1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssl: Add common key parser for backends

Browse Source 
This internal implementation of QSslKey can be used when OpenSSL is not
available. Encrypted keys are not supported, as the cryptography must
be supplied by a separate library.

With this commit, WinRT is migrated to the new implementation,
but qsslkey_winrt.cpp is left in place so that the missing crypto
implementation can be added later. This also means most of the expected
failures for that platform can be removed from the autotest.

Change-Id: I24a3ad1053bb72311613b28b3ae845aa1645a321
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
This commit is contained in:
Jeremy Lainé 2014-08-28 23:56:03 +02:00
parent def5a56b03
commit 6a4cb8d62b
6 changed files with 217 additions and 166 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/network/ssl/qsslkey_p.cpp
View File

@ -228,7 +228,11 @@ QSslKey::QSslKey(QIODevice *device, QSsl::KeyAlgorithm algorithm, QSsl::Encoding
QSslKey::QSslKey(Qt::HANDLE handle, QSsl::KeyType type)
: d(new QSslKeyPrivate)
{
#ifndef QT_NO_OPENSSL
d->opaque = reinterpret_cast<EVP_PKEY *>(handle);
#else
d->opaque = handle;
#endif
d->algorithm = QSsl::Opaque;
d->type = type;
d->isNull = !d->opaque;
@ -323,7 +327,15 @@ QByteArray QSslKey::toDer(const QByteArray &passPhrase) const
if (d->isNull || d->algorithm == QSsl::Opaque)
return QByteArray();
#ifndef QT_NO_OPENSSL
return d->derFromPem(toPem(passPhrase));
#else
// Encrypted DER is nonsense, see QTBUG-41038.
if (d->type == QSsl::PrivateKey && !passPhrase.isEmpty())
return QByteArray();
return d->derData;
#endif
}
/*!

20
src/network/ssl/qsslkey_p.h
View File

@ -61,10 +61,6 @@
#ifndef QT_NO_OPENSSL
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#else
struct RSA;
struct DSA;
struct EVP_PKEY;
#endif
QT_BEGIN_NAMESPACE
@ -73,9 +69,11 @@ class QSslKeyPrivate
{
public:
inline QSslKeyPrivate()
: rsa(0)
: opaque(0)
#ifndef QT_NO_OPENSSL
, rsa(0)
, dsa(0)
, opaque(0)
#endif
{
clear();
}
@ -85,7 +83,9 @@ public:
void clear(bool deep = true);
#ifndef QT_NO_OPENSSL
bool fromEVP_PKEY(EVP_PKEY *pkey);
#endif
void decodeDer(const QByteArray &der, const QByteArray &passPhrase,
bool deepClear = true);
void decodePem(const QByteArray &pem, const QByteArray &passPhrase,
@ -102,9 +102,15 @@ public:
bool isNull;
QSsl::KeyType type;
QSsl::KeyAlgorithm algorithm;
#ifndef QT_NO_OPENSSL
EVP_PKEY *opaque;
RSA *rsa;
DSA *dsa;
EVP_PKEY *opaque;
#else
Qt::HANDLE opaque;
QByteArray derData;
int keyLength;
#endif
QAtomicInt ref;

185
src/network/ssl/qsslkey_qt.cpp Normal file
View File

@ -0,0 +1,185 @@
/****************************************************************************
**
** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
** Contact: http://www.qt-project.org/legal
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and Digia. For licensing terms and
** conditions see http://qt.digia.com/licensing. For further information
** use the contact form at http://qt.digia.com/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 2.1 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 2.1 requirements
** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
**
** In addition, as a special exception, Digia gives you certain additional
** rights. These rights are described in the Digia Qt LGPL Exception
** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3.0 as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU General Public License version 3.0 requirements will be
** met: http://www.gnu.org/copyleft/gpl.html.
**
**
** $QT_END_LICENSE$
**
****************************************************************************/
#include "qsslkey.h"
#include "qsslkey_p.h"
#include "qasn1element_p.h"
QT_USE_NAMESPACE
static const quint8 bits_table[256] = {
0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
};
static int numberOfBits(const QByteArray &modulus)
{
int bits = modulus.size() * 8;
for (int i = 0; i < modulus.size(); ++i) {
quint8 b = modulus[i];
bits -= 8;
if (b != 0) {
bits += bits_table[b];
break;
}
}
return bits;
}
void QSslKeyPrivate::clear(bool deep)
{
Q_UNUSED(deep);
isNull = true;
derData.clear();
keyLength = -1;
}
void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase,
bool deepClear)
{
clear(deepClear);
if (der.isEmpty())
return;
if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) {
Q_UNIMPLEMENTED();
return;
}
QAsn1Element elem;
if (!elem.read(der) || elem.type() != QAsn1Element::SequenceType)
return;
if (type == QSsl::PublicKey) {
// key info
QDataStream keyStream(elem.value());
if (!elem.read(keyStream) || elem.type() != QAsn1Element::SequenceType)
return;
QVector<QAsn1Element> infoItems = elem.toVector();
if (infoItems.size() < 2 || infoItems[0].type() != QAsn1Element::ObjectIdentifierType)
return;
if (algorithm == QSsl::Rsa) {
if (infoItems[0].toObjectId() != "1.2.840.113549.1.1.1")
return;
// key data
if (!elem.read(keyStream) || elem.type() != QAsn1Element::BitStringType || elem.value().isEmpty())
return;
if (!elem.read(elem.value().mid(1)) || elem.type() != QAsn1Element::SequenceType)
return;
if (!elem.read(elem.value()) || elem.type() != QAsn1Element::IntegerType)
return;
keyLength = numberOfBits(elem.value());
} else if (algorithm == QSsl::Dsa) {
if (infoItems[0].toObjectId() != "1.2.840.10040.4.1")
return;
if (infoItems[1].type() != QAsn1Element::SequenceType)
return;
// key params
QVector<QAsn1Element> params = infoItems[1].toVector();
if (params.isEmpty() || params[0].type() != QAsn1Element::IntegerType)
return;
keyLength = numberOfBits(params[0].value());
}
} else {
QVector<QAsn1Element> items = elem.toVector();
if (items.isEmpty())
return;
// version
if (items[0].type() != QAsn1Element::IntegerType || items[0].value().toHex() != "00")
return;
if (algorithm == QSsl::Rsa) {
if (items.size() != 9 || items[1].type() != QAsn1Element::IntegerType)
return;
keyLength = numberOfBits(items[1].value());
} else if (algorithm == QSsl::Dsa) {
if (items.size() != 6 || items[1].type() != QAsn1Element::IntegerType)
return;
keyLength = numberOfBits(items[1].value());
}
}
derData = der;
isNull = false;
}
void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase,
bool deepClear)
{
decodeDer(derFromPem(pem), passPhrase, deepClear);
}
int QSslKeyPrivate::length() const
{
return keyLength;
}
QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const
{
if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) {
Q_UNIMPLEMENTED();
return QByteArray();
}
return pemFromDer(derData);
}
Qt::HANDLE QSslKeyPrivate::handle() const
{
return opaque;
}

134
src/network/ssl/qsslkey_winrt.cpp
View File

@ -59,136 +59,4 @@ using namespace ABI::Windows::Security::Cryptography::Certificates;
using namespace ABI::Windows::Security::Cryptography::Core;
using namespace ABI::Windows::Storage::Streams;
QT_BEGIN_NAMESPACE
struct SslKeyGlobal
{
SslKeyGlobal()
{
HRESULT hr;
hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_CryptographicBuffer).Get(),
&bufferFactory);
Q_ASSERT_SUCCEEDED(hr);
ComPtr<IAsymmetricKeyAlgorithmProviderStatics> keyProviderFactory;
hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricKeyAlgorithmProvider).Get(),
&keyProviderFactory);
Q_ASSERT_SUCCEEDED(hr);
ComPtr<IAsymmetricAlgorithmNamesStatics> algorithmNames;
hr = GetActivationFactory(HString::MakeReference(RuntimeClass_Windows_Security_Cryptography_Core_AsymmetricAlgorithmNames).Get(),
&algorithmNames);
Q_ASSERT_SUCCEEDED(hr);
HString algorithmName;
// The algorithm name doesn't matter for imports, so just use PKCS1
hr = algorithmNames->get_RsaPkcs1(algorithmName.GetAddressOf());
Q_ASSERT_SUCCEEDED(hr);
hr = keyProviderFactory->OpenAlgorithm(algorithmName.Get(), &keyProvider);
Q_ASSERT_SUCCEEDED(hr);
}
ComPtr<ICryptographicBufferStatics> bufferFactory;
ComPtr<IAsymmetricKeyAlgorithmProvider> keyProvider;
};
Q_GLOBAL_STATIC(SslKeyGlobal, g)
// Use the opaque struct for key storage
struct EVP_PKEY {
ComPtr<ICryptographicKey> key;
};
void QSslKeyPrivate::clear(bool deep)
{
isNull = true;
if (opaque) {
if (deep) {
delete opaque;
opaque = 0;
} else {
opaque->key.Reset();
}
}
}
void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase,
bool deepClear)
{
Q_UNUSED(passPhrase);
clear(deepClear);
if (der.isEmpty())
return;
if (type != QSsl::PublicKey) {
qWarning("The WinRT SSL backend does not support importing private keys.");
return;
}
HRESULT hr;
ComPtr<IBuffer> buffer;
hr = g->bufferFactory->CreateFromByteArray(der.length(), (BYTE *)der.data(), &buffer);
Q_ASSERT_SUCCEEDED(hr);
if (!opaque)
opaque = new EVP_PKEY;
hr = g->keyProvider->ImportDefaultPublicKeyBlob(buffer.Get(), &opaque->key);
RETURN_VOID_IF_FAILED("Failed to import public key");
isNull = false;
}
void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase,
bool deepClear)
{
decodeDer(derFromPem(pem), passPhrase, deepClear);
}
int QSslKeyPrivate::length() const
{
if (isNull)
return -1;
Q_ASSERT(opaque && opaque->key);
HRESULT hr;
UINT32 keySize;
hr = opaque->key->get_KeySize(&keySize);
Q_ASSERT_SUCCEEDED(hr);
return keySize;
}
QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const
{
Q_UNUSED(passPhrase);
QByteArray result;
if (isNull)
return result;
Q_ASSERT(opaque && opaque->key);
HRESULT hr;
ComPtr<IBuffer> buffer;
hr = opaque->key->ExportDefaultPublicKeyBlobType(&buffer);
RETURN_IF_FAILED("Failed to export key", return result);
ComPtr<Windows::Storage::Streams::IBufferByteAccess> byteAccess;
hr = buffer.As(&byteAccess);
Q_ASSERT_SUCCEEDED(hr);
char *data;
hr = byteAccess->Buffer(reinterpret_cast<byte **>(&data));
Q_ASSERT_SUCCEEDED(hr);
UINT32 size;
hr = buffer->get_Length(&size);
Q_ASSERT_SUCCEEDED(hr);
result = pemFromDer(QByteArray::fromRawData(data, size));
return result;
}
Qt::HANDLE QSslKeyPrivate::handle() const
{
return opaque ? opaque->key.Get() : 0;
}
QT_END_NAMESPACE
QT_USE_NAMESPACE

1
src/network/ssl/ssl.pri
View File

@ -28,6 +28,7 @@ contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, op
winrt {
HEADERS += ssl/qsslsocket_winrt_p.h
SOURCES += ssl/qsslcertificate_qt.cpp \
ssl/qsslkey_qt.cpp \
ssl/qsslkey_winrt.cpp \
ssl/qsslsocket_winrt.cpp
}

31
tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp
View File

@ -47,14 +47,6 @@
#include <QtNetwork/qhostaddress.h>
#include <QtNetwork/qnetworkproxy.h>
#ifdef Q_OS_WINRT
#define WINRT_EXPECT_FAILURES \
if (type == QSsl::PrivateKey) \
QEXPECT_FAIL("", "No support for private keys on WinRT: QTBUG-40688", Abort); \
if (strstr(QTest::currentDataTag(), "rsa-pub-40")) \
QEXPECT_FAIL("", "Weak public keys are not supported on WinRT", Abort);
#endif
class tst_QSslKey : public QObject
{
Q_OBJECT
@ -179,10 +171,6 @@ void tst_QSslKey::constructor()
QFETCH(QSsl::KeyType, type);
QFETCH(QSsl::EncodingFormat, format);
#ifdef Q_OS_WINRT
WINRT_EXPECT_FAILURES
#endif
QByteArray encoded = readFile(absFilePath);
QSslKey key(encoded, algorithm, format, type);
QVERIFY(!key.isNull());
@ -244,10 +232,6 @@ void tst_QSslKey::length()
QFETCH(int, length);
QFETCH(QSsl::EncodingFormat, format);
#ifdef Q_OS_WINRT
WINRT_EXPECT_FAILURES
#endif
QByteArray encoded = readFile(absFilePath);
QSslKey key(encoded, algorithm, format, type);
QVERIFY(!key.isNull());
@ -269,10 +253,6 @@ void tst_QSslKey::toPemOrDer()
QFETCH(QSsl::KeyType, type);
QFETCH(QSsl::EncodingFormat, format);
#ifdef Q_OS_WINRT
WINRT_EXPECT_FAILURES
#endif
QByteArray encoded = readFile(absFilePath);
QSslKey key(encoded, algorithm, format, type);
QVERIFY(!key.isNull());
@ -317,10 +297,6 @@ void tst_QSslKey::toEncryptedPemOrDer()
QFETCH(QSsl::EncodingFormat, format);
QFETCH(QString, password);
#ifdef Q_OS_WINRT
WINRT_EXPECT_FAILURES
#endif
QByteArray plain = readFile(absFilePath);
QSslKey key(plain, algorithm, format, type);
QVERIFY(!key.isNull());
@ -328,6 +304,9 @@ void tst_QSslKey::toEncryptedPemOrDer()
QByteArray pwBytes(password.toLatin1());
if (type == QSsl::PrivateKey) {
#ifdef QT_NO_OPENSSL
QSKIP("Encrypted keys require support from the SSL backend");
#endif
QByteArray encryptedPem = key.toPem(pwBytes);
QVERIFY(!encryptedPem.isEmpty());
QSslKey keyPem(encryptedPem, algorithm, QSsl::Pem, type, pwBytes);
@ -398,8 +377,8 @@ void tst_QSslKey::passphraseChecks()
QSslKey key(&keyFile,QSsl::Rsa,QSsl::Pem, QSsl::PrivateKey, "WRONG!");
QVERIFY(key.isNull()); // wrong passphrase => should not be able to decode key
}
#ifdef Q_OS_WINRT
QEXPECT_FAIL("", "The WinRT backend does not support private key imports: QTBUG-40688", Abort);
#ifdef QT_NO_OPENSSL
QEXPECT_FAIL("", "Encrypted keys require support from the SSL backend", Abort);
#endif
{
if (!keyFile.isOpen())