Enable OCSP stapling in QSslSocket

This patch enables OCSP stapling in QSslSocket::SslClientMode (OpenSSL back-end
only). OCSP stapling is described by RFC6066 and based on the original OCSP as
defined by RFC2560. At the moment multiple certificate status protocol is not
supported (not implemented in OpenSSL). SecureTransport does not support OCSP
stapling at the moment.

[ChangeLog][QtNetwork][TLS] Added OCSP-stapling support for OpenSSL backend

Task-number: QTBUG-12812
Task-number: QTBUG-17158
Change-Id: Id2e0f4cc861311d1ece462864e5e30c76184af8c
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>

1 files changed, 45 insertions, 0 deletions

diff --git a/src/network/ssl/qsslerror.cpp b/src/network/ssl/qsslerror.cpp
index 3f79d1a037..74ff6987d2 100644
--- a/src/network/ssl/qsslerror.cpp
+++ b/src/network/ssl/qsslerror.cpp
@@ -86,6 +86,18 @@
     \value UnspecifiedError
     \value NoSslSupport
     \value CertificateBlacklisted
+    \value OcspNoResponseFound
+    \value OcspMalformedRequest
+    \value OcspMalformedResponse
+    \value OcspInternalError
+    \value OcspTryLater
+    \value OcspSigRequred
+    \value OcspUnauthorized
+    \value OcspResponseCannotBeTrusted
+    \value OcspResponseCertIdUnknown
+    \value OcspResponseExpired
+    \value OcspStatusUnknown
+
 
     \sa QSslError::errorString()
 */
@@ -292,6 +304,39 @@ QString QSslError::errorString() const
     case CertificateBlacklisted:
         errStr = QSslSocket::tr("The peer certificate is blacklisted");
         break;
+    case OcspNoResponseFound:
+        errStr = QSslSocket::tr("No OCSP status response found");
+        break;
+    case OcspMalformedRequest:
+        errStr = QSslSocket::tr("The OCSP status request had invalid syntax");
+        break;
+    case OcspMalformedResponse:
+        errStr = QSslSocket::tr("OCSP response contains an unexpected number of SingleResponse structures");
+        break;
+    case OcspInternalError:
+        errStr = QSslSocket::tr("OCSP responder reached an inconsistent internal state");
+        break;
+    case OcspTryLater:
+        errStr = QSslSocket::tr("OCSP responder was unable to return a status for the requested certificate");
+        break;
+    case OcspSigRequred:
+        errStr = QSslSocket::tr("The server requires the client to sign the OCSP request in order to construct a response");
+        break;
+    case OcspUnauthorized:
+        errStr = QSslSocket::tr("The client is not authorized to request OCSP status from this server");
+        break;
+    case OcspResponseCannotBeTrusted:
+        errStr = QSslSocket::tr("OCSP reponder's identity cannot be verified");
+        break;
+    case OcspResponseCertIdUnknown:
+        errStr = QSslSocket::tr("The identity of a certificate in an OCSP response cannot be established");
+        break;
+    case OcspResponseExpired:
+        errStr = QSslSocket::tr("The certificate status response has expired");
+        break;
+    case OcspStatusUnknown:
+        errStr = QSslSocket::tr("The certificate's status is unknown");
+        break;
     default:
         errStr = QSslSocket::tr("Unknown error");
         break;