summaryrefslogtreecommitdiffstats
path: root/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp')
-rw-r--r--tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp162
1 files changed, 86 insertions, 76 deletions
diff --git a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
index 6799ed7ca3..b51053effd 100644
--- a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
+++ b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
@@ -1,19 +1,22 @@
// Copyright (C) 2016 The Qt Company Ltd.
-// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
-
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
#include <QTest>
#include <QtNetwork/qtnetworkglobal.h>
+
+#include <QtCore/qdatetime.h>
+#include <QtCore/qtimezone.h>
+#include <QtCore/qscopeguard.h>
#include <QtCore/qset.h>
#include <qsslcertificate.h>
#include <qsslkey.h>
#include <qsslsocket.h>
#include <qsslcertificateextension.h>
-#include <qscopeguard.h>
#ifndef QT_NO_OPENSSL
+#include <openssl/opensslv.h>
#include <openssl/obj_mac.h>
#endif
@@ -99,7 +102,31 @@ private slots:
#endif // QT_CONFIG(ssl)
private:
QString testDataDir;
- bool isNonOpenSslTls = false;
+
+ enum class TLSBackend {
+ OpenSSL,
+ Schannel,
+ SecureTransport,
+ CertOnly,
+ Unknown,
+ };
+ static TLSBackend currentBackend()
+ {
+ static TLSBackend activeBackend = []() {
+ using namespace Qt::StringLiterals;
+ const QString active = QSslSocket::activeBackend();
+ if (active == "openssl"_L1)
+ return TLSBackend::OpenSSL;
+ if (active == "schannel")
+ return TLSBackend::Schannel;
+ if (active == "securetransport")
+ return TLSBackend::SecureTransport;
+ if (active == "cert-only")
+ return TLSBackend::CertOnly;
+ return TLSBackend::Unknown;
+ }();
+ return activeBackend;
+ }
};
void tst_QSslCertificate::initTestCase()
@@ -109,22 +136,15 @@ void tst_QSslCertificate::initTestCase()
testDataDir = QCoreApplication::applicationDirPath();
if (!testDataDir.endsWith(QLatin1String("/")))
testDataDir += QLatin1String("/");
-#if QT_CONFIG(opensslv11)
- // In the presence of 'openssl' backend, QSslSocket will
- // select 'openssl' as the default one.
- isNonOpenSslTls = QSslSocket::activeBackend() != QStringLiteral("openssl");
-#else
- isNonOpenSslTls = true;
-#endif // QT_CONFIG(ssl)
QDir dir(testDataDir + "certificates");
- QFileInfoList fileInfoList = dir.entryInfoList(QDir::Files | QDir::Readable);
+ const QFileInfoList fileInfoList = dir.entryInfoList(QDir::Files | QDir::Readable);
QRegularExpression rxCert(QLatin1String("^.+\\.(pem|der)$"));
QRegularExpression rxSan(QLatin1String("^(.+\\.(?:pem|der))\\.san$"));
QRegularExpression rxPubKey(QLatin1String("^(.+\\.(?:pem|der))\\.pubkey$"));
QRegularExpression rxDigest(QLatin1String("^(.+\\.(?:pem|der))\\.digest-(md5|sha1)$"));
QRegularExpressionMatch match;
- foreach (QFileInfo fileInfo, fileInfoList) {
+ for (const QFileInfo &fileInfo : fileInfoList) {
if ((match = rxCert.match(fileInfo.fileName())).hasMatch())
certInfoList <<
CertInfo(fileInfo,
@@ -187,7 +207,7 @@ void tst_QSslCertificate::createTestRows()
{
QTest::addColumn<QString>("absFilePath");
QTest::addColumn<QSsl::EncodingFormat>("format");
- foreach (CertInfo certInfo, certInfoList) {
+ for (const CertInfo &certInfo : std::as_const(certInfoList)) {
QTest::newRow(certInfo.fileInfo.fileName().toLatin1())
<< certInfo.fileInfo.absoluteFilePath() << certInfo.format;
}
@@ -318,7 +338,7 @@ void tst_QSslCertificate::digest_data()
QTest::addColumn<QSsl::EncodingFormat>("format");
QTest::addColumn<QString>("absFilePath_digest_md5");
QTest::addColumn<QString>("absFilePath_digest_sha1");
- foreach (CertInfo certInfo, certInfoList) {
+ for (const CertInfo &certInfo : std::as_const(certInfoList)) {
QString certName = certInfo.fileInfo.fileName();
QTest::newRow(certName.toLatin1())
<< certInfo.fileInfo.absoluteFilePath()
@@ -371,7 +391,7 @@ void tst_QSslCertificate::subjectAlternativeNames_data()
QTest::addColumn<QSsl::EncodingFormat>("format");
QTest::addColumn<QString>("subjAltNameFilePath");
- foreach (CertInfo certInfo, certInfoList) {
+ for (const CertInfo &certInfo : std::as_const(certInfoList)) {
QString certName = certInfo.fileInfo.fileName();
if (subjAltNameMap.contains(certName))
QTest::newRow(certName.toLatin1())
@@ -453,7 +473,7 @@ void tst_QSslCertificate::subjectInfoToString()
QVERIFY(testInfo(QSslCertificate::DistinguishedNameQualifier, QString()));
QVERIFY(testInfo(QSslCertificate::SerialNumber, QString()));
// TODO: check why generic code does not handle this!
- if (!isNonOpenSslTls)
+ if (currentBackend() == TLSBackend::OpenSSL)
QVERIFY(testInfo(QSslCertificate::EmailAddress, QStringLiteral("ababic@trolltech.com")));
}
@@ -465,9 +485,8 @@ void tst_QSslCertificate::subjectIssuerDisplayName_data()
QTest::addRow("CommonName") << QStringLiteral("more-certificates/cert-cn.pem") << QStringLiteral("YOUR name");
QTest::addRow("OrganizationName") << QStringLiteral("more-certificates/cert-on.pem") << QStringLiteral("R&D");
QTest::addRow("OrganizationUnitName") << QStringLiteral("more-certificates/cert-oun.pem") << QStringLiteral("Foundations");
-#ifndef QT_NO_OPENSSL
- QTest::addRow("NoSubjectName") << QStringLiteral("more-certificates/cert-noname.pem") << QString();
-#endif
+ if (currentBackend() == TLSBackend::OpenSSL)
+ QTest::addRow("NoSubjectName") << QStringLiteral("more-certificates/cert-noname.pem") << QString();
}
void tst_QSslCertificate::subjectIssuerDisplayName()
@@ -497,7 +516,7 @@ void tst_QSslCertificate::utf8SubjectNames()
static const char *ou = "\xe3\x88\xa7" "A" "\xe3\x89\x81\xef\xbd\xab" "BC";
// the following two tests should help find "\x"-literal encoding bugs in the test itself
- QCOMPARE(cert.subjectInfo("O")[0].length(), QString::fromUtf8(o).length());
+ QCOMPARE(cert.subjectInfo("O")[0].size(), QString::fromUtf8(o).size());
QCOMPARE (cert.subjectInfo("O")[0].toUtf8().toHex(), QByteArray(o).toHex());
QCOMPARE(cert.subjectInfo("O")[0], QString::fromUtf8(o));
@@ -510,7 +529,7 @@ void tst_QSslCertificate::publicKey_data()
QTest::addColumn<QSsl::EncodingFormat>("format");
QTest::addColumn<QString>("pubkeyFilePath");
- foreach (CertInfo certInfo, certInfoList) {
+ for (const CertInfo &certInfo : std::as_const(certInfoList)) {
QString certName = certInfo.fileInfo.fileName();
if (pubkeyMap.contains(certName))
QTest::newRow(certName.toLatin1())
@@ -812,8 +831,10 @@ void tst_QSslCertificate::certInfo()
QCOMPARE(cert.digest(QCryptographicHash::Sha1),
QByteArray::fromHex("B6:D1:51:82:E0:29:CA:59:96:38:BD:B6:F9:40:05:91:6D:49:09:60"));
- QCOMPARE(cert.effectiveDate().toUTC(), QDateTime(QDate(2007, 4, 17), QTime(7,40,26), Qt::UTC));
- QCOMPARE(cert.expiryDate().toUTC(), QDateTime(QDate(2007, 5, 17), QTime(7,40,26), Qt::UTC));
+ QCOMPARE(cert.effectiveDate().toUTC(),
+ QDateTime(QDate(2007, 4, 17), QTime(7,40,26), QTimeZone::UTC));
+ QCOMPARE(cert.expiryDate().toUTC(),
+ QDateTime(QDate(2007, 5, 17), QTime(7,40,26), QTimeZone::UTC));
QVERIFY(cert.expiryDate() < QDateTime::currentDateTime()); // cert has expired
QSslCertificate copy = cert;
@@ -875,7 +896,7 @@ void tst_QSslCertificate::task256066toPem()
void tst_QSslCertificate::nulInCN()
{
- if (isNonOpenSslTls)
+ if (currentBackend() != TLSBackend::OpenSSL)
QSKIP("Generic QSslCertificatePrivate fails this test");
QList<QSslCertificate> certList =
@@ -895,7 +916,7 @@ void tst_QSslCertificate::nulInCN()
void tst_QSslCertificate::nulInSan()
{
- if (isNonOpenSslTls)
+ if (currentBackend() != TLSBackend::OpenSSL)
QSKIP("Generic QSslCertificatePrivate fails this test");
QList<QSslCertificate> certList =
@@ -937,16 +958,18 @@ void tst_QSslCertificate::largeExpirationDate() // QTBUG-12489
const QSslCertificate &cert = certList.at(0);
QVERIFY(!cert.isNull());
- QCOMPARE(cert.effectiveDate().toUTC(), QDateTime(QDate(2010, 8, 4), QTime(9, 53, 41), Qt::UTC));
+ QCOMPARE(cert.effectiveDate().toUTC(),
+ QDateTime(QDate(2010, 8, 4), QTime(9, 53, 41), QTimeZone::UTC));
// if the date is larger than 2049, then the generalized time format is used
- QCOMPARE(cert.expiryDate().toUTC(), QDateTime(QDate(2051, 8, 29), QTime(9, 53, 41), Qt::UTC));
+ QCOMPARE(cert.expiryDate().toUTC(),
+ QDateTime(QDate(2051, 8, 29), QTime(9, 53, 41), QTimeZone::UTC));
}
void tst_QSslCertificate::blacklistedCertificates()
{
QList<QSslCertificate> blacklistedCerts = QSslCertificate::fromPath(testDataDir + "more-certificates/blacklisted*.pem", QSsl::Pem, QSslCertificate::PatternSyntax::Wildcard);
- QVERIFY(blacklistedCerts.count() > 0);
- for (int a = 0; a < blacklistedCerts.count(); a++) {
+ QVERIFY(blacklistedCerts.size() > 0);
+ for (int a = 0; a < blacklistedCerts.size(); a++) {
QVERIFY(blacklistedCerts.at(a).isBlacklisted());
}
}
@@ -960,7 +983,7 @@ void tst_QSslCertificate::selfsignedCertificates()
void tst_QSslCertificate::toText()
{
- if (isNonOpenSslTls)
+ if (currentBackend() != TLSBackend::OpenSSL)
QSKIP("QSslCertificate::toText is not implemented on platforms which do not use openssl");
QList<QSslCertificate> certList =
@@ -969,42 +992,26 @@ void tst_QSslCertificate::toText()
QCOMPARE(certList.size(), 1);
const QSslCertificate &cert = certList.at(0);
- // Openssl's cert dump method changed slightly between 0.9.8, 1.0.0 and 1.01 versions, so we want it to match any output
-
- QFile f098(testDataDir + "more-certificates/cert-large-expiration-date.txt.0.9.8");
- QVERIFY(f098.open(QIODevice::ReadOnly | QFile::Text));
- QByteArray txt098 = f098.readAll();
-
- QFile f100(testDataDir + "more-certificates/cert-large-expiration-date.txt.1.0.0");
- QVERIFY(f100.open(QIODevice::ReadOnly | QFile::Text));
- QByteArray txt100 = f100.readAll();
-
- QFile f101(testDataDir + "more-certificates/cert-large-expiration-date.txt.1.0.1");
- QVERIFY(f101.open(QIODevice::ReadOnly | QFile::Text));
- QByteArray txt101 = f101.readAll();
-
- QFile f101c(testDataDir + "more-certificates/cert-large-expiration-date.txt.1.0.1c");
- QVERIFY(f101c.open(QIODevice::ReadOnly | QFile::Text));
- QByteArray txt101c = f101c.readAll();
-
+ // Openssl's cert dump method changed slightly between 1.1.1 and 3.0.5 versions, so we want it to match any output
QFile f111(testDataDir + "more-certificates/cert-large-expiration-date.txt.1.1.1");
QVERIFY(f111.open(QIODevice::ReadOnly | QFile::Text));
QByteArray txt111 = f111.readAll();
+ QFile f305(testDataDir + "more-certificates/cert-large-expiration-date.txt.3.0.5");
+ QVERIFY(f305.open(QIODevice::ReadOnly | QFile::Text));
+ QByteArray txt305 = f305.readAll();
+
QString txtcert = cert.toText();
- QVERIFY(QString::fromLatin1(txt098) == txtcert ||
- QString::fromLatin1(txt100) == txtcert ||
- QString::fromLatin1(txt101) == txtcert ||
- QString::fromLatin1(txt101c) == txtcert ||
- QString::fromLatin1(txt111) == txtcert );
+ QVERIFY(QString::fromLatin1(txt111) == txtcert ||
+ QString::fromLatin1(txt305) == txtcert);
}
void tst_QSslCertificate::multipleCommonNames()
{
QList<QSslCertificate> certList =
QSslCertificate::fromPath(testDataDir + "more-certificates/test-cn-two-cns-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
- QVERIFY(certList.count() > 0);
+ QVERIFY(certList.size() > 0);
QStringList commonNames = certList[0].subjectInfo(QSslCertificate::CommonName);
QVERIFY(commonNames.contains(QString("www.example.com")));
@@ -1015,18 +1022,18 @@ void tst_QSslCertificate::subjectAndIssuerAttributes()
{
QList<QSslCertificate> certList =
QSslCertificate::fromPath(testDataDir + "more-certificates/test-cn-with-drink-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
- QVERIFY(certList.count() > 0);
+ QVERIFY(certList.size() > 0);
QList<QByteArray> attributes = certList[0].subjectInfoAttributes();
QVERIFY(attributes.contains(QByteArray("favouriteDrink")));
attributes.clear();
certList = QSslCertificate::fromPath(testDataDir + "more-certificates/natwest-banking.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
- QVERIFY(certList.count() > 0);
+ QVERIFY(certList.size() > 0);
QByteArray shortName("1.3.6.1.4.1.311.60.2.1.3");
#if !defined(QT_NO_OPENSSL) && defined(SN_jurisdictionCountryName)
- if (!isNonOpenSslTls)
+ if (currentBackend() == TLSBackend::OpenSSL)
shortName = SN_jurisdictionCountryName;
#endif
attributes = certList[0].subjectInfoAttributes();
@@ -1035,8 +1042,8 @@ void tst_QSslCertificate::subjectAndIssuerAttributes()
void tst_QSslCertificate::verify()
{
- if (isNonOpenSslTls)
- QSKIP("Not implemented in SecureTransport or Schannel");
+ if (currentBackend() != TLSBackend::OpenSSL)
+ QSKIP("Only implemented for OpenSSL");
QList<QSslError> errors;
QList<QSslCertificate> toVerify;
@@ -1049,7 +1056,7 @@ void tst_QSslCertificate::verify()
// Empty chain is unspecified error
errors = QSslCertificate::verify(toVerify);
- VERIFY_VERBOSE(errors.count() == 1);
+ VERIFY_VERBOSE(errors.size() == 1);
VERIFY_VERBOSE(errors[0] == QSslError(QSslError::UnspecifiedError));
errors.clear();
@@ -1068,14 +1075,14 @@ void tst_QSslCertificate::verify()
toVerify = QSslCertificate::fromPath(testDataDir + "verify-certs/test-ocsp-good-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
errors = QSslCertificate::verify(toVerify);
- VERIFY_VERBOSE(errors.count() == 0);
+ VERIFY_VERBOSE(errors.size() == 0);
errors.clear();
// Test a blacklisted certificate
toVerify = QSslCertificate::fromPath(testDataDir + "verify-certs/test-addons-mozilla-org-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
errors = QSslCertificate::verify(toVerify);
bool foundBlack = false;
- foreach (const QSslError &error, errors) {
+ for (const QSslError &error : std::as_const(errors)) {
if (error.error() == QSslError::CertificateBlacklisted) {
foundBlack = true;
break;
@@ -1103,11 +1110,11 @@ void tst_QSslCertificate::verify()
toVerify << QSslCertificate::fromPath(testDataDir + "verify-certs/test-intermediate-is-ca-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString).first();
toVerify << QSslCertificate::fromPath(testDataDir + "verify-certs/test-intermediate-ca-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString).first();
errors = QSslCertificate::verify(toVerify);
- VERIFY_VERBOSE(errors.count() == 0);
+ VERIFY_VERBOSE(errors.size() == 0);
// Recheck the above with hostname validation
errors = QSslCertificate::verify(toVerify, QLatin1String("example.com"));
- VERIFY_VERBOSE(errors.count() == 0);
+ VERIFY_VERBOSE(errors.size() == 0);
// Recheck the above with a bad hostname
errors = QSslCertificate::verify(toVerify, QLatin1String("fail.example.com"));
@@ -1121,9 +1128,8 @@ QString tst_QSslCertificate::toString(const QList<QSslError>& errors)
{
QStringList errorStrings;
- foreach (const QSslError& error, errors) {
+ for (const QSslError &error : errors)
errorStrings.append(QLatin1Char('"') + error.errorString() + QLatin1Char('"'));
- }
return QLatin1String("[ ") + errorStrings.join(QLatin1String(", ")) + QLatin1String(" ]");
}
@@ -1132,11 +1138,11 @@ void tst_QSslCertificate::extensions()
{
QList<QSslCertificate> certList =
QSslCertificate::fromPath(testDataDir + "more-certificates/natwest-banking.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
- QVERIFY(certList.count() > 0);
+ QVERIFY(certList.size() > 0);
QSslCertificate cert = certList[0];
QList<QSslCertificateExtension> extensions = cert.extensions();
- QCOMPARE(extensions.count(), 9);
+ QCOMPARE(extensions.size(), 9);
int unknown_idx = -1;
int authority_info_idx = -1;
@@ -1144,7 +1150,7 @@ void tst_QSslCertificate::extensions()
int subject_key_idx = -1;
int auth_key_idx = -1;
- for (int i=0; i < extensions.length(); ++i) {
+ for (int i=0; i < extensions.size(); ++i) {
QSslCertificateExtension ext = extensions[i];
//qDebug() << i << ":" << ext.name() << ext.oid();
@@ -1230,16 +1236,16 @@ void tst_QSslCertificate::extensionsCritical()
{
QList<QSslCertificate> certList =
QSslCertificate::fromPath(testDataDir + "verify-certs/test-addons-mozilla-org-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
- QVERIFY(certList.count() > 0);
+ QVERIFY(certList.size() > 0);
QSslCertificate cert = certList[0];
QList<QSslCertificateExtension> extensions = cert.extensions();
- QCOMPARE(extensions.count(), 9);
+ QCOMPARE(extensions.size(), 9);
int basic_constraints_idx = -1;
int key_usage_idx = -1;
- for (int i=0; i < extensions.length(); ++i) {
+ for (int i=0; i < extensions.size(); ++i) {
QSslCertificateExtension ext = extensions[i];
if (ext.name() == QStringLiteral("basicConstraints"))
@@ -1377,6 +1383,9 @@ void tst_QSslCertificate::pkcs12()
return;
}
+ if (currentBackend() == TLSBackend::OpenSSL && QSslSocket::sslLibraryVersionNumber() >= 0x30000000L)
+ QSKIP("leaf.p12 is using RC2, which is disabled by default in OpenSSL v >= 3");
+
QFile f(testDataDir + QLatin1String("pkcs12/leaf.p12"));
bool ok = f.open(QIODevice::ReadOnly);
QVERIFY(ok);
@@ -1385,8 +1394,8 @@ void tst_QSslCertificate::pkcs12()
QSslCertificate cert;
QList<QSslCertificate> caCerts;
- if (isNonOpenSslTls)
- QEXPECT_FAIL("", "pkcs12 imports are only supported when openssl is used", Abort); // TODO?
+ if (currentBackend() != TLSBackend::OpenSSL)
+ QEXPECT_FAIL("", "pkcs12 imports are not available with the current TLS backend", Abort); // TODO?
ok = QSslCertificate::importPkcs12(&f, &key, &cert, &caCerts);
QVERIFY(ok);
@@ -1418,7 +1427,8 @@ void tst_QSslCertificate::pkcs12()
QFile nocert(testDataDir + QLatin1String("pkcs12/leaf-nokey.p12"));
ok = nocert.open(QIODevice::ReadOnly);
QVERIFY(ok);
- QTest::ignoreMessage(QtWarningMsg, "Unable to convert private key");
+ if (currentBackend() == TLSBackend::OpenSSL)
+ QTest::ignoreMessage(QtWarningMsg, "Unable to convert private key");
ok = QSslCertificate::importPkcs12(&nocert, &key, &cert, &caCerts);
QVERIFY(!ok);
nocert.close();