QT 5.15 QSSLCertificate::importpkcs12 returns false, how do I debug the reason?

JonB

@Dadde said in QT 5.15 QSSLCertificate::importpkcs12 returns false, how do I debug the reason?:

Is it because I pass pfxFile as a QFile when the input parameter is actually QIODevice, even though QFile is inheriting QIODevice and therefore seems to compile?

No, that is fine.
I do not have an answer to how you discover exactly what is wrong.

SGaist

Hi,

Which version of Qt are you using ?
On which platform ?
Would it be possible for you to share how one can generate such a certificate to test ?
The Python code you are using as well so people can double check in conditions similar as yours.

ChrisW67

Have you installed the relevant OpenSSL libraries into the runtime path of your executable?
Have you provided the correct password for the input file?

Dadde

@SGaist I'm using QT version 5.15.2, visual studio

I don't know myself how to create the certificate since I'm new to these topics but I will see what I can accomplish after the weekend.

I think I can provide the python code though:

import base64
import requests
import jwt
import hashlib
import uuid
from datetime import datetime, timedelta
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import pkcs12
 
token_endpoint = 'https://xxx.yyy/zzz/oauth2/token'
 
# ADFS endpoint URL
authority = 'https://xxx.yyy/zzz'
 
# PFX certificate file path and password
cert_file = 'C:/xxx/yyy/zzz.pfx'
cert_password = 'password'
 
# Client ID and Secret for your registered application on ADFS
client_id = 'xxx-yyy-zzz-vvv-www'
 
# Define the scope of the access token
scope = ['https://xxx.yyy.zzz.vvv']
 
# Load the PFX certificate
with open(cert_file, 'rb') as f:
    pfx_data = f.read()
 
# Load the PFX data and extract the private key
private_key, cert, ca_certs = pkcs12.load_key_and_certificates(pfx_data, cert_password.encode(), default_backend())
 
def hex_string_readable(bytes):
        return ["{:02X}".format(x) for x in bytes]
fingerprint = hex_string_readable(cert.fingerprint(hashes.SHA1()))
print(",".join(str(element) for element in fingerprint))
 
# Serialize the private key to PEM format
private_key_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
)
# Convert bytes to string
private_key_pem_str = private_key_pem.decode()
 
print(private_key_pem_str)
 
# Create a client assertion
now = datetime.utcnow()
expiry = now + timedelta(minutes=10)  # Set expiry time for 10 minutes from now
 
kid = "".join(str(element) for element in fingerprint)
 
cert_sha1 = hashlib.sha1()
cert_sha1.update(cert.public_bytes(serialization.Encoding.DER))
 
# Convert the SHA-1 hash to base64
x5t = base64.urlsafe_b64encode(cert_sha1.digest()).rstrip(b'=').decode()
 
claims = {
    "aud": token_endpoint,
    "iss": client_id,
    "sub": client_id,
    "jti": str(uuid.uuid4()),
    "exp": expiry,
}
 
header = {
    "kid": kid,
    "x5t": x5t
}
# Encode and sign the JWT using the private key
client_assertion_bytes = jwt.encode(claims, private_key_pem_str, algorithm='RS256', headers=header)
 
# Prepare data for token request
token_request_data = {
    'grant_type': 'client_credentials',
    'client_id': client_id,
    'scope': scope,
    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion': client_assertion_bytes,
}
 
# Send token request to ADFS token endpoint
response = requests.post(token_endpoint, data=token_request_data)
 
# Check if the token request was successful
if response.status_code == 200:
    # Print the access token
    access_token = response.json()['access_token']
    print("Access token:", access_token)
else:
    print("Failed to acquire token:", response.text)
 
url = "https://xxx.yyy.zzz.vvv/v2/data.xml"
 
payload = "Change to your request"
headers = {
  'Content-Type': 'application/xml',
  'Authorization': 'Bearer '+access_token
}
 
response = requests.request("POST", url, headers=headers, data=payload)
 
print(response.text)

Dadde

@ChrisW67 My hope was that the QT framework has the tools I need to accomplish oauth2 communication(with certification) and it seems that it does, at least for this step with creating the pkcs12 file? Will I still need OpenSsl?

Dadde

@Dadde I did some reading and I think I already have openssl configured since I previously included QtNetwork which should contain these tools: https://doc.qt.io/qt-5/ssl.html

JonB

@Dadde
I do not use SSL nor build Qt from source, so I could easily be incorrect here. But I think you have to do something/check that you do have OpenSSL installed and found from Qt app.

I think they come with OS or Qt binary installer or you download or build them yourself. @ChrisW67 asked you above

Have you installed the relevant OpenSSL libraries into the runtime path of your executable?

What OpenSSL libraries do you have where on what platform, and how is your program run such that it will locate and load them?

Dadde

@JonB @ChrisW67 I haven't "explicitly" installed openssl, so I'm not 100% sure myself, but there is a QSslSocket::sllLibraryBuildVersionString() function that tells the openssl version found and used. I think it is fairly safe to say it is what is used for the QSslCertificate() function as well since it is part of the QTNetwork module which I have installed. I think it is the closest I can get to know if openssl is used?

Here's what the function says when I run it in my program: "OpenSSL 1.1.1g 21 Apr 2020".

I will update the code in the main post.

Dadde

@Dadde Update: I added "Q_ASSERT(QSslSocket::supportsSsl());" and it returns false, so I guess I haven't actually properly implemented openssl then, also previous function "QSslSocket::sllLibraryBuildVersionString()" only checks what version it finds during compile time, "QSslSocket::sslLibraryVersionNumber();" is for runtime and it returns "0". I will look into implementing openssl properly and update if it solved my issue.

ChrisW67

QSslSocket::sllLibraryBuildVersionString() "Returns the version string of the SSL library in use at compile time. " That is, the version of the OpenSSL libraries that the Qt binaries you are using were built to match. This does not mean those libraries are present in your runtime environment: they are detected and used if present.

So, your runtime environment needs to have OpenSSL 1.1.1 libraries. You may be able to access a compatible version through the Qt Online Installer. Ensuring it is in the run time environment (application binary directory or PATH on Windows, LD_LIBRARY_PATH on Linux etc.) is largely up to you.