Remove time-mark creation support (#539)

IB-6843

Signed-off-by: Raul Metsma <[email protected]>

etc/digidocpp.conf.cmake

@@ -20,11 +20,6 @@
     <!--<param name="proxy.user" lock="false"></param>-->
     <!--<param name="proxy.pass" lock="false"></param>-->
 
-    <!--OCSP request signing options-->
-    <!--<param name="pkcs12.cert" lock="false"></param>-->
-    <!--<param name="pkcs12.pass" lock="false"></param>-->
-    <!--<param name="pkcs12.disable" lock="false">false</param>-->
-
     <!--Time-stamping service settings-->
     <!--<param name="ts.url" lock="false">@TSA_URL@</param>-->
 

libdigidocpp.dox

@@ -724,38 +724,6 @@ The check is based on the TSL list's HTTP HEAD request ETag field or SHA-256 dig
 
 
 
-\subsubsection ocspsigning-settings Settings for signing OCSP requests
-Whether you need to sign the OCSP requests sent to your OCSP responder or not depends on your responder. Some OCSP servers require that the OCSP request is signed. To sign the OCSP request, you need to obtain and specify the PKCS#12 token, which will be used for signing.
-
-For example, accessing the SK's OCSP Responder service by private persons requires the requests to signed (access certificates can be obtained through registering for the service, see also https://www.skidsolutions.eu/en/services/validity-confirmation-services/) whereas in case of companies/services, signing the request is not required if having a contract with SK and accessing the service from specific IP address(es). It is not necessary to sign OCSP requests in case of using OCSP test-responder (see the next sub-section for more information).
-
-By default, the parameter "pkcs12.disable" value is set to "true" – i.e. the OCSP requests will not be signed. If setting this to "false", you will also need to provide your access certificate file's location and password that have been issued to you for this purpose.
-
-<table>
-<tr>
-  <th>Parameter name</th>
-  <th>Comments</th>
-</tr>
-<tr>
-  <td>pkcs12.disable</td>
-  <td>Specifies if the OCSP requests are signed or not. Possible values are:
-true – OCSP requests are not signed;
-false – OCSP requests are signed.
-</td>
-</tr>
-<tr>
-  <td>pkcs12.cert</td>
-  <td>Specifies your access certificate's PKCS#12 container's filename, e.g. ./home/132936.p12d</td>
-</tr>
-<tr>
-  <td>pkcs12.pass</td>
-  <td>Specifies your access certificate's PKCS#12 container's  password, e.g. m15eTGpA</td>
-</tr>
-</table>
-
-
-
-
 \subsubsection ocspresponder-settings OCSP responder settings
 
 The default OCSP responder that the library uses for retrieving the OCSP confirmation during signature creation depends on the signer's certificate chain.
@@ -875,15 +843,14 @@ If you would like to add PIN insertion dialog window for the signer to enter the
 \paragraph API-sign-profile Optionally specify the signature profile
 The supported signature profiles are (see also \ref Supported, under "Signature profiles"):
 - "time-stamp" (TS) - signature profile in case of which the certificate validity information is added to the signature with an OCSP confirmation (retrieved from OCSP server); the signing time information is added with a time-stamp token (retrieved from a time-stamping service). Signature creation time is the issuance time of the time-stamp token (value of the getTime field in the token). The profile is supported only in case of BDOC 2.1 document format, since v3.9 of the library.
-- "time-mark" (TM) - certificate validity and signing time information is added to the signature with a time-mark (an OCSP confirmation with a specific "nonce" value). Signature creation time is the time-mark's issuance time (i.e. the OCSP confirmation's producedAt field's value).
 
 \warning When adding signature to an existing BDOC 2.1 container then the profile of the existing signature should be used for all of the new signatures in the same container. Signature's profile can be determined with method digidoc::Signature.profile().
 
 If the signature profile value is not specified then then a "time-stamp" profile is used by default.
 
 Set the profile value as follows:
 \code{.cpp}
-std::string profile = "<signature-profile>"; // "time-mark" or "time-stamp"
+std::string profile = "time-stamp"; // or "time-stamp-archive"
 signer->setProfile(profile);
 \endcode
 
@@ -1375,18 +1342,7 @@ Specifies the data file's mime-type value. When used then must be written right
 
 Additional options for the "websign" command are the same as for "sign" command (see \ref Adding).
 
-Sample commands for creating and external signing of BDOC files:
-
-\code{.txt}
-Sample: creating new BDOC-TM file, specifying signers certificate, adding data file and calculating the RSA signature value in browser
-> digidoc-tool websign --cert=signer.cer --file=file1.txt --profile=time-mark demo-container.bdoc
-
-Input:
-  --cert=signer.cer		- signers certificate
-  --file=file1.txt		- a data file to be added to container
-  --profile=time-mark	- profile of the signature
-  demo-container.bdoc	- container to be created (in BDOC 2.1 format)
-\endcode
+Sample command for creating and external signing of BDOC files:
 
 \code{.txt}
 Sample: creating new BDOC-TS file, specifying signers certificate, adding data files and other meta-data and calculating the RSA signature value in browser
@@ -1564,8 +1520,8 @@ Command "sign" enables adding signatures to existing DigiDoc containers. The sup
 If PIN is not provided with this parameter value and (the default) PKCS#11 module is used for signing then the utility program asks for the user to insert PIN code to command line during the program’s execution time.</td></tr>
 <tr><td>\-\-profile=	</td><td>Optional</td><td>
 Profile of the signature. Possible values are:
-- TM - a time-mark will be added to the signature as validation data;
 - TS - a time-stamp and OCSP confirmation will be added to the signature as validation data.
+- TSA - a time-stamp and OCSP confirmation will be added to the signature as validation data. Additional time-stamp is added for notarize all certificate and revocation info.
 
 \warning When adding signature to an existing BDOC 2.1 container then the profile of the existing signature should be used for all of the new signatures in the same container.</td></tr>
 <tr><td>\-\-XAdESEN	</td><td>Optional</td><td>

src/ASiC_E.cpp

@@ -40,12 +40,10 @@ using namespace digidoc;
 using namespace digidoc::util;
 using namespace std;
 
-const string ASiC_E::BES_PROFILE = "BES";
-const string ASiC_E::EPES_PROFILE = "EPES";
-const string ASiC_E::ASIC_TM_PROFILE = "time-mark";
-const string ASiC_E::ASIC_TS_PROFILE = "time-stamp";
-const string ASiC_E::ASIC_TSA_PROFILE = ASIC_TS_PROFILE + "-archive";
-const string ASiC_E::ASIC_TMA_PROFILE = ASIC_TM_PROFILE + "-archive";
+const string_view ASiC_E::ASIC_TM_PROFILE = "time-mark";
+const string_view ASiC_E::ASIC_TS_PROFILE = "time-stamp";
+const string_view ASiC_E::ASIC_TSA_PROFILE = "time-stamp-archive";
+const string_view ASiC_E::ASIC_TMA_PROFILE = "time-mark-archive";
 const string ASiC_E::MANIFEST_NAMESPACE = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0";
 
 class ASiC_E::Private
@@ -76,7 +74,7 @@ ASiC_E::ASiC_E(const string &path)
 
 ASiC_E::~ASiC_E()
 {
-    for_each(d->metadata.cbegin(), d->metadata.cend(), std::default_delete<DataFile>());
+    for_each(d->metadata.cbegin(), d->metadata.cend(), default_delete<DataFile>());
 }
 
 vector<DataFile*> ASiC_E::metaFiles() const
@@ -360,7 +358,7 @@ Signature *ASiC_E::sign(Signer* signer)
     try
     {
         s->setSignatureValue(signer->sign(s->signatureMethod(), s->dataToSign()));
-        s->extendSignatureProfile(signer->profile().empty() ? ASiC_E::ASIC_TS_PROFILE : signer->profile());
+        s->extendSignatureProfile(signer->profile());
     }
     catch(const Exception& e)
     {

src/ASiC_E.h

@@ -36,12 +36,10 @@ namespace digidoc
     class ASiC_E final : public ASiContainer
     {
       public:
-          static const std::string BES_PROFILE;
-          static const std::string EPES_PROFILE;
-          static const std::string ASIC_TM_PROFILE;
-          static const std::string ASIC_TS_PROFILE;
-          static const std::string ASIC_TMA_PROFILE;
-          static const std::string ASIC_TSA_PROFILE;
+          static const std::string_view ASIC_TM_PROFILE;
+          static const std::string_view ASIC_TS_PROFILE;
+          static const std::string_view ASIC_TMA_PROFILE;
+          static const std::string_view ASIC_TSA_PROFILE;
           static const std::string MANIFEST_NAMESPACE;
 
           ~ASiC_E() final;

src/Conf.h

@@ -56,9 +56,9 @@ class DIGIDOCPP_EXPORT Conf
     virtual std::string TSUrl() const;
     virtual std::string verifyServiceUri() const;
 
-    virtual std::string PKCS12Cert() const;
-    virtual std::string PKCS12Pass() const;
-    virtual bool PKCS12Disable() const;
+    DIGIDOCPP_DEPRECATED virtual std::string PKCS12Cert() const;
+    DIGIDOCPP_DEPRECATED virtual std::string PKCS12Pass() const;
+    DIGIDOCPP_DEPRECATED virtual bool PKCS12Disable() const;
 
     virtual bool TSLAllowExpired() const;
     virtual bool TSLAutoUpdate() const;

src/SiVaContainer.cpp

@@ -53,8 +53,8 @@ using namespace std;
 using namespace xercesc;
 using json = nlohmann::json;
 
-static std::string base64_decode(const XMLCh *in) {
-    static constexpr std::array<std::uint8_t, 128> T{
+static string base64_decode(const XMLCh *in) {
+    static constexpr array<uint8_t, 128> T{
         0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64,
         0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64,
         0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x3E, 0x64, 0x64, 0x64, 0x3F,
@@ -65,7 +65,7 @@ static std::string base64_decode(const XMLCh *in) {
         0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x64, 0x64, 0x64, 0x64, 0x64
     };
 
-    std::string out;
+    string out;
     int value = 0;
     int bits = -8;
     for(; in; ++in)
@@ -185,7 +185,7 @@ SiVaContainer::SiVaContainer(const string &path, const string &ext, bool useHash
         {"document", move(b64)},
         {"signaturePolicy", "POLv4"}
     }).dump();
-    Connect::Result r = Connect(CONF(verifyServiceUri), "POST", 0, {}, CONF(verifyServiceCerts)).exec({
+    Connect::Result r = Connect(CONF(verifyServiceUri), "POST", 0, CONF(verifyServiceCerts)).exec({
         {"Content-Type", "application/json;charset=UTF-8"}
     }, (const unsigned char*)req.c_str(), req.size());
 
@@ -327,7 +327,7 @@ unique_ptr<Container> SiVaContainer::openInternal(const string &path)
     }
 }
 
-std::unique_ptr<std::istream> SiVaContainer::parseDDoc(bool useHashCode)
+unique_ptr<istream> SiVaContainer::parseDDoc(bool useHashCode)
 {
     namespace xml = xsd::cxx::xml;
     using cpXMLCh = const XMLCh*;

src/SignatureXAdES_B.cpp

@@ -61,11 +61,8 @@ const string SignatureXAdES_B::XADES_NAMESPACE = "http://uri.etsi.org/01903/v1.3
 const string SignatureXAdES_B::XADESv141_NAMESPACE = "http://uri.etsi.org/01903/v1.4.1#";
 const string SignatureXAdES_B::ASIC_NAMESPACE = "http://uri.etsi.org/02918/v1.2.1#";
 const string SignatureXAdES_B::OPENDOCUMENT_NAMESPACE = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0";
-const string SignatureXAdES_B::POLICY_BDOC_2_1_OID = "urn:oid:1.3.6.1.4.1.10015.1000.3.2.1";
 const map<string,SignatureXAdES_B::Policy> SignatureXAdES_B::policylist = {
-    {SignatureXAdES_B::POLICY_BDOC_2_1_OID,{
-        "BDOC – FORMAT FOR DIGITAL SIGNATURES",
-        "https://www.sk.ee/repository/bdoc-spec21.pdf",
+    {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.1",{ // https://www.sk.ee/repository/bdoc-spec21.pdf
         // SHA-1
         {   0x80,0x81,0xe2,0x69,0xeb,0x44,0x13,0xde,0x20,0x6e,0x40,0x91,0xca,0x04,0x3d,0x5a,
             0xca,0x71,0x51,0xdc},
@@ -85,9 +82,7 @@ const map<string,SignatureXAdES_B::Policy> SignatureXAdES_B::policylist = {
             0xa6,0x7b,0x18,0x86,0x04,0xd8,0x20,0x9b,0xf8,0x54,0x4e,0xb0,0x5f,0xb3,0x67,0x58,
             0x39,0xb9,0xef,0xfe,0xf7,0x75,0x7d,0x34,0x5e,0x39,0xa8,0xa5,0xbf,0x4a,0xa1,0xd7}
     }},
-    {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.3",{
-        "BDOC – FORMAT FOR DIGITAL SIGNATURES",
-        "http://id.ee/public/bdoc-spec212-eng.pdf",
+    {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.3",{ // http://id.ee/public/bdoc-spec212-eng.pdf
         // SHA-1
         {   0x0b,0x2d,0x60,0x6b,0x17,0x9b,0x3b,0x92,0x9c,0x3f,0x79,0xf5,0x92,0x5c,0x84,0xc8,
             0xeb,0xef,0x31,0xc6},
@@ -125,12 +120,14 @@ static Base64Binary toBase64(const vector<unsigned char> &v)
 SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *signer)
     : bdoc(bdoc)
 {
+    X509Cert c = signer->cert();
     string nr = "S" + to_string(id);
 
     // Signature->SignedInfo
     auto signedInfo = make_unique<SignedInfoType>(
         make_unique<CanonicalizationMethodType>(/*URI_ID_EXC_C14N_NOC*/URI_ID_C14N11_NOC),
-        make_unique<SignatureMethodType>(URI_ID_RSA_SHA256));
+        make_unique<SignatureMethodType>(X509Crypto(c).isRSAKey() ?
+            Digest::toRsaUri(signer->method()) : Digest::toEcUri(signer->method())));
 
     // Signature->SignatureValue
     auto signatureValue = make_unique<SignatureValueType>();
@@ -146,38 +143,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *
     auto signedProperties = make_unique<SignedPropertiesType>();
     signedProperties->signedSignatureProperties(make_unique<SignedSignaturePropertiesType>());
     signedProperties->id(nr + "-SignedProperties");
-    // Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SignaturePolicyIdentifierType
-    if(signer->profile().find(ASiC_E::ASIC_TM_PROFILE) != string::npos ||
-       signer->profile().find(ASiC_E::EPES_PROFILE) != string::npos)
-    {
-        auto p = policylist.cbegin();
-        auto identifierid = make_unique<IdentifierType>(p->first);
-        identifierid->qualifier(QualifierType::OIDAsURN);
-
-        auto identifier = make_unique<ObjectIdentifierType>(std::move(identifierid));
-        identifier->description(p->second.DESCRIPTION.data());
-
-        string digestUri = Conf::instance()->digestUri();
-        const vector<unsigned char> *data = &p->second.SHA256;
-        if(Conf::instance()->digestUri() == URI_SHA224) data = &p->second.SHA224;
-        else if(Conf::instance()->digestUri() == URI_SHA256) data = &p->second.SHA256;
-        else if(Conf::instance()->digestUri() == URI_SHA384) data = &p->second.SHA384;
-        else if(Conf::instance()->digestUri() == URI_SHA512) data = &p->second.SHA512;
-        auto policyDigest = make_unique<DigestAlgAndValueType>(make_unique<DigestMethodType>(digestUri), toBase64(*data));
-
-        auto policyId = make_unique<SignaturePolicyIdType>(std::move(identifier), std::move(policyDigest));
-
-        auto uri = make_unique<SigPolicyQualifiersListType::SigPolicyQualifierType>();
-        uri->sPURI(p->second.URI.data());
-
-        auto qualifiers = make_unique<SigPolicyQualifiersListType>();
-        qualifiers->sigPolicyQualifier().push_back(std::move(uri));
-        policyId->sigPolicyQualifiers(std::move(qualifiers));
-
-        auto policyidentifier = make_unique<SignaturePolicyIdentifierType>();
-        policyidentifier->signaturePolicyId(std::move(policyId));
-        signedProperties->signedSignatureProperties()->signaturePolicyIdentifier(std::move(policyidentifier));
-    }
 
     // Signature->Object->QualifyingProperties
     auto qualifyingProperties = make_unique<QualifyingPropertiesType>("#" + nr);
@@ -190,7 +155,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *
     signature->object().push_back(std::move(object));
 
     //Fill XML-DSIG/XAdES properties
-    X509Cert c = signer->cert();
     setKeyInfo(c);
     if(signer->usingENProfile())
     {
@@ -204,8 +168,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *
         setSignatureProductionPlace(signer->city(), signer->stateOrProvince(), signer->postalCode(), signer->countryName());
         setSignerRoles(signer->signerRoles());
     }
-    signature->signedInfo().signatureMethod(make_unique<SignatureMethodType>(X509Crypto(c).isRSAKey() ?
-        Digest::toRsaUri(signer->method()) : Digest::toEcUri(signer->method()) ));
     setSigningTime(time(nullptr));
 
     string digestMethod = Conf::instance()->digestUri();
@@ -364,26 +326,26 @@ string SignatureXAdES_B::policy() const
  */
 string SignatureXAdES_B::profile() const
 {
-    string base = policy().empty() ? ASiC_E::BES_PROFILE : ASiC_E::EPES_PROFILE;
+    string base = policy().empty() ? "BES" : "EPES";
     try {
-        const QualifyingPropertiesType::UnsignedPropertiesOptional &up = qualifyingProperties().unsignedProperties();
+        auto up = qualifyingProperties().unsignedProperties();
         if(!up)
             return base;
-        const UnsignedPropertiesType::UnsignedSignaturePropertiesOptional &usp = up->unsignedSignatureProperties();
+        auto usp = up->unsignedSignatureProperties();
         if(!usp)
             return base;
 
         if(!usp->signatureTimeStamp().empty())
         {
             if(!usp->archiveTimeStampV141().empty())
-                return base + "/" + ASiC_E::ASIC_TSA_PROFILE;
-            return base + "/" + ASiC_E::ASIC_TS_PROFILE;
+                return (base + '/').append(ASiC_E::ASIC_TSA_PROFILE);
+            return (base + '/').append(ASiC_E::ASIC_TS_PROFILE);
         }
         if(!usp->revocationValues().empty())
         {
             if(!usp->archiveTimeStampV141().empty())
-                return base + "/" + ASiC_E::ASIC_TMA_PROFILE;
-            return base + "/" + ASiC_E::ASIC_TM_PROFILE;
+                return (base + '/').append(ASiC_E::ASIC_TMA_PROFILE);
+            return (base + '/').append(ASiC_E::ASIC_TM_PROFILE);
         }
     }
     catch(const Exception &) {}

src/SignatureXAdES_B.h

@@ -81,7 +81,6 @@ namespace digidoc
           static const std::string XADES_NAMESPACE;
           static const std::string XADESv141_NAMESPACE;
           static const std::string OPENDOCUMENT_NAMESPACE;
-          static const std::string POLICY_BDOC_2_1_OID;
           dsig::SignatureType *signature = nullptr;
           std::unique_ptr<asic::XAdESSignaturesType> asicsignature;
           std::unique_ptr<asic::Document_signatures> odfsignature;
@@ -93,7 +92,6 @@ namespace digidoc
 
           struct Policy
           {
-              const std::string_view DESCRIPTION, URI;
               const std::vector<unsigned char> SHA1, SHA224, SHA256, SHA384, SHA512;
           };
           static const std::map<std::string,Policy> policylist;