ssl: Add common key parser for backends

This internal implementation of QSslKey can be used when OpenSSL is not available. Encrypted keys are not supported, as the cryptography must be supplied by a separate library. With this commit, WinRT is migrated to the new implementation, but qsslkey_winrt.cpp is left in place so that the missing crypto implementation can be added later. This also means most of the expected failures for that platform can be removed from the autotest. Change-Id: I24a3ad1053bb72311613b28b3ae845aa1645a321 Reviewed-by: Andrew Knight <andrew.knight@digia.com> Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com> Reviewed-by: Richard J. Moore <rich@kde.org>
author: Jeremy Lainé <jeremy.laine@m4x.org> 2014-08-28 23:56:03 +0200
committer: Jeremy Lainé <jeremy.laine@m4x.org> 2014-08-29 23:18:22 +0200
commit: 6a4cb8d62b9ba68666e6d89f101a571da18432cb (patch)
tree: 8358e64d66d90cabc2998ac1836ba0c830f31829
parent: def5a56b0316edcf95693c86e86b80b338fbbba4 (diff)
6 files changed, 217 insertions, 166 deletions
diff --git a/src/network/ssl/qsslkey_p.cpp b/src/network/ssl/qsslkey_p.cpp
index 37936fad10..40e9231177 100644
--- a/src/network/ssl/qsslkey_p.cpp
+++ b/src/network/ssl/qsslkey_p.cpp
@@ -228,7 +228,11 @@ QSslKey::QSslKey(QIODevice *device, QSsl::KeyAlgorithm algorithm, QSsl::Encoding
 QSslKey::QSslKey(Qt::HANDLE handle, QSsl::KeyType type)
     : d(new QSslKeyPrivate)
 {
+#ifndef QT_NO_OPENSSL
     d->opaque = reinterpret_cast<EVP_PKEY *>(handle);
+#else
+    d->opaque = handle;
+#endif
     d->algorithm = QSsl::Opaque;
     d->type = type;
     d->isNull = !d->opaque;
@@ -323,7 +327,15 @@ QByteArray QSslKey::toDer(const QByteArray &passPhrase) const
     if (d->isNull || d->algorithm == QSsl::Opaque)
         return QByteArray();
 
+#ifndef QT_NO_OPENSSL
     return d->derFromPem(toPem(passPhrase));
+#else
+    // Encrypted DER is nonsense, see QTBUG-41038.
+    if (d->type == QSsl::PrivateKey && !passPhrase.isEmpty())
+        return QByteArray();
+
+    return d->derData;
+#endif
 }
 
 /*!
diff --git a/src/network/ssl/qsslkey_p.h b/src/network/ssl/qsslkey_p.h
index e12bbadc06..64a157ba09 100644
--- a/src/network/ssl/qsslkey_p.h
+++ b/src/network/ssl/qsslkey_p.h
@@ -61,10 +61,6 @@
 #ifndef QT_NO_OPENSSL
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
-#else
-struct RSA;
-struct DSA;
-struct EVP_PKEY;
 #endif
 
 QT_BEGIN_NAMESPACE
@@ -73,9 +69,11 @@ class QSslKeyPrivate
 {
 public:
     inline QSslKeyPrivate()
-        : rsa(0)
+        : opaque(0)
+#ifndef QT_NO_OPENSSL
+        , rsa(0)
         , dsa(0)
-        , opaque(0)
+#endif
     {
         clear();
     }
@@ -85,7 +83,9 @@ public:
 
     void clear(bool deep = true);
 
+#ifndef QT_NO_OPENSSL
     bool fromEVP_PKEY(EVP_PKEY *pkey);
+#endif
     void decodeDer(const QByteArray &der, const QByteArray &passPhrase,
                    bool deepClear = true);
     void decodePem(const QByteArray &pem, const QByteArray &passPhrase,
@@ -102,9 +102,15 @@ public:
     bool isNull;
     QSsl::KeyType type;
     QSsl::KeyAlgorithm algorithm;
+#ifndef QT_NO_OPENSSL
+    EVP_PKEY *opaque;
     RSA *rsa;
     DSA *dsa;
-    EVP_PKEY *opaque;
+#else
+    Qt::HANDLE opaque;
+    QByteArray derData;
+    int keyLength;
+#endif
 
     QAtomicInt ref;
 
diff --git a/src/network/ssl/qsslkey_qt.cpp b/src/network/ssl/qsslkey_qt.cpp
new file mode 100644
index 0000000000..1e60476601
--- /dev/null
+++ b/src/network/ssl/qsslkey_qt.cpp
@@ -0,0 +1,185 @@
+/****************************************************************************
+**
+** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+#include "qsslkey.h"
+#include "qsslkey_p.h"
+#include "qasn1element_p.h"
+
+QT_USE_NAMESPACE
+
+static const quint8 bits_table[256] = {
+    0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
+    5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
+    6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
+    6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
+    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+};
+
+static int numberOfBits(const QByteArray &modulus)
+{
+    int bits = modulus.size() * 8;
+    for (int i = 0; i < modulus.size(); ++i) {
+        quint8 b = modulus[i];
+        bits -= 8;
+        if (b != 0) {
+            bits += bits_table[b];
+            break;
+        }
+    }
+    return bits;
+}
+
+void QSslKeyPrivate::clear(bool deep)
+{
+    Q_UNUSED(deep);
+    isNull = true;
+    derData.clear();
+    keyLength = -1;
+}
+
+void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase,
+                               bool deepClear)
+{
+    clear(deepClear);
+
+    if (der.isEmpty())
+        return;
+
+    if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) {
+        Q_UNIMPLEMENTED();
+        return;
+    }
+
+    QAsn1Element elem;
+    if (!elem.read(der) || elem.type() != QAsn1Element::SequenceType)
+        return;
+
+    if (type == QSsl::PublicKey) {
+        // key info
+        QDataStream keyStream(elem.value());
+        if (!elem.read(keyStream) || elem.type() != QAsn1Element::SequenceType)
+            return;
+        QVector<QAsn1Element> infoItems = elem.toVector();
+        if (infoItems.size() < 2 || infoItems[0].type() != QAsn1Element::ObjectIdentifierType)
+            return;
+        if (algorithm == QSsl::Rsa) {
+            if (infoItems[0].toObjectId() != "1.2.840.113549.1.1.1")
+                return;
+            // key data
+            if (!elem.read(keyStream) || elem.type() != QAsn1Element::BitStringType || elem.value().isEmpty())
+                return;
+            if (!elem.read(elem.value().mid(1)) || elem.type() != QAsn1Element::SequenceType)
+                return;
+            if (!elem.read(elem.value()) || elem.type() != QAsn1Element::IntegerType)
+                return;
+            keyLength = numberOfBits(elem.value());
+        } else if (algorithm == QSsl::Dsa) {
+            if (infoItems[0].toObjectId() != "1.2.840.10040.4.1")
+                return;
+            if (infoItems[1].type() != QAsn1Element::SequenceType)
+                return;
+            // key params
+            QVector<QAsn1Element> params = infoItems[1].toVector();
+            if (params.isEmpty() || params[0].type() != QAsn1Element::IntegerType)
+                return;
+            keyLength = numberOfBits(params[0].value());
+        }
+
+    } else {
+        QVector<QAsn1Element> items = elem.toVector();
+        if (items.isEmpty())
+            return;
+
+        // version
+        if (items[0].type() != QAsn1Element::IntegerType || items[0].value().toHex() != "00")
+            return;
+
+        if (algorithm == QSsl::Rsa) {
+            if (items.size() != 9 || items[1].type() != QAsn1Element::IntegerType)
+                return;
+            keyLength = numberOfBits(items[1].value());
+        } else if (algorithm == QSsl::Dsa) {
+            if (items.size() != 6 || items[1].type() != QAsn1Element::IntegerType)
+                return;
+            keyLength = numberOfBits(items[1].value());
+        }
+    }
+
+    derData = der;
+    isNull = false;
+}
+
+void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase,
+                               bool deepClear)
+{
+    decodeDer(derFromPem(pem), passPhrase, deepClear);
+}
+
+int QSslKeyPrivate::length() const
+{
+    return keyLength;
+}
+
+QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const
+{
+    if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) {
+        Q_UNIMPLEMENTED();
+        return QByteArray();
+    }
+
+    return pemFromDer(derData);
+}
+
+Qt::HANDLE QSslKeyPrivate::handle() const
+{
+    return opaque;
+}
diff --git a/src/network/ssl/qsslkey_winrt.cpp b/src/network/ssl/qsslkey_winrt.cpp
index 1c625081a4..c1dc7890f7 100644
--- a/src/network/ssl/qsslkey_winrt.cpp
+++ b/src/network/ssl/qsslkey_winrt.cpp
@@ -59,136 +59,4 @@ using namespace ABI::Windows::Security::Cryptography::Certificates;
 using namespace ABI::Windows::Security::Cryptography::Core;
 using namespace ABI::Windows::Storage::Streams;
 
-QT_BEGIN_NAMESPACE
-
-struct SslKeyGlobal
-{
-    SslKeyGlobal()
-    {
-        HRESULT hr;
-        hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_CryptographicBuffer).Get(),
-                                  &bufferFactory);
-        Q_ASSERT_SUCCEEDED(hr);
-
-        ComPtr<IAsymmetricKeyAlgorithmProviderStatics> keyProviderFactory;
-        hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricKeyAlgorithmProvider).Get(),
-                                  &keyProviderFactory);
-        Q_ASSERT_SUCCEEDED(hr);
-
-        ComPtr<IAsymmetricAlgorithmNamesStatics> algorithmNames;
-        hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricAlgorithmNames).Get(),
-                                  &algorithmNames);
-        Q_ASSERT_SUCCEEDED(hr);
-
-        HString algorithmName;
-        // The algorithm name doesn't matter for imports, so just use PKCS1
-        hr = algorithmNames->get_RsaPkcs1(algorithmName.GetAddressOf());
-        Q_ASSERT_SUCCEEDED(hr);
-        hr = keyProviderFactory->OpenAlgorithm(algorithmName.Get(), &keyProvider);
-        Q_ASSERT_SUCCEEDED(hr);
-    }
-
-    ComPtr<ICryptographicBufferStatics> bufferFactory;
-    ComPtr<IAsymmetricKeyAlgorithmProvider> keyProvider;
-};
-Q_GLOBAL_STATIC(SslKeyGlobal, g)
-
-// Use the opaque struct for key storage
-struct EVP_PKEY {
-    ComPtr<ICryptographicKey> key;
-};
-
-void QSslKeyPrivate::clear(bool deep)
-{
-    isNull = true;
-
-    if (opaque) {
-        if (deep) {
-            delete opaque;
-            opaque = 0;
-        } else {
-            opaque->key.Reset();
-        }
-    }
-}
-
-void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase,
-                               bool deepClear)
-{
-    Q_UNUSED(passPhrase);
-
-    clear(deepClear);
-
-    if (der.isEmpty())
-        return;
-
-    if (type != QSsl::PublicKey) {
-        qWarning("The WinRT SSL backend does not support importing private keys.");
-        return;
-    }
-
-    HRESULT hr;
-    ComPtr<IBuffer> buffer;
-    hr = g->bufferFactory->CreateFromByteArray(der.length(), (BYTE *)der.data(), &buffer);
-    Q_ASSERT_SUCCEEDED(hr);
-
-    if (!opaque)
-        opaque = new EVP_PKEY;
-
-    hr = g->keyProvider->ImportDefaultPublicKeyBlob(buffer.Get(), &opaque->key);
-    RETURN_VOID_IF_FAILED("Failed to import public key");
-
-    isNull = false;
-}
-
-void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase,
-                               bool deepClear)
-{
-    decodeDer(derFromPem(pem), passPhrase, deepClear);
-}
-
-int QSslKeyPrivate::length() const
-{
-    if (isNull)
-        return -1;
-
-    Q_ASSERT(opaque && opaque->key);
-    HRESULT hr;
-    UINT32 keySize;
-    hr = opaque->key->get_KeySize(&keySize);
-    Q_ASSERT_SUCCEEDED(hr);
-    return keySize;
-}
-
-QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const
-{
-    Q_UNUSED(passPhrase);
-    QByteArray result;
-    if (isNull)
-        return result;
-
-    Q_ASSERT(opaque && opaque->key);
-    HRESULT hr;
-    ComPtr<IBuffer> buffer;
-    hr = opaque->key->ExportDefaultPublicKeyBlobType(&buffer);
-    RETURN_IF_FAILED("Failed to export key", return result);
-
-    ComPtr<Windows::Storage::Streams::IBufferByteAccess> byteAccess;
-    hr = buffer.As(&byteAccess);
-    Q_ASSERT_SUCCEEDED(hr);
-    char *data;
-    hr = byteAccess->Buffer(reinterpret_cast<byte **>(&data));
-    Q_ASSERT_SUCCEEDED(hr);
-    UINT32 size;
-    hr = buffer->get_Length(&size);
-    Q_ASSERT_SUCCEEDED(hr);
-    result = pemFromDer(QByteArray::fromRawData(data, size));
-    return result;
-}
-
-Qt::HANDLE QSslKeyPrivate::handle() const
-{
-    return opaque ? opaque->key.Get() : 0;
-}
-
-QT_END_NAMESPACE
+QT_USE_NAMESPACE
diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri
index e71028b778..ad14b99423 100644
--- a/src/network/ssl/ssl.pri
+++ b/src/network/ssl/ssl.pri
@@ -28,6 +28,7 @@ contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, op
     winrt {
         HEADERS += ssl/qsslsocket_winrt_p.h
         SOURCES += ssl/qsslcertificate_qt.cpp \
+                   ssl/qsslkey_qt.cpp \
                    ssl/qsslkey_winrt.cpp \
                    ssl/qsslsocket_winrt.cpp
     }
diff --git a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
index f7b9bcba62..445fdc7df4 100644
--- a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
+++ b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
@@ -47,14 +47,6 @@
 #include <QtNetwork/qhostaddress.h>
 #include <QtNetwork/qnetworkproxy.h>
 
-#ifdef Q_OS_WINRT
-#define WINRT_EXPECT_FAILURES \
-    if (type == QSsl::PrivateKey) \
-        QEXPECT_FAIL("", "No support for private keys on WinRT: QTBUG-40688", Abort); \
-    if (strstr(QTest::currentDataTag(), "rsa-pub-40")) \
-        QEXPECT_FAIL("", "Weak public keys are not supported on WinRT", Abort);
-#endif
-
 class tst_QSslKey : public QObject
 {
     Q_OBJECT
@@ -179,10 +171,6 @@ void tst_QSslKey::constructor()
     QFETCH(QSsl::KeyType, type);
     QFETCH(QSsl::EncodingFormat, format);
 
-#ifdef Q_OS_WINRT
-    WINRT_EXPECT_FAILURES
-#endif
-
     QByteArray encoded = readFile(absFilePath);
     QSslKey key(encoded, algorithm, format, type);
     QVERIFY(!key.isNull());
@@ -244,10 +232,6 @@ void tst_QSslKey::length()
     QFETCH(int, length);
     QFETCH(QSsl::EncodingFormat, format);
 
-#ifdef Q_OS_WINRT
-    WINRT_EXPECT_FAILURES
-#endif
-
     QByteArray encoded = readFile(absFilePath);
     QSslKey key(encoded, algorithm, format, type);
     QVERIFY(!key.isNull());
@@ -269,10 +253,6 @@ void tst_QSslKey::toPemOrDer()
     QFETCH(QSsl::KeyType, type);
     QFETCH(QSsl::EncodingFormat, format);
 
-#ifdef Q_OS_WINRT
-    WINRT_EXPECT_FAILURES
-#endif
-
     QByteArray encoded = readFile(absFilePath);
     QSslKey key(encoded, algorithm, format, type);
     QVERIFY(!key.isNull());
@@ -317,10 +297,6 @@ void tst_QSslKey::toEncryptedPemOrDer()
     QFETCH(QSsl::EncodingFormat, format);
     QFETCH(QString, password);
 
-#ifdef Q_OS_WINRT
-    WINRT_EXPECT_FAILURES
-#endif
-
     QByteArray plain = readFile(absFilePath);
     QSslKey key(plain, algorithm, format, type);
     QVERIFY(!key.isNull());
@@ -328,6 +304,9 @@ void tst_QSslKey::toEncryptedPemOrDer()
     QByteArray pwBytes(password.toLatin1());
 
     if (type == QSsl::PrivateKey) {
+#ifdef QT_NO_OPENSSL
+        QSKIP("Encrypted keys require support from the SSL backend");
+#endif
         QByteArray encryptedPem = key.toPem(pwBytes);
         QVERIFY(!encryptedPem.isEmpty());
         QSslKey keyPem(encryptedPem, algorithm, QSsl::Pem, type, pwBytes);
@@ -398,8 +377,8 @@ void tst_QSslKey::passphraseChecks()
             QSslKey key(&keyFile,QSsl::Rsa,QSsl::Pem, QSsl::PrivateKey, "WRONG!");
             QVERIFY(key.isNull()); // wrong passphrase => should not be able to decode key
         }
-#ifdef Q_OS_WINRT
-        QEXPECT_FAIL("", "The WinRT backend does not support private key imports: QTBUG-40688", Abort);
+#ifdef QT_NO_OPENSSL
+        QEXPECT_FAIL("", "Encrypted keys require support from the SSL backend", Abort);
 #endif
         {
             if (!keyFile.isOpen())
author	Jeremy Lainé <jeremy.laine@m4x.org>	2014-08-28 23:56:03 +0200
committer	Jeremy Lainé <jeremy.laine@m4x.org>	2014-08-29 23:18:22 +0200
commit	6a4cb8d62b9ba68666e6d89f101a571da18432cb (patch)
tree	8358e64d66d90cabc2998ac1836ba0c830f31829
parent	def5a56b0316edcf95693c86e86b80b338fbbba4 (diff)