[auth] Add certificate chain validation routine

Alessandro Pasotti 2017-10-25 12:45:18 +02:00
parent e20e0764c9
commit 368b0df24e
3 changed files with 39 additions and 0 deletions


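--- a/UNKNOWN_PATH_1_sip_bindings
+++ b/UNKNOWN_PATH_1_sip_bindings
@@ -275,6 +275,15 @@ Get short strings describing an SSL error
 %End
+static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;
+%Docstring
+validateCertChain validates the given ``certificateChain``
+\param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
+\param addRootCa if true the CA will be added to the trusted CAs for this validation check
+:return: list of QSslError, if the list is empty then the cert chain is valid
+:rtype: list of QSslError
+%End
 };
 /************************************************************************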
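Review bot: The %Docstring for validateCertChain documents certificateChain and addRootCa but says nothing about the hostName parameter, so a binding user cannot tell what the empty default means; the header comment in the third file of this commit has the same gap. I would add `\param hostName host name the leaf certificate is checked against; when empty no host-name check is performed`, hedged on the Qt behaviour (as far as I recall QSslCertificate::verify skips host-name matching for an empty name), which matters because the default is an empty QString. The addRootCa sentence could also state the condition the implementation actually applies: the last certificate is only merged into the trusted set when the chain has more than one entry and that certificate is self-signed.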


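--- a/UNKNOWN_PATH_2_qgsauthcertutils_source
+++ b/UNKNOWN_PATH_2_qgsauthcertutils_source
@@ -1018,3 +1018,25 @@ QList<QPair<QSslError::SslError, QString> > QgsAuthCertUtils::sslErrorEnumString
 QgsAuthCertUtils::sslErrorEnumString( QSslError::CertificateBlacklisted ) );
 return errenums;
 }
+QList<QSslError> QgsAuthCertUtils::validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName, bool addRootCa )
+{
+QList<QSslError> results;
+// Merge in the root CA if present and asked for
+if ( addRootCa && certificateChain.count() > 1 && certificateChain.last().isSelfSigned() )
+{
+static QMutex sMutex;
+QMutexLocker lock( &sMutex );
+QSslConfiguration oldSslConfig( QSslConfiguration::defaultConfiguration() );
+QSslConfiguration sslConfig( oldSslConfig );
+sslConfig.setCaCertificates( casMerge( sslConfig.caCertificates(), QList<QSslCertificate>() << certificateChain.last() ) );
+QSslConfiguration::setDefaultConfiguration( sslConfig );
+results = QSslCertificate::verify( certificateChain, hostName );
+QSslConfiguration::setDefaultConfiguration( oldSslConfig );
+}
+else
+{
+results = QSslCertificate::verify( certificateChain, hostName );
+}
+return results;
+}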
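Review bot: Replacing the process-wide default QSslConfiguration around the verify() call in the addRootCa branch is not isolated to this function: the static QMutex only serializes concurrent callers of validateCertChain, while any other thread that reads QSslConfiguration::defaultConfiguration() in that window (for instance when a QSslSocket or a network request is being set up) will trust certificateChain.last() for its own connection. If Qt offers no verify overload taking an explicit CA list, the side effect should at least be stated next to the swap, e.g. `// NOTE: temporarily widens the process-wide trust store; TLS connections opened by other threads meanwhile will also trust certificateChain.last()`. The addRootCa branch is also silently skipped when the chain consists of a single self-signed certificate (count() > 1 fails) and the cert is then verified against the default trust store only, which may be intended but deserves a comment. Finally, as far as I recall QSslCertificate::verify performs no host-name matching when hostName is empty, so the function comment should tell callers validating a server chain to pass the expected host rather than rely on the empty default.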


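--- a/UNKNOWN_PATH_3_qgsauthcertutils_header
+++ b/UNKNOWN_PATH_3_qgsauthcertutils_header
@@ -296,6 +296,14 @@ class CORE_EXPORT QgsAuthCertUtils
 */
 static QList<QPair<QSslError::SslError, QString> > sslErrorEnumStrings() SIP_SKIP;
+/**
+* \brief validateCertChain validates the given \a certificateChain
+* \param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
+* \param addRootCa if true the CA will be added to the trusted CAs for this validation check
+* \return list of QSslError, if the list is empty then the cert chain is valid
+*/
+static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;
 private:
 static void appendDirSegment_( QStringList &dirname, const QString &segment, QString value );
 };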