dd/da5/qsslsocket__mac__shared_8cpp_source.html

// Copyright (C) 2016 The Qt Company Ltd.

// Copyright (C) 2015 ownCloud Inc

// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only


#include <QtNetwork/private/qtlsbackend_p.h>


#include <QtNetwork/qsslcertificate.h>


#include <QtCore/qloggingcategory.h>

#include <QtCore/qglobal.h>

#include <QtCore/qdebug.h>


#ifdef Q_OS_MACOS


#include <QtCore/private/qcore_mac_p.h>


#include <CoreFoundation/CFArray.h>

#include <Security/Security.h>


#endif // Q_OS_MACOS


QT_BEGIN_NAMESPACE


Q_LOGGING_CATEGORY(lcX509, "qt.mac.shared.x509");


#ifdef Q_OS_MACOS

namespace {


bool hasTrustedSslServerPolicy(SecPolicyRef policy, CFDictionaryRef props) {

    QCFType<CFDictionaryRef> policyProps = SecPolicyCopyProperties(policy);

    // only accept certificates with policies for SSL server validation for now

    if (CFEqual(CFDictionaryGetValue(policyProps, kSecPolicyOid), kSecPolicyAppleSSL)) {

        CFBooleanRef policyClient;

        if (CFDictionaryGetValueIfPresent(policyProps, kSecPolicyClient, reinterpret_cast<const void**>(&policyClient)) &&

            CFEqual(policyClient, kCFBooleanTrue)) {

            return false; // no client certs

        }

        if (!CFDictionaryContainsKey(props, kSecTrustSettingsResult)) {

            // as per the docs, no trust settings result implies full trust

            return true;

        }

        CFNumberRef number = static_cast<CFNumberRef>(CFDictionaryGetValue(props, kSecTrustSettingsResult));

        SecTrustSettingsResult settingsResult;

        CFNumberGetValue(number, kCFNumberSInt32Type, &settingsResult);

        switch (settingsResult) {

        case kSecTrustSettingsResultTrustRoot:

        case kSecTrustSettingsResultTrustAsRoot:

            return true;

        default:

            return false;

        }

    }

    return false;

}


bool isCaCertificateTrusted(SecCertificateRef cfCert, int domain)

{

    QCFType<CFArrayRef> cfTrustSettings;

    OSStatus status = SecTrustSettingsCopyTrustSettings(cfCert, SecTrustSettingsDomain(domain), &cfTrustSettings);

    if (status == noErr) {

        CFIndex size = CFArrayGetCount(cfTrustSettings);

        // if empty, trust for everything (as per the Security Framework documentation)

        if (size == 0) {

            return true;

        } else {

            for (CFIndex i = 0; i < size; ++i) {

                CFDictionaryRef props = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(cfTrustSettings, i));

                if (CFDictionaryContainsKey(props, kSecTrustSettingsPolicy)) {

                    if (hasTrustedSslServerPolicy((SecPolicyRef)CFDictionaryGetValue(props, kSecTrustSettingsPolicy), props))

                        return true;

                }

            }

        }

    }


    return false;

}


bool canDERBeParsed(CFDataRef derData, const QSslCertificate &qtCert)

{

    // We are observing certificates, that while accepted when we copy them

    // from the keychain(s), later give us 'Failed to create SslCertificate

    // from QSslCertificate'. It's interesting to know at what step the failure

    // occurred. Let's check it and skip it below if it's not valid.


    auto checkDer = [](CFDataRef derData, const char *source)

    {

        Q_ASSERT(source);

        Q_ASSERT(derData);


        const auto cfLength = CFDataGetLength(derData);

        if (cfLength <= 0) {

            qCWarning(lcX509) << source << "returned faulty DER data with invalid length.";

            return false;

        }


        QCFType<SecCertificateRef> secRef = SecCertificateCreateWithData(nullptr, derData);

        if (!secRef) {

            qCWarning(lcX509) << source << "returned faulty DER data which cannot be parsed back.";

            return false;

        }

        return true;

    };


    if (!checkDer(derData, "SecCertificateCopyData")) {

        qCDebug(lcX509) << "Faulty QSslCertificate is:" << qtCert;// Just in case we managed to parse something.

        return false;

    }


    // Generic parser failed?

    if (qtCert.isNull()) {

        qCWarning(lcX509, "QSslCertificate failed to parse DER");

        return false;

    }


    const QCFType<CFDataRef> qtDerData = qtCert.toDer().toCFData();

    if (!checkDer(qtDerData, "QSslCertificate")) {

        qCWarning(lcX509) << "Faulty QSslCertificate is:" << qtCert;

        return false;

    }


    return true;

}


} // unnamed namespace

#endif // Q_OS_MACOS


namespace QTlsPrivate {

QList<QSslCertificate> systemCaCertificates()

{

    QList<QSslCertificate> systemCerts;

    // SecTrustSettingsCopyCertificates is not defined on iOS.

#ifdef Q_OS_MACOS

    // iterate through all enum members, order:

    // kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem

    for (int dom = kSecTrustSettingsDomainUser; dom <= int(kSecTrustSettingsDomainSystem); dom++) {

        QCFType<CFArrayRef> cfCerts;

        OSStatus status = SecTrustSettingsCopyCertificates(SecTrustSettingsDomain(dom), &cfCerts);

        if (status == noErr) {

            const CFIndex size = CFArrayGetCount(cfCerts);

            for (CFIndex i = 0; i < size; ++i) {

                SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);

                QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert);

                if (isCaCertificateTrusted(cfCert, dom)) {

                    if (derData) {

                        const auto newCert = QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der);

                        if (!canDERBeParsed(derData, newCert)) {

                            // Last attempt to get some information about the certificate:

                            CFShow(cfCert);

                            continue;

                        }

                        systemCerts << newCert;

                    } else {

                        // "Returns NULL if the data passed in the certificate parameter

                        // is not a valid certificate object."

                        qCWarning(lcX509, "SecCertificateCopyData returned invalid DER data (nullptr).");

                    }

                }

            }

        }

    }

#endif

    return systemCerts;

}

} // namespace QTlsPrivate


QT_END_NAMESPACE

QCFType
Definition qcore_mac_p.h:150

QList
Definition qlist.h:74

QSslCertificate
The QSslCertificate class provides a convenient API for an X509 certificate.
Definition qsslcertificate.h:35

QSslCertificate::toDer
QByteArray toDer() const
Returns this certificate converted to a DER (binary) encoded representation.
Definition qsslcertificate.cpp:580

QSslCertificate::isNull
bool isNull() const
Returns true if this is a null certificate (i.e., a certificate with no contents); otherwise returns ...
Definition qsslcertificate.cpp:264

i
i
[1]
Definition doc_src_containers.cpp:167

QSsl::Der
@ Der
Definition qssl.h:26

QT_BEGIN_NAMESPACE
Combined button and popup list for selecting options.
Definition qstandardpaths_haiku.cpp:21

QT_END_NAMESPACE
Definition qsharedpointer.cpp:1545

QTlsPrivate
Namespace containing onternal types that TLS backends implement.
Definition qocspresponse.h:40

QTlsPrivate::systemCaCertificates
QList< QSslCertificate > systemCaCertificates()
Definition qtlsbackend_openssl.cpp:357

dom
Definition qwasmdom.cpp:16

Q_LOGGING_CATEGORY
#define Q_LOGGING_CATEGORY(name,...)
Definition qloggingcategory.h:112

qCWarning
#define qCWarning(category,...)
Definition qloggingcategory.h:125

qCDebug
#define qCDebug(category,...)
Definition qloggingcategory.h:123

size
GLenum GLuint GLintptr GLsizeiptr size
[1]
Definition qopengles2ext.h:660

props
GLenum GLuint GLsizei const GLenum * props
Definition qopengles2ext.h:3217

source
GLsizei GLsizei GLchar * source
Definition qopengles2ext.h:952

Q_ASSERT
#define Q_ASSERT(cond)
Definition qrandom.cpp:47

number
int number
[0]
Definition src_corelib_thread_qmutex.cpp:5

policy
QSizePolicy policy
Definition src_gui_widgets_qsplitter.cpp:6