QgsPkiBundle *QgsAuthProviderPkiPkcs12::getPkiBundle( const QString &authcfg )
{
QgsPkiBundle * bundle = 0;
// check if it is cached
if ( mPkiBundleCache.contains( authcfg ) )
{
bundle = mPkiBundleCache.value( authcfg );
if ( bundle )
{
QgsDebugMsg( QString( "Retrieved PKI bundle for authcfg %1" ).arg( authcfg ) );
return bundle;
}
}
// else build PKI bundle
QgsAuthConfigPkiPkcs12 config;
if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, config, true ) )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: FAILED to retrieve config" ).arg( authcfg ) );
return bundle;
}
// init client cert
// Note: if this is not valid, no sense continuing
QSslCertificate clientcert( QgsAuthProviderPkiPkcs12::certAsPem( config.bundlePath(), config.bundlePassphrase() ).toAscii() );
if ( !clientcert.isValid() )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: insert FAILED, client cert is not valid" ).arg( authcfg ) );
return bundle;
}
// init key
QByteArray keydata( QgsAuthProviderPkiPkcs12::keyAsPem( config.bundlePath(), config.bundlePassphrase() ).toAscii() );
if ( keydata.isNull() )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: insert FAILED, no key data read" ).arg( authcfg ) );
return bundle;
}
QSslKey clientkey( keydata,
QSsl::Rsa,
QSsl::Pem,
QSsl::PrivateKey,
!config.bundlePassphrase().isNull() ? config.bundlePassphrase().toUtf8() : QByteArray() );
bundle = new QgsPkiBundle( config, clientcert, clientkey );
// cache bundle
putPkiBundle( authcfg, bundle );
return bundle;
}
// static
const QByteArray QgsAuthProviderPkiPaths::certAsPem( const QString &certpath )
{
bool pem = certpath.endsWith( ".pem", Qt::CaseInsensitive );
if ( pem )
{
return fileData_( certpath, pem );
}
QSslCertificate clientcert( fileData_( certpath ), QSsl::Der );
return ( !clientcert.isNull() ? clientcert.toPem() : QByteArray() );
}
QgsPkiConfigBundle *QgsAuthIdentCertMethod::getPkiConfigBundle( const QString &authcfg )
{
QMutexLocker locker( &mMutex );
QgsPkiConfigBundle *bundle = nullptr;
// check if it is cached
if ( sPkiConfigBundleCache.contains( authcfg ) )
{
bundle = sPkiConfigBundleCache.value( authcfg );
if ( bundle )
{
QgsDebugMsg( QStringLiteral( "Retrieved PKI bundle for authcfg %1" ).arg( authcfg ) );
return bundle;
}
}
// else build PKI bundle
QgsAuthMethodConfig mconfig;
if ( !QgsApplication::authManager()->loadAuthenticationConfig( authcfg, mconfig, true ) )
{
QgsDebugMsg( QStringLiteral( "PKI bundle for authcfg %1: FAILED to retrieve config" ).arg( authcfg ) );
return bundle;
}
// get identity from database
QPair<QSslCertificate, QSslKey> cibundle( QgsApplication::authManager()->certIdentityBundle( mconfig.config( QStringLiteral( "certid" ) ) ) );
// init client cert
// Note: if this is not valid, no sense continuing
QSslCertificate clientcert( cibundle.first );
if ( !QgsAuthCertUtils::certIsViable( clientcert ) )
{
QgsDebugMsg( QStringLiteral( "PKI bundle for authcfg %1: insert FAILED, client cert is not viable" ).arg( authcfg ) );
return bundle;
}
// init key
QSslKey clientkey( cibundle.second );
if ( clientkey.isNull() )
{
QgsDebugMsg( QStringLiteral( "PKI bundle for authcfg %1: insert FAILED, PEM cert key could not be created" ).arg( authcfg ) );
return bundle;
}
bundle = new QgsPkiConfigBundle( mconfig, clientcert, clientkey );
// cache bundle
putPkiConfigBundle( authcfg, bundle );
return bundle;
}
QgsPkiBundle *QgsAuthProviderIdentityCert::getPkiBundle( const QString& authcfg )
{
QgsPkiBundle * bundle = 0;
// check if it is cached
if ( mPkiBundleCache.contains( authcfg ) )
{
bundle = mPkiBundleCache.value( authcfg );
if ( bundle )
{
QgsDebugMsg( QString( "Retrieved PKI bundle for authcfg %1" ).arg( authcfg ) );
return bundle;
}
}
// else build PKI bundle
QgsAuthConfigIdentityCert config;
if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, config, true ) )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: FAILED to retrieve config" ).arg( authcfg ) );
return bundle;
}
// get identity from database
QPair<QSslCertificate, QSslKey> cibundle( QgsAuthManager::instance()->getCertIdentityBundle( config.certId() ) );
// init client cert
// Note: if this is not valid, no sense continuing
QSslCertificate clientcert( cibundle.first );
if ( !clientcert.isValid() )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: insert FAILED, client cert is not valid" ).arg( authcfg ) );
return bundle;
}
// init key
QSslKey clientkey( cibundle.second );
if ( clientkey.isNull() )
{
QgsDebugMsg( QString( "PKI bundle for authcfg %1: insert FAILED, PEM cert key could not be created" ).arg( authcfg ) );
return bundle;
}
bundle = new QgsPkiBundle( config, clientcert, clientkey );
// cache bundle
putPkiBundle( authcfg, bundle );
return bundle;
}
const QgsPkiBundle QgsPkiBundle::fromPemPaths( const QString &certPath,
const QString &keyPath,
const QString &keyPass,
const QList<QSslCertificate> &caChain )
{
QgsPkiBundle pkibundle;
if ( !certPath.isEmpty() && !keyPath.isEmpty()
&& ( certPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive )
|| certPath.endsWith( QLatin1String( ".der" ), Qt::CaseInsensitive ) )
&& ( keyPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive )
|| keyPath.endsWith( QLatin1String( ".der" ), Qt::CaseInsensitive ) )
&& QFile::exists( certPath ) && QFile::exists( keyPath )
)
{
// client cert
bool pem = certPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive );
QSslCertificate clientcert( fileData_( certPath, pem ), pem ? QSsl::Pem : QSsl::Der );
pkibundle.setClientCert( clientcert );
// client key
bool pem_key = keyPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive );
QByteArray keydata( fileData_( keyPath, pem_key ) );
QSslKey clientkey;
clientkey = QSslKey( keydata,
QSsl::Rsa,
pem_key ? QSsl::Pem : QSsl::Der,
QSsl::PrivateKey,
!keyPass.isNull() ? keyPass.toUtf8() : QByteArray() );
if ( clientkey.isNull() )
{
// try DSA algorithm, since Qt can't seem to determine it otherwise
clientkey = QSslKey( keydata,
QSsl::Dsa,
pem_key ? QSsl::Pem : QSsl::Der,
QSsl::PrivateKey,
!keyPass.isNull() ? keyPass.toUtf8() : QByteArray() );
}
pkibundle.setClientKey( clientkey );
if ( !caChain.isEmpty() )
{
pkibundle.setCaChain( caChain );
}
}
return pkibundle;
}