certificate handling after 10years

Auto reconfiguration of own certificate:

currently:
if kdeconncectd loads its certificate and its expired or not effective yet
it generates a new certificate

previously:
if kdeconncectd loads its certificate and its expired or not effective yet
it continues having the same certificate
This brings forth an issue: Other devices would refuse to connect to a device with 
an expired or non-effective certificate.


Auto-delete of orphan certificates:

currently:
Devices in kdeconnectd's devicelist that have illegal ssl certificates
(expired, not effective yet, empty) get automatically deleted from the
devicelist


previously:
they would just exist forever until the user deletes them


A year does not have 356 days: 

currently: int a_year_in_seconds = 365 * 24 * 60 * 60;

previously: int a_year_in_seconds = 356 * 24 * 60 * 60;
This commit is contained in:
Adam Liscak 2024-08-26 17:42:08 +00:00 committed by Albert Vaca Cintora
parent 0b0edbc27d
commit a4e6e11dd6
6 changed files with 33 additions and 3 deletions

View file

@ -90,7 +90,14 @@ void Daemon::init()
// Read remembered paired devices
const QStringList &list = KdeConnectConfig::instance().trustedDevices();
for (const QString &id : list) {
addDevice(new Device(this, id));
Device *d = new Device(this, id);
// prune away devices with malformed certificates
if (d->hasInvalidCertificate()) {
qCDebug(KDECONNECT_CORE) << "Certificate for device " << id << "illegal, deleting the device";
KdeConnectConfig::instance().removeTrustedDevice(id);
} else {
addDevice(d);
}
}
qCDebug(KDECONNECT_CORE) << "Paired devices added";

View file

@ -320,7 +320,11 @@ bool Device::updateDeviceInfo(const DeviceInfo &newDeviceInfo)
return hasChanges;
}
bool Device::hasInvalidCertificate()
{
QDateTime now = QDateTime::currentDateTime();
return certificate().isNull() || certificate().effectiveDate() >= now || certificate().expiryDate() <= now;
}
void Device::linkDestroyed(QObject *o)
{
removeLink(static_cast<DeviceLink *>(o));

View file

@ -74,6 +74,8 @@ public:
bool updateDeviceInfo(const DeviceInfo &deviceInfo);
bool hasInvalidCertificate();
PairState pairState() const;
Q_SCRIPTABLE int pairStateAsInt() const; // Hack because qdbus doesn't like enums
Q_SCRIPTABLE bool isPaired() const;

View file

@ -215,6 +215,12 @@ void KdeConnectConfig::removeTrustedDevice(const QString &deviceId)
// We do not remove the config files.
}
void KdeConnectConfig::removeAllTrustedDevices()
{
d->m_trustedDevices->clear();
d->m_trustedDevices->sync();
}
// Utility functions to set and get a value
void KdeConnectConfig::setDeviceProperty(const QString &deviceId, const QString &key, const QString &value)
{
@ -276,10 +282,18 @@ bool KdeConnectConfig::loadPrivateKey(const QString &keyPath)
bool KdeConnectConfig::loadCertificate(const QString &certPath)
{
QFile cert(certPath);
QDateTime now = QDateTime::currentDateTime();
if (cert.exists() && cert.open(QIODevice::ReadOnly)) {
d->m_certificate = QSslCertificate(cert.readAll());
if (d->m_certificate.isNull()) {
qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "is not valid";
} else if (d->m_certificate.effectiveDate() >= now) {
qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "not yet effective: " << d->m_certificate.effectiveDate();
return true;
} else if (d->m_certificate.expiryDate() <= now) {
qCWarning(KDECONNECT_CORE) << "Certificate from" << certPath << "expired: " << d->m_certificate.expiryDate();
return true;
}
}
return d->m_certificate.isNull();
@ -294,6 +308,7 @@ void KdeConnectConfig::loadOrGeneratePrivateKeyAndCertificate(const QString &key
generatePrivateKey(keyPath);
}
if (needsToGenerateCert) {
removeAllTrustedDevices();
generateCertificate(certPath);
}

View file

@ -77,6 +77,8 @@ private:
void generatePrivateKey(const QString &path);
void generateCertificate(const QString &path);
void removeAllTrustedDevices();
struct KdeConnectConfigPrivate *d;
};

View file

@ -200,7 +200,7 @@ QSslCertificate generateSelfSignedCertificate(const QSslKey &qtPrivateKey, const
}
// Set the certificate validity period.
int a_year_in_seconds = 356 * 24 * 60 * 60;
int a_year_in_seconds = 365 * 24 * 60 * 60;
X509_gmtime_adj(X509_getm_notBefore(x509.get()), -a_year_in_seconds);
X509_gmtime_adj(X509_getm_notAfter(x509.get()), 10 * a_year_in_seconds);