const for the parameters in the functions pointers stored -
715 // in the object. -
716 X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); -
717 -
718 return QVariant(QString::fromUtf8(meth->i2s(meth, ext_internal))); -
719 } -
720 break;
dead code: break;
-
721 case NID_authority_key_identifier: -
722 { -
723 AUTHORITY_KEYID *auth_key = reinterpret_cast<AUTHORITY_KEYID *>(q_X509V3_EXT_d2i(ext)); -
724 -
725 QVariantMap result; -
726 -
727 // keyid -
728 if (auth_key->keyid) { -
729 QByteArray keyid(reinterpret_cast<const char *>(auth_key->keyid->data), -
730 auth_key->keyid->length); -
731 result[QLatin1String("keyid")] = keyid.toHex(); -
732 } -
733 -
734 // issuer -
735 // TODO: GENERAL_NAMES -
736 -
737 // serial -
738 if (auth_key->serial) -
739 result[QLatin1String("serial")] = (qlonglong)q_ASN1_INTEGER_get(auth_key->serial); -
740 -
741 q_AUTHORITY_KEYID_free(auth_key); -
742 return result; -
743 } -
744 break;
dead code: break;
-
745 } -
746 -
747 return QVariant(); -
748} -
749 -
750QSslCertificateExtension QSslCertificatePrivate::convertExtension(X509_EXTENSION *ext) -
751{ -
752 QSslCertificateExtension result; -
753 -
754 ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext); -
755 QByteArray oid = QSslCertificatePrivate::asn1ObjectId(obj); -
756 QByteArray name = QSslCertificatePrivate::asn1ObjectName(obj); -
757 -
758 result.d->oid = QString::fromUtf8(oid); -
759 result.d->name = QString::fromUtf8(name); -
760 -
761 bool critical = q_X509_EXTENSION_get_critical(ext); -
762 result.d->critical = critical; -
763 -
764 // Lets see if we have custom support for this one -
765 QVariant extensionValue = x509ExtensionToValue(ext); -
766 if (extensionValue.isValid()) { -
767 result.d->value = extensionValue; -
768 result.d->supported = true; -
769 -
770 return result; -
771 } -
772 -
773 extensionValue = x509UnknownExtensionToValue(ext); -
774 if (extensionValue.isValid()) { -
775 result.d->value = extensionValue; -
776 result.d->supported = false; -
777 return result; -
778 } -
779 -
780 return result; -
781} -
782 -
783/*! -
784 Returns a list containing the X509 extensions of this certificate. -
785 \since 5.0 -
786 */ -
787QList<QSslCertificateExtension> QSslCertificate::extensions() const -
788{ -
789 QList<QSslCertificateExtension> result; -
790 -
791 if (!d->x509) -
792 return result; -
793 -
794 int count = q_X509_get_ext_count(d->x509); -
795 -
796 for (int i=0; i < count; i++) { -
797 X509_EXTENSION *ext = q_X509_get_ext(d->x509, i); -
798 result << QSslCertificatePrivate::convertExtension(ext); -
799 } -
800 -
801 return result; -
802} -
803 -
804/*! -
805 Returns this certificate converted to a PEM (Base64) encoded -
806 representation. -
807*/ -
808QByteArray QSslCertificate::toPem() const -
809{ -
810 if (!d->x509) -
811 return QByteArray(); -
812 return d->QByteArray_from_X509(d->x509, QSsl::Pem); -
813} -
814 -
815/*! -
816 Returns this certificate converted to a DER (binary) encoded -
817 representation. -
818*/ -
819QByteArray QSslCertificate::toDer() const -
820{ -
821 if (!d->x509) -
822 return QByteArray(); -
823 return d->QByteArray_from_X509(d->x509, QSsl::Der); -
824} -
825 -
826/*! -
827 Returns this certificate converted to a human-readable text -
828 representation. -
829 -
830 \since 5.0 -
831*/ -
832QString QSslCertificate::toText() const -
833{ -
834 if (!d->x509) -
835 return QString(); -
836 return d->text_from_X509(d->x509); -
837} -
838 -
839/*! -
840 Searches all files in the \a path for certificates encoded in the -
841 specified \a format and returns them in a list. \e must be a file or a -
842 pattern matching one or more files, as specified by \a syntax. -
843 -
844 Example: -
845 -
846 \snippet code/src_network_ssl_qsslcertificate.cpp 0 -
847 -
848 \sa fromData() -
849*/ -
850QList<QSslCertificate> QSslCertificate::fromPath(const QString &path, -
851 QSsl::EncodingFormat format, -
852 QRegExp::PatternSyntax syntax) -
853{ -
854 // $, (,), *, +, ., ?, [, ,], ^, {, | and }. -
855 -
856 // make sure to use the same path separators on Windows and Unix like systems. -
857 QString sourcePath = QDir::fromNativeSeparators(path);
executed (the execution status of this line is deduced): QString sourcePath = QDir::fromNativeSeparators(path);
-
858 -
859 // Find the path without the filename -
860 QString pathPrefix = sourcePath.left(sourcePath.lastIndexOf(QLatin1Char('/')));
executed (the execution status of this line is deduced): QString pathPrefix = sourcePath.left(sourcePath.lastIndexOf(QLatin1Char('/')));
-
861 -
862 // Check if the path contains any special chars -
863 int pos = -1;
executed (the execution status of this line is deduced): int pos = -1;
-
864 if (syntax == QRegExp::Wildcard)
evaluated: syntax == QRegExp::Wildcard
TRUEFALSE
yes
Evaluation Count:22
yes
Evaluation Count:242
22-242
865 pos = pathPrefix.indexOf(QRegExp(QLatin1String("[*?[]")));
executed: pos = pathPrefix.indexOf(QRegExp(QLatin1String("[*?[]")));
Execution Count:22
22
866 else if (syntax != QRegExp::FixedString)
evaluated: syntax != QRegExp::FixedString
TRUEFALSE
yes
Evaluation Count:16
yes
Evaluation Count:226
16-226
867 pos = sourcePath.indexOf(QRegExp(QLatin1String("[\\$\\(\\)\\*\\+\\.\\?\\[\\]\\^\\{\\}\\|]")));
executed: pos = sourcePath.indexOf(QRegExp(QLatin1String("[\\$\\(\\)\\*\\+\\.\\?\\[\\]\\^\\{\\}\\|]")));
Execution Count:16
16
868 if (pos != -1) {
evaluated: pos != -1
TRUEFALSE
yes
Evaluation Count:20
yes
Evaluation Count:244
20-244
869 // there was a special char in the path so cut of the part containing that char. -
870 pathPrefix = pathPrefix.left(pos);
executed (the execution status of this line is deduced): pathPrefix = pathPrefix.left(pos);
-
871 if (pathPrefix.contains(QLatin1Char('/')))
partially evaluated: pathPrefix.contains(QLatin1Char('/'))
TRUEFALSE
no
Evaluation Count:0
yes
Evaluation Count:20
0-20
872 pathPrefix = pathPrefix.left(pathPrefix.lastIndexOf(QLatin1Char('/')));
never executed: pathPrefix = pathPrefix.left(pathPrefix.lastIndexOf(QLatin1Char('/')));
0
873 else -
874 pathPrefix.clear();
executed: pathPrefix.clear();
Execution Count:20
20
875 } else { -
876 // Check if the path is a file. -
877 if (QFileInfo(sourcePath).isFile()) {
evaluated: QFileInfo(sourcePath).isFile()
TRUEFALSE
yes
Evaluation Count:212
yes
Evaluation Count:32
32-212
878 QFile file(sourcePath);
executed (the execution status of this line is deduced): QFile file(sourcePath);
-
879 if (file.open(QIODevice::OpenMode openMode = QIODevice::ReadOnly;
executed (the execution status of this line is deduced): QIODevice::OpenMode openMode = QIODevice::ReadOnly;
-
880 if (format == QSsl::Pem)
evaluated: format == QSsl::Pem
TRUEFALSE
yes
Evaluation Count:210
yes
Evaluation Count:2
2-210
881 openMode |= QIODevice::Text;
executed: openMode |= QIODevice::Text;
Execution Count:210
210
882 if (file.open(openMode))
partially evaluated: file.open(openMode)
TRUEFALSE
yes
Evaluation Count:212
no
Evaluation Count:0
0-212
883 return QSslCertificate::fromData(file.readAll(), format);
executed: return QSslCertificate::fromData(file.readAll(), format);
Execution Count:212
212
884 return QList<QSslCertificate>();
never executed: return QList<QSslCertificate>();
0
885 } -
886 }
executed: }
Execution Count:32
32
887 -
888 // Special case - if the prefix ends up being nothing, use "." instead. -
889 int startIndex = 0;
executed (the execution status of this line is deduced): int startIndex = 0;
-
890 if (pathPrefix.isEmpty()) {
evaluated: pathPrefix.isEmpty()
TRUEFALSE
yes
Evaluation Count:26
yes
Evaluation Count:26
26
891 pathPrefix = QLatin1String(".");
executed (the execution status of this line is deduced): pathPrefix = QLatin1String(".");
-
892 startIndex = 2;
executed (the execution status of this line is deduced): startIndex = 2;
-
893 }
executed: }
Execution Count:26
26
894 -
895 // The path can be a file or directory. -
896 QList<QSslCertificate> certs;
executed (the execution status of this line is deduced): QList<QSslCertificate> certs;
-
897 QRegExp pattern(sourcePath, Qt::CaseSensitive, syntax);
executed (the execution status of this line is deduced): QRegExp pattern(sourcePath, Qt::CaseSensitive, syntax);
-
898 QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks | QDirIterator::Subdirectories);
executed (the execution status of this line is deduced): QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks | QDirIterator::Subdirectories);
-
899 while (it.hasNext()) {
evaluated: it.hasNext()
TRUEFALSE
yes
Evaluation Count:1928
yes
Evaluation Count:52
52-1928
900 QString filePath = startIndex == 0 ? it.next() : it.next().mid(startIndex);
evaluated: startIndex == 0
TRUEFALSE
yes
Evaluation Count:342
yes
Evaluation Count:1586
342-1586
901 if (!pattern.exactMatch(filePath))
evaluated: !pattern.exactMatch(filePath)
TRUEFALSE
yes
Evaluation Count:1818
yes
Evaluation Count:110
110-1818
902 continue;
executed: continue;
Execution Count:1818
1818
903 -
904 QFile file(filePath);
executed (the execution status of this line is deduced): QFile file(filePath);
-
905 if (file.open(QIODevice::OpenMode openMode = QIODevice::ReadOnly;
executed (the execution status of this line is deduced): QIODevice::OpenMode openMode = QIODevice::ReadOnly;
-
906 if (format == QSsl::Pem)
evaluated: format == QSsl::Pem
TRUEFALSE
yes
Evaluation Count:78
yes
Evaluation Count:32
32-78
907 openMode |= QIODevice::Text;
executed: openMode |= QIODevice::Text;
Execution Count:78
78
908 if (file.open(openMode))
partially evaluated: file.open(openMode)
TRUEFALSE
yes
Evaluation Count:110
no
Evaluation Count:0
0-110
909 certs += QSslCertificate::fromData(file.readAll(), format);
executed: certs += QSslCertificate::fromData(file.readAll(), format);
Execution Count:110
110
910 }
executed: }
Execution Count:110
110
911 return certs;
executed: return certs;
Execution Count:52
52
912} -
913 -
914/*! -
915 Searches for and parses all certificates in \a device that are -
916 encoded in the specified \a format and returns them in a list of -
917 certificates. -
918 -
919 \sa fromData() -
920*/ -
921QList<QSslCertificate> QSslCertificate::fromDevice(QIODevice *device, QSsl::EncodingFormat format) -
922{ -
923 if (!device) { -
924 qWarning("QSslCertificate::fromDevice: cannot read from a null device"); -
925 return QList<QSslCertificate>(); -
926 } -
927 return fromData(device->readAll(), format); -
928} -
929 -
930/*! -
931 Searches for and parses all certificates in \a data that are -
932 encoded in the specified \a format and returns them in a list of -
933 certificates. -
934 -
935 \sa fromDevice() -
936*/ -
937QList<QSslCertificate> QSslCertificate::fromData(const QByteArray &data, QSsl::EncodingFormat format) -
938{ -
939 return (format == QSsl::Pem) -
940 ? QSslCertificatePrivate::certificatesFromPem(data) -
941 : QSslCertificatePrivate::certificatesFromDer(data); -
942} -
943 -
944/*! -
945 Verifies a certificate chain. The chain to be verified is passed in the -
946 \a certificateChain parameter. The first certificate in the list should -
947 be the leaf certificate of the chain to be verified. If \a hostName is -
948 specified then the certificate is also checked to see if it is valid for -
949 the specified host name. -
950 -
951 Note that the root (CA) certificate should not be included in the list to be verified, -
952 this will be looked up automatically either using the CA list specified by -
953 QSslSocket::defaultCaCertificates() or, if possible, it will be loaded on demand -
954 on Unix. -
955 -
956 \since 5.0 -
957 */ -
958QList<QSslError> QSslCertificate::verify(QList<QSslCertificate> certificateChain, const QString &hostName) -
959{ -
960 return QSslSocketBackendPrivate::verify(certificateChain, hostName); -
961} -
962 -
963void QSslCertificatePrivate::init(const QByteArray &data, QSsl::EncodingFormat format) -
964{ -
965 if (!data.isEmpty()) { -
966 QList<QSslCertificate> certs = (format == QSsl::Pem) -
967 ? certificatesFromPem(data, 1) -
968 : certificatesFromDer(data, 1); -
969 if (!certs.isEmpty()) { -
970 *this = *certs.first().d; -
971 if (x509) -
972 x509 = q_X509_dup(x509); -
973 } -
974 } -
975} -
976 -
977#define BEGINCERTSTRING "-----BEGIN CERTIFICATE-----" -
978#define ENDCERTSTRING "-----END CERTIFICATE-----" -
979 -
980// ### refactor against QSsl::pemFromDer() etc. (to avoid redundant implementations) -
981QByteArray QSslCertificatePrivate::QByteArray_from_X509(X509 *x509, QSsl::EncodingFormat format) -
982{ -
983 if (!x509) { -
984 qWarning("QSslSocketBackendPrivate::X509_to_QByteArray: null X509"); -
985 return QByteArray(); -
986 } -
987 -
988 // Use i2d_X509 to convert the X509 to an array. -
989 int length = q_i2d_X509(x509, 0); -
990 QByteArray array; -
991 array.resize(length); -
992 char *data = array.data(); -
993 char **dataP = &data; -
994 unsigned char **dataPu = (unsigned char **)dataP; -
995 if (q_i2d_X509(x509, dataPu) < 0) -
996 return QByteArray(); -
997 -
998 if (format == QSsl::Der) -
999 return array; -
1000 -
1001 // Convert to Base64 - wrap at 64 characters. -
1002 array = array.toBase64(); -
1003 QByteArray tmp; -
1004 for (int i = 0; i <= array.size() - 64; i += 64) { -
1005 tmp += QByteArray::fromRawData(array.data() + i, 64); -
1006 tmp += '\n'; -
1007 } -
1008 if (int remainder = array.size() % 64) { -
1009 tmp += QByteArray::fromRawData(array.data() + array.size() - remainder, remainder); -
1010 tmp += '\n'; -
1011 } -
1012 -
1013 return BEGINCERTSTRING "\n" + tmp + ENDCERTSTRING "\n"; -
1014} -
1015 -
1016QString QSslCertificatePrivate::text_from_X509(X509 *x509) -
1017{ -
1018 if (!x509) { -
1019 qWarning("QSslSocketBackendPrivate::text_from_X509: null X509"); -
1020 return QString(); -
1021 } -
1022 -
1023 QByteArray result; -
1024 BIO *bio = q_BIO_new(q_BIO_s_mem()); -
1025 if (!bio) -
1026 return QString(); -
1027 -
1028 q_X509_print(bio, x509); -
1029 -
1030 QVarLengthArray<char, 16384> data; -
1031 int count = q_BIO_read(bio, data.data(), 16384); -
1032 if ( count > 0 ) { -
1033 result = QByteArray( data.data(), count ); -
1034 } -
1035 -
1036 q_BIO_free(bio); -
1037 -
1038 return QString::fromLatin1(result); -
1039} -
1040 -
1041QByteArray QSslCertificatePrivate::asn1ObjectId(ASN1_OBJECT *object) -
1042{ -
1043 char buf[80]; // The openssl docs a buffer length of 80 should be more than enough -
1044 q_OBJ_obj2txt(buf, sizeof(buf), object, 1); // the 1 says always use the oid not the long name -
1045 -
1046 return QByteArray(buf); -
1047} -
1048 -
1049 -
1050QByteArray QSslCertificatePrivate::asn1ObjectName(ASN1_OBJECT *object) -
1051{ -
1052 int nid = q_OBJ_obj2nid(object); -
1053 if (nid != NID_undef) -
1054 return QByteArray(q_OBJ_nid2sn(nid)); -
1055 -
1056 return asn1ObjectId(object); -
1057} -
1058 -
1059static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name) -
1060{ -
1061 QMap<QByteArray, QString> info; -
1062 for (int i = 0; i < q_X509_NAME_entry_count(name); ++i) { -
1063 X509_NAME_ENTRY *e = q_X509_NAME_get_entry(name, i); -
1064 -
1065 QByteArray name = QSslCertificatePrivate::asn1ObjectName(q_X509_NAME_ENTRY_get_object(e)); -
1066 unsigned char *data = 0; -
1067 int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); -
1068 info.insertMulti(name, QString::fromUtf8((char*)data, size)); -
1069 q_CRYPTO_free(data); -
1070 } -
1071 -
1072 return info; -
1073} -
1074 -
1075QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) -
1076{ -
1077 QSslCertificate certificate; -
1078 if (!x509 || !QSslSocket::supportsSsl()) -
1079 return certificate; -
1080 -
1081 ASN1_TIME *nbef = q_X509_get_notBefore(x509); -
1082 ASN1_TIME *naft = q_X509_get_notAfter(x509); -
1083 certificate.d->notValidBefore = q_getTimeFromASN1(nbef); -
1084 certificate.d->notValidAfter = q_getTimeFromASN1(naft); -
1085 certificate.d->null = false; -
1086 certificate.d->x509 = q_X509_dup(x509); -
1087 -
1088 return certificate; -
1089} -
1090 -
1091static bool matchLineFeed(const QByteArray &pem, int *offset) -
1092{ -
1093 char ch = 0; -
1094 -
1095 // ignore extra whitespace at the end of the line -
1096 while (*offset < pem.size() && (ch = pem.at(*offset)) == ' ') -
1097 ++*offset; -
1098 -
1099 if (ch == '\n') { -
1100 *offset += 1; -
1101 return true; -
1102 } -
1103 if (ch == '\r' && pem.size() > (*offset + 1) && pem.at(*offset + 1) == '\n') { -
1104 *offset += 2; -
1105 return true; -
1106 } -
1107 return false; -
1108} -
1109 -
1110QList<QSslCertificate> QSslCertificatePrivate::certificatesFromPem(const QByteArray &pem, int count) -
1111{ -
1112 QList<QSslCertificate> certificates; -
1113 QSslSocketPrivate::ensureInitialized(); -
1114 -
1115 int offset = 0; -
1116 while (count == -1 || certificates.size() < count) { -
1117 int startPos = pem.indexOf(BEGINCERTSTRING, offset); -
1118 if (startPos == -1) -
1119 break; -
1120 startPos += sizeof(BEGINCERTSTRING) - 1; -
1121 if (!matchLineFeed(pem, &startPos)) -
1122 break; -
1123 -
1124 int endPos = pem.indexOf(ENDCERTSTRING, startPos); -
1125 if (endPos == -1) -
1126 break; -
1127 -
1128 offset = endPos + sizeof(ENDCERTSTRING) - 1; -
1129 if (offset < pem.size() && !matchLineFeed(pem, &offset)) -
1130 break; -
1131 -
1132 QByteArray decoded = QByteArray::fromBase64( -
1133 QByteArray::fromRawData(pem.data() + startPos, endPos - startPos)); -
1134#if OPENSSL_VERSION_NUMBER >= 0x00908000L -
1135 const unsigned char *data = (const unsigned char *)decoded.data(); -
1136#else -
1137 unsigned char *data = (unsigned char *)decoded.data(); -
1138#endif -
1139 -
1140 if (X509 *x509 = q_d2i_X509(0, &data, decoded.size())) { -
1141 certificates << QSslCertificate_from_X509(x509); -
1142 q_X509_free(x509); -
1143 } -
1144 } -
1145 -
1146 return certificates; -
1147} -
1148 -
1149QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteArray &der, int count) -
1150{ -
1151 QList<QSslCertificate> certificates; -
1152 QSslSocketPrivate::ensureInitialized(); -
1153 -
1154 -
1155#if OPENSSL_VERSION_NUMBER >= 0x00908000L -
1156 const unsigned char *data = (const unsigned char *)der.data(); -
1157#else -
1158 unsigned char *data = (unsigned char *)der.data(); -
1159#endif -
1160 int size = der.size(); -
1161 -
1162 while (count == -1 || certificates.size() < count) { -
1163 if (X509 *x509 = q_d2i_X509(0, &data, size)) { -
1164 certificates << QSslCertificate_from_X509(x509); -
1165 q_X509_free(x509); -
1166 } else { -
1167 break; -
1168 } -
1169 size -= ((char *)data - der.data()); -
1170 } -
1171 -
1172 return certificates; -
1173} -
1174 -
1175// These certificates are known to be fraudulent and were created during the comodo -
1176// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html -
1177static const char *certificate_blacklist[] = { -
1178 "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e", "mail.google.com", // Comodo -
1179 "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06", "www.google.com", // Comodo -
1180 "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3", "login.yahoo.com", // Comodo -
1181 "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29", "login.yahoo.com", // Comodo -
1182 "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71", "login.yahoo.com", // Comodo -
1183 "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47", "login.skype.com", // Comodo -
1184 "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43", "addons.mozilla.org", // Comodo -
1185 "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0", "login.live.com", // Comodo -
1186 "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0", "global trustee", // Comodo -
1187 -
1188 "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56", "*.google.com", // leaf certificate issued by DigiNotar -
1189 "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c", "DigiNotar Root CA", // DigiNotar root -
1190 "f1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49", "DigiNotar Services CA", // DigiNotar intermediate signed by DigiNotar Root -
1191 "36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38", "DigiNotar Services 1024 CA", // DigiNotar intermediate signed by DigiNotar Root -
1192 "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e", "DigiNotar Root CA G2", // other DigiNotar Root CA -
1193 "a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21", "CertiID Enterprise Certificate Authority", // DigiNotar intermediate signed by "DigiNotar Root CA G2" -
1194 "5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41", "DigiNotar Qualified CA", // DigiNotar intermediate signed by DigiNotar Root -
1195 -
1196 "46:9c:2c:b0", "DigiNotar Services 1024 CA", // DigiNotar intermediate cross-signed by Entrust -
1197 "07:27:10:0d", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust -
1198 "07:27:0f:f9", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust -
1199 "07:27:10:03", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust -
1200 "01:31:69:b0", "DigiNotar PKIoverheid CA Overheid en Bedrijven", // DigiNotar intermediate cross-signed by the Dutch government -
1201 "01:31:34:bf", "DigiNotar PKIoverheid CA Organisatie - G2", // DigiNotar intermediate cross-signed by the Dutch government -
1202 "d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4", "DigiNotar Extended Validation CA", // DigiNotar intermediate signed by DigiNotar EV Root -
1203 "1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04", "DigiNotar Public CA 2025", // DigiNotar intermediate -
1204// "(has not been seen in the wild so far)", "DigiNotar Public CA - G2", // DigiNotar intermediate -
1205// "(has not been seen in the wild so far)", "Koninklijke Notariele Beroepsorganisatie CA", // compromised during DigiNotar breach -
1206// "(has not been seen in the wild so far)", "Stichting TTP Infos CA," // compromised during DigiNotar breach -
1207 "46:9c:2c:af", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust -
1208 "46:9c:3c:c9", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust -
1209 -
1210 "07:27:14:a9", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust -
1211 "4c:0e:63:6a", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust -
1212 "72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate -
1213 "41", "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/ -
1214 -
1215 "08:27", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate -
1216 "08:64", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate -
1217 0 -
1218}; -
1219 -
1220bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate) -
1221{ -
1222 for (int a = 0; certificate_blacklist[a] != 0; a++) { -
1223 QString blacklistedCommonName = QString::fromUtf8(certificate_blacklist[(a+1)]); -
1224 if (certificate.serialNumber() == certificate_blacklist[a++] && -
1225 (certificate.subjectInfo(QSslCertificate::CommonName).contains(blacklistedCommonName) || -
1226 certificate.issuerInfo(QSslCertificate::CommonName).contains(blacklistedCommonName))) -
1227 return true; -
1228 } -
1229 return false; -
1230} -
1231 -
1232#ifndef QT_NO_DEBUG_STREAM -
1233QDebug operator<<(QDebug debug, const QSslCertificate &certificate) -
1234{ -
1235 debug << "QSslCertificate(" -
1236 << certificate.version() -
1237 << ',' << certificate.serialNumber() -
1238 << ',' << certificate.digest().toBase64() -
1239 << ',' << certificate.issuerInfo(QSslCertificate::Organization) -
1240 << ',' << certificate.subjectInfo(QSslCertificate::Organization) -
1241 << ',' << certificate.subjectAlternativeNames() -
1242#ifndef QT_NO_DATESTRING -
1243 << ',' << certificate.effectiveDate() -
1244 << ',' << certificate.expiryDate() -
1245#endif -
1246 << ')'; -
1247 return debug; -
1248} -
1249QDebug operator<<(QDebug debug, QSslCertificate::SubjectInfo info) -
1250{ -
1251 switch (info) { -
1252 case QSslCertificate::Organization: debug << "Organization"; break; -
1253 case QSslCertificate::CommonName: debug << "CommonName"; break; -
1254 case QSslCertificate::CountryName: debug << "CountryName"; break; -
1255 case QSslCertificate::LocalityName: debug << "LocalityName"; break; -
1256 case QSslCertificate::OrganizationalUnitName: debug << "OrganizationalUnitName"; break; -
1257 case QSslCertificate::StateOrProvinceName: debug << "StateOrProvinceName"; break; -
1258 case QSslCertificate::DistinguishedNameQualifier: debug << "DistinguishedNameQualifier"; break; -
1259 case QSslCertificate::SerialNumber: debug << "SerialNumber"; break; -
1260 case QSslCertificate::EmailAddress: debug << "EmailAddress"; break; -
1261 } -
1262 return debug; -
1263} -
1264#endif -
1265 -
1266QT_END_NAMESPACE -
1267 -
Source codeSwitch to Preprocessed file

Generated by Squish Coco Non-Commercial