1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
// Copyright (C) 2016 The Qt Company Ltd.
// Copyright (C) 2015 ownCloud Inc
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
#include <QtNetwork/private/qtlsbackend_p.h>
#include <QtNetwork/qsslcertificate.h>
#include <QtCore/qglobal.h>
#include <QtCore/qdebug.h>
#ifdef Q_OS_MACOS
#include <QtCore/private/qcore_mac_p.h>
#include <CoreFoundation/CFArray.h>
#include <Security/Security.h>
#endif // Q_OS_MACOS
QT_BEGIN_NAMESPACE
#ifdef Q_OS_MACOS
namespace {
bool hasTrustedSslServerPolicy(SecPolicyRef policy, CFDictionaryRef props) {
QCFType<CFDictionaryRef> policyProps = SecPolicyCopyProperties(policy);
// only accept certificates with policies for SSL server validation for now
if (CFEqual(CFDictionaryGetValue(policyProps, kSecPolicyOid), kSecPolicyAppleSSL)) {
CFBooleanRef policyClient;
if (CFDictionaryGetValueIfPresent(policyProps, kSecPolicyClient, reinterpret_cast<const void**>(&policyClient)) &&
CFEqual(policyClient, kCFBooleanTrue)) {
return false; // no client certs
}
if (!CFDictionaryContainsKey(props, kSecTrustSettingsResult)) {
// as per the docs, no trust settings result implies full trust
return true;
}
CFNumberRef number = static_cast<CFNumberRef>(CFDictionaryGetValue(props, kSecTrustSettingsResult));
SecTrustSettingsResult settingsResult;
CFNumberGetValue(number, kCFNumberSInt32Type, &settingsResult);
switch (settingsResult) {
case kSecTrustSettingsResultTrustRoot:
case kSecTrustSettingsResultTrustAsRoot:
return true;
default:
return false;
}
}
return false;
}
bool isCaCertificateTrusted(SecCertificateRef cfCert, int domain)
{
QCFType<CFArrayRef> cfTrustSettings;
OSStatus status = SecTrustSettingsCopyTrustSettings(cfCert, SecTrustSettingsDomain(domain), &cfTrustSettings);
if (status == noErr) {
CFIndex size = CFArrayGetCount(cfTrustSettings);
// if empty, trust for everything (as per the Security Framework documentation)
if (size == 0) {
return true;
} else {
for (CFIndex i = 0; i < size; ++i) {
CFDictionaryRef props = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(cfTrustSettings, i));
if (CFDictionaryContainsKey(props, kSecTrustSettingsPolicy)) {
if (hasTrustedSslServerPolicy((SecPolicyRef)CFDictionaryGetValue(props, kSecTrustSettingsPolicy), props))
return true;
}
}
}
}
return false;
}
} // unnamed namespace
#endif // Q_OS_MACOS
namespace QTlsPrivate {
QList<QSslCertificate> systemCaCertificates()
{
QList<QSslCertificate> systemCerts;
// SecTrustSettingsCopyCertificates is not defined on iOS.
#ifdef Q_OS_MACOS
// iterate through all enum members, order:
// kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem
for (int dom = kSecTrustSettingsDomainUser; dom <= int(kSecTrustSettingsDomainSystem); dom++) {
QCFType<CFArrayRef> cfCerts;
OSStatus status = SecTrustSettingsCopyCertificates(SecTrustSettingsDomain(dom), &cfCerts);
if (status == noErr) {
const CFIndex size = CFArrayGetCount(cfCerts);
for (CFIndex i = 0; i < size; ++i) {
SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert);
if (isCaCertificateTrusted(cfCert, dom)) {
if (derData)
systemCerts << QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der);
}
}
}
}
#endif
return systemCerts;
}
} // namespace QTlsPrivate
QT_END_NAMESPACE
|