summaryrefslogtreecommitdiffstats
path: root/src/network/ssl/qsslsocket_openssl.cpp
diff options
context:
space:
mode:
authorPeter Hartmann <peter.hartmann@nokia.com>2010-05-19 16:47:42 (GMT)
committerZeno Albisser <zeno.albisser@nokia.com>2010-06-11 13:12:01 (GMT)
commit9a982779eabc4fafafe18dc9ad1b44fb2425563c (patch)
treef1212a9236e6dd17dbab18a31beba833852ec392 /src/network/ssl/qsslsocket_openssl.cpp
parent164f347aba7287407615223dc2219a016ebc8248 (diff)
downloadQt-9a982779eabc4fafafe18dc9ad1b44fb2425563c.zip
Qt-9a982779eabc4fafafe18dc9ad1b44fb2425563c.tar.gz
Qt-9a982779eabc4fafafe18dc9ad1b44fb2425563c.tar.bz2
make QSslSocket::systemCaCertificates() use system certs
before, we were shipping our own bundle of CA certificates. Now we read the certificates from the system CA store. Patch-by: Zeno Albisser and Peter Hartmann Reviewed-by: Thiago Task-number: QTBUG-8833 Task-number: QT-3361
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp126
1 files changed, 110 insertions, 16 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 050fb1b..36a0cc7 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -57,12 +57,18 @@
#include <QtCore/qthread.h>
#include <QtCore/qurl.h>
#include <QtCore/qvarlengtharray.h>
-
-static void initNetworkResources()
-{
- // Initialize resources
- Q_INIT_RESOURCE(network);
-}
+#include <QLibrary> // for loading the security lib for the CA store
+
+#if defined(Q_OS_MAC)
+#define kSecTrustSettingsDomainSystem 2 // so we do not need to include the header file
+ PtrSecCertificateGetData QSslSocketPrivate::ptrSecCertificateGetData = 0;
+ PtrSecTrustSettingsCopyCertificates QSslSocketPrivate::ptrSecTrustSettingsCopyCertificates = 0;
+ PtrSecTrustCopyAnchorCertificates QSslSocketPrivate::ptrSecTrustCopyAnchorCertificates = 0;
+#elif defined(Q_OS_WIN)
+ PtrCertOpenSystemStoreW QSslSocketPrivate::ptrCertOpenSystemStoreW = 0;
+ PtrCertFindCertificateInStore QSslSocketPrivate::ptrCertFindCertificateInStore = 0;
+ PtrCertCloseStore QSslSocketPrivate::ptrCertCloseStore = 0;
+#endif
QT_BEGIN_NAMESPACE
@@ -406,9 +412,6 @@ bool QSslSocketPrivate::ensureInitialized()
if (!q_initialized) {
q_initialized = true;
- // Initialize resources
- initNetworkResources();
-
// Initialize OpenSSL.
q_CRYPTO_set_id_callback(id_function);
q_CRYPTO_set_locking_callback(locking_function);
@@ -448,6 +451,36 @@ bool QSslSocketPrivate::ensureInitialized()
resetDefaultCiphers();
setDefaultCaCertificates(systemCaCertificates());
}
+
+ //load symbols needed to receive certificates from system store
+#if defined(Q_OS_MAC)
+ QLibrary securityLib("/System/Library/Frameworks/Security.framework/Versions/Current/Security");
+ if (securityLib.load()) {
+ ptrSecCertificateGetData = (PtrSecCertificateGetData) securityLib.resolve("SecCertificateGetData");
+ if (!ptrSecCertificateGetData)
+ qWarning("could not resolve symbols in security library"); // should never happen
+
+ ptrSecTrustSettingsCopyCertificates = (PtrSecTrustSettingsCopyCertificates) securityLib.resolve("SecTrustSettingsCopyCertificates");
+ if (!ptrSecTrustSettingsCopyCertificates) { // method was introduced in Leopard, use legacy method if it's not there
+ ptrSecTrustCopyAnchorCertificates = (PtrSecTrustCopyAnchorCertificates) securityLib.resolve("SecTrustCopyAnchorCertificates");
+ if (!ptrSecTrustCopyAnchorCertificates)
+ qWarning("could not resolve symbols in security library"); // should never happen
+ }
+ } else {
+ qWarning("could not load security library");
+ }
+#elif defined(Q_OS_WIN)
+ HINSTANCE hLib = LoadLibraryW(L"Crypt32");
+ if (hLib) {
+ ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW");
+ ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore");
+ ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore");
+ if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore)
+ qWarning("could not resolve symbols in crypt32 library"); // should never happen
+ } else {
+ qWarning("could not load crypt32 library"); // should never happen
+ }
+#endif
return true;
}
@@ -486,13 +519,74 @@ void QSslSocketPrivate::resetDefaultCiphers()
QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
{
- // Qt provides a default bundle of certificates
- QFile caBundle(QLatin1String(":/trolltech/network/ssl/qt-ca-bundle.crt"));
- if (caBundle.open(QIODevice::ReadOnly | QIODevice::Text))
- return QSslCertificate::fromDevice(&caBundle);
-
- // Unreachable; return no bundle.
- return QList<QSslCertificate>();
+ ensureInitialized();
+ QList<QSslCertificate> systemCerts;
+#if defined(Q_OS_MAC)
+ CFArrayRef cfCerts;
+ OSStatus status = 1;
+
+ OSStatus SecCertificateGetData (
+ SecCertificateRef certificate,
+ CSSM_DATA_PTR data
+ );
+
+ if (ptrSecCertificateGetData) {
+ if (ptrSecTrustSettingsCopyCertificates)
+ status = ptrSecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts);
+ else if (ptrSecTrustCopyAnchorCertificates)
+ status = ptrSecTrustCopyAnchorCertificates(&cfCerts);
+ if (!status) {
+ CFIndex size = CFArrayGetCount(cfCerts);
+ for (CFIndex i = 0; i < size; ++i) {
+ SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
+ CSSM_DATA data;
+ CSSM_DATA_PTR dataPtr = &data;
+ if (ptrSecCertificateGetData(cfCert, dataPtr)) {
+ qWarning("error retrieving a CA certificate from the system store");
+ } else {
+ int len = data.Length;
+ char *rawData = reinterpret_cast<char *>(data.Data);
+ QByteArray rawCert(rawData, len);
+ systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der));
+ }
+ }
+ }
+ else {
+ // no detailed error handling here
+ qWarning("could not retrieve system CA certificates");
+ }
+ }
+#elif defined(Q_OS_WIN)
+ if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) {
+ HCERTSTORE hSystemStore;
+ hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT");
+ if(hSystemStore) {
+ PCCERT_CONTEXT pc = NULL;
+ while(1) {
+ pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc);
+ if(!pc)
+ break;
+ QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded));
+ QSslCertificate cert(der,QSsl::Der);
+ systemCerts.append(cert);
+ }
+ ptrCertCloseStore(hSystemStore, 0);
+ }
+ }
+#elif defined(Q_OS_AIX)
+ systemCerts.append(QSslCertificate::fromPath("/var/ssl/certs/*.pem", QSsl::Pem, QRegExp::Wildcard));
+#elif defined(Q_OS_SOLARIS)
+ systemCerts.append(QSslCertificate::fromPath("/usr/local/ssl/certs/*.pem", QSsl::Pem, QRegExp::Wildcard));
+#elif defined(Q_OS_HPUX)
+ systemCerts.append(QSslCertificate::fromPath("/opt/openssl/certs/*.pem", QSsl::Pem, QRegExp::Wildcard));
+#elif defined(Q_OS_LINUX)
+ systemCerts.append(QSslCertificate::fromPath("/etc/ssl/certs/*.pem", QSsl::Pem, QRegExp::Wildcard)); // (K)ubuntu, OpenSUSE, Mandriva, ...
+ systemCerts.append(QSslCertificate::fromPath("/etc/pki/tls/certs/ca-bundle.crt", QSsl::Pem)); // Fedora
+ systemCerts.append(QSslCertificate::fromPath("/usr/lib/ssl/certs/*.pem", QSsl::Pem, QRegExp::Wildcard)); // Gentoo, Mandrake
+ systemCerts.append(QSslCertificate::fromPath("/usr/share/ssl/*.pem", QSsl::Pem, QRegExp::Wildcard)); // Centos, Redhat, SuSE
+ systemCerts.append(QSslCertificate::fromPath("/usr/local/ssl/*.pem", QSsl::Pem, QRegExp::Wildcard)); // Normal OpenSSL Tarball
+#endif
+ return systemCerts;
}
void QSslSocketBackendPrivate::startClientEncryption()