diff options
| author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2019-01-16 14:43:09 +0100 |
|---|---|---|
| committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2019-01-23 17:02:40 +0000 |
| commit | e649c4143e37591d5e32ca0b6abb1487cfea4c86 (patch) | |
| tree | abd8cab09913caeb9cf1ef4b5803bc3c4df9e6ff /src/network/ssl/qsslsocket_openssl.cpp | |
| parent | 237c3972fd8869698cea69ff57f751c982bec487 (diff) | |
Add class QOcspResponse, providing a bit more details
about why a certificate was revoked (if it was) and the responder's
certificate, if we managed to verify a signature, as was previously
shortly discussed in the 'OCSP stapling' patch-set. Auto-test update
will be in a separate patch.
[ChangeLog][QtNetwork][Ssl] Added class QOcspResponse as a part of
OCSP stapling support.
Change-Id: I4e17fb6fc4c3dae0b8ad04ff2897a4823736d16e
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 48 |
1 files changed, 45 insertions, 3 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index d684100313..a7c681920e 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -65,6 +65,7 @@ #include "qsslellipticcurve.h" #include "qsslpresharedkeyauthenticator.h" #include "qsslpresharedkeyauthenticator_p.h" +#include "qocspresponse_p.h" #ifdef Q_OS_WIN #include "qwindowscarootfetcher_p.h" @@ -257,6 +258,34 @@ QSslError qt_OCSP_response_status_to_QSslError(long code) Q_UNREACHABLE(); } +OcspRevocationReason qt_OCSP_revocation_reason(int reason) +{ + switch (reason) { + case OCSP_REVOKED_STATUS_NOSTATUS: + return OcspRevocationReason::None; + case OCSP_REVOKED_STATUS_UNSPECIFIED: + return OcspRevocationReason::Unspecified; + case OCSP_REVOKED_STATUS_KEYCOMPROMISE: + return OcspRevocationReason::KeyCompromise; + case OCSP_REVOKED_STATUS_CACOMPROMISE: + return OcspRevocationReason::CACompromise; + case OCSP_REVOKED_STATUS_AFFILIATIONCHANGED: + return OcspRevocationReason::AffiliationChanged; + case OCSP_REVOKED_STATUS_SUPERSEDED: + return OcspRevocationReason::Superseded; + case OCSP_REVOKED_STATUS_CESSATIONOFOPERATION: + return OcspRevocationReason::CessationOfOperation; + case OCSP_REVOKED_STATUS_CERTIFICATEHOLD: + return OcspRevocationReason::CertificateHold; + case OCSP_REVOKED_STATUS_REMOVEFROMCRL: + return OcspRevocationReason::RemoveFromCRL; + default: + return OcspRevocationReason::None; + } + + Q_UNREACHABLE(); +} + bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, X509 *issuer) { // OCSP_basic_verify does verify that the responder is legit, the response is @@ -1429,6 +1458,9 @@ bool QSslSocketBackendPrivate::checkOcspStatus() Q_ASSERT(mode == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode Q_ASSERT(configuration.peerVerifyMode != QSslSocket::VerifyNone); + ocspResponse.clear(); + QOcspResponsePrivate *dResponse = ocspResponse.d.data(); + ocspErrorDescription.clear(); ocspErrors.clear(); @@ -1524,9 +1556,10 @@ bool QSslSocketBackendPrivate::checkOcspStatus() // Let's make sure the response is for the correct certificate - we // can re-create this CertID using our peer's certificate and its // issuer's public key. - + dResponse->isNull = false; bool matchFound = false; if (configuration.peerCertificate.isSelfSigned()) { + dResponse->signerCert = configuration.peerCertificate; matchFound = qt_OCSP_certificate_match(singleResponse, peerX509, peerX509); } else { const STACK_OF(X509) *certs = q_SSL_get_peer_cert_chain(ssl); @@ -1541,16 +1574,20 @@ bool QSslSocketBackendPrivate::checkOcspStatus() X509 *issuer = q_sk_X509_value(certs, i); matchFound = qt_OCSP_certificate_match(singleResponse, peerX509, issuer); if (matchFound) { - if (q_X509_check_issued(issuer, peerX509) == X509_V_OK) + if (q_X509_check_issued(issuer, peerX509) == X509_V_OK) { + dResponse->signerCert = QSslCertificatePrivate::QSslCertificate_from_X509(issuer); break; + } matchFound = false; } } } } - if (!matchFound) + if (!matchFound) { + dResponse->signerCert.clear(); ocspErrors.push_back({QSslError::OcspResponseCertIdUnknown, configuration.peerCertificate}); + } // Check if the response is valid time-wise: ASN1_GENERALIZEDTIME *revTime = nullptr; @@ -1562,6 +1599,7 @@ bool QSslSocketBackendPrivate::checkOcspStatus() // This is unexpected, treat as SslHandshakeError, OCSP_check_validity assumes this pointer // to be != nullptr. ocspErrors.clear(); + ocspResponse.clear(); ocspErrorDescription = QSslSocket::tr("Failed to extract 'this update time' from the SingleResponse"); return false; } @@ -1582,11 +1620,15 @@ bool QSslSocketBackendPrivate::checkOcspStatus() switch (certStatus) { case V_OCSP_CERTSTATUS_GOOD: // This certificate was not found among the revoked ones. + dResponse->certificateStatus = OcspCertificateStatus::Good; break; case V_OCSP_CERTSTATUS_REVOKED: + dResponse->certificateStatus = OcspCertificateStatus::Revoked; + dResponse->revocationReason = qt_OCSP_revocation_reason(reason); ocspErrors.push_back({QSslError::CertificateRevoked, configuration.peerCertificate}); break; case V_OCSP_CERTSTATUS_UNKNOWN: + dResponse->certificateStatus = OcspCertificateStatus::Unknown; ocspErrors.push_back({QSslError::OcspStatusUnknown, configuration.peerCertificate}); } |