Qt
Internal/Contributor docs for the Qt SDK. Note: These are NOT official API docs; those are found at https://doc.qt.io/
Loading...
Searching...
No Matches
qx509_openssl.cpp
Go to the documentation of this file.
1// Copyright (C) 2021 The Qt Company Ltd.
2// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
3// Qt-Security score:critical reason:cryptography
4
5#include "qsslsocket_openssl_symbols_p.h"
6#include "qtlsbackend_openssl_p.h"
7#include "qtlskey_openssl_p.h"
8#include "qx509_openssl_p.h"
9#include "qtls_openssl_p.h"
10
11#include <QtNetwork/private/qsslcertificate_p.h>
12
13#include <QtNetwork/qsslsocket.h>
14#include <QtNetwork/qhostaddress.h>
15
16#include <QtCore/qendian.h>
17#include <QtCore/qdatetime.h>
18#include <QtCore/qhash.h>
19#include <QtCore/qiodevice.h>
20#include <QtCore/qscopeguard.h>
21#include <QtCore/qtimezone.h>
22#include <QtCore/qvarlengtharray.h>
23
24QT_BEGIN_NAMESPACE
25
26using namespace Qt::StringLiterals;
27
28namespace QTlsPrivate {
29
30namespace {
31
32QByteArray asn1ObjectId(ASN1_OBJECT *object)
33{
34 if (!object)
35 return {};
36
37 char buf[80] = {}; // The openssl docs a buffer length of 80 should be more than enough
38 q_OBJ_obj2txt(buf, sizeof(buf), object, 1); // the 1 says always use the oid not the long name
39
40 return QByteArray(buf);
41}
42
43QByteArray asn1ObjectName(ASN1_OBJECT *object)
44{
45 if (!object)
46 return {};
47
48 const int nid = q_OBJ_obj2nid(object);
49 if (nid != NID_undef)
50 return QByteArray(q_OBJ_nid2sn(nid));
51
52 return asn1ObjectId(object);
53}
54
55QMultiMap<QByteArray, QString> mapFromX509Name(X509_NAME *name)
56{
57 if (!name)
58 return {};
59
60 QMultiMap<QByteArray, QString> info;
61 for (int i = 0; i < q_X509_NAME_entry_count(name); ++i) {
62 X509_NAME_ENTRY *e = q_X509_NAME_get_entry(name, i);
63
64 QByteArray name = asn1ObjectName(q_X509_NAME_ENTRY_get_object(e));
65 unsigned char *data = nullptr;
66 int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e));
67 info.insert(name, QString::fromUtf8((char*)data, size));
68 q_CRYPTO_free(data, nullptr, 0);
69 }
70
71 return info;
72}
73
74QDateTime dateTimeFromASN1(const ASN1_TIME *aTime)
75{
76 QDateTime result;
77 tm lTime;
78
79 if (q_ASN1_TIME_to_tm(aTime, &lTime)) {
80 QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday);
81 QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec);
82 result = QDateTime(resDate, resTime, QTimeZone::UTC);
83 }
84
85 return result;
86}
87
88
89#define BEGINCERTSTRING "-----BEGIN CERTIFICATE-----"
90#define ENDCERTSTRING "-----END CERTIFICATE-----"
91
92QByteArray x509ToQByteArray(X509 *x509, QSsl::EncodingFormat format)
93{
94 Q_ASSERT(x509);
95
96 // Use i2d_X509 to convert the X509 to an array.
97 const int length = q_i2d_X509(x509, nullptr);
98 if (length <= 0) {
99 QTlsBackendOpenSSL::logAndClearErrorQueue();
100 return {};
101 }
102
103 QByteArray array;
104 array.resize(length);
105
106 char *data = array.data();
107 char **dataP = &data;
108 unsigned char **dataPu = (unsigned char **)dataP;
109 if (q_i2d_X509(x509, dataPu) < 0)
110 return QByteArray();
111
112 if (format == QSsl::Der)
113 return array;
114
115 // Convert to Base64 - wrap at 64 characters.
116 array = array.toBase64();
117 QByteArray tmp;
118 for (int i = 0; i <= array.size() - 64; i += 64) {
119 tmp += QByteArray::fromRawData(array.data() + i, 64);
120 tmp += '\n';
121 }
122 if (int remainder = array.size() % 64) {
123 tmp += QByteArray::fromRawData(array.data() + array.size() - remainder, remainder);
124 tmp += '\n';
125 }
126
127 return BEGINCERTSTRING "\n" + tmp + ENDCERTSTRING "\n";
128}
129
130QString x509ToText(X509 *x509)
131{
132 Q_ASSERT(x509);
133
134 QByteArray result;
135 BIO *bio = q_BIO_new(q_BIO_s_mem());
136 if (!bio)
137 return QString();
138 const auto bioRaii = qScopeGuard([bio]{q_BIO_free(bio);});
139
140 q_X509_print(bio, x509);
141
142 QVarLengthArray<char, 16384> data;
143 int count = q_BIO_read(bio, data.data(), 16384);
144 if ( count > 0 )
145 result = QByteArray( data.data(), count );
146
147 return QString::fromLatin1(result);
148}
149
150QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext)
151{
152 // Get the extension specific method object if available
153 // we cast away the const-ness here because some versions of openssl
154 // don't use const for the parameters in the functions pointers stored
155 // in the object.
156 Q_ASSERT(ext);
157
158 X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext));
159 if (!meth) {
160 ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext);
161 Q_ASSERT(value);
162 QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(value)),
163 q_ASN1_STRING_length(value));
164 return result;
165 }
166
167 void *ext_internal = q_X509V3_EXT_d2i(ext);
168 if (!ext_internal)
169 return {};
170
171 const auto extCleaner = qScopeGuard([meth, ext_internal]{
172 Q_ASSERT(ext_internal && meth);
173
174 if (meth->it)
175 q_ASN1_item_free(static_cast<ASN1_VALUE *>(ext_internal), ASN1_ITEM_ptr(meth->it));
176 else if (meth->ext_free)
177 meth->ext_free(ext_internal);
178 else
179 qCWarning(lcTlsBackend, "No method to free an unknown extension, a potential memory leak?");
180 });
181
182 // If this extension can be converted
183 if (meth->i2v) {
184 STACK_OF(CONF_VALUE) *val = meth->i2v(meth, ext_internal, nullptr);
185 const auto stackCleaner = qScopeGuard([val]{
186 if (val)
187 q_OPENSSL_sk_pop_free((OPENSSL_STACK *)val, (void(*)(void*))q_X509V3_conf_free);
188 });
189
190 QVariantMap map;
191 QVariantList list;
192 bool isMap = false;
193
194 for (int j = 0; j < q_SKM_sk_num(val); j++) {
195 CONF_VALUE *nval = q_SKM_sk_value(CONF_VALUE, val, j);
196 if (nval->name && nval->value) {
197 isMap = true;
198 map[QString::fromUtf8(nval->name)] = QString::fromUtf8(nval->value);
199 } else if (nval->name) {
200 list << QString::fromUtf8(nval->name);
201 } else if (nval->value) {
202 list << QString::fromUtf8(nval->value);
203 }
204 }
205
206 if (isMap)
207 return map;
208 else
209 return list;
210 } else if (meth->i2s) {
211 const char *hexString = meth->i2s(meth, ext_internal);
212 QVariant result(hexString ? QString::fromUtf8(hexString) : QString{});
213 q_OPENSSL_free((void *)hexString);
214 return result;
215 } else if (meth->i2r) {
216 QByteArray result;
217
218 BIO *bio = q_BIO_new(q_BIO_s_mem());
219 if (!bio)
220 return result;
221
222 meth->i2r(meth, ext_internal, bio, 0);
223
224 char *bio_buffer;
225 long bio_size = q_BIO_get_mem_data(bio, &bio_buffer);
226 result = QByteArray(bio_buffer, bio_size);
227
228 q_BIO_free(bio);
229 return result;
230 }
231
232 return QVariant();
233}
234
235/*
236 * Convert extensions to a variant. The naming of the keys of the map are
237 * taken from RFC 5280, however we decided the capitalisation in the RFC
238 * was too silly for the real world.
239 */
240QVariant x509ExtensionToValue(X509_EXTENSION *ext)
241{
242 ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext);
243 int nid = q_OBJ_obj2nid(obj);
244
245 // We cast away the const-ness here because some versions of openssl
246 // don't use const for the parameters in the functions pointers stored
247 // in the object.
248 X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext));
249
250 void *ext_internal = nullptr; // The value, returned by X509V3_EXT_d2i.
251 const auto extCleaner = qScopeGuard([meth, &ext_internal]() {
252 if (!meth || !ext_internal)
253 return;
254
255 if (meth->it)
256 q_ASN1_item_free(static_cast<ASN1_VALUE *>(ext_internal), ASN1_ITEM_ptr(meth->it));
257 else if (meth->ext_free)
258 meth->ext_free(ext_internal);
259 else
260 qCWarning(lcTlsBackend, "Cannot free an extension, a potential memory leak?");
261 });
262
263 const char * hexString = nullptr; // The value returned by meth->i2s.
264 const auto hexStringCleaner = qScopeGuard([&hexString](){
265 if (hexString)
266 q_OPENSSL_free((void*)hexString);
267 });
268
269 switch (nid) {
270 case NID_basic_constraints:
271 {
272 BASIC_CONSTRAINTS *basic = reinterpret_cast<BASIC_CONSTRAINTS *>(q_X509V3_EXT_d2i(ext));
273 if (!basic)
274 return {};
275 QVariantMap result;
276 result["ca"_L1] = basic->ca ? true : false;
277 if (basic->pathlen)
278 result["pathLenConstraint"_L1] = (qlonglong)q_ASN1_INTEGER_get(basic->pathlen);
279
280 q_BASIC_CONSTRAINTS_free(basic);
281 return result;
282 }
283 break;
284 case NID_info_access:
285 {
286 AUTHORITY_INFO_ACCESS *info = reinterpret_cast<AUTHORITY_INFO_ACCESS *>(q_X509V3_EXT_d2i(ext));
287 if (!info)
288 return {};
289 QVariantMap result;
290 for (int i=0; i < q_SKM_sk_num(info); i++) {
291 ACCESS_DESCRIPTION *ad = q_SKM_sk_value(ACCESS_DESCRIPTION, info, i);
292
293 GENERAL_NAME *name = ad->location;
294 if (name->type == GEN_URI) {
295 int len = q_ASN1_STRING_length(name->d.uniformResourceIdentifier);
296 if (len < 0 || len >= 8192) {
297 // broken name
298 continue;
299 }
300
301 const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(name->d.uniformResourceIdentifier));
302 const QString uri = QString::fromUtf8(uriStr, len);
303
304 result[QString::fromUtf8(asn1ObjectName(ad->method))] = uri;
305 } else {
306 qCWarning(lcTlsBackend) << "Strange location type" << name->type;
307 }
308 }
309
310 q_AUTHORITY_INFO_ACCESS_free(info);
311 return result;
312 }
313 break;
314 case NID_subject_key_identifier:
315 {
316 ext_internal = q_X509V3_EXT_d2i(ext);
317 if (!ext_internal)
318 return {};
319
320 hexString = meth->i2s(meth, ext_internal);
321 return QVariant(QString::fromUtf8(hexString));
322 }
323 break;
324 case NID_authority_key_identifier:
325 {
326 AUTHORITY_KEYID *auth_key = reinterpret_cast<AUTHORITY_KEYID *>(q_X509V3_EXT_d2i(ext));
327 if (!auth_key)
328 return {};
329 QVariantMap result;
330
331 // keyid
332 if (auth_key->keyid) {
333 QByteArray keyid(reinterpret_cast<const char *>(auth_key->keyid->data),
334 auth_key->keyid->length);
335 result["keyid"_L1] = keyid.toHex();
336 }
337
338 // issuer
339 // TODO: GENERAL_NAMES
340
341 // serial
342 if (auth_key->serial)
343 result["serial"_L1] = (qlonglong)q_ASN1_INTEGER_get(auth_key->serial);
344
345 q_AUTHORITY_KEYID_free(auth_key);
346 return result;
347 }
348 break;
349 }
350
351 return {};
352}
353
354} // Unnamed namespace
355
356int qt_X509Callback(int ok, X509_STORE_CTX *ctx)
357{
358 if (!ok) {
359 // Store the error and at which depth the error was detected.
360 using ErrorListPtr = QList<QSslErrorEntry> *;
361 ErrorListPtr errors = nullptr;
362
363 // Error list is attached to either 'SSL' or 'X509_STORE'.
364 if (X509_STORE *store = q_X509_STORE_CTX_get0_store(ctx)) // We try store first:
365 errors = ErrorListPtr(q_X509_STORE_get_ex_data(store, 0));
366
367 if (!errors) {
368 // Not found on store? Try SSL and its external data then. According to the OpenSSL's
369 // documentation:
370 //
371 // "Whenever a X509_STORE_CTX object is created for the verification of the
372 // peer's certificate during a handshake, a pointer to the SSL object is
373 // stored into the X509_STORE_CTX object to identify the connection affected.
374 // To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can be
375 // used with the correct index."
376
377 // TLSTODO: verification callback has to change as soon as TlsCryptographer is in place.
378 // This is a temporary solution for now to ease the transition.
379 const auto offset = QTlsBackendOpenSSL::s_indexForSSLExtraData
380 + TlsCryptographOpenSSL::errorOffsetInExData;
381 if (SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(ctx, q_SSL_get_ex_data_X509_STORE_CTX_idx())))
382 errors = ErrorListPtr(q_SSL_get_ex_data(ssl, offset));
383 }
384
385 if (!errors) {
386 qCWarning(lcTlsBackend, "Neither X509_STORE, nor SSL contains error list, verification failed");
387 return 0;
388 }
389
390 errors->append(X509CertificateOpenSSL::errorEntryFromStoreContext(ctx));
391 }
392 // Always return OK to allow verification to continue. We handle the
393 // errors gracefully after collecting all errors, after verification has
394 // completed.
395 return 1;
396}
397
398X509CertificateOpenSSL::X509CertificateOpenSSL() = default;
399
400X509CertificateOpenSSL::~X509CertificateOpenSSL()
401{
402 if (x509)
403 q_X509_free(x509);
404}
405
406bool X509CertificateOpenSSL::isEqual(const X509Certificate &rhs) const
407{
408 //TLSTODO: to make it safe I'll check the backend type later.
409 const auto &other = static_cast<const X509CertificateOpenSSL &>(rhs);
410 if (x509 && other.x509) {
411 const int ret = q_X509_cmp(x509, other.x509);
412 if (ret >= -1 && ret <= 1)
413 return ret == 0;
414 QTlsBackendOpenSSL::logAndClearErrorQueue();
415 }
416
417 return false;
418}
419
420bool X509CertificateOpenSSL::isSelfSigned() const
421{
422 if (!x509)
423 return false;
424
425 return q_X509_check_issued(x509, x509) == X509_V_OK;
426}
427
428QMultiMap<QSsl::AlternativeNameEntryType, QString>
429X509CertificateOpenSSL::subjectAlternativeNames() const
430{
431 QMultiMap<QSsl::AlternativeNameEntryType, QString> result;
432
433 if (!x509)
434 return result;
435
436 auto *altNames = static_cast<STACK_OF(GENERAL_NAME) *>(q_X509_get_ext_d2i(x509, NID_subject_alt_name,
437 nullptr, nullptr));
438 if (!altNames)
439 return result;
440
441 auto altName = [](ASN1_IA5STRING *ia5, int len) {
442 const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(ia5));
443 return QString::fromLatin1(altNameStr, len);
444 };
445
446 for (int i = 0; i < q_sk_GENERAL_NAME_num(altNames); ++i) {
447 const GENERAL_NAME *genName = q_sk_GENERAL_NAME_value(altNames, i);
448 if (genName->type != GEN_DNS && genName->type != GEN_EMAIL && genName->type != GEN_IPADD)
449 continue;
450
451 const int len = q_ASN1_STRING_length(genName->d.ia5);
452 if (len < 0 || len >= 8192) {
453 // broken name
454 continue;
455 }
456
457 switch (genName->type) {
458 case GEN_DNS:
459 result.insert(QSsl::DnsEntry, altName(genName->d.ia5, len));
460 break;
461 case GEN_EMAIL:
462 result.insert(QSsl::EmailEntry, altName(genName->d.ia5, len));
463 break;
464 case GEN_IPADD: {
465 QHostAddress ipAddress;
466 switch (len) {
467 case 4: // IPv4
468 ipAddress = QHostAddress(qFromBigEndian(*reinterpret_cast<quint32 *>(genName->d.iPAddress->data)));
469 break;
470 case 16: // IPv6
471 ipAddress = QHostAddress(reinterpret_cast<quint8 *>(genName->d.iPAddress->data));
472 break;
473 default: // Unknown IP address format
474 break;
475 }
476 if (!ipAddress.isNull())
477 result.insert(QSsl::IpAddressEntry, ipAddress.toString());
478 break;
479 }
480 default:
481 break;
482 }
483 }
484
485 q_OPENSSL_sk_pop_free((OPENSSL_STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_GENERAL_NAME_free));
486
487 return result;
488}
489
490TlsKey *X509CertificateOpenSSL::publicKey() const
491{
492 if (!x509)
493 return {};
494
495 return TlsKeyOpenSSL::publicKeyFromX509(x509);
496}
497
498QByteArray X509CertificateOpenSSL::toPem() const
499{
500 if (!x509)
501 return {};
502
503 return x509ToQByteArray(x509, QSsl::Pem);
504}
505
506QByteArray X509CertificateOpenSSL::toDer() const
507{
508 if (!x509)
509 return {};
510
511 return x509ToQByteArray(x509, QSsl::Der);
512
513}
514QString X509CertificateOpenSSL::toText() const
515{
516 if (!x509)
517 return {};
518
519 return x509ToText(x509);
520}
521
522Qt::HANDLE X509CertificateOpenSSL::handle() const
523{
524 return Qt::HANDLE(x509);
525}
526
527size_t X509CertificateOpenSSL::hash(size_t seed) const noexcept
528{
529 if (x509) {
530 const EVP_MD *sha1 = q_EVP_sha1();
531 unsigned int len = 0;
532 unsigned char md[EVP_MAX_MD_SIZE];
533 q_X509_digest(x509, sha1, md, &len);
534 return qHashBits(md, len, seed);
535 }
536
537 return seed;
538}
539
540QSslCertificate X509CertificateOpenSSL::certificateFromX509(X509 *x509)
541{
542 QSslCertificate certificate;
543
544 auto *backend = QTlsBackend::backend<X509CertificateOpenSSL>(certificate);
545 if (!backend || !x509)
546 return certificate;
547
548 ASN1_TIME *nbef = q_X509_getm_notBefore(x509);
549 if (nbef)
550 backend->notValidBefore = dateTimeFromASN1(nbef);
551
552 ASN1_TIME *naft = q_X509_getm_notAfter(x509);
553 if (naft)
554 backend->notValidAfter = dateTimeFromASN1(naft);
555
556 backend->null = false;
557 backend->x509 = q_X509_dup(x509);
558
559 backend->issuerInfoEntries = mapFromX509Name(q_X509_get_issuer_name(x509));
560 backend->subjectInfoEntries = mapFromX509Name(q_X509_get_subject_name(x509));
561 backend->versionString = QByteArray::number(qlonglong(q_X509_get_version(x509)) + 1);
562
563 if (ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(x509)) {
564 QByteArray hexString;
565 hexString.reserve(serialNumber->length * 3);
566 for (int a = 0; a < serialNumber->length; ++a) {
567 hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0');
568 hexString += ':';
569 }
570 hexString.chop(1);
571 backend->serialNumberString = hexString;
572 }
573
574 backend->parseExtensions();
575
576 return certificate;
577}
578
579QList<QSslCertificate> X509CertificateOpenSSL::stackOfX509ToQSslCertificates(STACK_OF(X509) *x509)
580{
581 if (!x509)
582 return {};
583
584 QList<QSslCertificate> certificates;
585 for (int i = 0; i < q_sk_X509_num(x509); ++i) {
586 if (X509 *entry = q_sk_X509_value(x509, i))
587 certificates << certificateFromX509(entry);
588 }
589
590 return certificates;
591}
592
593QSslErrorEntry X509CertificateOpenSSL::errorEntryFromStoreContext(X509_STORE_CTX *ctx)
594{
595 Q_ASSERT(ctx);
596
597 return {q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx)};
598}
599
600QList<QSslError> X509CertificateOpenSSL::verify(const QList<QSslCertificate> &chain,
601 const QString &hostName)
602{
603 // This was previously QSslSocketPrivate::verify().
604 auto roots = QSslConfiguration::defaultConfiguration().caCertificates();
605#ifndef Q_OS_WIN
606 // On Windows, system CA certificates are already set as default ones.
607 // No need to add them again (and again) and also, if the default configuration
608 // has its own set of CAs, this probably should not be amended by the ones
609 // from the 'ROOT' store, since it's not what an application chose to trust.
610 if (QSslSocketPrivate::rootCertOnDemandLoadingSupported())
611 roots.append(QSslSocketPrivate::systemCaCertificates());
612#endif // Q_OS_WIN
613 return verify(roots, chain, hostName);
614}
615
616QList<QSslError> X509CertificateOpenSSL::verify(const QList<QSslCertificate> &caCertificates,
617 const QList<QSslCertificate> &certificateChain,
618 const QString &hostName)
619{
620 // This was previously QSslSocketPrivate::verify().
621 if (certificateChain.size() <= 0)
622 return {QSslError(QSslError::UnspecifiedError)};
623
624 QList<QSslError> errors;
625 X509_STORE *certStore = q_X509_STORE_new();
626 if (!certStore) {
627 qCWarning(lcTlsBackend) << "Unable to create certificate store";
628 errors << QSslError(QSslError::UnspecifiedError);
629 return errors;
630 }
631 const std::unique_ptr<X509_STORE, decltype(&q_X509_STORE_free)> storeGuard(certStore, q_X509_STORE_free);
632
633 const QDateTime now = QDateTime::currentDateTimeUtc();
634 for (const QSslCertificate &caCertificate : caCertificates) {
635 // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
636 //
637 // If several CA certificates matching the name, key identifier, and
638 // serial number condition are available, only the first one will be
639 // examined. This may lead to unexpected results if the same CA
640 // certificate is available with different expiration dates. If a
641 // ``certificate expired'' verification error occurs, no other
642 // certificate will be searched. Make sure to not have expired
643 // certificates mixed with valid ones.
644 //
645 // See also: QSslContext::sharedFromConfiguration()
646 if (caCertificate.expiryDate() >= now) {
647 q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
648 }
649 }
650
651 QList<QSslErrorEntry> lastErrors;
652 if (!q_X509_STORE_set_ex_data(certStore, 0, &lastErrors)) {
653 qCWarning(lcTlsBackend) << "Unable to attach external data (error list) to a store";
654 errors << QSslError(QSslError::UnspecifiedError);
655 return errors;
656 }
657
658 // Register a custom callback to get all verification errors.
659 q_X509_STORE_set_verify_cb(certStore, qt_X509Callback);
660
661 // Build the chain of intermediate certificates
662 STACK_OF(X509) *intermediates = nullptr;
663 if (certificateChain.size() > 1) {
664 intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null();
665
666 if (!intermediates) {
667 errors << QSslError(QSslError::UnspecifiedError);
668 return errors;
669 }
670
671 bool first = true;
672 for (const QSslCertificate &cert : certificateChain) {
673 if (first) {
674 first = false;
675 continue;
676 }
677
678 q_OPENSSL_sk_push((OPENSSL_STACK *)intermediates, reinterpret_cast<X509 *>(cert.handle()));
679 }
680 }
681
682 X509_STORE_CTX *storeContext = q_X509_STORE_CTX_new();
683 if (!storeContext) {
684 errors << QSslError(QSslError::UnspecifiedError);
685 return errors;
686 }
687 std::unique_ptr<X509_STORE_CTX, decltype(&q_X509_STORE_CTX_free)> ctxGuard(storeContext, q_X509_STORE_CTX_free);
688
689 if (!q_X509_STORE_CTX_init(storeContext, certStore, reinterpret_cast<X509 *>(certificateChain[0].handle()), intermediates)) {
690 errors << QSslError(QSslError::UnspecifiedError);
691 return errors;
692 }
693
694 // Now we can actually perform the verification of the chain we have built.
695 // We ignore the result of this function since we process errors via the
696 // callback.
697 (void) q_X509_verify_cert(storeContext);
698 ctxGuard.reset();
699 q_OPENSSL_sk_free((OPENSSL_STACK *)intermediates);
700
701 // Now process the errors
702
703 if (certificateChain[0].isBlacklisted())
704 errors << QSslError(QSslError::CertificateBlacklisted, certificateChain[0]);
705
706 // Check the certificate name against the hostname if one was specified
707 if (!hostName.isEmpty() && !TlsCryptograph::isMatchingHostname(certificateChain[0], hostName)) {
708 // No matches in common names or alternate names.
709 QSslError error(QSslError::HostNameMismatch, certificateChain[0]);
710 errors << error;
711 }
712
713 // Translate errors from the error list into QSslErrors.
714 errors.reserve(errors.size() + lastErrors.size());
715 for (const auto &error : std::as_const(lastErrors))
716 errors << openSSLErrorToQSslError(error.code, certificateChain.value(error.depth));
717
718 return errors;
719}
720
721QList<QSslCertificate> X509CertificateOpenSSL::certificatesFromPem(const QByteArray &pem, int count)
722{
723 QList<QSslCertificate> certificates;
724
725 int offset = 0;
726 while (count == -1 || certificates.size() < count) {
727 int startPos = pem.indexOf(BEGINCERTSTRING, offset);
728 if (startPos == -1)
729 break;
730 startPos += sizeof(BEGINCERTSTRING) - 1;
731 if (!matchLineFeed(pem, &startPos))
732 break;
733
734 int endPos = pem.indexOf(ENDCERTSTRING, startPos);
735 if (endPos == -1)
736 break;
737
738 offset = endPos + sizeof(ENDCERTSTRING) - 1;
739 if (offset < pem.size() && !matchLineFeed(pem, &offset))
740 break;
741
742 QByteArray decoded = QByteArray::fromBase64(
743 QByteArray::fromRawData(pem.data() + startPos, endPos - startPos));
744 const unsigned char *data = (const unsigned char *)decoded.data();
745
746 if (X509 *x509 = q_d2i_X509(nullptr, &data, decoded.size())) {
747 certificates << certificateFromX509(x509);
748 q_X509_free(x509);
749 }
750 }
751
752 return certificates;
753}
754
755QList<QSslCertificate> X509CertificateOpenSSL::certificatesFromDer(const QByteArray &der, int count)
756{
757 QList<QSslCertificate> certificates;
758
759 const unsigned char *data = (const unsigned char *)der.data();
760 int size = der.size();
761
762 while (size > 0 && (count == -1 || certificates.size() < count)) {
763 if (X509 *x509 = q_d2i_X509(nullptr, &data, size)) {
764 certificates << certificateFromX509(x509);
765 q_X509_free(x509);
766 } else {
767 break;
768 }
769 size -= ((const char *)data - der.data());
770 }
771
772 return certificates;
773}
774
775bool X509CertificateOpenSSL::importPkcs12(QIODevice *device, QSslKey *key, QSslCertificate *cert,
776 QList<QSslCertificate> *caCertificates,
777 const QByteArray &passPhrase)
778{
779 // These are required
780 Q_ASSERT(device);
781 Q_ASSERT(key);
782 Q_ASSERT(cert);
783
784 // Read the file into a BIO
785 QByteArray pkcs12data = device->readAll();
786 if (pkcs12data.size() == 0)
787 return false;
788
789 BIO *bio = q_BIO_new_mem_buf(const_cast<char *>(pkcs12data.constData()), pkcs12data.size());
790 if (!bio) {
791 qCWarning(lcTlsBackend, "BIO_new_mem_buf returned null");
792 return false;
793 }
794 const auto bioRaii = qScopeGuard([bio]{q_BIO_free(bio);});
795
796 // Create the PKCS#12 object
797 PKCS12 *p12 = q_d2i_PKCS12_bio(bio, nullptr);
798 if (!p12) {
799 qCWarning(lcTlsBackend, "Unable to read PKCS#12 structure, %s",
800 q_ERR_error_string(q_ERR_get_error(), nullptr));
801 return false;
802 }
803 const auto p12Raii = qScopeGuard([p12]{q_PKCS12_free(p12);});
804
805 // Extract the data
806 EVP_PKEY *pkey = nullptr;
807 X509 *x509 = nullptr;
808 STACK_OF(X509) *ca = nullptr;
809
810 if (!q_PKCS12_parse(p12, passPhrase.constData(), &pkey, &x509, &ca)) {
811 qCWarning(lcTlsBackend, "Unable to parse PKCS#12 structure, %s",
812 q_ERR_error_string(q_ERR_get_error(), nullptr));
813 return false;
814 }
815
816 const auto x509Raii = qScopeGuard([x509]{q_X509_free(x509);});
817 const auto keyRaii = qScopeGuard([pkey]{q_EVP_PKEY_free(pkey);});
818 const auto caRaii = qScopeGuard([ca] {
819 q_OPENSSL_sk_pop_free(reinterpret_cast<OPENSSL_STACK *>(ca),
820 reinterpret_cast<void (*)(void *)>(q_X509_free));
821 });
822
823 // Convert to Qt types
824 auto *tlsKey = QTlsBackend::backend<TlsKeyOpenSSL>(*key);
825 if (!tlsKey || !tlsKey->fromEVP_PKEY(pkey)) {
826 qCWarning(lcTlsBackend, "Unable to convert private key");
827 return false;
828 }
829
830 *cert = certificateFromX509(x509);
831
832 if (caCertificates)
833 *caCertificates = stackOfX509ToQSslCertificates(ca);
834
835 return true;
836}
837
838QSslError X509CertificateOpenSSL::openSSLErrorToQSslError(int errorCode, const QSslCertificate &cert)
839{
840 QSslError error;
841 switch (errorCode) {
842 case X509_V_OK:
843 // X509_V_OK is also reported if the peer had no certificate.
844 break;
845 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
846 error = QSslError(QSslError::UnableToGetIssuerCertificate, cert); break;
847 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
848 error = QSslError(QSslError::UnableToDecryptCertificateSignature, cert); break;
849 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
850 error = QSslError(QSslError::UnableToDecodeIssuerPublicKey, cert); break;
851 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
852 error = QSslError(QSslError::CertificateSignatureFailed, cert); break;
853 case X509_V_ERR_CERT_NOT_YET_VALID:
854 error = QSslError(QSslError::CertificateNotYetValid, cert); break;
855 case X509_V_ERR_CERT_HAS_EXPIRED:
856 error = QSslError(QSslError::CertificateExpired, cert); break;
857 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
858 error = QSslError(QSslError::InvalidNotBeforeField, cert); break;
859 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
860 error = QSslError(QSslError::InvalidNotAfterField, cert); break;
861 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
862 error = QSslError(QSslError::SelfSignedCertificate, cert); break;
863 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
864 error = QSslError(QSslError::SelfSignedCertificateInChain, cert); break;
865 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
866 error = QSslError(QSslError::UnableToGetLocalIssuerCertificate, cert); break;
867 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
868 error = QSslError(QSslError::UnableToVerifyFirstCertificate, cert); break;
869 case X509_V_ERR_CERT_REVOKED:
870 error = QSslError(QSslError::CertificateRevoked, cert); break;
871 case X509_V_ERR_INVALID_CA:
872 error = QSslError(QSslError::InvalidCaCertificate, cert); break;
873 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
874 error = QSslError(QSslError::PathLengthExceeded, cert); break;
875 case X509_V_ERR_INVALID_PURPOSE:
876 error = QSslError(QSslError::InvalidPurpose, cert); break;
877 case X509_V_ERR_CERT_UNTRUSTED:
878 error = QSslError(QSslError::CertificateUntrusted, cert); break;
879 case X509_V_ERR_CERT_REJECTED:
880 error = QSslError(QSslError::CertificateRejected, cert); break;
881 default:
882 error = QSslError(QSslError::UnspecifiedError, cert); break;
883 }
884 return error;
885}
886
887void X509CertificateOpenSSL::parseExtensions()
888{
889 extensions.clear();
890
891 if (!x509)
892 return;
893
894 int count = q_X509_get_ext_count(x509);
895 if (count <= 0)
896 return;
897
898 extensions.reserve(count);
899
900 for (int i = 0; i < count; i++) {
901 X509_EXTENSION *ext = q_X509_get_ext(x509, i);
902 if (!ext) {
903 qCWarning(lcTlsBackend) << "Invalid (nullptr) extension at index" << i;
904 continue;
905 }
906
907 extensions << convertExtension(ext);
908 }
909
910 // Converting an extension may result in an error(s), clean them up:
911 QTlsBackendOpenSSL::clearErrorQueue();
912}
913
914X509CertificateBase::X509CertificateExtension X509CertificateOpenSSL::convertExtension(X509_EXTENSION *ext)
915{
916 Q_ASSERT(ext);
917
918 X509CertificateExtension result;
919
920 ASN1_OBJECT *obj = q_X509_EXTENSION_get_object(ext);
921 if (!obj)
922 return result;
923
924 result.oid = QString::fromUtf8(asn1ObjectId(obj));
925 result.name = QString::fromUtf8(asn1ObjectName(obj));
926
927 result.critical = bool(q_X509_EXTENSION_get_critical(ext));
928
929 // Lets see if we have custom support for this one
930 QVariant extensionValue = x509ExtensionToValue(ext);
931 if (extensionValue.isValid()) {
932 result.value = extensionValue;
933 result.supported = true;
934 return result;
935 }
936
937 extensionValue = x509UnknownExtensionToValue(ext);
938 if (extensionValue.isValid())
939 result.value = extensionValue;
940
941 result.supported = false;
942
943 return result;
944}
945
946} // namespace QTlsPrivate
947
948QT_END_NAMESPACE
QTlsBackendOpenSSL::logAndClearErrorQueue
static void logAndClearErrorQueue()
Definition qtlsbackend_openssl.cpp:83
QTlsPrivate::TlsKeyOpenSSL::publicKeyFromX509
static TlsKeyOpenSSL * publicKeyFromX509(X509 *x)
Definition qtlskey_openssl.cpp:529
QTlsPrivate::X509CertificateOpenSSL::errorEntryFromStoreContext
static QSslErrorEntry errorEntryFromStoreContext(X509_STORE_CTX *ctx)
Definition qx509_openssl.cpp:593
QTlsPrivate::X509CertificateOpenSSL::toPem
QByteArray toPem() const override
Definition qx509_openssl.cpp:498
QTlsPrivate::X509CertificateOpenSSL::toDer
QByteArray toDer() const override
Definition qx509_openssl.cpp:506
QTlsPrivate::X509CertificateOpenSSL::publicKey
TlsKey * publicKey() const override
Definition qx509_openssl.cpp:490
QTlsPrivate::X509CertificateOpenSSL::hash
size_t hash(size_t seed) const noexcept override
Definition qx509_openssl.cpp:527
QTlsPrivate::X509CertificateOpenSSL::isEqual
bool isEqual(const X509Certificate &rhs) const override
Definition qx509_openssl.cpp:406
QTlsPrivate::X509CertificateOpenSSL::handle
Qt::HANDLE handle() const override
Definition qx509_openssl.cpp:522
QTlsPrivate::X509CertificateOpenSSL::subjectAlternativeNames
QMultiMap< QSsl::AlternativeNameEntryType, QString > subjectAlternativeNames() const override
Definition qx509_openssl.cpp:429
QTlsPrivate
Namespace containing onternal types that TLS backends implement.
Definition qocspresponse.h:41
QTlsPrivate::qt_X509Callback
int qt_X509Callback(int ok, X509_STORE_CTX *ctx)
Definition qx509_openssl.cpp:356
q_X509_STORE_CTX_new
X509_STORE_CTX * q_X509_STORE_CTX_new()
q_OBJ_obj2nid
int q_OBJ_obj2nid(const ASN1_OBJECT *a)
q_ASN1_STRING_length
int q_ASN1_STRING_length(ASN1_STRING *a)
q_X509_STORE_get_ex_data
void * q_X509_STORE_get_ex_data(X509_STORE *r, int idx)
q_OPENSSL_sk_new_null
OPENSSL_STACK * q_OPENSSL_sk_new_null()
q_SSL_get_ex_data_X509_STORE_CTX_idx
int q_SSL_get_ex_data_X509_STORE_CTX_idx()
q_OBJ_nid2sn
const char * q_OBJ_nid2sn(int a)
q_X509_STORE_CTX_init
int q_X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain)
q_BASIC_CONSTRAINTS_free
void q_BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
q_ERR_get_error
unsigned long q_ERR_get_error()
q_X509_digest
int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len)
q_sk_GENERAL_NAME_value
#define q_sk_GENERAL_NAME_value(st, i)
Definition qsslsocket_openssl_symbols_p.h:542
q_ASN1_STRING_get0_data
const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x)
q_sk_X509_num
#define q_sk_X509_num(st)
Definition qsslsocket_openssl_symbols_p.h:546
q_EVP_sha1
const EVP_MD * q_EVP_sha1()
q_X509_dup
X509 * q_X509_dup(X509 *a)
q_d2i_PKCS12_bio
PKCS12 * q_d2i_PKCS12_bio(BIO *bio, PKCS12 **pkcs12)
q_X509_EXTENSION_get_critical
int q_X509_EXTENSION_get_critical(X509_EXTENSION *a)
q_BIO_get_mem_data
#define q_BIO_get_mem_data(b, pp)
Definition qsslsocket_openssl_symbols_p.h:538
q_X509_STORE_CTX_get_ex_data
void * q_X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
q_X509_STORE_set_verify_cb
void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb)
q_X509V3_conf_free
void q_X509V3_conf_free(CONF_VALUE *val)
q_X509V3_EXT_d2i
void * q_X509V3_EXT_d2i(X509_EXTENSION *a)
q_OPENSSL_sk_free
void q_OPENSSL_sk_free(OPENSSL_STACK *a)
q_CRYPTO_free
void q_CRYPTO_free(void *str, const char *file, int line)
q_EVP_PKEY_free
void q_EVP_PKEY_free(EVP_PKEY *a)
q_AUTHORITY_KEYID_free
void q_AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
q_X509_STORE_free
void q_X509_STORE_free(X509_STORE *store)
q_X509_NAME_ENTRY_get_data
ASN1_STRING * q_X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *a)
q_BIO_new
BIO * q_BIO_new(const BIO_METHOD *a)
q_i2d_X509
int q_i2d_X509(X509 *a, unsigned char **b)
q_X509_getm_notAfter
ASN1_TIME * q_X509_getm_notAfter(X509 *a)
q_X509_STORE_new
X509_STORE * q_X509_STORE_new()
q_PKCS12_free
void q_PKCS12_free(PKCS12 *pkcs12)
q_OPENSSL_sk_pop_free
void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void(*b)(void *))
q_SSL_get_ex_data
void * q_SSL_get_ex_data(const SSL *ssl, int idx)
q_AUTHORITY_INFO_ACCESS_free
void q_AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
q_X509_get_serialNumber
ASN1_INTEGER * q_X509_get_serialNumber(X509 *a)
q_ASN1_item_free
void q_ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
q_X509_check_issued
int q_X509_check_issued(X509 *a, X509 *b)
q_BIO_s_mem
const BIO_METHOD * q_BIO_s_mem()
q_ASN1_STRING_to_UTF8
int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b)
q_ERR_error_string
char * q_ERR_error_string(unsigned long a, char *b)
q_X509_EXTENSION_get_data
ASN1_OCTET_STRING * q_X509_EXTENSION_get_data(X509_EXTENSION *a)
q_OBJ_obj2txt
int q_OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *obj, int no_name)
q_SKM_sk_num
#define q_SKM_sk_num(st)
Definition qsslsocket_openssl_symbols_p.h:241
q_X509_NAME_get_entry
X509_NAME_ENTRY * q_X509_NAME_get_entry(X509_NAME *a, int b)
q_X509_print
void q_X509_print(BIO *a, X509 *b)
q_X509_free
void q_X509_free(X509 *a)
q_X509_STORE_CTX_get_error_depth
int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
q_X509_get_ext_d2i
void * q_X509_get_ext_d2i(X509 *a, int b, int *c, int *d)
q_X509V3_EXT_get
const X509V3_EXT_METHOD * q_X509V3_EXT_get(X509_EXTENSION *a)
q_sk_X509_value
#define q_sk_X509_value(st, i)
Definition qsslsocket_openssl_symbols_p.h:547
q_X509_get_ext_count
int q_X509_get_ext_count(X509 *a)
q_GENERAL_NAME_free
void q_GENERAL_NAME_free(GENERAL_NAME *a)
q_X509_verify_cert
int q_X509_verify_cert(X509_STORE_CTX *ctx)
q_X509_STORE_CTX_get0_store
X509_STORE * q_X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)
q_d2i_X509
X509 * q_d2i_X509(X509 **a, const unsigned char **b, long c)
q_X509_get_ext
X509_EXTENSION * q_X509_get_ext(X509 *a, int b)
q_ASN1_TIME_to_tm
int q_ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm)
q_X509_NAME_entry_count
int q_X509_NAME_entry_count(X509_NAME *a)
q_SKM_sk_value
#define q_SKM_sk_value(type, st, i)
Definition qsslsocket_openssl_symbols_p.h:242
q_BIO_free
int q_BIO_free(BIO *a)
q_X509_EXTENSION_get_object
ASN1_OBJECT * q_X509_EXTENSION_get_object(X509_EXTENSION *a)
q_OPENSSL_free
#define q_OPENSSL_free(addr)
Definition qsslsocket_openssl_symbols_p.h:670
q_X509_getm_notBefore
ASN1_TIME * q_X509_getm_notBefore(X509 *a)
q_sk_GENERAL_NAME_num
#define q_sk_GENERAL_NAME_num(st)
Definition qsslsocket_openssl_symbols_p.h:541
q_X509_STORE_CTX_get_error
int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
ENDCERTSTRING
#define ENDCERTSTRING
Definition qx509_openssl.cpp:90
BEGINCERTSTRING
#define BEGINCERTSTRING
Definition qx509_openssl.cpp:89