problem in making custom root certificate store fo

2019-05-31 21:55发布

问题:

I am developing my custom browser in Qt using QWebView and I am trying to make my own root cert store of trusted certificates which are taken from mozilla project.

I have used QSslSocket::setDefaultCaCertificates() to override the default certificates. But I am not able to load https://www.gmail.com , where as in mozilla it works.

I have set all required root certs for gmail to my store.

can anyone guide me ?

回答1:

The reason you can't connect is because the SSL certificate (with serial 2F:DF:BC:F6:AE:91:52:6D:0F:9A:A3:DF:40:34:3E:9A) presented to you when you connect to www.gmail.com is issued for a different domain - www.google.com. This has nothing to do with root CA certificate store because no root CA certificate is needed to compare cert's Subject CN field with the host you are trying to connect to. You can ignore this and other SSL errors by calling
void QNetworkReply::ignoreSslErrors () [virtual slot]
To avoid this error you can connect directly to https://mail.google.com which is the domain you are being redirected to when you try to connect to https://www.gmail.com

Below is a working example which will show you the exact SSL errors and QNAM level errors. Either line B1 or line B2 must be active at the same time. You can comment line A if you want to see what happens with the default (system) root CA certificate store. There are two certs used by this code; CA's cert with serial 30:00:00:02 should be placed in a file called ThawteSGCCA.crt and CA's cert with serial 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF should be placed in a file called BuiltinObjectToken-VerisignClass3PublicPrimaryCertificationAuthority.crt.

#include <QtGui/QApplication>
#include <QtCore/QDebug>
#include <QtCore/QList>
#include <QtNetwork/QNetworkAccessManager>
#include <QtNetwork/QNetworkRequest>
#include <QtNetwork/QNetworkReply>
#include <QtNetwork/QSslConfiguration>
#include <QtNetwork/QSslSocket>
#include <QtNetwork/QSslError>
#include <QtWebKit/QWebFrame>
#include <QtWebKit/QWebPage>



class Handler : public QObject{
    Q_OBJECT

public slots:

    void slotLoadFinished(bool ok) {
        if (ok) {
            qDebug() << "Page size: " << static_cast<QWebPage*>(sender())->mainFrame()->toHtml().size();
        }
    }

    void slotFinished(QNetworkReply * reply) {
        if (reply->error() == QNetworkReply::NoError) {
            qDebug() << "connected to " << reply->url();
            qDebug() << "HTTP status: " << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();

        } else {
            qDebug() << "error while connecting to " << reply->url();
            qDebug() << "error code: " << reply->error();
            qDebug() << "error string: " << reply->errorString();
        }
    }

    void slotSslErrors(QNetworkReply * reply, QList<QSslError> const & errors) {
        qDebug() << "SSL errors: " << errors;
        qDebug() << "peer's certificate: "
                 << reply->sslConfiguration().peerCertificate();
    }

};


int main(int argc, char *argv[])
{
    QApplication app(argc, argv);
    Handler handler;

    // CA certs for:
    // 1. cert with Subject.CN == mail.google.com cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
    // 2. cert with Subject.CN == www.google.com cert with serial 2F:DF:BC:F6:AE:91:52:6D:0F:9A:A3:DF:40:34:3E:9A
    QList<QSslCertificate> CAcerts =
            // serial 30:00:00:02
            QSslCertificate::fromPath("ThawteSGCCA.crt") +
            // serial 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
            QSslCertificate::fromPath("BuiltinObjectToken-VerisignClass3PublicPrimaryCertificationAuthority.crt");

    qDebug() << "root CA certificates:\n"
             << CAcerts
             << "\n";
    QSslSocket::setDefaultCaCertificates(CAcerts); // line A

    QWebPage page;
    // OK because cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12 is for host mail.google.com
//  page.mainFrame()->load(QUrl("https://mail.google.com")); // line B1
    // SSL ERROR "The host name did not match any of the valid hosts for this certificate"
    // because cert with serial 1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12 is NOT for www.gmail.com
    page.mainFrame()->load(QUrl("https://www.gmail.com")); // line B2

    QObject::connect(page.networkAccessManager(), SIGNAL(finished(QNetworkReply*)), &handler, SLOT(slotFinished(QNetworkReply*)));
    QObject::connect(page.networkAccessManager(), SIGNAL(sslErrors(QNetworkReply*,QList<QSslError>)), &handler, SLOT(slotSslErrors(QNetworkReply*,QList<QSslError>)));
    QObject::connect(&page, SIGNAL(loadFinished(bool)), &handler, SLOT(slotLoadFinished(bool)));

    return app.exec();
}

#include "main.moc"