qsslcertificate.cpp source code [qtbase/src/network/ssl/qsslcertificate.cpp]

1	/****************************************************************************
2	**
3	** Copyright (C) 2016 The Qt Company Ltd.
4	** Contact: https://www.qt.io/licensing/
5	**
6	** This file is part of the QtNetwork module of the Qt Toolkit.
7	**
8	** $QT_BEGIN_LICENSE:LGPL$
9	** Commercial License Usage
10	** Licensees holding valid commercial Qt licenses may use this file in
11	** accordance with the commercial license agreement provided with the
12	** Software or, alternatively, in accordance with the terms contained in
13	** a written agreement between you and The Qt Company. For licensing terms
14	** and conditions see https://www.qt.io/terms-conditions. For further
15	** information use the contact form at https://www.qt.io/contact-us.
16	**
17	** GNU Lesser General Public License Usage
18	** Alternatively, this file may be used under the terms of the GNU Lesser
19	** General Public License version 3 as published by the Free Software
20	** Foundation and appearing in the file LICENSE.LGPL3 included in the
21	** packaging of this file. Please review the following information to
22	** ensure the GNU Lesser General Public License version 3 requirements
23	** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
24	**
25	** GNU General Public License Usage
26	** Alternatively, this file may be used under the terms of the GNU
27	** General Public License version 2.0 or (at your option) the GNU General
28	** Public license version 3 or any later version approved by the KDE Free
29	** Qt Foundation. The licenses are as published by the Free Software
30	** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
31	** included in the packaging of this file. Please review the following
32	** information to ensure the GNU General Public License requirements will
33	** be met: https://www.gnu.org/licenses/gpl-2.0.html and
34	** https://www.gnu.org/licenses/gpl-3.0.html.
35	**
36	** $QT_END_LICENSE$
37	**
38	****************************************************************************/
39
40
41	/!*
42	\class QSslCertificate
43	\brief The QSslCertificate class provides a convenient API for an X509 certificate.
44	\since 4.3
45
46	\reentrant
47	\ingroup network
48	\ingroup ssl
49	\ingroup shared
50	\inmodule QtNetwork
51
52	QSslCertificate stores an X509 certificate, and is commonly used
53	to verify the identity and store information about the local host,
54	a remotely connected peer, or a trusted third party Certificate
55	Authority.
56
57	There are many ways to construct a QSslCertificate. The most
58	common way is to call QSslSocket::peerCertificate(), which returns
59	a QSslCertificate object, or QSslSocket::peerCertificateChain(),
60	which returns a list of them. You can also load certificates from
61	a DER (binary) or PEM (Base64) encoded bundle, typically stored as
62	one or more local files, or in a Qt Resource.
63
64	You can call isNull() to check if your certificate is null. By default,
65	QSslCertificate constructs a null certificate. A null certificate is
66	invalid, but an invalid certificate is not necessarily null. If you want
67	to reset all contents in a certificate, call clear().
68
69	After loading a certificate, you can find information about the
70	certificate, its subject, and its issuer, by calling one of the
71	many accessor functions, including version(), serialNumber(),
72	issuerInfo() and subjectInfo(). You can call effectiveDate() and
73	expiryDate() to check when the certificate starts being
74	effective and when it expires.
75	The publicKey() function returns the certificate
76	subject's public key as a QSslKey. You can call issuerInfo() or
77	subjectInfo() to get detailed information about the certificate
78	issuer and its subject.
79
80	Internally, QSslCertificate is stored as an X509 structure. You
81	can access this handle by calling handle(), but the results are
82	likely to not be portable.
83
84	\sa QSslSocket, QSslKey, QSslCipher, QSslError
85	*/
86
87	/!*
88	\enum QSslCertificate::SubjectInfo
89
90	Describes keys that you can pass to QSslCertificate::issuerInfo() or
91	QSslCertificate::subjectInfo() to get information about the certificate
92	issuer or subject.
93
94	\value Organization "O" The name of the organization.
95
96	\value CommonName "CN" The common name; most often this is used to store
97	the host name.
98
99	\value LocalityName "L" The locality.
100
101	\value OrganizationalUnitName "OU" The organizational unit name.
102
103	\value CountryName "C" The country.
104
105	\value StateOrProvinceName "ST" The state or province.
106
107	\value DistinguishedNameQualifier The distinguished name qualifier
108
109	\value SerialNumber The certificate's serial number
110
111	\value EmailAddress The email address associated with the certificate
112	*/
113
114	/!*
115	\enum QSslCertificate::PatternSyntax
116	\since 5.15
117
118	The syntax used to interpret the meaning of the pattern.
119
120	\value RegularExpression A rich Perl-like pattern matching syntax.
121
122	\value Wildcard This provides a simple pattern matching syntax
123	similar to that used by shells (command interpreters) for "file
124	globbing". See \l {QRegularExpression#Wildcard matching}
125	{QRegularExpression Wildcard Matching}.
126
127	\value FixedString The pattern is a fixed string. This is
128	equivalent to using the RegularExpression pattern on a string in
129	which all metacharacters are escaped using escape(). This is the
130	default.
131	*/
132
133	#include <QtNetwork/qtnetworkglobal.h>
134	#ifndef QT_NO_OPENSSL
135	#include "qsslsocket_openssl_symbols_p.h"
136	#endif
137	#if defined(Q_OS_WINRT) && QT_CONFIG(ssl)
138	#include "qsslsocket_winrt_p.h"
139	#endif
140	#ifdef QT_SECURETRANSPORT
141	#include "qsslsocket_mac_p.h"
142	#endif
143	#if QT_CONFIG(schannel)
144	#include "qsslsocket_schannel_p.h"
145	#endif
146	#if QT_CONFIG(regularexpression)
147	#include "qregularexpression.h"
148	#endif
149	#include "qssl_p.h"
150	#include "qsslcertificate.h"
151	#include "qsslcertificate_p.h"
152	#ifndef QT_NO_SSL
153	#include "qsslkey_p.h"
154	#endif
155
156	#include <QtCore/qdir.h>
157	#include <QtCore/qdiriterator.h>
158	#include <QtCore/qfile.h>
159
160	QT_BEGIN_NAMESPACE
161
162	/!*
163	Constructs a QSslCertificate by reading \a format encoded data
164	from \a device and using the first certificate found. You can
165	later call isNull() to see if \a device contained a certificate,
166	and if this certificate was loaded successfully.
167	*/
168	QSslCertificate::QSslCertificate(QIODevice *device, QSsl::EncodingFormat format)
169	: d (new QSslCertificatePrivate)
170	{
171	#ifndef QT_NO_OPENSSL
172	QSslSocketPrivate::ensureInitialized();
173	if (device && QSslSocket::supportsSsl())
174	#else
175	if (device)
176	#endif
177	d ->init(data: device->readAll(), format);
178	}
179
180	/!*
181	Constructs a QSslCertificate by parsing the \a format encoded
182	\a data and using the first available certificate found. You can
183	later call isNull() to see if \a data contained a certificate,
184	and if this certificate was loaded successfully.
185	*/
186	QSslCertificate::QSslCertificate(const QByteArray &data, QSsl::EncodingFormat format)
187	: d (new QSslCertificatePrivate)
188	{
189	#ifndef QT_NO_OPENSSL
190	QSslSocketPrivate::ensureInitialized();
191	if (QSslSocket::supportsSsl())
192	#endif
193	d ->init(data, format);
194	}
195
196	/!*
197	Constructs an identical copy of \a other.
198	*/
199	QSslCertificate::QSslCertificate(const QSslCertificate &other) : d (other.d)
200	{
201	}
202
203	/!*
204	Destroys the QSslCertificate.
205	*/
206	QSslCertificate::~QSslCertificate()
207	{
208	}
209
210	/!*
211	Copies the contents of \a other into this certificate, making the two
212	certificates identical.
213	*/
214	QSslCertificate &QSslCertificate::operator=(const QSslCertificate &other)
215	{
216	d = other.d;
217	return *this;
218	}
219
220	/!*
221	\fn void QSslCertificate::swap(QSslCertificate &other)
222	\since 5.0
223
224	Swaps this certificate instance with \a other. This function is
225	very fast and never fails.
226	*/
227
228	/!*
229	\fn bool QSslCertificate::operator==(const QSslCertificate &other) const
230
231	Returns \c true if this certificate is the same as \a other; otherwise
232	returns \c false.
233	*/
234
235	/!*
236	\fn bool QSslCertificate::operator!=(const QSslCertificate &other) const
237
238	Returns \c true if this certificate is not the same as \a other; otherwise
239	returns \c false.
240	*/
241
242	/!*
243	\fn bool QSslCertificate::isNull() const
244
245	Returns \c true if this is a null certificate (i.e., a certificate
246	with no contents); otherwise returns \c false.
247
248	By default, QSslCertificate constructs a null certificate.
249
250	\sa clear()
251	*/
252
253	#if QT_DEPRECATED_SINCE(5,0)
254	/!*
255	\fn bool QSslCertificate::isValid() const
256	\obsolete
257
258	To verify a certificate, use verify().
259	To check if a certificate is blacklisted, use isBlacklisted().
260	To check if a certificate has expired or is not yet valid, compare
261	expiryDate() and effectiveDate() with QDateTime::currentDateTime()
262
263	This function checks that the current
264	date-time is within the date-time range during which the
265	certificate is considered valid, and checks that the
266	certificate is not in a blacklist of fraudulent certificates.
267
268	\sa isNull(), verify(), isBlacklisted(), expiryDate(), effectiveDate()
269	*/
270	#endif
271
272	/!*
273	Returns \c true if this certificate is blacklisted; otherwise
274	returns \c false.
275
276	\sa isNull()
277	*/
278	bool QSslCertificate::isBlacklisted() const
279	{
280	return QSslCertificatePrivate::isBlacklisted(certificate: *this);
281	}
282
283	/!*
284	\fn bool QSslCertificate::isSelfSigned() const
285	\since 5.4
286
287	Returns \c true if this certificate is self signed; otherwise
288	returns \c false.
289
290	A certificate is considered self-signed its issuer and subject
291	are identical.
292	*/
293
294	/!*
295	Clears the contents of this certificate, making it a null
296	certificate.
297
298	\sa isNull()
299	*/
300	void QSslCertificate::clear()
301	{
302	if (isNull())
303	return;
304	d = new QSslCertificatePrivate;
305	}
306
307	/!*
308	\fn QByteArray QSslCertificate::version() const
309	Returns the certificate's version string.
310	*/
311
312	/!*
313	\fn QByteArray QSslCertificate::serialNumber() const
314
315	Returns the certificate's serial number string in hexadecimal format.
316	*/
317
318	/!*
319	Returns a cryptographic digest of this certificate. By default,
320	an MD5 digest will be generated, but you can also specify a
321	custom \a algorithm.
322	*/
323	QByteArray QSslCertificate::digest(QCryptographicHash::Algorithm algorithm) const
324	{
325	return QCryptographicHash::hash(data: toDer(), method: algorithm);
326	}
327
328	/!*
329	\fn QString QSslCertificate::issuerInfo(SubjectInfo subject) const
330
331	Returns the issuer information for the \a subject from the
332	certificate, or an empty list if there is no information for
333	\a subject in the certificate. There can be more than one entry
334	of each type.
335
336	\sa subjectInfo()
337	*/
338
339	/!*
340	\fn QStringList QSslCertificate::issuerInfo(const QByteArray &attribute) const
341
342	Returns the issuer information for \a attribute from the certificate,
343	or an empty list if there is no information for \a attribute in the
344	certificate. There can be more than one entry for an attribute.
345
346	\sa subjectInfo()
347	*/
348
349	/!*
350	\fn QString QSslCertificate::subjectInfo(SubjectInfo subject) const
351
352	Returns the information for the \a subject, or an empty list if
353	there is no information for \a subject in the certificate. There
354	can be more than one entry of each type.
355
356	\sa issuerInfo()
357	*/
358
359	/!*
360	\fn QStringList QSslCertificate::subjectInfo(const QByteArray &attribute) const
361
362	Returns the subject information for \a attribute, or an empty list if
363	there is no information for \a attribute in the certificate. There
364	can be more than one entry for an attribute.
365
366	\sa issuerInfo()
367	*/
368
369	/!*
370	\fn QList<QByteArray> QSslCertificate::subjectInfoAttributes() const
371
372	\since 5.0
373	Returns a list of the attributes that have values in the subject
374	information of this certificate. The information associated
375	with a given attribute can be accessed using the subjectInfo()
376	method. Note that this list may include the OIDs for any
377	elements that are not known by the SSL backend.
378
379	\sa subjectInfo()
380	*/
381
382	/!*
383	\fn QList<QByteArray> QSslCertificate::issuerInfoAttributes() const
384
385	\since 5.0
386	Returns a list of the attributes that have values in the issuer
387	information of this certificate. The information associated
388	with a given attribute can be accessed using the issuerInfo()
389	method. Note that this list may include the OIDs for any
390	elements that are not known by the SSL backend.
391
392	\sa subjectInfo()
393	*/
394
395	#if QT_DEPRECATED_SINCE(5,0)
396	/!*
397	\fn QMultiMap<QSsl::AlternateNameEntryType, QString> QSslCertificate::alternateSubjectNames() const
398	\obsolete
399
400	Use QSslCertificate::subjectAlternativeNames();
401	*/
402	#endif
403
404	/!*
405	\fn QMultiMap<QSsl::AlternativeNameEntryType, QString> QSslCertificate::subjectAlternativeNames() const
406
407	Returns the list of alternative subject names for this
408	certificate. The alternative names typically contain host
409	names, optionally with wildcards, that are valid for this
410	certificate.
411
412	These names are tested against the connected peer's host name, if
413	either the subject information for \l CommonName doesn't define a
414	valid host name, or the subject info name doesn't match the peer's
415	host name.
416
417	\sa subjectInfo()
418	*/
419
420	/!*
421	\fn QDateTime QSslCertificate::effectiveDate() const
422
423	Returns the date-time that the certificate becomes valid, or an
424	empty QDateTime if this is a null certificate.
425
426	\sa expiryDate()
427	*/
428
429	/!*
430	\fn QDateTime QSslCertificate::expiryDate() const
431
432	Returns the date-time that the certificate expires, or an empty
433	QDateTime if this is a null certificate.
434
435	\sa effectiveDate()
436	*/
437
438	/!*
439	\fn Qt::HANDLE QSslCertificate::handle() const
440	Returns a pointer to the native certificate handle, if there is
441	one, else \nullptr.
442
443	You can use this handle, together with the native API, to access
444	extended information about the certificate.
445
446	\warning Use of this function has a high probability of being
447	non-portable, and its return value may vary from platform to
448	platform or change from minor release to minor release.
449	*/
450
451	/!*
452	\fn QSslKey QSslCertificate::publicKey() const
453	Returns the certificate subject's public key.
454	*/
455
456	/!*
457	\fn QList<QSslCertificateExtension> QSslCertificate::extensions() const
458
459	Returns a list containing the X509 extensions of this certificate.
460	\since 5.0
461	*/
462
463	/!*
464	\fn QByteArray QSslCertificate::toPem() const
465
466	Returns this certificate converted to a PEM (Base64) encoded
467	representation.
468	*/
469
470	/!*
471	\fn QByteArray QSslCertificate::toDer() const
472
473	Returns this certificate converted to a DER (binary) encoded
474	representation.
475	*/
476
477	/!*
478	\fn QString QSslCertificate::toText() const
479
480	Returns this certificate converted to a human-readable text
481	representation.
482
483	\since 5.0
484	*/
485
486	#if QT_DEPRECATED_SINCE(5,15)
487	/!*
488	\obsolete
489
490	Searches all files in the \a path for certificates encoded in the
491	specified \a format and returns them in a list. \a path must be a file
492	or a pattern matching one or more files, as specified by \a syntax.
493
494	Example:
495
496	\snippet code/src_network_ssl_qsslcertificate.cpp 0
497
498	\sa fromData()
499	*/
500	QList<QSslCertificate> QSslCertificate::fromPath(const QString &path,
501	QSsl::EncodingFormat format,
502	QRegExp::PatternSyntax syntax)
503	{
504	// $, (,), , +, ., ?, [, ,], ^, {, \| and }.*
505
506	// make sure to use the same path separators on Windows and Unix like systems.
507	QString sourcePath = QDir::fromNativeSeparators(pathName: path);
508
509	// Find the path without the filename
510	QString pathPrefix = sourcePath.left(n: sourcePath.lastIndexOf(c: QLatin1Char (`'/'`)));
511
512	// Check if the path contains any special chars
513	int pos = -`1`;
514	if (syntax == QRegExp::Wildcard)
515	pos = pathPrefix.indexOf(QRegExp (QLatin1String ("[*?[]")));
516	else if (syntax != QRegExp::FixedString)
517	pos = sourcePath.indexOf(QRegExp (QLatin1String ("[\\$\$\$\\*\\+\\.\\?\\[\\]\\^\\{\\}\\\|]")));
518	if (pos != -`1`) {
519	// there was a special char in the path so cut of the part containing that char.
520	pathPrefix = pathPrefix.left(n: pos);
521	const int lastIndexOfSlash = pathPrefix.lastIndexOf(c: QLatin1Char (`'/'`));
522	if (lastIndexOfSlash != -`1`)
523	pathPrefix = pathPrefix.left(n: lastIndexOfSlash);
524	else
525	pathPrefix.clear();
526	} else {
527	// Check if the path is a file.
528	if (QFileInfo (sourcePath).isFile()) {
529	QFile file(sourcePath);
530	QIODevice::OpenMode openMode = QIODevice::ReadOnly;
531	if (format == QSsl::Pem)
532	openMode \|= QIODevice::Text;
533	if (file.open(flags: openMode))
534	return QSslCertificate::fromData(data: file.readAll(), format);
535	return QList<QSslCertificate>();
536	}
537	}
538
539	// Special case - if the prefix ends up being nothing, use "." instead.
540	int startIndex = `0`;
541	if (pathPrefix.isEmpty()) {
542	pathPrefix = QLatin1String (".");
543	startIndex = `2`;
544	}
545
546	// The path can be a file or directory.
547	QList<QSslCertificate> certs;
548	QRegExp pattern(sourcePath, Qt::CaseSensitive, syntax);
549	QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks \| QDirIterator::Subdirectories);
550	while (it.hasNext()) {
551	QString filePath = startIndex == `0` ? it.next() : it.next().mid(position: startIndex);
552	if (!pattern.exactMatch(str: filePath))
553	continue;
554
555	QFile file(filePath);
556	QIODevice::OpenMode openMode = QIODevice::ReadOnly;
557	if (format == QSsl::Pem)
558	openMode \|= QIODevice::Text;
559	if (file.open(flags: openMode))
560	certs += QSslCertificate::fromData(data: file.readAll(), format);
561	}
562	return certs;
563	}
564	#endif // QT_DEPRECATED_SINCE(5,15)
565
566	/!*
567	\since 5.15
568
569	Searches all files in the \a path for certificates encoded in the
570	specified \a format and returns them in a list. \a path must be a file
571	or a pattern matching one or more files, as specified by \a syntax.
572
573	Example:
574
575	\snippet code/src_network_ssl_qsslcertificate.cpp 1
576
577	\sa fromData()
578	*/
579	QList<QSslCertificate> QSslCertificate::fromPath(const QString &path,
580	QSsl::EncodingFormat format,
581	PatternSyntax syntax)
582	{
583	// $, (,), , +, ., ?, [, ,], ^, {, \| and }.*
584
585	// make sure to use the same path separators on Windows and Unix like systems.
586	QString sourcePath = QDir::fromNativeSeparators(pathName: path);
587
588	// Find the path without the filename
589	QString pathPrefix = sourcePath.left(n: sourcePath.lastIndexOf(c: QLatin1Char (`'/'`)));
590
591	// Check if the path contains any special chars
592	int pos = -`1`;
593
594	#if QT_CONFIG(regularexpression)
595	if (syntax == PatternSyntax::Wildcard)
596	pos = pathPrefix.indexOf(re: QRegularExpression (QLatin1String ("[*?[]")));
597	else if (syntax == PatternSyntax::RegularExpression)
598	pos = sourcePath.indexOf(re: QRegularExpression (QLatin1String ("[\\$\$\$\\*\\+\\.\\?\\[\\]\\^\\{\\}\\\|]")));
599	#else
600	if (syntax == PatternSyntax::Wildcard \|\| syntax == PatternSyntax::RegExp)
601	qWarning("Regular expression support is disabled in this build. Only fixed string can be searched");
602	return QList<QSslCertificate>();
603	#endif
604
605	if (pos != -`1`) {
606	// there was a special char in the path so cut of the part containing that char.
607	pathPrefix = pathPrefix.left(n: pos);
608	const int lastIndexOfSlash = pathPrefix.lastIndexOf(c: QLatin1Char (`'/'`));
609	if (lastIndexOfSlash != -`1`)
610	pathPrefix = pathPrefix.left(n: lastIndexOfSlash);
611	else
612	pathPrefix.clear();
613	} else {
614	// Check if the path is a file.
615	if (QFileInfo (sourcePath).isFile()) {
616	QFile file(sourcePath);
617	QIODevice::OpenMode openMode = QIODevice::ReadOnly;
618	if (format == QSsl::Pem)
619	openMode \|= QIODevice::Text;
620	if (file.open(flags: openMode))
621	return QSslCertificate::fromData(data: file.readAll(), format);
622	return QList<QSslCertificate>();
623	}
624	}
625
626	// Special case - if the prefix ends up being nothing, use "." instead.
627	int startIndex = `0`;
628	if (pathPrefix.isEmpty()) {
629	pathPrefix = QLatin1String (".");
630	startIndex = `2`;
631	}
632
633	// The path can be a file or directory.
634	QList<QSslCertificate> certs;
635
636	#if QT_CONFIG(regularexpression)
637	if (syntax == PatternSyntax::Wildcard)
638	sourcePath = QRegularExpression::wildcardToRegularExpression(str: sourcePath);
639
640	QRegularExpression pattern(QRegularExpression::anchoredPattern(expression: sourcePath));
641	#endif
642
643	QDirIterator it(pathPrefix, QDir::Files, QDirIterator::FollowSymlinks \| QDirIterator::Subdirectories);
644	while (it.hasNext()) {
645	QString filePath = startIndex == `0` ? it.next() : it.next().mid(position: startIndex);
646
647	#if QT_CONFIG(regularexpression)
648	if (!pattern.match(subject: filePath).hasMatch())
649	continue;
650	#else
651	if (sourcePath != filePath)
652	continue;
653	#endif
654
655	QFile file(filePath);
656	QIODevice::OpenMode openMode = QIODevice::ReadOnly;
657	if (format == QSsl::Pem)
658	openMode \|= QIODevice::Text;
659	if (file.open(flags: openMode))
660	certs += QSslCertificate::fromData(data: file.readAll(), format);
661	}
662	return certs;
663	}
664
665	/!*
666	Searches for and parses all certificates in \a device that are
667	encoded in the specified \a format and returns them in a list of
668	certificates.
669
670	\sa fromData()
671	*/
672	QList<QSslCertificate> QSslCertificate::fromDevice(QIODevice *device, QSsl::EncodingFormat format)
673	{
674	if (!device) {
675	qCWarning(lcSsl, "QSslCertificate::fromDevice: cannot read from a null device");
676	return QList<QSslCertificate>();
677	}
678	return fromData(data: device->readAll(), format);
679	}
680
681	/!*
682	Searches for and parses all certificates in \a data that are
683	encoded in the specified \a format and returns them in a list of
684	certificates.
685
686	\sa fromDevice()
687	*/
688	QList<QSslCertificate> QSslCertificate::fromData(const QByteArray &data, QSsl::EncodingFormat format)
689	{
690	return (format == QSsl::Pem)
691	? QSslCertificatePrivate::certificatesFromPem(pem: data)
692	: QSslCertificatePrivate::certificatesFromDer(der: data);
693	}
694
695	#ifndef QT_NO_SSL
696
697	/!*
698	Verifies a certificate chain. The chain to be verified is passed in the
699	\a certificateChain parameter. The first certificate in the list should
700	be the leaf certificate of the chain to be verified. If \a hostName is
701	specified then the certificate is also checked to see if it is valid for
702	the specified host name.
703
704	Note that the root (CA) certificate should not be included in the list to be verified,
705	this will be looked up automatically using the CA list specified in the
706	default QSslConfiguration, and, in addition, if possible, CA certificates loaded on
707	demand on Unix and Windows.
708
709	\since 5.0
710	*/
711	#if QT_VERSION >= QT_VERSION_CHECK(6,0,0)
712	QList<QSslError> QSslCertificate::verify(const QList<QSslCertificate> &certificateChain, const QString &hostName)
713	#else
714	QList<QSslError> QSslCertificate::verify(QList<QSslCertificate> certificateChain, const QString &hostName)
715	#endif
716	{
717	return QSslSocketBackendPrivate::verify(certificateChain, hostName);
718	}
719
720	/!*
721	\since 5.4
722
723	Imports a PKCS#12 (pfx) file from the specified \a device. A PKCS#12
724	file is a bundle that can contain a number of certificates and keys.
725	This method reads a single \a key, its \a certificate and any
726	associated \a caCertificates from the bundle. If a \a passPhrase is
727	specified then this will be used to decrypt the bundle. Returns
728	\c true if the PKCS#12 file was successfully loaded.
729
730	\note The \a device must be open and ready to be read from.
731	*/
732	bool QSslCertificate::importPkcs12(QIODevice *device,
733	QSslKey key, QSslCertificate certificate,
734	QList<QSslCertificate> *caCertificates,
735	const QByteArray &passPhrase)
736	{
737	return QSslSocketBackendPrivate::importPkcs12(device, key, cert: certificate, caCertificates, passPhrase);
738	}
739
740	#endif
741
742	// These certificates are known to be fraudulent and were created during the comodo
743	// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
744	static const char *const certificate_blacklist[] = {
745	"04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e", "mail.google.com", // Comodo
746	"f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06", "www.google.com", // Comodo
747	"d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3", "login.yahoo.com", // Comodo
748	"39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29", "login.yahoo.com", // Comodo
749	"3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71", "login.yahoo.com", // Comodo
750	"e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47", "login.skype.com", // Comodo
751	"92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43", "addons.mozilla.org", // Comodo
752	"b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0", "login.live.com", // Comodo
753	"d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0", "global trustee", // Comodo
754
755	"05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56", ".google.com", // leaf certificate issued by DigiNotar*
756	"0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c", "DigiNotar Root CA", // DigiNotar root
757	"f1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49", "DigiNotar Services CA", // DigiNotar intermediate signed by DigiNotar Root
758	"36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38", "DigiNotar Services 1024 CA", // DigiNotar intermediate signed by DigiNotar Root
759	"0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e", "DigiNotar Root CA G2", // other DigiNotar Root CA
760	"a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21", "CertiID Enterprise Certificate Authority", // DigiNotar intermediate signed by "DigiNotar Root CA G2"
761	"5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41", "DigiNotar Qualified CA", // DigiNotar intermediate signed by DigiNotar Root
762
763	"46:9c:2c:b0", "DigiNotar Services 1024 CA", // DigiNotar intermediate cross-signed by Entrust
764	"07:27:10:0d", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust
765	"07:27:0f:f9", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust
766	"07:27:10:03", "DigiNotar Cyber CA", // DigiNotar intermediate cross-signed by CyberTrust
767	"01:31:69:b0", "DigiNotar PKIoverheid CA Overheid en Bedrijven", // DigiNotar intermediate cross-signed by the Dutch government
768	"01:31:34:bf", "DigiNotar PKIoverheid CA Organisatie - G2", // DigiNotar intermediate cross-signed by the Dutch government
769	"d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4", "DigiNotar Extended Validation CA", // DigiNotar intermediate signed by DigiNotar EV Root
770	"1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04", "DigiNotar Public CA 2025", // DigiNotar intermediate
771	// "(has not been seen in the wild so far)", "DigiNotar Public CA - G2", // DigiNotar intermediate
772	// "(has not been seen in the wild so far)", "Koninklijke Notariele Beroepsorganisatie CA", // compromised during DigiNotar breach
773	// "(has not been seen in the wild so far)", "Stichting TTP Infos CA," // compromised during DigiNotar breach
774	"46:9c:2c:af", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust
775	"46:9c:3c:c9", "DigiNotar Root CA", // DigiNotar intermediate cross-signed by Entrust
776
777	"07:27:14:a9", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
778	"4c:0e:63:6a", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
779	"72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate
780	"41", "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/
781
782	"08:27", ".EGO.GOV.TR", // Turktrust mis-issued intermediate certificate*
783	"08:64", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
784
785	"03:1d:a7", "AC DG Tr\xC3\xA9sor SSL", // intermediate certificate linking back to ANSSI French National Security Agency
786	"27:83", "NIC Certifying Authority", // intermediate certificate from NIC India (2007)
787	"27:92", "NIC CA 2011", // intermediate certificate from NIC India (2011)
788	"27:b1", "NIC CA 2014", // intermediate certificate from NIC India (2014)
789	nullptr
790	};
791
792	bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
793	{
794	for (int a = `0`; certificate_blacklist[a] != nullptr; a++) {
795	QString blacklistedCommonName = QString::fromUtf8(str: certificate_blacklist[(a+`1`)]);
796	if (certificate.serialNumber() == certificate_blacklist[a++] &&
797	(certificate.subjectInfo(info: QSslCertificate::CommonName).contains(str: blacklistedCommonName) \|\|
798	certificate.issuerInfo(info: QSslCertificate::CommonName).contains(str: blacklistedCommonName)))
799	return true;
800	}
801	return false;
802	}
803
804	QByteArray QSslCertificatePrivate::subjectInfoToString(QSslCertificate::SubjectInfo info)
805	{
806	QByteArray str;
807	switch (info) {
808	case QSslCertificate::Organization: str = QByteArray ("O"); break;
809	case QSslCertificate::CommonName: str = QByteArray ("CN"); break;
810	case QSslCertificate::LocalityName: str = QByteArray ("L"); break;
811	case QSslCertificate::OrganizationalUnitName: str = QByteArray ("OU"); break;
812	case QSslCertificate::CountryName: str = QByteArray ("C"); break;
813	case QSslCertificate::StateOrProvinceName: str = QByteArray ("ST"); break;
814	case QSslCertificate::DistinguishedNameQualifier: str = QByteArray ("dnQualifier"); break;
815	case QSslCertificate::SerialNumber: str = QByteArray ("serialNumber"); break;
816	case QSslCertificate::EmailAddress: str = QByteArray ("emailAddress"); break;
817	}
818	return str;
819	}
820
821	/!*
822	\since 5.12
823
824	Returns a name that describes the issuer. It returns the QSslCertificate::CommonName
825	if available, otherwise falls back to the first QSslCertificate::Organization or the
826	first QSslCertificate::OrganizationalUnitName.
827
828	\sa issuerInfo()
829	*/
830	QString QSslCertificate::issuerDisplayName() const
831	{
832	QStringList names;
833	names = issuerInfo(info: QSslCertificate::CommonName);
834	if (!names.isEmpty())
835	return names.first();
836	names = issuerInfo(info: QSslCertificate::Organization);
837	if (!names.isEmpty())
838	return names.first();
839	names = issuerInfo(info: QSslCertificate::OrganizationalUnitName);
840	if (!names.isEmpty())
841	return names.first();
842
843	return QString ();
844	}
845
846	/!*
847	\since 5.12
848
849	Returns a name that describes the subject. It returns the QSslCertificate::CommonName
850	if available, otherwise falls back to the first QSslCertificate::Organization or the
851	first QSslCertificate::OrganizationalUnitName.
852
853	\sa subjectInfo()
854	*/
855	QString QSslCertificate::subjectDisplayName() const
856	{
857	QStringList names;
858	names = subjectInfo(info: QSslCertificate::CommonName);
859	if (!names.isEmpty())
860	return names.first();
861	names = subjectInfo(info: QSslCertificate::Organization);
862	if (!names.isEmpty())
863	return names.first();
864	names = subjectInfo(info: QSslCertificate::OrganizationalUnitName);
865	if (!names.isEmpty())
866	return names.first();
867
868	return QString ();
869	}
870
871	/!*
872	\fn uint qHash(const QSslCertificate &key, uint seed)
873
874	Returns the hash value for the \a key, using \a seed to seed the calculation.
875	\since 5.4
876	\relates QHash
877	*/
878
879	#ifndef QT_NO_DEBUG_STREAM
880	QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
881	{
882	QDebugStateSaver saver(debug);
883	debug.resetFormat().nospace();
884	debug << "QSslCertificate("
885	<< certificate.version()
886	<< ", " << certificate.serialNumber()
887	<< ", " << certificate.digest().toBase64()
888	<< ", " << certificate.issuerDisplayName()
889	<< ", " << certificate.subjectDisplayName()
890	<< ", " << certificate.subjectAlternativeNames()
891	#if QT_CONFIG(datestring)
892	<< ", " << certificate.effectiveDate()
893	<< ", " << certificate.expiryDate()
894	#endif
895	<< `')'`;
896	return debug;
897	}
898	QDebug operator<<(QDebug debug, QSslCertificate::SubjectInfo info)
899	{
900	switch (info) {
901	case QSslCertificate::Organization: debug << "Organization"; break;
902	case QSslCertificate::CommonName: debug << "CommonName"; break;
903	case QSslCertificate::CountryName: debug << "CountryName"; break;
904	case QSslCertificate::LocalityName: debug << "LocalityName"; break;
905	case QSslCertificate::OrganizationalUnitName: debug << "OrganizationalUnitName"; break;
906	case QSslCertificate::StateOrProvinceName: debug << "StateOrProvinceName"; break;
907	case QSslCertificate::DistinguishedNameQualifier: debug << "DistinguishedNameQualifier"; break;
908	case QSslCertificate::SerialNumber: debug << "SerialNumber"; break;
909	case QSslCertificate::EmailAddress: debug << "EmailAddress"; break;
910	}
911	return debug;
912	}
913	#endif
914
915	QT_END_NAMESPACE
916

source code of qtbase/src/network/ssl/qsslcertificate.cpp