From 767326df9ee80331d88e70ab417139984fa6b875 Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Tue, 20 Jun 2023 15:59:03 +0300 Subject: [PATCH] Remove time-mark creation support (#539) IB-6843 Signed-off-by: Raul Metsma --- etc/digidocpp.conf.cmake | 5 -- libdigidocpp.dox | 50 +--------------- src/ASiC_E.cpp | 14 ++--- src/ASiC_E.h | 10 ++-- src/Conf.h | 6 +- src/SiVaContainer.cpp | 10 ++-- src/SignatureXAdES_B.cpp | 62 ++++---------------- src/SignatureXAdES_B.h | 2 - src/SignatureXAdES_LT.cpp | 19 ++---- src/SignatureXAdES_LTA.cpp | 31 +++++----- src/SignatureXAdES_T.cpp | 8 +-- src/SignatureXAdES_T.h | 4 +- src/XmlConf.cpp | 67 ++++++++++------------ src/XmlConf.h | 60 +++++++++---------- src/crypto/Connect.cpp | 6 +- src/crypto/Connect.h | 2 +- src/crypto/OCSP.cpp | 70 ++++++----------------- src/crypto/OCSP.h | 7 +-- src/crypto/OpenSSLHelpers.h | 31 ++-------- src/crypto/PKCS12Signer.cpp | 11 +++- src/crypto/Signer.cpp | 21 ++++++- src/crypto/TS.cpp | 4 +- src/crypto/TS.h | 2 +- src/crypto/X509CertStore.cpp | 33 +---------- src/digidoc-tool.1.cmake | 9 +-- src/digidoc-tool.cpp | 52 +++++++---------- src/libdigidocpp.i.h | 5 -- src/xml/UnsignedSignaturePropertiesType.h | 10 ++-- test/libdigidocpp_boost.cpp | 32 ++--------- 29 files changed, 216 insertions(+), 427 deletions(-) diff --git a/etc/digidocpp.conf.cmake b/etc/digidocpp.conf.cmake index ce98c03cf..1ba91308f 100644 --- a/etc/digidocpp.conf.cmake +++ b/etc/digidocpp.conf.cmake @@ -20,11 +20,6 @@ - - - - - diff --git a/libdigidocpp.dox b/libdigidocpp.dox index e782afeec..bdf8d7ccf 100644 --- a/libdigidocpp.dox +++ b/libdigidocpp.dox @@ -724,38 +724,6 @@ The check is based on the TSL list's HTTP HEAD request ETag field or SHA-256 dig -\subsubsection ocspsigning-settings Settings for signing OCSP requests -Whether you need to sign the OCSP requests sent to your OCSP responder or not depends on your responder. Some OCSP servers require that the OCSP request is signed. To sign the OCSP request, you need to obtain and specify the PKCS#12 token, which will be used for signing. - -For example, accessing the SK's OCSP Responder service by private persons requires the requests to signed (access certificates can be obtained through registering for the service, see also https://www.skidsolutions.eu/en/services/validity-confirmation-services/) whereas in case of companies/services, signing the request is not required if having a contract with SK and accessing the service from specific IP address(es). It is not necessary to sign OCSP requests in case of using OCSP test-responder (see the next sub-section for more information). - -By default, the parameter "pkcs12.disable" value is set to "true" – i.e. the OCSP requests will not be signed. If setting this to "false", you will also need to provide your access certificate file's location and password that have been issued to you for this purpose. - - - - - - - - - - - - - - - - - - -
Parameter nameComments
pkcs12.disableSpecifies if the OCSP requests are signed or not. Possible values are: -true – OCSP requests are not signed; -false – OCSP requests are signed. -
pkcs12.certSpecifies your access certificate's PKCS#12 container's filename, e.g. ./home/132936.p12d
pkcs12.passSpecifies your access certificate's PKCS#12 container's password, e.g. m15eTGpA
- - - - \subsubsection ocspresponder-settings OCSP responder settings The default OCSP responder that the library uses for retrieving the OCSP confirmation during signature creation depends on the signer's certificate chain. @@ -875,7 +843,6 @@ If you would like to add PIN insertion dialog window for the signer to enter the \paragraph API-sign-profile Optionally specify the signature profile The supported signature profiles are (see also \ref Supported, under "Signature profiles"): - "time-stamp" (TS) - signature profile in case of which the certificate validity information is added to the signature with an OCSP confirmation (retrieved from OCSP server); the signing time information is added with a time-stamp token (retrieved from a time-stamping service). Signature creation time is the issuance time of the time-stamp token (value of the getTime field in the token). The profile is supported only in case of BDOC 2.1 document format, since v3.9 of the library. -- "time-mark" (TM) - certificate validity and signing time information is added to the signature with a time-mark (an OCSP confirmation with a specific "nonce" value). Signature creation time is the time-mark's issuance time (i.e. the OCSP confirmation's producedAt field's value). \warning When adding signature to an existing BDOC 2.1 container then the profile of the existing signature should be used for all of the new signatures in the same container. Signature's profile can be determined with method digidoc::Signature.profile(). @@ -883,7 +850,7 @@ If the signature profile value is not specified then then a "time-stamp" profile Set the profile value as follows: \code{.cpp} -std::string profile = ""; // "time-mark" or "time-stamp" +std::string profile = "time-stamp"; // or "time-stamp-archive" signer->setProfile(profile); \endcode @@ -1375,18 +1342,7 @@ Specifies the data file's mime-type value. When used then must be written right Additional options for the "websign" command are the same as for "sign" command (see \ref Adding). -Sample commands for creating and external signing of BDOC files: - -\code{.txt} -Sample: creating new BDOC-TM file, specifying signers certificate, adding data file and calculating the RSA signature value in browser -> digidoc-tool websign --cert=signer.cer --file=file1.txt --profile=time-mark demo-container.bdoc - -Input: - --cert=signer.cer - signers certificate - --file=file1.txt - a data file to be added to container - --profile=time-mark - profile of the signature - demo-container.bdoc - container to be created (in BDOC 2.1 format) -\endcode +Sample command for creating and external signing of BDOC files: \code{.txt} Sample: creating new BDOC-TS file, specifying signers certificate, adding data files and other meta-data and calculating the RSA signature value in browser @@ -1564,8 +1520,8 @@ Command "sign" enables adding signatures to existing DigiDoc containers. The sup If PIN is not provided with this parameter value and (the default) PKCS#11 module is used for signing then the utility program asks for the user to insert PIN code to command line during the program’s execution time. \-\-profile= Optional Profile of the signature. Possible values are: -- TM - a time-mark will be added to the signature as validation data; - TS - a time-stamp and OCSP confirmation will be added to the signature as validation data. +- TSA - a time-stamp and OCSP confirmation will be added to the signature as validation data. Additional time-stamp is added for notarize all certificate and revocation info. \warning When adding signature to an existing BDOC 2.1 container then the profile of the existing signature should be used for all of the new signatures in the same container. \-\-XAdESEN Optional diff --git a/src/ASiC_E.cpp b/src/ASiC_E.cpp index ea6ca0d05..0ad265482 100644 --- a/src/ASiC_E.cpp +++ b/src/ASiC_E.cpp @@ -40,12 +40,10 @@ using namespace digidoc; using namespace digidoc::util; using namespace std; -const string ASiC_E::BES_PROFILE = "BES"; -const string ASiC_E::EPES_PROFILE = "EPES"; -const string ASiC_E::ASIC_TM_PROFILE = "time-mark"; -const string ASiC_E::ASIC_TS_PROFILE = "time-stamp"; -const string ASiC_E::ASIC_TSA_PROFILE = ASIC_TS_PROFILE + "-archive"; -const string ASiC_E::ASIC_TMA_PROFILE = ASIC_TM_PROFILE + "-archive"; +const string_view ASiC_E::ASIC_TM_PROFILE = "time-mark"; +const string_view ASiC_E::ASIC_TS_PROFILE = "time-stamp"; +const string_view ASiC_E::ASIC_TSA_PROFILE = "time-stamp-archive"; +const string_view ASiC_E::ASIC_TMA_PROFILE = "time-mark-archive"; const string ASiC_E::MANIFEST_NAMESPACE = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"; class ASiC_E::Private @@ -76,7 +74,7 @@ ASiC_E::ASiC_E(const string &path) ASiC_E::~ASiC_E() { - for_each(d->metadata.cbegin(), d->metadata.cend(), std::default_delete()); + for_each(d->metadata.cbegin(), d->metadata.cend(), default_delete()); } vector ASiC_E::metaFiles() const @@ -360,7 +358,7 @@ Signature *ASiC_E::sign(Signer* signer) try { s->setSignatureValue(signer->sign(s->signatureMethod(), s->dataToSign())); - s->extendSignatureProfile(signer->profile().empty() ? ASiC_E::ASIC_TS_PROFILE : signer->profile()); + s->extendSignatureProfile(signer->profile()); } catch(const Exception& e) { diff --git a/src/ASiC_E.h b/src/ASiC_E.h index c8079f8b6..f268c21e8 100644 --- a/src/ASiC_E.h +++ b/src/ASiC_E.h @@ -36,12 +36,10 @@ namespace digidoc class ASiC_E final : public ASiContainer { public: - static const std::string BES_PROFILE; - static const std::string EPES_PROFILE; - static const std::string ASIC_TM_PROFILE; - static const std::string ASIC_TS_PROFILE; - static const std::string ASIC_TMA_PROFILE; - static const std::string ASIC_TSA_PROFILE; + static const std::string_view ASIC_TM_PROFILE; + static const std::string_view ASIC_TS_PROFILE; + static const std::string_view ASIC_TMA_PROFILE; + static const std::string_view ASIC_TSA_PROFILE; static const std::string MANIFEST_NAMESPACE; ~ASiC_E() final; diff --git a/src/Conf.h b/src/Conf.h index 9a44917b7..0463c58f0 100644 --- a/src/Conf.h +++ b/src/Conf.h @@ -56,9 +56,9 @@ class DIGIDOCPP_EXPORT Conf virtual std::string TSUrl() const; virtual std::string verifyServiceUri() const; - virtual std::string PKCS12Cert() const; - virtual std::string PKCS12Pass() const; - virtual bool PKCS12Disable() const; + DIGIDOCPP_DEPRECATED virtual std::string PKCS12Cert() const; + DIGIDOCPP_DEPRECATED virtual std::string PKCS12Pass() const; + DIGIDOCPP_DEPRECATED virtual bool PKCS12Disable() const; virtual bool TSLAllowExpired() const; virtual bool TSLAutoUpdate() const; diff --git a/src/SiVaContainer.cpp b/src/SiVaContainer.cpp index a28ff2201..4f1676e00 100644 --- a/src/SiVaContainer.cpp +++ b/src/SiVaContainer.cpp @@ -53,8 +53,8 @@ using namespace std; using namespace xercesc; using json = nlohmann::json; -static std::string base64_decode(const XMLCh *in) { - static constexpr std::array T{ +static string base64_decode(const XMLCh *in) { + static constexpr array T{ 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x3E, 0x64, 0x64, 0x64, 0x3F, @@ -65,7 +65,7 @@ static std::string base64_decode(const XMLCh *in) { 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x64, 0x64, 0x64, 0x64, 0x64 }; - std::string out; + string out; int value = 0; int bits = -8; for(; in; ++in) @@ -185,7 +185,7 @@ SiVaContainer::SiVaContainer(const string &path, const string &ext, bool useHash {"document", move(b64)}, {"signaturePolicy", "POLv4"} }).dump(); - Connect::Result r = Connect(CONF(verifyServiceUri), "POST", 0, {}, CONF(verifyServiceCerts)).exec({ + Connect::Result r = Connect(CONF(verifyServiceUri), "POST", 0, CONF(verifyServiceCerts)).exec({ {"Content-Type", "application/json;charset=UTF-8"} }, (const unsigned char*)req.c_str(), req.size()); @@ -327,7 +327,7 @@ unique_ptr SiVaContainer::openInternal(const string &path) } } -std::unique_ptr SiVaContainer::parseDDoc(bool useHashCode) +unique_ptr SiVaContainer::parseDDoc(bool useHashCode) { namespace xml = xsd::cxx::xml; using cpXMLCh = const XMLCh*; diff --git a/src/SignatureXAdES_B.cpp b/src/SignatureXAdES_B.cpp index 1c8da3840..b439165a7 100644 --- a/src/SignatureXAdES_B.cpp +++ b/src/SignatureXAdES_B.cpp @@ -61,11 +61,8 @@ const string SignatureXAdES_B::XADES_NAMESPACE = "http://uri.etsi.org/01903/v1.3 const string SignatureXAdES_B::XADESv141_NAMESPACE = "http://uri.etsi.org/01903/v1.4.1#"; const string SignatureXAdES_B::ASIC_NAMESPACE = "http://uri.etsi.org/02918/v1.2.1#"; const string SignatureXAdES_B::OPENDOCUMENT_NAMESPACE = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"; -const string SignatureXAdES_B::POLICY_BDOC_2_1_OID = "urn:oid:1.3.6.1.4.1.10015.1000.3.2.1"; const map SignatureXAdES_B::policylist = { - {SignatureXAdES_B::POLICY_BDOC_2_1_OID,{ - "BDOC – FORMAT FOR DIGITAL SIGNATURES", - "https://www.sk.ee/repository/bdoc-spec21.pdf", + {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.1",{ // https://www.sk.ee/repository/bdoc-spec21.pdf // SHA-1 { 0x80,0x81,0xe2,0x69,0xeb,0x44,0x13,0xde,0x20,0x6e,0x40,0x91,0xca,0x04,0x3d,0x5a, 0xca,0x71,0x51,0xdc}, @@ -85,9 +82,7 @@ const map SignatureXAdES_B::policylist = { 0xa6,0x7b,0x18,0x86,0x04,0xd8,0x20,0x9b,0xf8,0x54,0x4e,0xb0,0x5f,0xb3,0x67,0x58, 0x39,0xb9,0xef,0xfe,0xf7,0x75,0x7d,0x34,0x5e,0x39,0xa8,0xa5,0xbf,0x4a,0xa1,0xd7} }}, - {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.3",{ - "BDOC – FORMAT FOR DIGITAL SIGNATURES", - "http://id.ee/public/bdoc-spec212-eng.pdf", + {"urn:oid:1.3.6.1.4.1.10015.1000.3.2.3",{ // http://id.ee/public/bdoc-spec212-eng.pdf // SHA-1 { 0x0b,0x2d,0x60,0x6b,0x17,0x9b,0x3b,0x92,0x9c,0x3f,0x79,0xf5,0x92,0x5c,0x84,0xc8, 0xeb,0xef,0x31,0xc6}, @@ -125,12 +120,14 @@ static Base64Binary toBase64(const vector &v) SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *signer) : bdoc(bdoc) { + X509Cert c = signer->cert(); string nr = "S" + to_string(id); // Signature->SignedInfo auto signedInfo = make_unique( make_unique(/*URI_ID_EXC_C14N_NOC*/URI_ID_C14N11_NOC), - make_unique(URI_ID_RSA_SHA256)); + make_unique(X509Crypto(c).isRSAKey() ? + Digest::toRsaUri(signer->method()) : Digest::toEcUri(signer->method()))); // Signature->SignatureValue auto signatureValue = make_unique(); @@ -146,38 +143,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer * auto signedProperties = make_unique(); signedProperties->signedSignatureProperties(make_unique()); signedProperties->id(nr + "-SignedProperties"); - // Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SignaturePolicyIdentifierType - if(signer->profile().find(ASiC_E::ASIC_TM_PROFILE) != string::npos || - signer->profile().find(ASiC_E::EPES_PROFILE) != string::npos) - { - auto p = policylist.cbegin(); - auto identifierid = make_unique(p->first); - identifierid->qualifier(QualifierType::OIDAsURN); - - auto identifier = make_unique(std::move(identifierid)); - identifier->description(p->second.DESCRIPTION.data()); - - string digestUri = Conf::instance()->digestUri(); - const vector *data = &p->second.SHA256; - if(Conf::instance()->digestUri() == URI_SHA224) data = &p->second.SHA224; - else if(Conf::instance()->digestUri() == URI_SHA256) data = &p->second.SHA256; - else if(Conf::instance()->digestUri() == URI_SHA384) data = &p->second.SHA384; - else if(Conf::instance()->digestUri() == URI_SHA512) data = &p->second.SHA512; - auto policyDigest = make_unique(make_unique(digestUri), toBase64(*data)); - - auto policyId = make_unique(std::move(identifier), std::move(policyDigest)); - - auto uri = make_unique(); - uri->sPURI(p->second.URI.data()); - - auto qualifiers = make_unique(); - qualifiers->sigPolicyQualifier().push_back(std::move(uri)); - policyId->sigPolicyQualifiers(std::move(qualifiers)); - - auto policyidentifier = make_unique(); - policyidentifier->signaturePolicyId(std::move(policyId)); - signedProperties->signedSignatureProperties()->signaturePolicyIdentifier(std::move(policyidentifier)); - } // Signature->Object->QualifyingProperties auto qualifyingProperties = make_unique("#" + nr); @@ -190,7 +155,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer * signature->object().push_back(std::move(object)); //Fill XML-DSIG/XAdES properties - X509Cert c = signer->cert(); setKeyInfo(c); if(signer->usingENProfile()) { @@ -204,8 +168,6 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer * setSignatureProductionPlace(signer->city(), signer->stateOrProvince(), signer->postalCode(), signer->countryName()); setSignerRoles(signer->signerRoles()); } - signature->signedInfo().signatureMethod(make_unique(X509Crypto(c).isRSAKey() ? - Digest::toRsaUri(signer->method()) : Digest::toEcUri(signer->method()) )); setSigningTime(time(nullptr)); string digestMethod = Conf::instance()->digestUri(); @@ -364,26 +326,26 @@ string SignatureXAdES_B::policy() const */ string SignatureXAdES_B::profile() const { - string base = policy().empty() ? ASiC_E::BES_PROFILE : ASiC_E::EPES_PROFILE; + string base = policy().empty() ? "BES" : "EPES"; try { - const QualifyingPropertiesType::UnsignedPropertiesOptional &up = qualifyingProperties().unsignedProperties(); + auto up = qualifyingProperties().unsignedProperties(); if(!up) return base; - const UnsignedPropertiesType::UnsignedSignaturePropertiesOptional &usp = up->unsignedSignatureProperties(); + auto usp = up->unsignedSignatureProperties(); if(!usp) return base; if(!usp->signatureTimeStamp().empty()) { if(!usp->archiveTimeStampV141().empty()) - return base + "/" + ASiC_E::ASIC_TSA_PROFILE; - return base + "/" + ASiC_E::ASIC_TS_PROFILE; + return (base + '/').append(ASiC_E::ASIC_TSA_PROFILE); + return (base + '/').append(ASiC_E::ASIC_TS_PROFILE); } if(!usp->revocationValues().empty()) { if(!usp->archiveTimeStampV141().empty()) - return base + "/" + ASiC_E::ASIC_TMA_PROFILE; - return base + "/" + ASiC_E::ASIC_TM_PROFILE; + return (base + '/').append(ASiC_E::ASIC_TMA_PROFILE); + return (base + '/').append(ASiC_E::ASIC_TM_PROFILE); } } catch(const Exception &) {} diff --git a/src/SignatureXAdES_B.h b/src/SignatureXAdES_B.h index b42cf2f1c..bbadcd9bb 100644 --- a/src/SignatureXAdES_B.h +++ b/src/SignatureXAdES_B.h @@ -81,7 +81,6 @@ namespace digidoc static const std::string XADES_NAMESPACE; static const std::string XADESv141_NAMESPACE; static const std::string OPENDOCUMENT_NAMESPACE; - static const std::string POLICY_BDOC_2_1_OID; dsig::SignatureType *signature = nullptr; std::unique_ptr asicsignature; std::unique_ptr odfsignature; @@ -93,7 +92,6 @@ namespace digidoc struct Policy { - const std::string_view DESCRIPTION, URI; const std::vector SHA1, SHA224, SHA256, SHA384, SHA512; }; static const std::map policylist; diff --git a/src/SignatureXAdES_LT.cpp b/src/SignatureXAdES_LT.cpp index 3c984af00..37a30a863 100644 --- a/src/SignatureXAdES_LT.cpp +++ b/src/SignatureXAdES_LT.cpp @@ -60,7 +60,7 @@ SignatureXAdES_LT::SignatureXAdES_LT(istream &sigdata, ASiContainer *bdoc, bool THROW("Could not find certificate issuer '%s' in certificate store.", cert.issuerName().c_str()); - OCSP ocsp(cert, issuer, {}, " format: " + bdoc->mediaType()); + OCSP ocsp(cert, issuer); addOCSPValue(id().replace(0, 1, "N"), ocsp); } } catch(const Exception &) { @@ -106,7 +106,7 @@ string SignatureXAdES_LT::trustedSigningTime() const * * @throws SignatureException if signature is not valid */ -void SignatureXAdES_LT::validate(const std::string &policy) const +void SignatureXAdES_LT::validate(const string &policy) const { Exception exception(EXCEPTION_PARAMS("Signature validation")); try { @@ -147,7 +147,7 @@ void SignatureXAdES_LT::validate(const std::string &policy) const { vector policies = ocsp.responderCert().certificatePolicies(); const set trusted = CONF(OCSPTMProfiles); - if(!std::any_of(policies.cbegin(), policies.cend(), [&](const string &policy) { return trusted.find(policy) != trusted.cend(); })) + if(!any_of(policies.cbegin(), policies.cend(), [&](const string &policy) { return trusted.find(policy) != trusted.cend(); })) { EXCEPTION_ADD(exception, "OCSP Responder does not meet TM requirements"); break; @@ -210,17 +210,12 @@ void SignatureXAdES_LT::validate(const std::string &policy) const * * @throws SignatureException */ -void SignatureXAdES_LT::extendSignatureProfile(const std::string &profile) +void SignatureXAdES_LT::extendSignatureProfile(const string &profile) { SignatureXAdES_T::extendSignatureProfile(profile); - if(profile == ASiC_E::BES_PROFILE || profile == ASiC_E::EPES_PROFILE) + if(profile.find(ASiC_E::ASIC_TS_PROFILE) == string::npos) return; - // Calculate NONCE value. - Digest calc; - vector nonce = Digest::addDigestInfo(calc.result(getSignatureValue()), calc.uri()); - DEBUGMEM("OID + Calculated signature HASH (nonce):", nonce.data(), nonce.size()); - // Get issuer certificate from certificate store. X509Cert cert = signingCertificate(); X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::CA); @@ -230,9 +225,7 @@ void SignatureXAdES_LT::extendSignatureProfile(const std::string &profile) THROW("Could not find certificate issuer '%s' in certificate store or from AIA.", cert.issuerName().c_str()); - string userAgent = " format: " + bdoc->mediaType() + " profile: " + - (profile.find(ASiC_E::ASIC_TM_PROFILE) != string::npos ? "ASiC_E_BASELINE_LT_TM" : "ASiC_E_BASELINE_LT"); - OCSP ocsp(cert, issuer, nonce, userAgent); + OCSP ocsp(cert, issuer); ocsp.verifyResponse(cert); addCertificateValue(id() + "-CA-CERT", issuer); diff --git a/src/SignatureXAdES_LTA.cpp b/src/SignatureXAdES_LTA.cpp index 9aa0a762a..b8dd13b4c 100644 --- a/src/SignatureXAdES_LTA.cpp +++ b/src/SignatureXAdES_LTA.cpp @@ -41,6 +41,8 @@ DIGIDOCPP_WARNING_DISABLE_MSVC(4005) #include DIGIDOCPP_WARNING_POP +#include + using namespace digidoc; using namespace digidoc::dsig; using namespace digidoc::util; @@ -50,7 +52,7 @@ using namespace xml_schema; using namespace std; void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest, - std::string_view canonicalizationMethod) const + string_view canonicalizationMethod) const { try { stringstream ofs; @@ -70,14 +72,14 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest, safeBuffer m_errStr; m_errStr.sbXMLChIn((const XMLCh*)u""); - XMLByte buf[1024]; + std::array buf{}; DSIGReferenceList *list = sig->getReferenceList(); for(size_t i = 0; i < list->getSize(); ++i) { XSECBinTXFMInputStream *stream = list->item(i)->makeBinInputStream(); - for(XMLSize_t size = stream->readBytes(buf, 1024); size > 0; - size = stream->readBytes(buf, 1024)) - digest->update(buf, size); + for(XMLSize_t size = stream->readBytes(buf.data(), buf.size()); size > 0; + size = stream->readBytes(buf.data(), buf.size())) + digest->update(buf.data(), size); delete stream; } } @@ -113,7 +115,7 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest, THROW("Failed to calculate digest"); } - for(auto name: {u"SignedInfo", u"SignatureValue", u"KeyInfo"}) + for(const auto *name: {u"SignedInfo", u"SignatureValue", u"KeyInfo"}) { try { calcDigestOnNode(digest, URI_ID_DSIG, name, canonicalizationMethod); @@ -122,7 +124,7 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest, } } - for(auto name: { + for(const auto *name: { u"SignatureTimeStamp", u"CounterSignature", u"CompleteCertificateRefs", @@ -149,15 +151,15 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest, //ds:Object } -void SignatureXAdES_LTA::extendSignatureProfile(const std::string &profile) +void SignatureXAdES_LTA::extendSignatureProfile(const string &profile) { SignatureXAdES_LT::extendSignatureProfile(profile); - if(profile != ASiC_E::ASIC_TSA_PROFILE && profile != ASiC_E::ASIC_TMA_PROFILE) + if(profile != ASiC_E::ASIC_TSA_PROFILE) return; Digest calc; calcArchiveDigest(&calc, signature->signedInfo().canonicalizationMethod().algorithm()); - TS tsa(CONF(TSUrl), calc, " Profile: " + profile); + TS tsa(CONF(TSUrl), calc); vector der = tsa; auto &usp = unsignedSignatureProperties(); auto ts = make_unique(); @@ -165,10 +167,9 @@ void SignatureXAdES_LTA::extendSignatureProfile(const std::string &profile) ts->canonicalizationMethod(signature->signedInfo().canonicalizationMethod()); ts->encapsulatedTimeStamp().push_back(make_unique( Base64Binary(der.data(), der.size(), der.size(), false))); - usp.archiveTimeStampV141().push_back(move(ts)); - usp.contentOrder().push_back(UnsignedSignaturePropertiesType::ContentOrderType( - UnsignedSignaturePropertiesType::archiveTimeStampV141Id, - usp.archiveTimeStampV141().size() - 1)); + usp.archiveTimeStampV141().push_back(std::move(ts)); + usp.contentOrder().emplace_back(UnsignedSignaturePropertiesType::archiveTimeStampV141Id, + usp.archiveTimeStampV141().size() - 1); sigdata_.clear(); } @@ -222,7 +223,7 @@ void SignatureXAdES_LTA::validate(const string &policy) const if(ts.encapsulatedTimeStamp().empty()) THROW("Missing EncapsulatedTimeStamp"); - verifyTS(ts, exception, [this](Digest *digest, std::string_view canonicalizationMethod) { + verifyTS(ts, exception, [this](Digest *digest, string_view canonicalizationMethod) { calcArchiveDigest(digest, canonicalizationMethod); }); } catch(const Exception &e) { diff --git a/src/SignatureXAdES_T.cpp b/src/SignatureXAdES_T.cpp index 43ec5e7df..cb4ce2ee8 100644 --- a/src/SignatureXAdES_T.cpp +++ b/src/SignatureXAdES_T.cpp @@ -80,7 +80,7 @@ void SignatureXAdES_T::extendSignatureProfile(const std::string &profile) calcDigestOnNode(&calc, URI_ID_DSIG, u"SignatureValue", signature->signedInfo().canonicalizationMethod().algorithm()); - TS tsa(CONF(TSUrl), calc, " Profile: " + profile); + TS tsa(CONF(TSUrl), calc); vector der = tsa; auto &usp = unsignedSignatureProperties(); auto ts = make_unique(); @@ -88,7 +88,7 @@ void SignatureXAdES_T::extendSignatureProfile(const std::string &profile) ts->canonicalizationMethod(signature->signedInfo().canonicalizationMethod()); ts->encapsulatedTimeStamp().push_back(make_unique( Base64Binary(der.data(), der.size(), der.size(), false))); - usp.signatureTimeStamp().push_back(move(ts)); + usp.signatureTimeStamp().push_back(std::move(ts)); usp.contentOrder().emplace_back(UnsignedSignaturePropertiesType::ContentOrderType( UnsignedSignaturePropertiesType::signatureTimeStampId, usp.signatureTimeStamp().size() - 1)); @@ -198,7 +198,7 @@ void SignatureXAdES_T::validate(const std::string &policy) const { verifyTS(sigAndRefsTS, exception, [this](Digest *digest, std::string_view canonicalizationMethod) { calcDigestOnNode(digest, URI_ID_DSIG, u"SignatureValue", canonicalizationMethod); - for(auto name: { + for(const auto *name: { u"SignatureTimeStamp", u"CompleteCertificateRefs", u"CompleteRevocationRefs", @@ -230,7 +230,7 @@ UnsignedSignaturePropertiesType &SignatureXAdES_T::unsignedSignatureProperties() } TS SignatureXAdES_T::verifyTS(const xades::XAdESTimeStampType ×tamp, digidoc::Exception &exception, - std::function &&calcDigest) const + std::function &&calcDigest) { const GenericTimeStampType::EncapsulatedTimeStampType &bin = timestamp.encapsulatedTimeStamp().front(); TS tsa((const unsigned char*)bin.data(), bin.size()); diff --git a/src/SignatureXAdES_T.h b/src/SignatureXAdES_T.h index 5766b15a1..33fbbae2d 100644 --- a/src/SignatureXAdES_T.h +++ b/src/SignatureXAdES_T.h @@ -47,8 +47,8 @@ class SignatureXAdES_T: public SignatureXAdES_B xades::UnsignedSignaturePropertiesType& unsignedSignatureProperties() const; TS TimeStamp() const; - TS verifyTS(const xades::XAdESTimeStampType ×tamp, Exception &exception, - std::function &&calcDigest) const; + static TS verifyTS(const xades::XAdESTimeStampType ×tamp, Exception &exception, + std::function &&calcDigest); private: DISABLE_COPY(SignatureXAdES_T); diff --git a/src/XmlConf.cpp b/src/XmlConf.cpp index 1ccfeb8e1..59d69c53c 100644 --- a/src/XmlConf.cpp +++ b/src/XmlConf.cpp @@ -102,9 +102,6 @@ class XmlConf::Private XmlConfParam proxyPort{"proxy.port"}; XmlConfParam proxyUser{"proxy.user"}; XmlConfParam proxyPass{"proxy.pass"}; - XmlConfParam PKCS12Cert{"pkcs12.cert"}; - XmlConfParam PKCS12Pass{"pkcs12.pass"}; - XmlConfParam PKCS12Disable{"pkcs12.disable", false}; XmlConfParam TSUrl{"ts.url"}; XmlConfParam TSLAutoUpdate{"tsl.autoupdate", true}; XmlConfParam TSLCache{"tsl.cache"}; @@ -170,9 +167,6 @@ void XmlConf::Private::init(const string& path, bool global) proxyPort.setValue(p, global) || proxyUser.setValue(p, global) || proxyPass.setValue(p, global) || - PKCS12Cert.setValue(p, global) || - PKCS12Pass.setValue(p, global) || - PKCS12Disable.setValue(p, global) || TSUrl.setValue(p, global) || TSLAutoUpdate.setValue(p, global) || TSLCache.setValue(p, global) || @@ -375,36 +369,35 @@ XmlConfV5* XmlConfV5::instance() { return dynamic_cast(Conf::instanc +#define GET1EX(TYPE, PROP, VALUE) \ +TYPE XmlConf::PROP() const { return VALUE; } \ +TYPE XmlConfV2::PROP() const { return VALUE; } \ +TYPE XmlConfV3::PROP() const { return VALUE; } \ +TYPE XmlConfV4::PROP() const { return VALUE; } \ +TYPE XmlConfV5::PROP() const { return VALUE; } + #define GET1(TYPE, PROP) \ -TYPE XmlConf::PROP() const { return d->PROP.value(Conf::PROP()); } \ -TYPE XmlConfV2::PROP() const { return d->PROP.value(Conf::PROP()); } \ -TYPE XmlConfV3::PROP() const { return d->PROP.value(Conf::PROP()); } \ -TYPE XmlConfV4::PROP() const { return d->PROP.value(Conf::PROP()); } \ -TYPE XmlConfV5::PROP() const { return d->PROP.value(Conf::PROP()); } +GET1EX(TYPE, PROP, d->PROP.value(Conf::PROP())) + +#define SET1EX(TYPE, SET, VALUE) \ +void XmlConf::SET(TYPE value) { VALUE; } \ +void XmlConfV2::SET(TYPE value) { VALUE; } \ +void XmlConfV3::SET(TYPE value) { VALUE; } \ +void XmlConfV4::SET(TYPE value) { VALUE; } \ +void XmlConfV5::SET(TYPE value) { VALUE; } #define SET1(TYPE, SET, PROP) \ -void XmlConf::SET(TYPE PROP) \ -{ d->setUserConf(d->PROP, Conf::PROP(), PROP); } \ -void XmlConfV2::SET(TYPE PROP) \ -{ d->setUserConf(d->PROP, ConfV2::PROP(), PROP); } \ -void XmlConfV3::SET(TYPE PROP) \ -{ d->setUserConf(d->PROP, ConfV3::PROP(), PROP); } \ -void XmlConfV4::SET(TYPE PROP) \ -{ d->setUserConf(d->PROP, ConfV4::PROP(), PROP); } \ -void XmlConfV5::SET(TYPE PROP) \ -{ d->setUserConf(d->PROP, ConfV5::PROP(), PROP); } +SET1EX(TYPE, SET, d->setUserConf(d->PROP, Conf::PROP(), value)) + +#define SET1CONSTEX(TYPE, SET, VALUE) \ +void XmlConf::SET(const TYPE &value) { VALUE; } \ +void XmlConfV2::SET(const TYPE &value) { VALUE; } \ +void XmlConfV3::SET(const TYPE &value) { VALUE; } \ +void XmlConfV4::SET(const TYPE &value) { VALUE; } \ +void XmlConfV5::SET(const TYPE &value) { VALUE; } #define SET1CONST(TYPE, SET, PROP) \ -void XmlConf::SET(const TYPE &(PROP)) \ -{ d->setUserConf(d->PROP, Conf::PROP(), PROP); } \ -void XmlConfV2::SET(const TYPE &(PROP)) \ -{ d->setUserConf(d->PROP, ConfV2::PROP(), PROP); } \ -void XmlConfV3::SET(const TYPE &(PROP)) \ -{ d->setUserConf(d->PROP, ConfV3::PROP(), PROP); } \ -void XmlConfV4::SET(const TYPE &(PROP)) \ -{ d->setUserConf(d->PROP, ConfV4::PROP(), PROP); } \ -void XmlConfV5::SET(const TYPE &(PROP)) \ -{ d->setUserConf(d->PROP, ConfV5::PROP(), PROP); } +SET1CONSTEX(TYPE, SET, d->setUserConf(d->PROP, Conf::PROP(), value)) GET1(int, logLevel) GET1(string, logFile) @@ -415,9 +408,9 @@ GET1(string, proxyUser) GET1(string, proxyPass) GET1(bool, proxyForceSSL) GET1(bool, proxyTunnelSSL) -GET1(string, PKCS12Cert) -GET1(string, PKCS12Pass) -GET1(bool, PKCS12Disable) +GET1EX(string, PKCS12Cert, Conf::PKCS12Cert()) +GET1EX(string, PKCS12Pass, Conf::PKCS12Cert()) +GET1EX(bool, PKCS12Disable, Conf::PKCS12Disable()) GET1(string, TSUrl) GET1(bool, TSLAutoUpdate) GET1(string, TSLCache) @@ -628,7 +621,7 @@ SET1CONST(string, setProxyPass, proxyPass) * @fn void digidoc::XmlConfV5::setPKCS12Cert(const std::string &cert) * @copydoc digidoc::XmlConf::setPKCS12Cert(const std::string &cert) */ -SET1CONST(string, setPKCS12Cert, PKCS12Cert) +SET1CONSTEX(string, setPKCS12Cert, {}) /** * @fn void digidoc::XmlConf::setPKCS12Pass(const std::string &pass) @@ -653,7 +646,7 @@ SET1CONST(string, setPKCS12Cert, PKCS12Cert) * @fn void digidoc::XmlConfV5::setPKCS12Pass(const std::string &pass) * @copydoc digidoc::XmlConf::setPKCS12Pass(const std::string &pass) */ -SET1CONST(string, setPKCS12Pass, PKCS12Pass) +SET1CONSTEX(string, setPKCS12Pass, {}) /** * @fn void digidoc::XmlConf::setTSUrl(const std::string &url) @@ -728,7 +721,7 @@ SET1CONST(string, setVerifyServiceUri, verifyServiceUri) * @fn void digidoc::XmlConfV5::setPKCS12Disable(bool disable) * @copydoc digidoc::XmlConf::setPKCS12Disable(bool disable) */ -SET1(bool, setPKCS12Disable, PKCS12Disable) +SET1EX(bool, setPKCS12Disable, {}) /** * @fn void digidoc::XmlConf::setProxyTunnelSSL(bool enable) diff --git a/src/XmlConf.h b/src/XmlConf.h index 385459839..2aa554281 100644 --- a/src/XmlConf.h +++ b/src/XmlConf.h @@ -50,9 +50,9 @@ class DIGIDOCPP_EXPORT XmlConf: public Conf std::string TSUrl() const override; std::string verifyServiceUri() const override; - std::string PKCS12Cert() const override; - std::string PKCS12Pass() const override; - bool PKCS12Disable() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Cert() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Pass() const override; + DIGIDOCPP_DEPRECATED bool PKCS12Disable() const override; bool TSLAutoUpdate() const override; std::string TSLCache() const override; @@ -64,9 +64,9 @@ class DIGIDOCPP_EXPORT XmlConf: public Conf virtual void setProxyUser( const std::string &user ); virtual void setProxyPass( const std::string &pass ); virtual void setProxyTunnelSSL( bool enable ); - virtual void setPKCS12Cert( const std::string &cert ); - virtual void setPKCS12Pass( const std::string &pass ); - virtual void setPKCS12Disable( bool disable ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Cert( const std::string &cert ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Pass( const std::string &pass ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Disable( bool disable ); virtual void setTSLOnlineDigest( bool enable ); virtual void setTSLTimeOut( int timeOut ); @@ -110,9 +110,9 @@ class DIGIDOCPP_EXPORT XmlConfV2: public ConfV2 X509Cert verifyServiceCert() const override; std::string verifyServiceUri() const override; - std::string PKCS12Cert() const override; - std::string PKCS12Pass() const override; - bool PKCS12Disable() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Cert() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Pass() const override; + DIGIDOCPP_DEPRECATED bool PKCS12Disable() const override; bool TSLAutoUpdate() const override; std::string TSLCache() const override; @@ -124,9 +124,9 @@ class DIGIDOCPP_EXPORT XmlConfV2: public ConfV2 virtual void setProxyUser( const std::string &user ); virtual void setProxyPass( const std::string &pass ); virtual void setProxyTunnelSSL( bool enable ); - virtual void setPKCS12Cert( const std::string &cert ); - virtual void setPKCS12Pass( const std::string &pass ); - virtual void setPKCS12Disable( bool disable ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Cert( const std::string &cert ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Pass( const std::string &pass ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Disable( bool disable ); virtual void setTSLOnlineDigest( bool enable ); virtual void setTSLTimeOut( int timeOut ); @@ -166,9 +166,9 @@ class DIGIDOCPP_EXPORT XmlConfV3: public ConfV3 X509Cert verifyServiceCert() const override; std::string verifyServiceUri() const override; - std::string PKCS12Cert() const override; - std::string PKCS12Pass() const override; - bool PKCS12Disable() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Cert() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Pass() const override; + DIGIDOCPP_DEPRECATED bool PKCS12Disable() const override; bool TSLAutoUpdate() const override; std::string TSLCache() const override; @@ -180,9 +180,9 @@ class DIGIDOCPP_EXPORT XmlConfV3: public ConfV3 virtual void setProxyUser( const std::string &user ); virtual void setProxyPass( const std::string &pass ); virtual void setProxyTunnelSSL( bool enable ); - virtual void setPKCS12Cert( const std::string &cert ); - virtual void setPKCS12Pass( const std::string &pass ); - virtual void setPKCS12Disable( bool disable ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Cert( const std::string &cert ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Pass( const std::string &pass ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Disable( bool disable ); virtual void setTSLOnlineDigest( bool enable ); virtual void setTSLTimeOut( int timeOut ); @@ -223,9 +223,9 @@ class DIGIDOCPP_EXPORT XmlConfV4: public ConfV4 std::vector verifyServiceCerts() const override; std::string verifyServiceUri() const override; - std::string PKCS12Cert() const override; - std::string PKCS12Pass() const override; - bool PKCS12Disable() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Cert() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Pass() const override; + DIGIDOCPP_DEPRECATED bool PKCS12Disable() const override; bool TSLAutoUpdate() const override; std::string TSLCache() const override; @@ -237,9 +237,9 @@ class DIGIDOCPP_EXPORT XmlConfV4: public ConfV4 virtual void setProxyUser( const std::string &user ); virtual void setProxyPass( const std::string &pass ); virtual void setProxyTunnelSSL( bool enable ); - virtual void setPKCS12Cert( const std::string &cert ); - virtual void setPKCS12Pass( const std::string &pass ); - virtual void setPKCS12Disable( bool disable ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Cert( const std::string &cert ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Pass( const std::string &pass ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Disable( bool disable ); virtual void setTSLOnlineDigest( bool enable ); virtual void setTSLTimeOut( int timeOut ); @@ -281,9 +281,9 @@ class DIGIDOCPP_EXPORT XmlConfV5: public ConfV5 std::vector verifyServiceCerts() const override; std::string verifyServiceUri() const override; - std::string PKCS12Cert() const override; - std::string PKCS12Pass() const override; - bool PKCS12Disable() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Cert() const override; + DIGIDOCPP_DEPRECATED std::string PKCS12Pass() const override; + DIGIDOCPP_DEPRECATED bool PKCS12Disable() const override; bool TSLAutoUpdate() const override; std::string TSLCache() const override; @@ -295,9 +295,9 @@ class DIGIDOCPP_EXPORT XmlConfV5: public ConfV5 virtual void setProxyUser( const std::string &user ); virtual void setProxyPass( const std::string &pass ); virtual void setProxyTunnelSSL( bool enable ); - virtual void setPKCS12Cert( const std::string &cert ); - virtual void setPKCS12Pass( const std::string &pass ); - virtual void setPKCS12Disable( bool disable ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Cert( const std::string &cert ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Pass( const std::string &pass ); + DIGIDOCPP_DEPRECATED virtual void setPKCS12Disable( bool disable ); virtual void setTSLOnlineDigest( bool enable ); virtual void setTSLTimeOut( int timeOut ); diff --git a/src/crypto/Connect.cpp b/src/crypto/Connect.cpp index 4ec498328..67a659c5c 100644 --- a/src/crypto/Connect.cpp +++ b/src/crypto/Connect.cpp @@ -47,7 +47,7 @@ using namespace std; throw ex; \ } -Connect::Connect(const string &_url, const string &method, int timeout, const string &useragent, const std::vector &certs) +Connect::Connect(const string &_url, const string &method, int timeout, const vector &certs) : _method(method) , _timeout(timeout) { @@ -168,7 +168,7 @@ Connect::Connect(const string &_url, const string &method, int timeout, const st else addHeader("Host", host + ":" + port); if(!userAgent().empty()) - addHeader("User-Agent", "LIB libdigidocpp/" + string(FILE_VER_STR) + " APP " + userAgent() + useragent); + addHeader("User-Agent", "LIB libdigidocpp/" + string(FILE_VER_STR) + " APP " + userAgent()); if(usessl == 0) sendProxyAuth(); } @@ -184,7 +184,7 @@ void Connect::addHeader(const string &key, const string &value) BIO_printf(d, "%s: %s\r\n", key.c_str(), value.c_str()); } -std::string Connect::decompress(const std::string &encoding, const std::string &data) +string Connect::decompress(const string &encoding, const string &data) { if(data.empty()) return data; diff --git a/src/crypto/Connect.h b/src/crypto/Connect.h index 7b92a91f2..4d8edeadb 100644 --- a/src/crypto/Connect.h +++ b/src/crypto/Connect.h @@ -60,7 +60,7 @@ class Connect }; Connect(const std::string &url, const std::string &method = "POST", - int timeout = 0, const std::string &useragent = {}, const std::vector &certs = {}); + int timeout = 0, const std::vector &certs = {}); ~Connect(); Result exec(std::initializer_list> headers, const std::vector &data); diff --git a/src/crypto/OCSP.cpp b/src/crypto/OCSP.cpp index 4aebb113c..d1a474393 100644 --- a/src/crypto/OCSP.cpp +++ b/src/crypto/OCSP.cpp @@ -44,7 +44,7 @@ using namespace std; /** * Initialize OCSP certificate validator. */ -OCSP::OCSP(const X509Cert &cert, const X509Cert &issuer, const vector &nonce, const string &userAgent) +OCSP::OCSP(const X509Cert &cert, const X509Cert &issuer) { if(!cert) THROW("Can not check X.509 certificate, certificate is NULL pointer."); @@ -68,10 +68,22 @@ OCSP::OCSP(const X509Cert &cert, const X509Cert &issuer, const vectorPKCS12Disable() && url.find("ocsp.sk.ee") != string::npos)); + SCOPE(OCSP_REQUEST, req, OCSP_REQUEST_new()); + if(!req) + THROW_OPENSSLEXCEPTION("Failed to create new OCSP request, out of memory?"); + + if(!OCSP_request_add0_id(req.get(), certId)) + THROW_OPENSSLEXCEPTION("Failed to add certificate ID to OCSP request."); + + SCOPE(ASN1_OCTET_STRING, st, ASN1_OCTET_STRING_new()); + ASN1_OCTET_STRING_set(st.get(), nullptr, 20); + RAND_bytes(st->data, st->length); + + SCOPE(X509_EXTENSION, ex, X509_EXTENSION_create_by_NID(nullptr, NID_id_pkix_OCSP_Nonce, 0, st.get())); + if(!OCSP_REQUEST_add_ext(req.get(), ex.get(), 0)) + THROW_OPENSSLEXCEPTION("Failed to add NONCE to OCSP request."); - Connect::Result result = Connect(url, "POST", 0, userAgent).exec({ + Connect::Result result = Connect(url, "POST").exec({ {"Content-Type", "application/ocsp-request"}, {"Accept", "application/ocsp-response"}, {"Connection", "Close"}, @@ -146,54 +158,6 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const return false; } -/** - * Creates OCSP request to check the certificate cert validity. - * - * @param certId OCSP_CERTID which validity will be checked. - * @param nonce NONCE field value in OCSP request. - * @return returns created OCSP request. - */ -OCSP_REQUEST* OCSP::createRequest(OCSP_CERTID *certId, const vector &nonce, bool signRequest) -{ - SCOPE(OCSP_REQUEST, req, OCSP_REQUEST_new()); - if(!req) - THROW_OPENSSLEXCEPTION("Failed to create new OCSP request, out of memory?"); - - if(!OCSP_request_add0_id(req.get(), certId)) - THROW_OPENSSLEXCEPTION("Failed to add certificate ID to OCSP request."); - - SCOPE(ASN1_OCTET_STRING, st, ASN1_OCTET_STRING_new()); - if(nonce.empty()) - { - ASN1_OCTET_STRING_set(st.get(), nullptr, 20); - RAND_bytes(st->data, st->length); - } - else - ASN1_OCTET_STRING_set(st.get(), nonce.data(), int(nonce.size())); - - SCOPE(X509_EXTENSION, ex, X509_EXTENSION_create_by_NID(nullptr, NID_id_pkix_OCSP_Nonce, 0, st.get())); - if(!OCSP_REQUEST_add_ext(req.get(), ex.get(), 0)) - THROW_OPENSSLEXCEPTION("Failed to add NONCE to OCSP request."); - - if(signRequest) - { - X509 *signCert {}; - EVP_PKEY *signKey {}; - Conf *c = Conf::instance(); - OpenSSL::parsePKCS12(c->PKCS12Cert(), c->PKCS12Pass(), &signKey, &signCert); - if(!signCert) - THROW_OPENSSLEXCEPTION("Failed to parse PKCS12 certificate"); - if(!signKey) - THROW_OPENSSLEXCEPTION("Failed to parse PKCS12 key"); - if(!OCSP_request_sign(req.get(), signCert, signKey, EVP_sha256(), nullptr, 0)) - THROW_OPENSSLEXCEPTION("Failed to sign OCSP request."); - X509_free(signCert); - EVP_PKEY_free(signKey); - } - - return req.release(); -} - X509Cert OCSP::responderCert() const { if(!basic) @@ -213,7 +177,7 @@ X509Cert OCSP::responderCert() const return X509Cert(); } -OCSP::operator std::vector() const +OCSP::operator vector() const { return i2d(resp.get(), i2d_OCSP_RESPONSE); } diff --git a/src/crypto/OCSP.h b/src/crypto/OCSP.h index e6f2b32b4..92a3dcd1a 100644 --- a/src/crypto/OCSP.h +++ b/src/crypto/OCSP.h @@ -20,13 +20,10 @@ #pragma once #include -#include #include using OCSP_RESPONSE = struct ocsp_response_st; using OCSP_BASICRESP = struct ocsp_basic_response_st; -using OCSP_CERTID = struct ocsp_cert_id_st; -using OCSP_REQUEST = struct ocsp_request_st; namespace digidoc { @@ -39,8 +36,7 @@ namespace digidoc { public: - OCSP(const X509Cert &cert, const X509Cert &issuer, - const std::vector &nonce, const std::string &userAgent); + OCSP(const X509Cert &cert, const X509Cert &issuer); OCSP(const unsigned char *data = nullptr, size_t size = 0); std::vector nonce() const; @@ -52,7 +48,6 @@ namespace digidoc private: bool compareResponderCert(const X509Cert &cert) const; - OCSP_REQUEST* createRequest(OCSP_CERTID *certId, const std::vector &nonce, bool signRequest); std::shared_ptr resp; std::shared_ptr basic; diff --git a/src/crypto/OpenSSLHelpers.h b/src/crypto/OpenSSLHelpers.h index 126a59392..1d810d22c 100644 --- a/src/crypto/OpenSSLHelpers.h +++ b/src/crypto/OpenSSLHelpers.h @@ -26,7 +26,6 @@ #include #include -#include #ifndef RSA_PSS_SALTLEN_DIGEST #define RSA_PSS_SALTLEN_DIGEST -1 @@ -42,16 +41,14 @@ namespace digidoc template std::vector i2d(T *obj, Func func) { - std::vector result; if(!obj) - return result; + return {}; int size = func(obj, nullptr); if(size <= 0) - return result; - result.resize(size_t(size)); - unsigned char *p = result.data(); - if(func(obj, &p) <= 0) - result.clear(); + return {}; + std::vector result(size_t(size), 0); + if(unsigned char *p = result.data(); func(obj, &p) <= 0) + return {}; return result; } @@ -82,22 +79,4 @@ class OpenSSLException : public Exception #define THROW_OPENSSLEXCEPTION(...) throw OpenSSLException(EXCEPTION_PARAMS(__VA_ARGS__)) -class OpenSSL -{ -public: - static void parsePKCS12(const std::string &path, const std::string &pass, EVP_PKEY **key, X509 **cert) - { - SCOPE(BIO, bio, BIO_new_file(path.c_str(), "rb")); - if(!bio) - THROW_OPENSSLEXCEPTION("Failed to open PKCS12 certificate: %s.", path.c_str()); - SCOPE(PKCS12, p12, d2i_PKCS12_bio(bio.get(), nullptr)); - if(!p12) - THROW_OPENSSLEXCEPTION("Failed to read PKCS12 certificate: %s.", path.c_str()); - if(!PKCS12_parse(p12.get(), pass.c_str(), key, cert, nullptr)) - THROW_OPENSSLEXCEPTION("Failed to parse PKCS12 certificate."); - // Hack: clear PKCS12_parse error ERROR: 185073780 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch - OpenSSLException(EXCEPTION_PARAMS("ignore")); - } -}; - } diff --git a/src/crypto/PKCS12Signer.cpp b/src/crypto/PKCS12Signer.cpp index 29cbdb89a..61c6bd149 100644 --- a/src/crypto/PKCS12Signer.cpp +++ b/src/crypto/PKCS12Signer.cpp @@ -24,6 +24,8 @@ #include "crypto/X509Cert.h" #include "util/log.h" +#include + #include using namespace digidoc; @@ -52,7 +54,14 @@ class PKCS12Signer::Private PKCS12Signer::PKCS12Signer(const string &path, const string &pass) : d(make_unique()) { - OpenSSL::parsePKCS12(path, pass, &d->key, &d->cert); + auto bio = SCOPE_PTR(BIO, BIO_new_file(path.c_str(), "rb")); + if(!bio) + THROW_OPENSSLEXCEPTION("Failed to open PKCS12 certificate: %s.", path.c_str()); + auto p12 = SCOPE_PTR(PKCS12, d2i_PKCS12_bio(bio.get(), nullptr)); + if(!p12) + THROW_OPENSSLEXCEPTION("Failed to read PKCS12 certificate: %s.", path.c_str()); + if(!PKCS12_parse(p12.get(), pass.c_str(), &d->key, &d->cert, nullptr)) + THROW_OPENSSLEXCEPTION("Failed to parse PKCS12 certificate."); } PKCS12Signer::~PKCS12Signer() diff --git a/src/crypto/Signer.cpp b/src/crypto/Signer.cpp index 0abccd820..ea447a2d3 100644 --- a/src/crypto/Signer.cpp +++ b/src/crypto/Signer.cpp @@ -19,6 +19,7 @@ #include "Signer.h" +#include "ASiC_E.h" #include "Conf.h" #include "crypto/Digest.h" #include "crypto/OpenSSLHelpers.h" @@ -26,6 +27,9 @@ #include +#include +#include + using namespace digidoc; using namespace std; @@ -153,14 +157,25 @@ string Signer::countryName() const /** * Set signing profile * - * - time-mark * - time-stamp - * - time-mark-archive * - time-stamp-archive */ void Signer::setProfile(const string &profile) { - d->profile = profile; + static const map profiles { + {{}, ASiC_E::ASIC_TS_PROFILE}, + {"BES", "BES"}, + {"EPES", "EPES"}, + {"TS", ASiC_E::ASIC_TS_PROFILE}, + {"TSA", ASiC_E::ASIC_TSA_PROFILE}, + {ASiC_E::ASIC_TS_PROFILE, ASiC_E::ASIC_TS_PROFILE}, + {ASiC_E::ASIC_TSA_PROFILE, ASiC_E::ASIC_TSA_PROFILE}, + }; + if(auto it = std::find_if(profiles.cbegin(), profiles.cend(), [&profile](const auto &elem) { return elem.first == profile; }); + it != profiles.cend()) + d->profile = it->second; + else + THROW("Unsupported profile: %s", profile.c_str()); } /** diff --git a/src/crypto/TS.cpp b/src/crypto/TS.cpp index 75d49cfe1..775cc8953 100644 --- a/src/crypto/TS.cpp +++ b/src/crypto/TS.cpp @@ -55,7 +55,7 @@ void *OPENSSL_memdup(const void *data, size_t size) } #endif -TS::TS(const string &url, const Digest &digest, const string &useragent) +TS::TS(const string &url, const Digest &digest) { auto req = SCOPE_PTR(TS_REQ, TS_REQ_new()); TS_REQ_set_version(req.get(), 1); @@ -87,7 +87,7 @@ TS::TS(const string &url, const Digest &digest, const string &useragent) RAND_bytes(nonce->data, nonce->length); TS_REQ_set_nonce(req.get(), nonce.get()); - Connect::Result result = Connect(url, "POST", 0, useragent, CONF(TSCerts)).exec({ + Connect::Result result = Connect(url, "POST", 0, CONF(TSCerts)).exec({ {"Content-Type", "application/timestamp-query"}, {"Accept", "application/timestamp-reply"}, {"Connection", "Close"}, diff --git a/src/crypto/TS.h b/src/crypto/TS.h index 82b086b26..67ae6483b 100644 --- a/src/crypto/TS.h +++ b/src/crypto/TS.h @@ -30,7 +30,7 @@ class X509Cert; class TS { public: - TS(const std::string &url, const Digest &digest, const std::string &useragent = {}); + TS(const std::string &url, const Digest &digest); TS(const unsigned char *data = nullptr, size_t size = 0); X509Cert cert() const; diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp index f6c029c94..7cdba0745 100644 --- a/src/crypto/X509CertStore.cpp +++ b/src/crypto/X509CertStore.cpp @@ -28,9 +28,6 @@ #include "util/log.h" #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#include -#endif #include #include @@ -65,10 +62,6 @@ class X509CertStore::Private: public vector { swap(list); INFO("Loaded %zu certificates into TSL certificate store.", size()); } - -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - vector provs; -#endif }; /** @@ -77,37 +70,13 @@ class X509CertStore::Private: public vector { X509CertStore::X509CertStore() : d(make_unique()) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#ifdef _WIN32 -#ifdef _WIN64 - string path = util::File::dllPath("libcrypto-3-x64.dll"); -#else - string path = util::File::dllPath("libcrypto-3.dll"); -#endif - if(!path.empty()) - OSSL_PROVIDER_set_default_search_path(nullptr, path.c_str()); -#endif - for(const auto *prov: {"legacy", "default"}) - { - if(OSSL_PROVIDER *p = OSSL_PROVIDER_load(nullptr, prov)) - d->provs.push_back(p); - else - WARN("Failed to load OpenSSL '%s' provider!", prov); - } -#endif d->update(); } /** * Release all certificates. */ -X509CertStore::~X509CertStore() -{ -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - for(OSSL_PROVIDER *p: d->provs) - OSSL_PROVIDER_unload(p); -#endif -} +X509CertStore::~X509CertStore() = default; void X509CertStore::activate(const X509Cert &cert) const { diff --git a/src/digidoc-tool.1.cmake b/src/digidoc-tool.1.cmake index c3c104f48..48bef9c73 100644 --- a/src/digidoc-tool.1.cmake +++ b/src/digidoc-tool.1.cmake @@ -40,7 +40,7 @@ Command remove: --signature= - signatures to remove Command websign: - Example: digidoc-tool sign --cert=signer.crt demo-container.asice + Example: digidoc-tool websign --cert=signer.crt demo-container.asice Available options: --cert= - signer token certificate for additional options look sign command @@ -48,10 +48,10 @@ Command websign: Command sign: Example: digidoc-tool sign demo-container.asice Available options: - --profile= - signature profile, TM, time-mark, TS, time-stamp + --profile= - signature profile, TS, TSA, time-stamp, time-stamp-archive --XAdESEN - use XAdES EN profile --city= - city of production place - --street= - streetAddress of production place in XAdES profile + --street= - streetAddress of production place in XAdES EN profile --state= - state of production place --postalCode= - postalCode of production place --country= - country of production place @@ -61,7 +61,8 @@ Command sign: --pin= - default asks pin from prompt --sha(224,256,384,512) - set default digest method (default sha256) --sigsha(224,256,384,512) - set default digest method (default sha256) - --tsurl - option to change TS URL (default http://demo.sk.ee/tsa) + --sigpsssha(224,256,384,512) - set default digest method using RSA PSS (default sha256) + --tsurl - option to change TS URL (default http://dd-at.ria.ee/tsa) --dontValidate - Don't validate container on signature creation All commands: diff --git a/src/digidoc-tool.cpp b/src/digidoc-tool.cpp index 68453c0f2..fc97acf09 100644 --- a/src/digidoc-tool.cpp +++ b/src/digidoc-tool.cpp @@ -119,6 +119,12 @@ static ostream &operator<<(ostream &os, Signature::Validator::Status status) } return os; } + +static ostream &endl(ostream &os) +{ + os.put('\n'); + return os; +} } /** @@ -267,7 +273,7 @@ class ToolConfig final: public XmlConfCurrent string TSLUrl() const final { return tslurl.value_or(XmlConfCurrent::TSLUrl()); } unique_ptr getSigner(bool getwebsigner = false) const; - static string toUTF8(std::string_view param) + static string toUTF8(string_view param) { return fs::path(param).u8string(); } @@ -288,7 +294,6 @@ class ToolConfig final: public XmlConfCurrent vector > files; vector roles; bool cng = true, selectFirst = false, doSign = true, dontValidate = false, XAdESEN = false; - static const map profiles; static string_view RED, GREEN, YELLOW, RESET; }; @@ -338,7 +343,7 @@ static int printUsage(const char *executable) << " Command sign:" << endl << " Example: " << executable << " sign demo-container.asice" << endl << " Available options:" << endl - << " --profile= - signature profile, TM, time-mark, TS, time-stamp" << endl + << " --profile= - signature profile, TS, TSA, time-stamp, time-stamp-archive" << endl << " --XAdESEN - use XAdES EN profile" << endl << " --city= - city of production place" << endl << " --street= - streetAddress of production place in XAdES EN profile" << endl @@ -366,18 +371,6 @@ static int printUsage(const char *executable) return EXIT_FAILURE; } -const map ToolConfig::profiles = { - {"BES", "BES"}, - {"EPES", "EPES"}, - {"TM", "time-mark"}, - {"TS", "time-stamp"}, - {"TMA", "time-mark-archive"}, - {"TSA", "time-stamp-archive"}, - {"time-mark", "time-mark"}, - {"time-stamp", "time-stamp"}, - {"time-mark-archive", "time-mark-archive"}, - {"time-stamp-archive", "time-stamp-archive"}, -}; string_view ToolConfig::RED = "\033[31m"; string_view ToolConfig::GREEN = "\033[32m"; string_view ToolConfig::YELLOW = "\033[33m"; @@ -389,11 +382,7 @@ ToolConfig::ToolConfig(int argc, char *argv[]) { string arg(toUTF8(argv[i])); if(arg.find("--profile=") == 0) - { profile = arg.substr(10); - size_t pos = profile.find('.'); - profile = profiles.at(profile.substr(0, pos)) + (pos == string::npos ? string() : profile.substr(pos)); - } else if(arg.find("--file=") == 0) { string arg2(i+1 < argc ? toUTF8(argv[i+1]) : string()); @@ -464,7 +453,7 @@ unique_ptr ToolConfig::getSigner(bool getwebsigner) const class WebSigner final: public Signer { public: - WebSigner(X509Cert cert): _cert(move(cert)) {} + WebSigner(X509Cert cert): _cert(std::move(cert)) {} X509Cert cert() const final { return _cert; } vector sign(const string & /*method*/, const vector & /*digest*/) const final { @@ -684,9 +673,9 @@ static int remove(int argc, char *argv[]) { string arg(ToolConfig::toUTF8(argv[i])); if(arg.find("--document=") == 0) - documents.push_back(atoi(arg.substr(11).c_str())); + documents.push_back(stoi(arg.substr(11))); else if(arg.find("--signature=") == 0) - signatures.push_back(atoi(arg.substr(12).c_str())); + signatures.push_back(stoi(arg.substr(12))); else path = arg; } @@ -820,16 +809,9 @@ static int createBatch(const ToolConfig &p, const char *program) return printUsage(program); unique_ptr signer = p.getSigner(); - std::error_code ec; - fs::directory_iterator it{fs::u8path(p.path), ec}; - if(ec) - { - cout << "Failed to open directory " << p.path << endl; - cout << " Exception: " << ec.message() << endl; - return EXIT_FAILURE; - } + error_code ec; int returnCode = EXIT_SUCCESS; - for(const auto &file: it) + for(const auto &file: fs::directory_iterator(fs::u8path(p.path), ec)) { if(!fs::is_regular_file(file.status()) || file.path().extension() == ".asice") continue; @@ -845,6 +827,12 @@ static int createBatch(const ToolConfig &p, const char *program) returnCode = EXIT_FAILURE; } } + if(ec) + { + cout << "Failed to open directory " << p.path << endl; + cout << " Exception: " << ec.message() << endl; + return EXIT_FAILURE; + } return returnCode; } @@ -994,7 +982,7 @@ int main(int argc, char *argv[]) try #endif info << ")"; digidoc::initialize("digidoc-tool", info.str()); - std::atexit(&digidoc::terminate); + atexit(&digidoc::terminate); if(argc < 2) { diff --git a/src/libdigidocpp.i.h b/src/libdigidocpp.i.h index 7b862e1da..f13582973 100644 --- a/src/libdigidocpp.i.h +++ b/src/libdigidocpp.i.h @@ -48,11 +48,6 @@ class SWIGEXPORT DigiDocConf: public digidoc::XmlConfCurrent auto pos = OCSPUrls.value().find(issuer); return pos == OCSPUrls.value().cend() ? std::string() : pos->second; } - std::string PKCS12Cert() const final - { - return cache.empty() ? digidoc::XmlConfCurrent::PKCS12Cert() : - cache + "/" + digidoc::util::File::fileName(digidoc::XmlConfCurrent::PKCS12Cert()); - } std::set OCSPTMProfiles() const final { return TMProfiles.value_or(digidoc::XmlConfCurrent::OCSPTMProfiles()); } std::vector TSCerts() const final { return tsCerts.value_or(digidoc::XmlConfCurrent::TSCerts()); } std::string TSLCache() const final { return cache.empty() ? digidoc::XmlConfCurrent::TSLCache() : cache; } diff --git a/src/xml/UnsignedSignaturePropertiesType.h b/src/xml/UnsignedSignaturePropertiesType.h index 572028616..a098972d0 100644 --- a/src/xml/UnsignedSignaturePropertiesType.h +++ b/src/xml/UnsignedSignaturePropertiesType.h @@ -38,21 +38,21 @@ class UnsignedSignaturePropertiesType final: public UnsignedSignaturePropertiesT public: UnsignedSignaturePropertiesType(); - UnsignedSignaturePropertiesType(const xercesc::DOMElement &e, xml_schema::Flags f = {}, xml_schema::Container *c = nullptr); - UnsignedSignaturePropertiesType(const UnsignedSignaturePropertiesType &x, xml_schema::Flags f = {}, xml_schema::Container *c = nullptr); + UnsignedSignaturePropertiesType(const xercesc::DOMElement &e, xml_schema::Flags f = {}, xml_schema::Container *c = {}); + UnsignedSignaturePropertiesType(const UnsignedSignaturePropertiesType &x, xml_schema::Flags f = {}, xml_schema::Container *c = {}); ~UnsignedSignaturePropertiesType() final; - UnsignedSignaturePropertiesType* _clone(xml_schema::Flags f = {}, xml_schema::Container *c = nullptr) const final; + UnsignedSignaturePropertiesType* _clone(xml_schema::Flags f = {}, xml_schema::Container *c = {}) const final; const xadesv141::ArchiveTimeStampSequence& archiveTimeStampV141() const; xadesv141::ArchiveTimeStampSequence& archiveTimeStampV141(); - static const ::std::size_t archiveTimeStampV141Id = 14UL; + static constexpr ::std::size_t archiveTimeStampV141Id = 14UL; const xadesv141::TimeStampValidationData& timeStampValidationData() const; xadesv141::TimeStampValidationData& timeStampValidationData(); - static const ::std::size_t timeStampValidationDataId = 15UL; + static constexpr ::std::size_t timeStampValidationDataId = 15UL; private: xadesv141::ArchiveTimeStampSequence ArchiveTimeStampV141_; diff --git a/test/libdigidocpp_boost.cpp b/test/libdigidocpp_boost.cpp index a68b9453e..2c5d5e33f 100644 --- a/test/libdigidocpp_boost.cpp +++ b/test/libdigidocpp_boost.cpp @@ -292,7 +292,7 @@ BOOST_AUTO_TEST_CASE_TEMPLATE(signature, Doc, DocTypes) BOOST_CHECK_THROW(d->removeSignature(0U), Exception); auto signer1 = make_unique("signer1.p12", "signer1"); - signer1->setProfile("time-mark"); + signer1->setProfile("time-stamp"); BOOST_CHECK_THROW(d->sign(signer1.get()), Exception); // Add first Signature @@ -333,9 +333,9 @@ BOOST_AUTO_TEST_CASE_TEMPLATE(signature, Doc, DocTypes) Signature *s3 = nullptr; BOOST_CHECK_NO_THROW(s3 = d->sign(signer3.get())); BOOST_CHECK_EQUAL(d->signatures().size(), 2U); - BOOST_CHECK_EQUAL(s3->signatureMethod(), URI_ECDSA_SHA256); if(s3) { + BOOST_CHECK_EQUAL(s3->signatureMethod(), URI_ECDSA_SHA256); BOOST_CHECK_EQUAL(s3->signingCertificate(), signer3->cert()); BOOST_CHECK_NO_THROW(s3->validate()); } @@ -354,15 +354,6 @@ BOOST_AUTO_TEST_CASE_TEMPLATE(signature, Doc, DocTypes) BOOST_CHECK_NO_THROW(d->removeSignature(1U)); BOOST_CHECK_EQUAL(d->signatures().size(), 1U); - // TS signature - signer2->setProfile("time-stamp"); - BOOST_CHECK_NO_THROW(s3 = d->sign(signer2.get())); - //BOOST_CHECK_EQUAL(s3->TSCertificate(), signer2->cert()); - //BOOST_CHECK_NO_THROW(s3->validate()); - BOOST_CHECK_NO_THROW(d->save(Doc::EXT + "-TS.tmp")); - BOOST_CHECK_NO_THROW(d->removeSignature(1U)); - BOOST_CHECK_EQUAL(d->signatures().size(), 1U); - // TSA signature signer2->setProfile("time-stamp-archive"); BOOST_CHECK_NO_THROW(s3 = d->sign(signer2.get())); @@ -372,15 +363,8 @@ BOOST_AUTO_TEST_CASE_TEMPLATE(signature, Doc, DocTypes) BOOST_CHECK_NO_THROW(d->removeSignature(1U)); BOOST_CHECK_EQUAL(d->signatures().size(), 1U); - // TSA signature - signer2->setProfile("time-stamp-archive"); - BOOST_CHECK_NO_THROW(d->sign(signer2.get())); - BOOST_CHECK_NO_THROW(d->save(Doc::EXT + "-TMA.tmp")); - BOOST_CHECK_NO_THROW(d->removeSignature(1U)); - BOOST_CHECK_EQUAL(d->signatures().size(), 1U); - - // Save with no SignatureValue and later add signautre value, time-mark - signer2->setProfile("time-mark"); + // Save with no SignatureValue and later add signautre value + signer2->setProfile("time-stamp"); d = Container::createPtr(Doc::EXT + ".tmp"); BOOST_CHECK_NO_THROW(d->addDataFile("test1.txt", "text/plain")); Signature *s = nullptr; @@ -487,9 +471,6 @@ BOOST_AUTO_TEST_CASE(XmlConfCase) { BOOST_CHECK_EQUAL(c.proxyPort(), "port"); BOOST_CHECK_EQUAL(c.proxyUser(), "user"); BOOST_CHECK_EQUAL(c.proxyPass(), "pass"); - BOOST_CHECK_EQUAL(c.PKCS12Cert(), "cert"); - BOOST_CHECK_EQUAL(c.PKCS12Pass(), "pass"); - BOOST_CHECK_EQUAL(c.PKCS12Disable(), true); BOOST_CHECK_EQUAL(c.ocsp("ISSUER NAME"), "http://ocsp.issuer.com"); BOOST_CHECK_EQUAL(c.verifyServiceUri(), SIVA_URL); const string testurl = "https://test.url"; @@ -541,10 +522,9 @@ BOOST_AUTO_TEST_CASE(OpenValidASiCSContainer) const DataFile *doc = d->dataFiles().front(); BOOST_CHECK_EQUAL(doc->fileName(), "test1.txt"); - const auto ts = d->signatures().front(); - BOOST_CHECK_NO_THROW(ts->validate()); - if(ts) + if(const auto *ts = d->signatures().front()) { + BOOST_CHECK_NO_THROW(ts->validate()); BOOST_CHECK_EQUAL("8766262679921277358", ts->id()); // Serial number: 0x79A805763478B9AE BOOST_CHECK_EQUAL("2016-11-02T11:07:45Z", ts->TimeStampTime()); BOOST_CHECK_EQUAL("DEMO of SK TSA 2014", ts->TimeStampCertificate().subjectName("CN"));