/**
* Set OCSP responder cert.
* @param x509 certificate that was used identify OCSP responder
*/
void digidoc::SignatureTM::setOCSPCertificate(const X509Cert& x509)
{
//XXX: copied from digidoc::Signature::setSigningCertificate
DEBUG("digidoc::SignatureTM::setOCSPCertificate()");
std::vector<unsigned char> derEncodedX509 = x509.encodeDER();
// Calculate SHA1 digest of the certificate.
std::auto_ptr<Digest> calc = Digest::create();
calc->update(derEncodedX509);
dsig::DigestMethodType digestMethod(xml_schema::Uri(calc->getUri()));
dsig::DigestValueType digestValue(xml_schema::Base64Binary(&calc->getDigest()[0], calc->getSize()));
xades::DigestAlgAndValueType certDigest(digestMethod, digestValue);
// Add certificate issuer info.
dsig::X509IssuerSerialType issuerSerial(xml_schema::String(x509.getIssuerName()), xml_schema::Integer(x509.getSerial()));
digidoc::xades::CertIDType cert(certDigest, issuerSerial);
xades::CertIDListType certList;
certList.cert().push_back(cert);
xades::CompleteCertificateRefsType certificateRefs(certList);
//certificateRefs.certRefs(certList);
unsignedSignatureProperties()->completeCertificateRefs().push_back(certificateRefs);
//CertificateValues
addCertificateValue(std::string("S0-RESPONDER_CERT"), x509);
}
/**
*
* return
* @throws SignatureException
*/
digidoc::OCSP::CertStatus digidoc::SignatureBES::validateOnline() const throw(SignatureException)
{
// FIXME: Add exception handling.
// Get signing signature.
X509Cert cert = getSigningCertificate();
// Get issuer certificate.
X509* issuerCert = X509CertStore::getInstance()->getCert(*(cert.getIssuerNameAsn1()));
X509_scope issuerCertScope(&issuerCert);
if(issuerCert == NULL)
{
THROW_SIGNATUREEXCEPTION("Failed to load issuer certificate.");
}
Conf* conf = Conf::getInstance();
// Get OCSP responder certificate.
// FIXME: throws IOException, handle it
Conf::OCSPConf ocspConf = conf->getOCSP(cert.getIssuerName());
if(ocspConf.issuer.empty())
{
SignatureException e(__FILE__, __LINE__, "Failed to find ocsp responder.");
e.setCode( Exception::OCSPResponderMissing );
throw e;
}
STACK_OF(X509)* ocspCerts = X509Cert::loadX509Stack(ocspConf.cert);
X509Stack_scope ocspCertsScope(&ocspCerts);
// Check the certificate validity from OCSP server.
try
{
OCSP ocsp;
ocsp.setSkew(120);//XXX: load from conf
ocsp.setOCSPCerts(ocspCerts);
ocsp.setUrl(ocspConf.url);
std::auto_ptr<Digest> calc = Digest::create();
calc->update(getSignatureValue());
return ocsp.checkCert(cert.getX509(), issuerCert, calc->getDigest());
}
catch(const IOException& e)
{
THROW_SIGNATUREEXCEPTION("Failed to check the certificate validity from OCSP server.");
}
catch(const OCSPException& e)
{
THROW_SIGNATUREEXCEPTION("Failed to check the certificate validity from OCSP server.");
}
return digidoc::OCSP::GOOD;
}
