From 1068d579ee848edf08db5ac611b292c76c30a39b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= Date: Mon, 23 Sep 2019 14:51:14 +0200 Subject: QSslConfiguration: Add functions for adding CA certificates The QSslSocket versions of these will be deprecated. Change-Id: I88c788f88e13f190e015d6a78b958e81c2d483a1 Reviewed-by: Jesus Fernandez Reviewed-by: Timur Pocheptsov --- src/network/ssl/qsslconfiguration.cpp | 78 ++++++++++++++++++++++++++++++++--- src/network/ssl/qsslconfiguration.h | 5 +++ 2 files changed, 77 insertions(+), 6 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index 7e92d3a526..a2e694ec92 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp @@ -631,11 +631,10 @@ QList QSslConfiguration::supportedCiphers() Returns this connection's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate. It can be modified prior to the - handshake with setCaCertificates(), or with \l{QSslSocket}'s - \l{QSslSocket::}{addCaCertificate()} and - \l{QSslSocket::}{addCaCertificates()}. + handshake with setCaCertificates(), or with addCaCertificate() and + addCaCertificates(). - \sa setCaCertificates() + \sa setCaCertificates(), addCaCertificate(), addCaCertificates() */ QList QSslConfiguration::caCertificates() const { @@ -652,7 +651,7 @@ QList QSslConfiguration::caCertificates() const that is not available (as is commonly the case on iOS), the default database is empty. - \sa caCertificates() + \sa caCertificates(), addCaCertificates(), addCaCertificate() */ void QSslConfiguration::setCaCertificates(const QList &certificates) { @@ -660,6 +659,72 @@ void QSslConfiguration::setCaCertificates(const QList &certific d->allowRootCertOnDemandLoading = false; } +/*! + Searches all files in the \a path for certificates encoded in the + specified \a format and adds them to this socket's CA certificate + database. \a path must be a file or a pattern matching one or more + files, as specified by \a syntax. Returns \c true if one or more + certificates are added to the socket's CA certificate database; + otherwise returns \c false. + + The CA certificate database is used by the socket during the + handshake phase to validate the peer's certificate. + + For more precise control, use addCaCertificate(). + + \sa addCaCertificate(), QSslCertificate::fromPath() +*/ +bool QSslConfiguration::addCaCertificates(const QString &path, QSsl::EncodingFormat format, + QRegExp::PatternSyntax syntax) +{ + QList certs = QSslCertificate::fromPath(path, format, syntax); + if (certs.isEmpty()) + return false; + + d->caCertificates += certs; + return true; +} + +/*! + \since 5.15 + + Adds \a certificate to this configuration's CA certificate database. + The certificate database must be set prior to the SSL handshake. + The CA certificate database is used by the socket during the + handshake phase to validate the peer's certificate. + + \note The default configuration uses the system CA certificate database. If + that is not available (as is commonly the case on iOS), the default database + is empty. + + \sa caCertificates(), setCaCertificates(), addCaCertificates() +*/ +void QSslConfiguration::addCaCertificate(const QSslCertificate &certificate) +{ + d->caCertificates += certificate; + d->allowRootCertOnDemandLoading = false; +} + +/*! + \since 5.15 + + Adds \a certificates to this configuration's CA certificate database. + The certificate database must be set prior to the SSL handshake. + The CA certificate database is used by the socket during the + handshake phase to validate the peer's certificate. + + \note The default configuration uses the system CA certificate database. If + that is not available (as is commonly the case on iOS), the default database + is empty. + + \sa caCertificates(), setCaCertificates(), addCaCertificate() +*/ +void QSslConfiguration::addCaCertificates(const QList &certificates) +{ + d->caCertificates += certificates; + d->allowRootCertOnDemandLoading = false; +} + /*! \since 5.5 @@ -668,7 +733,8 @@ void QSslConfiguration::setCaCertificates(const QList &certific returned by this function is used to initialize the database returned by caCertificates() on the default QSslConfiguration. - \sa caCertificates(), setCaCertificates(), defaultConfiguration() + \sa caCertificates(), setCaCertificates(), defaultConfiguration(), + addCaCertificate(), addCaCertificates() */ QList QSslConfiguration::systemCaCertificates() { diff --git a/src/network/ssl/qsslconfiguration.h b/src/network/ssl/qsslconfiguration.h index c25c2686de..247f3aecc9 100644 --- a/src/network/ssl/qsslconfiguration.h +++ b/src/network/ssl/qsslconfiguration.h @@ -131,6 +131,11 @@ public: // Certificate Authority (CA) settings QList caCertificates() const; void setCaCertificates(const QList &certificates); + bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem, + QRegExp::PatternSyntax syntax = QRegExp::FixedString); + void addCaCertificate(const QSslCertificate &certificate); + void addCaCertificates(const QList &certificates); + static QList systemCaCertificates(); void setSslOption(QSsl::SslOption option, bool on); -- cgit v1.2.3 From 665b387d68d3102adb001b449409be98ae8679a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= Date: Mon, 23 Sep 2019 14:53:31 +0200 Subject: QSslSocket: Deprecate add[Default]CaCertificate[s] As a separation of concerns the QSslSocket should not be dealing what is QSslConfiguration's job. The other related functions (e.g. setCaCertificates) was deprecated in Qt 5.5. Change-Id: I3f214148adc5270ae651d0b27d83fe374b1516b8 Reviewed-by: Timur Pocheptsov --- src/network/ssl/qsslsocket.cpp | 47 ++++++++++++++++++++++++++++++++++++------ src/network/ssl/qsslsocket.h | 16 ++++++++------ 2 files changed, 51 insertions(+), 12 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index e302aa1761..690251727d 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -139,10 +139,21 @@ before the handshake phase with setLocalCertificate() and setPrivateKey(). \li The CA certificate database can be extended and customized with - addCaCertificate(), addCaCertificates(), addDefaultCaCertificate(), - addDefaultCaCertificates(), and QSslConfiguration::defaultConfiguration().setCaCertificates(). + QSslConfiguration::addCaCertificate(), + QSslConfiguration::addCaCertificates(). \endlist + To extend the list of \e default CA certificates used by the SSL sockets + during the SSL handshake you must update the default configuration, as + in the snippet below: + + \code + QList certificates = getCertificates(); + QSslConfiguration configuration = QSslConfiguration::defaultConfiguration(); + configuration.addCaCertificates(certificates); + QSslConfiguration::setDefaultConfiguration(configuration); + \endcode + \note If available, root certificates on Unix (excluding \macos) will be loaded on demand from the standard certificate directories. If you do not want to load root certificates on demand, you need to call either @@ -1384,6 +1395,10 @@ QList QSslSocket::supportedCiphers() #endif // #if QT_DEPRECATED_SINCE(5, 5) /*! + \deprecated + + Use QSslConfiguration::addCaCertificates() instead. + Searches all files in the \a path for certificates encoded in the specified \a format and adds them to this socket's CA certificate database. \a path must be a file or a pattern matching one or more @@ -1411,6 +1426,10 @@ bool QSslSocket::addCaCertificates(const QString &path, QSsl::EncodingFormat for } /*! + \deprecated + + Use QSslConfiguration::addCaCertificate() instead. + Adds the \a certificate to this socket's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate. @@ -1427,6 +1446,10 @@ void QSslSocket::addCaCertificate(const QSslCertificate &certificate) } /*! + \deprecated + + Use QSslConfiguration::addCaCertificates() instead. + Adds the \a certificates to this socket's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate. @@ -1489,6 +1512,10 @@ QList QSslSocket::caCertificates() const #endif // #if QT_DEPRECATED_SINCE(5, 5) /*! + \deprecated + + Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead. + Searches all files in the \a path for certificates with the specified \a encoding and adds them to the default CA certificate database. \a path can be an explicit file, or it can contain @@ -1498,8 +1525,8 @@ QList QSslSocket::caCertificates() const Each SSL socket's CA certificate database is initialized to the default CA certificate database. - \sa QSslConfiguration::caCertificates(), addCaCertificates(), - addDefaultCaCertificate() + \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates(), + QSslConfiguration::addDefaultCaCertificate() */ bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat encoding, QRegExp::PatternSyntax syntax) @@ -1508,11 +1535,15 @@ bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFor } /*! + \deprecated + + Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead. + Adds \a certificate to the default CA certificate database. Each SSL socket's CA certificate database is initialized to the default CA certificate database. - \sa QSslConfiguration::caCertificates(), addCaCertificates() + \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates() */ void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate) { @@ -1520,11 +1551,15 @@ void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate) } /*! + \deprecated + + Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead. + Adds \a certificates to the default CA certificate database. Each SSL socket's CA certificate database is initialized to the default CA certificate database. - \sa QSslConfiguration::caCertificates(), addCaCertificates() + \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates() */ void QSslSocket::addDefaultCaCertificates(const QList &certificates) { diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h index 35943c7d7e..843e2d15f5 100644 --- a/src/network/ssl/qsslsocket.h +++ b/src/network/ssl/qsslsocket.h @@ -164,18 +164,22 @@ public: #endif // QT_DEPRECATED_SINCE(5, 5) // CA settings. - bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem, +#if QT_DEPRECATED_SINCE(5, 15) + QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem, QRegExp::PatternSyntax syntax = QRegExp::FixedString); - void addCaCertificate(const QSslCertificate &certificate); - void addCaCertificates(const QList &certificates); + QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificate()") void addCaCertificate(const QSslCertificate &certificate); + QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") void addCaCertificates(const QList &certificates); +#endif // QT_DEPRECATED_SINCE(5, 15) #if QT_DEPRECATED_SINCE(5, 5) QT_DEPRECATED_X("Use QSslConfiguration::setCaCertificates()") void setCaCertificates(const QList &certificates); QT_DEPRECATED_X("Use QSslConfiguration::caCertificates()") QList caCertificates() const; #endif // QT_DEPRECATED_SINCE(5, 5) - static bool addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem, +#if QT_DEPRECATED_SINCE(5, 15) + QT_DEPRECATED static bool addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem, QRegExp::PatternSyntax syntax = QRegExp::FixedString); - static void addDefaultCaCertificate(const QSslCertificate &certificate); - static void addDefaultCaCertificates(const QList &certificates); + QT_DEPRECATED static void addDefaultCaCertificate(const QSslCertificate &certificate); + QT_DEPRECATED static void addDefaultCaCertificates(const QList &certificates); +#endif // QT_DEPRECATED_SINCE(5, 15) #if QT_DEPRECATED_SINCE(5, 5) QT_DEPRECATED static void setDefaultCaCertificates(const QList &certificates); QT_DEPRECATED static QList defaultCaCertificates(); -- cgit v1.2.3