QSslSocket: remove certificate-related setters

They were deprecated with replacements in QSslConfiguration proposed (and some without alternative, which we'll provide if there is any demand in such an API). Special thanks to M.N. for a nice hint on how to amend the test without introducing a new API. Change-Id: I7841a5b3f30469d8204b61cb65921c34275e0650 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2020-06-15 16:23:28 +02:00 · 2020-06-15 16:23:28 +02:00 · c2bf56fc3a
commit c2bf56fc3a
parent 29d3e7ce38
5 changed files with 14 additions and 214 deletions
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@ -1377,194 +1377,6 @@ QSslKey QSslSocket::privateKey() const
    return d->configuration.privateKey;
 }

-/*!
-  \deprecated
-
-  Use QSslConfiguration::addCaCertificate() instead.
-
-  Adds the \a certificate to this socket's CA certificate database.
-  The CA certificate database is used by the socket during the
-  handshake phase to validate the peer's certificate.
-
-  To add multiple certificates, use addCaCertificates().
-
-  \sa QSslConfiguration::caCertificates(),
-      QSslConfiguration::setCaCertificates()
-*/
-void QSslSocket::addCaCertificate(const QSslCertificate &certificate)
-{
-    Q_D(QSslSocket);
-    d->configuration.caCertificates += certificate;
-}
-
-/*!
-  \deprecated
-
-  Use QSslConfiguration::addCaCertificates() instead.
-
-  Adds the \a certificates to this socket's CA certificate database.
-  The CA certificate database is used by the socket during the
-  handshake phase to validate the peer's certificate.
-
-  For more precise control, use addCaCertificate().
-
-  \sa QSslConfiguration::caCertificates(), addDefaultCaCertificate()
-*/
-void QSslSocket::addCaCertificates(const QList<QSslCertificate> &certificates)
-{
-    Q_D(QSslSocket);
-    d->configuration.caCertificates += certificates;
-}
-
-#if QT_DEPRECATED_SINCE(5, 5)
-/*!
-  \deprecated
-
-  Use QSslConfiguration::setCaCertificates() instead.
-
-  Sets this socket's CA certificate database to be \a certificates.
-  The certificate database must be set prior to the SSL handshake.
-  The CA certificate database is used by the socket during the
-  handshake phase to validate the peer's certificate.
-
-  The CA certificate database can be reset to the current default CA
-  certificate database by calling this function with the list of CA
-  certificates returned by defaultCaCertificates().
-
-  \sa defaultCaCertificates()
-*/
-void QSslSocket::setCaCertificates(const QList<QSslCertificate> &certificates)
-{
-    Q_D(QSslSocket);
-    d->configuration.caCertificates = certificates;
-    d->allowRootCertOnDemandLoading = false;
-}
-
-/*!
-  \deprecated
-
-  Use QSslConfiguration::caCertificates() instead.
-
-  Returns this socket's CA certificate database. The CA certificate
-  database is used by the socket during the handshake phase to
-  validate the peer's certificate. It can be moodified prior to the
-  handshake with addCaCertificate(), addCaCertificates(), and
-  setCaCertificates().
-
-  \note On Unix, this method may return an empty list if the root
-  certificates are loaded on demand.
-
-  \sa addCaCertificate(), addCaCertificates(), setCaCertificates()
-*/
-QList<QSslCertificate> QSslSocket::caCertificates() const
-{
-    Q_D(const QSslSocket);
-    return d->configuration.caCertificates;
-}
-#endif  // #if QT_DEPRECATED_SINCE(5, 5)
-
-/*!
-    \deprecated
-
-    Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead.
-
-    Adds \a certificate to the default CA certificate database.  Each
-    SSL socket's CA certificate database is initialized to the default
-    CA certificate database.
-
-    \sa QSslConfiguration::addCaCertificates()
-*/
-void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
-{
-    QSslSocketPrivate::addDefaultCaCertificate(certificate);
-}
-
-/*!
-    \deprecated
-
-    Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead.
-
-    Adds \a certificates to the default CA certificate database.  Each
-    SSL socket's CA certificate database is initialized to the default
-    CA certificate database.
-
-    \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates()
-*/
-void QSslSocket::addDefaultCaCertificates(const QList<QSslCertificate> &certificates)
-{
-    QSslSocketPrivate::addDefaultCaCertificates(certificates);
-}
-
-#if QT_DEPRECATED_SINCE(5, 5)
-/*!
-    \deprecated
-
-    Use QSslConfiguration::setCaCertificates() on the default QSslConfiguration instead.
-
-    Sets the default CA certificate database to \a certificates. The
-    default CA certificate database is originally set to your system's
-    default CA certificate database. You can override the default CA
-    certificate database with your own CA certificate database using
-    this function.
-
-    Each SSL socket's CA certificate database is initialized to the
-    default CA certificate database.
-
-    \sa addDefaultCaCertificate()
-*/
-void QSslSocket::setDefaultCaCertificates(const QList<QSslCertificate> &certificates)
-{
-    QSslSocketPrivate::setDefaultCaCertificates(certificates);
-}
-
-/*!
-    \deprecated
-
-    Use QSslConfiguration::caCertificates() on the default QSslConfiguration instead.
-
-    Returns the current default CA certificate database. This database
-    is originally set to your system's default CA certificate database.
-    If no system default database is found, an empty database will be
-    returned. You can override the default CA certificate database
-    with your own CA certificate database using setDefaultCaCertificates().
-
-    Each SSL socket's CA certificate database is initialized to the
-    default CA certificate database.
-
-    \note On Unix, this method may return an empty list if the root
-    certificates are loaded on demand.
-
-    \sa caCertificates()
-*/
-QList<QSslCertificate> QSslSocket::defaultCaCertificates()
-{
-    return QSslSocketPrivate::defaultCaCertificates();
-}
-
-/*!
-    \deprecated
-
-    Use QSslConfiguration::systemDefaultCaCertificates instead.
-
-    This function provides the CA certificate database
-    provided by the operating system. The CA certificate database
-    returned by this function is used to initialize the database
-    returned by defaultCaCertificates(). You can replace that database
-    with your own with setDefaultCaCertificates().
-
-    \note: On OS X, only certificates that are either trusted for all
-    purposes or trusted for the purpose of SSL in the keychain will be
-    returned.
-
-    \sa caCertificates(), defaultCaCertificates(), setDefaultCaCertificates()
-*/
-QList<QSslCertificate> QSslSocket::systemCaCertificates()
-{
-    // we are calling ensureInitialized() in the method below
-    return QSslSocketPrivate::systemCaCertificates();
-}
-#endif  // #if QT_DEPRECATED_SINCE(5, 5)
-
 /*!
    Waits until the socket is connected, or \a msecs milliseconds,
    whichever happens first. If the connection has been established,
--- a/src/network/ssl/qsslsocket.h
+++ b/src/network/ssl/qsslsocket.h
@ -196,25 +196,6 @@ public:
                       const QByteArray &passPhrase = QByteArray());
    QSslKey privateKey() const;

-    // CA settings.
-#if QT_DEPRECATED_SINCE(5, 15)
-    QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificate()") void addCaCertificate(const QSslCertificate &certificate);
-    QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") void addCaCertificates(const QList<QSslCertificate> &certificates);
-#endif // QT_DEPRECATED_SINCE(5, 15)
-#if QT_DEPRECATED_SINCE(5, 5)
-    QT_DEPRECATED_X("Use QSslConfiguration::setCaCertificates()") void setCaCertificates(const QList<QSslCertificate> &certificates);
-    QT_DEPRECATED_X("Use QSslConfiguration::caCertificates()") QList<QSslCertificate> caCertificates() const;
-#endif // QT_DEPRECATED_SINCE(5, 5)
-#if QT_DEPRECATED_SINCE(5, 15)
-    QT_DEPRECATED static void addDefaultCaCertificate(const QSslCertificate &certificate);
-    QT_DEPRECATED static void addDefaultCaCertificates(const QList<QSslCertificate> &certificates);
-#endif // QT_DEPRECATED_SINCE(5, 15)
-#if QT_DEPRECATED_SINCE(5, 5)
-    QT_DEPRECATED static void setDefaultCaCertificates(const QList<QSslCertificate> &certificates);
-    QT_DEPRECATED static QList<QSslCertificate> defaultCaCertificates();
-    QT_DEPRECATED_X("Use QSslConfiguration::systemCaCertificates()") static QList<QSslCertificate> systemCaCertificates();
-#endif // QT_DEPRECATED_SINCE(5, 5)
-
    bool waitForConnected(int msecs = 30000) override;
    bool waitForEncrypted(int msecs = 30000);
    bool waitForReadyRead(int msecs = 30000) override;
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@ -1752,7 +1752,9 @@ void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertifi
    if (!trustedRoot.isNull() && !trustedRoot.isBlacklisted()) {
        if (s_loadRootCertsOnDemand) {
            //Add the new root cert to default cert list for use by future sockets
-            QSslSocket::addDefaultCaCertificate(trustedRoot);
+            auto defaultConfig = QSslConfiguration::defaultConfiguration();
+            defaultConfig.addCaCertificate(trustedRoot);
+            QSslConfiguration::setDefaultConfiguration(defaultConfig);
        }
        //Add the new root cert to this socket for future connections
        if (!configuration.caCertificates.contains(trustedRoot))
--- a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
+++ b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp
@ -32,6 +32,7 @@
 #include <qsslkey.h>
 #include <qsslsocket.h>
 #include <qsslcertificateextension.h>
+#include <qscopeguard.h>

 #ifndef QT_NO_OPENSSL
 #include <openssl/obj_mac.h>
@ -1000,11 +1001,15 @@ void tst_QSslCertificate::verify()

    // Verify a valid cert signed by a CA
    QList<QSslCertificate> caCerts = QSslCertificate::fromPath(testDataDir + "verify-certs/cacert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
-
-QT_WARNING_PUSH
-QT_WARNING_DISABLE_DEPRECATED
-    QSslSocket::addDefaultCaCertificate(caCerts.first());
-QT_WARNING_POP
+    // For the purpose of this test only, add (and then remove) the
+    // specific CA certificate.
+    const auto defaultConfig = QSslConfiguration::defaultConfiguration();
+    auto temporaryDefault = defaultConfig;
+    temporaryDefault.addCaCertificate(caCerts.first());
+    QSslConfiguration::setDefaultConfiguration(temporaryDefault);
+    const auto confGuard = qScopeGuard([&defaultConfig](){
+        QSslConfiguration::setDefaultConfiguration(defaultConfig);
+    });

    toVerify = QSslCertificate::fromPath(testDataDir + "verify-certs/test-ocsp-good-cert.pem", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);

--- a/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp
@ -92,7 +92,7 @@ void tst_QSslSocket::systemCaCertificates()
  // Therefore this benchmark is only good for manual regression checking between
  // Qt versions.
  QBENCHMARK_ONCE {
-     QList<QSslCertificate> list = QSslSocket::systemCaCertificates();
+      QList<QSslCertificate> list = QSslConfiguration::defaultConfiguration().systemCaCertificates();
  }
 }