From 5c3a499c9ffbf2d4872dd6a6916b3a3a9a7d9cdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jeremy=20Lain=C3=A9?=
Date: Sat, 30 Aug 2014 16:39:29 +0200
Subject: ssl: disable (broken) i/o on DER encoded keys
QSslKey currently has methods which supposedly allow decoding and encoding private keys as DER protected by a passphrase. This is broken by design as explained in QTBUG-41038, as storing the encrypted DER data alone makes no sense: such a file lacks the necessary information about the encryption algorithm and initialization vector.
This change:
- explicitly stops using the passphrase when decoding DER in the constructor. The behavior is unchanged, it is not possible to read the encrypted DER alone.
- refuses to honor the passphrase to DER encode a private key. The toDer method now outputs an empty QByteArray instead of garbage.
Task-number: QTBUG-41038
Change-Id: I4281050cf1104f12d154db201a173633bfe22bd9
Reviewed-by: Richard J. Moore
---
 tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)
(limited to 'tests')
diff --git a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
index ebe9f0f4d2..642b115bee 100644
--- a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
+++ b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
@@ -325,18 +325,10 @@ void tst_QSslKey::toEncryptedPemOrDer()
 }
 if (type == QSsl::PrivateKey) {
+ // verify that private keys are never "encrypted" by toDer() and
+ // instead an empty string is returned, see QTBUG-41038.
 QByteArray encryptedDer = key.toDer(pwBytes);
- // ### at this point, encryptedDer is invalid, hence the below QEXPECT_FAILs
- QVERIFY(!encryptedDer.isEmpty());
- QSslKey keyDer(encryptedDer, algorithm, QSsl::Der, type, pwBytes);
- if (type == QSsl::PrivateKey)
- QEXPECT_FAIL(
- QTest::currentDataTag(), "We're not able to decrypt these yet...", Continue);
- QVERIFY(!keyDer.isNull());
- if (type == QSsl::PrivateKey)
- QEXPECT_FAIL(
- QTest::currentDataTag(), "We're not able to decrypt these yet...", Continue);
- QCOMPARE(keyDer.toPem(), key.toPem());
+ QVERIFY(encryptedDer.isEmpty());
 } else {
 // verify that public keys are never encrypted by toDer()
 QByteArray encryptedDer = key.toDer(pwBytes);
-- 
cgit v1.2.3
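Review bot: The new `QVERIFY(encryptedDer.isEmpty());` in the `QSsl::PrivateKey` branch would also pass if `key` were null or failed to serialise, so on its own it cannot tell a deliberate refusal to honour the passphrase from a broken key. Adding `QVERIFY(!key.toDer().isEmpty());` next to it would pin that the empty result is caused by the passphrase argument, not by the key. The commit message also says the constructor now ignores the passphrase for DER input, but the removed `QSslKey keyDer(...)` lines were the only use of that path in this hunk. If no other test covers it, a check such as `QCOMPARE(QSslKey(key.toDer(), algorithm, QSsl::Der, type, pwBytes).toPem(), key.toPem());` would keep it exercised. `toEncryptedPemOrDer()` starts and ends outside the hunk, so earlier assertions on `key` may already cover part of this; the local name `encryptedDer` is also now misleading, since the value is never encrypted.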