Allow only qualified OCSP-s

IB-8298 Signed-off-by: Raul Metsma <[email protected]>
open-eid · Nov 15, 2024 · cbaeef8 · cbaeef8
1 parent 16b6728
commit cbaeef8
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 25 deletions.
diff --git a/src/crypto/TSL.cpp b/src/crypto/TSL.cpp
@@ -22,10 +22,10 @@
 #include "Conf.h"
 #include "XMLDocument.h"
 #include "crypto/Connect.h"
+#include "util/algorithm.h"
 #include "util/DateTime.h"
 #include "util/File.h"
 
-#include <algorithm>
 #include <array>
 #include <charconv>
 #include <fstream>
@@ -80,18 +80,10 @@ constexpr array SERVICESTATUS_END {
 
 constexpr array SERVICES_SUPPORTED {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
     "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
 };
 
-template<typename C, typename T>
-[[nodiscard]]
-constexpr bool contains(const C &list, const T &value)
-{
-    return find(list.begin(), list.end(), value) != list.end();
-}
-
 }
 
 

diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp
@@ -23,25 +23,17 @@
 #include "crypto/Connect.h"
 #include "crypto/OpenSSLHelpers.h"
 #include "crypto/TSL.h"
+#include "util/algorithm.h"
 #include "util/DateTime.h"
 #include "util/log.h"
 
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 
-#include <algorithm>
-
 using namespace digidoc;
 using namespace std;
 
-template<typename C, typename T>
-[[nodiscard]]
-constexpr bool contains(const C &list, const T &value)
-{
-    return find(list.begin(), list.end(), std::forward<decltype(value)>(value)) != list.end();
-};
-
 const X509CertStore::Type X509CertStore::CA {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
 };
@@ -52,7 +44,6 @@ const X509CertStore::Type X509CertStore::TSA {
 
 const X509CertStore::Type X509CertStore::OCSP {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
 };
 
@@ -255,12 +246,12 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
         contains(policies, X509Cert::QCP_LEGAL) ||
         contains(qcstatement, X509Cert::QCT_ESEAL);
     auto matchPolicySet = [&policies](const vector<string> &policySet){
-        return all_of(policySet.cbegin(), policySet.cend(), [&policies](const string &policy) {
+        return all_of(policySet, [&policies](const string &policy) {
             return contains(policies, policy);
         });
     };
     auto matchKeyUsageSet = [&keyUsage](const map<X509Cert::KeyUsage,bool> &keyUsageSet){
-        return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](pair<X509Cert::KeyUsage, bool> keyUsageBit){
+        return all_of(keyUsageSet, [&keyUsage](pair<X509Cert::KeyUsage, bool> keyUsageBit){
             return contains(keyUsage, keyUsageBit.first) == keyUsageBit.second;
         });
     };
@@ -269,14 +260,14 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
     {
         if(q.assert_ == "all")
         {
-            if(!(all_of(q.policySet.cbegin(), q.policySet.cend(), matchPolicySet) &&
-                 all_of(q.keyUsage.cbegin(), q.keyUsage.cend(), matchKeyUsageSet)))
+            if(!(all_of(q.policySet, matchPolicySet) &&
+                 all_of(q.keyUsage, matchKeyUsageSet)))
                 continue;
         }
         else if(q.assert_ == "atLeastOne")
         {
-            if(!(any_of(q.policySet.cbegin(), q.policySet.cend(), matchPolicySet) ||
-                 any_of(q.keyUsage.cbegin(), q.keyUsage.cend(), matchKeyUsageSet)))
+            if(!(any_of(q.policySet, matchPolicySet) ||
+                 any_of(q.keyUsage, matchKeyUsageSet)))
                 continue;
         }
         else

diff --git a/src/util/algorithm.h b/src/util/algorithm.h
@@ -0,0 +1,54 @@
+/*
+ * libdigidocpp
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+#pragma once
+
+#include <algorithm>
+
+namespace digidoc
+{
+
+template<typename C, typename P>
+[[nodiscard]]
+constexpr bool all_of(const C &list, P pred)
+{
+    return std::all_of(list.begin(), list.end(), std::forward<P>(pred));
+}
+
+template<typename C, typename P>
+[[nodiscard]]
+constexpr bool any_of(const C &list, P pred)
+{
+    return std::any_of(list.begin(), list.end(), std::forward<P>(pred));
+}
+
+template<typename C, typename T>
+[[nodiscard]]
+constexpr bool contains(const C &list, T value)
+{
+    return std::find(list.begin(), list.end(), std::forward<T>(value)) != list.end();
+}
+
+template<typename T>
+[[nodiscard]]
+constexpr bool starts_with(T str, T needle) {
+    return str.size() >= needle.size() && str.compare(0, needle.size(), needle) == 0;
+}
+
+}