1 /****************************************************************************
2 **
3 ** Copyright (C) 2018 The Qt Company Ltd.
4 ** Contact: https://www.qt.io/licensing/
5 **
6 ** This file is part of the QtNetwork module of the Qt Toolkit.
7 **
8 ** $QT_BEGIN_LICENSE:LGPL$
9 ** Commercial License Usage
10 ** Licensees holding valid commercial Qt licenses may use this file in
11 ** accordance with the commercial license agreement provided with the
12 ** Software or, alternatively, in accordance with the terms contained in
13 ** a written agreement between you and The Qt Company. For licensing terms
14 ** and conditions see https://www.qt.io/terms-conditions. For further
15 ** information use the contact form at https://www.qt.io/contact-us.
16 **
17 ** GNU Lesser General Public License Usage
18 ** Alternatively, this file may be used under the terms of the GNU Lesser
19 ** General Public License version 3 as published by the Free Software
20 ** Foundation and appearing in the file LICENSE.LGPL3 included in the
21 ** packaging of this file. Please review the following information to
22 ** ensure the GNU Lesser General Public License version 3 requirements
23 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
24 **
25 ** GNU General Public License Usage
26 ** Alternatively, this file may be used under the terms of the GNU
27 ** General Public License version 2.0 or (at your option) the GNU General
28 ** Public license version 3 or any later version approved by the KDE Free
29 ** Qt Foundation. The licenses are as published by the Free Software
30 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
31 ** included in the packaging of this file. Please review the following
32 ** information to ensure the GNU General Public License requirements will
33 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and
34 ** https://www.gnu.org/licenses/gpl-3.0.html.
35 **
36 ** $QT_END_LICENSE$
37 **
38 ****************************************************************************/
39
40 #include "qwindowscarootfetcher_p.h"
41
42 #include <QtCore/QThread>
43 #include <QtGlobal>
44
45 #include <QtCore/qscopeguard.h>
46
47 #ifdef QSSLSOCKET_DEBUG
48 #include "qssl_p.h" // for debug categories
49 #include <QtCore/QElapsedTimer>
50 #endif
51
52 #include "qsslsocket_p.h" // Transitively includes Wincrypt.h
53
54 #if QT_CONFIG(openssl)
55 #include "qsslsocket_openssl_p.h"
56 #endif
57
58 QT_BEGIN_NAMESPACE
59
60 class QWindowsCaRootFetcherThread : public QThread
61 {
62 public:
QWindowsCaRootFetcherThread()63 QWindowsCaRootFetcherThread()
64 {
65 qRegisterMetaType<QSslCertificate>();
66 setObjectName(QStringLiteral("QWindowsCaRootFetcher"));
67 start();
68 }
~QWindowsCaRootFetcherThread()69 ~QWindowsCaRootFetcherThread()
70 {
71 quit();
72 wait(15500); // worst case, a running request can block for 15 seconds
73 }
74 };
75
76 Q_GLOBAL_STATIC(QWindowsCaRootFetcherThread, windowsCaRootFetcherThread);
77
78 #if QT_CONFIG(openssl)
79 namespace {
80
buildVerifiedChain(const QList<QSslCertificate> & caCertificates,PCCERT_CHAIN_CONTEXT chainContext,const QString & peerVerifyName)81 const QList<QSslCertificate> buildVerifiedChain(const QList<QSslCertificate> &caCertificates,
82 PCCERT_CHAIN_CONTEXT chainContext,
83 const QString &peerVerifyName)
84 {
85 // We ended up here because OpenSSL verification failed to
86 // build a chain, with intermediate certificate missing
87 // but "Authority Information Access" extension present.
88 // Also, apparently the normal CA fetching path was disabled
89 // by setting custom CA certificates. We convert wincrypt's
90 // structures in QSslCertificate and give OpenSSL the second
91 // chance to verify the now (apparently) complete chain.
92 // In addition, wincrypt gives us a benifit of some checks
93 // we don't have in OpenSSL back-end.
94 Q_ASSERT(chainContext);
95
96 if (!chainContext->cChain)
97 return {};
98
99 QList<QSslCertificate> verifiedChain;
100
101 CERT_SIMPLE_CHAIN *chain = chainContext->rgpChain[chainContext->cChain - 1];
102 if (!chain)
103 return {};
104
105 if (chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
106 return {}; // No need to mess with OpenSSL (the chain is still incomplete).
107
108 for (DWORD i = 0; i < chain->cElement; ++i) {
109 CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
110 QSslCertificate cert(QByteArray(reinterpret_cast<const char*>(element->pCertContext->pbCertEncoded),
111 int(element->pCertContext->cbCertEncoded)), QSsl::Der);
112
113 if (cert.isBlacklisted())
114 return {};
115
116 if (element->TrustStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED) // Good to know!
117 return {};
118
119 if (element->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
120 return {};
121
122 verifiedChain.append(cert);
123 }
124
125 // We rely on OpenSSL's ability to find other problems.
126 const auto tlsErrors = QSslSocketBackendPrivate::verify(caCertificates, verifiedChain, peerVerifyName);
127 if (tlsErrors.size())
128 verifiedChain.clear();
129
130 return verifiedChain;
131 }
132
133 } // unnamed namespace
134 #endif // QT_CONFIG(openssl)
135
QWindowsCaRootFetcher(const QSslCertificate & certificate,QSslSocket::SslMode sslMode,const QList<QSslCertificate> & caCertificates,const QString & hostName)136 QWindowsCaRootFetcher::QWindowsCaRootFetcher(const QSslCertificate &certificate, QSslSocket::SslMode sslMode,
137 const QList<QSslCertificate> &caCertificates, const QString &hostName)
138 : cert(certificate), mode(sslMode), explicitlyTrustedCAs(caCertificates), peerVerifyName(hostName)
139 {
140 moveToThread(windowsCaRootFetcherThread());
141 }
142
~QWindowsCaRootFetcher()143 QWindowsCaRootFetcher::~QWindowsCaRootFetcher()
144 {
145 }
146
start()147 void QWindowsCaRootFetcher::start()
148 {
149 QByteArray der = cert.toDer();
150 PCCERT_CONTEXT wincert = CertCreateCertificateContext(X509_ASN_ENCODING, (const BYTE *)der.constData(), der.length());
151 if (!wincert) {
152 #ifdef QSSLSOCKET_DEBUG
153 qCDebug(lcSsl, "QWindowsCaRootFetcher failed to convert certificate to windows form");
154 #endif
155 emit finished(cert, QSslCertificate());
156 deleteLater();
157 return;
158 }
159
160 CERT_CHAIN_PARA parameters;
161 memset(¶meters, 0, sizeof(parameters));
162 parameters.cbSize = sizeof(parameters);
163 // set key usage constraint
164 parameters.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
165 parameters.RequestedUsage.Usage.cUsageIdentifier = 1;
166 LPSTR oid = (LPSTR)(mode == QSslSocket::SslClientMode ? szOID_PKIX_KP_SERVER_AUTH : szOID_PKIX_KP_CLIENT_AUTH);
167 parameters.RequestedUsage.Usage.rgpszUsageIdentifier = &oid;
168
169 #ifdef QSSLSOCKET_DEBUG
170 QElapsedTimer stopwatch;
171 stopwatch.start();
172 #endif
173 PCCERT_CHAIN_CONTEXT chain;
174 auto additionalStore = createAdditionalStore();
175 BOOL result = CertGetCertificateChain(
176 nullptr, //default engine
177 wincert,
178 nullptr, //current date/time
179 additionalStore.get(), //default store (nullptr) or CAs an application trusts
180 ¶meters,
181 0, //default dwFlags
182 nullptr, //reserved
183 &chain);
184 #ifdef QSSLSOCKET_DEBUG
185 qCDebug(lcSsl) << "QWindowsCaRootFetcher" << stopwatch.elapsed() << "ms to get chain";
186 #endif
187
188 QSslCertificate trustedRoot;
189 if (result) {
190 #ifdef QSSLSOCKET_DEBUG
191 qCDebug(lcSsl) << "QWindowsCaRootFetcher - examining windows chains";
192 if (chain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR)
193 qCDebug(lcSsl) << " - TRUSTED";
194 else
195 qCDebug(lcSsl) << " - NOT TRUSTED" << chain->TrustStatus.dwErrorStatus;
196 if (chain->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED)
197 qCDebug(lcSsl) << " - SELF SIGNED";
198 qCDebug(lcSsl) << "QSslSocketBackendPrivate::fetchCaRootForCert - dumping simple chains";
199 for (unsigned int i = 0; i < chain->cChain; i++) {
200 if (chain->rgpChain[i]->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR)
201 qCDebug(lcSsl) << " - TRUSTED SIMPLE CHAIN" << i;
202 else
203 qCDebug(lcSsl) << " - UNTRUSTED SIMPLE CHAIN" << i << "reason:" << chain->rgpChain[i]->TrustStatus.dwErrorStatus;
204 for (unsigned int j = 0; j < chain->rgpChain[i]->cElement; j++) {
205 QSslCertificate foundCert(QByteArray((const char *)chain->rgpChain[i]->rgpElement[j]->pCertContext->pbCertEncoded
206 , chain->rgpChain[i]->rgpElement[j]->pCertContext->cbCertEncoded), QSsl::Der);
207 qCDebug(lcSsl) << " - " << foundCert;
208 }
209 }
210 qCDebug(lcSsl) << " - and" << chain->cLowerQualityChainContext << "low quality chains"; //expect 0, we haven't asked for them
211 #endif
212
213 //based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa377182%28v=vs.85%29.aspx
214 //about the final chain rgpChain[cChain-1] which must begin with a trusted root to be valid
215 if (chain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR
216 && chain->cChain > 0) {
217 const PCERT_SIMPLE_CHAIN finalChain = chain->rgpChain[chain->cChain - 1];
218 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa377544%28v=vs.85%29.aspx
219 // rgpElement[0] is the end certificate chain element. rgpElement[cElement-1] is the self-signed "root" certificate element.
220 if (finalChain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR
221 && finalChain->cElement > 0) {
222 trustedRoot = QSslCertificate(QByteArray((const char *)finalChain->rgpElement[finalChain->cElement - 1]->pCertContext->pbCertEncoded
223 , finalChain->rgpElement[finalChain->cElement - 1]->pCertContext->cbCertEncoded), QSsl::Der);
224 }
225 } else if (explicitlyTrustedCAs.size()) {
226 // Setting custom CA in configuration, and those CAs are not trusted by MS.
227 #if QT_CONFIG(openssl)
228 const auto verifiedChain = buildVerifiedChain(explicitlyTrustedCAs, chain, peerVerifyName);
229 if (verifiedChain.size())
230 trustedRoot = verifiedChain.last();
231 #else
232 //It's only OpenSSL code-path that can trigger such a fetch.
233 Q_UNREACHABLE();
234 #endif
235 }
236 CertFreeCertificateChain(chain);
237 }
238 CertFreeCertificateContext(wincert);
239
240 emit finished(cert, trustedRoot);
241 deleteLater();
242 }
243
createAdditionalStore() const244 QHCertStorePointer QWindowsCaRootFetcher::createAdditionalStore() const
245 {
246 QHCertStorePointer customStore;
247 if (explicitlyTrustedCAs.isEmpty())
248 return customStore;
249
250 if (HCERTSTORE rawPtr = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, nullptr)) {
251 customStore.reset(rawPtr);
252
253 unsigned rootsAdded = 0;
254 for (const QSslCertificate &caCert : explicitlyTrustedCAs) {
255 const auto der = caCert.toDer();
256 PCCERT_CONTEXT winCert = CertCreateCertificateContext(X509_ASN_ENCODING,
257 reinterpret_cast<const BYTE *>(der.data()),
258 DWORD(der.length()));
259 if (!winCert) {
260 #if defined(QSSLSOCKET_DEBUG)
261 qCWarning(lcSsl) << "CA fetcher, failed to convert QSslCertificate"
262 << "to the native representation";
263 #endif // QSSLSOCKET_DEBUG
264 continue;
265 }
266 const auto deleter = qScopeGuard([winCert](){
267 CertFreeCertificateContext(winCert);
268 });
269 if (CertAddCertificateContextToStore(customStore.get(), winCert, CERT_STORE_ADD_ALWAYS, nullptr))
270 ++rootsAdded;
271 #if defined(QSSLSOCKET_DEBUG)
272 else //Why assert? With flags we're using and winCert check - should not happen!
273 Q_ASSERT("CertAddCertificateContextToStore() failed");
274 #endif // QSSLSOCKET_DEBUG
275 }
276 if (!rootsAdded) //Useless store, no cert was added.
277 customStore.reset();
278 #if defined(QSSLSOCKET_DEBUG)
279 } else {
280
281 qCWarning(lcSsl) << "CA fetcher, failed to create a custom"
282 << "store for explicitly trusted CA certificate";
283 #endif // QSSLSOCKET_DEBUG
284 }
285
286 return customStore;
287 }
288
289 QT_END_NAMESPACE
290