[auth] Merge CAs added by PKI bundles to the trusted CAs

qgis · Oct 16, 2017 · 032f225 · 032f225
1 parent 7b7dad0
commit 032f225
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 12 deletions.
diff --git a/src/auth/CMakeLists.txt b/src/auth/CMakeLists.txt
@@ -16,3 +16,4 @@ ADD_SUBDIRECTORY(basic)
 ADD_SUBDIRECTORY(identcert)
 ADD_SUBDIRECTORY(pkipaths)
 ADD_SUBDIRECTORY(pkipkcs12)
+ADD_SUBDIRECTORY(oauth2)
diff --git a/src/auth/pkipaths/qgsauthpkipathsmethod.cpp b/src/auth/pkipaths/qgsauthpkipathsmethod.cpp
@@ -98,22 +98,21 @@ bool QgsAuthPkiPathsMethod::updateNetworkRequest( QNetworkRequest &request, cons
   QSslConfiguration sslConfig = request.sslConfiguration();
   //QSslConfiguration sslConfig( QSslConfiguration::defaultConfiguration() );
 
-  sslConfig.setLocalCertificate( pkibundle->clientCert() );
   sslConfig.setPrivateKey( pkibundle->clientCertKey() );
+  sslConfig.setLocalCertificate( pkibundle->clientCert() );
 
-  // add extra CAs in the bundle
+  // add extra CAs from the bundle
+  // this does not work due to the fact that QNAM overrides it in createRequest!
   if ( pkibundle->config().config( QStringLiteral( "addcas" ), QStringLiteral( "false" ) ) ==  QStringLiteral( "true" ) )
   {
-    QList<QSslCertificate> cas;
-    cas = QgsAuthCertUtils::casMerge( QgsAuthManager::instance()->getTrustedCaCerts(), pkibundle->caChain() );
-    sslConfig.setCaCertificates( cas );
+    sslConfig.setCaCertificates( pkibundle->caChain() );
   }
-
   request.setSslConfiguration( sslConfig );
 
   return true;
 }
 
+
 bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionItems, const QString &authcfg,
     const QString &dataprovider )
 {

diff --git a/src/auth/pkipkcs12/qgsauthpkcs12method.cpp b/src/auth/pkipkcs12/qgsauthpkcs12method.cpp
@@ -103,9 +103,7 @@ bool QgsAuthPkcs12Method::updateNetworkRequest( QNetworkRequest &request, const
 
   if ( pkibundle->config().config( QStringLiteral( "addcas" ), QStringLiteral( "false" ) ) ==  QStringLiteral( "true" ) )
   {
-    QList<QSslCertificate> cas;
-    cas = QgsAuthCertUtils::casMerge( QgsAuthManager::instance()->getTrustedCaCerts(), pkibundle->caChain() );
-    sslConfig.setCaCertificates( cas );
+    sslConfig.setCaCertificates( pkibundle->caChain() );
   }
 
   request.setSslConfiguration( sslConfig );

diff --git a/src/core/auth/qgsauthmanager.cpp b/src/core/auth/qgsauthmanager.cpp
@@ -1401,7 +1401,6 @@ bool QgsAuthManager::updateNetworkRequest( QNetworkRequest &request, const QStri
     }
     return true;
   }
-
   return false;
 }
 

diff --git a/src/core/qgsnetworkaccessmanager.cpp b/src/core/qgsnetworkaccessmanager.cpp
@@ -184,8 +184,8 @@ QNetworkReply *QgsNetworkAccessManager::createRequest( QNetworkAccessManager::Op
   {
     QgsDebugMsg( "Adding trusted CA certs to request" );
     QSslConfiguration sslconfig( pReq->sslConfiguration() );
-    sslconfig.setCaCertificates( QgsAuthManager::instance()->getTrustedCaCertsCache() );
-
+    // Merge trusted CAs with any additional CAs added by the authentication methods
+    sslconfig.setCaCertificates( QgsAuthCertUtils::casMerge( QgsAuthManager::instance()->getTrustedCaCertsCache(), sslconfig.caCertificates( ) ) );
     // check for SSL cert custom config
     QString hostport( QStringLiteral( "%1:%2" )
                       .arg( pReq->url().host().trimmed() )

diff --git a/src/gui/auth/qgsauthsslerrorsdialog.cpp b/src/gui/auth/qgsauthsslerrorsdialog.cpp
@@ -135,6 +135,11 @@ void QgsAuthSslErrorsDialog::showCertificateChainInfo()
 
 void QgsAuthSslErrorsDialog::showCertificateChainCAsInfo()
 {
+  for ( const auto &cert : mSslConfiguration.caCertificates() )
+  {
+    qDebug() << cert.subjectInfo( QSslCertificate::SubjectInfo::CommonName );
+  }
+
   QgsAuthTrustedCAsDialog *dlg = new QgsAuthTrustedCAsDialog( this, mSslConfiguration.caCertificates() );
   dlg->setWindowModality( Qt::WindowModal );
   dlg->resize( 675, 500 );