SSL Certificate and Public Key Pinning



  • Does Qt support certificate pinning? I am not finding much when searching the documentation and Google.

    To give more clarification: we are looking to do more to stop MITM attacks. One way is to store a hash of the server's public key in the client when the client is built, so that when the client reaches out to the server for the first time for the server's public key, it can hash that key and compare it to its stored hash to ensure it's legitimate. And then do the compare for each request.

    Thoughts? Is there a better way to achieve this result?



  • Will I have to manually do the public key comparison myself, or does Qt have this built in?



  • Here is how I solved it:

    Connected to the encrypted signal:

    // encrypted(QNetworkReply*) is emitted once the TLS handshake has completed,
    // before any of the response body has been read, so aborting here is safe.
    QObject::connect(&mgr, SIGNAL(encrypted(QNetworkReply*)), this, SLOT(on_Encrypted(QNetworkReply*)));
    

    Then in the slot, check whether pinning is in use and compare the hash:

    #include <QCryptographicHash>
    #include <QDebug>
    #include <QNetworkReply>
    #include <QSslCertificate>
    #include <QSslConfiguration>
    #include <QSslKey>

    // Slot on the QObject subclass that owns the QNetworkAccessManager `mgr`;
    // `useCertPinning` and `pinningHash` (QString, set at build time) are its members.
    void on_Encrypted(QNetworkReply *reply)
    {
        if (useCertPinning) {
            // Leaf certificate the server presented in this handshake.
            QSslCertificate cert = reply->sslConfiguration().peerCertificate();

            // SHA-256 over the DER-encoded public key, base64 encoded, in the same
            // form as the hash stored in the client.
            QString serverHash = QString::fromLatin1(
                QCryptographicHash::hash(cert.publicKey().toDer(), QCryptographicHash::Sha256).toBase64());

            if (pinningHash.compare(serverHash) != 0) {
                qDebug() << "Public Key Hashes don't match, abort";
                reply->abort();
            }
        }
    }
    

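The check described in the question and implemented by the slot above, as an added example that is not part of the original thread and not Qt code: it is written in Python with only the standard library so it runs offline, and it goes a little beyond the thread by (a) pulling the SubjectPublicKeyInfo straight out of a DER certificate, so the pin is over the key regardless of which CA re-issues the certificate, and (b) checking against a pin set with a pre-generated backup key, so the server's key can be rotated without bricking already-shipped clients. Assumptions: the pin format is base64 of SHA-256 over the DER SubjectPublicKeyInfo (the same value the slot above computes if QSslKey::toDer() exports SPKI for the public key, which is assumed, not verified here); all certificate and key bytes are constructed, structurally valid placeholders rather than real or signed material; function names are illustrative.

```python
import base64
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTC_TIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short- or long-form definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) of the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, pos + hdr, pos + hdr + n


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, whole_element_bytes) for each element directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, e = der_read_tlv(buf, pos)
        yield tag, buf[pos:e]
        pos = e


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, s, _ = der_read_tlv(cert_der, 0)
    tbs_tag, tbs_s, tbs_e = der_read_tlv(cert_der, s)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    fields = list(der_children(cert_der, tbs_s, tbs_e))
    if fields and fields[0][0] == CTX0:          # version is optional; skip it if present
        fields = fields[1:]
    spki_tag, spki = fields[5]                    # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != SEQUENCE:
        raise ValueError("malformed TBSCertificate")
    return spki


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format used by HPKP, OkHttp, etc."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, pins) -> bool:
    """True if the presented certificate's key matches any pin in the build-time pin set."""
    presented = spki_pin(extract_spki(cert_der))
    # Pins are not secret, so constant-time comparison is not strictly needed; it costs nothing.
    return any(hmac.compare_digest(presented, p) for p in pins)


# --- constructed sample data: structurally valid DER, not a real or signed certificate ---
RSA_ENCRYPTION = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
SHA256_WITH_RSA = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))


def sample_spki(modulus: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping an RSAPublicKey with a toy (constructed) modulus."""
    rsa_pub = der_tlv(SEQUENCE, der_tlv(INTEGER, modulus) + der_tlv(INTEGER, b"\x01\x00\x01"))
    return der_tlv(SEQUENCE, RSA_ENCRYPTION + der_tlv(BIT_STRING, b"\x00" + rsa_pub))


def sample_cert(spki: bytes) -> bytes:
    """Certificate skeleton around the given SPKI; empty issuer/subject Names, dummy signature."""
    version = der_tlv(CTX0, der_tlv(INTEGER, b"\x02"))
    serial = der_tlv(INTEGER, b"\x01")
    name = der_tlv(SEQUENCE, b"")
    validity = der_tlv(SEQUENCE, der_tlv(UTC_TIME, b"240101000000Z") + der_tlv(UTC_TIME, b"250101000000Z"))
    tbs = der_tlv(SEQUENCE, version + serial + SHA256_WITH_RSA + name + validity + name + spki)
    return der_tlv(SEQUENCE, tbs + SHA256_WITH_RSA + der_tlv(BIT_STRING, b"\x00" + b"\x00" * 32))


SPKI_CURRENT = sample_spki(b"\x00\xc1\xd2\xe3\xf4\x05\x16\x27")   # key the client ships with
SPKI_NEXT = sample_spki(b"\x00\xa9\xb8\xc7\xd6\xe5\xf4\x03")      # pre-generated rotation key
PIN_CURRENT, PIN_NEXT = spki_pin(SPKI_CURRENT), spki_pin(SPKI_NEXT)
PIN_SET = {PIN_CURRENT, PIN_NEXT}   # primary plus backup pin, baked into the client at build time

if __name__ == "__main__":
    print("server presents current key :", pin_matches(sample_cert(SPKI_CURRENT), PIN_SET))
    print("server presents rotated key :", pin_matches(sample_cert(SPKI_NEXT), PIN_SET))
    print("server presents unknown key :", pin_matches(sample_cert(sample_spki(b"\x00\x42" * 4)), PIN_SET))
```

The pin set is the part worth carrying over to a Qt client: store two base64 hashes rather than one, and the slot's `compare` becomes a membership test. Pinning the SPKI rather than the whole certificate is what lets the server renew its certificate with the same key without a client update; pinning the leaf certificate's full DER would break on every renewal.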