Problem in making custom root certificate store for SSL using QT?


Problem description

I am developing my custom browser in Qt using QWebView, and I am trying to make my own root cert store of trusted certificates which are taken from the Mozilla project.

I have used QSslSocket::setDefaultCaCertificates() to override the default certificates. But I am not able to load https://www.gmail.com, whereas in Mozilla it works.

I have set all required root certs for gmail in my store.

Can anyone guide me?

Recommended answer

The reason you can't connect is that the SSL certificate (with serial 2F:DF:BC:F6:AE:91:52:6D:0F:9A:A3:DF:40:34:3E:9A) presented to you when you connect to www.gmail.com is issued for a different domain, www.google.com. This has nothing to do with the root CA certificate store, because no root CA certificate is needed to compare the cert's Subject CN field with the host you are trying to connect to. You can ignore this and other SSL errors by calling

void QNetworkReply::ignoreSslErrors () [virtual slot]

To avoid this error you can connect directly to https://mail.google.com, which is the domain you are being redirected to when you try to connect to https://www.gmail.com.

Below is a working example which will show you the exact SSL errors and QNAM-level errors. Only one of line B1 or line B2 may be active at a time. You can comment out line A if you want to see what happens with the default (system) root CA certificate store. There are two certs used by this code: the CA cert with serial 30:00:00:02 should be placed in a file called ThawteSGCCA.crt, and the CA cert with serial 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF should be placed in a file called BuiltinObjectToken-VerisignClass3PublicPrimaryCertificationAuthority.crt.

#include <QtGui/QApplication>
#include <QtCore/QDebug>
#include <QtCore/QList>
#include <QtCore/QUrl>
#include <QtNetwork/QNetworkAccessManager>
#include <QtNetwork/QNetworkRequest>
#include <QtNetwork/QNetworkReply>
#include <QtNetwork/QSslCertificate>
#include <QtNetwork/QSslConfiguration>
#include <QtNetwork/QSslSocket>
#include <QtNetwork/QSslError>
#include <QtWebKit/QWebFrame>
#include <QtWebKit/QWebPage>


class Handler : public QObject{
    Q_OBJECT

public slots:

    void slotLoadFinished(bool ok) {
        if (ok) {
            qDebug() << "Page size: " << static_cast<QWebPage*>(sender())->mainFrame()->toHtml().size();
        }
    }

    void slotFinished(QNetworkReply * reply) {
        if (reply->error() == QNetworkReply::NoError) {
            qDebug() << "connected to " << reply->url();
            qDebug() << "HTTP status: " << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();

        } else {
            qDebug() << "error while connecting to " << reply->url();
            qDebug() << "error code: " << reply->error();
            qDebug() << "error string: " << reply->errorString();
        }
    }

    void slotSslErrors(QNetworkReply * reply, QList<QSslError> const & errors) {
        qDebug() << "SSL errors: " << errors;
        qDebug() << "peer's certificate: "
                 << reply->sslConfiguration().peerCertificate();
    }

};


int main(int argc, char *argv[])
{
    QApplication app(argc, argv);
    Handler handler;

    // CA certs for:
    // 1. cert with Subject.CN == mail.google.com cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
    // 2. cert with Subject.CN == www.google.com cert with serial 2F:DF:BC:F6:AE:91:52:6D:0F:9A:A3:DF:40:34:3E:9A
    QList<QSslCertificate> CAcerts =
            // serial 30:00:00:02
            QSslCertificate::fromPath("ThawteSGCCA.crt") +
            // serial 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
            QSslCertificate::fromPath("BuiltinObjectToken-VerisignClass3PublicPrimaryCertificationAuthority.crt");

    qDebug() << "root CA certificates:\n"
             << CAcerts
             << "\n";
    QSslSocket::setDefaultCaCertificates(CAcerts); // line A

    QWebPage page;
    // OK because cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12 is for host mail.google.com
//  page.mainFrame()->load(QUrl("https://mail.google.com")); // line B1
    // SSL ERROR "The host name did not match any of the valid hosts for this certificate"
    // because cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12 is NOT for www.gmail.com
    page.mainFrame()->load(QUrl("https://www.gmail.com")); // line B2

    QObject::connect(page.networkAccessManager(), SIGNAL(finished(QNetworkReply*)), &handler, SLOT(slotFinished(QNetworkReply*)));
    QObject::connect(page.networkAccessManager(), SIGNAL(sslErrors(QNetworkReply*,QList<QSslError>)), &handler, SLOT(slotSslErrors(QNetworkReply*,QList<QSslError>)));
    QObject::connect(&page, SIGNAL(loadFinished(bool)), &handler, SLOT(slotLoadFinished(bool)));

    return app.exec();
}

#include "main.moc"
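The answer's key point is that a TLS client performs two independent checks: the chain must anchor in the root CA store, and the leaf certificate's names must match the host being contacted. The following is an added example, not code from the original answer or from Qt; it is plain standard C++ (so it builds without Qt) and the certificate names in the comments and tests are constructed stand-ins for the Thawte/Verisign chain the answer describes. It shows that installing more roots can never turn a name mismatch into a successful match.

```cpp
// Added example, not code from the original answer: a plain C++ model of the two
// independent checks a TLS client makes (chain trust against a root store, and
// host name matching). Toy model: no signatures or validity periods are checked.
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>
struct Cert {
    std::string subject_cn;
    std::vector<std::string> san_dns;  // dNSName entries from subjectAltName
    std::string issuer_cn;
};
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}
// RFC 6125 style comparison: exact match, or a wildcard that is the whole leftmost
// label and covers exactly one label ("*.com" and multi-label matches are rejected).
static bool nameMatches(const std::string& pattern, const std::string& host) {
    std::string p = lower(pattern), h = lower(host);
    if (p.rfind("*.", 0) != 0) return p == h;
    std::string suffix = p.substr(1);  // "*.google.com" -> ".google.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;
    if (h.size() <= suffix.size() ||
        h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    return h.substr(0, h.size() - suffix.size()).find('.') == std::string::npos;
}
// Host check: SAN dNSNames take precedence; CN is consulted only when there are none.
bool hostMatches(const Cert& leaf, const std::string& host) {
    if (leaf.san_dns.empty()) return nameMatches(leaf.subject_cn, host);
    return std::any_of(leaf.san_dns.begin(), leaf.san_dns.end(),
                       [&](const std::string& n) { return nameMatches(n, host); });
}
// Chain check: each issuer must be the next cert's subject, the last issuer a root.
bool chainTrusted(const std::vector<Cert>& chain, const std::set<std::string>& roots) {
    for (std::size_t i = 0; i + 1 < chain.size(); ++i)
        if (chain[i].issuer_cn != chain[i + 1].subject_cn) return false;
    return !chain.empty() && roots.count(chain.back().issuer_cn) > 0;
}
// 0 = ok, 1 = chain not anchored in the root store, 2 = host name mismatch.
int verify(const std::vector<Cert>& chain, const std::set<std::string>& roots,
           const std::string& host) {
    if (!chainTrusted(chain, roots)) return 1;
    return hostMatches(chain.front(), host) ? 0 : 2;
}
```

With a leaf issued to www.google.com, `verify` returns 2 for www.gmail.com no matter which roots are in the store, which is exactly the situation the answer describes; a real client would surface that as a host name mismatch error rather than a chain error.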
