How to perform successful SSL encryption with pkcs12/pfx in Qt on Mac OSX?


Question


Novice to Qt and developing a cross platform app, which requires SSL authentication from the server as well as client sides. The .pem based encryption is working on Linux, Android, Windows. However there are problems with Mac OSX. Our code looks like below:

#include <QFile>
#include <QSslKey>
#include <QSslSocket>

// Member calls on a QSslSocket; Certificate.pem holds the certificate followed by the private key
QFile privateKeyFile(":/Certificate.pem");
privateKeyFile.open(QIODevice::ReadOnly | QIODevice::Text);
setLocalCertificateChain(QSslCertificate::fromPath(":/Certificate.pem", QSsl::Pem));
setPrivateKey(QSslKey(privateKeyFile.readAll(), QSsl::Rsa));   // encoding defaults to QSsl::Pem


In the above code privateKey().isNull() returns true for Mac. When we referred to this post, it says that Mac doesn't support .pem based encryption.


The Secure Transport back-end to curl only supports client IDs that are in PKCS#12 (P12) format; it does not support client IDs in PEM format because Apple does not allow us to create a security identity from an identity file in PEM format without using a private API. And we can't use the private API, because apps that use private API are not allowed in any of Apple's app stores.


With my limited understanding, I interpreted that .pem is not a good idea for SSL communication with the server. Please stop me if it's wrong!


Hence, we decided to move to .pfx for all the platforms. We already had a .pfx file with a passphrase. We converted above code to be compatible with .pfx (i.e. "Certificate.pfx", we had this old file along with "Certificate.pem"). Instead of QSsl::Pem, we tried QSsl::Der. But as expected, it didn't work. However, there was no encryption error either, but we are sure that we are doing something wrong. :-)


We referred to this post and tried to regenerate a .pfx from the .pem, but that also didn't help.
QSslCertificate::importPkcs12 fails to parse PFX file
In the above case, QSslCertificate::importPkcs12() returns false for the original .pfx file. Even if we generate a new .pfx from the command line, that also fails with the above function.


Question: Can someone help with the exact way of performing the .pfx encryption with the server?
.pem authentication is also fine.

Note:

  • The server supports both .pfx and .pem. We confirmed this using the regular C OpenSSL library, but we want to implement it with Qt.
  • Formats other than .pfx are welcome, as long as they work on all platforms.

Recommended answer


DISCLAIMER: I am writing this from the top of my mind, since I don't personally own a Mac and cannot verify it anymore.


We had this exact problem about a year or two ago at my last job. It all boils down to Apple dropping support for OpenSSL.


Because of that, Qt switched from the OpenSSL backend to the Secure Transport backend on Mac with Qt 5.6. Now the Secure Transport implementation is lacking some features. For example, we were not able to load private key pem-files. I think switching from PKCS#8 to PKCS#1 helped; both can be stored in .pem files and look almost identical, so that took a while to figure out.


We also noticed that a successfully loaded private key will be stored inside the Mac's key store and could be viewed and exported from there by the user, which we also did not want.


We finally went with re-compiling the QtNetwork module to use OpenSSL instead of Secure Transport. You will need to provide OpenSSL for that, since OSX does not include the headers anymore. A homebrew installation was sufficient I think. Other than that the compilation was surprisingly painless and fast, since you just have to compile one small module, not the whole Qt.

The easiest way is:

  1. download the source distribution of the Qt version you are running
  2. ./configure it to use OpenSSL (the -openssl switch I believe)
  3. cd into the network folder
  4. make
  5. copy the generated QtNetwork.framework inside your Qt installation and replace the existing one.

Everything works fine.
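The answer's observation that PKCS#1 and PKCS#8 private keys look almost identical inside a .pem file, and the question's Certificate.pem that bundles a certificate with its key, both come down to one check a practitioner wants before the bytes reach QSslKey: which block is the key, and which format is it really in? The following is an added example, not code from the question, the answer or Qt. It is standard C++ with no Qt or OpenSSL dependency: it splits a PEM file into its blocks, counts the certificates, and classifies the first private key both by its BEGIN label and by the DER structure behind the base64, so a label that disagrees with the encoding is caught as well. The names inspectPem, PemReport and KeyFormat and the sample PEM string are invented for this example; the sample base64 is a hand-built DER skeleton carrying only the leading structure the classifier inspects, not real key material.

```cpp
// Added example (standard C++17, no Qt or OpenSSL dependency): classify the
// private key in a PEM file as PKCS#1 or PKCS#8 by its BEGIN label and by its
// DER structure, and count the certificates stored alongside it.
#include <cstdint>
#include <string>
#include <vector>

enum class KeyFormat { None, Pkcs1Rsa, Pkcs8, Pkcs8Encrypted, Unknown };
struct PemBlock { std::string label; std::vector<std::uint8_t> der; };
struct PemReport {
    int certificates = 0;             // CERTIFICATE blocks found
    KeyFormat key = KeyFormat::None;  // format of the first private key, judged from its DER
    bool labelMatchesDer = true;      // false when the BEGIN label disagrees with the DER
};

// Minimal base64 decoder: skips whitespace, stops at '=' padding.
static std::vector<std::uint8_t> base64Decode(const std::string& in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<std::uint8_t> out;
    std::uint32_t buf = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        size_t v = tbl.find(c);
        if (v == std::string::npos) continue;
        buf = ((buf << 6) | static_cast<std::uint32_t>(v)) & 0xFFFF;
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<std::uint8_t>((buf >> bits) & 0xFF)); }
    }
    return out;
}

// Split PEM text into "-----BEGIN label----- ... -----END label-----" blocks.
static std::vector<PemBlock> parsePem(const std::string& text) {
    std::vector<PemBlock> blocks;
    const std::string begin = "-----BEGIN ";
    for (size_t pos = 0;;) {
        size_t b = text.find(begin, pos);
        if (b == std::string::npos) break;
        size_t ls = b + begin.size(), le = text.find("-----", ls);
        if (le == std::string::npos) break;
        std::string label = text.substr(ls, le - ls), endMarker = "-----END " + label + "-----";
        size_t e = text.find(endMarker, le + 5);
        if (e == std::string::npos) break;
        blocks.push_back({label, base64Decode(text.substr(le + 5, e - le - 5))});
        pos = e + endMarker.size();
    }
    return blocks;
}

// Read one DER tag/length header at `off` (definite-length form only).
static bool derHeader(const std::vector<std::uint8_t>& d, size_t& off, std::uint8_t& tag, size_t& len) {
    if (off + 2 > d.size()) return false;
    tag = d[off++];
    std::uint8_t first = d[off++];
    if (first < 0x80) { len = first; return true; }
    size_t n = first & 0x7F;
    if (n == 0 || n > 4 || off + n > d.size()) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | d[off++];
    return true;
}

// PKCS#1 RSAPrivateKey:           SEQUENCE { INTEGER version, INTEGER modulus, ... }
// PKCS#8 PrivateKeyInfo:          SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING }
// PKCS#8 EncryptedPrivateKeyInfo: SEQUENCE { SEQUENCE algorithm, OCTET STRING }
static KeyFormat classifyKeyDer(const std::vector<std::uint8_t>& der) {
    size_t off = 0, len = 0;
    std::uint8_t tag = 0;
    if (!derHeader(der, off, tag, len) || tag != 0x30) return KeyFormat::Unknown;
    if (!derHeader(der, off, tag, len)) return KeyFormat::Unknown;
    if (tag == 0x30) return KeyFormat::Pkcs8Encrypted;
    if (tag != 0x02) return KeyFormat::Unknown;
    off += len;  // skip the version INTEGER; the element after it decides
    if (!derHeader(der, off, tag, len)) return KeyFormat::Unknown;
    return tag == 0x02 ? KeyFormat::Pkcs1Rsa : tag == 0x30 ? KeyFormat::Pkcs8 : KeyFormat::Unknown;
}

PemReport inspectPem(const std::string& text) {
    PemReport r;
    for (const PemBlock& b : parsePem(text)) {
        if (b.label == "CERTIFICATE") { ++r.certificates; continue; }
        KeyFormat byLabel = b.label == "RSA PRIVATE KEY"       ? KeyFormat::Pkcs1Rsa
                          : b.label == "PRIVATE KEY"           ? KeyFormat::Pkcs8
                          : b.label == "ENCRYPTED PRIVATE KEY" ? KeyFormat::Pkcs8Encrypted
                                                               : KeyFormat::None;
        if (byLabel == KeyFormat::None || r.key != KeyFormat::None) continue;  // first key only
        r.key = classifyKeyDer(b.der);
        r.labelMatchesDer = (r.key == byLabel);
    }
    return r;
}

// Constructed sample input in the asker's layout (certificate + key): the base64
// is a hand-built DER skeleton with only the leading structure, not a usable key.
const std::string kPkcs1Pem =
    "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMAYCAQACAQU=\n-----END RSA PRIVATE KEY-----\n";
```

Run inspectPem over the bytes you are about to hand to QSslKey: on the Secure Transport backend a result of Pkcs8 for a key that QSslKey then reports as null points at the format mismatch the answer describes, and re-encoding the key as PKCS#1 (the traditional "RSA PRIVATE KEY" form, which openssl rsa emits by default before OpenSSL 3 and with -traditional on OpenSSL 3) is the first thing to try. A labelMatchesDer of false means the file was relabelled by hand and the DER inside is not what the header claims.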

