1	/*
2	* Copyright (C) 2003-2007 Justin Karneges <justin@affinix.com>
3	* Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net>
4	*
5	* This library is free software; you can redistribute it and/or
6	* modify it under the terms of the GNU Lesser General Public
7	* License as published by the Free Software Foundation; either
8	* version 2.1 of the License, or (at your option) any later version.
9	*
10	* This library is distributed in the hope that it will be useful,
11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13	* Lesser General Public License for more details.
14	*
15	* You should have received a copy of the GNU Lesser General Public
16	* License along with this library; if not, write to the Free Software
17	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
18	* 02110-1301 USA
19	*
20	*/
21
22	#include "qca_cert.h"
23
24	#include "qca_publickey.h"
25	#include "qcaprovider.h"
26
27	#include <QFile>
28	#include <QRegExp>
29	#include <QRegularExpression>
30	#include <QTextStream>
31	#include <QUrl>
32
33	#include <cstdlib>
34
35	namespace QCA {
36
37	Provider::Context *getContext(const QString &type, const QString &provider);
38	Provider::Context *getContext(const QString &type, Provider *p);
39
40	// from qca_publickey.cpp
41	bool stringToFile(const QString &fileName, const QString &content);
42	bool stringFromFile(const QString &fileName, QString *s);
43	bool arrayToFile(const QString &fileName, const QByteArray &content);
44	bool arrayFromFile(const QString &fileName, QByteArray *a);
45	bool ask_passphrase(const QString &fname, void *ptr, SecureArray *answer);
46	ProviderList allProviders();
47	Provider *providerForName(const QString &name);
48	bool use_asker_fallback(ConvertResult r);
49
50	// last 3 arguments must be valid, and chain must be empty
51	static bool get_pkcs12_der(const QByteArray &der,
52	const QString &fileName,
53	void *ptr,
54	const SecureArray &passphrase,
55	ConvertResult *result,
56	const QString &provider,
57	QString *name,
58	CertificateChain *chain,
59	PrivateKey *key)
60	{
61	QString _name;
62	QList<CertContext *> list;
63	PKeyContext *kc = nullptr;
64
65	PKCS12Context *pix = static_cast<PKCS12Context *>(getContext(QStringLiteral("pkcs12"), provider));
66	ConvertResult r = pix->fromPKCS12(in: der, passphrase, name: &_name, chain: &list, priv: &kc);
67
68	// error converting without passphrase? maybe a passphrase is needed
69	if (use_asker_fallback(r) && passphrase.isEmpty()) {
70	SecureArray pass;
71	if (ask_passphrase(fname: fileName, ptr, answer: &pass))
72	r = pix->fromPKCS12(in: der, passphrase: pass, name: &_name, chain: &list, priv: &kc);
73	}
74	delete pix;
75
76	if (result)
77	*result = r;
78
79	if (r == ConvertGood) {
80	*name = _name;
81	for (int n = 0; n < list.count(); ++n) {
82	Certificate cert;
83	cert.change(c: list[n]);
84	chain->append(t: cert);
85	}
86	key->change(c: kc);
87	return true;
88	}
89	return false;
90	}
91
92	static CertificateInfo orderedToMap(const CertificateInfoOrdered &info)
93	{
94	CertificateInfo out;
95
96	// first, do all but EmailLegacy
97	for (int n = 0; n < info.count(); ++n) {
98	const CertificateInfoPair &i = info[n];
99	if (i.type().known() != EmailLegacy)
100	out.insert(key: i.type(), value: i.value());
101	}
102
103	// lastly, apply EmailLegacy
104	for (int n = 0; n < info.count(); ++n) {
105	const CertificateInfoPair &i = info[n];
106	if (i.type().known() == EmailLegacy) {
107	// de-dup
108	const QList<QString> emails = out.values(key: Email);
109	if (!emails.contains(str: i.value()))
110	out.insert(key: Email, value: i.value());
111	}
112	}
113
114	return out;
115	}
116
117	static void moveMapValues(CertificateInfo *from, CertificateInfoOrdered *to, const CertificateInfoType &type)
118	{
119	const QList<QString> values = from->values(key: type);
120	from->remove(key: type);
121
122	// multimap values are stored in reverse. we'll insert backwards in
123	// order to right them.
124	for (int n = values.count() - 1; n >= 0; --n)
125	to->append(t: CertificateInfoPair(type, values[n]));
126	}
127
128	static CertificateInfoOrdered mapToOrdered(const CertificateInfo &info)
129	{
130	CertificateInfo in = info;
131	CertificateInfoOrdered out;
132
133	// have a specific order for some types
134	moveMapValues(from: &in, to: &out, type: CommonName);
135	moveMapValues(from: &in, to: &out, type: Country);
136	moveMapValues(from: &in, to: &out, type: Locality);
137	moveMapValues(from: &in, to: &out, type: State);
138	moveMapValues(from: &in, to: &out, type: Organization);
139	moveMapValues(from: &in, to: &out, type: OrganizationalUnit);
140	moveMapValues(from: &in, to: &out, type: Email);
141	moveMapValues(from: &in, to: &out, type: URI);
142	moveMapValues(from: &in, to: &out, type: DNS);
143	moveMapValues(from: &in, to: &out, type: IPAddress);
144	moveMapValues(from: &in, to: &out, type: XMPP);
145
146	// get remaining types
147	const QList<CertificateInfoType> typesLeft = in.keys();
148
149	// dedup
150	QList<CertificateInfoType> types;
151	for (int n = 0; n < typesLeft.count(); ++n) {
152	if (!types.contains(t: typesLeft[n]))
153	types += typesLeft[n];
154	}
155
156	// insert the rest of the types in the order we got them (map order)
157	for (int n = 0; n < types.count(); ++n)
158	moveMapValues(from: &in, to: &out, type: types[n]);
159
160	Q_ASSERT(in.isEmpty());
161
162	return out;
163	}
164
165	//----------------------------------------------------------------------------
166	// Global
167	//----------------------------------------------------------------------------
168	static const char CommonName_id[] = "2.5.4.3";
169	static const char Email_id[] = "GeneralName.rfc822Name";
170	static const char EmailLegacy_id[] = "1.2.840.113549.1.9.1";
171	static const char Organization_id[] = "2.5.4.10";
172	static const char OrganizationalUnit_id[] = "2.5.4.11";
173	static const char Locality_id[] = "2.5.4.7";
174	static const char IncorporationLocality_id[] = "1.3.6.1.4.1.311.60.2.1.1";
175	static const char State_id[] = "2.5.4.8";
176	static const char IncorporationState_id[] = "1.3.6.1.4.1.311.60.2.1.2";
177	static const char Country_id[] = "2.5.4.6";
178	static const char IncorporationCountry_id[] = "1.3.6.1.4.1.311.60.2.1.3";
179	static const char URI_id[] = "GeneralName.uniformResourceIdentifier";
180	static const char DNS_id[] = "GeneralName.dNSName";
181	static const char IPAddress_id[] = "GeneralName.iPAddress";
182	static const char XMPP_id[] = "1.3.6.1.5.5.7.8.5";
183
184	static const char DigitalSignature_id[] = "KeyUsage.digitalSignature";
185	static const char NonRepudiation_id[] = "KeyUsage.nonRepudiation";
186	static const char KeyEncipherment_id[] = "KeyUsage.keyEncipherment";
187	static const char DataEncipherment_id[] = "KeyUsage.dataEncipherment";
188	static const char KeyAgreement_id[] = "KeyUsage.keyAgreement";
189	static const char KeyCertificateSign_id[] = "KeyUsage.keyCertSign";
190	static const char CRLSign_id[] = "KeyUsage.crlSign";
191	static const char EncipherOnly_id[] = "KeyUsage.encipherOnly";
192	static const char DecipherOnly_id[] = "KeyUsage.decipherOnly";
193	static const char ServerAuth_id[] = "1.3.6.1.5.5.7.3.1";
194	static const char ClientAuth_id[] = "1.3.6.1.5.5.7.3.2";
195	static const char CodeSigning_id[] = "1.3.6.1.5.5.7.3.3";
196	static const char EmailProtection_id[] = "1.3.6.1.5.5.7.3.4";
197	static const char IPSecEndSystem_id[] = "1.3.6.1.5.5.7.3.5";
198	static const char IPSecTunnel_id[] = "1.3.6.1.5.5.7.3.6";
199	static const char IPSecUser_id[] = "1.3.6.1.5.5.7.3.7";
200	static const char TimeStamping_id[] = "1.3.6.1.5.5.7.3.8";
201	static const char OCSPSigning_id[] = "1.3.6.1.5.5.7.3.9";
202
203	static QString knownToId(CertificateInfoTypeKnown k)
204	{
205	const char *out = nullptr;
206	switch (k) {
207	case CommonName:
208	out = CommonName_id;
209	break;
210	case Email:
211	out = Email_id;
212	break;
213	case EmailLegacy:
214	out = EmailLegacy_id;
215	break;
216	case Organization:
217	out = Organization_id;
218	break;
219	case OrganizationalUnit:
220	out = OrganizationalUnit_id;
221	break;
222	case Locality:
223	out = Locality_id;
224	break;
225	case IncorporationLocality:
226	out = IncorporationLocality_id;
227	break;
228	case State:
229	out = State_id;
230	break;
231	case IncorporationState:
232	out = IncorporationState_id;
233	break;
234	case Country:
235	out = Country_id;
236	break;
237	case IncorporationCountry:
238	out = IncorporationCountry_id;
239	break;
240	case URI:
241	out = URI_id;
242	break;
243	case DNS:
244	out = DNS_id;
245	break;
246	case IPAddress:
247	out = IPAddress_id;
248	break;
249	case XMPP:
250	out = XMPP_id;
251	break;
252	}
253	Q_ASSERT(out);
254	if (!out)
255	abort();
256	return QString::fromLatin1(ba: out);
257	}
258
259	static int idToKnown(const QString &id)
260	{
261	if (id == QLatin1String(CommonName_id))
262	return CommonName;
263	else if (id == QLatin1String(Email_id))
264	return Email;
265	else if (id == QLatin1String(EmailLegacy_id))
266	return EmailLegacy;
267	else if (id == QLatin1String(Organization_id))
268	return Organization;
269	else if (id == QLatin1String(OrganizationalUnit_id))
270	return OrganizationalUnit;
271	else if (id == QLatin1String(Locality_id))
272	return Locality;
273	else if (id == QLatin1String(IncorporationLocality_id))
274	return IncorporationLocality;
275	else if (id == QLatin1String(State_id))
276	return State;
277	else if (id == QLatin1String(IncorporationState_id))
278	return IncorporationState;
279	else if (id == QLatin1String(Country_id))
280	return Country;
281	else if (id == QLatin1String(IncorporationCountry_id))
282	return IncorporationCountry;
283	else if (id == QLatin1String(URI_id))
284	return URI;
285	else if (id == QLatin1String(DNS_id))
286	return DNS;
287	else if (id == QLatin1String(IPAddress_id))
288	return IPAddress;
289	else if (id == QLatin1String(XMPP_id))
290	return XMPP;
291	else
292	return -1;
293	}
294
295	static CertificateInfoType::Section knownToSection(CertificateInfoTypeKnown k)
296	{
297	switch (k) {
298	case CommonName:
299	case EmailLegacy:
300	case Organization:
301	case OrganizationalUnit:
302	case Locality:
303	case IncorporationLocality:
304	case State:
305	case IncorporationState:
306	case Country:
307	case IncorporationCountry:
308	return CertificateInfoType::DN;
309	default:
310	break;
311	}
312	return CertificateInfoType::AlternativeName;
313	}
314
315	static const char *knownToShortName(CertificateInfoTypeKnown k)
316	{
317	switch (k) {
318	case CommonName:
319	return "CN";
320	case Locality:
321	return "L";
322	case State:
323	return "ST";
324	case Organization:
325	return "O";
326	case OrganizationalUnit:
327	return "OU";
328	case Country:
329	return "C";
330	case EmailLegacy:
331	return "emailAddress";
332	default:
333	break;
334	}
335	return nullptr;
336	}
337
338	static QString constraintKnownToId(ConstraintTypeKnown k)
339	{
340	const char *out = nullptr;
341	switch (k) {
342	case DigitalSignature:
343	out = DigitalSignature_id;
344	break;
345	case NonRepudiation:
346	out = NonRepudiation_id;
347	break;
348	case KeyEncipherment:
349	out = KeyEncipherment_id;
350	break;
351	case DataEncipherment:
352	out = DataEncipherment_id;
353	break;
354	case KeyAgreement:
355	out = KeyAgreement_id;
356	break;
357	case KeyCertificateSign:
358	out = KeyCertificateSign_id;
359	break;
360	case CRLSign:
361	out = CRLSign_id;
362	break;
363	case EncipherOnly:
364	out = EncipherOnly_id;
365	break;
366	case DecipherOnly:
367	out = DecipherOnly_id;
368	break;
369	case ServerAuth:
370	out = ServerAuth_id;
371	break;
372	case ClientAuth:
373	out = ClientAuth_id;
374	break;
375	case CodeSigning:
376	out = CodeSigning_id;
377	break;
378	case EmailProtection:
379	out = EmailProtection_id;
380	break;
381	case IPSecEndSystem:
382	out = IPSecEndSystem_id;
383	break;
384	case IPSecTunnel:
385	out = IPSecTunnel_id;
386	break;
387	case IPSecUser:
388	out = IPSecUser_id;
389	break;
390	case TimeStamping:
391	out = TimeStamping_id;
392	break;
393	case OCSPSigning:
394	out = OCSPSigning_id;
395	break;
396	}
397	Q_ASSERT(out);
398	if (!out)
399	abort();
400	return QString::fromLatin1(ba: out);
401	}
402
403	static int constraintIdToKnown(const QString &id)
404	{
405	if (id == QLatin1String(DigitalSignature_id))
406	return DigitalSignature;
407	else if (id == QLatin1String(NonRepudiation_id))
408	return NonRepudiation;
409	else if (id == QLatin1String(KeyEncipherment_id))
410	return KeyEncipherment;
411	else if (id == QLatin1String(DataEncipherment_id))
412	return DataEncipherment;
413	else if (id == QLatin1String(KeyAgreement_id))
414	return KeyAgreement;
415	else if (id == QLatin1String(KeyCertificateSign_id))
416	return KeyCertificateSign;
417	else if (id == QLatin1String(CRLSign_id))
418	return CRLSign;
419	else if (id == QLatin1String(EncipherOnly_id))
420	return EncipherOnly;
421	else if (id == QLatin1String(DecipherOnly_id))
422	return DecipherOnly;
423	else if (id == QLatin1String(ServerAuth_id))
424	return ServerAuth;
425	else if (id == QLatin1String(ClientAuth_id))
426	return ClientAuth;
427	else if (id == QLatin1String(CodeSigning_id))
428	return CodeSigning;
429	else if (id == QLatin1String(EmailProtection_id))
430	return EmailProtection;
431	else if (id == QLatin1String(IPSecEndSystem_id))
432	return IPSecEndSystem;
433	else if (id == QLatin1String(IPSecTunnel_id))
434	return IPSecTunnel;
435	else if (id == QLatin1String(IPSecUser_id))
436	return IPSecUser;
437	else if (id == QLatin1String(TimeStamping_id))
438	return TimeStamping;
439	else if (id == QLatin1String(OCSPSigning_id))
440	return OCSPSigning;
441	else
442	return -1;
443	}
444
445	static ConstraintType::Section constraintKnownToSection(ConstraintTypeKnown k)
446	{
447	switch (k) {
448	case DigitalSignature:
449	case NonRepudiation:
450	case KeyEncipherment:
451	case DataEncipherment:
452	case KeyAgreement:
453	case KeyCertificateSign:
454	case CRLSign:
455	case EncipherOnly:
456	case DecipherOnly:
457	return ConstraintType::KeyUsage;
458	default:
459	break;
460	}
461	return ConstraintType::ExtendedKeyUsage;
462	}
463
464	static QString dnLabel(const CertificateInfoType &type)
465	{
466	const char *str = knownToShortName(k: type.known());
467	if (str)
468	return QString::fromLatin1(ba: str);
469
470	const QString id = type.id();
471	// is it an oid?
472	if (id[0].isDigit())
473	return QStringLiteral("OID.") + id;
474
475	return QStringLiteral("qca.") + id;
476	}
477
478	QString orderedToDNString(const CertificateInfoOrdered &in)
479	{
480	QStringList parts;
481	foreach (const CertificateInfoPair &i, in) {
482	if (i.type().section() != CertificateInfoType::DN)
483	continue;
484
485	const QString name = dnLabel(type: i.type());
486	parts += name + QLatin1Char('=') + i.value();
487	}
488	return parts.join(QStringLiteral(", "));
489	}
490
491	CertificateInfoOrdered orderedDNOnly(const CertificateInfoOrdered &in)
492	{
493	CertificateInfoOrdered out;
494	for (int n = 0; n < in.count(); ++n) {
495	if (in[n].type().section() == CertificateInfoType::DN)
496	out += in[n];
497	}
498	return out;
499	}
500
501	static QString baseCertName(const CertificateInfo &info)
502	{
503	QString str = info.value(key: CommonName);
504	if (str.isEmpty()) {
505	str = info.value(key: Organization);
506	if (str.isEmpty())
507	str = QStringLiteral("Unnamed");
508	}
509	return str;
510	}
511
512	static QList<int> findSameName(const QString &name, const QStringList &list)
513	{
514	QList<int> out;
515	for (int n = 0; n < list.count(); ++n) {
516	if (list[n] == name)
517	out += n;
518	}
519	return out;
520	}
521
522	static QString
523	uniqueSubjectValue(const CertificateInfoType &type, const QList<int> &items, const QList<Certificate> &certs, int i)
524	{
525	QStringList vals = certs[items[i]].subjectInfo().values(key: type);
526	if (!vals.isEmpty()) {
527	foreach (int n, items) {
528	if (n == items[i])
529	continue;
530
531	const QStringList other_vals = certs[n].subjectInfo().values(key: type);
532	for (int k = 0; k < vals.count(); ++k) {
533	if (other_vals.contains(str: vals[k])) {
534	vals.removeAt(i: k);
535	break;
536	}
537	}
538
539	if (vals.isEmpty())
540	break;
541	}
542
543	if (!vals.isEmpty())
544	return vals[0];
545	}
546
547	return QString();
548	}
549
550	static QString uniqueIssuerName(const QList<int> &items, const QList<Certificate> &certs, int i)
551	{
552	const QString val = baseCertName(info: certs[items[i]].issuerInfo());
553
554	bool found = false;
555	foreach (int n, items) {
556	if (n == items[i])
557	continue;
558
559	const QString other_val = baseCertName(info: certs[n].issuerInfo());
560	if (other_val == val) {
561	found = true;
562	break;
563	}
564	}
565
566	if (!found)
567	return val;
568
569	return QString();
570	}
571
572	static const char *constraintToString(const ConstraintType &type)
573	{
574	switch (type.known()) {
575	case DigitalSignature:
576	return "DigitalSignature";
577	case NonRepudiation:
578	return "NonRepudiation";
579	case KeyEncipherment:
580	return "KeyEncipherment";
581	case DataEncipherment:
582	return "DataEncipherment";
583	case KeyAgreement:
584	return "KeyAgreement";
585	case KeyCertificateSign:
586	return "KeyCertificateSign";
587	case CRLSign:
588	return "CRLSign";
589	case EncipherOnly:
590	return "EncipherOnly";
591	case DecipherOnly:
592	return "DecipherOnly";
593	case ServerAuth:
594	return "ServerAuth";
595	case ClientAuth:
596	return "ClientAuth";
597	case CodeSigning:
598	return "CodeSigning";
599	case EmailProtection:
600	return "EmailProtection";
601	case IPSecEndSystem:
602	return "IPSecEndSystem";
603	case IPSecTunnel:
604	return "IPSecTunnel";
605	case IPSecUser:
606	return "IPSecUser";
607	case TimeStamping:
608	return "TimeStamping";
609	case OCSPSigning:
610	return "OCSPSigning";
611	}
612	return nullptr;
613	}
614
615	static QString
616	uniqueConstraintValue(const ConstraintType &type, const QList<int> &items, const QList<Certificate> &certs, int i)
617	{
618	if (certs[items[i]].constraints().contains(t: type)) {
619	bool found = false;
620	foreach (int n, items) {
621	if (n == items[i])
622	continue;
623
624	Constraints other_vals = certs[n].constraints();
625	if (other_vals.contains(t: type)) {
626	found = true;
627	break;
628	}
629	}
630
631	if (!found)
632	return QString::fromLatin1(ba: constraintToString(type));
633	}
634
635	return QString();
636	}
637
638	static QString makeUniqueName(const QList<int> &items, const QStringList &list, const QList<Certificate> &certs, int i)
639	{
640	QString str, name;
641
642	// different organization?
643	str = uniqueSubjectValue(type: Organization, items, certs, i);
644	if (!str.isEmpty()) {
645	name = list[items[i]] + QStringLiteral(" of ") + str;
646	goto end;
647	}
648
649	// different organizational unit?
650	str = uniqueSubjectValue(type: OrganizationalUnit, items, certs, i);
651	if (!str.isEmpty()) {
652	name = list[items[i]] + QStringLiteral(" of ") + str;
653	goto end;
654	}
655
656	// different email address?
657	str = uniqueSubjectValue(type: Email, items, certs, i);
658	if (!str.isEmpty()) {
659	name = list[items[i]] + QStringLiteral(" <") + str + QLatin1Char('>');
660	goto end;
661	}
662
663	// different xmpp addresses?
664	str = uniqueSubjectValue(type: XMPP, items, certs, i);
665	if (!str.isEmpty()) {
666	name = list[items[i]] + QStringLiteral(" <xmpp:") + str + QLatin1Char('>');
667	goto end;
668	}
669
670	// different issuers?
671	str = uniqueIssuerName(items, certs, i);
672	if (!str.isEmpty()) {
673	name = list[items[i]] + QStringLiteral(" by ") + str;
674	goto end;
675	}
676
677	// different usages?
678
679	// DigitalSignature
680	str = uniqueConstraintValue(type: DigitalSignature, items, certs, i);
681	if (!str.isEmpty()) {
682	name = list[items[i]] + QStringLiteral(" for ") + str;
683	goto end;
684	}
685
686	// ClientAuth
687	str = uniqueConstraintValue(type: ClientAuth, items, certs, i);
688	if (!str.isEmpty()) {
689	name = list[items[i]] + QStringLiteral(" for ") + str;
690	goto end;
691	}
692
693	// EmailProtection
694	str = uniqueConstraintValue(type: EmailProtection, items, certs, i);
695	if (!str.isEmpty()) {
696	name = list[items[i]] + QStringLiteral(" for ") + str;
697	goto end;
698	}
699
700	// DataEncipherment
701	str = uniqueConstraintValue(type: DataEncipherment, items, certs, i);
702	if (!str.isEmpty()) {
703	name = list[items[i]] + QStringLiteral(" for ") + str;
704	goto end;
705	}
706
707	// EncipherOnly
708	str = uniqueConstraintValue(type: EncipherOnly, items, certs, i);
709	if (!str.isEmpty()) {
710	name = list[items[i]] + QStringLiteral(" for ") + str;
711	goto end;
712	}
713
714	// DecipherOnly
715	str = uniqueConstraintValue(type: DecipherOnly, items, certs, i);
716	if (!str.isEmpty()) {
717	name = list[items[i]] + QStringLiteral(" for ") + str;
718	goto end;
719	}
720
721	// if there's nothing easily unique, then do a DN string
722	name = certs[items[i]].subjectInfoOrdered().toString();
723
724	end:
725	return name;
726	}
727
728	QStringList makeFriendlyNames(const QList<Certificate> &list)
729	{
730	QStringList names;
731
732	// give a base name to all certs first
733	foreach (const Certificate &cert, list)
734	names += baseCertName(info: cert.subjectInfo());
735
736	// come up with a collision list
737	QList<QList<int>> itemCollisions;
738	foreach (const QString &name, names) {
739	// anyone else using this name?
740	const QList<int> items = findSameName(name, list: names);
741	if (items.count() > 1) {
742	// don't save duplicate collisions
743	bool haveAlready = false;
744	foreach (const QList<int> &other, itemCollisions) {
745	foreach (int n, items) {
746	if (other.contains(t: n)) {
747	haveAlready = true;
748	break;
749	}
750	}
751
752	if (haveAlready)
753	break;
754	}
755
756	if (haveAlready)
757	continue;
758
759	itemCollisions += items;
760	}
761	}
762
763	// resolve collisions by providing extra details
764	foreach (const QList<int> &items, itemCollisions) {
765	// printf("%d items are using [%s]\n", items.count(), qPrintable(names[items[0]]));
766
767	for (int n = 0; n < items.count(); ++n) {
768	names[items[n]] = makeUniqueName(items, list: names, certs: list, i: n);
769	// printf(" %d: reassigning: [%s]\n", items[n], qPrintable(names[items[n]]));
770	}
771	}
772
773	return names;
774	}
775
776	//----------------------------------------------------------------------------
777	// CertificateInfoType
778	//----------------------------------------------------------------------------
779	class CertificateInfoType::Private : public QSharedData
780	{
781	public:
782	CertificateInfoType::Section section;
783	int known;
784	QString id;
785
786	Private()
787	: section(CertificateInfoType::DN)
788	, known(-1)
789	{
790	}
791	};
792
793	CertificateInfoType::CertificateInfoType()
794	: d(new Private)
795	{
796	}
797
798	CertificateInfoType::CertificateInfoType(CertificateInfoTypeKnown known)
799	: d(new Private)
800	{
801	d->section = knownToSection(k: known);
802	d->known = known;
803	d->id = knownToId(k: known); // always valid
804	}
805
806	CertificateInfoType::CertificateInfoType(const QString &id, Section section)
807	: d(new Private)
808	{
809	d->section = section;
810	d->known = idToKnown(id); // can be -1 for unknown
811	d->id = id;
812	}
813
814	CertificateInfoType::CertificateInfoType(const CertificateInfoType &from)
815	: d(from.d)
816	{
817	}
818
819	CertificateInfoType::~CertificateInfoType()
820	{
821	}
822
823	CertificateInfoType &CertificateInfoType::operator=(const CertificateInfoType &from)
824	{
825	d = from.d;
826	return *this;
827	}
828
829	CertificateInfoType::Section CertificateInfoType::section() const
830	{
831	return d->section;
832	}
833
834	CertificateInfoTypeKnown CertificateInfoType::known() const
835	{
836	return (CertificateInfoTypeKnown)d->known;
837	}
838
839	QString CertificateInfoType::id() const
840	{
841	return d->id;
842	}
843
844	bool CertificateInfoType::operator<(const CertificateInfoType &other) const
845	{
846	// sort by knowns (in enum order), then by ids (in string order)
847	if (d->known != -1) {
848	if (other.d->known == -1)
849	return true;
850	else if (d->known < other.d->known)
851	return true;
852	else
853	return false;
854	} else {
855	if (other.d->known != -1)
856	return false;
857	else if (d->id < other.d->id)
858	return true;
859	else
860	return false;
861	}
862	}
863
864	bool CertificateInfoType::operator==(const CertificateInfoType &other) const
865	{
866	// are both known types?
867	if (d->known != -1 && other.d->known != -1) {
868	// if so, compare the ints
869	if (d->known != other.d->known)
870	return false;
871	} else {
872	// otherwise, compare the string ids
873	if (d->id != other.d->id)
874	return false;
875	}
876
877	if (d->section != other.d->section)
878	return false;
879
880	return true;
881	}
882
883	//----------------------------------------------------------------------------
884	// CertificateInfoPair
885	//----------------------------------------------------------------------------
886	class CertificateInfoPair::Private : public QSharedData
887	{
888	public:
889	CertificateInfoType type;
890	QString value;
891	};
892
893	CertificateInfoPair::CertificateInfoPair()
894	: d(new Private)
895	{
896	}
897
898	CertificateInfoPair::CertificateInfoPair(const CertificateInfoType &type, const QString &value)
899	: d(new Private)
900	{
901	d->type = type;
902	d->value = value;
903	}
904
905	CertificateInfoPair::CertificateInfoPair(const CertificateInfoPair &from)
906	: d(from.d)
907	{
908	}
909
910	CertificateInfoPair::~CertificateInfoPair()
911	{
912	}
913
914	CertificateInfoPair &CertificateInfoPair::operator=(const CertificateInfoPair &from)
915	{
916	d = from.d;
917	return *this;
918	}
919
920	CertificateInfoType CertificateInfoPair::type() const
921	{
922	return d->type;
923	}
924
925	QString CertificateInfoPair::value() const
926	{
927	return d->value;
928	}
929
930	bool CertificateInfoPair::operator==(const CertificateInfoPair &other) const
931	{
932	if (d->type == other.d->type && d->value == other.d->value)
933	return true;
934	return false;
935	}
936
937	//----------------------------------------------------------------------------
938	// ConstraintType
939	//----------------------------------------------------------------------------
940	class ConstraintType::Private : public QSharedData
941	{
942	public:
943	ConstraintType::Section section;
944	int known;
945	QString id;
946
947	Private()
948	: section(ConstraintType::KeyUsage)
949	, known(-1)
950	{
951	}
952	};
953
954	ConstraintType::ConstraintType()
955	: d(new Private)
956	{
957	}
958
959	ConstraintType::ConstraintType(ConstraintTypeKnown known)
960	: d(new Private)
961	{
962	d->section = constraintKnownToSection(k: known);
963	d->known = known;
964	d->id = constraintKnownToId(k: known); // always valid
965	}
966
967	ConstraintType::ConstraintType(const QString &id, Section section)
968	: d(new Private)
969	{
970	d->section = section;
971	d->known = constraintIdToKnown(id); // can be -1 for unknown
972	d->id = id;
973	}
974
975	ConstraintType::ConstraintType(const ConstraintType &from)
976	: d(from.d)
977	{
978	}
979
980	ConstraintType::~ConstraintType()
981	{
982	}
983
984	ConstraintType &ConstraintType::operator=(const ConstraintType &from)
985	{
986	d = from.d;
987	return *this;
988	}
989
990	ConstraintType::Section ConstraintType::section() const
991	{
992	return d->section;
993	}
994
995	ConstraintTypeKnown ConstraintType::known() const
996	{
997	return (ConstraintTypeKnown)d->known;
998	}
999
1000	QString ConstraintType::id() const
1001	{
1002	return d->id;
1003	}
1004
1005	bool ConstraintType::operator<(const ConstraintType &other) const
1006	{
1007	// sort by knowns (in enum order), then by ids (in string order)
1008	if (d->known != -1) {
1009	if (other.d->known == -1)
1010	return true;
1011	else if (d->known < other.d->known)
1012	return true;
1013	else
1014	return false;
1015	} else {
1016	if (other.d->known != -1)
1017	return false;
1018	else if (d->id < other.d->id)
1019	return true;
1020	else
1021	return false;
1022	}
1023	}
1024
1025	bool ConstraintType::operator==(const ConstraintType &other) const
1026	{
1027	// are both known types?
1028	if (d->known != -1 && other.d->known != -1) {
1029	// if so, compare the ints
1030	if (d->known != other.d->known)
1031	return false;
1032	} else {
1033	// otherwise, compare the string ids
1034	if (d->id != other.d->id)
1035	return false;
1036	}
1037
1038	if (d->section != other.d->section)
1039	return false;
1040
1041	return true;
1042	}
1043
1044	//----------------------------------------------------------------------------
1045	// CertificateOptions
1046	//----------------------------------------------------------------------------
1047	class CertificateOptions::Private
1048	{
1049	public:
1050	CertificateRequestFormat format;
1051
1052	QString challenge;
1053	CertificateInfoOrdered info;
1054	CertificateInfo infoMap;
1055	Constraints constraints;
1056	QStringList policies;
1057	QStringList crlLocations, issuerLocations, ocspLocations;
1058	bool isCA;
1059	int pathLimit;
1060	BigInteger serial;
1061	QDateTime start, end;
1062
1063	Private()
1064	: isCA(false)
1065	, pathLimit(0)
1066	{
1067	}
1068	};
1069
1070	CertificateOptions::CertificateOptions(CertificateRequestFormat f)
1071	{
1072	d = new Private;
1073	d->format = f;
1074	}
1075
1076	CertificateOptions::CertificateOptions(const CertificateOptions &from)
1077	{
1078	d = new Private(*from.d);
1079	}
1080
1081	CertificateOptions::~CertificateOptions()
1082	{
1083	delete d;
1084	}
1085
1086	CertificateOptions &CertificateOptions::operator=(const CertificateOptions &from)
1087	{
1088	*d = *from.d;
1089	return *this;
1090	}
1091
1092	CertificateRequestFormat CertificateOptions::format() const
1093	{
1094	return d->format;
1095	}
1096
1097	void CertificateOptions::setFormat(CertificateRequestFormat f)
1098	{
1099	d->format = f;
1100	}
1101
1102	bool CertificateOptions::isValid() const
1103	{
1104	// logic from Botan
1105	if (d->infoMap.value(key: CommonName).isEmpty() || d->infoMap.value(key: Country).isEmpty())
1106	return false;
1107	if (d->infoMap.value(key: Country).length() != 2)
1108	return false;
1109	if (d->start >= d->end)
1110	return false;
1111	return true;
1112	}
1113
1114	QString CertificateOptions::challenge() const
1115	{
1116	return d->challenge;
1117	}
1118
1119	CertificateInfo CertificateOptions::info() const
1120	{
1121	return d->infoMap;
1122	}
1123
1124	CertificateInfoOrdered CertificateOptions::infoOrdered() const
1125	{
1126	return d->info;
1127	}
1128
1129	Constraints CertificateOptions::constraints() const
1130	{
1131	return d->constraints;
1132	}
1133
1134	QStringList CertificateOptions::policies() const
1135	{
1136	return d->policies;
1137	}
1138
1139	QStringList CertificateOptions::crlLocations() const
1140	{
1141	return d->crlLocations;
1142	}
1143
1144	QStringList CertificateOptions::issuerLocations() const
1145	{
1146	return d->issuerLocations;
1147	}
1148
1149	QStringList CertificateOptions::ocspLocations() const
1150	{
1151	return d->ocspLocations;
1152	}
1153
1154	bool CertificateOptions::isCA() const
1155	{
1156	return d->isCA;
1157	}
1158
1159	int CertificateOptions::pathLimit() const
1160	{
1161	return d->pathLimit;
1162	}
1163
1164	BigInteger CertificateOptions::serialNumber() const
1165	{
1166	return d->serial;
1167	}
1168
1169	QDateTime CertificateOptions::notValidBefore() const
1170	{
1171	return d->start;
1172	}
1173
1174	QDateTime CertificateOptions::notValidAfter() const
1175	{
1176	return d->end;
1177	}
1178
1179	void CertificateOptions::setChallenge(const QString &s)
1180	{
1181	d->challenge = s;
1182	}
1183
1184	void CertificateOptions::setInfo(const CertificateInfo &info)
1185	{
1186	d->info = mapToOrdered(info);
1187	d->infoMap = info;
1188	}
1189
1190	void CertificateOptions::setInfoOrdered(const CertificateInfoOrdered &info)
1191	{
1192	d->info = info;
1193	d->infoMap = orderedToMap(info);
1194	}
1195
1196	void CertificateOptions::setConstraints(const Constraints &constraints)
1197	{
1198	d->constraints = constraints;
1199	}
1200
1201	void CertificateOptions::setPolicies(const QStringList &policies)
1202	{
1203	d->policies = policies;
1204	}
1205
1206	void CertificateOptions::setCRLLocations(const QStringList &locations)
1207	{
1208	d->crlLocations = locations;
1209	}
1210
1211	void CertificateOptions::setIssuerLocations(const QStringList &locations)
1212	{
1213	d->issuerLocations = locations;
1214	}
1215
1216	void CertificateOptions::setOCSPLocations(const QStringList &locations)
1217	{
1218	d->ocspLocations = locations;
1219	}
1220
1221	void CertificateOptions::setAsCA(int pathLimit)
1222	{
1223	d->isCA = true;
1224	d->pathLimit = pathLimit;
1225	}
1226
1227	void CertificateOptions::setAsUser()
1228	{
1229	d->isCA = false;
1230	d->pathLimit = 0;
1231	}
1232
1233	void CertificateOptions::setSerialNumber(const BigInteger &i)
1234	{
1235	d->serial = i;
1236	}
1237
1238	void CertificateOptions::setValidityPeriod(const QDateTime &start, const QDateTime &end)
1239	{
1240	d->start = start;
1241	d->end = end;
1242	}
1243
1244	//----------------------------------------------------------------------------
1245	// Certificate
1246	//----------------------------------------------------------------------------
1247	// ip address string to binary (msb), adapted from jdns (adapted from qt)
1248	// return: size 4 = ipv4, size 16 = ipv6, size 0 = error
1249	static QByteArray ipaddr_str2bin(const QString &str)
1250	{
1251	// ipv6
1252	if (str.contains(c: QLatin1Char(':'))) {
1253	const QStringList parts = str.split(sep: QLatin1Char(':'), behavior: Qt::KeepEmptyParts);
1254	if (parts.count() < 3 || parts.count() > 8)
1255	return QByteArray();
1256
1257	QByteArray ipv6(16, 0);
1258	int at = 16;
1259	int fill = 9 - parts.count();
1260	for (int n = parts.count() - 1; n >= 0; --n) {
1261	if (at <= 0)
1262	return QByteArray();
1263
1264	if (parts[n].isEmpty()) {
1265	if (n == parts.count() - 1) {
1266	if (!parts[n - 1].isEmpty())
1267	return QByteArray();
1268	ipv6[--at] = 0;
1269	ipv6[--at] = 0;
1270	} else if (n == 0) {
1271	if (!parts[n + 1].isEmpty())
1272	return QByteArray();
1273	ipv6[--at] = 0;
1274	ipv6[--at] = 0;
1275	} else {
1276	for (int i = 0; i < fill; ++i) {
1277	if (at <= 0)
1278	return QByteArray();
1279	ipv6[--at] = 0;
1280	ipv6[--at] = 0;
1281	}
1282	}
1283	} else {
1284	if (parts[n].indexOf(ch: QLatin1Char('.')) == -1) {
1285	bool ok;
1286	int x = parts[n].toInt(ok: &ok, base: 16);
1287	if (!ok || x < 0 || x > 0xffff)
1288	return QByteArray();
1289	ipv6[--at] = x & 0xff;
1290	ipv6[--at] = (x >> 8) & 0xff;
1291	} else {
1292	if (n != parts.count() - 1)
1293	return QByteArray();
1294
1295	const QByteArray buf = ipaddr_str2bin(str: parts[n]);
1296	if (buf.isEmpty())
1297	return QByteArray();
1298
1299	ipv6[--at] = buf[3];
1300	ipv6[--at] = buf[2];
1301	ipv6[--at] = buf[1];
1302	ipv6[--at] = buf[0];
1303	--fill;
1304	}
1305	}
1306	}
1307
1308	return ipv6;
1309	} else if (str.contains(c: QLatin1Char('.'))) {
1310	const QStringList parts = str.split(sep: QLatin1Char('.'), behavior: Qt::KeepEmptyParts);
1311	if (parts.count() != 4)
1312	return QByteArray();
1313
1314	QByteArray out(4, 0);
1315	for (int n = 0; n < 4; ++n) {
1316	bool ok;
1317	int x = parts[n].toInt(ok: &ok);
1318	if (!ok || x < 0 || x > 0xff)
1319	return QByteArray();
1320	out[n] = (unsigned char)x;
1321	}
1322	return out;
1323	} else
1324	return QByteArray();
1325	}
1326
1327	// acedomain must be all lowercase, with no trailing dot or wildcards
1328	static bool cert_match_domain(const QString &certname, const QString &acedomain)
1329	{
1330	// KSSL strips start/end whitespace, even though such whitespace is
1331	// probably not legal anyway. (compat)
1332	QString name = certname.trimmed();
1333
1334	// KSSL strips trailing dot, even though the dot is probably not
1335	// legal anyway. (compat)
1336	if (name.length() > 0 && name[name.length() - 1] == QLatin1Char('.'))
1337	name.truncate(pos: name.length() - 1);
1338
1339	// after our compatibility modifications, make sure the name isn't
1340	// empty.
1341	if (name.isEmpty())
1342	return false;
1343
1344	// lowercase, for later performing case insensitive matching
1345	name = name.toLower();
1346
1347	// ensure the cert field contains valid characters only
1348	if (QRegularExpression(QStringLiteral("[^a-z0-9\\.\\*\\-]")).match(subject: name).hasMatch())
1349	return false;
1350
1351	// hack into parts, and require at least 1 part
1352	const QStringList parts_name = name.split(sep: QLatin1Char('.'), behavior: Qt::KeepEmptyParts);
1353	if (parts_name.isEmpty())
1354	return false;
1355
1356	// KSSL checks to make sure the last two parts don't contain
1357	// wildcards. I don't know where it is written that this
1358	// should be done, but for compat sake we'll do it.
1359	if (parts_name[parts_name.count() - 1].contains(c: QLatin1Char('*')))
1360	return false;
1361	if (parts_name.count() >= 2 && parts_name[parts_name.count() - 2].contains(c: QLatin1Char('*')))
1362	return false;
1363
1364	const QStringList parts_compare = acedomain.split(sep: QLatin1Char('.'), behavior: Qt::KeepEmptyParts);
1365	if (parts_compare.isEmpty())
1366	return false;
1367
1368	// don't allow empty parts
1369	foreach (const QString &s, parts_name) {
1370	if (s.isEmpty())
1371	return false;
1372	}
1373	foreach (const QString &s, parts_compare) {
1374	if (s.isEmpty())
1375	return false;
1376	}
1377
1378	// RFC2818: "Names may contain the wildcard character * which is
1379	// considered to match any single domain name component or
1380	// component fragment. E.g., *.a.com matches foo.a.com but not
1381	// bar.foo.a.com. f*.com matches foo.com but not bar.com."
1382	//
1383	// This means that for the domain to match it must have the
1384	// same number of components, wildcards or not. If there are
1385	// wildcards, their scope must only be within the component
1386	// they reside in.
1387	//
1388	// First, make sure the number of parts is equal.
1389	if (parts_name.count() != parts_compare.count())
1390	return false;
1391
1392	// Now compare each part
1393	for (int n = 0; n < parts_name.count(); ++n) {
1394	const QString &p1 = parts_name[n];
1395	const QString &p2 = parts_compare[n];
1396
1397	if (!QRegExp(p1, Qt::CaseSensitive, QRegExp::Wildcard).exactMatch(str: p2))
1398	return false;
1399	}
1400
1401	return true;
1402	}
1403
1404	// ipaddress must be an ipv4 or ipv6 address in binary format
1405	static bool cert_match_ipaddress(const QString &certname, const QByteArray &ipaddress)
1406	{
1407	// KSSL strips start/end whitespace, even though such whitespace is
1408	// probably not legal anyway. (compat)
1409	QString name = certname.trimmed();
1410
1411	// KSSL accepts IPv6 in brackets, which is usually done for URIs, but
1412	// IMO sounds very strange for a certificate. We'll follow this
1413	// behavior anyway. (compat)
1414	if (name.length() >= 2 && name[0] == QLatin1Char('[') && name[name.length() - 1] == QLatin1Char(']'))
1415	name = name.mid(position: 1, n: name.length() - 2); // chop off brackets
1416
1417	// after our compatibility modifications, make sure the name isn't
1418	// empty.
1419	if (name.isEmpty())
1420	return false;
1421
1422	// convert to binary form
1423	const QByteArray addr = ipaddr_str2bin(str: name);
1424	if (addr.isEmpty())
1425	return false;
1426
1427	// not the same?
1428	if (addr != ipaddress)
1429	return false;
1430
1431	return true;
1432	}
1433
1434	class Certificate::Private : public QSharedData
1435	{
1436	public:
1437	CertificateInfo subjectInfoMap, issuerInfoMap;
1438
1439	void update(CertContext *c)
1440	{
1441	if (c) {
1442	subjectInfoMap = orderedToMap(info: c->props()->subject);
1443	issuerInfoMap = orderedToMap(info: c->props()->issuer);
1444	} else {
1445	subjectInfoMap = CertificateInfo();
1446	issuerInfoMap = CertificateInfo();
1447	}
1448	}
1449	};
1450
1451	Certificate::Certificate()
1452	: d(new Private)
1453	{
1454	}
1455
1456	Certificate::Certificate(const QString &fileName)
1457	: d(new Private)
1458	{
1459	*this = fromPEMFile(fileName, result: nullptr, provider: QString());
1460	}
1461
1462	Certificate::Certificate(const CertificateOptions &opts, const PrivateKey &key, const QString &provider)
1463	: d(new Private)
1464	{
1465	CertContext *c = static_cast<CertContext *>(getContext(QStringLiteral("cert"), provider));
1466	if (c->createSelfSigned(opts, priv: *(static_cast<const PKeyContext *>(key.context()))))
1467	change(c);
1468	else
1469	delete c;
1470	}
1471
1472	Certificate::Certificate(const Certificate &from)
1473	: Algorithm(from)
1474	, d(from.d)
1475	{
1476	}
1477
1478	Certificate::~Certificate()
1479	{
1480	}
1481
1482	Certificate &Certificate::operator=(const Certificate &from)
1483	{
1484	Algorithm::operator=(from);
1485	d = from.d;
1486	return *this;
1487	}
1488
1489	bool Certificate::isNull() const
1490	{
1491	return (!context() ? true : false);
1492	}
1493
1494	QDateTime Certificate::notValidBefore() const
1495	{
1496	return static_cast<const CertContext *>(context())->props()->start;
1497	}
1498
1499	QDateTime Certificate::notValidAfter() const
1500	{
1501	return static_cast<const CertContext *>(context())->props()->end;
1502	}
1503
1504	CertificateInfo Certificate::subjectInfo() const
1505	{
1506	return d->subjectInfoMap;
1507	}
1508
1509	CertificateInfoOrdered Certificate::subjectInfoOrdered() const
1510	{
1511	return static_cast<const CertContext *>(context())->props()->subject;
1512	}
1513
1514	CertificateInfo Certificate::issuerInfo() const
1515	{
1516	return d->issuerInfoMap;
1517	}
1518
1519	CertificateInfoOrdered Certificate::issuerInfoOrdered() const
1520	{
1521	return static_cast<const CertContext *>(context())->props()->issuer;
1522	}
1523
1524	Constraints Certificate::constraints() const
1525	{
1526	return static_cast<const CertContext *>(context())->props()->constraints;
1527	}
1528
1529	QStringList Certificate::policies() const
1530	{
1531	return static_cast<const CertContext *>(context())->props()->policies;
1532	}
1533
1534	QStringList Certificate::crlLocations() const
1535	{
1536	return static_cast<const CertContext *>(context())->props()->crlLocations;
1537	}
1538
1539	QStringList Certificate::issuerLocations() const
1540	{
1541	return static_cast<const CertContext *>(context())->props()->issuerLocations;
1542	}
1543
1544	QStringList Certificate::ocspLocations() const
1545	{
1546	return static_cast<const CertContext *>(context())->props()->ocspLocations;
1547	}
1548
1549	QString Certificate::commonName() const
1550	{
1551	return d->subjectInfoMap.value(key: CommonName);
1552	}
1553
1554	BigInteger Certificate::serialNumber() const
1555	{
1556	return static_cast<const CertContext *>(context())->props()->serial;
1557	}
1558
1559	PublicKey Certificate::subjectPublicKey() const
1560	{
1561	PKeyContext *c = static_cast<const CertContext *>(context())->subjectPublicKey();
1562	PublicKey key;
1563	key.change(c);
1564	return key;
1565	}
1566
1567	bool Certificate::isCA() const
1568	{
1569	return static_cast<const CertContext *>(context())->props()->isCA;
1570	}
1571
1572	bool Certificate::isSelfSigned() const
1573	{
1574	return static_cast<const CertContext *>(context())->props()->isSelfSigned;
1575	}
1576
1577	bool Certificate::isIssuerOf(const Certificate &other) const
1578	{
1579	const CertContext *cc = static_cast<const CertContext *>(other.context());
1580	return static_cast<const CertContext *>(context())->isIssuerOf(other: cc);
1581	}
1582
1583	int Certificate::pathLimit() const
1584	{
1585	return static_cast<const CertContext *>(context())->props()->pathLimit;
1586	}
1587
1588	SignatureAlgorithm Certificate::signatureAlgorithm() const
1589	{
1590	return static_cast<const CertContext *>(context())->props()->sigalgo;
1591	}
1592
1593	QByteArray Certificate::subjectKeyId() const
1594	{
1595	return static_cast<const CertContext *>(context())->props()->subjectId;
1596	}
1597
1598	QByteArray Certificate::issuerKeyId() const
1599	{
1600	return static_cast<const CertContext *>(context())->props()->issuerId;
1601	}
1602
1603	Validity Certificate::validate(const CertificateCollection &trusted,
1604	const CertificateCollection &untrusted,
1605	UsageMode u,
1606	ValidateFlags vf) const
1607	{
1608	const QList<Certificate> issuers = trusted.certificates() + untrusted.certificates();
1609	CertificateChain chain;
1610	chain += *this;
1611	Validity result;
1612	chain = chain.complete(issuers, result: &result);
1613	if (result != ValidityGood)
1614	return result;
1615	return chain.validate(trusted, untrusted_crls: untrusted.crls(), u, vf);
1616	}
1617
1618	QByteArray Certificate::toDER() const
1619	{
1620	return static_cast<const CertContext *>(context())->toDER();
1621	}
1622
1623	QString Certificate::toPEM() const
1624	{
1625	return static_cast<const CertContext *>(context())->toPEM();
1626	}
1627
1628	bool Certificate::toPEMFile(const QString &fileName) const
1629	{
1630	return stringToFile(fileName, content: toPEM());
1631	}
1632
1633	Certificate Certificate::fromDER(const QByteArray &a, ConvertResult *result, const QString &provider)
1634	{
1635	Certificate c;
1636	CertContext *cc = static_cast<CertContext *>(getContext(QStringLiteral("cert"), provider));
1637	ConvertResult r = cc->fromDER(a);
1638	if (result)
1639	*result = r;
1640	if (r == ConvertGood)
1641	c.change(c: cc);
1642	else
1643	delete cc;
1644	return c;
1645	}
1646
1647	Certificate Certificate::fromPEM(const QString &s, ConvertResult *result, const QString &provider)
1648	{
1649	Certificate c;
1650	CertContext *cc = static_cast<CertContext *>(getContext(QStringLiteral("cert"), provider));
1651	ConvertResult r = cc->fromPEM(s);
1652	if (result)
1653	*result = r;
1654	if (r == ConvertGood)
1655	c.change(c: cc);
1656	else
1657	delete cc;
1658	return c;
1659	}
1660
1661	Certificate Certificate::fromPEMFile(const QString &fileName, ConvertResult *result, const QString &provider)
1662	{
1663	QString pem;
1664	if (!stringFromFile(fileName, s: &pem)) {
1665	if (result)
1666	*result = ErrorFile;
1667	return Certificate();
1668	}
1669	return fromPEM(s: pem, result, provider);
1670	}
1671
1672	// check for ip addresses in iPAddress, dNSName, then commonName
1673	// for all else, check in dNSName, then commonName
1674	bool Certificate::matchesHostName(const QString &host) const
1675	{
1676	const QByteArray ipaddr = ipaddr_str2bin(str: host);
1677	if (!ipaddr.isEmpty()) // ip address
1678	{
1679	// check iPAddress, dNSName, commonName
1680	const CertificateInfoOrdered subjectInfo = subjectInfoOrdered();
1681	for (const CertificateInfoPair &p : subjectInfo) {
1682	const CertificateInfoType type = p.type();
1683	if (type == IPAddress || type == DNS || type == CommonName) {
1684	if (cert_match_ipaddress(certname: p.value(), ipaddress: ipaddr))
1685	return true;
1686	}
1687	}
1688	} else // domain
1689	{
1690	// lowercase
1691	QString name = host.toLower();
1692
1693	// ACE
1694	name = QString::fromLatin1(ba: QUrl::toAce(domain: name));
1695
1696	// don't allow wildcards in the comparison host
1697	if (name.contains(c: QLatin1Char('*')))
1698	return false;
1699
1700	// strip out trailing dot
1701	if (name.length() > 0 && name[name.length() - 1] == QLatin1Char('.'))
1702	name.truncate(pos: name.length() - 1);
1703
1704	// make sure the name is not empty after our modifications
1705	if (name.isEmpty())
1706	return false;
1707
1708	// check dNSName, commonName
1709	const CertificateInfoOrdered subjectInfo = subjectInfoOrdered();
1710	for (const CertificateInfoPair &p : subjectInfo) {
1711	const CertificateInfoType type = p.type();
1712	if (type == DNS || type == CommonName) {
1713	if (cert_match_domain(certname: p.value(), acedomain: name))
1714	return true;
1715	}
1716	}
1717	}
1718
1719	return false;
1720	}
1721
1722	bool Certificate::operator==(const Certificate &otherCert) const
1723	{
1724	if (isNull()) {
1725	if (otherCert.isNull())
1726	return true;
1727	else
1728	return false;
1729	} else if (otherCert.isNull())
1730	return false;
1731
1732	const CertContext *other = static_cast<const CertContext *>(otherCert.context());
1733	return static_cast<const CertContext *>(context())->compare(other);
1734	}
1735
1736	void Certificate::change(CertContext *c)
1737	{
1738	Algorithm::change(c);
1739	d->update(c: static_cast<CertContext *>(context()));
1740	}
1741
1742	Validity Certificate::chain_validate(const CertificateChain &chain,
1743	const CertificateCollection &trusted,
1744	const QList<CRL> &untrusted_crls,
1745	UsageMode u,
1746	ValidateFlags vf) const
1747	{
1748	QList<CertContext *> chain_list;
1749	QList<CertContext *> trusted_list;
1750	QList<CRLContext *> crl_list;
1751
1752	QList<Certificate> chain_certs = chain;
1753	QList<Certificate> trusted_certs = trusted.certificates();
1754	QList<CRL> crls = trusted.crls() + untrusted_crls;
1755
1756	for (int n = 0; n < chain_certs.count(); ++n) {
1757	CertContext *c = static_cast<CertContext *>(chain_certs[n].context());
1758	chain_list += c;
1759	}
1760	for (int n = 0; n < trusted_certs.count(); ++n) {
1761	CertContext *c = static_cast<CertContext *>(trusted_certs[n].context());
1762	trusted_list += c;
1763	}
1764	for (int n = 0; n < crls.count(); ++n) {
1765	CRLContext *c = static_cast<CRLContext *>(crls[n].context());
1766	crl_list += c;
1767	}
1768
1769	return static_cast<const CertContext *>(context())->validate_chain(chain: chain_list, trusted: trusted_list, crls: crl_list, u, vf);
1770	}
1771
1772	CertificateChain
1773	Certificate::chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const
1774	{
1775	CertificateChain out;
1776	QList<Certificate> pool = issuers + chain.mid(pos: 1);
1777	out += chain.first();
1778	if (result)
1779	*result = ValidityGood;
1780	while (!out.last().isSelfSigned()) {
1781	// try to get next in chain
1782	int at = -1;
1783	for (int n = 0; n < pool.count(); ++n) {
1784	// QString str = QString("[%1] issued by [%2] ? ").arg(out.last().commonName()).arg(pool[n].commonName());
1785	if (pool[n].isIssuerOf(other: out.last())) {
1786	// printf("%s yes\n", qPrintable(str));
1787	at = n;
1788	break;
1789	}
1790	// printf("%s no\n", qPrintable(str));
1791	}
1792	if (at == -1) {
1793	if (result)
1794	*result = ErrorInvalidCA;
1795	break;
1796	}
1797
1798	// take it out of the pool
1799	Certificate next = pool.takeAt(i: at);
1800
1801	// make sure it isn't in the chain already (avoid loops)
1802	if (out.contains(t: next))
1803	break;
1804
1805	// append to the chain
1806	out += next;
1807	}
1808	return out;
1809	}
1810
1811	//----------------------------------------------------------------------------
1812	// CertificateRequest
1813	//----------------------------------------------------------------------------
1814	class CertificateRequest::Private : public QSharedData
1815	{
1816	public:
1817	CertificateInfo subjectInfoMap;
1818
1819	void update(CSRContext *c)
1820	{
1821	if (c)
1822	subjectInfoMap = orderedToMap(info: c->props()->subject);
1823	else
1824	subjectInfoMap = CertificateInfo();
1825	}
1826	};
1827
1828	CertificateRequest::CertificateRequest()
1829	: d(new Private)
1830	{
1831	}
1832
1833	CertificateRequest::CertificateRequest(const QString &fileName)
1834	: d(new Private)
1835	{
1836	*this = fromPEMFile(fileName, result: nullptr, provider: QString());
1837	}
1838
1839	CertificateRequest::CertificateRequest(const CertificateOptions &opts, const PrivateKey &key, const QString &provider)
1840	: d(new Private)
1841	{
1842	CSRContext *c = static_cast<CSRContext *>(getContext(QStringLiteral("csr"), provider));
1843	if (c->createRequest(opts, priv: *(static_cast<const PKeyContext *>(key.context()))))
1844	change(c);
1845	else
1846	delete c;
1847	}
1848
1849	CertificateRequest::CertificateRequest(const CertificateRequest &from)
1850	: Algorithm(from)
1851	, d(from.d)
1852	{
1853	}
1854
1855	CertificateRequest::~CertificateRequest()
1856	{
1857	}
1858
1859	CertificateRequest &CertificateRequest::operator=(const CertificateRequest &from)
1860	{
1861	Algorithm::operator=(from);
1862	d = from.d;
1863	return *this;
1864	}
1865
1866	bool CertificateRequest::isNull() const
1867	{
1868	return (!context() ? true : false);
1869	}
1870
1871	bool CertificateRequest::canUseFormat(CertificateRequestFormat f, const QString &provider)
1872	{
1873	CSRContext *c = static_cast<CSRContext *>(getContext(QStringLiteral("csr"), provider));
1874	bool ok = c->canUseFormat(f);
1875	delete c;
1876	return ok;
1877	}
1878
1879	CertificateRequestFormat CertificateRequest::format() const
1880	{
1881	if (isNull())
1882	return PKCS10; // some default so we don't explode
1883	return static_cast<const CSRContext *>(context())->props()->format;
1884	}
1885
1886	CertificateInfo CertificateRequest::subjectInfo() const
1887	{
1888	return d->subjectInfoMap;
1889	}
1890
1891	CertificateInfoOrdered CertificateRequest::subjectInfoOrdered() const
1892	{
1893	return static_cast<const CSRContext *>(context())->props()->subject;
1894	}
1895
1896	Constraints CertificateRequest::constraints() const
1897	{
1898	return static_cast<const CSRContext *>(context())->props()->constraints;
1899	}
1900
1901	QStringList CertificateRequest::policies() const
1902	{
1903	return static_cast<const CSRContext *>(context())->props()->policies;
1904	}
1905
1906	PublicKey CertificateRequest::subjectPublicKey() const
1907	{
1908	PKeyContext *c = static_cast<const CSRContext *>(context())->subjectPublicKey();
1909	PublicKey key;
1910	key.change(c);
1911	return key;
1912	}
1913
1914	bool CertificateRequest::isCA() const
1915	{
1916	return static_cast<const CSRContext *>(context())->props()->isCA;
1917	}
1918
1919	int CertificateRequest::pathLimit() const
1920	{
1921	return static_cast<const CSRContext *>(context())->props()->pathLimit;
1922	}
1923
1924	QString CertificateRequest::challenge() const
1925	{
1926	return static_cast<const CSRContext *>(context())->props()->challenge;
1927	}
1928
1929	SignatureAlgorithm CertificateRequest::signatureAlgorithm() const
1930	{
1931	return static_cast<const CSRContext *>(context())->props()->sigalgo;
1932	}
1933
1934	bool CertificateRequest::operator==(const CertificateRequest &otherCsr) const
1935	{
1936	if (isNull()) {
1937	if (otherCsr.isNull())
1938	return true;
1939	else
1940	return false;
1941	} else if (otherCsr.isNull())
1942	return false;
1943
1944	const CSRContext *other = static_cast<const CSRContext *>(otherCsr.context());
1945	return static_cast<const CSRContext *>(context())->compare(other);
1946	}
1947
1948	QByteArray CertificateRequest::toDER() const
1949	{
1950	return static_cast<const CSRContext *>(context())->toDER();
1951	}
1952
1953	QString CertificateRequest::toPEM() const
1954	{
1955	return static_cast<const CSRContext *>(context())->toPEM();
1956	}
1957
1958	bool CertificateRequest::toPEMFile(const QString &fileName) const
1959	{
1960	return stringToFile(fileName, content: toPEM());
1961	}
1962
1963	CertificateRequest CertificateRequest::fromDER(const QByteArray &a, ConvertResult *result, const QString &provider)
1964	{
1965	CertificateRequest c;
1966	CSRContext *csr = static_cast<CSRContext *>(getContext(QStringLiteral("csr"), provider));
1967	ConvertResult r = csr->fromDER(a);
1968	if (result)
1969	*result = r;
1970	if (r == ConvertGood)
1971	c.change(c: csr);
1972	else
1973	delete csr;
1974	return c;
1975	}
1976
1977	CertificateRequest CertificateRequest::fromPEM(const QString &s, ConvertResult *result, const QString &provider)
1978	{
1979	CertificateRequest c;
1980	CSRContext *csr = static_cast<CSRContext *>(getContext(QStringLiteral("csr"), provider));
1981	ConvertResult r = csr->fromPEM(s);
1982	if (result)
1983	*result = r;
1984	if (r == ConvertGood)
1985	c.change(c: csr);
1986	else
1987	delete csr;
1988	return c;
1989	}
1990
1991	CertificateRequest
1992	CertificateRequest::fromPEMFile(const QString &fileName, ConvertResult *result, const QString &provider)
1993	{
1994	QString pem;
1995	if (!stringFromFile(fileName, s: &pem)) {
1996	if (result)
1997	*result = ErrorFile;
1998	return CertificateRequest();
1999	}
2000	return fromPEM(s: pem, result, provider);
2001	}
2002
2003	QString CertificateRequest::toString() const
2004	{
2005	return static_cast<const CSRContext *>(context())->toSPKAC();
2006	}
2007
2008	CertificateRequest CertificateRequest::fromString(const QString &s, ConvertResult *result, const QString &provider)
2009	{
2010	CertificateRequest c;
2011	CSRContext *csr = static_cast<CSRContext *>(getContext(QStringLiteral("csr"), provider));
2012	ConvertResult r = csr->fromSPKAC(s);
2013	if (result)
2014	*result = r;
2015	if (r == ConvertGood)
2016	c.change(c: csr);
2017	else
2018	delete csr;
2019	return c;
2020	}
2021
2022	void CertificateRequest::change(CSRContext *c)
2023	{
2024	Algorithm::change(c);
2025	d->update(c: static_cast<CSRContext *>(context()));
2026	}
2027
2028	//----------------------------------------------------------------------------
2029	// CRLEntry
2030	//----------------------------------------------------------------------------
2031	CRLEntry::CRLEntry()
2032	{
2033	_reason = Unspecified;
2034	}
2035
2036	CRLEntry::CRLEntry(const Certificate &c, Reason r)
2037	{
2038	_serial = c.serialNumber();
2039	_time = QDateTime::currentDateTime();
2040	_reason = r;
2041	}
2042
2043	// TODO make serial const & when we break ABI
2044	CRLEntry::CRLEntry(
2045	const BigInteger serial, // clazy:exclude=function-args-by-ref NOLINT(performance-unnecessary-value-param)
2046	const QDateTime &time,
2047	Reason r)
2048	{
2049	_serial = serial;
2050	_time = time;
2051	_reason = r;
2052	}
2053
2054	CRLEntry::CRLEntry(const CRLEntry &from)
2055	: _serial(from._serial)
2056	, _time(from._time)
2057	, _reason(from._reason)
2058	{
2059	}
2060
2061	CRLEntry::~CRLEntry()
2062	{
2063	}
2064
2065	CRLEntry &CRLEntry::operator=(const CRLEntry &from)
2066	{
2067	_serial = from._serial;
2068	_time = from._time;
2069	_reason = from._reason;
2070	return *this;
2071	}
2072
2073	bool CRLEntry::isNull() const
2074	{
2075	return (_time.isNull());
2076	}
2077
2078	BigInteger CRLEntry::serialNumber() const
2079	{
2080	return _serial;
2081	}
2082
2083	QDateTime CRLEntry::time() const
2084	{
2085	return _time;
2086	}
2087
2088	CRLEntry::Reason CRLEntry::reason() const
2089	{
2090	return _reason;
2091	}
2092
2093	bool CRLEntry::operator==(const CRLEntry &otherEntry) const
2094	{
2095	if (isNull()) {
2096	if (otherEntry.isNull())
2097	return true;
2098	else
2099	return false;
2100	} else if (otherEntry.isNull())
2101	return false;
2102
2103	if ((_serial != otherEntry._serial) || (_time != otherEntry._time) || (_reason != otherEntry._reason)) {
2104	return false;
2105	}
2106	return true;
2107	}
2108
2109	bool CRLEntry::operator<(const CRLEntry &otherEntry) const
2110	{
2111	if (isNull() || otherEntry.isNull())
2112	return false;
2113
2114	if (_serial < otherEntry._serial)
2115	return true;
2116
2117	return false;
2118	}
2119
2120	//----------------------------------------------------------------------------
2121	// CRL
2122	//----------------------------------------------------------------------------
2123	class CRL::Private : public QSharedData
2124	{
2125	public:
2126	CertificateInfo issuerInfoMap;
2127
2128	void update(CRLContext *c)
2129	{
2130	if (c)
2131	issuerInfoMap = orderedToMap(info: c->props()->issuer);
2132	else
2133	issuerInfoMap = CertificateInfo();
2134	}
2135	};
2136
2137	CRL::CRL()
2138	: d(new Private)
2139	{
2140	}
2141
2142	CRL::CRL(const CRL &from)
2143	: Algorithm(from)
2144	, d(from.d)
2145	{
2146	}
2147
2148	CRL::~CRL()
2149	{
2150	}
2151
2152	CRL &CRL::operator=(const CRL &from)
2153	{
2154	Algorithm::operator=(from);
2155	d = from.d;
2156	return *this;
2157	}
2158
2159	bool CRL::isNull() const
2160	{
2161	return (!context() ? true : false);
2162	}
2163
2164	CertificateInfo CRL::issuerInfo() const
2165	{
2166	return d->issuerInfoMap;
2167	}
2168
2169	CertificateInfoOrdered CRL::issuerInfoOrdered() const
2170	{
2171	return static_cast<const CRLContext *>(context())->props()->issuer;
2172	}
2173
2174	int CRL::number() const
2175	{
2176	return static_cast<const CRLContext *>(context())->props()->number;
2177	}
2178
2179	QDateTime CRL::thisUpdate() const
2180	{
2181	return static_cast<const CRLContext *>(context())->props()->thisUpdate;
2182	}
2183
2184	QDateTime CRL::nextUpdate() const
2185	{
2186	return static_cast<const CRLContext *>(context())->props()->nextUpdate;
2187	}
2188
2189	QList<CRLEntry> CRL::revoked() const
2190	{
2191	return static_cast<const CRLContext *>(context())->props()->revoked;
2192	}
2193
2194	SignatureAlgorithm CRL::signatureAlgorithm() const
2195	{
2196	return static_cast<const CRLContext *>(context())->props()->sigalgo;
2197	}
2198
2199	QByteArray CRL::issuerKeyId() const
2200	{
2201	return static_cast<const CRLContext *>(context())->props()->issuerId;
2202	}
2203
2204	QByteArray CRL::toDER() const
2205	{
2206	return static_cast<const CRLContext *>(context())->toDER();
2207	}
2208
2209	QString CRL::toPEM() const
2210	{
2211	return static_cast<const CRLContext *>(context())->toPEM();
2212	}
2213
2214	bool CRL::operator==(const CRL &otherCrl) const
2215	{
2216	if (isNull()) {
2217	if (otherCrl.isNull())
2218	return true;
2219	else
2220	return false;
2221	} else if (otherCrl.isNull())
2222	return false;
2223
2224	const CRLContext *other = static_cast<const CRLContext *>(otherCrl.context());
2225	return static_cast<const CRLContext *>(context())->compare(other);
2226	}
2227
2228	CRL CRL::fromDER(const QByteArray &a, ConvertResult *result, const QString &provider)
2229	{
2230	CRL c;
2231	CRLContext *cc = static_cast<CRLContext *>(getContext(QStringLiteral("crl"), provider));
2232	ConvertResult r = cc->fromDER(a);
2233	if (result)
2234	*result = r;
2235	if (r == ConvertGood)
2236	c.change(c: cc);
2237	else
2238	delete cc;
2239	return c;
2240	}
2241
2242	CRL CRL::fromPEM(const QString &s, ConvertResult *result, const QString &provider)
2243	{
2244	CRL c;
2245	CRLContext *cc = static_cast<CRLContext *>(getContext(QStringLiteral("crl"), provider));
2246	ConvertResult r = cc->fromPEM(s);
2247	if (result)
2248	*result = r;
2249	if (r == ConvertGood)
2250	c.change(c: cc);
2251	else
2252	delete cc;
2253	return c;
2254	}
2255
2256	CRL CRL::fromPEMFile(const QString &fileName, ConvertResult *result, const QString &provider)
2257	{
2258	QString pem;
2259	if (!stringFromFile(fileName, s: &pem)) {
2260	if (result)
2261	*result = ErrorFile;
2262	return CRL();
2263	}
2264	return fromPEM(s: pem, result, provider);
2265	}
2266
2267	bool CRL::toPEMFile(const QString &fileName) const
2268	{
2269	return stringToFile(fileName, content: toPEM());
2270	}
2271
2272	void CRL::change(CRLContext *c)
2273	{
2274	Algorithm::change(c);
2275	d->update(c: static_cast<CRLContext *>(context()));
2276	}
2277
2278	//----------------------------------------------------------------------------
2279	// Store
2280	//----------------------------------------------------------------------------
2281	// CRL / X509 CRL
2282	// CERTIFICATE / X509 CERTIFICATE
2283	static QString readNextPem(QTextStream *ts, bool *isCRL)
2284	{
2285	QString pem;
2286	bool crl = false;
2287	bool found = false;
2288	bool done = false;
2289	while (!ts->atEnd()) {
2290	const QString line = ts->readLine();
2291	if (!found) {
2292	if (line.startsWith(s: QLatin1String("-----BEGIN "))) {
2293	if (line.contains(s: QLatin1String("CERTIFICATE"))) {
2294	found = true;
2295	pem += line + QLatin1Char('\n');
2296	crl = false;
2297	} else if (line.contains(s: QLatin1String("CRL"))) {
2298	found = true;
2299	pem += line + QLatin1Char('\n');
2300	crl = true;
2301	}
2302	}
2303	} else {
2304	pem += line + QLatin1Char('\n');
2305	if (line.startsWith(s: QLatin1String("-----END "))) {
2306	done = true;
2307	break;
2308	}
2309	}
2310	}
2311	if (!done)
2312	return QString();
2313	if (isCRL)
2314	*isCRL = crl;
2315	return pem;
2316	}
2317
2318	class CertificateCollection::Private : public QSharedData
2319	{
2320	public:
2321	QList<Certificate> certs;
2322	QList<CRL> crls;
2323	};
2324
2325	CertificateCollection::CertificateCollection()
2326	: d(new Private)
2327	{
2328	}
2329
2330	CertificateCollection::CertificateCollection(const CertificateCollection &from)
2331	: d(from.d)
2332	{
2333	}
2334
2335	CertificateCollection::~CertificateCollection()
2336	{
2337	}
2338
2339	CertificateCollection &CertificateCollection::operator=(const CertificateCollection &from)
2340	{
2341	d = from.d;
2342	return *this;
2343	}
2344
2345	void CertificateCollection::addCertificate(const Certificate &cert)
2346	{
2347	d->certs.append(t: cert);
2348	}
2349
2350	void CertificateCollection::addCRL(const CRL &crl)
2351	{
2352	d->crls.append(t: crl);
2353	}
2354
2355	QList<Certificate> CertificateCollection::certificates() const
2356	{
2357	return d->certs;
2358	}
2359
2360	QList<CRL> CertificateCollection::crls() const
2361	{
2362	return d->crls;
2363	}
2364
2365	void CertificateCollection::append(const CertificateCollection &other)
2366	{
2367	d->certs += other.d->certs;
2368	d->crls += other.d->crls;
2369	}
2370
2371	CertificateCollection CertificateCollection::operator+(const CertificateCollection &other) const
2372	{
2373	CertificateCollection c = *this;
2374	c.append(other);
2375	return c;
2376	}
2377
2378	CertificateCollection &CertificateCollection::operator+=(const CertificateCollection &other)
2379	{
2380	append(other);
2381	return *this;
2382	}
2383
2384	bool CertificateCollection::canUsePKCS7(const QString &provider)
2385	{
2386	return isSupported(features: "certcollection", provider);
2387	}
2388
2389	bool CertificateCollection::toFlatTextFile(const QString &fileName)
2390	{
2391	QFile f(fileName);
2392	if (!f.open(flags: QFile::WriteOnly))
2393	return false;
2394
2395	QTextStream ts(&f);
2396	int n;
2397	for (n = 0; n < d->certs.count(); ++n)
2398	ts << d->certs[n].toPEM();
2399	for (n = 0; n < d->crls.count(); ++n)
2400	ts << d->crls[n].toPEM();
2401	return true;
2402	}
2403
2404	bool CertificateCollection::toPKCS7File(const QString &fileName, const QString &provider)
2405	{
2406	CertCollectionContext *col =
2407	static_cast<CertCollectionContext *>(getContext(QStringLiteral("certcollection"), provider));
2408
2409	QList<CertContext *> cert_list;
2410	QList<CRLContext *> crl_list;
2411	int n;
2412	for (n = 0; n < d->certs.count(); ++n) {
2413	CertContext *c = static_cast<CertContext *>(d->certs[n].context());
2414	cert_list += c;
2415	}
2416	for (n = 0; n < d->crls.count(); ++n) {
2417	CRLContext *c = static_cast<CRLContext *>(d->crls[n].context());
2418	crl_list += c;
2419	}
2420
2421	const QByteArray result = col->toPKCS7(certs: cert_list, crls: crl_list);
2422	delete col;
2423
2424	return arrayToFile(fileName, content: result);
2425	}
2426
2427	CertificateCollection
2428	CertificateCollection::fromFlatTextFile(const QString &fileName, ConvertResult *result, const QString &provider)
2429	{
2430	QFile f(fileName);
2431	if (!f.open(flags: QFile::ReadOnly)) {
2432	if (result)
2433	*result = ErrorFile;
2434	return CertificateCollection();
2435	}
2436
2437	CertificateCollection certs;
2438	QTextStream ts(&f);
2439	while (true) {
2440	bool isCRL = false;
2441	QString pem = readNextPem(ts: &ts, isCRL: &isCRL);
2442	if (pem.isNull())
2443	break;
2444	if (isCRL) {
2445	CRL c = CRL::fromPEM(s: pem, result: nullptr, provider);
2446	if (!c.isNull())
2447	certs.addCRL(crl: c);
2448	} else {
2449	Certificate c = Certificate::fromPEM(s: pem, result: nullptr, provider);
2450	if (!c.isNull())
2451	certs.addCertificate(cert: c);
2452	}
2453	}
2454
2455	if (result)
2456	*result = ConvertGood;
2457
2458	return certs;
2459	}
2460
2461	CertificateCollection
2462	CertificateCollection::fromPKCS7File(const QString &fileName, ConvertResult *result, const QString &provider)
2463	{
2464	QByteArray der;
2465	if (!arrayFromFile(fileName, a: &der)) {
2466	if (result)
2467	*result = ErrorFile;
2468	return CertificateCollection();
2469	}
2470
2471	CertificateCollection certs;
2472
2473	QList<CertContext *> cert_list;
2474	QList<CRLContext *> crl_list;
2475	CertCollectionContext *col =
2476	static_cast<CertCollectionContext *>(getContext(QStringLiteral("certcollection"), provider));
2477	ConvertResult r = col->fromPKCS7(a: der, certs: &cert_list, crls: &crl_list);
2478	delete col;
2479
2480	if (result)
2481	*result = r;
2482	if (r == ConvertGood) {
2483	int n;
2484	for (n = 0; n < cert_list.count(); ++n) {
2485	Certificate c;
2486	c.change(c: cert_list[n]);
2487	certs.addCertificate(cert: c);
2488	}
2489	for (n = 0; n < crl_list.count(); ++n) {
2490	CRL c;
2491	c.change(c: crl_list[n]);
2492	certs.addCRL(crl: c);
2493	}
2494	}
2495	return certs;
2496	}
2497
2498	//----------------------------------------------------------------------------
2499	// CertificateAuthority
2500	//----------------------------------------------------------------------------
2501	CertificateAuthority::CertificateAuthority(const Certificate &cert, const PrivateKey &key, const QString &provider)
2502	: Algorithm(QStringLiteral("ca"), provider)
2503	{
2504	static_cast<CAContext *>(context())->setup(cert: *(static_cast<const CertContext *>(cert.context())),
2505	priv: *(static_cast<const PKeyContext *>(key.context())));
2506	}
2507
2508	CertificateAuthority::CertificateAuthority(const CertificateAuthority &from)
2509	: Algorithm(from)
2510	{
2511	}
2512
2513	CertificateAuthority::~CertificateAuthority()
2514	{
2515	}
2516
2517	CertificateAuthority &CertificateAuthority::operator=(const CertificateAuthority &from)
2518	{
2519	Algorithm::operator=(from);
2520	return *this;
2521	}
2522
2523	Certificate CertificateAuthority::certificate() const
2524	{
2525	Certificate c;
2526	c.change(c: static_cast<const CAContext *>(context())->certificate());
2527	return c;
2528	}
2529
2530	Certificate CertificateAuthority::signRequest(const CertificateRequest &req, const QDateTime &notValidAfter) const
2531	{
2532	Certificate c;
2533	CertContext *cc = static_cast<const CAContext *>(context())->signRequest(
2534	req: *(static_cast<const CSRContext *>(req.context())), notValidAfter);
2535	if (cc)
2536	c.change(c: cc);
2537	return c;
2538	}
2539
2540	CRL CertificateAuthority::createCRL(const QDateTime &nextUpdate) const
2541	{
2542	CRL crl;
2543	CRLContext *cc = static_cast<const CAContext *>(context())->createCRL(nextUpdate);
2544	if (cc)
2545	crl.change(c: cc);
2546	return crl;
2547	}
2548
2549	CRL CertificateAuthority::updateCRL(const CRL &crl, const QList<CRLEntry> &entries, const QDateTime &nextUpdate) const
2550	{
2551	CRL new_crl;
2552	CRLContext *cc = static_cast<const CAContext *>(context())->updateCRL(
2553	crl: *(static_cast<const CRLContext *>(crl.context())), entries, nextUpdate);
2554	if (cc)
2555	new_crl.change(c: cc);
2556	return new_crl;
2557	}
2558
2559	//----------------------------------------------------------------------------
2560	// KeyBundle
2561	//----------------------------------------------------------------------------
2562	class KeyBundle::Private : public QSharedData
2563	{
2564	public:
2565	QString name;
2566	CertificateChain chain;
2567	PrivateKey key;
2568	};
2569
2570	KeyBundle::KeyBundle()
2571	: d(new Private)
2572	{
2573	}
2574
2575	KeyBundle::KeyBundle(const QString &fileName, const SecureArray &passphrase)
2576	: d(new Private)
2577	{
2578	*this = fromFile(fileName, passphrase, result: nullptr, provider: QString());
2579	}
2580
2581	KeyBundle::KeyBundle(const KeyBundle &from)
2582	: d(from.d)
2583	{
2584	}
2585
2586	KeyBundle::~KeyBundle()
2587	{
2588	}
2589
2590	KeyBundle &KeyBundle::operator=(const KeyBundle &from)
2591	{
2592	d = from.d;
2593	return *this;
2594	}
2595
2596	bool KeyBundle::isNull() const
2597	{
2598	return d->chain.isEmpty();
2599	}
2600
2601	QString KeyBundle::name() const
2602	{
2603	return d->name;
2604	}
2605
2606	CertificateChain KeyBundle::certificateChain() const
2607	{
2608	return d->chain;
2609	}
2610
2611	PrivateKey KeyBundle::privateKey() const
2612	{
2613	return d->key;
2614	}
2615
2616	void KeyBundle::setName(const QString &s)
2617	{
2618	d->name = s;
2619	}
2620
2621	void KeyBundle::setCertificateChainAndKey(const CertificateChain &c, const PrivateKey &key)
2622	{
2623	d->chain = c;
2624	d->key = key;
2625	}
2626
2627	QByteArray KeyBundle::toArray(const SecureArray &passphrase, const QString &provider) const
2628	{
2629	PKCS12Context *pix = static_cast<PKCS12Context *>(getContext(QStringLiteral("pkcs12"), provider));
2630
2631	QList<const CertContext *> list;
2632	for (int n = 0; n < d->chain.count(); ++n)
2633	list.append(t: static_cast<const CertContext *>(d->chain[n].context()));
2634	const QByteArray buf =
2635	pix->toPKCS12(name: d->name, chain: list, priv: *(static_cast<const PKeyContext *>(d->key.context())), passphrase);
2636	delete pix;
2637
2638	return buf;
2639	}
2640
2641	bool KeyBundle::toFile(const QString &fileName, const SecureArray &passphrase, const QString &provider) const
2642	{
2643	return arrayToFile(fileName, content: toArray(passphrase, provider));
2644	}
2645
2646	KeyBundle
2647	KeyBundle::fromArray(const QByteArray &a, const SecureArray &passphrase, ConvertResult *result, const QString &provider)
2648	{
2649	KeyBundle bundle;
2650	get_pkcs12_der(
2651	der: a, fileName: QString(), ptr: (void *)&a, passphrase, result, provider, name: &bundle.d->name, chain: &bundle.d->chain, key: &bundle.d->key);
2652	return bundle;
2653	}
2654
2655	KeyBundle KeyBundle::fromFile(const QString &fileName,
2656	const SecureArray &passphrase,
2657	ConvertResult *result,
2658	const QString &provider)
2659	{
2660	QByteArray der;
2661	if (!arrayFromFile(fileName, a: &der)) {
2662	if (result)
2663	*result = ErrorFile;
2664	return KeyBundle();
2665	}
2666
2667	KeyBundle bundle;
2668	get_pkcs12_der(
2669	der, fileName, ptr: nullptr, passphrase, result, provider, name: &bundle.d->name, chain: &bundle.d->chain, key: &bundle.d->key);
2670	return bundle;
2671	}
2672
2673	//----------------------------------------------------------------------------
2674	// PGPKey
2675	//----------------------------------------------------------------------------
2676	PGPKey::PGPKey()
2677	{
2678	}
2679
2680	PGPKey::PGPKey(const QString &fileName)
2681	{
2682	*this = fromFile(fileName, result: nullptr, provider: QString());
2683	}
2684
2685	PGPKey::PGPKey(const PGPKey &from)
2686	: Algorithm(from)
2687	{
2688	}
2689
2690	PGPKey::~PGPKey()
2691	{
2692	}
2693
2694	PGPKey &PGPKey::operator=(const PGPKey &from)
2695	{
2696	Algorithm::operator=(from);
2697	return *this;
2698	}
2699
2700	bool PGPKey::isNull() const
2701	{
2702	return (!context() ? true : false);
2703	}
2704
2705	QString PGPKey::keyId() const
2706	{
2707	return static_cast<const PGPKeyContext *>(context())->props()->keyId;
2708	}
2709
2710	QString PGPKey::primaryUserId() const
2711	{
2712	return static_cast<const PGPKeyContext *>(context())->props()->userIds.first();
2713	}
2714
2715	QStringList PGPKey::userIds() const
2716	{
2717	return static_cast<const PGPKeyContext *>(context())->props()->userIds;
2718	}
2719
2720	bool PGPKey::isSecret() const
2721	{
2722	return static_cast<const PGPKeyContext *>(context())->props()->isSecret;
2723	}
2724
2725	QDateTime PGPKey::creationDate() const
2726	{
2727	return static_cast<const PGPKeyContext *>(context())->props()->creationDate;
2728	}
2729
2730	QDateTime PGPKey::expirationDate() const
2731	{
2732	return static_cast<const PGPKeyContext *>(context())->props()->expirationDate;
2733	}
2734
2735	QString PGPKey::fingerprint() const
2736	{
2737	return static_cast<const PGPKeyContext *>(context())->props()->fingerprint;
2738	}
2739
2740	bool PGPKey::inKeyring() const
2741	{
2742	return static_cast<const PGPKeyContext *>(context())->props()->inKeyring;
2743	}
2744
2745	bool PGPKey::isTrusted() const
2746	{
2747	return static_cast<const PGPKeyContext *>(context())->props()->isTrusted;
2748	}
2749
2750	QByteArray PGPKey::toArray() const
2751	{
2752	return static_cast<const PGPKeyContext *>(context())->toBinary();
2753	}
2754
2755	QString PGPKey::toString() const
2756	{
2757	return static_cast<const PGPKeyContext *>(context())->toAscii();
2758	}
2759
2760	bool PGPKey::toFile(const QString &fileName) const
2761	{
2762	return stringToFile(fileName, content: toString());
2763	}
2764
2765	PGPKey PGPKey::fromArray(const QByteArray &a, ConvertResult *result, const QString &provider)
2766	{
2767	PGPKey k;
2768	PGPKeyContext *kc = static_cast<PGPKeyContext *>(getContext(QStringLiteral("pgpkey"), provider));
2769	ConvertResult r = kc->fromBinary(a);
2770	if (result)
2771	*result = r;
2772	if (r == ConvertGood)
2773	k.change(c: kc);
2774	else
2775	delete kc;
2776	return k;
2777	}
2778
2779	PGPKey PGPKey::fromString(const QString &s, ConvertResult *result, const QString &provider)
2780	{
2781	PGPKey k;
2782	PGPKeyContext *kc = static_cast<PGPKeyContext *>(getContext(QStringLiteral("pgpkey"), provider));
2783	ConvertResult r = kc->fromAscii(s);
2784	if (result)
2785	*result = r;
2786	if (r == ConvertGood)
2787	k.change(c: kc);
2788	else
2789	delete kc;
2790	return k;
2791	}
2792
2793	PGPKey PGPKey::fromFile(const QString &fileName, ConvertResult *result, const QString &provider)
2794	{
2795	QString str;
2796	if (!stringFromFile(fileName, s: &str)) {
2797	if (result)
2798	*result = ErrorFile;
2799	return PGPKey();
2800	}
2801	return fromString(s: str, result, provider);
2802	}
2803
2804	//----------------------------------------------------------------------------
2805	// KeyLoader
2806	//----------------------------------------------------------------------------
2807	class KeyLoaderThread : public QThread
2808	{
2809	Q_OBJECT
2810	public:
2811	enum Type
2812	{
2813	PKPEMFile,
2814	PKPEM,
2815	PKDER,
2816	KBDERFile,
2817	KBDER
2818	};
2819
2820	class In
2821	{
2822	public:
2823	Type type;
2824	QString fileName, pem;
2825	SecureArray der;
2826	QByteArray kbder;
2827	};
2828
2829	class Out
2830	{
2831	public:
2832	ConvertResult convertResult;
2833	PrivateKey privateKey;
2834	KeyBundle keyBundle;
2835	};
2836
2837	In in;
2838	Out out;
2839
2840	KeyLoaderThread(QObject *parent = nullptr)
2841	: QThread(parent)
2842	{
2843	}
2844
2845	protected:
2846	void run() override
2847	{
2848	if (in.type == PKPEMFile)
2849	out.privateKey = PrivateKey::fromPEMFile(fileName: in.fileName, passphrase: SecureArray(), result: &out.convertResult);
2850	else if (in.type == PKPEM)
2851	out.privateKey = PrivateKey::fromPEM(s: in.pem, passphrase: SecureArray(), result: &out.convertResult);
2852	else if (in.type == PKDER)
2853	out.privateKey = PrivateKey::fromDER(a: in.der, passphrase: SecureArray(), result: &out.convertResult);
2854	else if (in.type == KBDERFile)
2855	out.keyBundle = KeyBundle::fromFile(fileName: in.fileName, passphrase: SecureArray(), result: &out.convertResult);
2856	else if (in.type == KBDER)
2857	out.keyBundle = KeyBundle::fromArray(a: in.kbder, passphrase: SecureArray(), result: &out.convertResult);
2858	}
2859	};
2860
2861	class KeyLoader::Private : public QObject
2862	{
2863	Q_OBJECT
2864	public:
2865	KeyLoader *q;
2866
2867	bool active;
2868	KeyLoaderThread *thread;
2869	KeyLoaderThread::In in;
2870	KeyLoaderThread::Out out;
2871
2872	Private(KeyLoader *_q)
2873	: QObject(_q)
2874	, q(_q)
2875	{
2876	active = false;
2877	}
2878
2879	void reset()
2880	{
2881	in = KeyLoaderThread::In();
2882	out = KeyLoaderThread::Out();
2883	}
2884
2885	void start()
2886	{
2887	active = true;
2888	thread = new KeyLoaderThread(this);
2889	// used queued for signal-safety
2890	connect(sender: thread, signal: &KeyLoaderThread::finished, context: this, slot: &KeyLoader::Private::thread_finished, type: Qt::QueuedConnection);
2891	thread->in = in;
2892	thread->start();
2893	}
2894
2895	private Q_SLOTS:
2896	void thread_finished()
2897	{
2898	out = thread->out;
2899	delete thread;
2900	thread = nullptr;
2901	active = false;
2902
2903	emit q->finished();
2904	}
2905	};
2906
2907	KeyLoader::KeyLoader(QObject *parent)
2908	: QObject(parent)
2909	{
2910	d = new Private(this);
2911	}
2912
2913	KeyLoader::~KeyLoader()
2914	{
2915	delete d;
2916	}
2917
2918	void KeyLoader::loadPrivateKeyFromPEMFile(const QString &fileName)
2919	{
2920	Q_ASSERT(!d->active);
2921	if (d->active)
2922	return;
2923
2924	d->reset();
2925	d->in.type = KeyLoaderThread::PKPEMFile;
2926	d->in.fileName = fileName;
2927	d->start();
2928	}
2929
2930	void KeyLoader::loadPrivateKeyFromPEM(const QString &s)
2931	{
2932	Q_ASSERT(!d->active);
2933	if (d->active)
2934	return;
2935
2936	d->reset();
2937	d->in.type = KeyLoaderThread::PKPEM;
2938	d->in.pem = s;
2939	d->start();
2940	}
2941
2942	void KeyLoader::loadPrivateKeyFromDER(const SecureArray &a)
2943	{
2944	Q_ASSERT(!d->active);
2945	if (d->active)
2946	return;
2947
2948	d->reset();
2949	d->in.type = KeyLoaderThread::PKDER;
2950	d->in.der = a;
2951	d->start();
2952	}
2953
2954	void KeyLoader::loadKeyBundleFromFile(const QString &fileName)
2955	{
2956	Q_ASSERT(!d->active);
2957	if (d->active)
2958	return;
2959
2960	d->reset();
2961	d->in.type = KeyLoaderThread::KBDERFile;
2962	d->in.fileName = fileName;
2963	d->start();
2964	}
2965
2966	void KeyLoader::loadKeyBundleFromArray(const QByteArray &a)
2967	{
2968	Q_ASSERT(!d->active);
2969	if (d->active)
2970	return;
2971
2972	d->reset();
2973	d->in.type = KeyLoaderThread::KBDERFile;
2974	d->in.kbder = a;
2975	d->start();
2976	}
2977
2978	ConvertResult KeyLoader::convertResult() const
2979	{
2980	return d->out.convertResult;
2981	}
2982
2983	PrivateKey KeyLoader::privateKey() const
2984	{
2985	return d->out.privateKey;
2986	}
2987
2988	KeyBundle KeyLoader::keyBundle() const
2989	{
2990	return d->out.keyBundle;
2991	}
2992
2993	}
2994
2995	#include "qca_cert.moc"
2996