std::string bdoc::SignatureValidator::getTMSignature()
{
std::string ret;
X509Cert ocspCert(sk_X509_value(_ocspCerts, 0));
std::auto_ptr<Digest> ocspResponseCalc =
Digest::create(_conf->getDigestURI());
ocspResponseCalc->update(_ocspResponse);
std::vector<unsigned char>
ocspResponseHash = ocspResponseCalc->getDigest();
std::auto_ptr<xercesc::DOMDocument> doc = _sig->createDom();
xercesc::DOMNodeList *nl =
doc->getElementsByTagNameNS(
xercesc::XMLString::transcode("*"),
xercesc::XMLString::transcode("UnsignedProperties"));
xercesc::DOMNode *unsignedprops = nl->item(0);
xercesc::DOMNode *unsignedsignatureprops =
doc->createElement(
xercesc::XMLString::transcode(
"UnsignedSignatureProperties"));
unsignedprops->appendChild(unsignedsignatureprops);
{
X509Cert issuerCert(_issuerX509);
addXMLCertificateValues(doc.get(), unsignedsignatureprops,
ocspCert, issuerCert);
}
{
xml_schema::Base64Binary resp(&_ocspResponse[0],
_ocspResponse.size());
addXMLRevocationValues(doc.get(), unsignedsignatureprops,
resp);
}
{
X509* ocspIssuerCert =
_conf->getCertStore()->getCert(
*(ocspCert.getIssuerNameAsn1()));
X509_scope ocspIssuerCertScope(&ocspIssuerCert);
if (ocspIssuerCert == NULL) {
THROW_STACK_EXCEPTION(
"Failed to load issuer certificate.");
}
X509Cert oic(ocspIssuerCert);
std::vector<unsigned char> der = oic.encodeDER();
std::string oicmeth(_conf->getDigestURI());
std::auto_ptr<bdoc::Digest> oicCalc =
bdoc::Digest::create(oicmeth);
oicCalc->update(der);
xml_schema::Base64Binary oicDig(&oicCalc->getDigest()[0],
oicCalc->getSize());
addXMLCompleteCertificateRefs(doc.get(),
unsignedsignatureprops,
oic, oicDig, oicmeth);
}
{
xml_schema::Base64Binary oh(&ocspResponseHash[0],
ocspResponseHash.size());
addXMLCompleteRevocationRefs(
doc.get(), unsignedsignatureprops,
ocspCert, oh, ocspResponseCalc->getUri(),
bdoc::util::date::xsd2string(
bdoc::util::date::
makeDateTime(_producedAt)));
}
xercesc::DOMElement* root (doc->getDocumentElement ());
ret = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
ret += serializeDOM(root);
return ret;
}
SECStatus
ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
/*optional*/ ScopedCERTCertificate *certOut,
/*optional*/ SSLKEAType *keaOut)
{
ScopedCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
if (!cert) {
PrintPRError("PK11_FindCertFromNickname failed");
return SECFailure;
}
// If an intermediate certificate issued the server certificate (rather than
// directly by a trust anchor), we want to send it along in the handshake so
// we don't encounter unknown issuer errors when that's not what we're
// testing.
UniqueCERTCertificateList certList;
ScopedCERTCertificate issuerCert(
CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
// If we can't find the issuer cert, continue without it.
if (issuerCert) {
// Sadly, CERTCertificateList does not have a CERT_NewCertificateList
// utility function, so we must create it ourselves. This consists
// of creating an arena, allocating space for the CERTCertificateList,
// and then transferring ownership of the arena to that list.
ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena) {
PrintPRError("PORT_NewArena failed");
return SECFailure;
}
certList.reset(static_cast<CERTCertificateList*>(
PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList))));
if (!certList) {
PrintPRError("PORT_ArenaAlloc failed");
return SECFailure;
}
certList->arena = arena.forget();
// We also have to manually copy the certificates we care about to the
// list, because there aren't any utility functions for that either.
certList->certs = reinterpret_cast<SECItem*>(
PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem)));
if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert)
!= SECSuccess) {
PrintPRError("SECITEM_CopyItem failed");
return SECFailure;
}
if (SECITEM_CopyItem(certList->arena, certList->certs + 1,
&issuerCert->derCert) != SECSuccess) {
PrintPRError("SECITEM_CopyItem failed");
return SECFailure;
}
certList->len = 2;
}
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
UniqueSECKEYPrivateKey key(
PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr));
if (!key) {
PrintPRError("PK11_FindKeyByDERCert failed");
return SECFailure;
}
SSLKEAType certKEA = NSS_FindCertKEAType(cert);
if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(),
key.get(), certKEA) != SECSuccess) {
PrintPRError("SSL_ConfigSecureServer failed");
return SECFailure;
}
if (certOut) {
*certOut = cert.forget();
}
if (keaOut) {
*keaOut = certKEA;
}
return SECSuccess;
}
