author | Daniel Molkentin <daniel@molkentin.de> | 2015-11-16 15:06:15 +0100 |
---|---|---|
committer | Daniel Molkentin (ownCloud) <danimo@owncloud.com> | 2015-11-24 16:30:21 +0000 |
commit | fe3a84138e266c425f11353f7d8dc28a588af89e (patch) | |
tree | c8304282752cf0b0533d602cabb3191f0c6e0dac /src/network/ssl/qsslsocket_openssl.cpp | |
parent | d42d7781f1cd62c3c7c008859507f24a1ff5bb2a (diff) |
QSslSocket: evaluate CAs in all keychain categories
This will make sure that certs in the domainUser (login),
and domainAdmin (per machine) keychain are being picked up
in systemCaCertificates() in addition to the (usually immutable)
DomainSystem keychain.
Also consider the trust settings on OS X: If a certificate
is either fully trusted or trusted for the purpose of SSL,
it will be accepted.
[ChangeLog][Platform Specific Changes] OS X now accepts trusted
certificates from the login and system keychains.
Task-number: QTBUG-32898
Change-Id: Ia23083d5af74388eeee31ba07239735cbbe64368
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 31 |
1 files changed, 3 insertions, 28 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 31aeac9489..bbd712317c 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -76,15 +76,6 @@ #include <string.h> -#ifdef Q_OS_DARWIN -# include <private/qcore_mac_p.h> -#endif - -#ifdef Q_OS_OSX -# include <Security/Security.h> -#endif - - QT_BEGIN_NAMESPACE #if defined(Q_OS_WIN) @@ -668,6 +659,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() setDefaultSupportedEllipticCurves(curves); } +#ifndef Q_OS_DARWIN // Apple implementation in qsslsocket_mac_shared.cpp QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() { ensureInitialized(); @@ -676,25 +668,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() timer.start(); #endif QList<QSslCertificate> systemCerts; - // note: also check implementation in openssl_mac.cpp -#if defined(Q_OS_OSX) - // SecTrustSettingsCopyCertificates is not defined on iOS. - QCFType<CFArrayRef> cfCerts; - - OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts); - if (status == noErr ) { - const CFIndex size = CFArrayGetCount(cfCerts); - for (CFIndex i = 0; i < size; ++i) { - SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i); - QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert); - if (derData == NULL) { - qCWarning(lcSsl, "error retrieving a CA certificate from the system store"); - } else { - systemCerts << QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der); - } - } - } -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { HCERTSTORE hSystemStore; #if defined(Q_OS_WINCE) @@ -771,6 +745,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() return systemCerts; } +#endif // Q_OS_DARWIN void QSslSocketBackendPrivate::startClientEncryption() { |
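Review bot: The new guard `#ifndef Q_OS_DARWIN` in the second hunk removes this definition of systemCaCertificates() on every Darwin target, whereas the deleted branch was limited to `Q_OS_OSX` and noted that SecTrustSettingsCopyCertificates is not defined on iOS. qsslsocket_mac_shared.cpp is not in this limited diff, and the function body continues outside the hunks, so it should be confirmed that the file is built for each Darwin configuration that compiles this one and that it still yields a usable CA list on iOS. Because the commit message says the Apple path now also accepts certificates from the user and admin keychains according to their trust settings, the guard comment could record that wider trust source, e.g. `#ifndef Q_OS_DARWIN // Apple implementation (system, admin and user trust domains) is in qsslsocket_mac_shared.cpp`. The closing line in the last hunk would read more accurately as `#endif // !Q_OS_DARWIN`, since the condition is negated.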