From 0c0537d4623aa195169acc7b8833c4c3202ee23c Mon Sep 17 00:00:00 2001
From: Raul Metsma
Date: Mon, 26 Jun 2023 15:32:41 +0300
Subject: [PATCH] Send 32 byte nonce with TS profile (#528) IB-7668
Signed-off-by: Raul Metsma
---
 README.md | 2 +-
 RELEASE-NOTES.md | 10 ++++++++++
 src/SignatureXAdES_LT.cpp | 20 +++++++++-----------
 src/crypto/OCSP.cpp | 7 ++++---
 src/crypto/OCSP.h | 2 ++
 5 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 15ed8378e..b38b0a238 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
 # Ubuntu
 sudo apt install cmake xxd libxml-security-c-dev xsdcxx libssl-dev zlib1g-dev
 # Fedora
- sudo dnf install cmake openssl-devel xerces-c-devel xml-security-c-devel zlib-devel vim-common https://www.codesynthesis.com/download/xsd/4.0/linux-gnu/x86_64/xsd-4.0.0-1.x86_64.rpm
+ sudo dnf install cmake gcc-c++ openssl-devel xerces-c-devel xml-security-c-devel zlib-devel vim-common https://www.codesynthesis.com/download/xsd/4.0/linux-gnu/x86_64/xsd-4.0.0-1.x86_64.rpm
 * doxygen - Optional, for API documentation
 * libboost-test-dev - Optional, for unittests
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 072d767c4..7bd33711d 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,3 +1,13 @@
+Libdigidocpp library [3.15.0](https://github.com/open-eid/libdigidocpp/releases/tag/v3.15.0) release notes
+--------------------------------------
+- Update libraries and platform support (#525, #522, #515, #503, #511, #514, #516, #517, #523, #505, #530, #477)
+- Improve code quality and documentation (#526, #521, #524, #520, #501)
+- Improve signature and container compatibility (#506, #504, #502, #491, #528)
+- Other fixes and optimizations (#435, #481, #508, #433, #519, #497, #535, #533, #532)
+- Removed time-mark signature creation support (#527, #539)
+
+[Full Changelog](https://github.com/open-eid/libdigidocpp/compare/v3.14.11...v3.15.0)
+
 Libdigidocpp library [3.14.12](https://github.com/open-eid/libdigidocpp/releases/tag/v3.14.12) release notes
 --------------------------------------
 - Fix digidoc-tool file extraction
diff --git a/src/SignatureXAdES_LT.cpp b/src/SignatureXAdES_LT.cpp
index 37a30a863..491cd045c 100644
--- a/src/SignatureXAdES_LT.cpp
+++ b/src/SignatureXAdES_LT.cpp
@@ -44,15 +44,15 @@ using namespace xml_schema;
 SignatureXAdES_LT::SignatureXAdES_LT(unsigned int id, ASiContainer *bdoc, Signer *signer)
 : SignatureXAdES_T(id, bdoc, signer)
-{
-}
+{}
 SignatureXAdES_LT::SignatureXAdES_LT(istream &sigdata, ASiContainer *bdoc, bool relaxSchemaValidation)
 : SignatureXAdES_T(sigdata, bdoc, relaxSchemaValidation)
 {
 try {
 // ADOC files are default T level, take OCSP response to create temporary LT level
- if(bdoc->mediaType() == ASiContainer::MIMETYPE_ADOC && unsignedSignatureProperties().revocationValues().empty())
+ if(bdoc->mediaType() == ASiContainer::MIMETYPE_ADOC &&
+ unsignedSignatureProperties().revocationValues().empty())
 {
 X509Cert cert = signingCertificate();
 X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::OCSP);
@@ -60,8 +60,7 @@ SignatureXAdES_LT::SignatureXAdES_LT(istream &sigdata, ASiContainer *bdoc, bool
 THROW("Could not find certificate issuer '%s' in certificate store.", cert.issuerName().c_str());
- OCSP ocsp(cert, issuer);
- addOCSPValue(id().replace(0, 1, "N"), ocsp);
+ addOCSPValue(id().replace(0, 1, "N"), OCSP(cert, issuer));
 } } catch(const Exception &) { }
@@ -134,7 +133,7 @@ void SignatureXAdES_LT::validate(const string &policy) const
 vector ocspExceptions;
 for(const OCSPValuesType::EncapsulatedOCSPValueType &resp: revSeq.front().oCSPValues()->encapsulatedOCSPValue())
 {
- OCSP ocsp((const unsigned char*)resp.data(), resp.size());
+ OCSP ocsp(resp);
 try {
 ocsp.verifyResponse(signingCertificate());
 foundSignerOCSP = true;
@@ -256,7 +255,7 @@ void SignatureXAdES_LT::addCertificateValue(const string& certId, const X509Cert
 }
 vector der = x509;
- CertificateValuesType::EncapsulatedX509CertificateType certData(Base64Binary(der.data(), der.size(), der.size(), false));
+ CertificateValuesType::EncapsulatedX509CertificateType certData({der.data(), der.size(), der.size(), false});
 certData.id(certId);
 values[0].encapsulatedX509Certificate().push_back(certData);
 }
@@ -268,7 +267,7 @@ void SignatureXAdES_LT::addOCSPValue(const string &id, const OCSP &ocsp)
 createUnsignedSignatureProperties();
 vector der = ocsp;
- OCSPValuesType::EncapsulatedOCSPValueType ocspValueData(Base64Binary(der.data(), der.size(), der.size(), false));
+ OCSPValuesType::EncapsulatedOCSPValueType ocspValueData({der.data(), der.size(), der.size(), false});
 ocspValueData.id(id);
 OCSPValuesType ocspValue;
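Review bot: `certData({der.data(), der.size(), der.size(), false})` in addCertificateValue no longer names the type the four arguments construct, so the call site no longer shows that this builds the xsd `Base64Binary` buffer nor what the trailing `false` selects — if, as the xsd buffer API suggests, it is the assume-ownership flag, it is what keeps the local `der` from being adopted by a buffer that outlives it, which is worth seeing at a glance. Either keep the explicit `Base64Binary(der.data(), der.size(), der.size(), false)` spelling or annotate the argument list, e.g. `// {data, size, capacity, assume_ownership}: false, der is a local buffer`. The same applies to `ocspValueData({der.data(), der.size(), der.size(), false})` in the @@ -268 hunk of this file. addCertificateValue and addOCSPValue both start outside their hunks.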
@@ -302,15 +301,14 @@ OCSP SignatureXAdES_LT::getOCSPResponseValue() const
 for(const OCSPValuesType::EncapsulatedOCSPValueType &resp: t.oCSPValues()->encapsulatedOCSPValue())
 {
 try {
- OCSP ocsp((const unsigned char*)resp.data(), resp.size());
+ OCSP ocsp(resp);
 ocsp.verifyResponse(signingCertificate());
 return ocsp;
 } catch(const Exception &) { } }
 // Return first OCSP response when chains are not complete and validation fails
- const OCSPValuesType::EncapsulatedOCSPValueType &resp = t.oCSPValues()->encapsulatedOCSPValue().at(0);
- return {(const unsigned char*)resp.data(), resp.size()};
+ return {t.oCSPValues()->encapsulatedOCSPValue().front()};
 } catch(const Exception &) {}
diff --git a/src/crypto/OCSP.cpp b/src/crypto/OCSP.cpp
index d1a474393..cb1f0c740 100644
--- a/src/crypto/OCSP.cpp
+++ b/src/crypto/OCSP.cpp
@@ -28,6 +28,7 @@
 #include "util/log.h"
 #include
+#include
 #ifdef WIN32 //hack for win32 build
 #undef OCSP_REQUEST
@@ -150,10 +151,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const
 return X509_NAME_cmp(X509_get_subject_name(cert.handle()), name) == 0;
 if(hash) {
- unsigned char sha1[SHA_DIGEST_LENGTH];
+ std::array sha1{};
 ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert.handle());
- SHA1(key->data, size_t(key->length), sha1);
- return memcmp(hash->data, &sha1, size_t(hash->length)) == 0;
+ SHA1(key->data, size_t(key->length), sha1.data());
+ return sha1.size() == hash->length && memcmp(hash->data, sha1.data(), sha1.size()) == 0;
 }
 return false;
 }
diff --git a/src/crypto/OCSP.h b/src/crypto/OCSP.h
index 92a3dcd1a..6507b7774 100644
--- a/src/crypto/OCSP.h
+++ b/src/crypto/OCSP.h
@@ -37,6 +37,8 @@ namespace digidoc
 public:
 OCSP(const X509Cert &cert, const X509Cert &issuer);
+ template
+ inline OCSP(const Container &data): OCSP((const unsigned char*)data.data(), data.size()) {}
 OCSP(const unsigned char *data = nullptr, size_t size = 0);
 std::vector nonce() const;
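Review bot: `return {t.oCSPValues()->encapsulatedOCSPValue().front()};` in getOCSPResponseValue turns an empty EncapsulatedOCSPValue sequence from the `std::out_of_range` that the removed `.at(0)` threw into undefined behaviour, because `front()` does no bounds check and the loop above it runs zero times in exactly that case, falling straight through to this line. Whether the sequence can be empty depends on the schema and on `relaxSchemaValidation` (see the constructor hunk), which I cannot verify from here; if it can, guard it: `const auto &values = t.oCSPValues()->encapsulatedOCSPValue();` / `if(values.empty()) THROW("No OCSP response value found.");` / `return {values.front()};`, or keep `.at(0)`. A THROW at this point is swallowed by the enclosing `catch(const Exception &)`, so whatever fallback follows the hunk decides what callers see. getOCSPResponseValue starts outside the hunk and continues after it.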
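Review bot: `sha1.size() == hash->length` in compareResponderCert compares a `size_t` with OpenSSL's `int` length field, which trips -Wsign-compare; the implicit conversion makes a negative length compare unequal, so the check is safe, but make the intent explicit: `return hash->length == int(sha1.size()) && memcmp(hash->data, sha1.data(), sha1.size()) == 0;`. The added length check itself is the right fix — the removed `memcmp(hash->data, &sha1, size_t(hash->length))` compared `hash->length` bytes against a fixed 20-byte buffer, so any longer responder-key hash read past it. Separately, `SHA1()` is deprecated since OpenSSL 3.0; `EVP_Digest(key->data, size_t(key->length), sha1.data(), nullptr, EVP_sha1(), nullptr)` is the supported form, though that usage predates this commit. The template arguments of `std::array sha1{}` are not visible in this rendering of the patch, so the size comparison assumes it is declared `SHA_DIGEST_LENGTH` wide.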
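Review bot: The new converting constructor `inline OCSP(const Container &data)` in OCSP.h accepts any type exposing `data()`/`size()` implicitly and hides a reinterpreting pointer conversion behind a C-style cast; write it as `reinterpret_cast<const unsigned char*>(data.data())` and drop the redundant `inline` (an in-class definition is already inline). Marking it `explicit` would stop accidental conversions from e.g. `std::string`, but `return {t.oCSPValues()->encapsulatedOCSPValue().front()};` in SignatureXAdES_LT.cpp relies on the implicit form and would have to become `return OCSP(...)`. The template parameter list is not visible in this rendering of the patch; constraining it so that `data.data()` must convert to `const void*` would keep unrelated types from matching. Separately, the subject promises a 32-byte nonce for the TS profile, yet the visible hunks account for the full diffstat (26 insertions, 15 deletions) and none of them touches `nonce()` or any nonce handling, so the change the title describes is not in this patch.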