1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
// Copyright (C) 2021 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
#include <QRegularExpression>
#include <QUrl>
#include "certificate.h"
using namespace Qt::StringLiterals;
QT_BEGIN_NAMESPACE_AM
/*!
\qmlvaluetype Certificate
\inqmlmodule QtApplicationManager.SystemUI
\ingroup system-ui-non-instantiable
\since 6.11
\brief This class represents a digital certificate used for package signing.
The Certificate class encapsulates information about a digital certificate, including its
subject, serial number, key usages, validity period, fingerprints, and bound package-ids.
While it does allow you to read-only access to the most important X509 certificate information,
it does however \b not encapsulate the actual DER/ASN.1 encoded certificate blob.
For more information about X509 certificates, see \c{RFC 5280}.
\sa {Package Installation}
*/
/*! \qmlproperty bool Certificate::valid
This property holds whether the certificate is valid.
*/
/*! \qmlproperty variant Certificate::subject
Returns the subject of the certificate as a map of attribute names and values.
The attribute names follow the standard OID naming conventions, e.g. \c {commonName} instead
of \c{CN}.
*/
/*! \qmlproperty string Certificate::serialNumber
The serial number of the certificate as hex-encoded string.
*/
/*! \qmlproperty Certificate.KeyUsages Certificate::keyUsages
This property is an integer value representing the key usage of the certificate. The possible
key usage flags are defined as enum and they follow the bit values given in RFC 5280:
\list
\li Certificate.DigitalSignature
\li Certificate.NonRepudiation
\li Certificate.KeyEncipherment
\li Certificate.DataEncipherment
\li Certificate.KeyAgreement
\li Certificate.KeyCertSign
\li Certificate.CRLSign
\li Certificate.EncipherOnly
\li Certificate.DecipherOnly
\endlist
There are also two predefined combinations for common use cases within the application manager:
\list
\li Certificate.Store: Intended for store certificates used to sign packages for
distribution via an application store. It combines DigitalSignature, NonRepudiation,
KeyEncipherment, and EncipherOnly.
\li Certificate.Developer: Intended for developer certificates used to sign packages
during development and testing. It combines DigitalSignature, NonRepudiation,
KeyEncipherment, and DecipherOnly.
\endlist
You can use bitwise operations to check for specific key usage in the returned value.
*/
/*! \qmlproperty date Certificate::validityNotBefore
The validity start date for this certificate.
*/
/*! \qmlproperty date Certificate::validityNotAfter
The validity end date for this certificate.
*/
/*! \qmlproperty variant Certificate::fingerprints
This property holds the fingerprints of the certificate as a map of hash algorithm names
and their corresponding fingerprint values as hex-encoded strings:
Currently, the supported hash algorithms names are:
\list
\li \c{SHA-1}
\li \c{SHA-256}
\endlist
*/
/*! \qmlproperty list<string> Certificate::subjectAlternativeNames
The subject alternative names (SANs) of the certificate. This is the "raw" value from the X509
certificate. The application manager post-processes these entries to extract bound package-ids.
\sa packageIds
*/
/*! \qmlmethod list<string> Certificate::packageIds()
This function returns the list of package-ids the certificate is bound to.
*/
QStringList Certificate::packageIds() const
{
QStringList result;
for (const auto &san : m_subjectAlternativeNames) {
auto sanUrl = QUrl(san);
if (!sanUrl.isValid() || (sanUrl.scheme() != u"qtam") || (sanUrl.host() != u"packageid"))
continue;
result << sanUrl.path().mid(1); // skip leading '/'
}
return result;
}
/*!
\qmlmethod bool Certificate::matchPackageId(string packageId)
Returns \c true if the given \a packageId matches any of the package-ids the certificate is
bound to or \c false otherwise.
*/
bool Certificate::matchPackageId(const QString &packageId) const
{
if constexpr (QT_CONFIG(am_legacy_certificates)) {
if (m_subjectAlternativeNames.isEmpty())
return true;
}
bool foundMatch = false;
const auto certPackageIds = packageIds();
for (const auto &certPackageId : certPackageIds) {
if (certPackageId.contains(u'*')) { // wildcard match
const auto re = QRegularExpression::fromWildcard(certPackageId);
foundMatch = re.match(packageId).hasMatch();
} else { // exact match
foundMatch = (certPackageId == packageId);
}
if (foundMatch)
break;
}
return foundMatch;
}
bool Certificate::operator==(const Certificate &other) const
{
return (m_subject == other.m_subject)
&& (m_serialNumber == other.m_serialNumber)
&& (m_keyUsages == other.m_keyUsages)
&& (m_validityNotBefore == other.m_validityNotBefore)
&& (m_validityNotAfter == other.m_validityNotAfter)
&& (m_fingerprints == other.m_fingerprints)
&& (m_subjectAlternativeNames == other.m_subjectAlternativeNames);
}
bool Certificate::operator!=(const Certificate &other) const
{
return !((*this) == other);
}
/*!
\qmlmethod object Certificate::toVariant()
Returns a QVariantMap representation of this Certificate object.
*/
QVariant Certificate::toVariant() const
{
if (!isValid())
return QVariant::fromValue(nullptr);
return QVariantMap {
{ u"subject"_s, m_subject },
{ u"serialNumber"_s, m_serialNumber },
{ u"keyUsages"_s, m_keyUsages.toInt() },
{ u"validityNotBefore"_s, m_validityNotBefore },
{ u"validityNotAfter"_s, m_validityNotAfter },
{ u"fingerprints"_s, m_fingerprints },
{ u"subjectAlternativeNames"_s, m_subjectAlternativeNames }
};
}
QT_END_NAMESPACE_AM
|
