authorFelix (xq) Queißner <git@mq32.de>2020-06-20 00:42:46 +0200
committerFelix (xq) Queißner <git@mq32.de>2020-06-20 00:42:46 +0200
commitcf3b60ea29526417a35734a4ae4f5a7b0d5560d5 (patch)
tree1ff3846f2b10ddce0e883adf41ba35f7139945af /src/browsertab.cpp
parentbdfd6ba6874ca1a7bcfa4ed075e686bfd119dc7e (diff)
downloadkristall-cf3b60ea29526417a35734a4ae4f5a7b0d5560d5.tar.gz
Adds new feature: Auto-enable and host matching for client certificates
Diffstat (limited to 'src/browsertab.cpp')
-rw-r--r--src/browsertab.cpp83
1 files changed, 69 insertions, 14 deletions
diff --git a/src/browsertab.cpp b/src/browsertab.cpp
index 3d16e08..0fe0af6 100644
--- a/src/browsertab.cpp
+++ b/src/browsertab.cpp
@@ -767,18 +767,7 @@ bool BrowserTab::trySetClientCertificate(const QString &query)
return false;
}
- this->current_identity = dialog.identity();
-
- if (not current_identity.isValid())
- {
- QMessageBox::warning(this, "Kristall", "Failed to generate temporary crypto-identitiy");
- this->disableClientCertificate();
- return false;
- }
-
- this->ui->enable_client_cert_button->setChecked(true);
-
- return true;
+ return this->enableClientCertificate(dialog.identity());
}
void BrowserTab::resetClientCertificate()
@@ -826,7 +815,7 @@ bool BrowserTab::startRequest(const QUrl &url, ProtocolHandler::RequestOptions o
auto answer = QMessageBox::question(
this,
"Kristall",
- QString("You requested a %1-URL with a client certificate, but these are not supported for this scheme. Continue?").arg(url.scheme())
+ tr("You requested a %1-URL with a client certificate, but these are not supported for this scheme. Continue?").arg(url.scheme())
);
if(answer != QMessageBox::Yes)
return false;
@@ -840,7 +829,22 @@ bool BrowserTab::startRequest(const QUrl &url, ProtocolHandler::RequestOptions o
auto answer = QMessageBox::question(
this,
"Kristall",
- "You want to visit a new host, but have a client certificate enabled. This may be a risk to expose your identity to another host.\r\nDo you want to keep the certificate enabled?",
+ tr("You want to visit a new host, but have a client certificate enabled. This may be a risk to expose your identity to another host.\r\nDo you want to keep the certificate enabled?"),
+ QMessageBox::Yes | QMessageBox::No,
+ QMessageBox::No
+ );
+ if(answer != QMessageBox::Yes) {
+ this->disableClientCertificate();
+ }
+ }
+
+ if(this->current_identity.isValid() and this->current_identity.isHostFiltered(url)) {
+ auto answer = QMessageBox::question(
+ this,
+ "Kristall",
+ tr("Your client certificate has a host filter enabled and this site does not match the host filter.\r\nNew URL: %1\r\nHost Filter: %2\r\nDo you want to keep the certificate enabled?")
+ .arg(url.toString(QUrl::FullyEncoded))
+ .arg(this->current_identity.host_filter),
QMessageBox::Yes | QMessageBox::No,
QMessageBox::No
);
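Review bot: A navigation to a new host that also fails the host filter can raise two consecutive Yes/No prompts about the same certificate: the existing "new host" question and the added `isHostFiltered(url)` question directly after it. A user who answers Yes to the first is asked again immediately, and stacked consent dialogs tend to get clicked through. Consider checking the host filter first and showing a single prompt, or at least documenting the order with a comment such as `// host filter is checked independently of the new-host prompt above; both may fire for one navigation`. The condition guarding the first prompt lies outside this hunk, so whether it already takes the filter into account cannot be confirmed from here.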
@@ -848,6 +852,44 @@ bool BrowserTab::startRequest(const QUrl &url, ProtocolHandler::RequestOptions o
this->disableClientCertificate();
}
}
+ else if(not this->current_identity.isValid()) {
+ for(auto ident_ptr : global_identities.allIdentities())
+ {
+ if(ident_ptr->isAutomaticallyEnabledOn(url)) {
+
+ auto answer = QMessageBox::question(
+ this,
+ "Kristall",
+ tr("An automatic client certificate was detected for this site:\r\n%1\r\nDo you want to enable that certificate?")
+ .arg(ident_ptr->display_name),
+ QMessageBox::Yes | QMessageBox::No,
+ QMessageBox::No
+ );
+ if(answer != QMessageBox::Yes) {
+ break;
+ }
+
+ enableClientCertificate(*ident_ptr);
+
+ break;
+ }
+ }
+ }
+
+ if(this->current_identity.isValid()) {
+ if(not this->current_handler->enableClientCertificate(this->current_identity)) {
+ auto answer = QMessageBox::question(
+ this,
+ "Kristall",
+ tr("You requested a %1-URL with a client certificate, but these are not supported for this scheme. Continue?").arg(url.scheme())
+ );
+ if(answer != QMessageBox::Yes)
+ return false;
+ this->disableClientCertificate();
+ }
+ } else {
+ this->disableClientCertificate();
+ }
this->is_internal_location = (url.scheme() == "about");
this->current_location = url;
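Review bot: The auto-enable prompt in the `else if(not this->current_identity.isValid())` branch shows only `ident_ptr->display_name`, so the user approves presenting an identity without seeing which host will receive it. Adding a `Host: %2` line to the translated text, filled with `.arg(url.host())`, would make the consent specific to the destination. The scheme-unsupported question further down is called without `QMessageBox::Yes | QMessageBox::No, QMessageBox::No`, unlike the other prompts this commit touches, so its default button is left to Qt. The result of `enableClientCertificate(*ident_ptr)` is also discarded, which leaves a failed activation to the later `isValid()` check alone. `startRequest` begins and ends outside this hunk.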
@@ -858,6 +900,19 @@ bool BrowserTab::startRequest(const QUrl &url, ProtocolHandler::RequestOptions o
return this->current_handler->startRequest(url, options);
}
+bool BrowserTab::enableClientCertificate(const CryptoIdentity &ident)
+{
+ if (not ident.isValid())
+ {
+ QMessageBox::warning(this, "Kristall", "Failed to generate temporary crypto-identitiy");
+ this->disableClientCertificate();
+ return false;
+ }
+ this->current_identity = ident;
+ this->ui->enable_client_cert_button->setChecked(true);
+ return true;
+}
+
void BrowserTab::disableClientCertificate()
{
for(auto & handler : this->protocol_handlers) {
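Review bot: The warning in the new `enableClientCertificate` still reads "Failed to generate temporary crypto-identitiy", but the function is now also reached from the auto-enable path in `startRequest` with a stored identity, where that text is misleading. A neutral, translatable message fits both callers, for example `QMessageBox::warning(this, "Kristall", tr("The selected client certificate is not valid."));`, which also drops the "identitiy" typo and matches the `tr()` wrapping applied elsewhere in this commit. A short comment above the function would help too, e.g. `// Activates ident for this tab; on an invalid identity shows a warning, disables the certificate and returns false.`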