bool QgsAuthProviderIdentityCert::updateNetworkRequest( QNetworkRequest &request, const QString &authcfg )
{
// TODO: is this too restrictive, to intercept only HTTPS connections?
if ( request.url().scheme().toLower() != QString( "https" ) )
{
QgsDebugMsg( QString( "Update request SSL config SKIPPED for authcfg %1: not HTTPS" ).arg( authcfg ) );
return true;
}
QgsDebugMsg( QString( "Update request SSL config: HTTPS connection for authcfg: %1" ).arg( authcfg ) );
QgsPkiBundle * pkibundle = getPkiBundle( authcfg );
if ( !pkibundle || !pkibundle->isValid() )
{
QgsDebugMsg( QString( "Update request SSL config FAILED for authcfg: %1: PKI bundle invalid" ).arg( authcfg ) );
return false;
}
QgsDebugMsg( QString( "Update request SSL config: PKI bundle valid for authcfg: %1" ).arg( authcfg ) );
QSslConfiguration sslConfig = request.sslConfiguration();
//QSslConfiguration sslConfig( QSslConfiguration::defaultConfiguration() );
sslConfig.setLocalCertificate( pkibundle->clientCert() );
sslConfig.setPrivateKey( pkibundle->clientCertKey() );
request.setSslConfiguration( sslConfig );
return true;
}
const QgsPkiBundle QgsPkiBundle::fromPemPaths( const QString &certPath,
const QString &keyPath,
const QString &keyPass,
const QList<QSslCertificate> &caChain )
{
QgsPkiBundle pkibundle;
if ( !certPath.isEmpty() && !keyPath.isEmpty()
&& ( certPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive )
|| certPath.endsWith( QLatin1String( ".der" ), Qt::CaseInsensitive ) )
&& ( keyPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive )
|| keyPath.endsWith( QLatin1String( ".der" ), Qt::CaseInsensitive ) )
&& QFile::exists( certPath ) && QFile::exists( keyPath )
)
{
// client cert
bool pem = certPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive );
QSslCertificate clientcert( fileData_( certPath, pem ), pem ? QSsl::Pem : QSsl::Der );
pkibundle.setClientCert( clientcert );
// client key
bool pem_key = keyPath.endsWith( QLatin1String( ".pem" ), Qt::CaseInsensitive );
QByteArray keydata( fileData_( keyPath, pem_key ) );
QSslKey clientkey;
clientkey = QSslKey( keydata,
QSsl::Rsa,
pem_key ? QSsl::Pem : QSsl::Der,
QSsl::PrivateKey,
!keyPass.isNull() ? keyPass.toUtf8() : QByteArray() );
if ( clientkey.isNull() )
{
// try DSA algorithm, since Qt can't seem to determine it otherwise
clientkey = QSslKey( keydata,
QSsl::Dsa,
pem_key ? QSsl::Pem : QSsl::Der,
QSsl::PrivateKey,
!keyPass.isNull() ? keyPass.toUtf8() : QByteArray() );
}
pkibundle.setClientKey( clientkey );
if ( !caChain.isEmpty() )
{
pkibundle.setCaChain( caChain );
}
}
return pkibundle;
}
const QgsPkiBundle QgsPkiBundle::fromPkcs12Paths( const QString &bundlepath,
const QString &bundlepass )
{
QgsPkiBundle pkibundle;
if ( QCA::isSupported( "pkcs12" )
&& !bundlepath.isEmpty()
&& ( bundlepath.endsWith( QLatin1String( ".p12" ), Qt::CaseInsensitive )
|| bundlepath.endsWith( QLatin1String( ".pfx" ), Qt::CaseInsensitive ) )
&& QFile::exists( bundlepath ) )
{
QCA::SecureArray passarray;
if ( !bundlepass.isNull() )
passarray = QCA::SecureArray( bundlepass.toUtf8() );
QCA::ConvertResult res;
QCA::KeyBundle bundle( QCA::KeyBundle::fromFile( bundlepath, passarray, &res, QStringLiteral( "qca-ossl" ) ) );
if ( res == QCA::ConvertGood && !bundle.isNull() )
{
const QCA::CertificateChain cert_chain( bundle.certificateChain() );
QSslCertificate cert( cert_chain.primary().toPEM().toLatin1() );
if ( !cert.isNull() )
{
pkibundle.setClientCert( cert );
}
QSslKey cert_key( bundle.privateKey().toPEM().toLatin1(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, QByteArray() );
if ( !cert_key.isNull() )
{
pkibundle.setClientKey( cert_key );
}
if ( cert_chain.size() > 1 )
{
QList<QSslCertificate> ca_chain;
for ( const auto &ca_cert : cert_chain )
{
if ( ca_cert != cert_chain.primary() )
{
ca_chain << QSslCertificate( ca_cert.toPEM().toLatin1() );
}
}
pkibundle.setCaChain( ca_chain );
}
}
}
return pkibundle;
}
