bool SslServer::setCertificate(const QString &path, const QString &keyPath) { // Don't reset _isCertValid here, in case an older but valid certificate is still loaded. // Use temporary variables in order to avoid overwriting the existing certificates until // everything is confirmed good. QSslCertificate untestedCert; QList<QSslCertificate> untestedCA; QSslKey untestedKey; if (path.isEmpty()) return false; QFile certFile(path); if (!certFile.exists()) { quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist"; return false; } if (!certFile.open(QIODevice::ReadOnly)) { quWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error(); return false; } QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile); if (certList.isEmpty()) { quWarning() << "SslServer: Certificate file doesn't contain a certificate"; return false; } untestedCert = certList[0]; certList.removeFirst(); // remove server cert // store CA and intermediates certs untestedCA = certList; if (!certFile.reset()) { quWarning() << "SslServer: IO error reading certificate file"; return false; } // load key from keyPath if it differs from path, otherwise load key from path if(path != keyPath) { QFile keyFile(keyPath); if(!keyFile.exists()) { quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; return false; } if (!keyFile.open(QIODevice::ReadOnly)) { quWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error(); return false; } untestedKey = QSslKey(&keyFile, QSsl::Rsa); keyFile.close(); } else { untestedKey = QSslKey(&certFile, QSsl::Rsa); } certFile.close(); if (untestedCert.isNull()) { quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; return false; } // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. const QDateTime now = QDateTime::currentDateTime(); if (now < untestedCert.effectiveDate()) quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); else if (now > untestedCert.expiryDate()) quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block #if QT_VERSION < 0x050000 if (!untestedCert.isValid()) #else if (untestedCert.isBlacklisted()) #endif quWarning() << "SslServer: Certificate blacklisted"; } if (untestedKey.isNull()) { quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; return false; } _isCertValid = true; // All keys are valid, update the externally visible copy used for new connections. _cert = untestedCert; _ca = untestedCA; _key = untestedKey; return _isCertValid; }