QSslCertificate: block all DigiNotar (intermediate and root) certs

and do not only check leaf certificates, but all intermediates and
the root. Tested manually with the cross-signed intermediates.

Change-Id: I860dc9b568bc244abc9228486dbb374a1a2b47c4
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 64adbd0c5775f97343afbe0e7b5fde0d70bdaedd)
Reviewed-on: http://codereview.qt.nokia.com/4291
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

1 files changed, 9 insertions, 6 deletions

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0ff17910f3..14a3899bfd 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1270,12 +1270,15 @@ bool QSslSocketBackendPrivate::startHandshake()
     // Start translating errors.
     QList<QSslError> errors;
 
-    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
-        QSslError error(QSslError::CertificateBlacklisted, configuration.peerCertificate);
-        errors << error;
-        emit q->peerVerifyError(error);
-        if (q->state() != QAbstractSocket::ConnectedState)
-            return false;
+    // check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
+    foreach (const QSslCertificate &cert, configuration.peerCertificateChain) {
+        if (QSslCertificatePrivate::isBlacklisted(cert)) {
+            QSslError error(QSslError::CertificateBlacklisted, cert);
+            errors << error;
+            emit q->peerVerifyError(error);
+            if (q->state() != QAbstractSocket::ConnectedState)
+                return false;
+        }
     }
 
     bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer