diff --git a/core/daemon.cpp b/core/daemon.cpp index 3ec70bdd7..ee76b507a 100644 --- a/core/daemon.cpp +++ b/core/daemon.cpp @@ -90,7 +90,14 @@ void Daemon::init() // Read remembered paired devices const QStringList &list = KdeConnectConfig::instance().trustedDevices(); for (const QString &id : list) { - addDevice(new Device(this, id)); + Device *d = new Device(this, id); + // prune away devices with malformed certificates + if (d->hasInvalidCertificate()) { + qCDebug(KDECONNECT_CORE) << "Certificate for device " << id << "illegal, deleting the device"; + KdeConnectConfig::instance().removeTrustedDevice(id); + } else { + addDevice(d); + } } qCDebug(KDECONNECT_CORE) << "Paired devices added"; diff --git a/core/device.cpp b/core/device.cpp index 0288c0e8d..f3fdb223f 100644 --- a/core/device.cpp +++ b/core/device.cpp @@ -320,7 +320,11 @@ bool Device::updateDeviceInfo(const DeviceInfo &newDeviceInfo) return hasChanges; } - +bool Device::hasInvalidCertificate() +{ + QDateTime now = QDateTime::currentDateTime(); + return certificate().isNull() || certificate().effectiveDate() >= now || certificate().expiryDate() <= now; +} void Device::linkDestroyed(QObject *o) { removeLink(static_cast(o)); diff --git a/core/device.h b/core/device.h index e3d420929..a64b5ea98 100644 --- a/core/device.h +++ b/core/device.h @@ -74,6 +74,8 @@ public: bool updateDeviceInfo(const DeviceInfo &deviceInfo); + bool hasInvalidCertificate(); + PairState pairState() const; Q_SCRIPTABLE int pairStateAsInt() const; // Hack because qdbus doesn't like enums Q_SCRIPTABLE bool isPaired() const; diff --git a/core/kdeconnectconfig.cpp b/core/kdeconnectconfig.cpp index 39d37763a..9e4e54a92 100644 --- a/core/kdeconnectconfig.cpp +++ b/core/kdeconnectconfig.cpp @@ -215,6 +215,12 @@ void KdeConnectConfig::removeTrustedDevice(const QString &deviceId) // We do not remove the config files. } +void KdeConnectConfig::removeAllTrustedDevices() +{ + d->m_trustedDevices->clear(); + d->m_trustedDevices->sync(); +} + // Utility functions to set and get a value void KdeConnectConfig::setDeviceProperty(const QString &deviceId, const QString &key, const QString &value) { @@ -276,10 +282,18 @@ bool KdeConnectConfig::loadPrivateKey(const QString &keyPath) bool KdeConnectConfig::loadCertificate(const QString &certPath) { QFile cert(certPath); + QDateTime now = QDateTime::currentDateTime(); + if (cert.exists() && cert.open(QIODevice::ReadOnly)) { d->m_certificate = QSslCertificate(cert.readAll()); if (d->m_certificate.isNull()) { qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "is not valid"; + } else if (d->m_certificate.effectiveDate() >= now) { + qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "not yet effective: " << d->m_certificate.effectiveDate(); + return true; + } else if (d->m_certificate.expiryDate() <= now) { + qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "expired: " << d->m_certificate.expiryDate(); + return true; } } return d->m_certificate.isNull(); @@ -294,6 +308,7 @@ void KdeConnectConfig::loadOrGeneratePrivateKeyAndCertificate(const QString &key generatePrivateKey(keyPath); } if (needsToGenerateCert) { + removeAllTrustedDevices(); generateCertificate(certPath); } diff --git a/core/kdeconnectconfig.h b/core/kdeconnectconfig.h index 3cb4cb100..3cc426ef2 100644 --- a/core/kdeconnectconfig.h +++ b/core/kdeconnectconfig.h @@ -77,6 +77,8 @@ private: void generatePrivateKey(const QString &path); void generateCertificate(const QString &path); + void removeAllTrustedDevices(); + struct KdeConnectConfigPrivate *d; }; diff --git a/core/sslhelper.cpp b/core/sslhelper.cpp index c41bed34e..c3bb90452 100644 --- a/core/sslhelper.cpp +++ b/core/sslhelper.cpp @@ -200,7 +200,7 @@ QSslCertificate generateSelfSignedCertificate(const QSslKey &qtPrivateKey, const } // Set the certificate validity period. - int a_year_in_seconds = 356 * 24 * 60 * 60; + int a_year_in_seconds = 365 * 24 * 60 * 60; X509_gmtime_adj(X509_getm_notBefore(x509.get()), -a_year_in_seconds); X509_gmtime_adj(X509_getm_notAfter(x509.get()), 10 * a_year_in_seconds);