qt: Add the --extra-ca-certs option

gm-vm · Mar 1, 2024 · 0ce1a4f · 0ce1a4f
1 parent 2da1313
commit 0ce1a4f
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/openfortivpn-webview-qt/main.cpp b/openfortivpn-webview-qt/main.cpp
@@ -5,6 +5,7 @@
 #include <QCursor>
 #include <QRect>
 #include <QScreen>
+#include <QSslConfiguration>
 #include <iostream>
 
 static QScreen *findScreenWithCursor()
@@ -31,6 +32,8 @@ int main(int argc, char *argv[])
  auto defaultUrlRegex = "/sslvpn/portal\\.html";
  auto urlRegexDescription = QString("A regex to detect the URL that needs to be visited before printing SVPNCOOKIE.\nThe default is \"%1\".").arg(defaultUrlRegex);
  auto optionUrlRegex = QCommandLineOption("url-regex", urlRegexDescription, "url-regex", defaultUrlRegex);
+ auto extraCaCertsDescription = QString("Path to a file with extra certificates. The file should consist of one or more trusted certificates in PEM format.");
+ auto optionExtraCaCerts = QCommandLineOption("extra-ca-certs", extraCaCertsDescription, "extra-ca-certs");
  auto certificateToTrustDescription = QString("The fingerprint of a certificate to always trust, even if invalid. The details of invalid certificates, fingerprint included, will be dumped in the console.");
  auto optionCertificateToTrust = QCommandLineOption("trusted-cert", certificateToTrustDescription, "trusted-cert");
 
@@ -40,6 +43,7 @@ int main(int argc, char *argv[])
  parser.addOption(optionUrlRegex);
  parser.addOption(optionUrl);
  parser.addOption(optionKeepOpen);
+ parser.addOption(optionExtraCaCerts);
  parser.addOption(optionCertificateToTrust);
  parser.addOption(QCommandLineOption("remote-debugging-port", "Remote debugging server port.", "port"));
  parser.addHelpOption();
@@ -73,6 +77,18 @@ int main(int argc, char *argv[])
  exit(1);
  }
 
+ auto extraCaCertsPath = parser.value(optionExtraCaCerts);
+ QList<QSslCertificate> extraCaCerts;
+ if (!extraCaCertsPath.isEmpty()) {
+ // Add the custom CA to QSslConfiguration so that later we can verify the chain with it.
+ extraCaCerts = QSslCertificate::fromPath(extraCaCertsPath, QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
+ QSslConfiguration configuration = QSslConfiguration::defaultConfiguration();
+ auto certs = configuration.caCertificates();
+ certs.append(extraCaCerts);
+ configuration.setCaCertificates(extraCaCerts);
+ QSslConfiguration::setDefaultConfiguration(configuration);
+ }
+
  auto certificateToTrust = parser.value(optionCertificateToTrust);
 
  MainWindow w(keepOpen, urlRegex, certificateToTrust);

diff --git a/openfortivpn-webview-qt/mainwindow.cpp b/openfortivpn-webview-qt/mainwindow.cpp
@@ -3,6 +3,7 @@
 #include <QDebug>
 #include <QLoggingCategory>
 #include <QMenuBar>
+#include <QSslError>
 #include <QStandardPaths>
 #include <QTextStream>
 #include <QWebEngineCookieStore>
@@ -96,6 +97,16 @@ void MainWindow::onCertificateError(QWebEngineCertificateError certificateError)
  return;
  }
 
+ // Check the certificate chain using the possibly updated QSslConfiguration (--extra-ca-certs).
+ // The documentation states that the CA should not be included in the chain, so here we remove it.
+ auto chainWithoutCa = certificateError.certificateChain();
+ chainWithoutCa.removeLast();
+ auto errors = QSslCertificate::verify(chainWithoutCa, certificateError.url().host());
+ if (errors.isEmpty()) {
+ certificateError.acceptCertificate();
+ return;
+ }
+
  qCDebug(category) << "Found an invalid certificate:";
  for (auto& certificate : certificateError.certificateChain()) {
  qCDebug(category).noquote() << certificate.toText();