author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2020-05-14 16:40:08 +0200 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2020-05-29 16:58:43 +0200 |
commit | 73158a9cb0942c2cdb3c6a98bcfd5763eed65c85 (patch) | |
tree | 0ac4b5b9a110d0c0b76ea9d9a758b18a106ea43e /src/network/ssl/qwindowscarootfetcher_p.h | |
parent | 2216f10ffdd7e6e836dd0b63f5130bcac2f071d7 (diff) |
CA fetcher (Windows) - relax the logic a bit
In case a certificate chain is missing an intermediate,
for a certificate having "Authority Information Access"
extension it's possible to fetch this intermediate and
build the chain up to the trusted root. Unfortunately,
it's not always possible to install the root certificate
in the system "ROOT" store and then an application
wants to set it in the socket's configuration,
using setCaCertificates(). But this call also
disables the CA fetcher ('no on-demand root loading').
It makes sense to relax this logic for such
certificates and try to fetch the intermediate CA
and then have the complete chain verified.
Pick-to: 5.15
Fixes: QTBUG-84173
Change-Id: I5b9b4271767eba6f5fd2b5cf05e942360c6aa245
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/network/ssl/qwindowscarootfetcher_p.h')
-rw-r--r-- | src/network/ssl/qwindowscarootfetcher_p.h | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/network/ssl/qwindowscarootfetcher_p.h b/src/network/ssl/qwindowscarootfetcher_p.h
index 181c309388..e98e59f0cf 100644
--- a/src/network/ssl/qwindowscarootfetcher_p.h
+++ b/src/network/ssl/qwindowscarootfetcher_p.h
@@ -43,9 +43,13 @@
 #include <QtCore/QtGlobal>
 #include <QtCore/QObject>
+#include "qsslsocket_p.h"
+
 #include "qsslsocket.h"
 #include "qsslcertificate.h"
+#include <memory>
+
 //
 // W A R N I N G
 // -------------
@@ -61,17 +65,29 @@ QT_BEGIN_NAMESPACE
 class QWindowsCaRootFetcher : public QObject
 {
-Q_OBJECT;
+Q_OBJECT
 public:
-QWindowsCaRootFetcher(const QSslCertificate &certificate, QSslSocket::SslMode sslMode);
+QWindowsCaRootFetcher(const QSslCertificate &certificate, QSslSocket::SslMode sslMode,
+const QList<QSslCertificate> &caCertificates = {},
+const QString &hostName = {});
 ~QWindowsCaRootFetcher();
 public slots:
 void start();
 signals:
 void finished(QSslCertificate brokenChain, QSslCertificate caroot);
 private:
+QHCertStorePointer createAdditionalStore() const;
+
 QSslCertificate cert;
 QSslSocket::SslMode mode;
+// In case the application set CA certificates in the configuration,
+// in the past we did not load missing certs. But this disables
+// recoverable case when a certificate has Authority Information Access
+// extension. So we try to fetch in this scenario also, but in case
+// explicitly trusted root was not in a system store, we'll do
+// additional checks, thus we need 'peerVerifyName':
+QList<QSslCertificate> explicitlyTrustedCAs;
+QString peerVerifyName;
 };
 QT_END_NAMESPACE |
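Review bot: The member comment added above `explicitlyTrustedCAs` and `peerVerifyName` leaves the trust contract implicit ("we'll do additional checks"): a certificate fetched through the Authority Information Access URL is untrusted network input, and the chain it completes must still terminate at a member of `explicitlyTrustedCAs` (or a system-store root) and match `peerVerifyName` before `finished` reports it as a usable `caroot`. I would state that in the header, e.g. `// Fetched intermediates are untrusted input: the completed chain must still verify up to a member of explicitlyTrustedCAs (or the system store) and against peerVerifyName before it is reported via finished().` The constructor parameter is named `hostName` but stored as `peerVerifyName`; since QSslSocket lets an application override the verification name with setPeerVerifyName(), naming the parameter `peerVerifyName` (or documenting that the caller passes the effective verification name, not merely the connection host) would keep callers from passing the wrong value. The verification logic itself presumably lives in the .cpp, outside this hunk.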