fenix/PDF4QT
1
0
Fork 0
mirror of https://github.com/JakubMelka/PDF4QT.git synced 2025-06-05 21:59:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Issue #55: Refactoring of certificates

Browse Source
This commit is contained in:
Jakub Melka
2023-12-22 19:12:35 +01:00
parent b3580560a4
commit 17f94a102c
22 changed files with 1247 additions and 868 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Pdf4QtLibCore/CMakeLists.txt
View File

@@ -144,6 +144,8 @@ add_library(Pdf4QtLibCore SHARED
sources/pdfwidgetsnapshot.cpp
sources/pdfwidgetsnapshot.h
cmaps.qrc
sources/pdfcertificatestore.h
sources/pdfcertificatestore.cpp
)
include(GenerateExportHeader)

170
Pdf4QtLibCore/sources/pdfcertificatemanager.cpp
View File

@@ -116,16 +116,9 @@ void PDFCertificateManager::createCertificate(const NewCertificateInfo& info)
QByteArray privateKeyPaswordUtf8 = info.privateKeyPasword.toUtf8();
// Write the data
openssl_ptr<PKCS12> pkcs12(PKCS12_create(privateKeyPaswordUtf8.constData(),
nullptr,
privateKey.get(),
certificate.get(),
nullptr,
0,
0,
PKCS12_DEFAULT_ITER,
PKCS12_DEFAULT_ITER,
0), &PKCS12_free);
openssl_ptr<PKCS12> pkcs12(PKCS12_init(NID_pkcs7_data), &PKCS12_free);
PKCS12_add_cert(&pkcs12->certs, certificate.get());
PKCS12_add_key(&pkcs12->keybags, privateKey.get(), 0, PKCS12_DEFAULT_ITER, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, privateKeyPaswordUtf8.data()));
i2d_PKCS12_bio(pksBuffer.get(), pkcs12.get());
BUF_MEM* pksMemoryBuffer = nullptr;
@@ -144,10 +137,55 @@ void PDFCertificateManager::createCertificate(const NewCertificateInfo& info)
}
}
QFileInfoList PDFCertificateManager::getCertificates()
PDFCertificateEntries PDFCertificateManager::getCertificates()
{
PDFCertificateEntries entries;
#ifdef Q_OS_WIN
entries = PDFCertificateStore::getPersonalCertificates();
#endif
QDir directory(getCertificateDirectory());
return directory.entryInfoList(QStringList() << "*.pfx", QDir::Files | QDir::NoDotAndDotDot | QDir::Readable, QDir::Name);
QFileInfoList pfxFiles = directory.entryInfoList(QStringList() << "*.pfx", QDir::Files | QDir::NoDotAndDotDot | QDir::Readable, QDir::Name);
for (const QFileInfo& fileInfo : pfxFiles)
{
QFile file(fileInfo.absoluteFilePath());
if (file.open(QFile::ReadOnly))
{
QByteArray data = file.readAll();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
{
EVP_PKEY* key = nullptr;
X509* certificatePtr = nullptr;
STACK_OF(X509)* certificates = nullptr;
// Parse PKCS12 with password
bool isParsed = PKCS12_parse(pkcs12.get(), nullptr, &key, &certificatePtr, &certificates) == 1;
if (isParsed)
{
std::optional<PDFCertificateInfo> info = PDFCertificateInfo::getCertificateInfo(certificatePtr);
if (info)
{
PDFCertificateEntry entry;
entry.type = PDFCertificateEntry::EntryType::System;
entry.info = qMove(*info);
entry.pkcs12 = data;
entries.emplace_back(qMove(entry));
}
}
}
file.close();
}
}
return entries;
}
QString PDFCertificateManager::getCertificateDirectory()
@@ -175,85 +213,75 @@ QString PDFCertificateManager::generateCertificateFileName()
return QString();
}
bool PDFCertificateManager::isCertificateValid(QString fileName, QString password)
bool PDFCertificateManager::isCertificateValid(const PDFCertificateEntry& certificateEntry, QString password)
{
QFile file(fileName);
if (file.open(QFile::ReadOnly))
QByteArray data = certificateEntry.info.getCertificateData();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
{
QByteArray data = file.readAll();
file.close();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
const char* passwordPointer = nullptr;
QByteArray passwordByteArray = password.isEmpty() ? QByteArray() : password.toUtf8();
if (!passwordByteArray.isEmpty())
{
const char* passwordPointer = nullptr;
QByteArray passwordByteArray = password.isEmpty() ? QByteArray() : password.toUtf8();
if (!passwordByteArray.isEmpty())
{
passwordPointer = passwordByteArray.constData();
}
return PKCS12_parse(pkcs12.get(), passwordPointer, nullptr, nullptr, nullptr) == 1;
passwordPointer = passwordByteArray.constData();
}
return PKCS12_parse(pkcs12.get(), passwordPointer, nullptr, nullptr, nullptr) == 1;
}
return false;
}
bool PDFSignatureFactory::sign(QString certificateName, QString password, QByteArray data, QByteArray& result)
bool PDFSignatureFactory::sign(const PDFCertificateEntry& certificateEntry, QString password, QByteArray data, QByteArray& result)
{
QFile file(certificateName);
if (file.open(QFile::ReadOnly))
QByteArray certificateData = certificateEntry.pkcs12;
openssl_ptr<BIO> certificateBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(certificateBuffer.get(), certificateData.constData(), certificateData.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(certificateBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
{
QByteArray certificateData = file.readAll();
file.close();
openssl_ptr<BIO> certificateBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(certificateBuffer.get(), certificateData.constData(), certificateData.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(certificateBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
const char* passwordPointer = nullptr;
QByteArray passwordByteArray = password.isEmpty() ? QByteArray() : password.toUtf8();
if (!passwordByteArray.isEmpty())
{
const char* passwordPointer = nullptr;
QByteArray passwordByteArray = password.isEmpty() ? QByteArray() : password.toUtf8();
if (!passwordByteArray.isEmpty())
passwordPointer = passwordByteArray.constData();
}
EVP_PKEY* key = nullptr;
X509* certificate = nullptr;
STACK_OF(X509)* certificates = nullptr;
if (PKCS12_parse(pkcs12.get(), passwordPointer, &key, &certificate, &certificates) == 1)
{
openssl_ptr<BIO> signedDataBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(signedDataBuffer.get(), data.constData(), data.length());
PKCS7* signature = PKCS7_sign(certificate, key, certificates, signedDataBuffer.get(), PKCS7_DETACHED | PKCS7_BINARY);
if (signature)
{
passwordPointer = passwordByteArray.constData();
}
openssl_ptr<BIO> outputBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
i2d_PKCS7_bio(outputBuffer.get(), signature);
EVP_PKEY* key = nullptr;
X509* certificate = nullptr;
STACK_OF(X509)* certificates = nullptr;
if (PKCS12_parse(pkcs12.get(), passwordPointer, &key, &certificate, &certificates) == 1)
{
openssl_ptr<BIO> signedDataBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(signedDataBuffer.get(), data.constData(), data.length());
BUF_MEM* pksMemoryBuffer = nullptr;
BIO_get_mem_ptr(outputBuffer.get(), &pksMemoryBuffer);
PKCS7* signature = PKCS7_sign(certificate, key, certificates, signedDataBuffer.get(), PKCS7_DETACHED | PKCS7_BINARY);
if (signature)
{
openssl_ptr<BIO> outputBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
i2d_PKCS7_bio(outputBuffer.get(), signature);
BUF_MEM* pksMemoryBuffer = nullptr;
BIO_get_mem_ptr(outputBuffer.get(), &pksMemoryBuffer);
result = QByteArray(pksMemoryBuffer->data, int(pksMemoryBuffer->length));
EVP_PKEY_free(key);
X509_free(certificate);
sk_X509_free(certificates);
return true;
}
result = QByteArray(pksMemoryBuffer->data, int(pksMemoryBuffer->length));
EVP_PKEY_free(key);
X509_free(certificate);
sk_X509_free(certificates);
return false;
return true;
}
EVP_PKEY_free(key);
X509_free(certificate);
sk_X509_free(certificates);
return false;
}
}

9
Pdf4QtLibCore/sources/pdfcertificatemanager.h
View File

@@ -1,4 +1,4 @@
// Copyright (C) 2022 Jakub Melka
// Copyright (C) 2022-2023 Jakub Melka
//
// This file is part of PDF4QT.
//
@@ -19,6 +19,7 @@
#define PDFCERTIFICATEMANAGER_H
#include "pdfglobal.h"
#include "pdfcertificatestore.h"
#include <QString>
#include <QFileInfoList>
@@ -49,16 +50,16 @@ public:
void createCertificate(const NewCertificateInfo& info);
static QFileInfoList getCertificates();
static PDFCertificateEntries getCertificates();
static QString getCertificateDirectory();
static QString generateCertificateFileName();
static bool isCertificateValid(QString fileName, QString password);
static bool isCertificateValid(const PDFCertificateEntry& certificateEntry, QString password);
};
class PDF4QTLIBCORESHARED_EXPORT PDFSignatureFactory
{
public:
static bool sign(QString certificateName, QString password, QByteArray data, QByteArray& result);
static bool sign(const PDFCertificateEntry& certificateEntry, QString password, QByteArray data, QByteArray& result);
};
} // namespace pdf

547
Pdf4QtLibCore/sources/pdfcertificatestore.cpp Normal file
View File

@@ -0,0 +1,547 @@
// Copyright (C) 2022-2023 Jakub Melka
//
// This file is part of PDF4QT.
//
// PDF4QT is free software: you can redistribute it and/or modify
// it under the terms of the GNU Lesser General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// with the written consent of the copyright owner, any later version.
//
// PDF4QT is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with PDF4QT. If not, see <https://www.gnu.org/licenses/>.
#include "pdfcertificatestore.h"
#include "pdfutils.h"
#if defined(PDF4QT_COMPILER_MINGW) || defined(PDF4QT_COMPILER_GCC)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif
#if defined(PDF4QT_COMPILER_MSVC)
#pragma warning(push)
#pragma warning(disable: 4996)
#endif
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include <openssl/rsaerr.h>
#include <openssl/ts.h>
#include <openssl/tserr.h>
#include <QDir>
#include <QFileInfo>
#include <QLockFile>
#include <QDataStream>
#include <QStandardPaths>
#include "pdfdbgheap.h"
#include <array>
#ifdef Q_OS_UNIX
#include <time.h>
#endif
namespace pdf
{
QRecursiveMutex PDFOpenSSLGlobalLock::s_globalOpenSSLMutex;
PDFOpenSSLGlobalLock::PDFOpenSSLGlobalLock() :
m_mutexLocker(&s_globalOpenSSLMutex)
{
}
void PDFCertificateEntry::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << type;
stream << info;
}
void PDFCertificateEntry::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> type;
stream >> info;
}
void PDFCertificateInfo::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << m_version;
stream << m_keySize;
stream << m_publicKey;
stream << m_nameEntries;
stream << m_notValidBefore;
stream << m_notValidAfter;
stream << m_keyUsage;
stream << m_certificateData;
}
void PDFCertificateInfo::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> m_version;
stream >> m_keySize;
stream >> m_publicKey;
stream >> m_nameEntries;
stream >> m_notValidBefore;
stream >> m_notValidAfter;
stream >> m_keyUsage;
stream >> m_certificateData;
}
QDateTime PDFCertificateInfo::getNotValidBefore() const
{
return m_notValidBefore;
}
void PDFCertificateInfo::setNotValidBefore(const QDateTime& notValidBefore)
{
m_notValidBefore = notValidBefore;
}
QDateTime PDFCertificateInfo::getNotValidAfter() const
{
return m_notValidAfter;
}
void PDFCertificateInfo::setNotValidAfter(const QDateTime& notValidAfter)
{
m_notValidAfter = notValidAfter;
}
int32_t PDFCertificateInfo::getVersion() const
{
return m_version;
}
void PDFCertificateInfo::setVersion(int32_t version)
{
m_version = version;
}
PDFCertificateInfo::PublicKey PDFCertificateInfo::getPublicKey() const
{
return m_publicKey;
}
void PDFCertificateInfo::setPublicKey(const PublicKey& publicKey)
{
m_publicKey = publicKey;
}
int PDFCertificateInfo::getKeySize() const
{
return m_keySize;
}
void PDFCertificateInfo::setKeySize(int keySize)
{
m_keySize = keySize;
}
PDFCertificateInfo::KeyUsageFlags PDFCertificateInfo::getKeyUsage() const
{
return m_keyUsage;
}
void PDFCertificateInfo::setKeyUsage(KeyUsageFlags keyUsage)
{
m_keyUsage = keyUsage;
}
std::optional<PDFCertificateInfo> PDFCertificateInfo::getCertificateInfo(const QByteArray& certificateData)
{
std::optional<PDFCertificateInfo> result;
PDFOpenSSLGlobalLock lock;
const unsigned char* data = convertByteArrayToUcharPtr(certificateData);
if (X509* certificate = d2i_X509(nullptr, &data, certificateData.length()))
{
result = getCertificateInfo(certificate);
X509_free(certificate);
}
return result;
}
PDFCertificateInfo PDFCertificateInfo::getCertificateInfo(x509_st* certificate)
{
PDFCertificateInfo info;
auto getStringFromASN1_STRING = [](ASN1_STRING* string) -> QString
{
QString result;
if (string)
{
// Jakub Melka: we must convert entry to UTF8 encoding using function ASN1_STRING_to_UTF8
unsigned char* utf8Buffer = nullptr;
int errorCodeOrLength = ASN1_STRING_to_UTF8(&utf8Buffer, string);
if (errorCodeOrLength > 0)
{
result = QString::fromUtf8(reinterpret_cast<const char*>(utf8Buffer), errorCodeOrLength);
}
OPENSSL_free(utf8Buffer);
}
return result;
};
auto getStringFromX509Name = [&getStringFromASN1_STRING](X509_NAME* name, int nid) -> QString
{
QString result;
const int stringLocation = X509_NAME_get_index_by_NID(name, nid, -1);
X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, stringLocation);
return getStringFromASN1_STRING(X509_NAME_ENTRY_get_data(entry));
};
auto getDateTimeFromASN = [](const ASN1_TIME* time) -> QDateTime
{
QDateTime result;
if (time)
{
tm internalTime = { };
if (ASN1_TIME_to_tm(time, &internalTime) > 0)
{
#if defined(Q_OS_WIN)
time_t localTime = _mkgmtime(&internalTime);
#elif defined(Q_OS_UNIX)
time_t localTime = timegm(&internalTime);
#else
static_assert(false, "Implement this for another OS!");
#endif
result = QDateTime::fromSecsSinceEpoch(localTime, Qt::UTC);
}
}
return result;
};
if (X509_NAME* subjectName = X509_get_subject_name(certificate))
{
// List of these properties are in RFC 5280, section 4.1.2.4, these attributes
// are standard and all implementations must be prepared to process them.
QString countryName = getStringFromX509Name(subjectName, NID_countryName);
QString organizationName = getStringFromX509Name(subjectName, NID_organizationName);
QString organizationalUnitName = getStringFromX509Name(subjectName, NID_organizationalUnitName);
QString distinguishedName = getStringFromX509Name(subjectName, NID_distinguishedName);
QString stateOrProvinceName = getStringFromX509Name(subjectName, NID_stateOrProvinceName);
QString commonName = getStringFromX509Name(subjectName, NID_commonName);
QString serialNumber = getStringFromX509Name(subjectName, NID_serialNumber);
// These attributes are defined also in section 4.1.2.4, they are not mandatory,
// but application should be able to process them.
QString localityName = getStringFromX509Name(subjectName, NID_localityName);
QString title = getStringFromX509Name(subjectName, NID_title);
QString surname = getStringFromX509Name(subjectName, NID_surname);
QString givenName = getStringFromX509Name(subjectName, NID_givenName);
QString initials = getStringFromX509Name(subjectName, NID_initials);
QString pseudonym = getStringFromX509Name(subjectName, NID_pseudonym);
QString generationQualifier = getStringFromX509Name(subjectName, NID_generationQualifier);
// This entry is not defined in section 4.1.2.4, but is commonly used
QString email = getStringFromX509Name(subjectName, NID_pkcs9_emailAddress);
info.setName(PDFCertificateInfo::CountryName, qMove(countryName));
info.setName(PDFCertificateInfo::OrganizationName, qMove(organizationName));
info.setName(PDFCertificateInfo::OrganizationalUnitName, qMove(organizationalUnitName));
info.setName(PDFCertificateInfo::DistinguishedName, qMove(distinguishedName));
info.setName(PDFCertificateInfo::StateOrProvinceName, qMove(stateOrProvinceName));
info.setName(PDFCertificateInfo::CommonName, qMove(commonName));
info.setName(PDFCertificateInfo::SerialNumber, qMove(serialNumber));
info.setName(PDFCertificateInfo::LocalityName, qMove(localityName));
info.setName(PDFCertificateInfo::Title, qMove(title));
info.setName(PDFCertificateInfo::Surname, qMove(surname));
info.setName(PDFCertificateInfo::GivenName, qMove(givenName));
info.setName(PDFCertificateInfo::Initials, qMove(initials));
info.setName(PDFCertificateInfo::Pseudonym, qMove(pseudonym));
info.setName(PDFCertificateInfo::GenerationalQualifier, qMove(generationQualifier));
info.setName(PDFCertificateInfo::Email, qMove(email));
const long version = X509_get_version(certificate);
info.setVersion(version);
const ASN1_TIME* notBeforeTime = X509_get0_notBefore(certificate);
const ASN1_TIME* notAfterTime = X509_get0_notAfter(certificate);
info.setNotValidBefore(getDateTimeFromASN(notBeforeTime));
info.setNotValidAfter(getDateTimeFromASN(notAfterTime));
X509_PUBKEY* publicKey = X509_get_X509_PUBKEY(certificate);
EVP_PKEY* evpKey = X509_PUBKEY_get(publicKey);
const int keyType = EVP_PKEY_type(EVP_PKEY_base_id(evpKey));
PDFCertificateInfo::PublicKey key = PDFCertificateInfo::KeyUnknown;
switch (keyType)
{
case EVP_PKEY_RSA:
key = PDFCertificateInfo::KeyRSA;
break;
case EVP_PKEY_DSA:
key = PDFCertificateInfo::KeyDSA;
break;
case EVP_PKEY_DH:
key = PDFCertificateInfo::KeyDH;
break;
case EVP_PKEY_EC:
key = PDFCertificateInfo::KeyEC;
break;
default:
break;
}
info.setPublicKey(key);
const int bits = EVP_PKEY_bits(evpKey);
info.setKeySize(bits);
uint32_t keyUsage = X509_get_key_usage(certificate);
if (keyUsage != UINT32_MAX)
{
static_assert(PDFCertificateInfo::KeyUsageDigitalSignature == KU_DIGITAL_SIGNATURE, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageNonRepudiation == KU_NON_REPUDIATION, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageKeyEncipherment == KU_KEY_ENCIPHERMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageDataEncipherment == KU_DATA_ENCIPHERMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageAgreement == KU_KEY_AGREEMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageCertSign == KU_KEY_CERT_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageCrlSign == KU_CRL_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageEncipherOnly == KU_ENCIPHER_ONLY, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageDecipherOnly == KU_DECIPHER_ONLY, "Fix this code!");
if (X509_get_extension_flags(certificate) & EXFLAG_XKUSAGE)
{
const uint32_t extendedKeyUsage = X509_get_extended_key_usage(certificate);
Q_ASSERT(extendedKeyUsage != UINT32_MAX);
static_assert(PDFCertificateInfo::KeyUsageExtended_SSL_SERVER >> 16 == XKU_SSL_SERVER, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SSL_CLIENT >> 16 == XKU_SSL_CLIENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SMIME >> 16 == XKU_SMIME, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_CODE_SIGN >> 16 == XKU_CODE_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SGC >> 16 == XKU_SGC, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_OCSP_SIGN >> 16 == XKU_OCSP_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_TIMESTAMP >> 16 == XKU_TIMESTAMP, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_DVCS >> 16 == XKU_DVCS, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_ANYEKU >> 16 == XKU_ANYEKU, "Fix this code!");
keyUsage = keyUsage | (extendedKeyUsage << 16);
}
info.setKeyUsage(static_cast<PDFCertificateInfo::KeyUsageFlags>(keyUsage));
}
unsigned char* buffer = nullptr;
int length = i2d_X509(certificate, &buffer);
if (length >= 0)
{
Q_ASSERT(buffer);
info.setCertificateData(QByteArray(reinterpret_cast<const char*>(buffer), length));
OPENSSL_free(buffer);
}
}
return info;
}
QByteArray PDFCertificateInfo::getCertificateData() const
{
return m_certificateData;
}
void PDFCertificateInfo::setCertificateData(const QByteArray& certificateData)
{
m_certificateData = certificateData;
}
void PDFCertificateStore::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << m_certificates;
}
void PDFCertificateStore::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> m_certificates;
}
bool PDFCertificateStore::add(PDFCertificateEntry::EntryType type, const QByteArray& certificate)
{
if (auto certificateInfo = PDFCertificateInfo::getCertificateInfo(certificate))
{
return add(type, qMove(*certificateInfo));
}
return false;
}
bool PDFCertificateStore::add(PDFCertificateEntry::EntryType type, PDFCertificateInfo info)
{
auto it = std::find_if(m_certificates.cbegin(), m_certificates.cend(), [&info](const auto& entry) { return entry.info == info; });
if (it == m_certificates.cend())
{
m_certificates.push_back({ type, qMove(info) });
}
return true;
}
bool PDFCertificateStore::contains(const PDFCertificateInfo& info)
{
return std::find_if(m_certificates.cbegin(), m_certificates.cend(), [&info](const auto& entry) { return entry.info == info; }) != m_certificates.cend();
}
QString PDFCertificateStore::getDefaultCertificateStoreFileName() const
{
return QStandardPaths::writableLocation(QStandardPaths::AppConfigLocation) + "/TrustedCertStorage.bin";
}
void PDFCertificateStore::loadDefaultUserCertificates()
{
createDirectoryForDefaultUserCertificatesStore();
QString trustedCertificateStoreFileName = getDefaultCertificateStoreFileName();
QString trustedCertificateStoreLockFileName = trustedCertificateStoreFileName + ".lock";
QLockFile lockFile(trustedCertificateStoreLockFileName);
if (lockFile.lock())
{
QFile trustedCertificateStoreFile(trustedCertificateStoreFileName);
if (trustedCertificateStoreFile.open(QFile::ReadOnly))
{
QDataStream stream(&trustedCertificateStoreFile);
deserialize(stream);
trustedCertificateStoreFile.close();
}
lockFile.unlock();
}
}
void PDFCertificateStore::saveDefaultUserCertificates()
{
createDirectoryForDefaultUserCertificatesStore();
QString trustedCertificateStoreFileName = getDefaultCertificateStoreFileName();
QString trustedCertificateStoreLockFileName = trustedCertificateStoreFileName + ".lock";
QFileInfo fileInfo(trustedCertificateStoreFileName);
QDir dir = fileInfo.dir();
dir.mkpath(dir.path());
QLockFile lockFile(trustedCertificateStoreLockFileName);
if (lockFile.lock())
{
QFile trustedCertificateStoreFile(trustedCertificateStoreFileName);
if (trustedCertificateStoreFile.open(QFile::WriteOnly | QFile::Truncate))
{
QDataStream stream(&trustedCertificateStoreFile);
serialize(stream);
trustedCertificateStoreFile.close();
}
lockFile.unlock();
}
}
void PDFCertificateStore::createDirectoryForDefaultUserCertificatesStore()
{
QFileInfo fileInfo(getDefaultCertificateStoreFileName());
QString path = fileInfo.path();
QDir().mkpath(path);
}
} // namespace pdf
#ifdef Q_OS_WIN
#include <Windows.h>
#include <wincrypt.h>
#if defined(PDF4QT_USE_PRAGMA_LIB)
#pragma comment(lib, "crypt32.lib")
#endif
#endif
pdf::PDFCertificateEntries pdf::PDFCertificateStore::getSystemCertificates()
{
PDFCertificateEntries result;
#ifdef Q_OS_WIN
HCERTSTORE certStore = CertOpenSystemStore(0, L"ROOT");
PCCERT_CONTEXT context = nullptr;
if (certStore)
{
while (context = CertEnumCertificatesInStore(certStore, context))
{
const unsigned char* pointer = context->pbCertEncoded;
QByteArray data(reinterpret_cast<const char*>(pointer), context->cbCertEncoded);
std::optional<PDFCertificateInfo> info = PDFCertificateInfo::getCertificateInfo(data);
if (info)
{
PDFCertificateEntry entry;
entry.type = PDFCertificateEntry::EntryType::System;
entry.info = qMove(*info);
result.emplace_back(qMove(entry));
}
}
CertCloseStore(certStore, CERT_CLOSE_STORE_FORCE_FLAG);
}
#endif
return result;
}
pdf::PDFCertificateEntries pdf::PDFCertificateStore::getPersonalCertificates()
{
PDFCertificateEntries result;
#ifdef Q_OS_WIN
HCERTSTORE certStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
PCCERT_CONTEXT context = nullptr;
if (certStore)
{
while (context = CertEnumCertificatesInStore(certStore, context))
{
const unsigned char* pointer = context->pbCertEncoded;
QByteArray data(reinterpret_cast<const char*>(pointer), context->cbCertEncoded);
std::optional<PDFCertificateInfo> info = PDFCertificateInfo::getCertificateInfo(data);
if (info)
{
PDFCertificateEntry entry;
entry.type = PDFCertificateEntry::EntryType::System;
entry.info = qMove(*info);
result.emplace_back(qMove(entry));
}
}
CertCloseStore(certStore, CERT_CLOSE_STORE_FORCE_FLAG);
}
#endif
return result;
}
#if defined(PDF4QT_COMPILER_MINGW) || defined(PDF4QT_COMPILER_GCC)
#pragma GCC diagnostic pop
#endif
#if defined(PDF4QT_COMPILER_MSVC)
#pragma warning(pop)
#endif

254
Pdf4QtLibCore/sources/pdfcertificatestore.h Normal file
View File

@@ -0,0 +1,254 @@
// Copyright (C) 2023 Jakub Melka
//
// This file is part of PDF4QT.
//
// PDF4QT is free software: you can redistribute it and/or modify
// it under the terms of the GNU Lesser General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// with the written consent of the copyright owner, any later version.
//
// PDF4QT is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with PDF4QT. If not, see <https://www.gnu.org/licenses/>.
#ifndef PDFCERTIFICATESTORE_H
#define PDFCERTIFICATESTORE_H
#include "pdfglobal.h"
#include <QFlags>
#include <QDateTime>
#include <QRecursiveMutex>
#include <QMutexLocker>
class QDataStream;
struct x509_st;
namespace pdf
{
/// OpenSSL is not thread safe.
class PDF4QTLIBCORESHARED_EXPORT PDFOpenSSLGlobalLock
{
public:
explicit PDFOpenSSLGlobalLock();
inline ~PDFOpenSSLGlobalLock() = default;
private:
QMutexLocker<QRecursiveMutex> m_mutexLocker;
static QRecursiveMutex s_globalOpenSSLMutex;
};
/// Info about certificate, various details etc.
class PDF4QTLIBCORESHARED_EXPORT PDFCertificateInfo
{
public:
explicit inline PDFCertificateInfo() = default;
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
friend inline QDataStream& operator<<(QDataStream& stream, const PDFCertificateInfo& info) { info.serialize(stream); return stream; }
friend inline QDataStream& operator>>(QDataStream& stream, PDFCertificateInfo& info) { info.deserialize(stream); return stream; }
bool operator ==(const PDFCertificateInfo&) const = default;
bool operator !=(const PDFCertificateInfo&) const = default;
/// These entries are taken from RFC 5280, section 4.1.2.4,
/// they are supported and loaded from the certificate, with
/// exception of Email entry.
enum NameEntry
{
CountryName,
OrganizationName,
OrganizationalUnitName,
DistinguishedName,
StateOrProvinceName,
CommonName,
SerialNumber,
LocalityName,
Title,
Surname,
GivenName,
Initials,
Pseudonym,
GenerationalQualifier,
Email,
NameEnd
};
enum PublicKey
{
KeyRSA,
KeyDSA,
KeyEC,
KeyDH,
KeyUnknown
};
// This enum is defined in RFC 5280, chapter 4.2.1.3, Key Usage. Second part,
// are defined in extended key usage entry, if it is defined.
enum KeyUsageFlag : uint32_t
{
KeyUsageNone = 0x00000000,
KeyUsageDigitalSignature = 0x00000080,
KeyUsageNonRepudiation = 0x00000040,
KeyUsageKeyEncipherment = 0x00000020,
KeyUsageDataEncipherment = 0x00000010,
KeyUsageAgreement = 0x00000008,
KeyUsageCertSign = 0x00000004,
KeyUsageCrlSign = 0x00000002,
KeyUsageEncipherOnly = 0x00000001,
KeyUsageDecipherOnly = 0x00008000,
KeyUsageExtended_SSL_SERVER = 0x1 << 16,
KeyUsageExtended_SSL_CLIENT = 0x2 << 16,
KeyUsageExtended_SMIME = 0x4 << 16,
KeyUsageExtended_CODE_SIGN = 0x8 << 16,
KeyUsageExtended_SGC = 0x10 << 16,
KeyUsageExtended_OCSP_SIGN = 0x20 << 16,
KeyUsageExtended_TIMESTAMP = 0x40 << 16,
KeyUsageExtended_DVCS = 0x80 << 16,
KeyUsageExtended_ANYEKU = 0x100 << 16,
};
Q_DECLARE_FLAGS(KeyUsageFlags, KeyUsageFlag)
const QString& getName(NameEntry name) const { return m_nameEntries[name]; }
void setName(NameEntry name, QString string) { m_nameEntries[name] = qMove(string); }
QDateTime getNotValidBefore() const;
void setNotValidBefore(const QDateTime& notValidBefore);
QDateTime getNotValidAfter() const;
void setNotValidAfter(const QDateTime& notValidAfter);
int32_t getVersion() const;
void setVersion(int32_t version);
PublicKey getPublicKey() const;
void setPublicKey(const PublicKey& publicKey);
int getKeySize() const;
void setKeySize(int keySize);
KeyUsageFlags getKeyUsage() const;
void setKeyUsage(KeyUsageFlags keyUsage);
QByteArray getCertificateData() const;
void setCertificateData(const QByteArray& certificateData);
/// Creates certificate info from binary data. Binary data must
/// contain DER-encoded certificate.
/// \param certificateData Data
static std::optional<PDFCertificateInfo> getCertificateInfo(const QByteArray& certificateData);
/// Creates certificate info from certificate
static PDFCertificateInfo getCertificateInfo(x509_st* certificate);
private:
static constexpr int persist_version = 1;
int32_t m_version = 0;
int m_keySize = 0;
PublicKey m_publicKey = KeyUnknown;
std::array<QString, NameEnd> m_nameEntries;
QDateTime m_notValidBefore;
QDateTime m_notValidAfter;
KeyUsageFlags m_keyUsage;
QByteArray m_certificateData;
};
using PDFCertificateInfos = std::vector<PDFCertificateInfo>;
struct PDFCertificateEntry
{
enum class EntryType : int
{
User, ///< Certificate has been added manually by the user
System, ///< System certificate
};
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
friend inline QDataStream& operator<<(QDataStream& stream, const PDFCertificateEntry& entry) { entry.serialize(stream); return stream; }
friend inline QDataStream& operator>>(QDataStream& stream, PDFCertificateEntry& entry) { entry.deserialize(stream); return stream; }
static constexpr int persist_version = 1;
EntryType type = EntryType::User;
PDFCertificateInfo info;
QByteArray pkcs12;
};
using PDFCertificateEntries = std::vector<PDFCertificateEntry>;
/// Trusted certificate store. Contains list of trusted certificates. Store
/// can be persisted to the persistent storage trough serialization/deserialization.
/// Persisting method is versioned.
class PDF4QTLIBCORESHARED_EXPORT PDFCertificateStore
{
public:
explicit inline PDFCertificateStore() = default;
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
/// Tries to add new certificate to the certificate store. If certificate
/// is already here, then nothing happens and function returns true.
/// Otherwise data are checked, if they really contains a certificate,
/// and if yes, then it is added. Function returns false if, and only if,
/// error occured and certificate was not added.
/// \param type Type
/// \param certificate Certificate
bool add(PDFCertificateEntry::EntryType type, const QByteArray& certificate);
/// Tries to add new certificate to the certificate store. If certificate
/// is already here, then nothing happens and function returns true.
/// Otherwise data are checked, if they really contains a certificate,
/// and if yes, then it is added. Function returns false if, and only if,
/// error occured and certificate was not added.
/// \param type Type
/// \param info Certificate info
bool add(PDFCertificateEntry::EntryType type, PDFCertificateInfo info);
/// Returns true, if storage contains given certificate
/// \param info Certificate info
bool contains(const PDFCertificateInfo& info);
/// Get certificates stored in the store
const PDFCertificateEntries& getCertificates() const { return m_certificates; }
/// Set certificates
void setCertificates(PDFCertificateEntries certificates) { m_certificates = qMove(certificates); }
/// Returns default certificate store file name
QString getDefaultCertificateStoreFileName() const;
/// Load from default user certificate storage
void loadDefaultUserCertificates();
/// Save to default user certificate storage
void saveDefaultUserCertificates();
/// Creates default directory for certificate store
void createDirectoryForDefaultUserCertificatesStore();
/// Returns a list of system certificates
static PDFCertificateEntries getSystemCertificates();
/// Returns a list of personal certificates (usually used for signing documents)
static PDFCertificateEntries getPersonalCertificates();
private:
static constexpr int persist_version = 1;
PDFCertificateEntries m_certificates;
};
} // namespace pdf
#endif // PDFCERTIFICATESTORE_H

282
Pdf4QtLibCore/sources/pdfsecurityhandler.cpp
View File

@@ -1979,62 +1979,57 @@ PDFSecurityHandlerPointer PDFSecurityHandlerFactory::createSecurityHandler(const
publicKeyHandler->m_permissions = publicKeyHandler->m_permissions | PDFPublicKeySecurityHandler::PKSH_PrintHighResolution;
}
QFile file(settings.certificateFileName);
if (file.open(QFile::ReadOnly))
QByteArray data = settings.certificate.pkcs12;
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
{
QByteArray data = file.readAll();
file.close();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
QByteArray password = PDFStandardOrPublicSecurityHandler::adjustPassword(settings.userPassword, 0);
const char* passwordPointer = nullptr;
if (!password.isEmpty())
{
QByteArray password = PDFStandardOrPublicSecurityHandler::adjustPassword(settings.userPassword, 0);
const char* passwordPointer = nullptr;
if (!password.isEmpty())
passwordPointer = password.constData();
}
EVP_PKEY* keyPtr = nullptr;
X509* certificatePtr = nullptr;
STACK_OF(X509)* certificatesPtr = nullptr;
// Parse PKCS12 with password
bool isParsed = PKCS12_parse(pkcs12.get(), passwordPointer, &keyPtr, &certificatePtr, &certificatesPtr) == 1;
if (isParsed)
{
openssl_ptr<EVP_PKEY> key(keyPtr, EVP_PKEY_free);
openssl_ptr<X509> certificate(certificatePtr, X509_free);
openssl_ptr<STACK_OF(X509)> certificates(certificatesPtr, sk_x509_free_impl);
openssl_ptr<BIO> dataToBeSigned(BIO_new(BIO_s_mem()), BIO_free_all);
uint32_t permissions = qToLittleEndian(publicKeyHandler->m_permissions);
QRandomGenerator generator = QRandomGenerator::securelySeeded();
QByteArray randomKey = generateRandomByteArray(generator, 20);
BIO_write(dataToBeSigned.get(), randomKey.data(), randomKey.length());
BIO_write(dataToBeSigned.get(), &permissions, sizeof(permissions));
openssl_ptr<STACK_OF(X509)> recipientCertificates(sk_X509_new_null(), sk_x509_free_impl);
sk_X509_push(recipientCertificates.get(), certificate.get());
openssl_ptr<PKCS7> pkcs7(PKCS7_encrypt(recipientCertificates.get(), dataToBeSigned.get(), EVP_aes_256_cbc(), PKCS7_BINARY), PKCS7_free);
if (pkcs7)
{
passwordPointer = password.constData();
}
openssl_ptr<BIO> storedData(BIO_new(BIO_s_mem()), BIO_free_all);
EVP_PKEY* keyPtr = nullptr;
X509* certificatePtr = nullptr;
STACK_OF(X509)* certificatesPtr = nullptr;
// Parse PKCS12 with password
bool isParsed = PKCS12_parse(pkcs12.get(), passwordPointer, &keyPtr, &certificatePtr, &certificatesPtr) == 1;
if (isParsed)
{
openssl_ptr<EVP_PKEY> key(keyPtr, EVP_PKEY_free);
openssl_ptr<X509> certificate(certificatePtr, X509_free);
openssl_ptr<STACK_OF(X509)> certificates(certificatesPtr, sk_x509_free_impl);
openssl_ptr<BIO> dataToBeSigned(BIO_new(BIO_s_mem()), BIO_free_all);
uint32_t permissions = qToLittleEndian(publicKeyHandler->m_permissions);
QRandomGenerator generator = QRandomGenerator::securelySeeded();
QByteArray randomKey = generateRandomByteArray(generator, 20);
BIO_write(dataToBeSigned.get(), randomKey.data(), randomKey.length());
BIO_write(dataToBeSigned.get(), &permissions, sizeof(permissions));
openssl_ptr<STACK_OF(X509)> recipientCertificates(sk_X509_new_null(), sk_x509_free_impl);
sk_X509_push(recipientCertificates.get(), certificate.get());
openssl_ptr<PKCS7> pkcs7(PKCS7_encrypt(recipientCertificates.get(), dataToBeSigned.get(), EVP_aes_256_cbc(), PKCS7_BINARY), PKCS7_free);
if (pkcs7)
if (i2d_PKCS7_bio(storedData.get(), pkcs7.get()))
{
openssl_ptr<BIO> storedData(BIO_new(BIO_s_mem()), BIO_free_all);
BUF_MEM* memoryBuffer = nullptr;
BIO_get_mem_ptr(storedData.get(), &memoryBuffer);
if (i2d_PKCS7_bio(storedData.get(), pkcs7.get()))
{
BUF_MEM* memoryBuffer = nullptr;
BIO_get_mem_ptr(storedData.get(), &memoryBuffer);
QByteArray recipient(memoryBuffer->data, int(memoryBuffer->length));
publicKeyHandler->m_filterDefault.recipients << recipient;
}
QByteArray recipient(memoryBuffer->data, int(memoryBuffer->length));
publicKeyHandler->m_filterDefault.recipients << recipient;
}
}
}
@@ -2354,7 +2349,7 @@ bool PDFSecurityHandlerFactory::validate(const SecuritySettings& settings, QStri
case pdf::PDFSecurityHandlerFactory::Certificate:
{
if (!pdf::PDFCertificateManager::isCertificateValid(settings.certificateFileName, settings.userPassword))
if (!pdf::PDFCertificateManager::isCertificateValid(settings.certificate, settings.userPassword))
{
*errorMessage = tr("Invalid certificate or password.");
return false;
@@ -2401,8 +2396,8 @@ PDFSecurityHandler::AuthorizationResult PDFPublicKeySecurityHandler::authenticat
constexpr int revision = 0;
QByteArray password = adjustPassword(getPasswordCallback(&passwordObtained), revision);
QFileInfoList certificates = PDFCertificateManager::getCertificates();
if (certificates.isEmpty())
PDFCertificateEntries certificates = PDFCertificateManager::getCertificates();
if (certificates.empty())
{
return AuthorizationResult::Failed;
}
@@ -2421,114 +2416,109 @@ PDFSecurityHandler::AuthorizationResult PDFPublicKeySecurityHandler::authenticat
while (passwordObtained)
{
// We will iterate trough all certificates
for (const QFileInfo& certificateFileInfo : certificates)
for (const PDFCertificateEntry& certificateEntry : certificates)
{
if (!PDFCertificateManager::isCertificateValid(certificateFileInfo.absoluteFilePath(), password))
if (!PDFCertificateManager::isCertificateValid(certificateEntry, password))
{
continue;
}
QFile file(certificateFileInfo.absoluteFilePath());
if (file.open(QFile::ReadOnly))
QByteArray data = certificateEntry.info.getCertificateData();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
{
QByteArray data = file.readAll();
file.close();
openssl_ptr<BIO> pksBuffer(BIO_new(BIO_s_mem()), &BIO_free_all);
BIO_write(pksBuffer.get(), data.constData(), data.length());
openssl_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(pksBuffer.get(), nullptr), &PKCS12_free);
if (pkcs12)
const char* passwordPointer = nullptr;
if (!password.isEmpty())
{
const char* passwordPointer = nullptr;
if (!password.isEmpty())
passwordPointer = password.constData();
}
EVP_PKEY* keyPtr = nullptr;
X509* certificatePtr = nullptr;
STACK_OF(X509)* certificatesPtr = nullptr;
// Parse PKCS12 with password
bool isParsed = PKCS12_parse(pkcs12.get(), passwordPointer, &keyPtr, &certificatePtr, &certificatesPtr) == 1;
if (!isParsed)
{
continue;
}
openssl_ptr<EVP_PKEY> key(keyPtr, EVP_PKEY_free);
openssl_ptr<X509> certificate(certificatePtr, X509_free);
openssl_ptr<STACK_OF(X509)> certificates2(certificatesPtr, sk_x509_free_impl);
for (const auto& recipientItem : recipients)
{
PKCS7* pkcs7 = recipientItem.get();
openssl_ptr<BIO> dataBuffer(BIO_new(BIO_s_mem()), BIO_free_all);
if (PKCS7_decrypt(pkcs7, keyPtr, certificatePtr, dataBuffer.get(), PKCS7_BINARY) == 1)
{
passwordPointer = password.constData();
}
BUF_MEM* memoryBuffer = nullptr;
BIO_get_mem_ptr(dataBuffer.get(), &memoryBuffer);
EVP_PKEY* keyPtr = nullptr;
X509* certificatePtr = nullptr;
STACK_OF(X509)* certificatesPtr = nullptr;
// Acc. to chapter 7.6.5.3 - decrypted data
QByteArray decryptedData(memoryBuffer->data, int(memoryBuffer->length));
// Parse PKCS12 with password
bool isParsed = PKCS12_parse(pkcs12.get(), passwordPointer, &keyPtr, &certificatePtr, &certificatesPtr) == 1;
// Calculate file encryption key
EVP_MD_CTX* context = EVP_MD_CTX_new();
Q_ASSERT(context);
if (!isParsed)
{
continue;
}
openssl_ptr<EVP_PKEY> key(keyPtr, EVP_PKEY_free);
openssl_ptr<X509> certificate(certificatePtr, X509_free);
openssl_ptr<STACK_OF(X509)> certificates2(certificatesPtr, sk_x509_free_impl);
for (const auto& recipientItem : recipients)
{
PKCS7* pkcs7 = recipientItem.get();
openssl_ptr<BIO> dataBuffer(BIO_new(BIO_s_mem()), BIO_free_all);
if (PKCS7_decrypt(pkcs7, keyPtr, certificatePtr, dataBuffer.get(), PKCS7_BINARY) == 1)
switch (m_keyLength)
{
BUF_MEM* memoryBuffer = nullptr;
BIO_get_mem_ptr(dataBuffer.get(), &memoryBuffer);
case 128:
EVP_DigestInit(context, EVP_sha1());
break;
// Acc. to chapter 7.6.5.3 - decrypted data
QByteArray decryptedData(memoryBuffer->data, int(memoryBuffer->length));
case 256:
EVP_DigestInit(context, EVP_sha256());
break;
// Calculate file encryption key
EVP_MD_CTX* context = EVP_MD_CTX_new();
Q_ASSERT(context);
switch (m_keyLength)
{
case 128:
EVP_DigestInit(context, EVP_sha1());
break;
case 256:
EVP_DigestInit(context, EVP_sha256());
break;
default:
Q_ASSERT(false);
EVP_DigestInit(context, EVP_sha256());
break;
}
QByteArray seed = decryptedData.left(20);
// 7.6.5.3 a)
EVP_DigestUpdate(context, seed.constData(), seed.size());
// 7.6.5.3 b)
for (const QByteArray& recipient : m_filterDefault.recipients)
{
EVP_DigestUpdate(context, recipient.constData(), recipient.size());
}
// 7.6.5.3 c)
if (!isMetadataEncrypted())
{
constexpr uint32_t value = 0xFFFFFFFF;
EVP_DigestUpdate(context, &value, sizeof(value));
}
unsigned int size = EVP_MD_size(EVP_MD_CTX_md(context));
QByteArray digestBuffer(size, char());
EVP_DigestFinal_ex(context, convertByteArrayToUcharPtr(digestBuffer), &size);
EVP_MD_CTX_free(context);
if (decryptedData.size() == 20 + sizeof(uint32_t))
{
// We shall set permissions
m_permissions = qFromLittleEndian<uint32_t>(decryptedData.data() + 20);
}
m_authorizationData.fileEncryptionKey = digestBuffer.left(m_keyLength / 8);
m_authorizationData.authorizationResult = AuthorizationResult::UserAuthorized;
return AuthorizationResult::UserAuthorized;
default:
Q_ASSERT(false);
EVP_DigestInit(context, EVP_sha256());
break;
}
QByteArray seed = decryptedData.left(20);
// 7.6.5.3 a)
EVP_DigestUpdate(context, seed.constData(), seed.size());
// 7.6.5.3 b)
for (const QByteArray& recipient : m_filterDefault.recipients)
{
EVP_DigestUpdate(context, recipient.constData(), recipient.size());
}
// 7.6.5.3 c)
if (!isMetadataEncrypted())
{
constexpr uint32_t value = 0xFFFFFFFF;
EVP_DigestUpdate(context, &value, sizeof(value));
}
unsigned int size = EVP_MD_size(EVP_MD_CTX_md(context));
QByteArray digestBuffer(size, char());
EVP_DigestFinal_ex(context, convertByteArrayToUcharPtr(digestBuffer), &size);
EVP_MD_CTX_free(context);
if (decryptedData.size() == 20 + sizeof(uint32_t))
{
// We shall set permissions
m_permissions = qFromLittleEndian<uint32_t>(decryptedData.data() + 20);
}
m_authorizationData.fileEncryptionKey = digestBuffer.left(m_keyLength / 8);
m_authorizationData.authorizationResult = AuthorizationResult::UserAuthorized;
return AuthorizationResult::UserAuthorized;
}
}
}

4
Pdf4QtLibCore/sources/pdfsecurityhandler.h
View File

@@ -20,6 +20,7 @@
#include "pdfglobal.h"
#include "pdfobject.h"
#include "pdfcertificatestore.h"
#include <QByteArray>
#include <QSharedPointer>
@@ -477,7 +478,7 @@ public:
QString ownerPassword;
uint32_t permissions = 0;
QByteArray id;
QString certificateFileName;
PDFCertificateEntry certificate;
};
/// Creates security handler based on given settings. If security handler cannot
@@ -514,5 +515,4 @@ public:
} // namespace pdf
#endif // PDFSECURITYHANDLER_H

397
Pdf4QtLibCore/sources/pdfsignaturehandler.cpp
View File

@@ -60,19 +60,6 @@ namespace pdf
template<typename T>
using openssl_ptr = std::unique_ptr<T, void(*)(T*)>;
static QRecursiveMutex s_globalOpenSSLMutex;
/// OpenSSL is not thread safe.
class PDFOpenSSLGlobalLock
{
public:
explicit inline PDFOpenSSLGlobalLock() : m_mutexLocker(&s_globalOpenSSLMutex) { }
inline ~PDFOpenSSLGlobalLock() = default;
private:
QMutexLocker<QRecursiveMutex> m_mutexLocker;
};
PDFSignatureReference PDFSignatureReference::parse(const PDFObjectStorage* storage, PDFObject object)
{
PDFSignatureReference result;
@@ -1569,263 +1556,7 @@ BIO* PDFSignatureHandler_adbe_pkcs7_sha1::getSignedDataBuffer(PDFSignatureVerifi
PDFCertificateInfo PDFPublicKeySignatureHandler::getCertificateInfo(X509* certificate)
{
PDFCertificateInfo info;
if (X509_NAME* subjectName = X509_get_subject_name(certificate))
{
// List of these properties are in RFC 5280, section 4.1.2.4, these attributes
// are standard and all implementations must be prepared to process them.
QString countryName = getStringFromX509Name(subjectName, NID_countryName);
QString organizationName = getStringFromX509Name(subjectName, NID_organizationName);
QString organizationalUnitName = getStringFromX509Name(subjectName, NID_organizationalUnitName);
QString distinguishedName = getStringFromX509Name(subjectName, NID_distinguishedName);
QString stateOrProvinceName = getStringFromX509Name(subjectName, NID_stateOrProvinceName);
QString commonName = getStringFromX509Name(subjectName, NID_commonName);
QString serialNumber = getStringFromX509Name(subjectName, NID_serialNumber);
// These attributes are defined also in section 4.1.2.4, they are not mandatory,
// but application should be able to process them.
QString localityName = getStringFromX509Name(subjectName, NID_localityName);
QString title = getStringFromX509Name(subjectName, NID_title);
QString surname = getStringFromX509Name(subjectName, NID_surname);
QString givenName = getStringFromX509Name(subjectName, NID_givenName);
QString initials = getStringFromX509Name(subjectName, NID_initials);
QString pseudonym = getStringFromX509Name(subjectName, NID_pseudonym);
QString generationQualifier = getStringFromX509Name(subjectName, NID_generationQualifier);
// This entry is not defined in section 4.1.2.4, but is commonly used
QString email = getStringFromX509Name(subjectName, NID_pkcs9_emailAddress);
info.setName(PDFCertificateInfo::CountryName, qMove(countryName));
info.setName(PDFCertificateInfo::OrganizationName, qMove(organizationName));
info.setName(PDFCertificateInfo::OrganizationalUnitName, qMove(organizationalUnitName));
info.setName(PDFCertificateInfo::DistinguishedName, qMove(distinguishedName));
info.setName(PDFCertificateInfo::StateOrProvinceName, qMove(stateOrProvinceName));
info.setName(PDFCertificateInfo::CommonName, qMove(commonName));
info.setName(PDFCertificateInfo::SerialNumber, qMove(serialNumber));
info.setName(PDFCertificateInfo::LocalityName, qMove(localityName));
info.setName(PDFCertificateInfo::Title, qMove(title));
info.setName(PDFCertificateInfo::Surname, qMove(surname));
info.setName(PDFCertificateInfo::GivenName, qMove(givenName));
info.setName(PDFCertificateInfo::Initials, qMove(initials));
info.setName(PDFCertificateInfo::Pseudonym, qMove(pseudonym));
info.setName(PDFCertificateInfo::GenerationalQualifier, qMove(generationQualifier));
info.setName(PDFCertificateInfo::Email, qMove(email));
const long version = X509_get_version(certificate);
info.setVersion(version);
const ASN1_TIME* notBeforeTime = X509_get0_notBefore(certificate);
const ASN1_TIME* notAfterTime = X509_get0_notAfter(certificate);
info.setNotValidBefore(getDateTimeFromASN(notBeforeTime));
info.setNotValidAfter(getDateTimeFromASN(notAfterTime));
X509_PUBKEY* publicKey = X509_get_X509_PUBKEY(certificate);
EVP_PKEY* evpKey = X509_PUBKEY_get(publicKey);
const int keyType = EVP_PKEY_type(EVP_PKEY_base_id(evpKey));
PDFCertificateInfo::PublicKey key = PDFCertificateInfo::KeyUnknown;
switch (keyType)
{
case EVP_PKEY_RSA:
key = PDFCertificateInfo::KeyRSA;
break;
case EVP_PKEY_DSA:
key = PDFCertificateInfo::KeyDSA;
break;
case EVP_PKEY_DH:
key = PDFCertificateInfo::KeyDH;
break;
case EVP_PKEY_EC:
key = PDFCertificateInfo::KeyEC;
break;
default:
break;
}
info.setPublicKey(key);
const int bits = EVP_PKEY_bits(evpKey);
info.setKeySize(bits);
uint32_t keyUsage = X509_get_key_usage(certificate);
if (keyUsage != UINT32_MAX)
{
static_assert(PDFCertificateInfo::KeyUsageDigitalSignature == KU_DIGITAL_SIGNATURE, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageNonRepudiation == KU_NON_REPUDIATION, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageKeyEncipherment == KU_KEY_ENCIPHERMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageDataEncipherment == KU_DATA_ENCIPHERMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageAgreement == KU_KEY_AGREEMENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageCertSign == KU_KEY_CERT_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageCrlSign == KU_CRL_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageEncipherOnly == KU_ENCIPHER_ONLY, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageDecipherOnly == KU_DECIPHER_ONLY, "Fix this code!");
if (X509_get_extension_flags(certificate) & EXFLAG_XKUSAGE)
{
const uint32_t extendedKeyUsage = X509_get_extended_key_usage(certificate);
Q_ASSERT(extendedKeyUsage != UINT32_MAX);
static_assert(PDFCertificateInfo::KeyUsageExtended_SSL_SERVER >> 16 == XKU_SSL_SERVER, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SSL_CLIENT >> 16 == XKU_SSL_CLIENT, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SMIME >> 16 == XKU_SMIME, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_CODE_SIGN >> 16 == XKU_CODE_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_SGC >> 16 == XKU_SGC, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_OCSP_SIGN >> 16 == XKU_OCSP_SIGN, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_TIMESTAMP >> 16 == XKU_TIMESTAMP, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_DVCS >> 16 == XKU_DVCS, "Fix this code!");
static_assert(PDFCertificateInfo::KeyUsageExtended_ANYEKU >> 16 == XKU_ANYEKU, "Fix this code!");
keyUsage = keyUsage | (extendedKeyUsage << 16);
}
info.setKeyUsage(static_cast<PDFCertificateInfo::KeyUsageFlags>(keyUsage));
}
unsigned char* buffer = nullptr;
int length = i2d_X509(certificate, &buffer);
if (length >= 0)
{
Q_ASSERT(buffer);
info.setCertificateData(QByteArray(reinterpret_cast<const char*>(buffer), length));
OPENSSL_free(buffer);
}
}
return info;
}
void PDFCertificateInfo::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << m_version;
stream << m_keySize;
stream << m_publicKey;
stream << m_nameEntries;
stream << m_notValidBefore;
stream << m_notValidAfter;
stream << m_keyUsage;
stream << m_certificateData;
}
void PDFCertificateInfo::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> m_version;
stream >> m_keySize;
stream >> m_publicKey;
stream >> m_nameEntries;
stream >> m_notValidBefore;
stream >> m_notValidAfter;
stream >> m_keyUsage;
stream >> m_certificateData;
}
QDateTime PDFCertificateInfo::getNotValidBefore() const
{
return m_notValidBefore;
}
void PDFCertificateInfo::setNotValidBefore(const QDateTime& notValidBefore)
{
m_notValidBefore = notValidBefore;
}
QDateTime PDFCertificateInfo::getNotValidAfter() const
{
return m_notValidAfter;
}
void PDFCertificateInfo::setNotValidAfter(const QDateTime& notValidAfter)
{
m_notValidAfter = notValidAfter;
}
int32_t PDFCertificateInfo::getVersion() const
{
return m_version;
}
void PDFCertificateInfo::setVersion(int32_t version)
{
m_version = version;
}
PDFCertificateInfo::PublicKey PDFCertificateInfo::getPublicKey() const
{
return m_publicKey;
}
void PDFCertificateInfo::setPublicKey(const PublicKey& publicKey)
{
m_publicKey = publicKey;
}
int PDFCertificateInfo::getKeySize() const
{
return m_keySize;
}
void PDFCertificateInfo::setKeySize(int keySize)
{
m_keySize = keySize;
}
PDFCertificateInfo::KeyUsageFlags PDFCertificateInfo::getKeyUsage() const
{
return m_keyUsage;
}
void PDFCertificateInfo::setKeyUsage(KeyUsageFlags keyUsage)
{
m_keyUsage = keyUsage;
}
std::optional<PDFCertificateInfo> PDFCertificateInfo::getCertificateInfo(const QByteArray& certificateData)
{
std::optional<PDFCertificateInfo> result;
PDFOpenSSLGlobalLock lock;
const unsigned char* data = convertByteArrayToUcharPtr(certificateData);
if (X509* certificate = d2i_X509(nullptr, &data, certificateData.length()))
{
result = PDFPublicKeySignatureHandler::getCertificateInfo(certificate);
X509_free(certificate);
}
return result;
}
QByteArray PDFCertificateInfo::getCertificateData() const
{
return m_certificateData;
}
void PDFCertificateInfo::setCertificateData(const QByteArray& certificateData)
{
m_certificateData = certificateData;
}
void PDFCertificateStore::CertificateEntry::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << type;
stream << info;
}
void PDFCertificateStore::CertificateEntry::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> type;
stream >> info;
return PDFCertificateInfo::getCertificateInfo(certificate);
}
QString PDFPublicKeySignatureHandler::getStringFromX509Name(X509_NAME* name, int nid)
@@ -1938,100 +1669,6 @@ void PDFPublicKeySignatureHandler::addSignatureDateFromSignerInfoStack(STACK_OF(
}
}
void PDFCertificateStore::serialize(QDataStream& stream) const
{
stream << persist_version;
stream << m_certificates;
}
void PDFCertificateStore::deserialize(QDataStream& stream)
{
int persistVersionDeserialized = 0;
stream >> persistVersionDeserialized;
stream >> m_certificates;
}
bool PDFCertificateStore::add(EntryType type, const QByteArray& certificate)
{
if (auto certificateInfo = PDFCertificateInfo::getCertificateInfo(certificate))
{
return add(type, qMove(*certificateInfo));
}
return false;
}
bool PDFCertificateStore::add(EntryType type, PDFCertificateInfo info)
{
auto it = std::find_if(m_certificates.cbegin(), m_certificates.cend(), [&info](const auto& entry) { return entry.info == info; });
if (it == m_certificates.cend())
{
m_certificates.push_back({ type, qMove(info) });
}
return true;
}
bool PDFCertificateStore::contains(const PDFCertificateInfo& info)
{
return std::find_if(m_certificates.cbegin(), m_certificates.cend(), [&info](const auto& entry) { return entry.info == info; }) != m_certificates.cend();
}
QString PDFCertificateStore::getDefaultCertificateStoreFileName() const
{
return QStandardPaths::writableLocation(QStandardPaths::AppConfigLocation) + "/TrustedCertStorage.bin";
}
void PDFCertificateStore::loadDefaultUserCertificates()
{
createDirectoryForDefaultUserCertificatesStore();
QString trustedCertificateStoreFileName = getDefaultCertificateStoreFileName();
QString trustedCertificateStoreLockFileName = trustedCertificateStoreFileName + ".lock";
QLockFile lockFile(trustedCertificateStoreLockFileName);
if (lockFile.lock())
{
QFile trustedCertificateStoreFile(trustedCertificateStoreFileName);
if (trustedCertificateStoreFile.open(QFile::ReadOnly))
{
QDataStream stream(&trustedCertificateStoreFile);
deserialize(stream);
trustedCertificateStoreFile.close();
}
lockFile.unlock();
}
}
void PDFCertificateStore::saveDefaultUserCertificates()
{
createDirectoryForDefaultUserCertificatesStore();
QString trustedCertificateStoreFileName = getDefaultCertificateStoreFileName();
QString trustedCertificateStoreLockFileName = trustedCertificateStoreFileName + ".lock";
QFileInfo fileInfo(trustedCertificateStoreFileName);
QDir dir = fileInfo.dir();
dir.mkpath(dir.path());
QLockFile lockFile(trustedCertificateStoreLockFileName);
if (lockFile.lock())
{
QFile trustedCertificateStoreFile(trustedCertificateStoreFileName);
if (trustedCertificateStoreFile.open(QFile::WriteOnly | QFile::Truncate))
{
QDataStream stream(&trustedCertificateStoreFile);
serialize(stream);
trustedCertificateStoreFile.close();
}
lockFile.unlock();
}
}
void PDFCertificateStore::createDirectoryForDefaultUserCertificatesStore()
{
QFileInfo fileInfo(getDefaultCertificateStoreFileName());
QString path = fileInfo.path();
QDir().mkpath(path);
}
} // namespace pdf
@@ -2047,7 +1684,7 @@ void pdf::PDFPublicKeySignatureHandler::addTrustedCertificates(X509_STORE* store
{
if (m_parameters.store)
{
const PDFCertificateStore::CertificateEntries& certificates = m_parameters.store->getCertificates();
const PDFCertificateEntries& certificates = m_parameters.store->getCertificates();
for (const auto& entry : certificates)
{
QByteArray certificateData = entry.info.getCertificateData();
@@ -2085,36 +1722,6 @@ void pdf::PDFPublicKeySignatureHandler::addTrustedCertificates(X509_STORE* store
#endif
}
pdf::PDFCertificateStore::CertificateEntries pdf::PDFCertificateStore::getSystemCertificates()
{
CertificateEntries result;
#ifdef Q_OS_WIN
HCERTSTORE certStore = CertOpenSystemStore(0, L"ROOT");
PCCERT_CONTEXT context = nullptr;
if (certStore)
{
while (context = CertEnumCertificatesInStore(certStore, context))
{
const unsigned char* pointer = context->pbCertEncoded;
QByteArray data(reinterpret_cast<const char*>(pointer), context->cbCertEncoded);
std::optional<PDFCertificateInfo> info = PDFCertificateInfo::getCertificateInfo(data);
if (info)
{
CertificateEntry entry;
entry.type = EntryType::System;
entry.info = qMove(*info);
result.emplace_back(qMove(entry));
}
}
CertCloseStore(certStore, CERT_CLOSE_STORE_FORCE_FLAG);
}
#endif
return result;
}
#if defined(PDF4QT_COMPILER_MINGW) || defined(PDF4QT_COMPILER_GCC)
#pragma GCC diagnostic pop
#endif

201
Pdf4QtLibCore/sources/pdfsignaturehandler.h
View File

@@ -21,6 +21,7 @@
#include "pdfglobal.h"
#include "pdfobject.h"
#include "pdfutils.h"
#include "pdfcertificatestore.h"
#include <QString>
#include <QDateTime>
@@ -152,124 +153,6 @@ private:
AuthentificationType m_propType = AuthentificationType::Invalid;
};
/// Info about certificate, various details etc.
class PDF4QTLIBCORESHARED_EXPORT PDFCertificateInfo
{
public:
explicit inline PDFCertificateInfo() = default;
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
friend inline QDataStream& operator<<(QDataStream& stream, const PDFCertificateInfo& info) { info.serialize(stream); return stream; }
friend inline QDataStream& operator>>(QDataStream& stream, PDFCertificateInfo& info) { info.deserialize(stream); return stream; }
bool operator ==(const PDFCertificateInfo&) const = default;
bool operator !=(const PDFCertificateInfo&) const = default;
/// These entries are taken from RFC 5280, section 4.1.2.4,
/// they are supported and loaded from the certificate, with
/// exception of Email entry.
enum NameEntry
{
CountryName,
OrganizationName,
OrganizationalUnitName,
DistinguishedName,
StateOrProvinceName,
CommonName,
SerialNumber,
LocalityName,
Title,
Surname,
GivenName,
Initials,
Pseudonym,
GenerationalQualifier,
Email,
NameEnd
};
enum PublicKey
{
KeyRSA,
KeyDSA,
KeyEC,
KeyDH,
KeyUnknown
};
// This enum is defined in RFC 5280, chapter 4.2.1.3, Key Usage. Second part,
// are defined in extended key usage entry, if it is defined.
enum KeyUsageFlag : uint32_t
{
KeyUsageNone = 0x00000000,
KeyUsageDigitalSignature = 0x00000080,
KeyUsageNonRepudiation = 0x00000040,
KeyUsageKeyEncipherment = 0x00000020,
KeyUsageDataEncipherment = 0x00000010,
KeyUsageAgreement = 0x00000008,
KeyUsageCertSign = 0x00000004,
KeyUsageCrlSign = 0x00000002,
KeyUsageEncipherOnly = 0x00000001,
KeyUsageDecipherOnly = 0x00008000,
KeyUsageExtended_SSL_SERVER = 0x1 << 16,
KeyUsageExtended_SSL_CLIENT = 0x2 << 16,
KeyUsageExtended_SMIME = 0x4 << 16,
KeyUsageExtended_CODE_SIGN = 0x8 << 16,
KeyUsageExtended_SGC = 0x10 << 16,
KeyUsageExtended_OCSP_SIGN = 0x20 << 16,
KeyUsageExtended_TIMESTAMP = 0x40 << 16,
KeyUsageExtended_DVCS = 0x80 << 16,
KeyUsageExtended_ANYEKU = 0x100 << 16,
};
Q_DECLARE_FLAGS(KeyUsageFlags, KeyUsageFlag)
const QString& getName(NameEntry name) const { return m_nameEntries[name]; }
void setName(NameEntry name, QString string) { m_nameEntries[name] = qMove(string); }
QDateTime getNotValidBefore() const;
void setNotValidBefore(const QDateTime& notValidBefore);
QDateTime getNotValidAfter() const;
void setNotValidAfter(const QDateTime& notValidAfter);
int32_t getVersion() const;
void setVersion(int32_t version);
PublicKey getPublicKey() const;
void setPublicKey(const PublicKey& publicKey);
int getKeySize() const;
void setKeySize(int keySize);
KeyUsageFlags getKeyUsage() const;
void setKeyUsage(KeyUsageFlags keyUsage);
QByteArray getCertificateData() const;
void setCertificateData(const QByteArray& certificateData);
/// Creates certificate info from binary data. Binary data must
/// contain DER-encoded certificate.
/// \param certificateData Data
static std::optional<PDFCertificateInfo> getCertificateInfo(const QByteArray& certificateData);
private:
static constexpr int persist_version = 1;
int32_t m_version = 0;
int m_keySize = 0;
PublicKey m_publicKey = KeyUnknown;
std::array<QString, NameEnd> m_nameEntries;
QDateTime m_notValidBefore;
QDateTime m_notValidAfter;
KeyUsageFlags m_keyUsage;
QByteArray m_certificateData;
};
using PDFCertificateInfos = std::vector<PDFCertificateInfo>;
class PDF4QTLIBCORESHARED_EXPORT PDFSignatureVerificationResult
{
public:
@@ -462,88 +345,6 @@ private:
static PDFSignatureHandler* createHandler(const PDFFormFieldSignature* signatureField, const QByteArray& sourceData, const Parameters& parameters);
};
/// Trusted certificate store. Contains list of trusted certificates. Store
/// can be persisted to the persistent storage trough serialization/deserialization.
/// Persisting method is versioned.
class PDF4QTLIBCORESHARED_EXPORT PDFCertificateStore
{
public:
explicit inline PDFCertificateStore() = default;
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
enum class EntryType : int
{
User, ///< Certificate has been added manually by the user
EUTL, ///< Certificate comes EU trusted list
System, ///< System certificate
};
struct CertificateEntry
{
void serialize(QDataStream& stream) const;
void deserialize(QDataStream& stream);
friend inline QDataStream& operator<<(QDataStream& stream, const CertificateEntry& entry) { entry.serialize(stream); return stream; }
friend inline QDataStream& operator>>(QDataStream& stream, CertificateEntry& entry) { entry.deserialize(stream); return stream; }
static constexpr int persist_version = 1;
EntryType type = EntryType::User;
PDFCertificateInfo info;
};
using CertificateEntries = std::vector<CertificateEntry>;
/// Tries to add new certificate to the certificate store. If certificate
/// is already here, then nothing happens and function returns true.
/// Otherwise data are checked, if they really contains a certificate,
/// and if yes, then it is added. Function returns false if, and only if,
/// error occured and certificate was not added.
/// \param type Type
/// \param certificate Certificate
bool add(EntryType type, const QByteArray& certificate);
/// Tries to add new certificate to the certificate store. If certificate
/// is already here, then nothing happens and function returns true.
/// Otherwise data are checked, if they really contains a certificate,
/// and if yes, then it is added. Function returns false if, and only if,
/// error occured and certificate was not added.
/// \param type Type
/// \param info Certificate info
bool add(EntryType type, PDFCertificateInfo info);
/// Returns true, if storage contains given certificate
/// \param info Certificate info
bool contains(const PDFCertificateInfo& info);
/// Get certificates stored in the store
const CertificateEntries& getCertificates() const { return m_certificates; }
/// Set certificates
void setCertificates(CertificateEntries certificates) { m_certificates = qMove(certificates); }
/// Returns default certificate store file name
QString getDefaultCertificateStoreFileName() const;
/// Load from default user certificate storage
void loadDefaultUserCertificates();
/// Save to default user certificate storage
void saveDefaultUserCertificates();
/// Creates default directory for certificate store
void createDirectoryForDefaultUserCertificatesStore();
/// Returns a list of system certificates
static CertificateEntries getSystemCertificates();
private:
static constexpr int persist_version = 1;
CertificateEntries m_certificates;
};
} // namespace pdf
#endif // PDFSIGNATUREHANDLER_H

1
Pdf4QtLibCore/sources/pdfutils.cpp
View File

@@ -36,6 +36,7 @@
#include <security.h>
#if defined(PDF4QT_USE_PRAGMA_LIB)
#pragma comment(lib, "Secur32.lib")
#pragma comment(lib, "Ncrypt.lib")
#endif
#endif