diff options
-rw-r--r-- | src/network/ssl/qsslkey_p.cpp | 12 | ||||
-rw-r--r-- | src/network/ssl/qsslkey_p.h | 20 | ||||
-rw-r--r-- | src/network/ssl/qsslkey_qt.cpp | 185 | ||||
-rw-r--r-- | src/network/ssl/qsslkey_winrt.cpp | 134 | ||||
-rw-r--r-- | src/network/ssl/ssl.pri | 1 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp | 31 |
6 files changed, 217 insertions, 166 deletions
diff --git a/src/network/ssl/qsslkey_p.cpp b/src/network/ssl/qsslkey_p.cpp index 37936fad10..40e9231177 100644 --- a/src/network/ssl/qsslkey_p.cpp +++ b/src/network/ssl/qsslkey_p.cpp @@ -228,7 +228,11 @@ QSslKey::QSslKey(QIODevice *device, QSsl::KeyAlgorithm algorithm, QSsl::Encoding QSslKey::QSslKey(Qt::HANDLE handle, QSsl::KeyType type) : d(new QSslKeyPrivate) { +#ifndef QT_NO_OPENSSL d->opaque = reinterpret_cast<EVP_PKEY *>(handle); +#else + d->opaque = handle; +#endif d->algorithm = QSsl::Opaque; d->type = type; d->isNull = !d->opaque; @@ -323,7 +327,15 @@ QByteArray QSslKey::toDer(const QByteArray &passPhrase) const if (d->isNull || d->algorithm == QSsl::Opaque) return QByteArray(); +#ifndef QT_NO_OPENSSL return d->derFromPem(toPem(passPhrase)); +#else + // Encrypted DER is nonsense, see QTBUG-41038. + if (d->type == QSsl::PrivateKey && !passPhrase.isEmpty()) + return QByteArray(); + + return d->derData; +#endif } /*! diff --git a/src/network/ssl/qsslkey_p.h b/src/network/ssl/qsslkey_p.h index e12bbadc06..64a157ba09 100644 --- a/src/network/ssl/qsslkey_p.h +++ b/src/network/ssl/qsslkey_p.h @@ -61,10 +61,6 @@ #ifndef QT_NO_OPENSSL #include <openssl/rsa.h> #include <openssl/dsa.h> -#else -struct RSA; -struct DSA; -struct EVP_PKEY; #endif QT_BEGIN_NAMESPACE @@ -73,9 +69,11 @@ class QSslKeyPrivate { public: inline QSslKeyPrivate() - : rsa(0) + : opaque(0) +#ifndef QT_NO_OPENSSL + , rsa(0) , dsa(0) - , opaque(0) +#endif { clear(); } @@ -85,7 +83,9 @@ public: void clear(bool deep = true); +#ifndef QT_NO_OPENSSL bool fromEVP_PKEY(EVP_PKEY *pkey); +#endif void decodeDer(const QByteArray &der, const QByteArray &passPhrase, bool deepClear = true); void decodePem(const QByteArray &pem, const QByteArray &passPhrase, @@ -102,9 +102,15 @@ public: bool isNull; QSsl::KeyType type; QSsl::KeyAlgorithm algorithm; +#ifndef QT_NO_OPENSSL + EVP_PKEY *opaque; RSA *rsa; DSA *dsa; - EVP_PKEY *opaque; +#else + Qt::HANDLE opaque; + QByteArray derData; + int keyLength; +#endif QAtomicInt ref; diff --git a/src/network/ssl/qsslkey_qt.cpp b/src/network/ssl/qsslkey_qt.cpp new file mode 100644 index 0000000000..1e60476601 --- /dev/null +++ b/src/network/ssl/qsslkey_qt.cpp @@ -0,0 +1,185 @@ +/**************************************************************************** +** +** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org> +** Contact: http://www.qt-project.org/legal +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and Digia. For licensing terms and +** conditions see http://qt.digia.com/licensing. For further information +** use the contact form at http://qt.digia.com/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 2.1 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 2.1 requirements +** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** +** In addition, as a special exception, Digia gives you certain additional +** rights. These rights are described in the Digia Qt LGPL Exception +** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 3.0 as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU General Public License version 3.0 requirements will be +** met: http://www.gnu.org/copyleft/gpl.html. +** +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#include "qsslkey.h" +#include "qsslkey_p.h" +#include "qasn1element_p.h" + +QT_USE_NAMESPACE + +static const quint8 bits_table[256] = { + 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4, + 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5, + 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6, + 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6, + 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, + 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, + 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, + 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, +}; + +static int numberOfBits(const QByteArray &modulus) +{ + int bits = modulus.size() * 8; + for (int i = 0; i < modulus.size(); ++i) { + quint8 b = modulus[i]; + bits -= 8; + if (b != 0) { + bits += bits_table[b]; + break; + } + } + return bits; +} + +void QSslKeyPrivate::clear(bool deep) +{ + Q_UNUSED(deep); + isNull = true; + derData.clear(); + keyLength = -1; +} + +void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase, + bool deepClear) +{ + clear(deepClear); + + if (der.isEmpty()) + return; + + if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) { + Q_UNIMPLEMENTED(); + return; + } + + QAsn1Element elem; + if (!elem.read(der) || elem.type() != QAsn1Element::SequenceType) + return; + + if (type == QSsl::PublicKey) { + // key info + QDataStream keyStream(elem.value()); + if (!elem.read(keyStream) || elem.type() != QAsn1Element::SequenceType) + return; + QVector<QAsn1Element> infoItems = elem.toVector(); + if (infoItems.size() < 2 || infoItems[0].type() != QAsn1Element::ObjectIdentifierType) + return; + if (algorithm == QSsl::Rsa) { + if (infoItems[0].toObjectId() != "1.2.840.113549.1.1.1") + return; + // key data + if (!elem.read(keyStream) || elem.type() != QAsn1Element::BitStringType || elem.value().isEmpty()) + return; + if (!elem.read(elem.value().mid(1)) || elem.type() != QAsn1Element::SequenceType) + return; + if (!elem.read(elem.value()) || elem.type() != QAsn1Element::IntegerType) + return; + keyLength = numberOfBits(elem.value()); + } else if (algorithm == QSsl::Dsa) { + if (infoItems[0].toObjectId() != "1.2.840.10040.4.1") + return; + if (infoItems[1].type() != QAsn1Element::SequenceType) + return; + // key params + QVector<QAsn1Element> params = infoItems[1].toVector(); + if (params.isEmpty() || params[0].type() != QAsn1Element::IntegerType) + return; + keyLength = numberOfBits(params[0].value()); + } + + } else { + QVector<QAsn1Element> items = elem.toVector(); + if (items.isEmpty()) + return; + + // version + if (items[0].type() != QAsn1Element::IntegerType || items[0].value().toHex() != "00") + return; + + if (algorithm == QSsl::Rsa) { + if (items.size() != 9 || items[1].type() != QAsn1Element::IntegerType) + return; + keyLength = numberOfBits(items[1].value()); + } else if (algorithm == QSsl::Dsa) { + if (items.size() != 6 || items[1].type() != QAsn1Element::IntegerType) + return; + keyLength = numberOfBits(items[1].value()); + } + } + + derData = der; + isNull = false; +} + +void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase, + bool deepClear) +{ + decodeDer(derFromPem(pem), passPhrase, deepClear); +} + +int QSslKeyPrivate::length() const +{ + return keyLength; +} + +QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const +{ + if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) { + Q_UNIMPLEMENTED(); + return QByteArray(); + } + + return pemFromDer(derData); +} + +Qt::HANDLE QSslKeyPrivate::handle() const +{ + return opaque; +} diff --git a/src/network/ssl/qsslkey_winrt.cpp b/src/network/ssl/qsslkey_winrt.cpp index 1c625081a4..c1dc7890f7 100644 --- a/src/network/ssl/qsslkey_winrt.cpp +++ b/src/network/ssl/qsslkey_winrt.cpp @@ -59,136 +59,4 @@ using namespace ABI::Windows::Security::Cryptography::Certificates; using namespace ABI::Windows::Security::Cryptography::Core; using namespace ABI::Windows::Storage::Streams; -QT_BEGIN_NAMESPACE - -struct SslKeyGlobal -{ - SslKeyGlobal() - { - HRESULT hr; - hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_CryptographicBuffer).Get(), - &bufferFactory); - Q_ASSERT_SUCCEEDED(hr); - - ComPtr<IAsymmetricKeyAlgorithmProviderStatics> keyProviderFactory; - hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricKeyAlgorithmProvider).Get(), - &keyProviderFactory); - Q_ASSERT_SUCCEEDED(hr); - - ComPtr<IAsymmetricAlgorithmNamesStatics> algorithmNames; - hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricAlgorithmNames).Get(), - &algorithmNames); - Q_ASSERT_SUCCEEDED(hr); - - HString algorithmName; - // The algorithm name doesn't matter for imports, so just use PKCS1 - hr = algorithmNames->get_RsaPkcs1(algorithmName.GetAddressOf()); - Q_ASSERT_SUCCEEDED(hr); - hr = keyProviderFactory->OpenAlgorithm(algorithmName.Get(), &keyProvider); - Q_ASSERT_SUCCEEDED(hr); - } - - ComPtr<ICryptographicBufferStatics> bufferFactory; - ComPtr<IAsymmetricKeyAlgorithmProvider> keyProvider; -}; -Q_GLOBAL_STATIC(SslKeyGlobal, g) - -// Use the opaque struct for key storage -struct EVP_PKEY { - ComPtr<ICryptographicKey> key; -}; - -void QSslKeyPrivate::clear(bool deep) -{ - isNull = true; - - if (opaque) { - if (deep) { - delete opaque; - opaque = 0; - } else { - opaque->key.Reset(); - } - } -} - -void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase, - bool deepClear) -{ - Q_UNUSED(passPhrase); - - clear(deepClear); - - if (der.isEmpty()) - return; - - if (type != QSsl::PublicKey) { - qWarning("The WinRT SSL backend does not support importing private keys."); - return; - } - - HRESULT hr; - ComPtr<IBuffer> buffer; - hr = g->bufferFactory->CreateFromByteArray(der.length(), (BYTE *)der.data(), &buffer); - Q_ASSERT_SUCCEEDED(hr); - - if (!opaque) - opaque = new EVP_PKEY; - - hr = g->keyProvider->ImportDefaultPublicKeyBlob(buffer.Get(), &opaque->key); - RETURN_VOID_IF_FAILED("Failed to import public key"); - - isNull = false; -} - -void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase, - bool deepClear) -{ - decodeDer(derFromPem(pem), passPhrase, deepClear); -} - -int QSslKeyPrivate::length() const -{ - if (isNull) - return -1; - - Q_ASSERT(opaque && opaque->key); - HRESULT hr; - UINT32 keySize; - hr = opaque->key->get_KeySize(&keySize); - Q_ASSERT_SUCCEEDED(hr); - return keySize; -} - -QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const -{ - Q_UNUSED(passPhrase); - QByteArray result; - if (isNull) - return result; - - Q_ASSERT(opaque && opaque->key); - HRESULT hr; - ComPtr<IBuffer> buffer; - hr = opaque->key->ExportDefaultPublicKeyBlobType(&buffer); - RETURN_IF_FAILED("Failed to export key", return result); - - ComPtr<Windows::Storage::Streams::IBufferByteAccess> byteAccess; - hr = buffer.As(&byteAccess); - Q_ASSERT_SUCCEEDED(hr); - char *data; - hr = byteAccess->Buffer(reinterpret_cast<byte **>(&data)); - Q_ASSERT_SUCCEEDED(hr); - UINT32 size; - hr = buffer->get_Length(&size); - Q_ASSERT_SUCCEEDED(hr); - result = pemFromDer(QByteArray::fromRawData(data, size)); - return result; -} - -Qt::HANDLE QSslKeyPrivate::handle() const -{ - return opaque ? opaque->key.Get() : 0; -} - -QT_END_NAMESPACE +QT_USE_NAMESPACE diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri index e71028b778..ad14b99423 100644 --- a/src/network/ssl/ssl.pri +++ b/src/network/ssl/ssl.pri @@ -28,6 +28,7 @@ contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, op winrt { HEADERS += ssl/qsslsocket_winrt_p.h SOURCES += ssl/qsslcertificate_qt.cpp \ + ssl/qsslkey_qt.cpp \ ssl/qsslkey_winrt.cpp \ ssl/qsslsocket_winrt.cpp } diff --git a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp index f7b9bcba62..445fdc7df4 100644 --- a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp +++ b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp @@ -47,14 +47,6 @@ #include <QtNetwork/qhostaddress.h> #include <QtNetwork/qnetworkproxy.h> -#ifdef Q_OS_WINRT -#define WINRT_EXPECT_FAILURES \ - if (type == QSsl::PrivateKey) \ - QEXPECT_FAIL("", "No support for private keys on WinRT: QTBUG-40688", Abort); \ - if (strstr(QTest::currentDataTag(), "rsa-pub-40")) \ - QEXPECT_FAIL("", "Weak public keys are not supported on WinRT", Abort); -#endif - class tst_QSslKey : public QObject { Q_OBJECT @@ -179,10 +171,6 @@ void tst_QSslKey::constructor() QFETCH(QSsl::KeyType, type); QFETCH(QSsl::EncodingFormat, format); -#ifdef Q_OS_WINRT - WINRT_EXPECT_FAILURES -#endif - QByteArray encoded = readFile(absFilePath); QSslKey key(encoded, algorithm, format, type); QVERIFY(!key.isNull()); @@ -244,10 +232,6 @@ void tst_QSslKey::length() QFETCH(int, length); QFETCH(QSsl::EncodingFormat, format); -#ifdef Q_OS_WINRT - WINRT_EXPECT_FAILURES -#endif - QByteArray encoded = readFile(absFilePath); QSslKey key(encoded, algorithm, format, type); QVERIFY(!key.isNull()); @@ -269,10 +253,6 @@ void tst_QSslKey::toPemOrDer() QFETCH(QSsl::KeyType, type); QFETCH(QSsl::EncodingFormat, format); -#ifdef Q_OS_WINRT - WINRT_EXPECT_FAILURES -#endif - QByteArray encoded = readFile(absFilePath); QSslKey key(encoded, algorithm, format, type); QVERIFY(!key.isNull()); @@ -317,10 +297,6 @@ void tst_QSslKey::toEncryptedPemOrDer() QFETCH(QSsl::EncodingFormat, format); QFETCH(QString, password); -#ifdef Q_OS_WINRT - WINRT_EXPECT_FAILURES -#endif - QByteArray plain = readFile(absFilePath); QSslKey key(plain, algorithm, format, type); QVERIFY(!key.isNull()); @@ -328,6 +304,9 @@ void tst_QSslKey::toEncryptedPemOrDer() QByteArray pwBytes(password.toLatin1()); if (type == QSsl::PrivateKey) { +#ifdef QT_NO_OPENSSL + QSKIP("Encrypted keys require support from the SSL backend"); +#endif QByteArray encryptedPem = key.toPem(pwBytes); QVERIFY(!encryptedPem.isEmpty()); QSslKey keyPem(encryptedPem, algorithm, QSsl::Pem, type, pwBytes); @@ -398,8 +377,8 @@ void tst_QSslKey::passphraseChecks() QSslKey key(&keyFile,QSsl::Rsa,QSsl::Pem, QSsl::PrivateKey, "WRONG!"); QVERIFY(key.isNull()); // wrong passphrase => should not be able to decode key } -#ifdef Q_OS_WINRT - QEXPECT_FAIL("", "The WinRT backend does not support private key imports: QTBUG-40688", Abort); +#ifdef QT_NO_OPENSSL + QEXPECT_FAIL("", "Encrypted keys require support from the SSL backend", Abort); #endif { if (!keyFile.isOpen()) |