summaryrefslogtreecommitdiffstats
path: root/application/CertWorkaround.cpp
blob: 3bd1b16e4d444a4186d46543ad7594147af9a3c3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
#include <stdexcept>
#include <iostream>

#include <QByteArray>
#include <QSslSocket>
#include <QDebug>

#include <Security/Security.h>

// CFRelease will crash if passed NULL
#define SafeCFRelease(ref)                                                                     \
	if (ref)                                                                                   \
		CFRelease(ref);

/*!
 * \brief LoadCertificatesFromKeyChain  Load all certificates from the KeyChain path provided
 * and return them as
 *                                      QSslCertificates.
 * \param keyChainPath                  The KeyChain path. Pass an empty string to use the
 * user's keychain.
 * \return                              A list of new QSslCertificates generated from the
 * KeyChain DER data.
 */
static QList<QSslCertificate>
LoadCertificatesFromKeyChain(const std::string &keyChainPath = std::string())
{
	QList<QSslCertificate> qtCerts;

	SecKeychainRef certsKeyChain = NULL;
	SecKeychainSearchRef searchItem = NULL;
	SecKeychainItemRef itemRef = NULL;
	CSSM_DATA certData = {0, 0};

	try
	{
		OSStatus status = errSecSuccess;

		// if a keychain path was provided, obtain a pointer
		if (!keyChainPath.empty())
		{
			status = SecKeychainOpen(keyChainPath.c_str(), &certsKeyChain);
			if (status != errSecSuccess)
			{
				throw status;
			}
		}

		// build a search query reference for certificates
		status = SecKeychainSearchCreateFromAttributes(certsKeyChain, kSecCertificateItemClass,
													   NULL, &searchItem);
		if (status != errSecSuccess)
		{
			throw status;
		}

		// loop through the certificates
		while (SecKeychainSearchCopyNext(searchItem, &itemRef) != errSecItemNotFound)
		{
			// copy the KeyChain item data into a CSSM_DATA struct - this will be the certs Der
			// data
			status = SecKeychainItemCopyContent(itemRef, NULL, NULL,
												reinterpret_cast<UInt32 *>(&certData.Length),
												reinterpret_cast<void **>(&certData.Data));

			if (status != errSecSuccess)
			{
				throw status;
			}

			// create a Qt byte array from the data - the data is NOT copied
			const QByteArray byteArray = QByteArray::fromRawData(
				reinterpret_cast<const char *>(certData.Data), certData.Length);

			// create a Qt certificate from the data and add it to the list
			QSslCertificate qtCert(byteArray, QSsl::Der);
			qDebug() << "COMMON NAME: "
					 << qtCert.issuerInfo(QSslCertificate::CommonName).join('\n')
					 << " ORG NAME: "
					 << qtCert.issuerInfo(QSslCertificate::Organization).join('\n');

			qtCerts << qtCert;
		}
	}
	catch (OSStatus status)
	{
		CFStringRef errorMessage = SecCopyErrorMessageString(status, NULL);
		std::cerr << CFStringGetCStringPtr(errorMessage, kCFStringEncodingMacRoman)
				  << std::endl;
		SafeCFRelease(errorMessage);
	}

	SecKeychainItemFreeContent(NULL, certData.Data);
	SafeCFRelease(itemRef);
	SafeCFRelease(searchItem);
	SafeCFRelease(certsKeyChain);

	return qtCerts;
}

void RebuildQtCertificates()
{
	const QList<QSslCertificate> existingCerts = QSslSocket::defaultCaCertificates();
	QList<QSslCertificate> certs = LoadCertificatesFromKeyChain();
	certs += LoadCertificatesFromKeyChain(
		"/System/Library/Keychains/SystemRootCertificates.keychain");

	Q_FOREACH (const QSslCertificate qtCert, certs)
	{
		if (!existingCerts.contains(qtCert))
		{
			qDebug() << "cert not known to Qt - adding";
			qDebug() << "COMMON NAME: "
					 << qtCert.issuerInfo(QSslCertificate::CommonName).join('\n')
					 << " ORG NAME: "
					 << qtCert.issuerInfo(QSslCertificate::Organization).join('\n');

			QSslSocket::addDefaultCaCertificate(qtCert);
		}
	}
}