Certificates can have each issuer and subject field many times

THIS COMMIT BREAKS SOURCE COMPATIBILITY BETWEEN Qt 4 AND Qt 5 Qt4 assumed that there was only one entry of each type in the subject and issuer of a certificate. This is incorrect (eg. you can have many common names). In addition, some of the fields required by RFC3280 were not suppport. This change modifiers the API to return a list of entries of each type and adds support for the missing fields. It also updates the commonname matching code for SSL connections to handle multiple entries. Change-Id: I9457266a205def0a07c13de47094ff56ead42845 Merge-request: 5 Reviewed-on: http://codereview.qt.nokia.com/796 Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com> Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
author: Richard Moore <rich@kde.org> 2011-06-18 09:22:11 +0100
committer: Qt by Nokia <qt-info@nokia.com> 2011-06-27 20:44:36 +0200
commit: 2cf935b43e41c6589159536652412dab443ff1f8 (patch)
tree: 95bcd7638f509c48d2b139920e3936a9d4e7e60c /src/network/ssl/qsslsocket_openssl.cpp
parent: cadbfc07b68513920bb877e2e0212988c43f1fa4 (diff)
1 files changed, 18 insertions, 11 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index fb41b7c9e9..1221db98c9 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1262,10 +1262,17 @@ bool QSslSocketBackendPrivate::startHandshake()
         // if we're the server, don't check CN
         if (mode == QSslSocket::SslClientMode) {
             QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName);
-            QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName);
+            QStringList commonNameList = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName);
+            bool matched = false;
 
-            if (!isMatchingHostname(commonName.toLower(), peerName.toLower())) {
-                bool matched = false;
+            foreach (const QString &commonName, commonNameList) {
+                if (isMatchingHostname(commonName.toLower(), peerName.toLower())) {
+                    matched = true;
+                    break;
+                }
+            }
+
+            if (!matched) {
                 foreach (const QString &altName, configuration.peerCertificate
                          .alternateSubjectNames().values(QSsl::DnsEntry)) {
                     if (isMatchingHostname(altName.toLower(), peerName.toLower())) {
@@ -1273,15 +1280,15 @@ bool QSslSocketBackendPrivate::startHandshake()
                         break;
                     }
                 }
+            }
 
-                if (!matched) {
-                    // No matches in common names or alternate names.
-                    QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate);
-                    errors << error;
-                    emit q->peerVerifyError(error);
-                    if (q->state() != QAbstractSocket::ConnectedState)
-                        return false;
-                }
+        if (!matched) {
+            // No matches in common names or alternate names.
+            QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate);
+            errors << error;
+            emit q->peerVerifyError(error);
+            if (q->state() != QAbstractSocket::ConnectedState)
+                return false;
             }
         }
     } else {
author	Richard Moore <rich@kde.org>	2011-06-18 09:22:11 +0100
committer	Qt by Nokia <qt-info@nokia.com>	2011-06-27 20:44:36 +0200
commit	2cf935b43e41c6589159536652412dab443ff1f8 (patch)
tree	95bcd7638f509c48d2b139920e3936a9d4e7e60c /src/network/ssl/qsslsocket_openssl.cpp
parent	cadbfc07b68513920bb877e2e0212988c43f1fa4 (diff)