diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp index a5cdf011aac..3a70327020f 100644 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -127,7 +127,7 @@ QT_BEGIN_NAMESPACE // forward declaration -static QMap _q_mapFromOnelineName(char *name); +static QMap _q_mapFromX509Name(X509_NAME *name); /*! Constructs a QSslCertificate by reading \a format encoded data @@ -324,7 +324,7 @@ QString QSslCertificate::issuerInfo(SubjectInfo info) const // lazy init if (d->issuerInfo.isEmpty() && d->x509) d->issuerInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_issuer_name(d->x509), 0, 0)); + _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); return d->issuerInfo.value(_q_SubjectInfoToString(info)); } @@ -341,7 +341,7 @@ QString QSslCertificate::issuerInfo(const QByteArray &tag) const // lazy init if (d->issuerInfo.isEmpty() && d->x509) d->issuerInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_issuer_name(d->x509), 0, 0)); + _q_mapFromX509Name(q_X509_get_issuer_name(d->x509)); return d->issuerInfo.value(QString::fromLatin1(tag)); } @@ -360,7 +360,7 @@ QString QSslCertificate::subjectInfo(SubjectInfo info) const // lazy init if (d->subjectInfo.isEmpty() && d->x509) d->subjectInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_subject_name(d->x509), 0, 0)); + _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); return d->subjectInfo.value(_q_SubjectInfoToString(info)); } @@ -376,7 +376,7 @@ QString QSslCertificate::subjectInfo(const QByteArray &tag) const // lazy init if (d->subjectInfo.isEmpty() && d->x509) d->subjectInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_subject_name(d->x509), 0, 0)); + _q_mapFromX509Name(q_X509_get_subject_name(d->x509)); return d->subjectInfo.value(QString::fromLatin1(tag)); } @@ -666,37 +666,17 @@ QByteArray QSslCertificatePrivate::QByteArray_from_X509(X509 *x509, QSsl::Encodi return BEGINCERTSTRING "\n" + tmp + ENDCERTSTRING "\n"; } -static QMap _q_mapFromOnelineName(char *name) +static QMap _q_mapFromX509Name(X509_NAME *name) { QMap info; - QString infoStr = QString::fromLocal8Bit(name); - q_CRYPTO_free(name); - - // ### The right-hand encoding seems to allow hex (Regulierungsbeh\xC8orde) - //entry.replace(QLatin1String("\\x"), QLatin1String("%")); - //entry = QUrl::fromPercentEncoding(entry.toLatin1()); - // ### See RFC-4630 for more details! - - QRegExp rx(QLatin1String("/([A-Za-z]+)=(.+)")); - - int pos = 0; - while ((pos = rx.indexIn(infoStr, pos)) != -1) { - const QString name = rx.cap(1); - - QString value = rx.cap(2); - const int valuePos = rx.pos(2); - - const int next = rx.indexIn(value); - if (next == -1) { - info.insert(name, value); - break; - } - - value = value.left(next); - info.insert(name, value); - pos = valuePos + value.length(); + for (int i = 0; i < q_X509_NAME_entry_count(name); ++i) { + X509_NAME_ENTRY *e = q_X509_NAME_get_entry(name, i); + const char *obj = q_OBJ_nid2sn(q_OBJ_obj2nid(q_X509_NAME_ENTRY_get_object(e))); + unsigned char *data = 0; + int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); + info[QString::fromUtf8(obj)] = QString::fromUtf8((char*)data, size); + q_CRYPTO_free(data); } - return info; } diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index b1310ccb8d0..6cb4794559c 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -101,6 +101,7 @@ DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, DEFINEFUNC(long, ASN1_INTEGER_get, ASN1_INTEGER *a, a, return 0, return) DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) DEFINEFUNC(int, ASN1_STRING_length, ASN1_STRING *a, a, return 0, return) +DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return); DEFINEFUNC4(long, BIO_ctrl, BIO *a, a, int b, b, long c, c, void *d, d, return -1, return) DEFINEFUNC(int, BIO_free, BIO *a, a, return 0, return) DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) @@ -248,7 +249,10 @@ DEFINEFUNC4(void *, X509_get_ext_d2i, X509 *a, a, int b, b, int *c, c, int *d, d DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return) DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return) DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return) -DEFINEFUNC3(char *, X509_NAME_oneline, X509_NAME *a, a, char *b, b, int c, c, return 0, return) +DEFINEFUNC(int, X509_NAME_entry_count, X509_NAME *a, a, return 0, return) +DEFINEFUNC2(X509_NAME_ENTRY *, X509_NAME_get_entry, X509_NAME *a, a, int b, b, return 0, return) +DEFINEFUNC(ASN1_STRING *, X509_NAME_ENTRY_get_data, X509_NAME_ENTRY *a, a, return 0, return) +DEFINEFUNC(ASN1_OBJECT *, X509_NAME_ENTRY_get_object, X509_NAME_ENTRY *a, a, return 0, return) DEFINEFUNC(EVP_PKEY *, X509_PUBKEY_get, X509_PUBKEY *a, a, return 0, return) DEFINEFUNC(void, X509_STORE_free, X509_STORE *a, a, return, DUMMYARG) DEFINEFUNC(X509_STORE *, X509_STORE_new, DUMMYARG, DUMMYARG, return 0, return) @@ -647,6 +651,7 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(ASN1_INTEGER_get) RESOLVEFUNC(ASN1_STRING_data) RESOLVEFUNC(ASN1_STRING_length) + RESOLVEFUNC(ASN1_STRING_to_UTF8) RESOLVEFUNC(BIO_ctrl) RESOLVEFUNC(BIO_free) RESOLVEFUNC(BIO_new) @@ -736,7 +741,10 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSLv3_server_method) RESOLVEFUNC(SSLv23_server_method) RESOLVEFUNC(TLSv1_server_method) - RESOLVEFUNC(X509_NAME_oneline) + RESOLVEFUNC(X509_NAME_entry_count) + RESOLVEFUNC(X509_NAME_get_entry) + RESOLVEFUNC(X509_NAME_ENTRY_get_data) + RESOLVEFUNC(X509_NAME_ENTRY_get_object) RESOLVEFUNC(X509_PUBKEY_get) RESOLVEFUNC(X509_STORE_free) RESOLVEFUNC(X509_STORE_new) diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h index 49830acc1e9..ceff57d9d86 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h @@ -204,6 +204,7 @@ bool q_resolveOpenSslSymbols(); long q_ASN1_INTEGER_get(ASN1_INTEGER *a); unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); int q_ASN1_STRING_length(ASN1_STRING *a); +int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); long q_BIO_ctrl(BIO *a, int b, long c, void *d); int q_BIO_free(BIO *a); BIO *q_BIO_new(BIO_METHOD *a); @@ -360,7 +361,10 @@ void *q_X509_get_ext_d2i(X509 *a, int b, int *c, int *d); X509_NAME *q_X509_get_issuer_name(X509 *a); X509_NAME *q_X509_get_subject_name(X509 *a); int q_X509_verify_cert(X509_STORE_CTX *ctx); -char *q_X509_NAME_oneline(X509_NAME *a, char *b, int c); +int q_X509_NAME_entry_count(X509_NAME *a); +X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b); +ASN1_STRING *q_X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *a); +ASN1_OBJECT *q_X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *a); EVP_PKEY *q_X509_PUBKEY_get(X509_PUBKEY *a); void q_X509_STORE_free(X509_STORE *store); X509_STORE *q_X509_STORE_new(); diff --git a/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem b/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem new file mode 100644 index 00000000000..e1b731d69bd --- /dev/null +++ b/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICkTCCAfqgAwIBAgIJAL1nF+PLAF2KMA0GCSqGSIb3DQEBBQUAMGkxKzApBgNV +BAoMIkjElcSCxrLDvyDKjeG6v8qI4bq34bi7IFLDqWPDtnJkxZ0xFTATBgNVBAsM +DOOIp0HjiYHvvatCQzEWMBQGA1UEAwwNSm9obm55IEd1aXRhcjELMAkGA1UEBhMC +Tk8wHhcNMTEwNTA1MDgxMzEwWhcNMTEwNjA0MDgxMzEwWjBpMSswKQYDVQQKDCJI +xJXEgsayw78gyo3hur/KiOG6t+G4uyBSw6ljw7ZyZMWdMRUwEwYDVQQLDAzjiKdB +44mB772rQkMxFjAUBgNVBAMMDUpvaG5ueSBHdWl0YXIxCzAJBgNVBAYTAk5PMIGf +MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2zSxS17I6596dJE/VAmGz+06D9S8n +3C0hnIGNVu+LwbgDJTvOw0SzNj4UP72UGgd3UI1KLBg5XWIsRNmE3COJMMh6syjI +L1Ept+tVXxGL6n4gl+0nZ7dkUyxJmeFtigYrL+qCH1yd5rmf3sC3jO4IosuAiG66 +IDkJEVo64NT8ZQIDAQABo0EwPzA9BgNVHREENjA0gQ9hcm5lQGZvb2Jhci5vcmeC +Dnd3dy5mb29iYXIub3JngRFiamFybmVAZm9vYmFyLm9yZzANBgkqhkiG9w0BAQUF +AAOBgQAqVhbC0/EUFdnKlYV3PrknwGX1dPEPGJuIQHa0KpoicvNiOhs1HxBDYbzc +F6wcAMEynq4YwGKhcQLZOs2mo0LreAjA9rU/yBnqrnUW/4gxtUUvmJKK+62IjfLp +eO1L+1NcEMJiaZf8fip4VXhXdOYUhgE8WUZ1UJRC6w3T/yAgcQ== +-----END CERTIFICATE----- diff --git a/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem.san b/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem.san new file mode 100644 index 00000000000..f46a637da4f --- /dev/null +++ b/tests/auto/qsslcertificate/certificates/cert-ss-san-utf8.pem.san @@ -0,0 +1,5 @@ +[subj_alt_name] +subjectAltName=\ + email:arne@foobar.org,\ + DNS:www.foobar.org,\ + email:bjarne@foobar.org diff --git a/tests/auto/qsslcertificate/certificates/gencertificates.sh b/tests/auto/qsslcertificate/certificates/gencertificates.sh index e705785d409..c8a5db65700 100755 --- a/tests/auto/qsslcertificate/certificates/gencertificates.sh +++ b/tests/auto/qsslcertificate/certificates/gencertificates.sh @@ -90,5 +90,15 @@ openssl req -x509 -in req-san.pem -out $outname -key rsa-pri-1024.pem \ -config san.cnf -extensions subj_alt_name /bin/cp san.cnf $outname.san +#--- Non-ASCII Subject --------------------------------------------------------------------- +echo -e "\n generating self signed root cert. with Subject containing UTF-8 characters ..." +outname=cert-ss-san-utf8.pem +#subject="/O=HĕĂƲÿ ʍếʈặḻ Récördŝ/OU=㈧A㉁ォBC/CN=Johnny Guitar/C=NO" +subject=$'/O=H\xc4\x95\xc4\x82\xc6\xb2\xc3\xbf \xca\x8d\xe1\xba\xbf\xca\x88\xe1\xba\xb7\xe1\xb8\xbb R\xc3\xa9c\xc3\xb6rd\xc5\x9d/OU=\xe3\x88\xa7A\xe3\x89\x81\xef\xbd\xabBC/CN=Johnny Guitar/C=NO' +openssl req -out req-san.pem -new -key rsa-pri-1024.pem -utf8 -subj "$subject" +openssl req -x509 -in req-san.pem -out $outname -key rsa-pri-1024.pem \ + -config san.cnf -extensions subj_alt_name -nameopt multiline,utf8,-esc_msb +/bin/cp san.cnf $outname.san + echo -e "\n cleaning up ..." /bin/rm rsa-pri-1024.pem rsa-pub-1024.* req*.pem diff --git a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp index 57f2fa8c049..a91bf0f80e9 100644 --- a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp +++ b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp @@ -96,6 +96,7 @@ private slots: void digest_data(); void digest(); void alternateSubjectNames_data(); + void utf8SubjectNames(); void alternateSubjectNames(); void publicKey_data(); void publicKey(); @@ -407,6 +408,27 @@ void tst_QSslCertificate::alternateSubjectNames() } } +void tst_QSslCertificate::utf8SubjectNames() +{ + QSslCertificate cert = QSslCertificate::fromPath("certificates/cert-ss-san-utf8.pem", QSsl::Pem, + QRegExp::FixedString).first(); + QVERIFY(!cert.isNull()); + + // O is "Heavy Metal Records" with heavy use of "decorations" like accents, umlauts etc., + // OU uses arabian / asian script letters near codepoint 64K. + // strings split where the compiler would otherwise find three-digit hex numbers + static const char *o = "H\xc4\x95\xc4\x82\xc6\xb2\xc3\xbf \xca\x8d\xe1\xba\xbf\xca\x88\xe1\xba" + "\xb7\xe1\xb8\xbb R\xc3\xa9" "c" "\xc3\xb6rd\xc5\x9d"; + static const char *ou = "\xe3\x88\xa7" "A" "\xe3\x89\x81\xef\xbd\xab" "BC"; + + // the following two tests should help find "\x"-literal encoding bugs in the test itself + QCOMPARE(cert.subjectInfo("O").length(), QString::fromUtf8(o).length()); + QCOMPARE (cert.subjectInfo("O").toUtf8().toHex(), QByteArray(o).toHex()); + + QCOMPARE(cert.subjectInfo("O"), QString::fromUtf8(o)); + QCOMPARE(cert.subjectInfo("OU"), QString::fromUtf8(ou)); +} + void tst_QSslCertificate::publicKey_data() { QTest::addColumn("certFilePath"); @@ -519,13 +541,13 @@ void tst_QSslCertificate::fromPath_data() QTest::newRow("\"certificates/*\" fixed der") << QString("certificates/*") << int(QRegExp::FixedString) << false << 0; QTest::newRow("\"certificates/*\" regexp pem") << QString("certificates/*") << int(QRegExp::RegExp) << true << 0; QTest::newRow("\"certificates/*\" regexp der") << QString("certificates/*") << int(QRegExp::RegExp) << false << 0; - QTest::newRow("\"certificates/*\" wildcard pem") << QString("certificates/*") << int(QRegExp::Wildcard) << true << 4; + QTest::newRow("\"certificates/*\" wildcard pem") << QString("certificates/*") << int(QRegExp::Wildcard) << true << 5; QTest::newRow("\"certificates/*\" wildcard der") << QString("certificates/*") << int(QRegExp::Wildcard) << false << 0; QTest::newRow("\"c*/c*.pem\" fixed pem") << QString("c*/c*.pem") << int(QRegExp::FixedString) << true << 0; QTest::newRow("\"c*/c*.pem\" fixed der") << QString("c*/c*.pem") << int(QRegExp::FixedString) << false << 0; QTest::newRow("\"c*/c*.pem\" regexp pem") << QString("c*/c*.pem") << int(QRegExp::RegExp) << true << 0; QTest::newRow("\"c*/c*.pem\" regexp der") << QString("c*/c*.pem") << int(QRegExp::RegExp) << false << 0; - QTest::newRow("\"c*/c*.pem\" wildcard pem") << QString("c*/c*.pem") << int(QRegExp::Wildcard) << true << 4; + QTest::newRow("\"c*/c*.pem\" wildcard pem") << QString("c*/c*.pem") << int(QRegExp::Wildcard) << true << 5; QTest::newRow("\"c*/c*.pem\" wildcard der") << QString("c*/c*.pem") << int(QRegExp::Wildcard) << false << 0; QTest::newRow("\"d*/c*.pem\" fixed pem") << QString("d*/c*.pem") << int(QRegExp::FixedString) << true << 0; QTest::newRow("\"d*/c*.pem\" fixed der") << QString("d*/c*.pem") << int(QRegExp::FixedString) << false << 0; @@ -535,7 +557,7 @@ void tst_QSslCertificate::fromPath_data() QTest::newRow("\"d*/c*.pem\" wildcard der") << QString("d*/c*.pem") << int(QRegExp::Wildcard) << false << 0; QTest::newRow("\"c.*/c.*.pem\" fixed pem") << QString("c.*/c.*.pem") << int(QRegExp::FixedString) << true << 0; QTest::newRow("\"c.*/c.*.pem\" fixed der") << QString("c.*/c.*.pem") << int(QRegExp::FixedString) << false << 0; - QTest::newRow("\"c.*/c.*.pem\" regexp pem") << QString("c.*/c.*.pem") << int(QRegExp::RegExp) << true << 4; + QTest::newRow("\"c.*/c.*.pem\" regexp pem") << QString("c.*/c.*.pem") << int(QRegExp::RegExp) << true << 5; QTest::newRow("\"c.*/c.*.pem\" regexp der") << QString("c.*/c.*.pem") << int(QRegExp::RegExp) << false << 0; QTest::newRow("\"c.*/c.*.pem\" wildcard pem") << QString("c.*/c.*.pem") << int(QRegExp::Wildcard) << true << 0; QTest::newRow("\"c.*/c.*.pem\" wildcard der") << QString("c.*/c.*.pem") << int(QRegExp::Wildcard) << false << 0; @@ -546,7 +568,7 @@ void tst_QSslCertificate::fromPath_data() QTest::newRow("\"d.*/c.*.pem\" wildcard pem") << QString("d.*/c.*.pem") << int(QRegExp::Wildcard) << true << 0; QTest::newRow("\"d.*/c.*.pem\" wildcard der") << QString("d.*/c.*.pem") << int(QRegExp::Wildcard) << false << 0; #ifdef Q_OS_LINUX - QTest::newRow("absolute path wildcard pem") << QString(QDir::currentPath() + "/certificates/*.pem") << int(QRegExp::Wildcard) << true << 4; + QTest::newRow("absolute path wildcard pem") << QString(QDir::currentPath() + "/certificates/*.pem") << int(QRegExp::Wildcard) << true << 5; #endif QTest::newRow("trailing-whitespace") << QString("more-certificates/trailing-whitespace.pem") << int(QRegExp::FixedString) << true << 1; @@ -769,7 +791,7 @@ void tst_QSslCertificate::nulInCN() QString cn = cert.subjectInfo(QSslCertificate::CommonName); QVERIFY(cn != "www.bank.com"); - static const char realCN[] = "www.bank.com\\x00.badguy.com"; + static const char realCN[] = "www.bank.com\0.badguy.com"; QCOMPARE(cn, QString::fromLatin1(realCN, sizeof realCN - 1)); }