Use windows API to update missing CA roots

Windows ships with a minimal set of CA roots.
When using windows API to verify a certificate, it will fetch the
root certificate from windows update (assuming it is part of the
Microsoft trust program).

As we are using openssl, this does not happen transparently.

If SSL errors occur which indicate a broken chain then attempt
to fix it using the windows API before emitting sslErrors.

If the system CA certs are not in use (a CA bundle has been set
on the socket or as the global configuration), then this is skipped.
This is so an application can continue to use its own cert bundle
rather than trusting the system certs.

Key usage is specified, so that windows will return not trusted
status if the root is not suitable for SSL (server auth or
client auth OID).

Testability:
 - to test, must delete the CA cert(s) from the "third party
   root certification authorities" section of the cert store
   using mmc.exe.
 - If the workaround of installing the windows XP cert bundle was
   performed, then you also need to delete certs from the "trusted
   root certification authorities" section.
   This is dangerous, be careful not to delete the required
   certificates which are documented on MS website
 - Naturally, modifying these areas of the cert store requires
   elevated privilege.

Task-number: QTBUG-24827
Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

1 files changed, 22 insertions, 0 deletions

diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h
index b31eae9c97..deeceb8d85 100644
--- a/src/network/ssl/qsslsocket_openssl_p.h
+++ b/src/network/ssl/qsslsocket_openssl_p.h
@@ -117,6 +117,11 @@ public:
     void disconnected();
     QSslCipher sessionCipher() const;
     void continueHandshake();
+    bool checkSslErrors();
+#ifdef Q_OS_WIN
+    void fetchCaRootForCert(const QSslCertificate &cert);
+    void _q_caRootLoaded(QSslCertificate,QSslCertificate);
+#endif
 
     Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions);
     static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher);
@@ -127,6 +132,23 @@ public:
     static QString getErrorsFromOpenSsl();
 };
 
+#ifdef Q_OS_WIN
+class QWindowsCaRootFetcher : public QObject
+{
+    Q_OBJECT;
+public:
+    QWindowsCaRootFetcher(const QSslCertificate &certificate, QSslSocket::SslMode sslMode);
+    ~QWindowsCaRootFetcher();
+public slots:
+    void start();
+signals:
+    void finished(QSslCertificate brokenChain, QSslCertificate caroot);
+private:
+    QSslCertificate cert;
+    QSslSocket::SslMode mode;
+};
+#endif
+
 QT_END_NAMESPACE
 
 #endif