Merge pull request #5401 from boundlessgeo/pkcs8-to-pkcs1
[auth] Convert PKCS8 to PKCS1 private keys (for macOS)
dakcarto authored Oct 26, 2017
2 parents 1ae0857 + ef7a29d commit 3210f85
Showing 21 changed files with 632 additions and 57 deletions.
5 changes: 5 additions & 0 deletions CMakeLists.txt
Expand Up @@ -320,6 +320,11 @@ IF(WITH_CORE)
FIND_QCAOSSL_PLUGIN_CPP(ENABLE_TESTS)
ENDIF(NOT MSVC)

IF (APPLE)
# Libtasn1 is for DER-encoded PKI ASN.1 parsing/extracting workarounds
FIND_PACKAGE(Libtasn1 REQUIRED)
ENDIF (APPLE)

IF (SUPPRESS_QT_WARNINGS)
# Newer versions of UseQt4.cmake include Qt with -isystem automatically
# This can be used to force this behavior on older systems
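--- /dev/null
+++ b/cmake/FindLibtasn1.cmake
@@ -0,0 +1,45 @@
+# Find Libtasn1
+# ~~~~~~~~~~~~~~~
+# CMake module to search for Libtasn1 ASN.1 library and header(s) from:
+# https://www.gnu.org/software/libtasn1/
+#
+# If it's found it sets LIBTASN1_FOUND to TRUE
+# and following variables are set:
+# LIBTASN1_INCLUDE_DIR
+# LIBTASN1_LIBRARY
+#
+# Copyright (c) 2017, Boundless Spatial
+# Author: Larry Shaffer <lshaffer (at) boundlessgeo (dot) com>
+#
+# Redistribution and use is allowed according to the terms of the BSD license.
+# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
+
+
+find_path(LIBTASN1_INCLUDE_DIR
+NAMES libtasn1.h
+PATHS
+${LIB_DIR}/include
+"$ENV{LIB_DIR}/include"
+$ENV{INCLUDE}
+/usr/local/include
+/usr/include
+)
+
+find_library(LIBTASN1_LIBRARY
+NAMES tasn1
+PATHS
+${LIB_DIR}
+"$ENV{LIB_DIR}"
+$ENV{LIB}
+/usr/local/lib
+/usr/lib
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(
+Libtasn1
+REQUIRED_VARS LIBTASN1_INCLUDE_DIR LIBTASN1_LIBRARY
+FOUND_VAR LIBTASN1_FOUND
+)
+
+mark_as_advanced(LIBTASN1_INCLUDE_DIR LIBTASN1_LIBRARY)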
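Review bot: The module stops at the raw `LIBTASN1_INCLUDE_DIR` / `LIBTASN1_LIBRARY` variables and defines no imported target, so every consumer has to wire the header path and the library file by hand (src/core/CMakeLists.txt in this same commit does exactly that with a directory-scoped INCLUDE_DIRECTORIES and a bare `${LIBTASN1_LIBRARY}`). Wrapping the result in an UNKNOWN IMPORTED target after find_package_handle_standard_args lets consumers link `Libtasn1::Libtasn1` and inherit the include directory as a usage requirement. Quoting is also inconsistent between `${LIB_DIR}/include` (unquoted) and `"$ENV{LIB_DIR}/include"` (quoted); leaving `$ENV{INCLUDE}` and `$ENV{LIB}` unquoted is fine since those are `;`-separated lists that should split into several PATHS entries, but the two LIB_DIR entries should agree.
```cmake
# … unchanged: find_path / find_library / find_package_handle_standard_args …
mark_as_advanced(LIBTASN1_INCLUDE_DIR LIBTASN1_LIBRARY)

if(LIBTASN1_FOUND AND NOT TARGET Libtasn1::Libtasn1)
  add_library(Libtasn1::Libtasn1 UNKNOWN IMPORTED)
  set_target_properties(Libtasn1::Libtasn1 PROPERTIES
    IMPORTED_LOCATION "${LIBTASN1_LIBRARY}"
    INTERFACE_INCLUDE_DIRECTORIES "${LIBTASN1_INCLUDE_DIR}")
endif()
```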
19 changes: 19 additions & 0 deletions python/core/auth/qgsauthcertutils.sip
Expand Up @@ -81,6 +81,15 @@ Map certificate sha1 to certificate as simple cache
%End


static QByteArray fileData( const QString &path, bool astext = false );
%Docstring
Return data from a local file via a read-only operation
\param path Path to file to read
\param astext Whether to open the file as text, otherwise as binary
:return: All data contained in file or empty contents if file does not exist
:rtype: QByteArray
%End

static QList<QSslCertificate> certsFromFile( const QString &certspath );
%Docstring
Return list of concatenated certs from a PEM or DER formatted file
Expand Down Expand Up @@ -150,6 +159,16 @@ Return list of concatenated certs from a PEM Base64 text block
:rtype: list of str
%End

static bool pemIsPkcs8( const QString &keyPemTxt );
%Docstring
Determine if the PEM-encoded text of a key is PKCS#8 format
\param keyPemTxt PEM-encoded text
:return: True if PKCS#8, otherwise false
:rtype: bool
%End



static QStringList pkcs12BundleToPem( const QString &bundlepath,
const QString &bundlepass = QString(),
bool reencrypt = true );
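Review bot: The second hunk leaves three consecutive blank lines between the `%End` of `pemIsPkcs8` and the `pkcs12BundleToPem` declaration, where the rest of this file separates declarations with a single blank line (as the first hunk does after `fileData`); two of them should be dropped. The `pemIsPkcs8` docstring reads fine otherwise; for symmetry with `fileData` it could name the input more precisely, e.g. `\param keyPemTxt PEM-encoded text of a private key`, which is what the function name implies but the docstring currently leaves implicit.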
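--- a/resources/CMakeLists.txt
+++ b/resources/CMakeLists.txt
@@ -9,3 +9,9 @@ INSTALL(DIRECTORY data DESTINATION ${QGIS_DATA_DIR}/resources)
 IF (WITH_SERVER)
 INSTALL(DIRECTORY server DESTINATION ${QGIS_DATA_DIR}/resources)
 ENDIF (WITH_SERVER)
+
+IF (APPLE)
+# ASN.1 definition files of PKIX elements
+INSTALL(FILES pkcs8.asn
+DESTINATION ${QGIS_DATA_DIR}/resources)
+ENDIF (APPLE)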
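--- /dev/null
+++ b/resources/pkcs8.asn
@@ -0,0 +1,63 @@
+PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-8(8)
+modules(1) pkcs-8(1)}
+
+-- $Revision: 1.5 $
+
+-- This module has been checked for conformance with the ASN.1
+-- standard by the OSS ASN.1 Tools
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS All --
+-- All types and values defined in this module is exported for use in
+-- other ASN.1 modules.
+
+-- attribute data types --
+
+Attribute ::= SEQUENCE {
+type AttributeType,
+values SET OF AttributeValue
+-- at least one value is required --
+}
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY DEFINED BY type
+
+AttributeTypeAndValue ::= SEQUENCE {
+type AttributeType,
+value AttributeValue }
+
+AlgorithmIdentifier ::= SEQUENCE {
+algorithm OBJECT IDENTIFIER,
+parameters ANY DEFINED BY algorithm OPTIONAL }
+-- contains a value of the type
+-- registered for use with the
+-- algorithm object identifier value
+
+-- Private-key information syntax
+
+PrivateKeyInfo ::= SEQUENCE {
+version Version,
+privateKeyAlgorithm AlgorithmIdentifier,
+privateKey PrivateKey,
+attributes [0] Attributes OPTIONAL }
+
+Version ::= INTEGER {v1(0)}
+
+PrivateKey ::= OCTET STRING
+
+Attributes ::= SET OF Attribute
+
+-- Encrypted private-key information syntax
+
+EncryptedPrivateKeyInfo ::= SEQUENCE {
+encryptionAlgorithm AlgorithmIdentifier,
+encryptedData EncryptedData
+}
+
+EncryptedData ::= OCTET STRING
+
+END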
11 changes: 11 additions & 0 deletions src/auth/pkipkcs12/qgsauthpkcs12method.cpp
Expand Up @@ -283,6 +283,12 @@ QgsPkiConfigBundle *QgsAuthPkcs12Method::getPkiConfigBundle( const QString &auth
QStringList bundlelist = QgsAuthCertUtils::pkcs12BundleToPem( mconfig.config( QStringLiteral( "bundlepath" ) ),
mconfig.config( QStringLiteral( "bundlepass" ) ), false );

if ( bundlelist.isEmpty() || bundlelist.size() < 2 )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: insert FAILED, PKCS#12 bundle parsing failed" ).arg( authcfg ) );
return bundle;
}

// init client cert
// Note: if this is not valid, no sense continuing
QSslCertificate clientcert( bundlelist.at( 0 ).toLatin1() );
Expand All @@ -292,6 +298,11 @@ QgsPkiConfigBundle *QgsAuthPkcs12Method::getPkiConfigBundle( const QString &auth
return bundle;
}

// !!! DON'T LEAVE THESE UNCOMMENTED !!!
// QgsDebugMsg( QString( "PKI bundle key for authcfg: \n%1" ).arg( bundlelist.at( 1 ) ) );
// QgsDebugMsg( QString( "PKI bundle key pass for authcfg: \n%1" )
// .arg( !mconfig.config( QStringLiteral( "bundlepass" ) ).isNull() ? mconfig.config( QStringLiteral( "bundlepass" ) ) : QStringLiteral() ) );

// init key
QSslKey clientkey( bundlelist.at( 1 ).toLatin1(),
QSsl::Rsa,
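Review bot: The commented-out `QgsDebugMsg` calls added before `// init key` in the second hunk would write the bundle's private key PEM (`bundlelist.at( 1 )`) and the `bundlepass` value to the debug log if anyone ever re-enables them, and a "DON'T LEAVE THESE UNCOMMENTED" comment is the only thing preventing that; commented-out code that prints credentials should be deleted rather than kept as a toggle. Separately, in the first hunk `bundlelist.isEmpty() || bundlelist.size() < 2` is redundant, because an empty list already has size below 2, so `if ( bundlelist.size() < 2 )` expresses the same guard. getPkiConfigBundle begins before and ends after these hunks, so the rest of its handling of `bundlelist` is not visible here.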
9 changes: 8 additions & 1 deletion src/core/CMakeLists.txt
Expand Up @@ -1181,6 +1181,13 @@ INCLUDE_DIRECTORIES(SYSTEM
${QTKEYCHAIN_INCLUDE_DIR}
)

IF (APPLE)
# Libtasn1 is for DER-encoded PKI ASN.1 parsing/extracting workarounds
INCLUDE_DIRECTORIES(SYSTEM
${LIBTASN1_INCLUDE_DIR}
)
ENDIF (APPLE)


#for PAL classes
IF (WIN32)
Expand Down Expand Up @@ -1251,7 +1258,7 @@ IF (WIN32)
ENDIF (WIN32)

IF (APPLE)
TARGET_LINK_LIBRARIES(qgis_core qgis_native)
TARGET_LINK_LIBRARIES(qgis_core qgis_native ${LIBTASN1_LIBRARY})
ENDIF (APPLE)

IF (NOT WITH_INTERNAL_QEXTSERIALPORT)
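Review bot: `INCLUDE_DIRECTORIES(SYSTEM ${LIBTASN1_INCLUDE_DIR})` in the first hunk is directory-scoped, so the Libtasn1 header path is leaked to every target defined below this point rather than attached to qgis_core, and `TARGET_LINK_LIBRARIES(qgis_core qgis_native ${LIBTASN1_LIBRARY})` in the second hunk links a bare library path with no PUBLIC/PRIVATE keyword. This follows the surrounding file's existing style (the replaced line had no keyword either), so it is a point of style rather than a defect, but a per-target form such as `TARGET_INCLUDE_DIRECTORIES(qgis_core SYSTEM PRIVATE ${LIBTASN1_INCLUDE_DIR})` keeps the dependency scoped to the one target that needs it. If FindLibtasn1.cmake ever exposes an imported target, both additions collapse to a single `TARGET_LINK_LIBRARIES(qgis_core Libtasn1::Libtasn1)`.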