verifyDepth = DWORD(q->peerVerifyDepth());
const auto &caCertificates = q->sslConfiguration().caCertificates();
+
+ if (!rootCertOnDemandLoadingAllowed()
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
+ // When verifying a peer Windows "helpfully" builds a chain that
+ // may include roots from the system store. But we don't want that if
+ // the user has set their own CA certificates.
+ // Since Windows claims this is not a partial chain the root is included
+ // and we have to check that it is one of our configured CAs.
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+ if (!caCertificates.contains(certificate)) {
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
+ sslErrors += error;
+ emit q->peerVerifyError(error);
+ if (q->state() != QAbstractSocket::ConnectedState)
+ return false;
+ }
+ }
+
QList<QSslCertificate> peerCertificateChain;
for (DWORD i = 0; i < verifyDepth; i++) {
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
--- /dev/null
+#!/bin/bash
+# Copyright (C) 2023 The Qt Company Ltd.
+# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+
+# Requires mkcert and openssl
+
+warn () { echo "$@" >&2; }
+die () { warn "$@"; exit 1; }
+
+
+command -v mkcert 1>/dev/null 2>&1 || die "Failed to find mkcert"
+command -v openssl 1>/dev/null 2>&1 || die "Failed to find openssl"
+
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+pushd "$SCRIPTPATH" || die "Unable to pushd to $SCRIPTPATH"
+mkcert 127.0.0.1
+mkcert -client 127.0.0.1
+warn "Remember to run mkcert -install if you haven't already"
+
+# Generate CA
+openssl genrsa -out ca-key.pem 2048
+openssl req -new -x509 -noenc -days 365 -key ca-key.pem -out rootCA.pem
+
+# Generate accepted client certificate
+openssl genrsa -out accepted-client-key.pem 2048
+openssl req -new -sha512 -nodes -key accepted-client-key.pem -out accepted-client.csr -config accepted-client.conf
+openssl x509 -req -sha512 -days 45 -in accepted-client.csr -CA rootCA.pem -CAkey ca-key.pem -CAcreateserial -out accepted-client.pem
+rm accepted-client.csr
+rm rootCA.srl
+
+popd || die "Unable to popd"
--- /dev/null
+// Copyright (C) 2023 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+
+#include <QtCore/qcoreapplication.h>
+
+#include <QtCore/qthread.h>
+#include <QtCore/qfile.h>
+#include <QtCore/qdir.h>
+
+#include <QtNetwork/qsslsocket.h>
+#include <QtNetwork/qsslserver.h>
+#include <QtNetwork/qsslconfiguration.h>
+#include <QtNetwork/qsslkey.h>
+
+// Client and/or server presents a certificate signed by a system-trusted CA
+// but the other side presents a certificate signed by a different CA.
+constexpr bool TestServerPresentsIncorrectCa = false;
+constexpr bool TestClientPresentsIncorrectCa = true;
+
+class ServerThread : public QThread
+{
+ Q_OBJECT
+public:
+ void run() override
+ {
+ QSslServer server;
+
+ QSslConfiguration config = server.sslConfiguration();
+ QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
+ config.setCaCertificates(certs);
+ config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem"))
+ .first());
+ QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem"));
+ if (!keyFile.open(QIODevice::ReadOnly))
+ qFatal("Failed to open key file");
+ config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
+ config.setPeerVerifyMode(QSslSocket::VerifyPeer);
+ server.setSslConfiguration(config);
+
+ connect(&server, &QSslServer::pendingConnectionAvailable, [&server]() {
+ QSslSocket *socket = static_cast<QSslSocket *>(server.nextPendingConnection());
+ qDebug() << "[s] newConnection" << socket->peerAddress() << socket->peerPort();
+ socket->disconnectFromHost();
+ qApp->quit();
+ });
+ connect(&server, &QSslServer::startedEncryptionHandshake, [](QSslSocket *socket) {
+ qDebug() << "[s] new handshake" << socket->peerAddress() << socket->peerPort();
+ });
+ connect(&server, &QSslServer::errorOccurred,
+ [](QSslSocket *socket, QAbstractSocket::SocketError error) {
+ qDebug() << "[s] errorOccurred" << socket->peerAddress() << socket->peerPort()
+ << error << socket->errorString();
+ });
+ connect(&server, &QSslServer::peerVerifyError,
+ [](QSslSocket *socket, const QSslError &error) {
+ qDebug() << "[s] peerVerifyError" << socket->peerAddress() << socket->peerPort()
+ << error;
+ });
+ server.listen(QHostAddress::LocalHost, 24242);
+
+ exec();
+
+ server.close();
+ }
+};
+
+int main(int argc, char **argv)
+{
+ QCoreApplication app(argc, argv);
+
+ using namespace Qt::StringLiterals;
+
+ if (!QFileInfo(u":/rootCA.pem"_s).exists())
+ qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?");
+
+ ServerThread serverThread;
+ serverThread.start();
+
+ QSslSocket socket;
+ QSslConfiguration config = socket.sslConfiguration();
+ QString certificatePath;
+ QString keyFileName;
+ if constexpr (TestClientPresentsIncorrectCa) { // true: Present cert signed with incorrect CA: should fail
+ certificatePath = u":/127.0.0.1-client.pem"_s;
+ keyFileName = u":/127.0.0.1-client-key.pem"_s;
+ } else { // false: Use correct CA: should succeed
+ certificatePath = u":/accepted-client.pem"_s;
+ keyFileName = u":/accepted-client-key.pem"_s;
+ }
+ config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first());
+ if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail
+ config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
+ QFile keyFile(keyFileName);
+ if (!keyFile.open(QIODevice::ReadOnly))
+ qFatal("Failed to open key file");
+ config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
+ socket.setSslConfiguration(config);
+
+ QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });
+ QObject::connect(&socket, &QSslSocket::errorOccurred,
+ [&socket](QAbstractSocket::SocketError error) {
+ qDebug() << "[c] errorOccurred" << error << socket.errorString();
+ qApp->quit();
+ });
+ QObject::connect(&socket, &QSslSocket::sslErrors, [](const QList<QSslError> &errors) {
+ qDebug() << "[c] sslErrors" << errors;
+ });
+ QObject::connect(&socket, &QSslSocket::connected, []() { qDebug() << "[c] connected"; });
+
+ socket.connectToHostEncrypted(QStringLiteral("127.0.0.1"), 24242);
+
+ const int res = app.exec();
+ serverThread.quit();
+ serverThread.wait();
+ return res;
+}
+
+#include "tst_manual_ssl_client_auth.moc"
projects / qt6-base.git / commitdiff