Add SHA1 warning to timestamp digest (#409)

IB-6916 Signed-off-by: Raul Metsma <raul@metsma.ee>
open-eid · May 18, 2021 · a48cb04 · a48cb04
1 parent e11e62c
commit a48cb04
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 40 deletions.
diff --git a/src/Exception.cpp b/src/Exception.cpp
@@ -85,6 +85,8 @@ std::vector<Exception::ExceptionCode> Exception::ignores {};
  * DDoc warning: &lt;X509IssuerName&gt; and/or &lt;X509IssuerSerial&gt; XML element is missing xmlns attribute
  * @var digidoc::Exception::ProducedATLateWarning
  * TimeStamp and OCSP time difference is more than 15 minutes
+ * @var digidoc::Exception::MimeTypeWarning
+ * Mime type is not conformant mime-type strings
  *
  * @var digidoc::Exception::DDocError
  * DDoc libdigidoc error codes bit masked

diff --git a/src/SiVaContainer.cpp b/src/SiVaContainer.cpp
@@ -86,6 +86,13 @@ void SignatureSiVa::validate(const string &policy) const
     Exception e(EXCEPTION_PARAMS("Signature validation"));
     for(const Exception &exception: _exceptions)
         e.addCause(exception);
+    if(!Exception::hasWarningIgnore(Exception::SignatureDigestWeak) &&
+        (_signatureMethod == URI_RSA_SHA1 || _signatureMethod == URI_ECDSA_SHA1))
+    {
+        Exception ex(EXCEPTION_PARAMS("Signature digest weak"));
+        ex.setCode(Exception::SignatureDigestWeak);
+        e.addCause(ex);
+    }
     if(_indication == "TOTAL-PASSED")
     {
         if(QES.count(_signatureLevel) || _signatureLevel.empty() || policy == POLv1)

diff --git a/src/SignatureTST.cpp b/src/SignatureTST.cpp
@@ -94,10 +94,19 @@ void SignatureTST::validate() const
     {
         try
         {
-            Digest digest(timestampToken->digestMethod());
+            const string digestMethod = timestampToken->digestMethod();
+            Digest digest(digestMethod);
             auto dataFile = static_cast<const DataFilePrivate*>(asicSDoc->dataFiles().front());
             dataFile->calcDigest(&digest);
             timestampToken->verify(digest);
+
+            if(digestMethod == URI_SHA1 &&
+                !Exception::hasWarningIgnore(Exception::ReferenceDigestWeak))
+            {
+                Exception e(EXCEPTION_PARAMS("TimeStamp '%s' digest weak", digestMethod.c_str()));
+                e.setCode(Exception::ReferenceDigestWeak);
+                exception.addCause(e);
+            }
         }
         catch (const Exception& e)
         {
@@ -114,7 +123,7 @@ std::vector<unsigned char> SignatureTST::dataToSign() const
     THROW("Not implemented.");
 }
 
-void SignatureTST::setSignatureValue(const std::vector<unsigned char> &)
+void SignatureTST::setSignatureValue(const std::vector<unsigned char> & /*signatureValue*/)
 {
     THROW("Not implemented.");
 }

diff --git a/src/SignatureTST.h b/src/SignatureTST.h
@@ -27,28 +27,28 @@
 namespace digidoc
 {
 
-class SignatureTST: public Signature
+class SignatureTST final: public Signature
 {
 public:
     SignatureTST(std::unique_ptr<std::istream> sigdata, ASiC_S *asicSDoc);
-    virtual ~SignatureTST();
+    ~SignatureTST();
 
-    virtual std::string trustedSigningTime() const override;
+    std::string trustedSigningTime() const final;
 
-    X509Cert TimeStampCertificate() const override;
-    std::string TimeStampTime() const override;
+    X509Cert TimeStampCertificate() const final;
+    std::string TimeStampTime() const final;
 
     // DSig properties
-    std::string id() const override;
-    std::string claimedSigningTime() const override;
-    X509Cert signingCertificate() const override;
-    std::string signatureMethod() const override;
-    void validate() const override;
-    std::vector<unsigned char> dataToSign() const override;
-    void setSignatureValue(const std::vector<unsigned char> &signatureValue) override;
+    std::string id() const final;
+    std::string claimedSigningTime() const final;
+    X509Cert signingCertificate() const final;
+    std::string signatureMethod() const final;
+    void validate() const final;
+    std::vector<unsigned char> dataToSign() const final;
+    void setSignatureValue(const std::vector<unsigned char> &signatureValue) final;
 
     // Xades properties
-    std::string profile() const override;
+    std::string profile() const final;
 
 private:
     DISABLE_COPY(SignatureTST);

diff --git a/src/SignatureXAdES_LTA.cpp b/src/SignatureXAdES_LTA.cpp
@@ -55,10 +55,6 @@ using namespace xercesc;
 using namespace xml_schema;
 using namespace std;
 
-SignatureXAdES_LTA::SignatureXAdES_LTA(unsigned int id, ASiContainer *bdoc, Signer *signer): SignatureXAdES_LT(id, bdoc, signer) {}
-
-SignatureXAdES_LTA::SignatureXAdES_LTA(std::istream &sigdata, ASiContainer *bdoc, bool relaxSchemaValidation): SignatureXAdES_LT(sigdata, bdoc, relaxSchemaValidation) {}
-
 void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest) const
 {
     try {
@@ -120,8 +116,7 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest) const
         THROW("Failed to calculate digest");
     }
 
-    vector<string> list = {"SignedInfo", "SignatureValue", "KeyInfo"};
-    for(const string &name: list)
+    for(const string &name: {"SignedInfo", "SignatureValue", "KeyInfo"})
     {
         try {
             calcDigestOnNode(digest, URI_ID_DSIG, name);
@@ -130,18 +125,17 @@ void SignatureXAdES_LTA::calcArchiveDigest(Digest *digest) const
         }
     }
 
-    list = {
-        "SignatureTimeStamp",
-        "CounterSignature",
-        "CompleteCertificateRefs",
-        "CompleteRevocationRefs",
-        "AttributeCertificateRefs",
-        "AttributeRevocationRefs",
-        "CertificateValues",
-        "RevocationValues",
-        "SigAndRefsTimeStamp",
-        "RefsOnlyTimeStamp" };
-    for(const string &name: list)
+    for(const string &name: {
+             "SignatureTimeStamp",
+             "CounterSignature",
+             "CompleteCertificateRefs",
+             "CompleteRevocationRefs",
+             "AttributeCertificateRefs",
+             "AttributeRevocationRefs",
+             "CertificateValues",
+             "RevocationValues",
+             "SigAndRefsTimeStamp",
+             "RefsOnlyTimeStamp" })
     {
         try {
             calcDigestOnNode(digest, XADES_NAMESPACE, name);
@@ -234,6 +228,14 @@ void SignatureXAdES_LTA::validate(const string &policy) const
         Digest calc(tsa.digestMethod());
         calcArchiveDigest(&calc);
         tsa.verify(calc);
+
+        if(tsa.digestMethod() == URI_SHA1 &&
+            !Exception::hasWarningIgnore(Exception::ReferenceDigestWeak))
+        {
+            Exception e(EXCEPTION_PARAMS("TimeStamp '%s' digest weak", tsa.digestMethod().c_str()));
+            e.setCode(Exception::ReferenceDigestWeak);
+            exception.addCause(e);
+        }
     } catch(const Exception &e) {
         exception.addCause(e);
     }

diff --git a/src/SignatureXAdES_LTA.h b/src/SignatureXAdES_LTA.h
@@ -25,16 +25,15 @@ namespace digidoc
 {
 
 class TS;
-class SignatureXAdES_LTA: public SignatureXAdES_LT
+class SignatureXAdES_LTA final: public SignatureXAdES_LT
 {
 public:
-    SignatureXAdES_LTA(unsigned int id, ASiContainer *bdoc, Signer *signer);
-    SignatureXAdES_LTA(std::istream &sigdata, ASiContainer *bdoc, bool relaxSchemaValidation = false);
+    using SignatureXAdES_LT::SignatureXAdES_LT;
 
-    X509Cert ArchiveTimeStampCertificate() const override;
-    std::string ArchiveTimeStampTime() const override;
-    void validate(const std::string &policy) const override;
-    void extendSignatureProfile(const std::string &profile) override;
+    X509Cert ArchiveTimeStampCertificate() const final;
+    std::string ArchiveTimeStampTime() const final;
+    void validate(const std::string &policy) const final;
+    void extendSignatureProfile(const std::string &profile) final;
 
 private:
     DISABLE_COPY(SignatureXAdES_LTA);

diff --git a/src/SignatureXAdES_T.cpp b/src/SignatureXAdES_T.cpp
@@ -161,6 +161,14 @@ void SignatureXAdES_T::validate(const std::string &policy) const
         time_t validateTime = util::date::ASN1TimeToTime_t(tsa.time());
         if(!signingCertificate().isValid(&validateTime))
             THROW("Signing certificate was not valid on signing time");
+
+        if(tsa.digestMethod() == URI_SHA1 &&
+            !Exception::hasWarningIgnore(Exception::ReferenceDigestWeak))
+        {
+            Exception e(EXCEPTION_PARAMS("TimeStamp '%s' digest weak", tsa.digestMethod().c_str()));
+            e.setCode(Exception::ReferenceDigestWeak);
+            exception.addCause(e);
+        }
     } catch(const Exception &e) {
         exception.addCause(e);
     }