-bool SslServer::setCertificate(const QString &path) {
- _certIsValid = false;
-
- if (path.isNull()) {
- return false;
- }
-
- QFile certFile(path);
- if (! certFile.exists()) {
- qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
- return false;
- }
-
- if (! certFile.open(QIODevice::ReadOnly)) {
- qWarning()
- << "SslServer: Failed to open certificate file" << qPrintable(path)
- << "error:" << certFile.error();
- return false;
- }
- _cert = QSslCertificate(&certFile);
-
- if (! certFile.reset()) {
- qWarning() << "SslServer: IO error reading certificate file";
- return false;
- }
-
- _key = QSslKey(&certFile, QSsl::Rsa);
- certFile.close();
-
- if (_cert.isNull()) {
- qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
- return false;
- }
- if (! _cert.isValid()) {
- qWarning() << "SslServer: Invalid certificate";
- return false;
- }
- if (_key.isNull()) {
- qWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
- return false;
- }
-
- _certIsValid = true;
-
- return _certIsValid;
+bool SslServer::setCertificate(const QString& path, const QString& keyPath)
+{
+ // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
+ // Use temporary variables in order to avoid overwriting the existing certificates until
+ // everything is confirmed good.
+ QSslCertificate untestedCert;
+ QList<QSslCertificate> untestedCA;
+ QSslKey untestedKey;
+
+ if (path.isEmpty())
+ return false;
+
+ QFile certFile(path);
+ if (!certFile.exists()) {
+ qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
+ return false;
+ }
+
+ if (!certFile.open(QIODevice::ReadOnly)) {
+ qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error();
+ return false;
+ }
+
+ QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
+
+ if (certList.isEmpty()) {
+ qWarning() << "SslServer: Certificate file doesn't contain a certificate";
+ return false;
+ }
+
+ untestedCert = certList[0];
+ certList.removeFirst(); // remove server cert
+
+ // store CA and intermediates certs
+ untestedCA = certList;
+
+ if (!certFile.reset()) {
+ qWarning() << "SslServer: IO error reading certificate file";
+ return false;
+ }
+
+ // load key from keyPath if it differs from path, otherwise load key from path
+ if (path != keyPath) {
+ QFile keyFile(keyPath);
+ if (!keyFile.exists()) {
+ qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
+ return false;
+ }
+
+ if (!keyFile.open(QIODevice::ReadOnly)) {
+ qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error();
+ return false;
+ }
+
+ untestedKey = loadKey(&keyFile);
+ keyFile.close();
+ }
+ else {
+ untestedKey = loadKey(&certFile);
+ }
+
+ certFile.close();
+
+ if (untestedCert.isNull()) {
+ qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
+ return false;
+ }
+
+ // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+ const QDateTime now = QDateTime::currentDateTime();
+ if (now < untestedCert.effectiveDate()) {
+ qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
+ }
+ else if (now > untestedCert.expiryDate()) {
+ qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
+ }
+ else if (untestedCert.isBlacklisted()) {
+ qWarning() << "SslServer: Certificate blacklisted";
+ }
+
+ if (untestedKey.isNull()) {
+ qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
+ return false;
+ }
+
+ _certificateExpires = untestedCert.expiryDate();
+ if (_metricsServer) {
+ _metricsServer->setCertificateExpires(_certificateExpires);
+ }
+
+ _isCertValid = true;
+
+ // All keys are valid, update the externally visible copy used for new connections.
+ _cert = untestedCert;
+ _ca = untestedCA;
+ _key = untestedKey;
+
+ return _isCertValid;
+}
+
+QSslKey SslServer::loadKey(QFile* keyFile)
+{
+ QSslKey key;
+ key = QSslKey(keyFile, QSsl::Rsa);
+ if (key.isNull()) {
+ if (!keyFile->reset()) {
+ qWarning() << "SslServer: IO error reading key file";
+ return key;
+ }
+ key = QSslKey(keyFile, QSsl::Ec);
+ }
+ return key;
+}
+
+void SslServer::setMetricsServer(MetricsServer* metricsServer) {
+ _metricsServer = metricsServer;
+ if (_metricsServer) {
+ _metricsServer->setCertificateExpires(_certificateExpires);
+ }