Skip to content

Commit

Permalink
Allow only qualified TimeStamp-s (#640)
Browse files Browse the repository at this point in the history
IB-8250

Signed-off-by: Raul Metsma <[email protected]>
  • Loading branch information
metsma authored Nov 18, 2024
1 parent 47168f7 commit aba89db
Show file tree
Hide file tree
Showing 19 changed files with 10,100 additions and 651 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:
with:
name: ${{ matrix.target }}
path: |
build/macos/libdigidocpp*.*
build/*/libdigidocpp*.*
libdigidocpp*.zip
fedora:
name: Build on Fedora ${{ matrix.container }}
Expand All @@ -79,7 +79,7 @@ jobs:
- name: Install Deps
run: |
dnf install -y --setopt=install_weak_deps=False \
${FEDORA_DEPS} doxygen boost-test swig python3-devel java-21-openjdk-devel rpm-build git
${FEDORA_DEPS} doxygen boost-test swig python3-devel java-21-openjdk-devel rpm-build
- name: Checkout
uses: actions/checkout@v4
- name: Build
Expand All @@ -105,7 +105,7 @@ jobs:
DEBEMAIL: [email protected]
steps:
- name: Install dependencies
run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-11-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
run: apt update -qq && apt install --no-install-recommends -y lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-11-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
- name: Checkout
uses: actions/checkout@v4
- name: Setup changelog
Expand Down
6 changes: 1 addition & 5 deletions src/crypto/TSL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -80,17 +80,13 @@ constexpr array SERVICESTATUS_END {

constexpr array SERVICES_SUPPORTED {
"http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
//"http://uri.etsi.org/TrstSvc/Svctype/CA/PKC", //???
//"http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QC", //???
"http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
"http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
"http://uri.etsi.org/TrstSvc/Svctype/TSA",
"http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
"http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC", //???
"http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES", //???
};

template<typename C, typename T>
[[nodiscard]]
constexpr bool contains(const C &list, const T &value)
{
return find(list.begin(), list.end(), value) != list.end();
Expand Down
41 changes: 20 additions & 21 deletions src/crypto/X509CertStore.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -35,15 +35,19 @@
using namespace digidoc;
using namespace std;

template<typename C, typename T>
[[nodiscard]]
constexpr bool contains(const C &list, const T &value)
{
return find(list.begin(), list.end(), std::forward<decltype(value)>(value)) != list.end();
};

const X509CertStore::Type X509CertStore::CA {
"http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
};

const X509CertStore::Type X509CertStore::TSA {
"http://uri.etsi.org/TrstSvc/Svctype/TSA",
"http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
"http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC",
"http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES",
};

const X509CertStore::Type X509CertStore::OCSP {
Expand Down Expand Up @@ -240,29 +244,24 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
const vector<string> policies = cert.certificatePolicies();
const vector<string> qcstatement = cert.qcStatements();
const vector<X509Cert::KeyUsage> keyUsage = cert.keyUsage();
auto containsPolicy = [&policies](const string &policy) {
return find(policies.cbegin(), policies.cend(), policy) != policies.cend();
};
auto containsQCStatement = [&qcstatement](const string &statement) {
return find(qcstatement.cbegin(), qcstatement.cend(), statement) != qcstatement.cend();
};

bool isQCCompliant = containsQCStatement(X509Cert::QC_COMPLIANT);
bool isQCCompliant = contains(qcstatement, X509Cert::QC_COMPLIANT);
bool isQSCD =
containsPolicy(X509Cert::QCP_PUBLIC_WITH_SSCD) ||
containsPolicy(X509Cert::QCP_LEGAL_QSCD) ||
containsPolicy(X509Cert::QCP_NATURAL_QSCD) ||
containsQCStatement(X509Cert::QC_SSCD);
contains(policies, X509Cert::QCP_PUBLIC_WITH_SSCD) ||
contains(policies, X509Cert::QCP_LEGAL_QSCD) ||
contains(policies, X509Cert::QCP_NATURAL_QSCD) ||
contains(qcstatement, X509Cert::QC_SSCD);

bool isESeal = // Special treamtent for E-Seals
containsPolicy(X509Cert::QCP_LEGAL) ||
containsQCStatement(X509Cert::QCT_ESEAL);
auto matchPolicySet = [&containsPolicy](const vector<string> &policySet){
return all_of(policySet.cbegin(), policySet.cend(), containsPolicy);
bool isESeal = // Special treamtent for E-Seals
contains(policies, X509Cert::QCP_LEGAL) ||
contains(qcstatement, X509Cert::QCT_ESEAL);
auto matchPolicySet = [&policies](const vector<string> &policySet){
return all_of(policySet.cbegin(), policySet.cend(), [&policies](const string &policy) {
return contains(policies, policy);
});
};
auto matchKeyUsageSet = [&keyUsage](const map<X509Cert::KeyUsage,bool> &keyUsageSet){
return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](pair<X509Cert::KeyUsage, bool> keyUsageBit){
return (find(keyUsage.cbegin(), keyUsage.cend(), keyUsageBit.first) != keyUsage.cend()) == keyUsageBit.second;
return contains(keyUsage, keyUsageBit.first) == keyUsageBit.second;
});
};

Expand Down
671 changes: 635 additions & 36 deletions test/data/EE_T-CA-invalid-type.xml

Large diffs are not rendered by default.

669 changes: 634 additions & 35 deletions test/data/EE_T-CA-non-qa.xml

Large diffs are not rendered by default.

Loading

0 comments on commit aba89db

Please sign in to comment.