api/3.10/qgsauthcertificateinfo_8cpp_source.html

 /***************************************************************************
     qgsauthcertificateinfo.cpp
     ---------------------
     begin                : April 26, 2015
     copyright            : (C) 2015 by Boundless Spatial, Inc. USA
     author               : Larry Shaffer
     email                : lshaffer at boundlessgeo dot com
  ***************************************************************************
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
  *   it under the terms of the GNU General Public License as published by  *
  *   the Free Software Foundation; either version 2 of the License, or     *
  *   (at your option) any later version.                                   *
  *                                                                         *
  ***************************************************************************/


 #include "qgsauthcertificateinfo.h"
 #include "ui_qgsauthcertificateinfo.h"

 #include <QtCrypto>
 #include <QDialogButtonBox>
 #include <QLineEdit>
 #include <QPlainTextEdit>
 #include <QPushButton>
 #include <QTextEdit>

 #include "qgsapplication.h"
 #include "qgsauthcertutils.h"
 #include "qgsauthguiutils.h"
 #include "qgsauthmanager.h"
 #include "qgslogger.h"


 static void setItemBold_( QTreeWidgetItem *item )
 {
   item->setFirstColumnSpanned( true );
   QFont secf( item->font( 0 ) );
   secf.setBold( true );
   item->setFont( 0, secf );
 }

 static void removeChildren_( QTreeWidgetItem *item )
 {
   const auto constTakeChildren = item->takeChildren();
   for ( QTreeWidgetItem *child : constTakeChildren )
   {
     delete child;
   }
 }

 QgsAuthCertInfo::QgsAuthCertInfo( const QSslCertificate &cert,
                                   bool manageCertTrust,
                                   QWidget *parent,
                                   const QList<QSslCertificate> &connectionCAs )
   : QWidget( parent )
   , mConnectionCAs( connectionCAs )
   , mDefaultItemForeground( QBrush() )
   , mManageTrust( manageCertTrust )
   , mTrustCacheRebuilt( false )
   , mDefaultTrustPolicy( QgsAuthCertUtils::DefaultTrust )
   , mCurrentTrustPolicy( QgsAuthCertUtils::DefaultTrust )

 {
   if ( QgsApplication::authManager()->isDisabled() )
   {
     mAuthNotifyLayout = new QVBoxLayout;
     this->setLayout( mAuthNotifyLayout );
     mAuthNotify = new QLabel( QgsApplication::authManager()->disabledMessage(), this );
     mAuthNotifyLayout->addWidget( mAuthNotify );
   }
   else
   {
     setupUi( this );
     connect( btnSaveTrust, &QToolButton::clicked, this, &QgsAuthCertInfo::btnSaveTrust_clicked );

     lblError->setHidden( true );

     treeHierarchy->setRootIsDecorated( false );

     connect( treeHierarchy, &QTreeWidget::currentItemChanged,
              this, &QgsAuthCertInfo::currentCertItemChanged );

     mCaCertsCache = QgsApplication::authManager()->caCertsCache();

     setUpCertDetailsTree();

     grpbxTrust->setVisible( mManageTrust );

     // trust policy is still queried, even if not managing the policy, so public getter will work
     mDefaultTrustPolicy = QgsApplication::authManager()->defaultCertTrustPolicy();
     mCurrentTrustPolicy = QgsAuthCertUtils::DefaultTrust;

     bool res;
     res = populateQcaCertCollection();
     if ( res )
       res = setQcaCertificate( cert );
     if ( res )
       res = populateCertChain();
     if ( res )
       setCertHierarchy();

     connect( cmbbxTrust, static_cast<void ( QComboBox::* )( int )>( &QComboBox::currentIndexChanged ),
              this, &QgsAuthCertInfo::currentPolicyIndexChanged );
   }
 }

 void QgsAuthCertInfo::setupError( const QString &msg )
 {
   lblError->setVisible( true );
   QString out = tr( "<b>Setup ERROR:</b>\n\n" );
   out += msg;
   lblError->setText( out );
   lblError->setStyleSheet( QgsAuthGuiUtils::redTextStyleSheet() );
 }

 void QgsAuthCertInfo::currentCertItemChanged( QTreeWidgetItem *current, QTreeWidgetItem *previous )
 {
   Q_UNUSED( previous )
   updateCurrentCert( current );
 }

 void QgsAuthCertInfo::updateCurrentCert( QTreeWidgetItem *item )
 {
   if ( !item )
     item = treeHierarchy->currentItem();
   if ( !item )
     return;

   int indx( item->data( 0, Qt::UserRole ).toInt() );
   updateCurrentCertInfo( indx );
 }

 bool QgsAuthCertInfo::populateQcaCertCollection()
 {
   const QList<QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > &certpairs( mCaCertsCache.values() );
   for ( int i = 0; i < certpairs.size(); ++i )
   {
     QCA::ConvertResult res;
     QCA::Certificate acert = QCA::Certificate::fromPEM( certpairs.at( i ).second.toPem(), &res, QStringLiteral( "qca-ossl" ) );
     if ( res == QCA::ConvertGood && !acert.isNull() )
     {
       mCaCerts.addCertificate( acert );
     }
   }
   if ( !mConnectionCAs.isEmpty() )
   {
     const auto constMConnectionCAs = mConnectionCAs;
     for ( const QSslCertificate &cert : constMConnectionCAs )
     {
       QCA::ConvertResult res;
       QCA::Certificate acert = QCA::Certificate::fromPEM( cert.toPem(), &res, QStringLiteral( "qca-ossl" ) );
       if ( res == QCA::ConvertGood && !acert.isNull() )
       {
         mCaCerts.addCertificate( acert );
       }
     }
   }

   if ( mCaCerts.certificates().empty() )
   {
     setupError( tr( "Could not populate QCA certificate collection" ) );
     return false;
   }
   return true;
 }

 bool QgsAuthCertInfo::setQcaCertificate( const QSslCertificate &cert )
 {
   QCA::ConvertResult res;
   mCert = QCA::Certificate::fromPEM( cert.toPem(), &res, QStringLiteral( "qca-ossl" ) );
   if ( res != QCA::ConvertGood || mCert.isNull() )
   {
     setupError( tr( "Could not set QCA certificate" ) );
     return false;
   }
   return true;
 }

 bool QgsAuthCertInfo::populateCertChain()
 {
   QCA::CertificateChain certchain( mCert );
   QCA::Validity valid;
   mACertChain = certchain.complete( mCaCerts.certificates(), &valid );
   if ( valid != QCA::ValidityGood && valid != QCA::ErrorInvalidCA )
   {
     // invalid CAs are skipped to allow an incomplete chain
     setupError( tr( "Invalid population of QCA certificate chain.<br><br>"
                     "Validity message: %1" ).arg( QgsAuthCertUtils::qcaValidityMessage( valid ) ) );
     return false;
   }

   if ( mACertChain.isEmpty() )
   {
     QgsDebugMsg( QStringLiteral( "Could not populate QCA certificate chain" ) );
     mACertChain = certchain;
   }

   if ( !mACertChain.last().isSelfSigned() )
   {
     // chain is incomplete, add null certificate to signify local missing parent CA
     mACertChain.append( QCA::Certificate() );
   }

   // mirror chain to QSslCertificate
   const auto constMACertChain = mACertChain;
   for ( QCA::Certificate cert : constMACertChain )
   {
     QSslCertificate qcert;
     if ( !cert.isNull() )
     {
       qcert = QSslCertificate( cert.toPEM().toLatin1() );
     }
     mQCertChain.append( qcert );
   }
   return true;
 }

 void QgsAuthCertInfo::setCertHierarchy()
 {
   QListIterator<QSslCertificate> it( mQCertChain );
   it.toBack();
   int i = mQCertChain.size();
   QTreeWidgetItem *item = nullptr;
   QTreeWidgetItem *previtem = nullptr;
   while ( it.hasPrevious() )
   {
     QSslCertificate cert( it.previous() );
     bool missingCA = cert.isNull();
     QString cert_source;
     if ( missingCA && it.hasPrevious() )
     {
       cert_source = QgsAuthCertUtils::resolvedCertName( it.peekPrevious(), true );
       cert_source += QStringLiteral( " (%1)" ).arg( tr( "Missing CA" ) );
     }
     else
     {
       cert_source = QgsAuthCertUtils::resolvedCertName( cert );
       QString sha = QgsAuthCertUtils::shaHexForCert( cert );
       if ( mCaCertsCache.contains( sha ) )
       {
         const QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate > &certpair( mCaCertsCache.value( sha ) );
         cert_source += QStringLiteral( " (%1)" ).arg( QgsAuthCertUtils::getCaSourceName( certpair.first, true ) );
       }
       else if ( mConnectionCAs.contains( cert ) )
       {
         cert_source += QStringLiteral( " (%1)" )
                        .arg( QgsAuthCertUtils::getCaSourceName( QgsAuthCertUtils::Connection, true ) );
       }
     }

     if ( !previtem )
     {
       item = new QTreeWidgetItem( treeHierarchy, QStringList() << cert_source );
     }
     else
     {
       item = new QTreeWidgetItem( previtem, QStringList() << cert_source );
     }
     if ( missingCA && it.hasPrevious() )
     {
       item->setFlags( Qt::ItemIsEnabled | Qt::ItemIsSelectable );
     }

     item->setData( 0, Qt::UserRole, --i );

     if ( mDefaultItemForeground.style() == Qt::NoBrush )
     {
       mDefaultItemForeground = item->foreground( 0 );
     }

     decorateCertTreeItem( cert, QgsApplication::authManager()->certificateTrustPolicy( cert ), item );

     item->setFirstColumnSpanned( true );
     if ( !previtem )
       treeHierarchy->addTopLevelItem( item );
     previtem = item;
   }
   treeHierarchy->setCurrentItem( item, 0, QItemSelectionModel::ClearAndSelect );
   treeHierarchy->expandAll();
 }

 void QgsAuthCertInfo::updateCurrentCertInfo( int chainindx )
 {
   btnSaveTrust->setEnabled( false );

   mCurrentQCert = mQCertChain.at( chainindx );
   mCurrentACert = mACertChain.at( chainindx );

   if ( mManageTrust )
   {
     grpbxTrust->setHidden( mCurrentQCert.isNull() );
   }

   if ( !mCurrentQCert.isNull() )
   {
     QgsAuthCertUtils::CertTrustPolicy trustpolicy( QgsApplication::authManager()->certificateTrustPolicy( mCurrentQCert ) );
     mCurrentTrustPolicy = trustpolicy;

     cmbbxTrust->setTrustPolicy( trustpolicy );
     if ( !QgsAuthCertUtils::certIsViable( mCurrentQCert ) )
     {
       cmbbxTrust->setDefaultTrustPolicy( QgsAuthCertUtils::Untrusted );
     }
   }

   populateCertInfo();
 }

 void QgsAuthCertInfo::setUpCertDetailsTree()
 {
   treeDetails->setColumnCount( 2 );
   treeDetails->setHeaderLabels( QStringList() << tr( "Field" ) << tr( "Value" ) );
   treeDetails->setColumnWidth( 0, 200 );

   QTreeWidgetItem *headeritem = treeDetails->headerItem();
   headeritem->setTextAlignment( 0, Qt::AlignRight );
   headeritem->setTextAlignment( 1, Qt::AlignLeft );

   treeDetails->setRootIsDecorated( true );
   treeDetails->setWordWrap( true );

   // add root items
   mSecGeneral = new QTreeWidgetItem(
     treeDetails,
     QStringList( tr( "General" ) ),
     static_cast<int>( DetailsSection ) );
   setItemBold_( mSecGeneral );
   mSecGeneral->setFirstColumnSpanned( true );
   mSecGeneral->setFlags( Qt::ItemIsEnabled );
   mSecGeneral->setExpanded( true );
   treeDetails->insertTopLevelItem( 0, mSecGeneral );

   mSecDetails = new QTreeWidgetItem(
     treeDetails,
     QStringList( tr( "Details" ) ),
     static_cast<int>( DetailsSection ) );
   setItemBold_( mSecDetails );
   mSecDetails->setFirstColumnSpanned( true );
   mSecDetails->setFlags( Qt::ItemIsEnabled );
   mSecDetails->setExpanded( false );
   treeDetails->insertTopLevelItem( 0, mSecDetails );

   // add details groups
   mGrpSubj = addGroupItem( mSecDetails, tr( "Subject Info" ) );
   mGrpIssu = addGroupItem( mSecDetails, tr( "Issuer Info" ) );
   mGrpCert = addGroupItem( mSecDetails, tr( "Certificate Info" ) );
   mGrpPkey = addGroupItem( mSecDetails, tr( "Public Key Info" ) );
   mGrpExts = addGroupItem( mSecDetails, tr( "Extensions" ) );

   mSecPemText = new QTreeWidgetItem(
     treeDetails,
     QStringList( tr( "PEM Text" ) ),
     static_cast<int>( DetailsSection ) );
   setItemBold_( mSecPemText );
   mSecPemText->setFirstColumnSpanned( true );
   mSecPemText->setFlags( Qt::ItemIsEnabled );
   mSecPemText->setExpanded( false );
   treeDetails->insertTopLevelItem( 0, mSecPemText );
 }

 void QgsAuthCertInfo::populateCertInfo()
 {
   mSecDetails->setHidden( false );
   mSecPemText->setHidden( false );

   populateInfoGeneralSection();
   populateInfoDetailsSection();
   populateInfoPemTextSection();
 }

 QTreeWidgetItem *QgsAuthCertInfo::addGroupItem( QTreeWidgetItem *parent, const QString &group )
 {
   QTreeWidgetItem *grpitem = new QTreeWidgetItem(
     parent,
     QStringList( group ),
     static_cast<int>( DetailsGroup ) );

   grpitem->setFirstColumnSpanned( true );
   grpitem->setFlags( Qt::ItemIsEnabled );
   grpitem->setExpanded( true );

   QBrush orgb( grpitem->foreground( 0 ) );
   orgb.setColor( QColor::fromRgb( 90, 90, 90 ) );
   grpitem->setForeground( 0, orgb );
   QFont grpf( grpitem->font( 0 ) );
   grpf.setItalic( true );
   grpitem->setFont( 0, grpf );

   return grpitem;
 }

 void QgsAuthCertInfo::addFieldItem( QTreeWidgetItem *parent, const QString &field, const QString &value,
                                     QgsAuthCertInfo::FieldWidget wdgt, const QColor &color )
 {
   if ( value.isEmpty() )
     return;

   QTreeWidgetItem *item = new QTreeWidgetItem(
     parent,
     QStringList() << field << ( wdgt == NoWidget ? value : QString() ),
     static_cast<int>( DetailsField ) );

   item->setTextAlignment( 0, Qt::AlignRight );
   item->setTextAlignment( 1, Qt::AlignLeft );

   QBrush fieldb( item->foreground( 0 ) );
   fieldb.setColor( QColor::fromRgb( 90, 90, 90 ) );
   item->setForeground( 0, fieldb );

   if ( wdgt == NoWidget )
   {
     if ( color.isValid() )
     {
       QBrush valueb( item->foreground( 1 ) );
       valueb.setColor( color );
       item->setForeground( 1, valueb );
     }
   }
   else if ( wdgt == LineEdit )
   {
     QLineEdit *le = new QLineEdit( value, treeDetails );
     le->setReadOnly( true );
     le->setAlignment( Qt::AlignLeft );
     le->setCursorPosition( 0 );
     if ( color.isValid() )
     {
       le->setStyleSheet( QStringLiteral( "QLineEdit { color: %1; }" ).arg( color.name() ) );
     }
     item->treeWidget()->setItemWidget( item, 1, le );
   }
   else if ( wdgt == TextEdit )
   {
     QPlainTextEdit *pte = new QPlainTextEdit( value, treeDetails );
     pte->setReadOnly( true );
     pte->setMinimumHeight( 75 );
     pte->setMaximumHeight( 75 );
     pte->moveCursor( QTextCursor::Start );
     if ( color.isValid() )
     {
       pte->setStyleSheet( QStringLiteral( "QPlainTextEdit { color: %1; }" ).arg( color.name() ) );
     }
     item->treeWidget()->setItemWidget( item, 1, pte );
   }

 }

 void QgsAuthCertInfo::populateInfoGeneralSection()
 {
   removeChildren_( mSecGeneral );

   if ( mCurrentQCert.isNull() )
   {
     addFieldItem( mSecGeneral, tr( "Type" ),
                   tr( "Missing CA (incomplete local CA chain)" ),
                   LineEdit );
     mSecGeneral->setExpanded( true );
     mSecDetails->setHidden( true );
     mSecPemText->setHidden( true );
     return;
   }

   QString certype;
   bool isselfsigned = mCurrentACert.isSelfSigned();
   QString selfsigned( tr( "self-signed" ) );

   QList<QgsAuthCertUtils::CertUsageType> usagetypes(
     QgsAuthCertUtils::certificateUsageTypes( mCurrentQCert ) );
   bool isca = usagetypes.contains( QgsAuthCertUtils::CertAuthorityUsage );
   bool isissuer = usagetypes.contains( QgsAuthCertUtils::CertIssuerUsage );
   bool issslserver = usagetypes.contains( QgsAuthCertUtils::TlsServerUsage );
   bool issslclient = usagetypes.contains( QgsAuthCertUtils::TlsClientUsage );

   if ( issslclient )
   {
     certype = QgsAuthCertUtils::certificateUsageTypeString( QgsAuthCertUtils::TlsClientUsage );
   }
   if ( issslserver )
   {
     certype = QgsAuthCertUtils::certificateUsageTypeString( QgsAuthCertUtils::TlsServerUsage );
   }
   if ( isissuer || ( isca && !isselfsigned ) )
   {
     certype = QgsAuthCertUtils::certificateUsageTypeString( QgsAuthCertUtils::CertIssuerUsage );
   }
   if ( ( isissuer || isca ) && isselfsigned )
   {
     certype = QStringLiteral( "%1 %2" )
               .arg( tr( "Root" ),
                     QgsAuthCertUtils::certificateUsageTypeString( QgsAuthCertUtils::CertAuthorityUsage ) );
   }
   if ( isselfsigned )
   {
     certype.append( certype.isEmpty() ? selfsigned : QStringLiteral( " (%1)" ).arg( selfsigned ) );
   }

   addFieldItem( mSecGeneral, tr( "Usage type" ),
                 certype,
                 LineEdit );
   addFieldItem( mSecGeneral, tr( "Subject" ),
                 QgsAuthCertUtils::resolvedCertName( mCurrentQCert ),
                 LineEdit );
   addFieldItem( mSecGeneral, tr( "Issuer" ),
                 QgsAuthCertUtils::resolvedCertName( mCurrentQCert, true ),
                 LineEdit );
   addFieldItem( mSecGeneral, tr( "Not valid after" ),
                 mCurrentQCert.expiryDate().toString(),
                 LineEdit,
                 mCurrentQCert.expiryDate() < QDateTime::currentDateTime() ? QgsAuthGuiUtils::redColor() : QColor() );

   QSslKey pubkey( mCurrentQCert.publicKey() );
   QString alg( pubkey.algorithm() == QSsl::Rsa ? "RSA" : "DSA" );
   int bitsize( pubkey.length() );
   addFieldItem( mSecGeneral, tr( "Public key" ),
                 QStringLiteral( "%1, %2 bits" ).arg( alg, bitsize == -1 ? QStringLiteral( "?" ) : QString::number( bitsize ) ),
                 LineEdit );
   addFieldItem( mSecGeneral, tr( "Signature algorithm" ),
                 QgsAuthCertUtils::qcaSignatureAlgorithm( mCurrentACert.signatureAlgorithm() ),
                 LineEdit );
 }

 void QgsAuthCertInfo::populateInfoDetailsSection()
 {
   removeChildren_( mGrpSubj );
   removeChildren_( mGrpIssu );
   removeChildren_( mGrpCert );
   removeChildren_( mGrpPkey );
   removeChildren_( mGrpExts );

   if ( mCurrentQCert.isNull() )
     return;

   // Subject Info
   addFieldItem( mGrpSubj, tr( "Country (C)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::CountryName ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "State/Province (ST)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::StateOrProvinceName ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Locality (L)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::LocalityName ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Organization (O)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::Organization ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Organizational unit (OU)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::OrganizationalUnitName ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Common name (CN)" ),
                 SSL_SUBJECT_INFO( mCurrentQCert, QSslCertificate::CommonName ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Email address (E)" ),
                 mCurrentACert.subjectInfo().value( QCA::Email ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Distinguished name" ),
                 QgsAuthCertUtils::getCertDistinguishedName( mCurrentQCert, mCurrentACert, false ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Email Legacy" ),
                 mCurrentACert.subjectInfo().value( QCA::EmailLegacy ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Incorporation Country" ),
                 mCurrentACert.subjectInfo().value( QCA::IncorporationCountry ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Incorporation State/Province" ),
                 mCurrentACert.subjectInfo().value( QCA::IncorporationState ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "Incorporation Locality" ),
                 mCurrentACert.subjectInfo().value( QCA::IncorporationLocality ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "URI" ),
                 mCurrentACert.subjectInfo().value( QCA::URI ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "DNS" ),
                 mCurrentACert.subjectInfo().value( QCA::DNS ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "IP Address" ),
                 mCurrentACert.subjectInfo().value( QCA::IPAddress ),
                 LineEdit );
   addFieldItem( mGrpSubj, tr( "XMPP" ),
                 mCurrentACert.subjectInfo().value( QCA::XMPP ),
                 LineEdit );

   QMultiMap<QSsl::AlternateNameEntryType, QString> alts( mCurrentQCert.alternateSubjectNames() );
   QStringList altslist;
   QString email( tr( "Email: " ) );
   QStringList emails( alts.values( QSsl::EmailEntry ) );
   if ( !emails.isEmpty() )
   {
     altslist << email + emails.join( '\n' + email );
   }
   QString dns( tr( "DNS: " ) );
   QStringList dnss( alts.values( QSsl::DnsEntry ) );
   if ( !dnss.isEmpty() )
   {
     altslist << dns + dnss.join( '\n' + dns );
   }
   addFieldItem( mGrpSubj, tr( "Alternate names" ),
                 altslist.join( QStringLiteral( "\n" ) ),
                 TextEdit );

   // Issuer Info
   addFieldItem( mGrpIssu, tr( "Country (C)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::CountryName ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "State/Province (ST)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::StateOrProvinceName ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Locality (L)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::LocalityName ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Organization (O)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::Organization ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Organizational unit (OU)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::OrganizationalUnitName ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Common name (CN)" ),
                 SSL_ISSUER_INFO( mCurrentQCert, QSslCertificate::CommonName ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Email address (E)" ),
                 mCurrentACert.issuerInfo().value( QCA::Email ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Distinguished name" ),
                 QgsAuthCertUtils::getCertDistinguishedName( mCurrentQCert, mCurrentACert, true ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Email Legacy" ),
                 mCurrentACert.issuerInfo().value( QCA::EmailLegacy ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Incorporation Country" ),
                 mCurrentACert.issuerInfo().value( QCA::IncorporationCountry ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Incorporation State/Province" ),
                 mCurrentACert.issuerInfo().value( QCA::IncorporationState ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "Incorporation Locality" ),
                 mCurrentACert.issuerInfo().value( QCA::IncorporationLocality ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "URI" ),
                 mCurrentACert.issuerInfo().value( QCA::URI ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "DNS" ),
                 mCurrentACert.issuerInfo().value( QCA::DNS ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "IP Address" ),
                 mCurrentACert.issuerInfo().value( QCA::IPAddress ),
                 LineEdit );
   addFieldItem( mGrpIssu, tr( "XMPP" ),
                 mCurrentACert.issuerInfo().value( QCA::XMPP ),
                 LineEdit );

   // Certificate Info
   addFieldItem( mGrpCert, tr( "Version" ),
                 mCurrentQCert.version(),
                 LineEdit );
   addFieldItem( mGrpCert, tr( "Serial #" ),
                 mCurrentQCert.serialNumber(),
                 LineEdit );
   addFieldItem( mGrpCert, tr( "Not valid before" ),
                 mCurrentQCert.effectiveDate().toString(),
                 LineEdit,
                 mCurrentQCert.effectiveDate() > QDateTime::currentDateTime() ? QgsAuthGuiUtils::redColor() : QColor() );
   addFieldItem( mGrpCert, tr( "Not valid after" ),
                 mCurrentQCert.expiryDate().toString(),
                 LineEdit,
                 mCurrentQCert.expiryDate() < QDateTime::currentDateTime() ? QgsAuthGuiUtils::redColor() : QColor() );
   addFieldItem( mGrpCert, tr( "Signature algorithm" ),
                 QgsAuthCertUtils::qcaSignatureAlgorithm( mCurrentACert.signatureAlgorithm() ),
                 LineEdit );
   addFieldItem( mGrpCert, tr( "MD5 fingerprint" ),
                 QgsAuthCertUtils::getColonDelimited( mCurrentQCert.digest().toHex().toUpper() ),
                 LineEdit );
   addFieldItem( mGrpCert, tr( "SHA1 fingerprint" ),
                 QgsAuthCertUtils::shaHexForCert( mCurrentQCert, true ).toUpper(),
                 LineEdit );

   QStringList crllocs( mCurrentACert.crlLocations() );
   if ( !crllocs.isEmpty() )
   {
     addFieldItem( mGrpCert, tr( "CRL locations" ),
                   crllocs.join( QStringLiteral( "\n" ) ),
                   TextEdit );
   }
   QStringList issulocs( mCurrentACert.issuerLocations() );
   if ( !issulocs.isEmpty() )
   {
     addFieldItem( mGrpCert, tr( "Issuer locations" ),
                   issulocs.join( QStringLiteral( "\n" ) ),
                   TextEdit );
   }
   QStringList ocsplocs( mCurrentACert.ocspLocations() );
   if ( !ocsplocs.isEmpty() )
   {
     addFieldItem( mGrpCert, tr( "OCSP locations" ),
                   ocsplocs.join( QStringLiteral( "\n" ) ),
                   TextEdit );
   }

   // Public Key Info
   // TODO: handle ECC (Elliptic Curve) keys when Qt supports them
   QSslKey pubqkey( mCurrentQCert.publicKey() );
   QString alg( pubqkey.algorithm() == QSsl::Rsa ? "RSA" : "DSA" );
   int bitsize( pubqkey.length() );
   addFieldItem( mGrpPkey, tr( "Algorithm" ),
                 bitsize == -1 ? QStringLiteral( "Unknown (possibly Elliptic Curve)" ) : alg,
                 LineEdit );
   addFieldItem( mGrpPkey, tr( "Key size" ),
                 bitsize == -1 ? QStringLiteral( "?" ) : QString::number( bitsize ),
                 LineEdit );
   if ( bitsize > 0 ) // ECC keys unsupported by Qt/QCA, so returned key size is 0
   {
     QCA::PublicKey pubakey( mCurrentACert.subjectPublicKey() );

     if ( pubqkey.algorithm() == QSsl::Rsa )
     {
       QCA::RSAPublicKey rsakey( pubakey.toRSA() );
       QCA::BigInteger modulus = rsakey.n();
       QByteArray modarray( modulus.toArray().toByteArray().toHex() );
       if ( modarray.size() > 2 && modarray.mid( 0, 2 ) == QByteArray( "00" ) )
       {
         modarray = modarray.mid( 2 );
       }
       QCA::BigInteger exponent = rsakey.e();
       addFieldItem( mGrpPkey, tr( "Public key" ),
                     QgsAuthCertUtils::getColonDelimited( modarray ).toUpper(),
                     TextEdit );
       addFieldItem( mGrpPkey, tr( "Exponent" ),
                     exponent.toString(),
                     LineEdit );
     }
     // TODO: how is DSA textually represented using QCA?
     // QCA::DSAPublicKey dsakey( pubakey.toDSA() );

     // TODO: how to get the signature and show it as hex?
     //  addFieldItem( mGrpPkey, tr( "Signature" ),
     //                mCurrentACert.???.toHex(),
     //                TextEdit );

     // key usage
     QStringList usage;
     if ( pubakey.canVerify() )
     {
       usage.append( tr( "Verify" ) );
     }

     // TODO: these two seem to always show up, why?
     if ( pubakey.canEncrypt() )
     {
       usage.append( tr( "Encrypt" ) );
     }
 #if QCA_VERSION >= 0x020100
     if ( pubakey.canDecrypt() )
     {
       usage.append( tr( "Decrypt" ) );
     }
 #endif
     if ( pubakey.canKeyAgree() )
     {
       usage.append( tr( "Key agreement" ) );
     }
     if ( pubakey.canExport() )
     {
       usage.append( tr( "Export" ) );
     }
     if ( !usage.isEmpty() )
     {
       addFieldItem( mGrpPkey, tr( "Key usage" ),
                     usage.join( QStringLiteral( ", " ) ),
                     LineEdit );
     }
   }

   // Extensions
   QStringList basicconst;
   basicconst << tr( "Certificate Authority: %1" ).arg( mCurrentACert.isCA() ? tr( "Yes" ) : tr( "No" ) )
              << tr( "Chain Path Limit: %1" ).arg( mCurrentACert.pathLimit() );
   addFieldItem( mGrpExts, tr( "Basic constraints" ),
                 basicconst.join( QStringLiteral( "\n" ) ),
                 TextEdit );

   QStringList keyusage;
   QStringList extkeyusage;
   QList<QCA::ConstraintType> certconsts = mCurrentACert.constraints();
   const auto constCertconsts = certconsts;
   for ( const QCA::ConstraintType &certconst : constCertconsts )
   {
     if ( certconst.section() == QCA::ConstraintType::KeyUsage )
     {
       keyusage.append( QgsAuthCertUtils::qcaKnownConstraint( certconst.known() ) );
     }
     else if ( certconst.section() == QCA::ConstraintType::ExtendedKeyUsage )
     {
       extkeyusage.append( QgsAuthCertUtils::qcaKnownConstraint( certconst.known() ) );
     }
   }
   if ( !keyusage.isEmpty() )
   {
     addFieldItem( mGrpExts, tr( "Key usage" ),
                   keyusage.join( QStringLiteral( "\n" ) ),
                   TextEdit );
   }
   if ( !extkeyusage.isEmpty() )
   {
     addFieldItem( mGrpExts, tr( "Extended key usage" ),
                   extkeyusage.join( QStringLiteral( "\n" ) ),
                   TextEdit );
   }

   addFieldItem( mGrpExts, tr( "Subject key ID" ),
                 QgsAuthCertUtils::getColonDelimited( mCurrentACert.subjectKeyId().toHex() ).toUpper(),
                 LineEdit );
   addFieldItem( mGrpExts, tr( "Authority key ID" ),
                 QgsAuthCertUtils::getColonDelimited( mCurrentACert.issuerKeyId().toHex() ).toUpper(),
                 LineEdit );
 }

 void QgsAuthCertInfo::populateInfoPemTextSection()
 {
   removeChildren_( mSecPemText );

   if ( mCurrentQCert.isNull() )
     return;

   QTreeWidgetItem *item = new QTreeWidgetItem(
     mSecPemText,
     QStringList( QString() ),
     static_cast<int>( DetailsField ) );

   item->setFirstColumnSpanned( true );

   QPlainTextEdit *pte = new QPlainTextEdit( mCurrentQCert.toPem(), treeDetails );
   pte->setReadOnly( true );
   pte->setMinimumHeight( 150 );
   pte->setMaximumHeight( 150 );
   pte->moveCursor( QTextCursor::Start );
   item->treeWidget()->setItemWidget( item, 0, pte );
 }

 void QgsAuthCertInfo::btnSaveTrust_clicked()
 {
   QgsAuthCertUtils::CertTrustPolicy newpolicy( cmbbxTrust->trustPolicy() );
   if ( !QgsApplication::authManager()->storeCertTrustPolicy( mCurrentQCert, newpolicy ) )
   {
     QgsDebugMsg( QStringLiteral( "Could not set trust policy for certificate" ) );
   }
   mCurrentTrustPolicy = newpolicy;
   decorateCertTreeItem( mCurrentQCert, newpolicy, nullptr );
   btnSaveTrust->setEnabled( false );

   // rebuild trust cache
   QgsApplication::authManager()->rebuildCertTrustCache();
   mTrustCacheRebuilt = true;
   QgsApplication::authManager()->rebuildTrustedCaCertsCache();
 }

 void QgsAuthCertInfo::currentPolicyIndexChanged( int indx )
 {
   QgsAuthCertUtils::CertTrustPolicy newpolicy( cmbbxTrust->trustPolicyForIndex( indx ) );
   btnSaveTrust->setEnabled( newpolicy != mCurrentTrustPolicy );
 }

 void QgsAuthCertInfo::decorateCertTreeItem( const QSslCertificate &cert,
     QgsAuthCertUtils::CertTrustPolicy trustpolicy,
     QTreeWidgetItem *item )
 {
   if ( !item )
   {
     item = treeHierarchy->currentItem();
   }
   if ( !item )
   {
     return;
   }

   if ( cert.isNull() || trustpolicy == QgsAuthCertUtils::NoPolicy )
   {
     item->setIcon( 0, QgsApplication::getThemeIcon( QStringLiteral( "/mIconCertificateMissing.svg" ) ) );
     // missing CA, color gray and italicize
     QBrush b( item->foreground( 0 ) );
     b.setColor( QColor::fromRgb( 90, 90, 90 ) );
     item->setForeground( 0, b );
     QFont f( item->font( 0 ) );
     f.setItalic( true );
     item->setFont( 0, f );
     return;
   }

   if ( !QgsAuthCertUtils::certIsViable( cert ) )
   {
     item->setIcon( 0, QgsApplication::getThemeIcon( QStringLiteral( "/mIconCertificateUntrusted.svg" ) ) );
     return;
   }

   if ( trustpolicy == QgsAuthCertUtils::Trusted )
   {
     item->setIcon( 0, QgsApplication::getThemeIcon( QStringLiteral( "/mIconCertificateTrusted.svg" ) ) );
   }
   else if ( trustpolicy == QgsAuthCertUtils::Untrusted
             || ( trustpolicy == QgsAuthCertUtils::DefaultTrust
                  && mDefaultTrustPolicy == QgsAuthCertUtils::Untrusted ) )
   {
     item->setIcon( 0, QgsApplication::getThemeIcon( QStringLiteral( "/mIconCertificateUntrusted.svg" ) ) );
   }
   else
   {
     item->setIcon( 0, QgsApplication::getThemeIcon( QStringLiteral( "/mIconCertificate.svg" ) ) );
   }
 }


 QgsAuthCertInfoDialog::QgsAuthCertInfoDialog( const QSslCertificate &cert,
     bool manageCertTrust,
     QWidget *parent,
     const QList<QSslCertificate> &connectionCAs )
   : QDialog( parent )

 {
   setWindowTitle( tr( "Certificate Information" ) );
   QVBoxLayout *layout = new QVBoxLayout( this );
   layout->setMargin( 6 );

   mCertInfoWdgt = new QgsAuthCertInfo( cert, manageCertTrust, this, connectionCAs );
   layout->addWidget( mCertInfoWdgt );

   QDialogButtonBox *buttonBox = new QDialogButtonBox( QDialogButtonBox::Close,
       Qt::Horizontal, this );
   buttonBox->button( QDialogButtonBox::Close )->setDefault( true );
   connect( buttonBox, &QDialogButtonBox::rejected, this, &QWidget::close );
   layout->addWidget( buttonBox );

   setLayout( layout );
 }

QgsAuthManager::rebuildTrustedCaCertsCache
bool rebuildTrustedCaCertsCache()
Rebuild trusted certificate authorities cache.
Definition: qgsauthmanager.cpp:2890

QgsAuthCertUtils::certificateUsageTypeString
static QString certificateUsageTypeString(QgsAuthCertUtils::CertUsageType usagetype)
Certificate usage type strings per enum.
Definition: qgsauthcertutils.cpp:901

QgsAuthCertInfo::QgsAuthCertInfo
QgsAuthCertInfo(const QSslCertificate &cert, bool manageCertTrust=false, QWidget *parent=nullptr, const QList< QSslCertificate > &connectionCAs=QList< QSslCertificate >())
Constructor for QgsAuthCertInfo.
Definition: qgsauthcertificateinfo.cpp:52

qgsauthmanager.h

QgsAuthCertUtils::Untrusted
Definition: qgsauthcertutils.h:57

QgsAuthCertUtils::qcaKnownConstraint
static QString qcaKnownConstraint(QCA::ConstraintTypeKnown constraint)
Certificate well-known constraint strings per enum.
Definition: qgsauthcertutils.cpp:856

QgsDebugMsg
#define QgsDebugMsg(str)
Definition: qgslogger.h:38

qgsauthcertificateinfo.h

QgsAuthCertUtils::TlsServerUsage
Definition: qgsauthcertutils.h:68

QgsAuthCertInfo
Widget for viewing detailed info on a certificate and its hierarchical trust chain.
Definition: qgsauthcertificateinfo.h:39

QgsApplication::getThemeIcon
static QIcon getThemeIcon(const QString &name)
Helper to get a theme icon.
Definition: qgsapplication.cpp:577

QgsAuthCertUtils::certificateUsageTypes
static QList< QgsAuthCertUtils::CertUsageType > certificateUsageTypes(const QSslCertificate &cert)
Try to determine the certificates usage types.
Definition: qgsauthcertutils.cpp:931

qgsauthcertutils.h

QgsAuthCertUtils
Utilities for working with certificates and keys.
Definition: qgsauthcertutils.h:40

QgsAuthCertUtils::TlsClientUsage
Definition: qgsauthcertutils.h:70

QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:550

QgsAuthCertUtils::certIsViable
static bool certIsViable(const QSslCertificate &cert)
certIsViable checks for viability errors of cert and whether it is NULL
Definition: qgsauthcertutils.cpp:1295

QgsAuthGuiUtils::redColor
static QColor redColor()
Red color representing invalid, untrusted, etc. certificate.
Definition: qgsauthguiutils.cpp:41

QgsAuthCertUtils::NoPolicy
Definition: qgsauthcertutils.h:58

QgsAuthCertUtils::Connection
Definition: qgsauthcertutils.h:49

QgsAuthCertUtils::getCertDistinguishedName
static QString getCertDistinguishedName(const QSslCertificate &qcert, const QCA::Certificate &acert=QCA::Certificate(), bool issuer=false)
Gets combined distinguished name for certificate.
Definition: qgsauthcertutils.cpp:660

qgsapplication.h

qgsauthguiutils.h

QgsAuthCertUtils::CertIssuerUsage
Definition: qgsauthcertutils.h:67

QgsAuthCertInfoDialog::QgsAuthCertInfoDialog
QgsAuthCertInfoDialog(const QSslCertificate &cert, bool manageCertTrust, QWidget *parent=nullptr, const QList< QSslCertificate > &connectionCAs=QList< QSslCertificate >())
Construct a dialog displaying detailed info on a certificate and its hierarchical trust chain...
Definition: qgsauthcertificateinfo.cpp:911

QgsAuthCertUtils::Trusted
Definition: qgsauthcertutils.h:56

QgsAuthManager::storeCertTrustPolicy
bool storeCertTrustPolicy(const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy)
Store user trust value for a certificate.
Definition: qgsauthmanager.cpp:2625

QgsAuthCertUtils::shaHexForCert
static QString shaHexForCert(const QSslCertificate &cert, bool formatted=false)
Gets the sha1 hash for certificate.
Definition: qgsauthcertutils.cpp:738

QgsApplication::authManager
static QgsAuthManager * authManager()
Returns the application&#39;s authentication manager instance.
Definition: qgsapplication.cpp:1231

QgsAuthGuiUtils::redTextStyleSheet
static QString redTextStyleSheet(const QString &selector="*")
Red text stylesheet representing invalid, untrusted, etc. certificate.
Definition: qgsauthguiutils.cpp:61

QgsAuthCertUtils::CertAuthorityUsage
Definition: qgsauthcertutils.h:66

SSL_SUBJECT_INFO
#define SSL_SUBJECT_INFO(var, prop)
Definition: qgsauthcertutils.h:34

QgsAuthCertUtils::qcaSignatureAlgorithm
static QString qcaSignatureAlgorithm(QCA::SignatureAlgorithm algorithm)
Certificate signature algorithm strings per enum.
Definition: qgsauthcertutils.cpp:825

QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:53

QgsAuthCertUtils::getColonDelimited
static QString getColonDelimited(const QString &txt)
Gets string with colon delimiters every 2 characters.
Definition: qgsauthcertutils.cpp:725

QgsAuthManager::defaultCertTrustPolicy
QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy()
Gets the default certificate trust policy preferred by user.
Definition: qgsauthmanager.cpp:2785

QgsAuthCertUtils::DefaultTrust
Definition: qgsauthcertutils.h:55

SSL_ISSUER_INFO
#define SSL_ISSUER_INFO(var, prop)
Definition: qgsauthcertutils.h:32

QgsAuthCertUtils::getCaSourceName
static QString getCaSourceName(QgsAuthCertUtils::CaCertSource source, bool single=false)
Gets the general name for CA source enum type.
Definition: qgsauthcertutils.cpp:598

QgsAuthCertUtils::resolvedCertName
static QString resolvedCertName(const QSslCertificate &cert, bool issuer=false)
Gets the general name via RFC 5280 resolution.
Definition: qgsauthcertutils.cpp:615

QgsAuthCertUtils::qcaValidityMessage
static QString qcaValidityMessage(QCA::Validity validity)
Certificate validity check messages per enum.
Definition: qgsauthcertutils.cpp:792

QgsAuthManager::rebuildCertTrustCache
bool rebuildCertTrustCache()
Rebuild certificate authority cache.
Definition: qgsauthmanager.cpp:2796

qgslogger.h