Exemplo n.º 1
0
TS::TS(const string &url, const Digest &digest, const string &useragent)
{
    SCOPE(TS_REQ, req, TS_REQ_new());
    TS_REQ_set_version(req.get(), 1);
    TS_REQ_set_cert_req(req.get(), 1);

    SCOPE(X509_ALGOR, algo, X509_ALGOR_new());
    algo->algorithm = OBJ_nid2obj(Digest::toMethod(digest.uri()));
    algo->parameter = ASN1_TYPE_new();
    algo->parameter->type = V_ASN1_NULL;

    SCOPE(TS_MSG_IMPRINT, msg_imprint, TS_MSG_IMPRINT_new());
    TS_MSG_IMPRINT_set_algo(msg_imprint.get(), algo.get());
    vector<unsigned char> digestdata = digest.result();
    TS_MSG_IMPRINT_set_msg(msg_imprint.get(), digestdata.data(), int(digestdata.size()));
    TS_REQ_set_msg_imprint(req.get(), msg_imprint.get());

#if 0
    if(!policy.empty())
    {
        SCOPE(ASN1_OBJECT, obj, OBJ_txt2obj(policy.c_str(), 0));
        TS_REQ_set_policy_id(req.get(), obj.get());
    }
#endif

    SCOPE(ASN1_INTEGER, nonce, ASN1_INTEGER_new());
    nonce->length = 20;
    nonce->data = (unsigned char*)OPENSSL_malloc(nonce->length);
    nonce->data[0] = 0;
    while(nonce->data[0] == 0) // Make sure that first byte is not 0x00
        RAND_bytes(nonce->data, nonce->length);
    TS_REQ_set_nonce(req.get(), nonce.get());

    int len = i2d_TS_REQ(req.get(), 0);
    vector<unsigned char> data(len, 0);
    unsigned char *p = data.data();
    i2d_TS_REQ(req.get(), &p);

    string result = Connect(url, "POST", 0, useragent).exec({
        {"Content-Type", "application/timestamp-query"},
        {"Accept", "application/timestamp-reply"},
        {"Connection", "Close"},
        {"Cache-Control", "no-cache"}
    }, data).content;

    const unsigned char *p2 = (const unsigned char*)result.c_str();
    SCOPE(TS_RESP, resp, d2i_TS_RESP(0, &p2, long(result.size())));
    if(!resp)
        THROW_OPENSSLEXCEPTION("Failed to parse TS response.");

    SCOPE(TS_VERIFY_CTX, ctx, TS_VERIFY_CTX_new());
    ctx->flags = TS_VFY_NONCE|TS_VFY_VERSION;
    ctx->nonce = nonce.release();
    if(TS_RESP_verify_response(ctx.get(), resp.get()) != 1)
        THROW_OPENSSLEXCEPTION("Failed to verify TS response.");

    d.reset(resp->token, function<void(PKCS7*)>(PKCS7_free));
    resp->token = nullptr;
}
Exemplo n.º 2
0
/**
 * Adds signing certificate to the signature XML. The DER encoded X.509 certificate is added to
 * Signature->KeyInfo->X509Data->X509Certificate. Certificate info is also added to
 * Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate.
 *
 * @param cert certificate that is used for signing the signature XML.
 */
void SignatureBES::setSigningCertificate(const X509Cert& x509)
{
    DEBUG("SignatureBES::setSigningCertificate()");
    // Signature->KeyInfo->X509Data->X509Certificate
    // BASE64 encoding of a DER-encoded X.509 certificate = PEM encoded.
    X509DataType x509Data;
    x509Data.x509Certificate().push_back(toBase64(x509));

    KeyInfoType keyInfo;
    keyInfo.x509Data().push_back(x509Data);
    signature->keyInfo(keyInfo);

    // Signature->Object->QualifyingProperties->SignedProperties->SignedSignatureProperties->SigningCertificate
    // Calculate digest of the X.509 certificate.
    Digest digest;
    digest.update(x509);
    CertIDListType signingCertificate;
    signingCertificate.cert().push_back(CertIDType(
        DigestAlgAndValueType(DigestMethodType(digest.uri()), toBase64(digest.result())),
        X509IssuerSerialType(x509.issuerName(), x509.serial())));

    getSignedSignatureProperties().signingCertificate(signingCertificate);
}