[auth] Add method to exclude self-signed CAs from a list of certificates

qgis · Oct 16, 2017 · d293e8f · d293e8f
1 parent 032f225
commit d293e8f
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 0 deletions.
diff --git a/python/core/auth/qgsauthcertutils.sip b/python/core/auth/qgsauthcertutils.sip
@@ -127,6 +127,15 @@ Return list of concatenated certs from a PEM Base64 text block
  :rtype: list of QSslCertificate
 %End
 
+
+    static QList<QSslCertificate> casRemoveSelfSigned( const QList<QSslCertificate> &caList );
+%Docstring
+ casRemoveSelfSigned remove self-signed CA certificates from ``caList``
+ \param caList list of CA certificates
+ :return: a list of non self-signed certificates
+ :rtype: list of QSslCertificate
+%End
+
     static QStringList certKeyBundleToPem( const QString &certpath,
                                            const QString &keypath,
                                            const QString &keypass = QString(),

diff --git a/src/core/auth/qgsauthcertutils.cpp b/src/core/auth/qgsauthcertutils.cpp
@@ -224,6 +224,19 @@ QList<QSslCertificate> QgsAuthCertUtils::certsFromString( const QString &pemtext
   return certs;
 }
 
+QList<QSslCertificate> QgsAuthCertUtils::casRemoveSelfSigned( const QList<QSslCertificate> &caList )
+{
+  QList<QSslCertificate> certs;
+  for ( const auto cert : caList )
+  {
+    if ( ! cert.isSelfSigned( ) )
+    {
+      certs.append( cert );
+    }
+  }
+  return certs;
+}
+
 QStringList QgsAuthCertUtils::certKeyBundleToPem( const QString &certpath,
     const QString &keypath,
     const QString &keypass,

diff --git a/src/core/auth/qgsauthcertutils.h b/src/core/auth/qgsauthcertutils.h
@@ -136,6 +136,14 @@ class CORE_EXPORT QgsAuthCertUtils
     //! Return list of concatenated certs from a PEM Base64 text block
     static QList<QSslCertificate> certsFromString( const QString &pemtext );
 
+
+    /**
+     * \brief casRemoveSelfSigned remove self-signed CA certificates from \a caList
+     * \param caList list of CA certificates
+     * \return a list of non self-signed certificates
+     */
+    static QList<QSslCertificate> casRemoveSelfSigned( const QList<QSslCertificate> &caList );
+
     /**
      * Return list of certificate, private key and algorithm (as PEM text) from file path components
      * \param certpath File path to certificate

diff --git a/tests/src/python/test_qgsauthsystem.py b/tests/src/python/test_qgsauthsystem.py
@@ -603,6 +603,21 @@ def test_130_cas_merge(self):
 
         self.assertTrue(trusted[0] in merged)
 
+    def test_140_cas_remove_self_signed(self):
+        """Test CAs merge """
+        extra_path = PKIDATA + '/alice-cert_w-chain.pem'
+
+        extra = QgsAuthCertUtils.casFromFile(extra_path)
+        filtered = QgsAuthCertUtils.casRemoveSelfSigned(extra)
+
+        self.assertEqual(len(filtered), 1)
+        self.assertEqual(len(extra), 2)
+
+        self.assertTrue(extra[1].isSelfSigned())
+
+        for c in filtered:
+            self.assertFalse(c.isSelfSigned())
+
 
 if __name__ == '__main__':
     unittest.main()