// Picks the OCSP responder certificate out of the first CertificateValues
// element of the XAdES unsigned signature properties.
// NOTE(review): this listing omits source lines (the gutter numbers jump), so
// braces and any guard around certificateValues()[0] are not visible here;
// confirm the sequence is checked for emptiness before it is indexed.
69 const xades::UnsignedSignaturePropertiesType::CertificateValuesType::EncapsulatedX509CertificateSequence &
certs =
70 unsignedSignatureProperties()->certificateValues()[0].encapsulatedX509Certificate();
71 xades::UnsignedSignaturePropertiesType::CertificateValuesType::EncapsulatedX509CertificateSequence::const_iterator
i = certs.begin();
// Prefer the entry whose Id contains "RESPONDER_CERT". The Id is optional,
// hence the presence test before get().
// NOTE(review): the Id is read from unsigned properties, which XAdES leaves
// outside the signed data, so the substring match only selects a candidate.
// Trust in the returned certificate must come from a separate check against
// the configured responder certificates; that check is not visible here.
75 for( ; i != certs.end(); ++
i )
77 if( i->id() && i->id().get().find(
"RESPONDER_CERT" ) != std::string::npos )
78 return X509Cert( std::vector<unsigned char>( i->data(), i->data() + i->size() ) );
// Fallback when no Id matched: return the first encapsulated certificate,
// whatever its Id, with its bytes copied into a new X509Cert.
80 if( certs.begin() != certs.end() )
81 return X509Cert( std::vector<unsigned char>(
82 certs.begin()->data(), certs.begin()->data() + certs.begin()->size() ) );
// Copies the OCSP response bytes stored in the signature into a local buffer.
// NOTE(review): getOCSPResponseValue() has a path that returns an empty vector
// (gutter line 497 of this listing), so an empty respBuf has to be handled
// before it is parsed; the handling is on lines this listing omits.
93 std::vector<unsigned char> respBuf = getOCSPResponseValue();
// Returns the responder name (ResponderID/ByName) recorded in the first OCSPRef
// of the first CompleteRevocationRefs element.
// NOTE(review): every step here assumes presence: two [0] indexes, operator->
// on the optional OCSPRefs and get() on the optional ByName. No guard is
// visible in this fragment, and the value is document-supplied (unsigned
// properties), so confirm the caller or omitted lines cover a missing element.
106 return unsignedSignatureProperties()->completeRevocationRefs()[0].oCSPRefs()
107 ->oCSPRef()[0].oCSPIdentifier().responderID().byName().get();
// An empty issuer field in the responder configuration is treated as "no
// responder known" and an error object is prepared.
// NOTE(review): the throw itself is on a line this listing omits.
132 if(ocspConf.
issuer.empty())
134 SignatureException
e(__FILE__, __LINE__,
"Failed to find ocsp responder.");
// Wraps a lower-level failure `e` from loading the responder certificate;
// presumably inside a catch handler, which is not shown.
146 SignatureException exception(__FILE__, __LINE__,
"OCSP certificate loading failed", e);
// OCSP response bytes as stored in the document.
157 std::vector<unsigned char> respBuf = getOCSPResponseValue();
// NOTE(review): the message implies the response signature was verified on
// omitted lines. Confirm that the verification uses the responder certificate
// from local configuration (ocspConf) and not one carried in the document.
168 DEBUG(
"OCSP response was signed by trusted OCSP responder");
// Walks UnsignedSignatureProperties -> CompleteRevocationRefs[0] -> OCSPRefs ->
// OCSPRef[0] -> OCSPIdentifier, binding a reference at each level.
// NOTE(review): the gutter skips one or two lines between each step (171-172,
// 174-175, 177-178, 180-181), presumably presence/emptiness checks. Confirm
// that each [0] and operator-> is guarded, since all of this is unsigned,
// document-supplied data.
170 xades::UnsignedPropertiesType::UnsignedSignaturePropertiesOptional &usp = unsignedSignatureProperties();
173 xades::UnsignedSignaturePropertiesType::CompleteRevocationRefsSequence &crrs = usp->completeRevocationRefs();
176 xades::CompleteRevocationRefsType::OCSPRefsOptional &orr = crrs[0].oCSPRefs();
179 xades::OCSPRefsType::OCSPRefSequence &ors = orr->oCSPRef();
182 xades::OCSPRefType::OCSPIdentifierType &oit = ors[0].oCSPIdentifier();
// Fetches the OCSP response digest recorded in the document, plus `method`
// (declared on an omitted line).
// NOTE(review): getRevocationOCSPRef assigns the digest algorithm URI from the
// document's DigestMethod element, so the algorithm used by the checks that
// follow is chosen by the document; confirm Digest rejects weak or unknown URIs.
186 std::vector<unsigned char> revocationOCSPRefValue(0);
188 getRevocationOCSPRef(revocationOCSPRefValue, method);
// Recomputes the expected nonce as the digest of the signature value, using the
// algorithm named by `method`.
// NOTE(review): std::auto_ptr is deprecated since C++11 and removed in C++17.
190 std::auto_ptr<Digest> calc(
new Digest(method));
191 calc->
update(getSignatureValue());
192 std::vector<unsigned char> nonce = calc->
getDigest();
// The nonce inside the OCSP response must equal that digest; this is what ties
// the response to this particular signature value.
194 std::vector<unsigned char> respNonce = ocsp.
getNonce(respBuf);
195 if(nonce != respNonce)
// Mismatch branch: both values are dumped for diagnosis; the failure handling
// itself is on omitted lines.
// NOTE(review): &v[0] on an empty vector is undefined behaviour. If getNonce()
// can return an empty vector (e.g. a response without a nonce), prefer data()
// or skip the dump when size() == 0.
197 DEBUGMEM(
"Calculated signature HASH", &nonce[0], nonce.size());
198 DEBUGMEM(
"Response nonce", &respNonce[0], respNonce.size());
// Hashes the stored OCSP response with the document-named algorithm and
// compares it with the digest recorded in CompleteRevocationRefs.
// NOTE(review): both the response and the reference digest live in unsigned
// properties, so this comparison shows the two fields agree; it does not
// authenticate either one. Authenticity has to come from the OCSP response
// signature check and the nonce binding.
202 std::auto_ptr<Digest> ocspResponseCalc(
new Digest(method));
// NOTE(review): size() returns an unsigned size type, which does not match %d
// if DEBUG forwards to a printf-style formatter; %zu or a cast would match.
203 DEBUG(
"Calculating digest on %d bytes", respBuf.size());
204 ocspResponseCalc->
update(respBuf);
205 std::vector<unsigned char> ocspResponseHash = ocspResponseCalc->
getDigest();
207 if(ocspResponseHash != revocationOCSPRefValue)
// Mismatch branch: dump both digests; failure handling is on omitted lines.
// NOTE(review): &v[0] is undefined behaviour when the vector is empty.
209 DEBUGMEM(
"Document ocspResponse HASH:", &revocationOCSPRefValue[0], revocationOCSPRefValue.size());
210 DEBUGMEM(
"Calculated ocspResponse HASH:", &ocspResponseHash[0], ocspResponseHash.size());
// Logged once the checks above (and those on omitted lines) have passed.
215 DEBUG(
"TM signature valid");
// SignatureTM::sign(): the BES-level signature is produced first (on omitted
// lines), then the time-mark data is gathered.
226 DEBUG(
"SignatureTM::sign()");
229 DEBUG(
"BES signature successful.");
// The OCSP nonce is the digest of the freshly created signature value, using
// Digest's default algorithm (which one is not visible here). A responder that
// echoes this nonce in a signed response binds the response to this signature.
// NOTE(review): std::auto_ptr is deprecated since C++11 and removed in C++17.
240 std::auto_ptr<Digest> calc(
new Digest());
241 calc->
update(getSignatureValue());
242 std::vector<unsigned char> nonce = calc->
getDigest();
// NOTE(review): &nonce[0] assumes a non-empty digest; it is undefined behaviour
// if getDigest() ever returns an empty vector.
243 DEBUGMEM(
"Calculated signature HASH (nonce):", &nonce[0], nonce.size());
// The signer's certificate; its status is what the OCSP request asks about.
246 X509Cert cert = getSigningCertificate();
// Tail of a statement whose beginning is on lines this listing omits.
251 cert.getIssuerName().c_str());
// NOTE(review): serial, subject and issuer are written to the debug log. The
// subject name of a signing certificate can carry personal identifiers, so
// keep this at debug level and out of production logs.
254 DEBUG(
"Signing with X.509 cert {serial=%s, subject=%s, issuer=%s})",
255 cert.getSerial().c_str(), cert.getSubjectName().c_str(), cert.getIssuerName().c_str());
258 DEBUG(
"Making OCSP request.");
// No configured responder for this issuer: an error object is prepared (the
// throw is on an omitted line), so signing does not continue without a
// revocation check.
261 if(ocspConf.
issuer.empty())
263 SignatureException
e(__FILE__, __LINE__,
"Failed to find ocsp responder.");
// Output slots filled by the OCSP check below.
// NOTE(review): producedAt is not initialised here; it is only meaningful if
// checkCert() writes it on every path that is later read. TODO confirm.
280 std::vector<unsigned char> ocspResponse;
281 struct tm producedAt;
// NOTE(review): ownership of the raw X509* is not visible in this fragment. If
// getX509() hands out a new reference, it must be released on every exit path,
// including the exception paths below.
289 X509 *c = cert.getX509();
// Asks the responder for the status of `c`, sending `nonce`; the raw response
// and its producedAt time are returned through the last two arguments.
290 status = ocsp.
checkCert(c, issuer, nonce, ocspResponse, producedAt);
// REVOKED and UNKNOWN both prepare a SignatureException (the throw statements
// are on omitted lines), i.e. anything other than a good status is treated as
// a failure.
307 DEBUG(
"OCSP status: REVOKED");
308 SignatureException
e( __FILE__, __LINE__,
"Certificate status: revoked" );
315 DEBUG(
"OCSP status: UNKNOWN");
316 SignatureException
e( __FILE__, __LINE__,
"Certificate status: unknown" );
// NOTE(review): size() returns an unsigned size type, which does not match %d
// if DEBUG forwards to a printf-style formatter.
322 DEBUG(
"OCSP response size %d", ocspResponse.size());
// More than one responder certificate is only logged as an error in the lines
// shown here; element 0 is used.
// NOTE(review): only the "> 1" case is visible. sk_X509_value() returns NULL
// when the stack is empty, so confirm that an empty or NULL ocspCerts is
// rejected (on omitted lines) before X509Cert is constructed from it.
328 if(sk_X509_num(ocspCerts) > 1)
330 ERR(
"More than one OCSP cert in file.");
332 X509Cert ocspCert_(sk_X509_value(ocspCerts, 0));
// Digest of the raw OCSP response, stored later as the revocation reference.
// NOTE(review): std::auto_ptr is deprecated since C++11 and removed in C++17.
334 std::auto_ptr<Digest> ocspResponseCalc(
new Digest());
335 ocspResponseCalc->
update(ocspResponse);
336 std::vector<unsigned char> ocspResponseHash = ocspResponseCalc->
getDigest();
// NOTE(review): &v[0] assumes a non-empty digest.
337 DEBUGMEM(
"Calculated ocspResponse HASH:", &ocspResponseHash[0], ocspResponseHash.size());
// Writes the time-mark data into the unsigned signature properties: container
// elements, responder certificate, raw response, then the revocation reference.
340 createTMProperties();
341 setOCSPCertificate(ocspCert_);
343 setOCSPResponseValue(ocspResponse);
// NOTE(review): the algorithm URI comes from `calc` (the nonce digest) although
// the hash was produced by ocspResponseCalc. They agree only while both are
// default-constructed Digest objects; ocspResponseCalc->getUri() would keep the
// recorded algorithm and the hash coupled.
344 setCompleteRevocationRefs(ocspCert_.
getIssuerName(), calc->
getUri(), ocspResponseHash, producedAt);
// Builds the empty UnsignedProperties / UnsignedSignatureProperties /
// CertificateValues skeleton and attaches it to the signature. The single
// CertificateValues element pushed here is the one later addressed as
// certificateValues()[0].
353 xades::CertificateValuesType certValue;
355 xades::UnsignedSignaturePropertiesType usSignatureProp;
356 usSignatureProp.certificateValues().push_back(certValue);
358 xades::UnsignedPropertiesType usProp;
359 usProp.unsignedSignatureProperties(usSignatureProp);
// NOTE(review): both [0] indexes assume one Object with one
// QualifyingProperties already exists; no check is visible in this fragment.
361 signature->object()[0].qualifyingProperties()[0].unsignedProperties(usProp);
// (Tail of a parameter list; the start of the signature is on omitted lines.)
// Records a CompleteRevocationRefs element: responder name, a time value,
// and the digest of the OCSP response with its algorithm URI.
373 const std::vector<unsigned char>& ocspResponseHash,
const struct tm& producedAt )
375 dsig::DigestMethodType method(xml_schema::Uri(digestMethodUri.c_str()));
// NOTE(review): &ocspResponseHash[0] is undefined behaviour for an empty
// vector; callers must pass a non-empty digest.
376 dsig::DigestValueType
value(xml_schema::Base64Binary(&ocspResponseHash[0], ocspResponseHash.size()));
378 xades::DigestAlgAndValueType digest(method, value);
380 xades::ResponderIDType responderId;
381 responderId.byName(responderName);
// dateTime is built on an omitted line, presumably from producedAt.
384 xades::OCSPIdentifierType ocspId(responderId, dateTime);
// The identifier URI is "#" + the signature id with its first character
// replaced by "N".
385 std::string
id = getId();
386 id.replace(0, 1,
"N");
387 ocspId.uRI(xml_schema::Uri(
"#" +
id));
389 xades::OCSPRefType ocspRef(ocspId);
390 ocspRef.digestAlgAndValue(digest);
392 xades::OCSPRefsType ocspRefs;
393 ocspRefs.oCSPRef().push_back(ocspRef);
395 xades::CompleteRevocationRefsType completeRevocationRefs;
396 completeRevocationRefs.oCSPRefs(ocspRefs);
397 completeRevocationRefs.id(xml_schema::Id(getId() +
"-REVOCREFS"));
399 unsignedSignatureProperties()->completeRevocationRefs().push_back(completeRevocationRefs);
// SignatureTM::setOCSPCertificate(): records the responder certificate both as
// a reference (digest + issuer/serial) and as an embedded value.
410 DEBUG(
"digidoc::SignatureTM::setOCSPCertificate()");
412 std::vector<unsigned char> derEncodedX509 = x509.
encodeDER();
// Digest of the DER encoding with Digest's default algorithm.
// NOTE(review): std::auto_ptr is deprecated since C++11 and removed in C++17.
415 std::auto_ptr<Digest> calc(
new Digest());
416 calc->
update(derEncodedX509);
417 dsig::DigestMethodType digestMethod(xml_schema::Uri(calc->
getUri()));
// NOTE(review): the pointer comes from getDigest()[0] and the length from
// getSize(); this is only safe if getSize() never exceeds the digest vector's
// length and the digest is non-empty. TODO confirm against Digest.
418 dsig::DigestValueType digestValue(xml_schema::Base64Binary(&calc->
getDigest()[0], calc->
getSize()));
419 xades::DigestAlgAndValueType certDigest(digestMethod, digestValue);
// issuerSerial is built on omitted lines.
424 digidoc::xades::CertIDType cert(certDigest, issuerSerial);
425 xades::CertIDListType certList;
426 certList.cert().push_back(cert);
428 xades::CompleteCertificateRefsType certificateRefs(certList);
432 unsignedSignatureProperties()->completeCertificateRefs().push_back(certificateRefs);
// Embeds the certificate under the Id "<signature id>-RESPONDER_CERT".
435 addCertificateValue(getId() +
"-RESPONDER_CERT", x509);
// Embeds a certificate under the Id "<signature id>-CA-CERT".
// NOTE(review): certificate values are unsigned properties, so on validation
// this entry is document-supplied input, not a trust anchor.
440 addCertificateValue(getId() +
"-CA-CERT", x509);
// Appends one DER-encoded certificate, tagged with certId, to the first
// CertificateValues element. (The DEBUG arguments are on omitted lines.)
450 DEBUG(
"digidoc::SignatureTM::setCertificateValue(%s, X509Cert{%s,%s})",
// NOTE(review): &certBytes[0] is undefined behaviour if encodeDER() returns an
// empty vector; guard or use data().
453 std::vector<unsigned char> certBytes = x509.
encodeDER();
454 xades::CertificateValuesType::EncapsulatedX509CertificateType certData(
455 xml_schema::Base64Binary(&certBytes[0], certBytes.size()));
456 certData.id(xml_schema::Id(certId.c_str()));
// NOTE(review): certificateValues()[0] assumes the container element already
// exists (createTMProperties() pushes one); no check is visible here.
457 unsignedSignatureProperties()->certificateValues()[0].encapsulatedX509Certificate().push_back(certData);
// Stores the raw OCSP response as RevocationValues/OCSPValues/
// EncapsulatedOCSPValue. The element Id is the signature id with its first
// character replaced by "N", the same transformation used for the "#N..." URI
// written into the OCSPIdentifier.
466 std::string
id = getId();
467 id.replace(0, 1,
"N");
// NOTE(review): &data[0] is undefined behaviour for an empty vector; callers
// must pass a non-empty response.
468 xades::OCSPValuesType::EncapsulatedOCSPValueType ocspValueData(
469 xml_schema::Base64Binary(&data[0], data.size()));
470 ocspValueData.id(
id);
472 xades::OCSPValuesType ocspValue;
473 ocspValue.encapsulatedOCSPValue().push_back(ocspValueData);
475 xades::RevocationValuesType revocationValues;
476 revocationValues.oCSPValues(ocspValue);
478 unsignedSignatureProperties()->revocationValues().push_back(revocationValues);
// Reads back the first EncapsulatedOCSPValue and returns a copy of its bytes.
// NOTE(review): revocationValues()[0], oCSPValues().get() and
// encapsulatedOCSPValue()[0] have no visible presence checks. The data is
// unsigned and document-supplied, so confirm that a missing element is caught
// (the lines around this fragment are omitted) instead of being dereferenced.
490 xades::RevocationValuesType &t = unsignedSignatureProperties()->revocationValues()[0];
491 xades::OCSPValuesType &tt = t.oCSPValues().get();
492 xades::OCSPValuesType::EncapsulatedOCSPValueType &resp = tt.encapsulatedOCSPValue()[0];
493 return std::vector<unsigned char>(resp.data(), resp.data()+resp.size());
// Alternative path returning an empty vector, presumably the failure case.
// Callers must treat an empty result as "no OCSP response" and fail
// validation, not parse it.
497 return std::vector<unsigned char>();
// Extracts the OCSP response digest and its algorithm URI from
// CompleteRevocationRefs[0]/OCSPRefs/OCSPRef[0]/DigestAlgAndValue.
// The guard for crrSeq[0] is presumably on the omitted lines 512-514.
510 xades::UnsignedSignaturePropertiesType::CompleteRevocationRefsSequence &crrSeq =
511 unsignedSignatureProperties()->completeRevocationRefs();
// Each optional element is tested with present() and each sequence with
// empty() before it is dereferenced or indexed.
515 xades::CompleteRevocationRefsType::OCSPRefsOptional &ocspRefsOpt = crrSeq[0].oCSPRefs();
516 if(ocspRefsOpt.present())
518 xades::OCSPRefsType::OCSPRefSequence &ocspRefSeq = ocspRefsOpt->oCSPRef();
519 if(!ocspRefSeq.empty())
521 xades::OCSPRefType::DigestAlgAndValueOptional &digestOpt = ocspRefSeq[0].digestAlgAndValue();
522 if(digestOpt.present())
// Copy the digest bytes into the caller's buffer.
524 dsig::DigestValueType &digestValue = digestOpt->digestValue();
525 data.resize(digestValue.size());
526 std::copy(digestValue.data(), digestValue.data()+digestValue.size(), data.begin());
// NOTE(review): the algorithm URI is taken verbatim from the document. The
// consumer should accept only an allow-list of digest algorithms so a modified
// document cannot downgrade the hash used for validation.
528 xml_schema::Uri &uri = digestOpt->digestMethod().algorithm();
529 digestMethodUri = uri;
// Raised when any element on the path above is missing.
539 THROW_SIGNATUREEXCEPTION(
"Missing UnsignedProperties/UnsignedSignatureProperties/CompleteRevocationRefs/OCSPRefs/OCSPRef/DigestAlgAndValue element or its parent");
// Accessor returning a reference to the optional UnsignedSignatureProperties
// element of the signature. (The line carrying the function name is omitted.)
542 digidoc::xades::UnsignedPropertiesType::UnsignedSignaturePropertiesOptional&
546 dsig::SignatureType::ObjectSequence &os = signature->object();
// Exactly one Object is accepted; the preceding `if` and the error handling
// are on omitted lines.
549 else if ( os.size() != 1 )
553 dsig::ObjectType::QualifyingPropertiesSequence &qpSeq = os[0].qualifyingProperties();
// Likewise exactly one QualifyingProperties.
556 else if ( qpSeq.size() != 1 )
// Both optionals are tested with present() before use; what happens when one
// is absent is on omitted lines.
560 xades::QualifyingPropertiesType::UnsignedPropertiesOptional &unsignedPropsOptional = qpSeq[0].unsignedProperties();
561 if ( !unsignedPropsOptional.present() )
565 digidoc::xades::UnsignedPropertiesType::UnsignedSignaturePropertiesOptional &unsignedSigProps =
566 unsignedPropsOptional->unsignedSignatureProperties();
567 if ( !unsignedSigProps.present() )
// NOTE(review): callers in this file apply operator-> to the returned optional
// directly, so the absent case must have been rejected on the omitted lines
// above. TODO confirm.
570 return unsignedSigProps;