Qt 6.x
The Qt SDK
Loading...
Searching...
No Matches
qx509_schannel.cpp
Go to the documentation of this file.
1// Copyright (C) 2021 The Qt Company Ltd.
2// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
3
4#include "qtlsbackend_schannel_p.h"
5#include "qtlskey_schannel_p.h"
6#include "qx509_schannel_p.h"
7
8#include <QtCore/private/qsystemerror_p.h>
9#include <QtNetwork/private/qsslcertificate_p.h>
10
11#include <memory>
12
13QT_BEGIN_NAMESPACE
14
15namespace QTlsPrivate {
16
17X509CertificateSchannel::X509CertificateSchannel() = default;
18
19X509CertificateSchannel::~X509CertificateSchannel()
20{
21 if (certificateContext)
22 CertFreeCertificateContext(certificateContext);
23}
24
25TlsKey *X509CertificateSchannel::publicKey() const
26{
27 auto key = std::make_unique<TlsKeySchannel>(QSsl::PublicKey);
28 if (publicKeyAlgorithm != QSsl::Opaque)
29 key->decodeDer(QSsl::PublicKey, publicKeyAlgorithm, publicKeyDerData, {}, false);
30
31 return key.release();
32}
33
34Qt::HANDLE X509CertificateSchannel::handle() const
35{
36 return Qt::HANDLE(certificateContext);
37}
38
39QSslCertificate X509CertificateSchannel::QSslCertificate_from_CERT_CONTEXT(const CERT_CONTEXT *certificateContext)
40{
41 QByteArray derData = QByteArray((const char *)certificateContext->pbCertEncoded,
42 certificateContext->cbCertEncoded);
43 QSslCertificate certificate(derData, QSsl::Der);
44
45 auto *certBackend = QTlsBackend::backend<X509CertificateSchannel>(certificate);
46 Q_ASSERT(certBackend);
47 certBackend->certificateContext = CertDuplicateCertificateContext(certificateContext);
48 return certificate;
49}
50
51bool X509CertificateSchannel::importPkcs12(QIODevice *device, QSslKey *key, QSslCertificate *cert,
52 QList<QSslCertificate> *caCertificates,
53 const QByteArray &passPhrase)
54{
55 // These are required
56 Q_ASSERT(device);
57 Q_ASSERT(key);
58 Q_ASSERT(cert);
59
60 QByteArray pkcs12data = device->readAll();
61 if (pkcs12data.size() == 0)
62 return false;
63
64 CRYPT_DATA_BLOB dataBlob;
65 dataBlob.cbData = pkcs12data.size();
66 dataBlob.pbData = reinterpret_cast<BYTE*>(pkcs12data.data());
67
68 const auto password = QString::fromUtf8(passPhrase);
69
70 const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_PREFER_CNG_KSP);
71
72 auto certStore = QHCertStorePointer(PFXImportCertStore(&dataBlob,
73 reinterpret_cast<LPCWSTR>(password.utf16()),
74 flags));
75
76 if (!certStore) {
77 qCWarning(lcTlsBackendSchannel, "Failed to import PFX data: %s",
78 qPrintable(QSystemError::windowsString()));
79 return false;
80 }
81
82 // first extract the certificate with the private key
83 const auto certContext = QPCCertContextPointer(CertFindCertificateInStore(certStore.get(),
84 X509_ASN_ENCODING |
85 PKCS_7_ASN_ENCODING,
86 0,
87 CERT_FIND_HAS_PRIVATE_KEY,
88 nullptr, nullptr));
89
90 if (!certContext) {
91 qCWarning(lcTlsBackendSchannel, "Failed to find certificate in PFX store: %s",
92 qPrintable(QSystemError::windowsString()));
93 return false;
94 }
95
96 *cert = QSslCertificate_from_CERT_CONTEXT(certContext.get());
97
98 // retrieve the private key for the certificate
99 NCRYPT_KEY_HANDLE keyHandle = {};
100 DWORD keyHandleSize = sizeof(keyHandle);
101 if (!CertGetCertificateContextProperty(certContext.get(), CERT_NCRYPT_KEY_HANDLE_PROP_ID,
102 &keyHandle, &keyHandleSize)) {
103 qCWarning(lcTlsBackendSchannel, "Failed to find private key handle in certificate context: %s",
104 qPrintable(QSystemError::windowsString()));
105 return false;
106 }
107
108 SECURITY_STATUS securityStatus = ERROR_SUCCESS;
109
110 // we need the 'NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG' to make NCryptExportKey succeed
111 DWORD policy = (NCRYPT_ALLOW_EXPORT_FLAG | NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG);
112 DWORD policySize = sizeof(policy);
113
114 securityStatus = NCryptSetProperty(keyHandle, NCRYPT_EXPORT_POLICY_PROPERTY,
115 reinterpret_cast<BYTE*>(&policy), policySize, 0);
116 if (securityStatus != ERROR_SUCCESS) {
117 qCWarning(lcTlsBackendSchannel, "Failed to update export policy of private key: 0x%x",
118 static_cast<unsigned int>(securityStatus));
119 return false;
120 }
121
122 DWORD blobSize = {};
123 securityStatus = NCryptExportKey(keyHandle, {}, BCRYPT_RSAFULLPRIVATE_BLOB,
124 nullptr, nullptr, 0, &blobSize, 0);
125 if (securityStatus != ERROR_SUCCESS) {
126 qCWarning(lcTlsBackendSchannel, "Failed to retrieve private key size: 0x%x",
127 static_cast<unsigned int>(securityStatus));
128 return false;
129 }
130
131 std::vector<BYTE> blob(blobSize);
132 securityStatus = NCryptExportKey(keyHandle, {}, BCRYPT_RSAFULLPRIVATE_BLOB,
133 nullptr, blob.data(), blobSize, &blobSize, 0);
134 if (securityStatus != ERROR_SUCCESS) {
135 qCWarning(lcTlsBackendSchannel, "Failed to retrieve private key from certificate: 0x%x",
136 static_cast<unsigned int>(securityStatus));
137 return false;
138 }
139
140 DWORD privateKeySize = {};
141
142 if (!CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, CNG_RSA_PRIVATE_KEY_BLOB,
143 blob.data(), nullptr, &privateKeySize)) {
144 qCWarning(lcTlsBackendSchannel, "Failed to encode private key to key info: %s",
145 qPrintable(QSystemError::windowsString()));
146 return false;
147 }
148
149 std::vector<BYTE> privateKeyData(privateKeySize);
150
151 CRYPT_PRIVATE_KEY_INFO privateKeyInfo = {};
152 privateKeyInfo.Algorithm.pszObjId = const_cast<PSTR>(szOID_RSA_RSA);
153 privateKeyInfo.PrivateKey.cbData = privateKeySize;
154 privateKeyInfo.PrivateKey.pbData = privateKeyData.data();
155
156 if (!CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
157 CNG_RSA_PRIVATE_KEY_BLOB, blob.data(),
158 privateKeyInfo.PrivateKey.pbData, &privateKeyInfo.PrivateKey.cbData)) {
159 qCWarning(lcTlsBackendSchannel, "Failed to encode private key to key info: %s",
160 qPrintable(QSystemError::windowsString()));
161 return false;
162 }
163
164
165 DWORD derSize = {};
166
167 if (!CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO,
168 &privateKeyInfo, nullptr, &derSize)) {
169 qCWarning(lcTlsBackendSchannel, "Failed to encode key info to DER format: %s",
170 qPrintable(QSystemError::windowsString()));
171
172 return false;
173 }
174
175 QByteArray derData(derSize, Qt::Uninitialized);
176
177 if (!CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO,
178 &privateKeyInfo, reinterpret_cast<BYTE*>(derData.data()), &derSize)) {
179 qCWarning(lcTlsBackendSchannel, "Failed to encode key info to DER format: %s",
180 qPrintable(QSystemError::windowsString()));
181
182 return false;
183 }
184
185 *key = QSslKey(derData, QSsl::Rsa, QSsl::Der, QSsl::PrivateKey);
186 if (key->isNull()) {
187 qCWarning(lcTlsBackendSchannel, "Failed to parse private key from DER format");
188 return false;
189 }
190
191 // fetch all the remaining certificates as CA certificates
192 if (caCertificates) {
193 PCCERT_CONTEXT caCertContext = nullptr;
194 while ((caCertContext = CertFindCertificateInStore(certStore.get(),
195 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
196 0, CERT_FIND_ANY, nullptr, caCertContext))) {
197 if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
198 certContext->pCertInfo, caCertContext->pCertInfo))
199 continue; // ignore the certificate with private key
200
201 auto caCertificate = QSslCertificate_from_CERT_CONTEXT(caCertContext);
202
203 caCertificates->append(caCertificate);
204 }
205 }
206
207 return true;
208}
209
210} // namespace QTlsPrivate
211
212QT_END_NAMESPACE
213
device
IOBluetoothDevice * device
Definition btl2capchannel.mm:17
QByteArray
\inmodule QtCore
Definition qbytearray.h:57
QByteArray::data
char * data()
\macro QT_NO_CAST_FROM_BYTEARRAY
Definition qbytearray.h:534
QByteArray::size
qsizetype size() const noexcept
Returns the number of bytes in this byte array.
Definition qbytearray.h:474
QIODevice
\inmodule QtCore \reentrant
Definition qiodevice.h:34
QList
Definition qlist.h:74
QList::append
void append(parameter_type t)
Definition qlist.h:441
QSslCertificate
The QSslCertificate class provides a convenient API for an X509 certificate.
Definition qsslcertificate.h:35
QSslKey
The QSslKey class provides an interface for private and public keys.
Definition qsslkey.h:23
QString::fromUtf8
static QString fromUtf8(QByteArrayView utf8)
This is an overloaded member function, provided for convenience. It differs from the above function o...
Definition qstring.cpp:5857
QTlsPrivate::TlsKey
TlsKey is an abstract class, that allows a TLS plugin to provide an underlying implementation for the...
Definition qtlsbackend_p.h:60
QTlsPrivate::X509CertificateSchannel::publicKey
TlsKey * publicKey() const override
Definition qx509_schannel.cpp:25
QTlsPrivate::X509CertificateSchannel::handle
Qt::HANDLE handle() const override
Definition qx509_schannel.cpp:34
QTlsPrivate::X509CertificateSchannel::importPkcs12
static bool importPkcs12(QIODevice *device, QSslKey *key, QSslCertificate *cert, QList< QSslCertificate > *caCertificates, const QByteArray &passPhrase)
Definition qx509_schannel.cpp:51
QTlsPrivate::X509CertificateSchannel::QSslCertificate_from_CERT_CONTEXT
static QSslCertificate QSslCertificate_from_CERT_CONTEXT(const CERT_CONTEXT *certificateContext)
Definition qx509_schannel.cpp:39
QSsl::PublicKey
@ PublicKey
Definition qssl.h:21
QSsl::PrivateKey
@ PrivateKey
Definition qssl.h:20
QSsl::Rsa
@ Rsa
Definition qssl.h:31
QSsl::Opaque
@ Opaque
Definition qssl.h:30
QSsl::Der
@ Der
Definition qssl.h:26
QT_BEGIN_NAMESPACE
Combined button and popup list for selecting options.
Definition qstandardpaths_haiku.cpp:21
QT_END_NAMESPACE
Definition qsharedpointer.cpp:1545
QTlsPrivate
Namespace containing onternal types that TLS backends implement.
Definition qocspresponse.h:40
Qt::HANDLE
void * HANDLE
Definition qnamespace.h:1535
Qt::Uninitialized
constexpr Initialization Uninitialized
Definition qnamespace.h:1587
qCWarning
#define qCWarning(category,...)
Definition qloggingcategory.h:125
key
GLuint64 key
Definition qopengles2ext.h:2268
flags
GLbitfield flags
Definition qopengles2ext.h:1026
Q_ASSERT
#define Q_ASSERT(cond)
Definition qrandom.cpp:47
qPrintable
#define qPrintable(string)
Definition qstring.h:1391
qtlsbackend_schannel_p.h
qtlskey_schannel_p.h
QPCCertContextPointer
std::unique_ptr< const CERT_CONTEXT, QPCCertContextDeleter > QPCCertContextPointer
Definition qwincrypt_p.h:51
QHCertStorePointer
std::unique_ptr< void, QHCertStoreDeleter > QHCertStorePointer
Definition qwincrypt_p.h:41
qx509_schannel_p.h
policy
QSizePolicy policy
Definition src_gui_widgets_qsplitter.cpp:6
cert
QList< QSslCertificate > cert
[0]
Definition src_network_access_qnetworkreply.cpp:7