[auth] Add certificate chain validation routine

elpaso committed Oct 25, 2017
1 parent e20e076 commit 368b0df24e8343f89fca592bd1fc4d153360acdb
Showing with 39 additions and 0 deletions.
  1. +9 −0 python/core/auth/qgsauthcertutils.sip
  2. +22 −0 src/core/auth/qgsauthcertutils.cpp
  3. +8 −0 src/core/auth/qgsauthcertutils.h
@@ -275,6 +275,15 @@ Get short strings describing an SSL error
%End


static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;
%Docstring
validateCertChain validates the given ``certificateChain``
\param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
\param addRootCa if true the CA will be added to the trusted CAs for this validation check
:return: list of QSslError, if the list is empty then the cert chain is valid
:rtype: list of QSslError
%End

};

/************************************************************************
@@ -1018,3 +1018,25 @@ QList<QPair<QSslError::SslError, QString> > QgsAuthCertUtils::sslErrorEnumString
QgsAuthCertUtils::sslErrorEnumString( QSslError::CertificateBlacklisted ) );
return errenums;
}

QList<QSslError> QgsAuthCertUtils::validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName, bool addRootCa )
{
QList<QSslError> results;
// Merge in the root CA if present and asked for
if ( addRootCa && certificateChain.count() > 1 && certificateChain.last().isSelfSigned() )
{
static QMutex sMutex;
QMutexLocker lock( &sMutex );
QSslConfiguration oldSslConfig( QSslConfiguration::defaultConfiguration() );
QSslConfiguration sslConfig( oldSslConfig );
sslConfig.setCaCertificates( casMerge( sslConfig.caCertificates(), QList<QSslCertificate>() << certificateChain.last() ) );
QSslConfiguration::setDefaultConfiguration( sslConfig );
results = QSslCertificate::verify( certificateChain, hostName );
QSslConfiguration::setDefaultConfiguration( oldSslConfig );
}
else
{
results = QSslCertificate::verify( certificateChain, hostName );
}
return results;
}
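Review bot: The addRootCa branch swaps the process-wide default QSslConfiguration around the verify() call, so the caller-supplied self-signed root appears to be trusted by any TLS connection another thread opens during that window (a QSslSocket seems to copy the default configuration when it is constructed), not just by this one validation; the static sMutex only serializes callers of validateCertChain, it does not stop the rest of the process from reading the default configuration. If QSslCertificate::verify offers no per-call trust store — which looks like the reason for the swap — that exposure should be stated in the comment on the branch, e.g. `// NOTE: temporarily widens the process-wide trust store; TLS handshakes started by other threads in this window will also trust this root`, and the restore is worth moving into a small scope guard so it cannot be skipped if the body grows. The isSelfSigned() test on the last element only establishes that the certificate claims to be its own issuer; the chain's signatures are checked by verify(), so with addRootCa=true the root is trusted solely because the caller passed it, and callers handing in a chain received from a remote peer should pin or confirm that root out-of-band first — a sentence to that effect in the comment would keep the next caller from treating this as a full trust decision.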
@@ -296,6 +296,14 @@ class CORE_EXPORT QgsAuthCertUtils
*/
static QList<QPair<QSslError::SslError, QString> > sslErrorEnumStrings() SIP_SKIP;

/**
* \brief validateCertChain validates the given \a certificateChain
* \param certificateChain list of certificates to be checked, with leaf first and with optional root CA last
* \param addRootCa if true the CA will be added to the trusted CAs for this validation check
* \return list of QSslError, if the list is empty then the cert chain is valid
*/
static QList<QSslError> validateCertChain( const QList<QSslCertificate> &certificateChain, const QString &hostName = QString(), bool addRootCa = false ) ;

private:
static void appendDirSegment_( QStringList &dirname, const QString &segment, QString value );
};
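Review bot: The doc comment on validateCertChain omits the hostName parameter, and that is the one a caller is most likely to get wrong: with the default empty value verify() appears to skip the host name check altogether, so a server certificate issued for a different host would still validate cleanly. Add `\param hostName server host name to match against the leaf certificate; when empty (the default) no host name check is performed` and, for addRootCa, note the side effect the implementation has: `\note with addRootCa the trailing self-signed root is trusted by temporarily changing the process-wide default QSslConfiguration for the duration of the check`. It is also worth saying that a chain with a single element is never extended by addRootCa (the implementation requires more than one certificate), so a lone self-signed certificate is validated against the existing trust store only.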
