authorTimur Pocheptsov <timur.pocheptsov@qt.io>2020-06-15 16:23:28 +0200
committerTimur Pocheptsov <timur.pocheptsov@qt.io>2020-06-22 12:11:47 +0200
commitc2bf56fc3a65cbd6a2a94234a87d8ede4003efe6 (patch)
tree8e701d0c1b00f1b761e547919a1a1cc06677aaf9
parent29d3e7ce38abd09c85d9b28fbc2f89a16fb155c2 (diff)
QSslSocket: remove certificate-related setters
They were deprecated with replacements in QSslConfiguration proposed (and some without alternative, which we'll provide if there is any demand for such an API). Special thanks to M.N. for a nice hint on how to amend the test without introducing a new API. Change-Id: I7841a5b3f30469d8204b61cb65921c34275e0650 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
-rw-r--r--src/network/ssl/qsslsocket.cpp188
-rw-r--r--src/network/ssl/qsslsocket.h19
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp4
-rw-r--r--tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp15
-rw-r--r--tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp2
5 files changed, 14 insertions, 214 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index ab1f2b0dc8..188473912c 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1378,194 +1378,6 @@ QSslKey QSslSocket::privateKey() const
}
/*!
- \deprecated
-
- Use QSslConfiguration::addCaCertificate() instead.
-
- Adds the \a certificate to this socket's CA certificate database.
- The CA certificate database is used by the socket during the
- handshake phase to validate the peer's certificate.
-
- To add multiple certificates, use addCaCertificates().
-
- \sa QSslConfiguration::caCertificates(),
- QSslConfiguration::setCaCertificates()
-*/
-void QSslSocket::addCaCertificate(const QSslCertificate &certificate)
-{
- Q_D(QSslSocket);
- d->configuration.caCertificates += certificate;
-}
-
-/*!
- \deprecated
-
- Use QSslConfiguration::addCaCertificates() instead.
-
- Adds the \a certificates to this socket's CA certificate database.
- The CA certificate database is used by the socket during the
- handshake phase to validate the peer's certificate.
-
- For more precise control, use addCaCertificate().
-
- \sa QSslConfiguration::caCertificates(), addDefaultCaCertificate()
-*/
-void QSslSocket::addCaCertificates(const QList<QSslCertificate> &certificates)
-{
- Q_D(QSslSocket);
- d->configuration.caCertificates += certificates;
-}
-
-#if QT_DEPRECATED_SINCE(5, 5)
-/*!
- \deprecated
-
- Use QSslConfiguration::setCaCertificates() instead.
-
- Sets this socket's CA certificate database to be \a certificates.
- The certificate database must be set prior to the SSL handshake.
- The CA certificate database is used by the socket during the
- handshake phase to validate the peer's certificate.
-
- The CA certificate database can be reset to the current default CA
- certificate database by calling this function with the list of CA
- certificates returned by defaultCaCertificates().
-
- \sa defaultCaCertificates()
-*/
-void QSslSocket::setCaCertificates(const QList<QSslCertificate> &certificates)
-{
- Q_D(QSslSocket);
- d->configuration.caCertificates = certificates;
- d->allowRootCertOnDemandLoading = false;
-}
-
-/*!
- \deprecated
-
- Use QSslConfiguration::caCertificates() instead.
-
- Returns this socket's CA certificate database. The CA certificate
- database is used by the socket during the handshake phase to
- validate the peer's certificate. It can be moodified prior to the
- handshake with addCaCertificate(), addCaCertificates(), and
- setCaCertificates().
-
- \note On Unix, this method may return an empty list if the root
- certificates are loaded on demand.
-
- \sa addCaCertificate(), addCaCertificates(), setCaCertificates()
-*/
-QList<QSslCertificate> QSslSocket::caCertificates() const
-{
- Q_D(const QSslSocket);
- return d->configuration.caCertificates;
-}
-#endif // #if QT_DEPRECATED_SINCE(5, 5)
-
-/*!
- \deprecated
-
- Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead.
-
- Adds \a certificate to the default CA certificate database. Each
- SSL socket's CA certificate database is initialized to the default
- CA certificate database.
-
- \sa QSslConfiguration::addCaCertificates()
-*/
-void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
-{
- QSslSocketPrivate::addDefaultCaCertificate(certificate);
-}
-
-/*!
- \deprecated
-
- Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead.
-
- Adds \a certificates to the default CA certificate database. Each
- SSL socket's CA certificate database is initialized to the default
- CA certificate database.
-
- \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates()
-*/
-void QSslSocket::addDefaultCaCertificates(const QList<QSslCertificate> &certificates)
-{
- QSslSocketPrivate::addDefaultCaCertificates(certificates);
-}
-
-#if QT_DEPRECATED_SINCE(5, 5)
-/*!
- \deprecated
-
- Use QSslConfiguration::setCaCertificates() on the default QSslConfiguration instead.
-
- Sets the default CA certificate database to \a certificates. The
- default CA certificate database is originally set to your system's
- default CA certificate database. You can override the default CA
- certificate database with your own CA certificate database using
- this function.
-
- Each SSL socket's CA certificate database is initialized to the
- default CA certificate database.
-
- \sa addDefaultCaCertificate()
-*/
-void QSslSocket::setDefaultCaCertificates(const QList<QSslCertificate> &certificates)
-{
- QSslSocketPrivate::setDefaultCaCertificates(certificates);
-}
-
-/*!
- \deprecated
-
- Use QSslConfiguration::caCertificates() on the default QSslConfiguration instead.
-
- Returns the current default CA certificate database. This database
- is originally set to your system's default CA certificate database.
- If no system default database is found, an empty database will be
- returned. You can override the default CA certificate database
- with your own CA certificate database using setDefaultCaCertificates().
-
- Each SSL socket's CA certificate database is initialized to the
- default CA certificate database.
-
- \note On Unix, this method may return an empty list if the root
- certificates are loaded on demand.
-
- \sa caCertificates()
-*/
-QList<QSslCertificate> QSslSocket::defaultCaCertificates()
-{
- return QSslSocketPrivate::defaultCaCertificates();
-}
-
-/*!
- \deprecated
-
- Use QSslConfiguration::systemDefaultCaCertificates instead.
-
- This function provides the CA certificate database
- provided by the operating system. The CA certificate database
- returned by this function is used to initialize the database
- returned by defaultCaCertificates(). You can replace that database
- with your own with setDefaultCaCertificates().
-
- \note: On OS X, only certificates that are either trusted for all
- purposes or trusted for the purpose of SSL in the keychain will be
- returned.
-
- \sa caCertificates(), defaultCaCertificates(), setDefaultCaCertificates()
-*/
-QList<QSslCertificate> QSslSocket::systemCaCertificates()
-{
- // we are calling ensureInitialized() in the method below
- return QSslSocketPrivate::systemCaCertificates();
-}
-#endif // #if QT_DEPRECATED_SINCE(5, 5)
-
-/*!
Waits until the socket is connected, or \a msecs milliseconds,
whichever happens first. If the connection has been established,
this function returns \c true; otherwise it returns \c false.
diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h
index a091828638..d7a4fbe070 100644
--- a/src/network/ssl/qsslsocket.h
+++ b/src/network/ssl/qsslsocket.h
@@ -196,25 +196,6 @@ public:
const QByteArray &passPhrase = QByteArray());
QSslKey privateKey() const;
- // CA settings.
-#if QT_DEPRECATED_SINCE(5, 15)
- QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificate()") void addCaCertificate(const QSslCertificate &certificate);
- QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") void addCaCertificates(const QList<QSslCertificate> &certificates);
-#endif // QT_DEPRECATED_SINCE(5, 15)
-#if QT_DEPRECATED_SINCE(5, 5)
- QT_DEPRECATED_X("Use QSslConfiguration::setCaCertificates()") void setCaCertificates(const QList<QSslCertificate> &certificates);
- QT_DEPRECATED_X("Use QSslConfiguration::caCertificates()") QList<QSslCertificate> caCertificates() const;
-#endif // QT_DEPRECATED_SINCE(5, 5)
-#if QT_DEPRECATED_SINCE(5, 15)
- QT_DEPRECATED static void addDefaultCaCertificate(const QSslCertificate &certificate);
- QT_DEPRECATED static void addDefaultCaCertificates(const QList<QSslCertificate> &certificates);
-#endif // QT_DEPRECATED_SINCE(5, 15)
-#if QT_DEPRECATED_SINCE(5, 5)
- QT_DEPRECATED static void setDefaultCaCertificates(const QList<QSslCertificate> &certificates);
- QT_DEPRECATED static QList<QSslCertificate> defaultCaCertificates();
- QT_DEPRECATED_X("Use QSslConfiguration::systemCaCertificates()") static QList<QSslCertificate> systemCaCertificates();
-#endif // QT_DEPRECATED_SINCE(5, 5)
-
bool waitForConnected(int msecs = 30000) override;
bool waitForEncrypted(int msecs = 30000);
bool waitForReadyRead(int msecs = 30000) override;
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index ea59063e72..cf10001050 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1752,7 +1752,9 @@ void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertifi
if (!trustedRoot.isNull() && !trustedRoot.isBlacklisted()) {
if (s_loadRootCertsOnDemand) {
//Add the new root cert to default cert list for use by future sockets
- QSslSocket::addDefaultCaCertificate(trustedRoot);
+ auto defaultConfig = QSslConfiguration::defaultConfiguration();
+ defaultConfig.addCaCertificate(trustedRoot);
+ QSslConfiguration::setDefaultConfiguration(defaultConfig);
}
//Add the new root cert to this socket for future connections
if (!configuration.caCertificates.contains(trustedRoot))
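Review bot: The three added lines in `_q_caRootLoaded` update the process-wide default trust configuration as a separate read, modify and write, so two sockets finishing on-demand root loading on different threads, or an application thread calling `setDefaultConfiguration()` in between, can have their change overwritten by a stale snapshot; whether the getter and setter lock individually is not visible here, but nothing in the hunk holds a lock across all three steps. The removed public wrapper only forwarded to `QSslSocketPrivate::addDefaultCaCertificate(certificate)`, and if that private helper still exists after this commit, calling it directly (`QSslSocketPrivate::addDefaultCaCertificate(trustedRoot);`) would keep the update in a single call. The default-list path also has no duplicate check, unlike the per-socket path just below (`if (!configuration.caCertificates.contains(trustedRoot))`), so guarding it with `if (!defaultConfig.caCertificates().contains(trustedRoot))` would stop the list growing on repeated loads. The function body starts and ends outside the hunk.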
diff --git a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
index 329e3e367d..ee2b05aada 100644
--- a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
+++ b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
@@ -32,6 +32,7 @@
#include <qsslkey.h>
#include <qsslsocket.h>
#include <qsslcertificateextension.h>
+#include <qscopeguard.h>
#ifndef QT_NO_OPENSSL
#include <openssl/obj_mac.h>
@@ -1000,11 +1001,15 @@ void tst_QSslCertificate::verify()
// Verify a valid cert signed by a CA
QList<QSslCertificate> caCerts = QSslCertificate::fromPath(testDataDir + "verify-certs/cacert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
-
-QT_WARNING_PUSH
-QT_WARNING_DISABLE_DEPRECATED
- QSslSocket::addDefaultCaCertificate(caCerts.first());
-QT_WARNING_POP
+ // For the purpose of this test only, add (and then remove) the
+ // specific CA certificate.
+ const auto defaultConfig = QSslConfiguration::defaultConfiguration();
+ auto temporaryDefault = defaultConfig;
+ temporaryDefault.addCaCertificate(caCerts.first());
+ QSslConfiguration::setDefaultConfiguration(temporaryDefault);
+ const auto confGuard = qScopeGuard([&defaultConfig](){
+ QSslConfiguration::setDefaultConfiguration(defaultConfig);
+ });
toVerify = QSslCertificate::fromPath(testDataDir + "verify-certs/test-ocsp-good-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
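Review bot: The scope guard in `verify()` is created only after `QSslConfiguration::setDefaultConfiguration(temporaryDefault)` has already changed the process-wide trust store, so an early return later inserted between the two statements (a `QVERIFY`, for example) would leave the test CA trusted for the rest of the test binary. Declaring `confGuard` directly after the `defaultConfig` snapshot, before the `setDefaultConfiguration(temporaryDefault)` call, closes that gap at no cost. The by-reference capture is fine as written, since `defaultConfig` is declared before `confGuard` in the same scope and therefore outlives it. The function body continues outside the hunk.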
diff --git a/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp
index afd0c720a2..d44556db58 100644
--- a/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -92,7 +92,7 @@ void tst_QSslSocket::systemCaCertificates()
// Therefore this benchmark is only good for manual regression checking between
// Qt versions.
QBENCHMARK_ONCE {
- QList<QSslCertificate> list = QSslSocket::systemCaCertificates();
+ QList<QSslCertificate> list = QSslConfiguration::defaultConfiguration().systemCaCertificates();
}
}
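Review bot: Inside `QBENCHMARK_ONCE` the new expression first calls `QSslConfiguration::defaultConfiguration()` and only then `systemCaCertificates()` on the temporary, so the measured time now includes fetching the default configuration as well as the system store lookup. The deprecation text removed from qsslsocket.h names the replacement as `QSslConfiguration::systemCaCertificates()`, which suggests a static member; if that is the case, `QList<QSslCertificate> list = QSslConfiguration::systemCaCertificates();` keeps the benchmark comparable with earlier Qt versions, which is the stated purpose in the comment above it.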