Skip to content

Commit

Permalink
[auth] Add certificate chain validation routine
Browse files Browse the repository at this point in the history
  • Loading branch information
elpaso committed Oct 26, 2017
1 parent e20e076 commit 368b0df
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 0 deletions.
9 changes: 9 additions & 0 deletions python/core/auth/qgsauthcertutils.sip
Original file line number Diff line number Diff line change
Expand Up @@ -275,6 +275,15 @@ Get short strings describing an SSL error
%End


static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;
%Docstring
validateCertChain validates the given ``certificateChain``
\param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
\param addRootCa if true the CA will be added to the trusted CAs for this validation check
:return: list of QSslError, if the list is empty then the cert chain is valid
:rtype: list of QSslError
%End

};

/************************************************************************
Expand Down
22 changes: 22 additions & 0 deletions src/core/auth/qgsauthcertutils.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1018,3 +1018,25 @@ QList<QPair<QSslError::SslError, QString> > QgsAuthCertUtils::sslErrorEnumString
QgsAuthCertUtils::sslErrorEnumString( QSslError::CertificateBlacklisted ) );
return errenums;
}

QList<QSslError> QgsAuthCertUtils::validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName, bool addRootCa )
{
QList<QSslError> results;
// Merge in the root CA if present and asked for
if ( addRootCa && certificateChain.count() > 1 && certificateChain.last().isSelfSigned() )
{
static QMutex sMutex;
QMutexLocker lock( &sMutex );
QSslConfiguration oldSslConfig( QSslConfiguration::defaultConfiguration() );
QSslConfiguration sslConfig( oldSslConfig );
sslConfig.setCaCertificates( casMerge( sslConfig.caCertificates(), QList<QSslCertificate>() << certificateChain.last() ) );
QSslConfiguration::setDefaultConfiguration( sslConfig );
results = QSslCertificate::verify( certificateChain, hostName );
QSslConfiguration::setDefaultConfiguration( oldSslConfig );
}
else
{
results = QSslCertificate::verify( certificateChain, hostName );
}
return results;
}
8 changes: 8 additions & 0 deletions src/core/auth/qgsauthcertutils.h
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,14 @@ class CORE_EXPORT QgsAuthCertUtils
*/
static QList<QPair<QSslError::SslError, QString> > sslErrorEnumStrings() SIP_SKIP;

/**
* \brief validateCertChain validates the given \a certificateChain
* \param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
* \param addRootCa if true the CA will be added to the trusted CAs for this validation check
* \return list of QSslError, if the list is empty then the cert chain is valid
*/
static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;

private:
static void appendDirSegment_( QStringList &dirname, const QString &segment, QString value );
};
Expand Down

0 comments on commit 368b0df

Please sign in to comment.