How can I verify an SSL Certificate given a local path in a GUI app



  • How can I verify an SSL Certificate given a local path in a C++ GUI app, without using local host, or any installed web server on the local machine?

    I want to be able to store an SSL Certificate information in a file, so I can verify it with an online SSL Certificate, but also want to be able to work off-line, without having to verify the online Certificate unless I need to go online in the app, I can not find any information for verifying a local file, only request through an https network call.

    Example: I give a user my program and a Public Certificate, and a Key, so I can verify it at start up, to give access to the app, so the app most already have information on the Certificate, so I plan to encrypt that info, then decrypt it to verify the two Certificates are the same, so the Certificate is used in two ways.

    The idea is so I can put the app on a laptop, and the certificate on a flash stick, so if I lose the laptop, no one can access the data in the app, so it uses the Certificate info to encrypt the files, so a wrong Certificate will not work, easy enough, but I can not figure out how to read the Certificate from my C++ GUI app running from my desktop.


  • Lifetime Qt Champion

    Hi,

    Are you looking for something like the "QSslCertificate":http://doc.qt.io/qt-5/qsslcertificate.html class ?



  • I could not find any examples of QSslCertificate verifying a local Certificate, I did see a fromPath, which looks promising, so its still the how part I am stuck on, all the examples I have seen connect to a remote server, and require an https connection, which I already know how to do, its just the local Certificate that is my issue, how do I do this on a machine with no server setup.


  • Lifetime Qt Champion

    Maybe with the help of a self constructed QSslConfiguration ?



  • Maybe you do not understand my Question: so just to Clarify, I know how to verify the Certificate for the Server / Client Connection, and as you have pointed out, it could use QSslCertificate, in which case it would have to use a Constructor of some sort, not sure why you mentioned that like it was an Example, because like I said, I already have the code examples I need to figure out that much, my question is can I read a Certificate from disk and stored its Credentials in a File, so that I can verify the Certificate off line, without having SSL or Webserver installed, my guess is that OpenSSL is going to have to be required, not sure, because I can not figure out how to do that with QSslCertificate, nor do I know if its even possible at this point, but I do know how to program, been doing it since 1979, so I think I could use a little help figuring out how to do a task that seems simple, but the way to do it eludes me, I have been researching all the classes, what is confusing me is that I am not using this information to setup an SSL Connection, I only want to verify that the Certificate on Disk, is the same as the one I have on file, I am not connecting to it or using it as an SSL connection, I simple want to open the file, and get some value from it that is secure to use as an Encryption key to decrypt data stored in an XML file, I hope I am clear about the question, I have a hard time explaining things at times.

    One of my thoughts is to use one of the Subject fields, then try to decrypt a known value using that key, if it passes I know the Certificate at least has the correct Subject, so I got to thinking maybe there is a field that you can only access if you have a key, but I can not find any feature like that, but it would be nice, so it seems it must exist, but for now I think this level of security might be good enough, because I am sure the certificates must match when I create the connection, which gives me access to an online website. It seems this form of security is about the equivalent to writing the password in an unprotected file, but lets face it, if you have the file, you have the key anyway, so if its on a flash stick, this security might be as good as it gets, I could have the program require online authentication once before it can use the offline mode, then save that verification along with the public access IP address, then only require online validation if the address changes outside a normal Dynamic IP range.

    Thanks for the Help.


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.