1 | /* |
2 | This file is part of the KDE project |
3 | SPDX-FileCopyrightText: 2007, 2008, 2010 Andreas Hartmetz <ahartmetz@gmail.com> |
4 | |
5 | SPDX-License-Identifier: LGPL-2.0-or-later |
6 | */ |
7 | |
8 | #include "ksslcertificatemanager.h" |
9 | #include "ksslcertificatemanager_p.h" |
10 | |
11 | #ifdef WITH_QTDBUS |
12 | #include "kssld_interface.h" |
13 | #endif |
14 | |
15 | #include "ksslerroruidata_p.h" |
16 | |
17 | #include <KConfig> |
18 | #include <KConfigGroup> |
19 | #include <KLocalizedString> |
20 | |
21 | #include <QDebug> |
22 | #include <QDir> |
23 | #include <QFile> |
24 | #include <QSslConfiguration> |
25 | #include <QStandardPaths> |
26 | |
27 | #include <set> |
28 | |
29 | /* |
30 | Config file format: |
31 | [<MD5-Digest>] |
32 | <Host> = <Date> <List of ignored errors> |
33 | #for example |
34 | #mail.kdab.net = ExpireUTC 2008-08-20T18:22:14, SelfSigned, Expired |
35 | #very.old.com = ExpireUTC 2008-08-20T18:22:14, TooWeakEncryption <- not actually planned to implement |
36 | #clueless.admin.com = ExpireUTC 2008-08-20T18:22:14, HostNameMismatch |
37 | # |
38 | #Wildcard syntax |
39 | #* = ExpireUTC 2008-08-20T18:22:14, SelfSigned |
40 | #*.kdab.net = ExpireUTC 2008-08-20T18:22:14, SelfSigned |
41 | #mail.kdab.net = ExpireUTC 2008-08-20T18:22:14, All <- not implemented |
42 | #* = ExpireUTC 9999-12-31T23:59:59, Reject #we know that something is wrong with that certificate |
43 | CertificatePEM = <PEM-encoded certificate> #host entries are all lowercase, thus no clashes |
44 | |
45 | */ |
46 | |
47 | // TODO GUI for managing exception rules |
48 | |
49 | KSslCertificateRule::KSslCertificateRule(const QSslCertificate &cert, const QString &hostName) |
50 | : d(new KSslCertificateRulePrivate()) |
51 | { |
52 | d->certificate = cert; |
53 | d->hostName = hostName; |
54 | d->isRejected = false; |
55 | } |
56 | |
57 | KSslCertificateRule::KSslCertificateRule(const KSslCertificateRule &other) |
58 | : d(new KSslCertificateRulePrivate()) |
59 | { |
60 | *d = *other.d; |
61 | } |
62 | |
63 | KSslCertificateRule::~KSslCertificateRule() = default; |
64 | |
65 | KSslCertificateRule &KSslCertificateRule::operator=(const KSslCertificateRule &other) |
66 | { |
67 | *d = *other.d; |
68 | return *this; |
69 | } |
70 | |
71 | QSslCertificate KSslCertificateRule::certificate() const |
72 | { |
73 | return d->certificate; |
74 | } |
75 | |
76 | QString KSslCertificateRule::hostName() const |
77 | { |
78 | return d->hostName; |
79 | } |
80 | |
81 | void KSslCertificateRule::setExpiryDateTime(const QDateTime &dateTime) |
82 | { |
83 | d->expiryDateTime = dateTime; |
84 | } |
85 | |
86 | QDateTime KSslCertificateRule::expiryDateTime() const |
87 | { |
88 | return d->expiryDateTime; |
89 | } |
90 | |
91 | void KSslCertificateRule::setRejected(bool rejected) |
92 | { |
93 | d->isRejected = rejected; |
94 | } |
95 | |
96 | bool KSslCertificateRule::isRejected() const |
97 | { |
98 | return d->isRejected; |
99 | } |
100 | |
101 | bool KSslCertificateRule::isErrorIgnored(QSslError::SslError error) const |
102 | { |
103 | return d->ignoredErrors.contains(t: error); |
104 | } |
105 | |
106 | void KSslCertificateRule::setIgnoredErrors(const QList<QSslError> &errors) |
107 | { |
108 | d->ignoredErrors.clear(); |
109 | for (const QSslError &error : errors) { |
110 | if (!isErrorIgnored(error: error.error())) { |
111 | d->ignoredErrors.append(t: error.error()); |
112 | } |
113 | } |
114 | } |
115 | |
116 | void KSslCertificateRule::setIgnoredErrors(const QList<QSslError::SslError> &errors) |
117 | { |
118 | d->ignoredErrors.clear(); |
119 | for (QSslError::SslError error : errors) { |
120 | if (!isErrorIgnored(error)) { |
121 | d->ignoredErrors.append(t: error); |
122 | } |
123 | } |
124 | } |
125 | |
126 | QList<QSslError::SslError> KSslCertificateRule::ignoredErrors() const |
127 | { |
128 | return d->ignoredErrors; |
129 | } |
130 | |
131 | QList<QSslError> KSslCertificateRule::filterErrors(const QList<QSslError> &errors) const |
132 | { |
133 | QList<QSslError> ret; |
134 | for (const QSslError &error : errors) { |
135 | if (!isErrorIgnored(error: error.error())) { |
136 | ret.append(t: error); |
137 | } |
138 | } |
139 | return ret; |
140 | } |
141 | |
142 | //////////////////////////////////////////////////////////////////// |
143 | |
144 | static QList<QSslCertificate> deduplicate(const QList<QSslCertificate> &certs) |
145 | { |
146 | std::set<QByteArray> digests; |
147 | QList<QSslCertificate> ret; |
148 | for (const QSslCertificate &cert : certs) { |
149 | QByteArray digest = cert.digest(); |
150 | const auto [it, isInserted] = digests.insert(x: digest); |
151 | if (isInserted) { |
152 | ret.append(t: cert); |
153 | } |
154 | } |
155 | return ret; |
156 | } |
157 | |
158 | KSslCertificateManagerPrivate::KSslCertificateManagerPrivate() |
159 | : config(QStringLiteral("ksslcertificatemanager" ), KConfig::SimpleConfig) |
160 | #ifdef WITH_QTDBUS |
161 | , iface(new org::kde::KSSLDInterface(QStringLiteral("org.kde.kssld6" ), QStringLiteral("/modules/kssld" ), QDBusConnection::sessionBus())) |
162 | #endif |
163 | , isCertListLoaded(false) |
164 | , userCertDir(QStandardPaths::writableLocation(type: QStandardPaths::GenericDataLocation) + QStringLiteral("/kssl/userCaCertificates/" )) |
165 | { |
166 | } |
167 | |
168 | KSslCertificateManagerPrivate::~KSslCertificateManagerPrivate() |
169 | { |
170 | #ifdef WITH_QTDBUS |
171 | delete iface; |
172 | iface = nullptr; |
173 | #endif |
174 | } |
175 | |
176 | void KSslCertificateManagerPrivate::loadDefaultCaCertificates() |
177 | { |
178 | defaultCaCertificates.clear(); |
179 | |
180 | QList<QSslCertificate> certs = deduplicate(certs: QSslConfiguration::systemCaCertificates()); |
181 | |
182 | KConfig config(QStringLiteral("ksslcablacklist" ), KConfig::SimpleConfig); |
183 | KConfigGroup group = config.group(QStringLiteral("Blacklist of CA Certificates" )); |
184 | |
185 | certs.append(other: QSslCertificate::fromPath(path: userCertDir + QLatin1Char('*'), format: QSsl::Pem, syntax: QSslCertificate::PatternSyntax::Wildcard)); |
186 | |
187 | for (const QSslCertificate &cert : std::as_const(t&: certs)) { |
188 | const QByteArray digest = cert.digest().toHex(); |
189 | if (!group.hasKey(key: digest.constData())) { |
190 | defaultCaCertificates += cert; |
191 | } |
192 | } |
193 | |
194 | isCertListLoaded = true; |
195 | } |
196 | |
197 | bool KSslCertificateManagerPrivate::addCertificate(const KSslCaCertificate &in) |
198 | { |
199 | // qDebug() << Q_FUNC_INFO; |
200 | // cannot add a certificate to the system store |
201 | if (in.store == KSslCaCertificate::SystemStore) { |
202 | Q_ASSERT(false); |
203 | return false; |
204 | } |
205 | if (knownCerts.contains(value: in.certHash)) { |
206 | Q_ASSERT(false); |
207 | return false; |
208 | } |
209 | |
210 | QString certFilename = userCertDir + QString::fromLatin1(ba: in.certHash); |
211 | |
212 | QFile certFile(certFilename); |
213 | if (!QDir().mkpath(dirPath: userCertDir) || certFile.open(flags: QIODevice::ReadOnly)) { |
214 | return false; |
215 | } |
216 | if (!certFile.open(flags: QIODevice::WriteOnly)) { |
217 | return false; |
218 | } |
219 | if (certFile.write(data: in.cert.toPem()) < 1) { |
220 | return false; |
221 | } |
222 | knownCerts.insert(value: in.certHash); |
223 | |
224 | updateCertificateBlacklisted(cert: in); |
225 | |
226 | return true; |
227 | } |
228 | |
229 | bool KSslCertificateManagerPrivate::removeCertificate(const KSslCaCertificate &old) |
230 | { |
231 | // qDebug() << Q_FUNC_INFO; |
232 | // cannot remove a certificate from the system store |
233 | if (old.store == KSslCaCertificate::SystemStore) { |
234 | Q_ASSERT(false); |
235 | return false; |
236 | } |
237 | |
238 | if (!QFile::remove(fileName: userCertDir + QString::fromLatin1(ba: old.certHash))) { |
239 | // suppose somebody copied a certificate file into userCertDir without changing the |
240 | // filename to the digest. |
241 | // the rest of the code will work fine because it loads all certificate files from |
242 | // userCertDir without asking for the name, we just can't remove the certificate using |
243 | // its digest as filename - so search the whole directory. |
244 | // if the certificate was added with the digest as name *and* with a different name, we |
245 | // still fail to remove it completely at first try - BAD USER! BAD! |
246 | |
247 | bool removed = false; |
248 | QDir dir(userCertDir); |
249 | const QStringList dirList = dir.entryList(filters: QDir::Files); |
250 | for (const QString &certFilename : dirList) { |
251 | const QString certPath = userCertDir + certFilename; |
252 | QList<QSslCertificate> certs = QSslCertificate::fromPath(path: certPath); |
253 | |
254 | if (!certs.isEmpty() && certs.at(i: 0).digest().toHex() == old.certHash) { |
255 | if (QFile::remove(fileName: certPath)) { |
256 | removed = true; |
257 | } else { |
258 | // maybe the file is readable but not writable |
259 | return false; |
260 | } |
261 | } |
262 | } |
263 | if (!removed) { |
264 | // looks like the file is not there |
265 | return false; |
266 | } |
267 | } |
268 | |
269 | // note that knownCerts *should* need no updating due to the way setAllCertificates() works - |
270 | // it should never call addCertificate and removeCertificate for the same cert in one run |
271 | |
272 | // clean up the blacklist |
273 | setCertificateBlacklisted(certHash: old.certHash, isBlacklisted: false); |
274 | |
275 | return true; |
276 | } |
277 | |
278 | static bool certLessThan(const KSslCaCertificate &cacert1, const KSslCaCertificate &cacert2) |
279 | { |
280 | if (cacert1.store != cacert2.store) { |
281 | // SystemStore is numerically smaller so the system certs come first; this is important |
282 | // so that system certificates come first in case the user added an already-present |
283 | // certificate as a user certificate. |
284 | return cacert1.store < cacert2.store; |
285 | } |
286 | return cacert1.certHash < cacert2.certHash; |
287 | } |
288 | |
289 | void KSslCertificateManagerPrivate::setAllCertificates(const QList<KSslCaCertificate> &certsIn) |
290 | { |
291 | Q_ASSERT(knownCerts.isEmpty()); |
292 | QList<KSslCaCertificate> in = certsIn; |
293 | QList<KSslCaCertificate> old = allCertificates(); |
294 | std::sort(first: in.begin(), last: in.end(), comp: certLessThan); |
295 | std::sort(first: old.begin(), last: old.end(), comp: certLessThan); |
296 | |
297 | for (int ii = 0, oi = 0; ii < in.size() || oi < old.size(); ++ii, ++oi) { |
298 | // look at all elements in both lists, even if we reach the end of one early. |
299 | if (ii >= in.size()) { |
300 | removeCertificate(old: old.at(i: oi)); |
301 | continue; |
302 | } else if (oi >= old.size()) { |
303 | addCertificate(in: in.at(i: ii)); |
304 | continue; |
305 | } |
306 | |
307 | if (certLessThan(cacert1: old.at(i: oi), cacert2: in.at(i: ii))) { |
308 | // the certificate in "old" is not in "in". only advance the index of "old". |
309 | removeCertificate(old: old.at(i: oi)); |
310 | ii--; |
311 | } else if (certLessThan(cacert1: in.at(i: ii), cacert2: old.at(i: oi))) { |
312 | // the certificate in "in" is not in "old". only advance the index of "in". |
313 | addCertificate(in: in.at(i: ii)); |
314 | oi--; |
315 | } else { // in.at(ii) "==" old.at(oi) |
316 | if (in.at(i: ii).cert != old.at(i: oi).cert) { |
317 | // hash collision, be prudent(?) and don't do anything. |
318 | } else { |
319 | knownCerts.insert(value: old.at(i: oi).certHash); |
320 | if (in.at(i: ii).isBlacklisted != old.at(i: oi).isBlacklisted) { |
321 | updateCertificateBlacklisted(cert: in.at(i: ii)); |
322 | } |
323 | } |
324 | } |
325 | } |
326 | knownCerts.clear(); |
327 | QMutexLocker certListLocker(&certListMutex); |
328 | isCertListLoaded = false; |
329 | loadDefaultCaCertificates(); |
330 | } |
331 | |
332 | QList<KSslCaCertificate> KSslCertificateManagerPrivate::allCertificates() const |
333 | { |
334 | // qDebug() << Q_FUNC_INFO; |
335 | QList<KSslCaCertificate> ret; |
336 | const QList<QSslCertificate> list = deduplicate(certs: QSslConfiguration::systemCaCertificates()); |
337 | for (const QSslCertificate &cert : list) { |
338 | ret += KSslCaCertificate(cert, KSslCaCertificate::SystemStore, false); |
339 | } |
340 | |
341 | const QList<QSslCertificate> userList = QSslCertificate::fromPath(path: userCertDir + QLatin1Char('*'), format: QSsl::Pem, syntax: QSslCertificate::PatternSyntax::Wildcard); |
342 | for (const QSslCertificate &cert : userList) { |
343 | ret += KSslCaCertificate(cert, KSslCaCertificate::UserStore, false); |
344 | } |
345 | |
346 | KConfig config(QStringLiteral("ksslcablacklist" ), KConfig::SimpleConfig); |
347 | KConfigGroup group = config.group(QStringLiteral("Blacklist of CA Certificates" )); |
348 | for (KSslCaCertificate &cert : ret) { |
349 | if (group.hasKey(key: cert.certHash.constData())) { |
350 | cert.isBlacklisted = true; |
351 | // qDebug() << "is blacklisted"; |
352 | } |
353 | } |
354 | |
355 | return ret; |
356 | } |
357 | |
358 | bool KSslCertificateManagerPrivate::updateCertificateBlacklisted(const KSslCaCertificate &cert) |
359 | { |
360 | return setCertificateBlacklisted(certHash: cert.certHash, isBlacklisted: cert.isBlacklisted); |
361 | } |
362 | |
363 | bool KSslCertificateManagerPrivate::setCertificateBlacklisted(const QByteArray &certHash, bool isBlacklisted) |
364 | { |
365 | // qDebug() << Q_FUNC_INFO << isBlacklisted; |
366 | KConfig config(QStringLiteral("ksslcablacklist" ), KConfig::SimpleConfig); |
367 | KConfigGroup group = config.group(QStringLiteral("Blacklist of CA Certificates" )); |
368 | if (isBlacklisted) { |
369 | // TODO check against certificate list ? |
370 | group.writeEntry(key: certHash.constData(), value: QString()); |
371 | } else { |
372 | if (!group.hasKey(key: certHash.constData())) { |
373 | return false; |
374 | } |
375 | group.deleteEntry(key: certHash.constData()); |
376 | } |
377 | |
378 | return true; |
379 | } |
380 | |
381 | class KSslCertificateManagerContainer |
382 | { |
383 | public: |
384 | KSslCertificateManager sslCertificateManager; |
385 | }; |
386 | |
387 | Q_GLOBAL_STATIC(KSslCertificateManagerContainer, g_instance) |
388 | |
389 | KSslCertificateManager::KSslCertificateManager() |
390 | : d(new KSslCertificateManagerPrivate()) |
391 | { |
392 | } |
393 | |
394 | KSslCertificateManager::~KSslCertificateManager() = default; |
395 | |
396 | // static |
397 | KSslCertificateManager *KSslCertificateManager::self() |
398 | { |
399 | return &g_instance()->sslCertificateManager; |
400 | } |
401 | |
402 | void KSslCertificateManager::setRule(const KSslCertificateRule &rule) |
403 | { |
404 | #ifdef WITH_QTDBUS |
405 | d->iface->setRule(rule); |
406 | #endif |
407 | } |
408 | |
409 | void KSslCertificateManager::clearRule(const KSslCertificateRule &rule) |
410 | { |
411 | #ifdef WITH_QTDBUS |
412 | d->iface->clearRule(rule); |
413 | #endif |
414 | } |
415 | |
416 | void KSslCertificateManager::clearRule(const QSslCertificate &cert, const QString &hostName) |
417 | { |
418 | #ifdef WITH_QTDBUS |
419 | d->iface->clearRule(cert, hostName); |
420 | #endif |
421 | } |
422 | |
423 | KSslCertificateRule KSslCertificateManager::rule(const QSslCertificate &cert, const QString &hostName) const |
424 | { |
425 | #ifdef WITH_QTDBUS |
426 | return d->iface->rule(cert, hostName); |
427 | #else |
428 | return KSslCertificateRule(); |
429 | #endif |
430 | } |
431 | |
432 | QList<QSslCertificate> KSslCertificateManager::caCertificates() const |
433 | { |
434 | QMutexLocker certLocker(&d->certListMutex); |
435 | if (!d->isCertListLoaded) { |
436 | d->loadDefaultCaCertificates(); |
437 | } |
438 | return d->defaultCaCertificates; |
439 | } |
440 | |
441 | QList<QSslError> KSslCertificateManager::nonIgnorableErrors(const QList<QSslError> &errors) |
442 | { |
443 | QList<QSslError> ret; |
444 | // errors not handled in KSSLD |
445 | std::copy_if(first: errors.begin(), last: errors.end(), result: std::back_inserter(x&: ret), pred: [](const QSslError &e) { |
446 | return e.error() == QSslError::NoPeerCertificate || e.error() == QSslError::PathLengthExceeded || e.error() == QSslError::NoSslSupport; |
447 | }); |
448 | return ret; |
449 | } |
450 | |
451 | QList<KSslCaCertificate> _allKsslCaCertificates(KSslCertificateManager *cm) |
452 | { |
453 | return KSslCertificateManagerPrivate::get(q: cm)->allCertificates(); |
454 | } |
455 | |
456 | void _setAllKsslCaCertificates(KSslCertificateManager *cm, const QList<KSslCaCertificate> &certsIn) |
457 | { |
458 | KSslCertificateManagerPrivate::get(q: cm)->setAllCertificates(certsIn); |
459 | } |
460 | |
461 | #ifdef WITH_QTDBUS |
462 | #include "moc_kssld_interface.cpp" |
463 | #endif |
464 | |