/**
 * Appends the signing certificate to the signature's KeyInfo as an X509Data element
 * carrying both the X509Certificate and the X509IssuerSerial.
 *
 * Only valid after sign() has produced the signature node: when the signature is not yet
 * signed the call is rejected, _error is set and nothing is appended.
 *
 * @param cert certificate to embed; its base64 encoding, issuer and serial are used.
 * @return true when the X509Data was appended, false when sign() has not been called yet.
 * @throws whatever rethrowWithMessage() raises for an XSECException from the XSEC layer.
 */
bool XmlSignature::addCertificateInfo(const X509Cert &cert) {
    // Guard clause: there is no signature node to append to before sign().
    if (!_signed) {
        _error = "addCertificateInfo() called prior to sign() method";
        return false;
    }
    try {
        DSIGKeyInfoX509 *x509Data = _signature->appendX509Data();
        // The XSEC API takes Xerces-encoded strings, so convert each value once up front.
        XercesString certB64{ cert.base64Encoded() };
        XercesString issuerName{ cert.issuer() };
        XercesString serialNumber{ cert.serial() };
        x509Data->appendX509Certificate(certB64);
        x509Data->setX509IssuerSerial(issuerName, serialNumber);
    } catch (XSECException &ex) {
        rethrowWithMessage(ex, "Failed to append certificate info");
    }
    return true;
}
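/**
 * Adds the signing certificate to the signature XML. The DER encoded X.509 certificate is
 * added to Signature->KeyInfo->X509Data->X509Certificate, and the certificate's digest,
 * issuer and serial are added to
 * Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate.
 *
 * Also selects the signature method: the configured digest URI combined with RSA or EC
 * depending on the key found in the certificate. For RSA keys with a modulus of at most
 * 128 bytes (1024-bit) whose certificate carries an Estonian ID-card policy OID, the
 * configured digest is replaced by SHA-224 because older cards cannot sign larger digests.
 * Note that this overrides the configured (typically stronger) digest method for those cards.
 *
 * @param x509 certificate that is used for signing the signature XML.
 */
void SignatureBES::setSigningCertificate(const X509Cert& x509)
{
    DEBUG("SignatureBES::setSigningCertificate()");

    string method = Conf::instance()->digestUri();
    X509Crypto key(x509);
    if(!key.rsaModulus().empty())
    {
        // Estonian ID-card specific hack for older cards, they support only max SHA224.
        // Applies only when the configured method is not already SHA-1/SHA-224, the
        // modulus is at most 128 bytes and the certificate carries one of the two
        // Estonian ID-card policy OID arcs. The modulus size is loop-invariant, so it
        // is checked once instead of per matching policy.
        if(method != URI_SHA1 && method != URI_SHA224 && key.rsaModulus().size() <= 128)
        {
            vector<string> pol = x509.certificatePolicies();
            for(vector<string>::const_iterator i = pol.begin(); i != pol.end(); ++i)
            {
                // compare(0, 22, ...) is a prefix match on the 22-character OID arc.
                if(i->compare(0, 22, "1.3.6.1.4.1.10015.1.1.") == 0 ||
                   i->compare(0, 22, "1.3.6.1.4.1.10015.3.1.") == 0)
                {
                    method = URI_SHA224;
                    break;
                }
            }
        }
        signature->signedInfo().signatureMethod(Uri(Digest::toRsaUri(method)));
    }
    else
        signature->signedInfo().signatureMethod(Uri(Digest::toEcUri(method)));

    // Signature->KeyInfo->X509Data->X509Certificate
    // Base64 of the DER-encoded certificate (the PEM body without the BEGIN/END lines).
    X509DataType x509Data;
    x509Data.x509Certificate().push_back(toBase64(x509));
    KeyInfoType keyInfo;
    keyInfo.x509Data().push_back(x509Data);
    signature->keyInfo(keyInfo);

    // Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate
    // Digest of the certificate plus its issuer/serial. A stack object replaces the former
    // auto_ptr<Digest>: same lifetime, no heap allocation, no deprecated smart pointer.
    Digest digest;
    digest.update(x509);
    CertIDListType signingCertificate;
    signingCertificate.cert().push_back(CertIDType(
        DigestAlgAndValueType(DigestMethodType(digest.uri()), toBase64(digest.digest())),
        X509IssuerSerialType(x509.issuerName(), x509.serial())));
    getSignedSignatureProperties().signingCertificate(signingCertificate);
}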
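/**
 * Adds the signing certificate to the signature XML. The DER encoded X.509 certificate is
 * added to Signature->KeyInfo->X509Data->X509Certificate, and the certificate's digest,
 * issuer and serial are added to
 * Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate.
 *
 * Both elements are built from the same certificate object, so the SigningCertificate
 * digest always describes the certificate placed in KeyInfo.
 *
 * @param x509 certificate that is used for signing the signature XML.
 */
void SignatureBES::setSigningCertificate(const X509Cert& x509)
{
    DEBUG("SignatureBES::setSigningCertificate()");

    // Signature->KeyInfo->X509Data->X509Certificate
    // Base64 of the DER-encoded certificate (the PEM body without the BEGIN/END lines).
    X509DataType x509Data;
    x509Data.x509Certificate().push_back(toBase64(x509));
    KeyInfoType keyInfo;
    keyInfo.x509Data().push_back(x509Data);
    signature->keyInfo(keyInfo);

    // Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate
    // Digest of the certificate (algorithm taken from the Digest object) plus issuer/serial.
    Digest digest;
    digest.update(x509);
    CertIDListType signingCertificate;
    signingCertificate.cert().push_back(CertIDType(
        DigestAlgAndValueType(DigestMethodType(digest.uri()), toBase64(digest.result())),
        X509IssuerSerialType(x509.issuerName(), x509.serial())));
    getSignedSignatureProperties().signingCertificate(signingCertificate);
}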