From fb2d24f05b5727a26960dedde4f9fe679b1b1e20 Mon Sep 17 00:00:00 2001
From: Raul Metsma
Date: Fri, 15 Nov 2024 10:22:45 +0200
Subject: [PATCH] Allow only qualified OCSP-s

IB-8298

Signed-off-by: Raul Metsma
---
 src/crypto/TSL.cpp           | 10 +-----
 src/crypto/X509CertStore.cpp | 29 ++++++-----------
 src/util/algorithm.h         | 61 ++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 28 deletions(-)
 create mode 100644 src/util/algorithm.h

diff --git a/src/crypto/TSL.cpp b/src/crypto/TSL.cpp
index 9b409ea48..4fb336bd1 100644
--- a/src/crypto/TSL.cpp
+++ b/src/crypto/TSL.cpp
@@ -22,10 +22,10 @@
 #include "Conf.h"
 #include "XMLDocument.h"
 #include "crypto/Connect.h"
+#include "util/algorithm.h"
 #include "util/DateTime.h"
 #include "util/File.h"
 
-#include
 #include
 #include
 #include
@@ -80,18 +80,10 @@ constexpr array SERVICESTATUS_END {
 constexpr array SERVICES_SUPPORTED {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
     "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
 };
 
-template
-[[nodiscard]]
-constexpr bool contains(const C &list, const T &value)
-{
-    return find(list.begin(), list.end(), value) != list.end();
-}
-
 }
diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp
index d2c9971c8..b0dbf0dcc 100644
--- a/src/crypto/X509CertStore.cpp
+++ b/src/crypto/X509CertStore.cpp
@@ -23,6 +23,7 @@
 #include "crypto/Connect.h"
 #include "crypto/OpenSSLHelpers.h"
 #include "crypto/TSL.h"
+#include "util/algorithm.h"
 #include "util/DateTime.h"
 #include "util/log.h"
 
@@ -30,18 +31,9 @@
 #include
 #include
 
-#include
-
 using namespace digidoc;
 using namespace std;
 
-template
-[[nodiscard]]
-constexpr bool contains(const C &list, const T &value)
-{
-    return find(list.begin(), list.end(), std::forward(value)) != list.end();
-};
-
 const X509CertStore::Type X509CertStore::CA {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
 };
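Review bot: The narrowed SERVICES_SUPPORTED array in TSL.cpp carries no comment saying that non-qualified `Certstatus/OCSP` services are now deliberately skipped, so a later reader may put the entry back as an apparent omission. Suggest placing `// Only qualified (QC) OCSP responders are trusted (IB-8298); plain Certstatus/OCSP TSL entries are intentionally not loaded.` directly above the array. This is also a behaviour change for already-signed documents: a container whose OCSP response comes from a responder the TSL lists only under the non-qualified type will presumably stop validating, which should be confirmed against existing test data and called out in the release notes. The enclosing anonymous namespace and the consumers of SERVICES_SUPPORTED lie outside this hunk.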
@@ -52,7 +44,6 @@ const X509CertStore::Type X509CertStore::TSA {
 
 const X509CertStore::Type X509CertStore::OCSP {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
 };
 
@@ -181,7 +172,7 @@ int X509CertStore::validate(int ok, X509_STORE_CTX *ctx, const Type &type)
     {
         if(type.find(s.type) == type.cend())
             continue;
-        if(none_of(s.certs.cbegin(), s.certs.cend(), [&](const X509Cert &issuer){
+        if(none_of(s.certs, [&](const X509Cert &issuer) {
             if(issuer == x509)
                 return true;
             if(X509_check_issued(issuer.handle(), x509) != X509_V_OK)
@@ -254,13 +245,13 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
     bool isESeal = // Special treamtent for E-Seals
         contains(policies, X509Cert::QCP_LEGAL) ||
         contains(qcstatement, X509Cert::QCT_ESEAL);
-    auto matchPolicySet = [&policies](const vector &policySet){
-        return all_of(policySet.cbegin(), policySet.cend(), [&policies](const string &policy) {
+    auto matchPolicySet = [&policies](const vector &policySet) {
+        return all_of(policySet, [&policies](const string &policy) {
             return contains(policies, policy);
         });
     };
-    auto matchKeyUsageSet = [&keyUsage](const map &keyUsageSet){
-        return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](pair keyUsageBit){
+    auto matchKeyUsageSet = [&keyUsage](const map &keyUsageSet) {
+        return all_of(keyUsageSet, [&keyUsage](pair keyUsageBit){
             return contains(keyUsage, keyUsageBit.first) == keyUsageBit.second;
         });
     };
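Review bot: After dropping `Certstatus/OCSP`, `X509CertStore::OCSP` still contains `CA/QC`, and the visible part of validate() accepts a certificate as soon as it equals, or is issued by (`X509_check_issued`), a certificate of any service whose type is in that set; an OCSP responder certificate issued by a listed qualified CA therefore still passes even when the responder itself is not listed as `Certstatus/OCSP/QC`. If IB-8298 means "trust only responders that are themselves listed as qualified", that second path needs a look; if it is intended, it should be stated on the set so the next reader does not "fix" it. Suggest `// OCSP responder is trusted when it is itself a qualified OCSP service or is issued by a qualified CA (IB-8298)` above the initializer. The bodies of validate() and verify() continue outside these hunks, so whether the responder certificate is checked again elsewhere cannot be seen here.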
@@ -269,14 +260,14 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
     {
         if(q.assert_ == "all")
         {
-            if(!(all_of(q.policySet.cbegin(), q.policySet.cend(), matchPolicySet) &&
-                all_of(q.keyUsage.cbegin(), q.keyUsage.cend(), matchKeyUsageSet)))
+            if(!(all_of(q.policySet, matchPolicySet) &&
+                all_of(q.keyUsage, matchKeyUsageSet)))
                 continue;
         }
         else if(q.assert_ == "atLeastOne")
         {
-            if(!(any_of(q.policySet.cbegin(), q.policySet.cend(), matchPolicySet) ||
-                any_of(q.keyUsage.cbegin(), q.keyUsage.cend(), matchKeyUsageSet)))
+            if(!(any_of(q.policySet, matchPolicySet) ||
+                any_of(q.keyUsage, matchKeyUsageSet)))
                 continue;
         }
         else
diff --git a/src/util/algorithm.h b/src/util/algorithm.h
new file mode 100644
index 000000000..30911a357
--- /dev/null
+++ b/src/util/algorithm.h
@@ -0,0 +1,61 @@
+/*
+ * libdigidocpp
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ */
+
+#pragma once
+
+#include
+
+namespace digidoc
+{
+
+template
+[[nodiscard]]
+constexpr bool all_of(const C &list, P pred)
+{
+    return std::all_of(list.begin(), list.end(), std::forward

(pred));
+}
+
+template
+[[nodiscard]]
+constexpr bool any_of(const C &list, P pred)
+{
+    return std::any_of(list.begin(), list.end(), std::forward

(pred));
+}
+
+template
+[[nodiscard]]
+constexpr bool contains(const C &list, T value)
+{
+    return std::find(list.begin(), list.end(), std::forward(value)) != list.end();
+}
+
+template
+[[nodiscard]]
+constexpr bool none_of(const C &list, P pred)
+{
+    return std::none_of(list.begin(), list.end(), std::forward

(pred));
+}
+
+template
+[[nodiscard]]
+constexpr bool starts_with(T str, T needle) {
+    return str.size() >= needle.size() && str.compare(0, needle.size(), needle) == 0;
+}
+
+}
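Review bot: `contains` takes `value` by value and then `std::forward<T>(value)`, which on a by-value parameter is only a move cast, so every call such as `contains(policies, policy)` in X509CertStore.cpp now copies a `std::string` before the linear search, whereas the helper this header replaces took `const T &`. The same `P pred` by value followed by `std::forward<P>(pred)` in `all_of`/`any_of`/`none_of` is harmless but misleading; passing `pred` plainly reads better since the standard algorithms take the predicate by value anyway. `starts_with(T str, T needle)` likewise copies both strings and forces both arguments to one deduced type, so `starts_with(someString, "prefix")` will not deduce; `std::string_view` parameters (with `#include <string_view>`) fix both points and remain `constexpr`. Note also that `constexpr` on wrappers around `std::all_of`/`std::find` is only meaningful from C++20, where those algorithms became constexpr; under C++17 it compiles but can never be used in a constant expression, so the keyword is at best documentation. A short header comment stating that these are range-taking shorthands for the iterator-pair algorithms, intended to replace the per-file copies that used to live in TSL.cpp and X509CertStore.cpp, would help the next reader.
```cpp
template<class C, class T>
[[nodiscard]]
constexpr bool contains(const C &list, const T &value)
{
    return std::find(list.begin(), list.end(), value) != list.end();
}

// … unchanged: all_of / any_of / none_of …

[[nodiscard]]
constexpr bool starts_with(std::string_view str, std::string_view needle)
{
    return str.size() >= needle.size() && str.compare(0, needle.size(), needle) == 0;
}
```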