QSslCertificate: report fraudulent certificates as invalid

There are some fraudulent certificates in the wild that are not valid;
this patch introduces a blacklist of serial numbers of those
certificates.

Reviewed-by: Richard J. Moore
Reviewed-by: Markus Goetz
Task-number: QTBUG-18338
(cherry picked from commit 04e074e8d7c097295505e63565abdc7ca2b49f7b)

12 files changed, 213 insertions, 4 deletions

diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 9e321c97c3..8f5843271b 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
     Returns true if this certificate is valid; otherwise returns
     false.
 
-    Note: Currently, this function only checks that the current
+    Note: Currently, this function checks that the current
     data-time is within the date-time range during which the
-    certificate is considered valid. No other checks are
-    currently performed.
+    certificate is considered valid, and checks that the
+    certificate is not in a blacklist of fraudulent certificates.
 
     \sa isNull()
 */
 bool QSslCertificate::isValid() const
 {
     const QDateTime currentTime = QDateTime::currentDateTime();
-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
+    return currentTime >= d->notValidBefore &&
+            currentTime <= d->notValidAfter &&
+            ! QSslCertificatePrivate::isBlacklisted(*this);
 }
 
 /*!
@@ -793,6 +795,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
     return certificates;
 }
 
+// These certificates are known to be fraudulent and were created during the comodo
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
+static const char *certificate_blacklist[] = {
+    "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
+    "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
+    "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
+    "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
+    "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
+    "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
+    "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
+    "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
+    "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
+    0
+};
+
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
+{
+    for (int a = 0; certificate_blacklist[a] != 0; a++) {
+        if (certificate.serialNumber() == certificate_blacklist[a])
+            return true;
+    }
+    return false;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 {
diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
index bf71eb6d41..9f8f14a753 100644
--- a/src/network/ssl/qsslcertificate_p.h
+++ b/src/network/ssl/qsslcertificate_p.h
@@ -96,6 +96,7 @@ public:
     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
+    static bool isBlacklisted(const QSslCertificate &certificate);
 
     friend class QSslSocketBackendPrivate;
 
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem
new file mode 100644
index 0000000000..3945aea91e
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQBH7L6fylX3vQnq424QyuHjANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb20w
+HhcNMTEwMzI0MTMwNjI1WhcNMTEwNDIzMTMwNjI1WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAOeAGV2FbGnT4rLjTvCNEEDjj0/iIUATa6RT8WKF2PVaOzbE
+oceiODx6hTStvBnCgs+h/d3eVKgp+uAyBde5sW/HlOwHrNgKF3ZDvxegzIOEHaVI
+ndNtBpFS3UyOEkO0NxfioBatNRYpeTRU/DVmazu3yvzgrV1V2mDsrNngVWxJAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFHcF1eqRpm7B78aY8ZjseN6zSYbvMIGYBgNVHSME
+gZAwgY2AFHcF1eqRpm7B78aY8ZjseN6zSYbvoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb22CEAR+y+n8pV970J6uNuEM
+rh4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBEb1iF+EbhAJli5Sj2
++iEdJ5xMP8R6FtgqAYknqXD8+tyEyXxJXdN186qdAWuTD9N22AUqi61BPWxUkufW
+xH8FYMEHdFCkitvYE0321+GT5pJz6ON/d5Co+wusumt7T5oSjzj8Ax9V+nmo3Nkb
+dSANM4/Lnc6moijcpJZq+GC1ng==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem
new file mode 100644
index 0000000000..4b8d0599d2
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRAPXIavNhYvE6ZPVPbclYfAYwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5jb20w
+HhcNMTEwMzI0MTMwNzExWhcNMTEwNDIzMTMwNzExWjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAy1fNDFl65Njfcd1EUJeaxvyiKln+JKlqUmk1x4mrE1BQoa0C
+QZaiXAF21rDhivWejZWBiEQ4IWbg3b12ANY74G1KqAfLC4BNKS9UP94hy18vezRA
+pFc+m/HAClwc8AdACpl8eZpQW8cMgdvnMBMZTrQkgV0JYykX+uDD9Tb+QNUCAwEA
+AaOByzCByDAdBgNVHQ4EFgQUSelG6IVRj2ZQbp049zkQ0X/Po9wwgZgGA1UdIwSB
+kDCBjYAUSelG6IVRj2ZQbp049zkQ0X/Po9yhYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tghEA9chq82Fi8Tpk9U9tyVh8
+BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALQyDC/AMQMNj2fa6E8L
+umILCklWJwG1K1p/1bUAgm0CB8zm94n1xrh/ZK4+HS+k2a9OQmvLRbFyJn8Wua8p
+3UU0267UNkCanA1FKHuO3Mo18wLvjMLWjjCQ4g1C9IvJx6P+8EFDQFG+MJBV/w2k
+gJXXVl3q1T1dvahIgfav9QBL
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem
new file mode 100644
index 0000000000..e47ece60dd
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIRANdVj9r18RBbshMoK3B3KaMwDQYJKoZIhvcNAQEFBQAw
+XzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29t
+MB4XDTExMDMyNDEzMDg0MloXDTExMDQyMzEzMDg0MlowXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29tMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCosFLKRvGtxjvdAjWdEAHYycFTa4VtdpXmCNhNHf2xbeLn
+xzde10KjEe44pQxNI+UUD1rJkyuH6wUfloyefn0D2Mu+MvusmvOEzFosa4EDbK9s
+BAAlsSiyJgrp/GgbEPq/XOl4XJRBIVP1WC6LllduNbskFCipDqS+HQwifXmmwQID
+AQABo4HMMIHJMB0GA1UdDgQWBBSEgWnsoYtd5GEx/MGJvKxuIuROJzCBmQYDVR0j
+BIGRMIGOgBSEgWnsoYtd5GEx/MGJvKxuIuROJ6FjpGEwXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29tghEA11WP2vXxEFuyEygr
+cHcpozAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKNpIrzTOxIykKZt
+EE6HU2nW1lrWUkIMjwjL8ntw7QI4JLMDN1ADVIxWaGTeQ+U/eXFou6dDNAYVAijK
+ONDXgOItxW2YvSw0wOZsZj6INX2x88/0yRH+19TqaL/r+Y1D1h/0zefkHgfXufnY
+Ex7BHju/rGBTp6R1mr+Tlh1tewva
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem
new file mode 100644
index 0000000000..64c7d41516
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQOSpDTw4H3x+KowXeNODCKTANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20w
+HhcNMTEwMzI0MTMwOTE1WhcNMTEwNDIzMTMwOTE1WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANO2gz9x2H92xz5OvZSEul9gHxqqd+kdjeoS2exyvjC9wzqb
+gYXqNmAsbtNp4WmieEQFd0riCAEkIAn8JpHTCsMHN4rHhS+W+4D5a/drI2jfnZEF
+orNYJG1PHSQV/rvh6d7wkVdT+0SYOjrFTAA2biGWaK3W9ztf2yX577w+uQtBAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFJjDp8Prs7oReRmskIeFixp0vDkGMIGYBgNVHSME
+gZAwgY2AFJjDp8Prs7oReRmskIeFixp0vDkGoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb22CEDkqQ08OB98fiqMF3jTg
+wikwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAZyo0Q3leeM1+lxeCd
+Wp0ZYHMSW11ANc6nuMWOmJC+nIQGlyGiP3IqeUvIfekwboV638bahVPwcl2HYWsS
+/l01Bgyd25Zn6VTQBfMK01dILyxscjVwdHuojzYBN05sl+qkVoqQr5EroQQbgDc9
+6I88p6Kjajv3IusCwfK6wlqISw==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem
new file mode 100644
index 0000000000..c7ddbf2839
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQPnXO1GtpMCEhiDCuhqgqcTANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20w
+HhcNMTEwMzI0MTMwOTQ4WhcNMTEwNDIzMTMwOTQ4WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALkiHG9TgTw/00CMW8D23NBDAa3331AL5kTkAaXbAWg2R/1o
+yKQfXq3hgHbyWGPccUT+tU6FmaBf3bIndLK7iGx81RGzGgXeoQ5mpgnJ50iCeW73
+G99VlVwutPia7d9qqui84YdcG9t+P2Fuxv+xRqAB6lKOaa4qTPIbH50PgwOvAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFBWJrs8bnZ5fikfaLbTxK0ssj69MMIGYBgNVHSME
+gZAwgY2AFBWJrs8bnZ5fikfaLbTxK0ssj69MoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb22CED51ztRraTAhIYgwroao
+KnEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCIfqqs1a7RzdmV8U00
+v/xAsxscKvQvmu6BK+HwvY5iL2pSwXTYgRLJLoj5QGOd3mmgOFsyW3BPSCP1+fVE
+M1ROhU2u8wHub+hGGds18Fx6F4yZjdh8pNUoOUR9A0Ym+VDJr2p50oUNTTy0RbH8
+9ns/gbemx84cjF9DD2G5stQhYg==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem
new file mode 100644
index 0000000000..bc2be2adcf
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIRAOkCi5V45BXcGnEKK4gVREcwDQYJKoZIhvcNAQEFBQAw
+XzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29t
+MB4XDTExMDMyNDEzMTAxNloXDTExMDQyMzEzMTAxNlowXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29tMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDFq06qqRl86pP7GRX3m7FMMSaSU6zlNGAo+WPoRfYAzB6x
+5KpvlfxMCo3T/nWtInX3Bw9TBWCZSweQ2GEjggO0irjw5UX3MiToLxK+rwzWztm9
+H3LBxTWR0cOOa78kRFvNQ1onvNHbs8fJzXjG7b2IJDOIwG1HAT1LK80oPXZc1wID
+AQABo4HMMIHJMB0GA1UdDgQWBBTiGNxw0ImW/wfW0mD3eA65PY5CAzCBmQYDVR0j
+BIGRMIGOgBTiGNxw0ImW/wfW0mD3eA65PY5CA6FjpGEwXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29tghEA6QKLlXjkFdwacQor
+iBVERzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHdb1QY/oxuro/4x
+GX9jbm930ysoeXkWZSKVtVxoxrPIferu8jVpb1SLRjGcMnmjJoNWNFpvnbZgoYei
+f3wdSWun7ndyQBh61k8eM7UABDOUXUHOsHuHj7s1koMKtet4gykmMfd6VxBkwBvN
+ZXOll4X+TKe8nrxbnGUByIwQaRM+
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem
new file mode 100644
index 0000000000..19d4353fab
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGjCCAoOgAwIBAgIRAJI51TSPQNFpWnRUcOHyP0MwDQYJKoZIhvcNAQEFBQAw
+YjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEu
+b3JnMB4XDTExMDMyNDEzMTA0NFoXDTExMDQyMzEzMTA0NFowYjELMAkGA1UEBhMC
+QVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEub3JnMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC1lsoAcZTwF8Pf0E9do5avLdobB/O7EhhrCMs2
+/EMO07aIlrLwl3UP/Fmu/cAkKuX8Mx+Eif9x+XT3ZqGKGYKiqPTJcNfeZvgwbn0j
+wXDtEo4DuURrwtBU9okS+v4dF6F4RtHQKAGcsXoOjhR7ah71kve+PG2GG0sJ167V
+klK1xwIDAQABo4HPMIHMMB0GA1UdDgQWBBRgGDJ4Qp0WFyLIzm4Nz5wgqDSSxjCB
+nAYDVR0jBIGUMIGRgBRgGDJ4Qp0WFyLIzm4Nz5wgqDSSxqFmpGQwYjELMAkGA1UE
+BhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp
+ZGdpdHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEub3JnghEAkjnV
+NI9A0WladFRw4fI/QzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACeE
+DHMQ+LWEuoa/6z2EgrgM1k9rvBbUtCR+rjTuyzVW4OLXdpiVwZPOAiKphpq7q8Sb
+TQ3zwsCoPLLJk5VolwcPfcD8Y2/tYK3NCYl+HzGxxnzPDFVaZM5Jh8RI861Hc00D
+hVoQaptPK/V/lr0KEevqjhusAdFZbwlWA923zASa
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem
new file mode 100644
index 0000000000..aedf3f7010
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRALC3Ez7Qlvm1b66RyHS9OsAwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMObG9naW4ubGl2ZS5jb20w
+HhcNMTEwMzI0MTMxMTA2WhcNMTEwNDIzMTMxMTA2WjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw5sb2dpbi5saXZlLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA3OVNj9ijzMewvDeZYzgCWoKtyjclyIHxrQfHZpcexaKbxUap
+1MtF6L0ayjtRWpiBYuPteUSy/Ja4Oh6zZz8K6z5rVgXhmy3xPIYuOoWaTKEOhb0Z
+oHTBtGh8aWWai1XWw37HIm2FP8cmfgdH4lZwVvpTZIUxYidsyqyjB9IrhiMCAwEA
+AaOByzCByDAdBgNVHQ4EFgQU4CcQcIvEhJC0tqHlNFMkv6MlDN4wgZgGA1UdIwSB
+kDCBjYAU4CcQcIvEhJC0tqHlNFMkv6MlDN6hYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDmxvZ2luLmxpdmUuY29tghEAsLcTPtCW+bVvrpHIdL06
+wDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMNzIStXDNSNQ8ayxrcj
+4RrUMsHWUG/6XPrgfYqCP5TfPGAa5qBfNb9LfUbiS4b0flJVN1RlHVwwRo0yf9v4
+LGg0dSuPQAOWlLeUR1GminO1jHZw7E4dYfR7QEmiiOgaQU+CbxLsf5vCaKInN9Gu
+jv/5xytVCbMoLoZ4EBVb0tka
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem
new file mode 100644
index 0000000000..d179b29288
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRANjzX063hystqwaS4xU4L7AwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOZ2xvYmFsIHRydXN0ZWUw
+HhcNMTEwMzI0MTMxMTM3WhcNMTEwNDIzMTMxMTM3WjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw5nbG9iYWwgdHJ1c3RlZTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEArHCVym7AEZDBhDkrUSG3Q94a+caNcCk5fE6ltZHiZHv096xr
+cixHYvSGvms780bkI+oot2xI/e9awwkV+7VjWNvr0HrajzBWeimwk+myjP+3ddMY
+Kmr0eI6bmvmPHtOFJE5Ar8/62FwD0wlLogRIx56JtXcCpkiUQktJVPz2gtMCAwEA
+AaOByzCByDAdBgNVHQ4EFgQUUJwC/qSGBmcB+DVrd43ovRLdLmQwgZgGA1UdIwSB
+kDCBjYAUUJwC/qSGBmcB+DVrd43ovRLdLmShYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDmdsb2JhbCB0cnVzdGVlghEA2PNfTreHKy2rBpLjFTgv
+sDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACAYxI+r3+JNelL6SBB0
+Pda3LkbCm+schP64NBYDdGl2Kus2b2QZ83T7xENBFEhyNoXvc6pRI4/Oh6JDxmG1
+7WmqOVStS/4JeAu6ygiyI1ImRKq2/MvJx/kaKh6IiXanB5nW1U+fhDV6kMOEfpwV
+i6FBibpHboPQoqzPPRe7qHSL
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
index 201c0d46c8..339c48ac90 100644
--- a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
+++ b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
@@ -111,6 +111,8 @@ private slots:
     void nulInSan();
     void largeSerialNumber();
     void largeExpirationDate();
+    void blacklistedCertificates();
+
 // ### add tests for certificate bundles (multiple certificates concatenated into a single
 //     structure); both PEM and DER formatted
 #endif
@@ -814,6 +816,15 @@ void tst_QSslCertificate::largeExpirationDate() // QTBUG-12489
     QCOMPARE(cert.expiryDate().toUTC(), QDateTime(QDate(2051, 8, 29), QTime(9, 53, 41), Qt::UTC));
 }
 
+void tst_QSslCertificate::blacklistedCertificates()
+{
+    QList<QSslCertificate> blacklistedCerts = QSslCertificate::fromPath(SRCDIR "more-certificates/blacklisted*.pem", QSsl::Pem, QRegExp::Wildcard);
+    QVERIFY(blacklistedCerts.count() > 0);
+    for (int a = 0; a < blacklistedCerts.count(); a++) {
+        QVERIFY(! blacklistedCerts.at(a).isValid());
+    }
+}
+
 #endif // QT_NO_OPENSSL
 
 QTEST_MAIN(tst_QSslCertificate)