A simple Qt based browser with no bullshit that supports PKCS#11 tokens (such as the SuisseID).
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

164 lines
5.2 KiB

#include "smartcardauth.h"
#include "pindialog.h"
#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h>
#include "engine_sct.h"
#include <string>
ENGINE* SmartCardAuth::e=NULL;
enum_certs_s* SmartCardAuth::certs_found=NULL;
QWidget* SmartCardAuth::parent=0;
bool SmartCardAuth::pin_configured=false;
bool SmartCardAuth::pin_rejected=false;
void SmartCardAuth::initialize() {
QSslSocketPrivate::ensureInitialized();
q_ENGINE_load_dynamic();
e = q_ENGINE_by_id("dynamic");
//! @todo add library-name
int r=q_ENGINE_ctrl_cmd_string(e, "SO_PATH", "...library-name...", 0);
r=q_ENGINE_ctrl_cmd_string(e, "ID", "act", 0);
r=q_ENGINE_ctrl_cmd_string(e, "LIST_ADD", "1", 0);
r=q_ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
if(!r)
{
unsigned int err = 0;
while((err = q_ERR_get_error()))
{
char *str = q_ERR_error_string(err, NULL);
fprintf(stderr,"%s\n", str);
}
}
r=q_ENGINE_init(e);
}
void SmartCardAuth::deinitialize() {
q_ENGINE_finish(e);
q_ENGINE_cleanup();
}
void SmartCardAuth::setPinDlgParent(QWidget* p) {
parent=p;
}
int SmartCardAuth::client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
// NB: Keep in mind that this function is called for EVERY SSL connection to be opened.
for(size_t i=certs_found->num_certs;i--;)
{
const char *id_p = certs_found->certificate[i].id;
if(id_p == NULL) continue;
// Name has the format "slot-x-name-SwissSign_digSig" for the certificate/key we're looking for
std::string name(certs_found->certificate[i].name);
std::string compare("-name-SwissSign_digSig");
// Compare the rightmost part of the retrieved name to locate the certificate/keypair
size_t pos = name.length() - compare.length();
if(name.substr(pos) != compare)
continue;
// // Filter out the correct certificate depending on well-known sorting criteria
// // Given example searches for a keyword in the certificate's subject, but since we've got
// // the decoded certificate as an X509* structure we can check all the fields.
// X509_NAME* subj_name = q_X509_get_subject_name(certs_found->certificate[i].cert);
// int maxlen = 2048;
// char buf[maxlen+1];
// buf[maxlen]=0;
// q_X509_NAME_oneline(subj_name, buf, maxlen);
// std::string subject(buf);
// const char *compare="CN=Carsten Pluntke";
// if(subject.find(compare) == std::string::npos)
// continue;
// Here we found a suitable certificate.
// Now prepare the reference to the SmartCard's private key and a copy of the certificate
// to pass back to the caller.
*x509 = q_X509_dup(certs_found->certificate[i].cert);
*pkey = NULL;
// If we don't have a PIN yet, pop up a dialog, ask for a PIN and pass it along to the engine
// for usage.
if(!pin_configured)
{
PinDialog dlg(parent);
int ok=dlg.exec();
if(ok!=1) return 0; // User cancelled
QByteArray pinByteArray=dlg.pin().toAscii();
char *pin_str = pinByteArray.data();
// The engine control command takes a copy and overwrites the source array
if(q_ENGINE_ctrl_cmd_string(e, "PIN", pin_str, 0))
pin_configured = true;
else
return 0; // Engine refuses to take the PIN
*pkey = q_ENGINE_load_private_key(e, id_p, NULL, NULL);
// We do a test authorization on loading of the private key. If the operation fails at all,
// DON'T try again (see below) or we would instantly lock the card in a single session because
// of the retries!
if(!*pkey)
pin_rejected = true;
}
// Second to nth iteration: We skipped the PIN dialog here, now load the key if we don't have the
// explicit information not to do it (because the PIN is wrong)
if(!*pkey && !pin_rejected)
*pkey = q_ENGINE_load_private_key(e, id_p, NULL, NULL);
break;
}
if(!*x509) {
qWarning("Unable to load certificate");
return 0;
}
if(!*pkey) {
qWarning("Unable to load key");
return 0;
}
return 1;
}
bool SmartCardAuth::hookInitSslContext(SSL_CTX *ctx)
{
bool result = false;
if(!certs_found)
result = (q_ENGINE_ctrl_cmd(e, "ENUM_CERTS", 0, &certs_found, NULL, 0) != 0);
else
result = true;
#ifdef USE_CERTIFICATE_FILE
// Load a specific intermediate certificate from a file
//! @todo PEM-File
BIO* cert_file= q_BIO_new_file("swsign_interm.pem", "r");
X509* interm=q_PEM_read_bio_X509(cert_file,NULL,NULL, NULL);
q_BIO_free(cert_file);
q_SSL_CTX_add_extra_chain_cert(ctx,interm);
#else
// Add all of the card's certificates without a private key as intermediate certs
for(size_t i=certs_found->num_certs;i--;)
{
if(certs_found->certificate[i].id == NULL)
q_SSL_CTX_add_extra_chain_cert(ctx, q_X509_dup(certs_found->certificate[i].cert));
}
#endif
q_SSL_CTX_set_client_cert_cb(ctx,client_cert_cb);
return true;
}