[FEATURE] SSL PKI integration for OWS connections #1588
…less Spatial, US)
- Add SSL certificate settings and utilities classes
- Setup local ~/.qgis2/cert_store setup
- Add QgsCredentials key passphrase support, with stacked widget to rotate between inputs (username/password or key passphrase)
- Add SSL Certificate widget to new OWS connections (tabbed widget with Authentication)
- Cache key passphrases in QgsNetworkManager singleton, since it did not work with QgsCredentials
…ache gets lost across threads?)
Since @jef-n has written QgsCredentials, I'm assigning the pull request to him.
@jef-n I am refactoring the means of caching the PKI components (cert, key and optional issuer cert), to remove the bits from
- Whole PKI group (cert, key and any issuer) are saved in cache
- Private key (and all other PKI components) can be full paths
- Private key path and password can be input when needed, and not stored
@jef-n Approach refactored to offer more robust storage of PKI group. More secure manner of dealing with private keys (path and any password are optionally only input when needed, and not stored). This is pretty solid here with my testing. And, I think the approach is more scalable now. Just need to add the support to other OWS services today, but I can do that after it is pushed, if that is OK with you.
Sponsored by Boundless Spatial, US
Adds the following SSL PKI support
- QgsSslCertificateWidget (here inside WMS connection setup dialog): It does lightweight validation (dates, etc., see QSslCertificate.isValid())
- SSL certificate settings (QgsSslCertSettings) and utilities (QgsSslUtils) classes
- Configures a local QGIS Store ~/.qgis2/cert_store
- Add QgsCredentials key passphrase support, with stacked widget to rotate between inputs (username/password or key passphrase).
- Add SSL Certificate widget to new OWS connections (tabbed widget with Authentication).
- Cache key passphrases in QgsNetworkManager singleton, since it did not work with QgsCredentials.
The Good Stuff
QgsCredentials).
Caveats
Only works for the WMS provider at this time. Need some feedback on whether this approach is sound, before adding PKI for other OWS connections ... should be fairly easy to do this week. ( @jef-n , @mhugent ?)
NOTE: the other OWS services do show the certificate GUI, but are not yet functional.
Base security is not so great. Since the QGIS local store is a known location, any plugin running with user-rights can find private keys, so those should always be passphrase-protected. (Important to note in the users guide).
Future Improvements
Testing
You will need an HTTPS web mapping service with user authentication via PKI turned on. See this page for some info on an OpenGeo Suite setup with GeoServer.
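The caveat above says private keys kept in the known `~/.qgis2/cert_store` location should always be passphrase-protected. The following is an added example, not code from this pull request, that audits a store directory for PEM private keys lacking encryption; it assumes the store holds PEM files, and `classify_pem_key`, `audit_store` and `demo` are hypothetical names.

```python
import os
import re
import tempfile

# Assumption: the store holds PEM files. Labels cover PKCS#8 and OpenSSL traditional keys.
PEM_BEGIN = re.compile(r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----")

def classify_pem_key(text):
    """Return 'plaintext', 'encrypted', or None if text holds no PEM private key."""
    kinds = set()
    for m in PEM_BEGIN.finditer(text):
        first_line = text[m.end():].lstrip("\r\n").split("\n", 1)[0]
        # PKCS#8 uses its own label; traditional keys add an RFC 1421 header.
        enc = m.group(1).startswith("ENCRYPTED") or first_line.startswith("Proc-Type: 4,ENCRYPTED")
        kinds.add("encrypted" if enc else "plaintext")
    # One unprotected key in a bundle is enough to flag the whole file.
    return "plaintext" if "plaintext" in kinds else ("encrypted" if kinds else None)

def audit_store(store_dir):
    """Map 'plaintext'/'encrypted' to sorted relative paths of key files under store_dir."""
    report = {"plaintext": [], "encrypted": []}
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "r", errors="replace") as fh:
                kind = classify_pem_key(fh.read())
            if kind:  # None means certificate or non-PEM file (DER keys are not detected)
                report[kind].append(os.path.relpath(path, store_dir))
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Audit a constructed store; the PEM bodies are placeholders, not real keys."""
    samples = {
        "alice_key.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "bob_key.pem": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
        "carol_key.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                         "-----END ENCRYPTED PRIVATE KEY-----\n",
        "bob_cert.pem": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    }
    with tempfile.TemporaryDirectory() as store:
        for name, body in samples.items():
            with open(os.path.join(store, name), "w") as fh:
                fh.write(body)
        return audit_store(store)

if __name__ == "__main__":
    print(demo())
```

To check a real profile, pass the expanded store path to `audit_store`; any entry under `plaintext` is a key that other code running as the same user can read and use directly.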