qt-everywhere-src-5.15.1/qtbase/src/network/ssl/qsslsocket_mac_shared.cpp - orbit - Git at Google

 /****************************************************************************
 **
 ** Copyright (C) 2016 The Qt Company Ltd.
 ** Copyright (C) 2015 ownCloud Inc
 ** Contact: https://www.qt.io/licensing/
 **
 ** This file is part of the QtNetwork module of the Qt Toolkit.
 **
 ** $QT_BEGIN_LICENSE:LGPL$
 ** Commercial License Usage
 ** Licensees holding valid commercial Qt licenses may use this file in
 ** accordance with the commercial license agreement provided with the
 ** Software or, alternatively, in accordance with the terms contained in
 ** a written agreement between you and The Qt Company. For licensing terms
 ** and conditions see https://www.qt.io/terms-conditions. For further
 ** information use the contact form at https://www.qt.io/contact-us.
 **
 ** GNU Lesser General Public License Usage
 ** Alternatively, this file may be used under the terms of the GNU Lesser
 ** General Public License version 3 as published by the Free Software
 ** Foundation and appearing in the file LICENSE.LGPL3 included in the
 ** packaging of this file. Please review the following information to
 ** ensure the GNU Lesser General Public License version 3 requirements
 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
 **
 ** GNU General Public License Usage
 ** Alternatively, this file may be used under the terms of the GNU
 ** General Public License version 2.0 or (at your option) the GNU General
 ** Public license version 3 or any later version approved by the KDE Free
 ** Qt Foundation. The licenses are as published by the Free Software
 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
 ** included in the packaging of this file. Please review the following
 ** information to ensure the GNU General Public License requirements will
 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and
 ** https://www.gnu.org/licenses/gpl-3.0.html.
 **
 ** $QT_END_LICENSE$
 **
 ****************************************************************************/

 //#define QSSLSOCKET_DEBUG
 //#define QT_DECRYPT_SSL_TRAFFIC

 #include "qssl_p.h"
 #include "qsslsocket.h"

 #ifndef QT_NO_OPENSSL
 #   include "qsslsocket_openssl_p.h"
 #   include "qsslsocket_openssl_symbols_p.h"
 #endif

 #include "qsslcertificate_p.h"

 #ifdef Q_OS_DARWIN
 #   include <private/qcore_mac_p.h>
 #endif

 #include <QtCore/qdebug.h>

 #ifdef Q_OS_MACOS
 #   include <Security/Security.h>
 #endif


 QT_BEGIN_NAMESPACE

 #ifdef Q_OS_MACOS
 namespace {

 bool hasTrustedSslServerPolicy(SecPolicyRef policy, CFDictionaryRef props) {
     QCFType<CFDictionaryRef> policyProps = SecPolicyCopyProperties(policy);
     // only accept certificates with policies for SSL server validation for now
     if (CFEqual(CFDictionaryGetValue(policyProps, kSecPolicyOid), kSecPolicyAppleSSL)) {
         CFBooleanRef policyClient;
         if (CFDictionaryGetValueIfPresent(policyProps, kSecPolicyClient, reinterpret_cast<const void**>(&policyClient)) &&
             CFEqual(policyClient, kCFBooleanTrue)) {
             return false; // no client certs
         }
         if (!CFDictionaryContainsKey(props, kSecTrustSettingsResult)) {
             // as per the docs, no trust settings result implies full trust
             return true;
         }
         CFNumberRef number = static_cast<CFNumberRef>(CFDictionaryGetValue(props, kSecTrustSettingsResult));
         SecTrustSettingsResult settingsResult;
         CFNumberGetValue(number, kCFNumberSInt32Type, &settingsResult);
         switch (settingsResult) {
         case kSecTrustSettingsResultTrustRoot:
         case kSecTrustSettingsResultTrustAsRoot:
             return true;
         default:
             return false;
         }
     }
     return false;
 }

 bool isCaCertificateTrusted(SecCertificateRef cfCert, int domain)
 {
     QCFType<CFArrayRef> cfTrustSettings;
     OSStatus status = SecTrustSettingsCopyTrustSettings(cfCert, SecTrustSettingsDomain(domain), &cfTrustSettings);
     if (status == noErr) {
         CFIndex size = CFArrayGetCount(cfTrustSettings);
         // if empty, trust for everything (as per the Security Framework documentation)
         if (size == 0) {
             return true;
         } else {
             for (CFIndex i = 0; i < size; ++i) {
                 CFDictionaryRef props = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(cfTrustSettings, i));
                 if (CFDictionaryContainsKey(props, kSecTrustSettingsPolicy)) {
                     if (hasTrustedSslServerPolicy((SecPolicyRef)CFDictionaryGetValue(props, kSecTrustSettingsPolicy), props))
                         return true;
                 }
             }
         }
     } else {
         qCWarning(lcSsl, "Error receiving trust for a CA certificate");
     }
     return false;
 }

 } // anon namespace
 #endif // Q_OS_MACOS

 QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
 {
     ensureInitialized();

     QList<QSslCertificate> systemCerts;
     // SecTrustSettingsCopyCertificates is not defined on iOS.
 #ifdef Q_OS_MACOS
     // iterate through all enum members, order:
     // kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem
     for (int dom = kSecTrustSettingsDomainUser; dom <= int(kSecTrustSettingsDomainSystem); dom++) {
         QCFType<CFArrayRef> cfCerts;
         OSStatus status = SecTrustSettingsCopyCertificates(SecTrustSettingsDomain(dom), &cfCerts);
         if (status == noErr) {
             const CFIndex size = CFArrayGetCount(cfCerts);
             for (CFIndex i = 0; i < size; ++i) {
                 SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
                 QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert);
                 if (isCaCertificateTrusted(cfCert, dom)) {
                     if (derData == NULL) {
                         qCWarning(lcSsl, "Error retrieving a CA certificate from the system store");
                     } else {
                         systemCerts << QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der);
                     }
                 }
             }
         }
     }
 #endif
     return systemCerts;
 }

 QT_END_NAMESPACE
	/****************************************************************************
	**
	** Copyright (C) 2016 The Qt Company Ltd.
	** Copyright (C) 2015 ownCloud Inc
	** Contact: https://www.qt.io/licensing/
	**
	** This file is part of the QtNetwork module of the Qt Toolkit.
	**
	** $QT_BEGIN_LICENSE:LGPL$
	** Commercial License Usage
	** Licensees holding valid commercial Qt licenses may use this file in
	** accordance with the commercial license agreement provided with the
	** Software or, alternatively, in accordance with the terms contained in
	** a written agreement between you and The Qt Company. For licensing terms
	** and conditions see https://www.qt.io/terms-conditions. For further
	** information use the contact form at https://www.qt.io/contact-us.
	**
	** GNU Lesser General Public License Usage
	** Alternatively, this file may be used under the terms of the GNU Lesser
	** General Public License version 3 as published by the Free Software
	** Foundation and appearing in the file LICENSE.LGPL3 included in the
	** packaging of this file. Please review the following information to
	** ensure the GNU Lesser General Public License version 3 requirements
	** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
	**
	** GNU General Public License Usage
	** Alternatively, this file may be used under the terms of the GNU
	** General Public License version 2.0 or (at your option) the GNU General
	** Public license version 3 or any later version approved by the KDE Free
	** Qt Foundation. The licenses are as published by the Free Software
	** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
	** included in the packaging of this file. Please review the following
	** information to ensure the GNU General Public License requirements will
	** be met: https://www.gnu.org/licenses/gpl-2.0.html and
	** https://www.gnu.org/licenses/gpl-3.0.html.
	**
	** $QT_END_LICENSE$
	**
	****************************************************************************/

	//#define QSSLSOCKET_DEBUG
	//#define QT_DECRYPT_SSL_TRAFFIC

	#include "qssl_p.h"
	#include "qsslsocket.h"

	#ifndef QT_NO_OPENSSL
	# include "qsslsocket_openssl_p.h"
	# include "qsslsocket_openssl_symbols_p.h"
	#endif

	#include "qsslcertificate_p.h"

	#ifdef Q_OS_DARWIN
	# include <private/qcore_mac_p.h>
	#endif

	#include <QtCore/qdebug.h>

	#ifdef Q_OS_MACOS
	# include <Security/Security.h>
	#endif


	QT_BEGIN_NAMESPACE

	#ifdef Q_OS_MACOS
	namespace {

	bool hasTrustedSslServerPolicy(SecPolicyRef policy, CFDictionaryRef props) {
	QCFType<CFDictionaryRef> policyProps = SecPolicyCopyProperties(policy);
	// only accept certificates with policies for SSL server validation for now
	if (CFEqual(CFDictionaryGetValue(policyProps, kSecPolicyOid), kSecPolicyAppleSSL)) {
	CFBooleanRef policyClient;
	if (CFDictionaryGetValueIfPresent(policyProps, kSecPolicyClient, reinterpret_cast<const void**>(&policyClient)) &&
	CFEqual(policyClient, kCFBooleanTrue)) {
	return false; // no client certs
	}
	if (!CFDictionaryContainsKey(props, kSecTrustSettingsResult)) {
	// as per the docs, no trust settings result implies full trust
	return true;
	}
	CFNumberRef number = static_cast<CFNumberRef>(CFDictionaryGetValue(props, kSecTrustSettingsResult));
	SecTrustSettingsResult settingsResult;
	CFNumberGetValue(number, kCFNumberSInt32Type, &settingsResult);
	switch (settingsResult) {
	case kSecTrustSettingsResultTrustRoot:
	case kSecTrustSettingsResultTrustAsRoot:
	return true;
	default:
	return false;
	}
	}
	return false;
	}

	bool isCaCertificateTrusted(SecCertificateRef cfCert, int domain)
	{
	QCFType<CFArrayRef> cfTrustSettings;
	OSStatus status = SecTrustSettingsCopyTrustSettings(cfCert, SecTrustSettingsDomain(domain), &cfTrustSettings);
	if (status == noErr) {
	CFIndex size = CFArrayGetCount(cfTrustSettings);
	// if empty, trust for everything (as per the Security Framework documentation)
	if (size == 0) {
	return true;
	} else {
	for (CFIndex i = 0; i < size; ++i) {
	CFDictionaryRef props = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(cfTrustSettings, i));
	if (CFDictionaryContainsKey(props, kSecTrustSettingsPolicy)) {
	if (hasTrustedSslServerPolicy((SecPolicyRef)CFDictionaryGetValue(props, kSecTrustSettingsPolicy), props))
	return true;
	}
	}
	}
	} else {
	qCWarning(lcSsl, "Error receiving trust for a CA certificate");
	}
	return false;
	}

	} // anon namespace
	#endif // Q_OS_MACOS

	QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
	{
	ensureInitialized();

	QList<QSslCertificate> systemCerts;
	// SecTrustSettingsCopyCertificates is not defined on iOS.
	#ifdef Q_OS_MACOS
	// iterate through all enum members, order:
	// kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem
	for (int dom = kSecTrustSettingsDomainUser; dom <= int(kSecTrustSettingsDomainSystem); dom++) {
	QCFType<CFArrayRef> cfCerts;
	OSStatus status = SecTrustSettingsCopyCertificates(SecTrustSettingsDomain(dom), &cfCerts);
	if (status == noErr) {
	const CFIndex size = CFArrayGetCount(cfCerts);
	for (CFIndex i = 0; i < size; ++i) {
	SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
	QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert);
	if (isCaCertificateTrusted(cfCert, dom)) {
	if (derData == NULL) {
	qCWarning(lcSsl, "Error retrieving a CA certificate from the system store");
	} else {
	systemCerts << QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der);
	}
	}
	}
	}
	}
	#endif
	return systemCerts;
	}

	QT_END_NAMESPACE