Qt Cryptographic Architecture
Typedefs | |
typedef QMultiMap< CertificateInfoType, QString > | CertificateInfo |
typedef QList< ConstraintType > | Constraints |
typedef QList< Provider * > | ProviderList |
typedef QList< SecureMessageKey > | SecureMessageKeyList |
typedef QList< SecureMessageSignature > | SecureMessageSignatureList |
Functions | |
QCA_EXPORT void | appendPluginDiagnosticText (const QString &text) |
QCA_EXPORT QString | appName () |
QCA_EXPORT QString | arrayToBase64 (const QByteArray &array) |
QCA_EXPORT QString | arrayToHex (const QByteArray &array) |
QCA_EXPORT QByteArray | base64ToArray (const QString &base64String) |
QCA_EXPORT void | clearPluginDiagnosticText () |
QCA_EXPORT QStringList | defaultFeatures () |
QCA_EXPORT Provider * | defaultProvider () |
QCA_EXPORT void | deinit () |
QCA_EXPORT QByteArray | emsa3Encode (const QString &hashName, const QByteArray &digest, int size=-1) |
QCA_EXPORT Provider * | findProvider (const QString &name) |
QCA_EXPORT QVariant | getProperty (const QString &name) |
QCA_EXPORT QVariantMap | getProviderConfig (const QString &name) |
QCA_EXPORT QString | globalRandomProvider () |
QCA_EXPORT bool | haveSecureMemory () |
QCA_EXPORT bool | haveSecureRandom () |
QCA_EXPORT bool | haveSystemStore () |
QCA_EXPORT QByteArray | hexToArray (const QString &hexString) |
QCA_EXPORT void | init () |
QCA_EXPORT void | init (MemoryMode m, int prealloc) |
QCA_EXPORT bool | insertProvider (Provider *p, int priority=0) |
QCA_EXPORT bool | isSupported (const char *features, const QString &provider=QString()) |
QCA_EXPORT bool | isSupported (const QStringList &features, const QString &provider=QString()) |
QCA_EXPORT Logger * | logger () |
QCA_EXPORT QStringList | makeFriendlyNames (const QList< Certificate > &list) |
QCA_EXPORT const SecureArray | operator+ (const SecureArray &a, const SecureArray &b) |
QCA_EXPORT CertificateInfoOrdered | orderedDNOnly (const CertificateInfoOrdered &in) |
QCA_EXPORT QString | orderedToDNString (const CertificateInfoOrdered &in) |
QCA_EXPORT QString | pluginDiagnosticText () |
QCA_EXPORT QStringList | pluginPaths () |
QCA_EXPORT int | providerPriority (const QString &name) |
QCA_EXPORT ProviderList | providers () |
QCA_EXPORT void | saveProviderConfig (const QString &name) |
QCA_EXPORT void | scanForPlugins () |
QCA_EXPORT void | setAppName (const QString &name) |
QCA_EXPORT void | setGlobalRandomProvider (const QString &provider) |
QCA_EXPORT void | setProperty (const QString &name, const QVariant &value) |
QCA_EXPORT void | setProviderConfig (const QString &name, const QVariantMap &config) |
QCA_EXPORT void | setProviderPriority (const QString &name, int priority) |
QCA_EXPORT QStringList | supportedFeatures () |
QCA_EXPORT CertificateCollection | systemStore () |
QCA_EXPORT void | unloadAllPlugins () |
QCA_EXPORT bool | unloadProvider (const QString &name) |
QCA - the Qt Cryptographic Architecture.
typedef QMultiMap<CertificateInfoType, QString> QCA::CertificateInfo |
Certificate properties type.
With this container, the information is not necessarily stored in the same sequence as in the certificate format itself. Use this container if the order in which the information is stored does not matter to you (this is the case for most applications).
Additionally, the EmailLegacy type should not be used with this container. Use Email instead.
typedef QList<ConstraintType> QCA::Constraints |
Certificate constraints type.
typedef QList<Provider *> QCA::ProviderList |
Convenience representation for the plugin providers.
You can get a list of providers using the providers() function.
A list of message keys.
A list of signatures.
Certificate Request Format.
Enumerator | |
---|---|
PKCS10 | standard PKCS#10 format |
SPKAC | Signed Public Key and Challenge (Netscape) format. |
Known types of information stored in certificates.
This enumerator offers a convenient way to work with common types.
Enumerator | |
---|---|
CommonName | The common name (eg person), id = "2.5.4.3". |
Email | Email address, id = "GeneralName.rfc822Name". |
EmailLegacy | PKCS#9 Email field, id = "1.2.840.113549.1.9.1". |
Organization | An organisation (eg company), id = "2.5.4.10". |
OrganizationalUnit | A part of an organisation (eg a division or branch), id = "2.5.4.11". |
Locality | The locality (eg city, a shire, or part of a state), id = "2.5.4.7". |
IncorporationLocality | The locality of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.1". |
State | The state within the country, id = "2.5.4.8". |
IncorporationState | The state of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.2". |
Country | The country, id = "2.5.4.6". |
IncorporationCountry | The country of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.3". |
URI | Uniform Resource Identifier, id = "GeneralName.uniformResourceIdentifier". |
DNS | DNS name, id = "GeneralName.dNSName". |
IPAddress | IP address, id = "GeneralName.iPAddress". |
XMPP | XMPP address (see http://www.ietf.org/rfc/rfc3920.txt), id = "1.3.6.1.5.5.7.8.5". |
Known types of certificate constraints.
This enumerator offers a convenient way to work with common types.
enum QCA::UsageMode |
Specify the intended usage of a certificate.
Enumerator | |
---|---|
UsageAny | Any application, or unspecified. |
UsageTLSServer | server side of a TLS or SSL connection |
UsageTLSClient | client side of a TLS or SSL connection |
UsageCodeSigning | code signing certificate |
UsageEmailProtection | email (S/MIME) certificate |
UsageTimeStamping | time stamping certificate |
UsageCRLSigning | certificate revocation list signing certificate |
enum QCA::Validity |
The validity (or otherwise) of a certificate.
Enumerator | |
---|---|
ValidityGood | The certificate is valid. |
ErrorRejected | The root CA rejected the certificate purpose. |
ErrorUntrusted | The certificate is not trusted. |
ErrorSignatureFailed | The signature does not match. |
ErrorInvalidCA | The Certificate Authority is invalid. |
ErrorInvalidPurpose | The purpose does not match the intended usage. |
ErrorSelfSigned | The certificate is self-signed, and is not found in the list of trusted certificates. |
ErrorRevoked | The certificate has been revoked. |
ErrorPathLengthExceeded | The path length from the root CA to this certificate is too long. |
ErrorExpired | The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore time) |
ErrorExpiredCA | The Certificate Authority has expired. |
ErrorValidityUnknown | Validity is unknown. |
enum QCA::ValidateFlags |
The conditions to validate for a certificate.
enum QCA::MemoryMode |
Mode settings for memory allocation.
QCA can use secure memory; however, most operating systems restrict the amount of memory that can be pinned by user applications, to prevent a denial-of-service attack.
QCA supports two approaches to getting memory - the mlock method, which generally requires root (administrator) level privileges, and the mmap method which is not as secure, but which should be able to be used by any process.
Enumerator | |
---|---|
Practical | mlock and drop root if available, else mmap |
Locking | mlock and drop root |
LockingKeepPrivileges | mlock, retaining root privileges |
enum QCA::Direction |
Direction settings for symmetric algorithms.
For some algorithms, it makes sense to have a "direction", such as Cipher algorithms which can be used to encrypt or decrypt.
Enumerator | |
---|---|
Encode | Operate in the "forward" direction; for example, encrypting. |
Decode | Operate in the "reverse" direction; for example, decrypting. |
Signature algorithm variants.
Note that most signature algorithms follow a process of first hashing the plaintext data to be signed, creating a payload format that wraps the hash value (among other things), and then signing the payload with the private key. So, for example, an EMSA3(SHA1) signature outputted by QCA cannot be verified by merely performing RSA and SHA1 operations (e.g. "openssl rsautl -verify" and comparing with sha1sum), because that would not take the EMSA3 payload format into consideration.
enum QCA::SignatureFormat |
enum QCA::PBEAlgorithm |
Password-based encryption.
enum QCA::ConvertResult |
Return value from a format conversion.
Note that if you are checking for any result other than ConvertGood, then you may be introducing a provider specific dependency.
enum QCA::DLGroupSet |
Well known discrete logarithm group sets.
These sets are derived from three main sources: Java Cryptographic Extensions, RFC2412 and RFC3526.
enum QCA::SecurityLevel |
Specify the lower-bound for acceptable TLS/SASL security layers.
For TLS, the interpretation of these levels is:
QCA_EXPORT QString QCA::orderedToDNString | ( | const CertificateInfoOrdered & | in | ) |
Convert to RFC 1779 string format.
in | the certificate info to convert |
Referenced by QCA::CertificateInfoOrdered::toString().
QCA_EXPORT CertificateInfoOrdered QCA::orderedDNOnly | ( | const CertificateInfoOrdered & | in | ) |
Return a new CertificateInfoOrdered that only contains the Distinguished Name (DN) types found in the input object.
in | the certificate info to extract from |
Referenced by QCA::CertificateInfoOrdered::dnOnly().
QCA_EXPORT QStringList QCA::makeFriendlyNames | ( | const QList< Certificate > & | list | ) |
Create a list of unique friendly names among a list of certificates.
list | the list of certificates for which a friendly name is required. |
QCA_EXPORT void QCA::init | ( | ) |
Initialise QCA.
This call is not normally required, because it is cleaner to use an Initializer.
QCA_EXPORT void QCA::init | ( | MemoryMode | m, | int | prealloc | ) |
This is an overloaded member function, provided for convenience. It differs from the above function only in what argument(s) it accepts.
m | the MemoryMode to use |
prealloc | the amount of memory in kilobytes to allocate for secure storage |
QCA_EXPORT void QCA::deinit | ( | ) |
Clean up routine.
This routine cleans up QCA, including memory allocations. This call is not normally required, because it is cleaner to use an Initializer.
QCA_EXPORT bool QCA::haveSecureMemory | ( | ) |
Test if secure storage memory is available.
QCA_EXPORT bool QCA::haveSecureRandom | ( | ) |
Test if secure random is available.
Secure random is considered available if the global random provider is not the default provider.
QCA_EXPORT bool QCA::isSupported | ( | const char * | features, | const QString & | provider = QString() | ) |
Test if a capability (algorithm) is available.
Since capabilities are made available at runtime, you should always check before using a capability the first time, as shown below.
features | the name of the capability to test for |
provider | if specified, only check for the capability in that specific provider. If not provided, or provided as an empty string, then check for capabilities in all available providers |
Note that you can test for a combination of capabilities, using a comma delimited list:
which will return true if all of the capabilities listed are present.
QCA_EXPORT bool QCA::isSupported | ( | const QStringList & | features, | const QString & | provider = QString() | ) |
This is an overloaded member function, provided for convenience. It differs from the above function only in what argument(s) it accepts.
features | a list of features to test for |
provider | if specified, only check for the capability in that specific provider. If not provided, or provided as an empty string, then check for capabilities in all available providers |
QCA_EXPORT QStringList QCA::supportedFeatures | ( | ) |
Generate a list of all the supported features in plugins, and in built in capabilities.
The following code writes a list of features to standard out
QCA_EXPORT QStringList QCA::defaultFeatures | ( | ) |
Generate a list of the built in features.
This differs from supportedFeatures() in that it does not include features provided by plugins.
The following code writes a list of features to standard out
QCA_EXPORT bool QCA::insertProvider | ( | Provider * | p, | int | priority = 0 | ) |
Add a provider to the current list of providers.
This function allows you to add a provider to the current plugin providers at a specified priority. If a provider with the name already exists, this call fails.
QCA takes ownership of the provider.
p | a pointer to a Provider object, which must be set up. |
priority | the priority level to set the provider to |
QCA_EXPORT bool QCA::unloadProvider | ( | const QString & | name | ) |
Unload specified provider.
The specified provider is removed from the list of providers and deleted. If no provider with the name is found, this call fails.
name | the name of the provider |
QCA_EXPORT void QCA::setProviderPriority | ( | const QString & | name, | int | priority | ) |
Change the priority of a specified provider.
QCA supports a number of providers, and if a number of providers support the same algorithm, it needs to choose between them. You can do this at object instantiation time (by specifying the name of the provider that should be used). Alternatively, you can provide a relative priority level at an application level, using this call.
Priority is used at object instantiation time. The provider is selected according to the following logic:
name | the name of the provider |
priority | the new priority of the provider. As a special case, if you pass in -1, then this provider gets the same priority as the last provider that was added or had its priority set using this call. |
QCA_EXPORT int QCA::providerPriority | ( | const QString & | name | ) |
Return the priority of a specified provider.
The name of the provider (eg "qca-ossl") is used to look up the current priority associated with that provider. If the provider is not found (or something else went wrong), -1 is returned.
name | the name of the provider |
QCA_EXPORT ProviderList QCA::providers | ( | ) |
Return a list of the current providers.
The current plugin providers are provided as a list, which you can iterate over using ProviderListIterator.
QCA_EXPORT Provider* QCA::findProvider | ( | const QString & | name | ) |
Return the named provider, or 0 if not found.
name | the name of the provider to search for. |
QCA_EXPORT Provider* QCA::defaultProvider | ( | ) |
Return the default provider.
QCA_EXPORT QStringList QCA::pluginPaths | ( | ) |
Retrieve plugin paths.
It consists of:
QCoreApplication::libraryPaths().
QCA_PLUGIN_PATH is a list of paths, like PATH or QT_PLUGIN_PATH. It uses the system path separator: ";" on Windows and ":" on Unix.
This function was introduced in QCA 2.1.
QCA_EXPORT void QCA::scanForPlugins | ( | ) |
Scan for new plugins.
QCA_EXPORT void QCA::unloadAllPlugins | ( | ) |
Unload the current plugins.
QCA_EXPORT QString QCA::pluginDiagnosticText | ( | ) |
Retrieve plugin diagnostic text.
QCA_EXPORT void QCA::clearPluginDiagnosticText | ( | ) |
Clear plugin diagnostic text.
QCA_EXPORT void QCA::appendPluginDiagnosticText | ( | const QString & | text | ) |
Add plugin diagnostic text.
This function should only be called by providers.
text | the diagnostic message to append |
QCA_EXPORT void QCA::setProperty | ( | const QString & | name, | const QVariant & | value | ) |
Set a global property.
name | the name of the property |
value | the value to set the property to |
QCA_EXPORT QVariant QCA::getProperty | ( | const QString & | name | ) |
QCA_EXPORT void QCA::setProviderConfig | ( | const QString & | name, | const QVariantMap & | config | ) |
Set provider configuration.
Allowed value types: QString, int, bool
name | the name of the provider to set the configuration to |
config | the configuration |
QCA_EXPORT QVariantMap QCA::getProviderConfig | ( | const QString & | name | ) |
Retrieve provider configuration.
name | the name of the provider to retrieve the configuration of |
QCA_EXPORT void QCA::saveProviderConfig | ( | const QString & | name | ) |
Save provider configuration to persistent storage.
name | the name of the provider to have its configuration saved |
QCA_EXPORT QString QCA::globalRandomProvider | ( | ) |
Return the name of the global random number provider.
QCA_EXPORT void QCA::setGlobalRandomProvider | ( | const QString & | provider | ) |
Change the global random number provider.
The Random capabilities of QCA are provided as part of the built in capabilities, however the generator can be changed if required.
provider | the name of the provider to use as the global random provider. |
QCA_EXPORT Logger* QCA::logger | ( | ) |
QCA_EXPORT bool QCA::haveSystemStore | ( | ) |
Test if QCA can access the root CA certificates.
If root certificates are available, this function returns true, otherwise it returns false.
QCA_EXPORT CertificateCollection QCA::systemStore | ( | ) |
Get system-wide root Certificate Authority (CA) certificates.
Many operating systems (or distributions, on Linux-type systems) come with some trusted certificates. Typically, these include the root certificates for major Certificate Authorities (for example, Verisign, Comodo) and some additional certificates that are used for system updates. They are provided in different ways for different systems.
This function provides a common way to access the system certificates. There are other ways to access certificates - see the various I/O methods (such as fromDER() and fromPEM()) in the Certificate and CertificateCollection classes.
QCA_EXPORT QString QCA::appName | ( | ) |
QCA_EXPORT void QCA::setAppName | ( | const QString & | name | ) |
Set the application name that will be used by SASL server mode.
The application name is used by SASL in server mode, as some systems might have different security policies depending on the app. This should be set before using SASL objects, and it cannot be changed later.
name | the name string to use for SASL server mode |
QCA_EXPORT QString QCA::arrayToHex | ( | const QByteArray & | array | ) |
Convert a byte array to printable hexadecimal representation.
This is a convenience function to convert an arbitrary QByteArray to a printable representation.
array | the array to be converted |
QCA_EXPORT QByteArray QCA::hexToArray | ( | const QString & | hexString | ) |
Convert a QString containing a hexadecimal representation of a byte array into a QByteArray.
This is a convenience function to convert a printable representation into a QByteArray - effectively the inverse of QCA::arrayToHex.
hexString | the string containing a printable representation to be converted |
QCA_EXPORT QString QCA::arrayToBase64 | ( | const QByteArray & | array | ) |
Convert a byte array to printable base64 representation.
This is a convenience function to convert an arbitrary QByteArray to a printable representation.
array | the array to be converted |
QCA_EXPORT QByteArray QCA::base64ToArray | ( | const QString & | base64String | ) |
Convert a QString containing a base64 representation of a byte array into a QByteArray.
This is a convenience function to convert a printable representation into a QByteArray - effectively the inverse of QCA::arrayToBase64.
base64String | the string containing a printable representation to be converted |
QCA_EXPORT QByteArray QCA::emsa3Encode | ( | const QString & | hashName, | const QByteArray & | digest, | int | size = -1 | ) |
Encode a hash result in EMSA3 (PKCS#1) format.
This is a convenience function for providers that only have access to raw RSA signing (mainly smartcard providers). This is a built-in function of QCA and does not utilize a provider. SHA1, MD5, MD2, and RIPEMD160 are supported.
hashName | the hash type used to create the digest |
digest | the digest to encode in EMSA3 format |
size | the desired size of the encoding output (-1 for automatic size) |
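The EMSA3 payload format mentioned under the signature algorithm variants, and produced by emsa3Encode(), corresponds to the EMSA-PKCS1-v1_5 encoding of RFC 8017, section 9.2. The following added example (standard C++ written for this page, not QCA source code; the function names and the sample digest are assumptions, and QCA's own helper may frame or size its output differently) builds that block for SHA-1 and shows why a verifier has to compare against the encoded block rather than the bare digest.

```cpp
// Added example: EMSA-PKCS1-v1_5 ("EMSA3") encoding per RFC 8017, section 9.2.
// Standard C++ only; this is not QCA source code.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// DER prefix of the DigestInfo structure for SHA-1 (RFC 8017, section 9.2).
static const Bytes kSha1Prefix = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
                                  0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};

// Constructed sample input: SHA-1("abc").
static const Bytes kSampleDigest = {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81,
                                    0x6a, 0xba, 0x3e, 0x25, 0x71, 0x78, 0x50,
                                    0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d};

// Build EM = 00 01 FF..FF 00 || DigestInfo prefix || digest.
// emLen is the RSA modulus length in bytes. Returns an empty vector when the
// digest is not 20 bytes or emLen cannot hold at least 8 bytes of FF padding.
Bytes emsa3EncodeSha1(const Bytes &digest, std::size_t emLen) {
    if (digest.size() != 20) return {};
    const std::size_t tLen = kSha1Prefix.size() + digest.size();
    if (emLen < tLen + 11) return {};          // 00 01, at least 8 x FF, 00
    Bytes em(emLen, 0xff);
    em[0] = 0x00;
    em[1] = 0x01;
    const std::size_t sep = emLen - tLen - 1;  // 00 separator after the padding
    em[sep] = 0x00;
    auto out = std::copy(kSha1Prefix.begin(), kSha1Prefix.end(), em.begin() + sep + 1);
    std::copy(digest.begin(), digest.end(), out);
    return em;
}

// Verifier side: `recovered` is the block obtained from the raw RSA public-key
// operation, left-padded to the modulus length. Re-encode the locally computed
// digest and compare whole blocks; this rejects malformed padding instead of
// parsing it leniently.
bool emsa3Matches(const Bytes &recovered, const Bytes &digest) {
    const Bytes expected = emsa3EncodeSha1(digest, recovered.size());
    return !expected.empty() && expected == recovered;
}

int main() {
    const Bytes em = emsa3EncodeSha1(kSampleDigest, 128);  // 1024-bit modulus
    for (std::uint8_t b : em) std::printf("%02x", b);
    std::printf("\nencoded block matches: %d\n", emsa3Matches(em, kSampleDigest));
    // The bare digest on its own is not a valid signature payload.
    std::printf("bare digest matches:   %d\n", emsa3Matches(kSampleDigest, kSampleDigest));
    return 0;
}
```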
QCA_EXPORT const SecureArray QCA::operator+ | ( | const SecureArray & | a, | const SecureArray & | b | ) |
Returns an array that is the result of concatenating a and b.
a | the string to put at the start of the result |
b | the string to put at the end of the result |