Add new OCSP access certificate and use when old is expired (#250)

IB-5272
- port of qdigidoc dd4dfd9, open-eid/qdigidoc@dd4dfd9
- Debian packaging improvements

Signed-off-by: Toomas Uudisaru <toomas.uudisaru@aktors.ee>

Author: uudisaru

.travis.yml

@@ -19,11 +19,11 @@ before_install:
 - git submodule update --init --recursive && if [ "${TRAVIS_OS_NAME}" = "osx" ]; then
     command curl -sSL https://rvm.io/mpapis.asc | gpg --import -;
     rvm get stable;
-    brew install --force openssl;
+    brew update && brew install --force openssl;
     curl -s --location "https://bootstrap.pypa.io/get-pip.py" -o get-pip.py;
     python get-pip.py --user;
     curl -s --location "https://github.com/open-eid/libdigidoc/releases/download/v3.10.3/libdigidoc_3.10.3.1214.pkg" -o libdigidoc.pkg;
-    curl -s --location "https://github.com/open-eid/libdigidocpp/releases/download/v3.13.2/libdigidocpp_3.13.2.1360.pkg" -o libdigidocpp.pkg;
+    curl -s --location "https://github.com/open-eid/libdigidocpp/releases/download/v3.13.5/libdigidocpp_3.13.5.1369.pkg" -o libdigidocpp.pkg;
     sudo installer -verboseR -pkg libdigidoc.pkg -target /;
     sudo installer -verboseR -pkg libdigidocpp.pkg -target /;
     HASH=($(shasum prepare_osx_build_environment.sh | cut -d ' ' -f 1));
@@ -46,31 +46,35 @@ script: case ${TARGET} in
     make zipdebug macdeployqt zip && cp qdigidoc4*.zip ./$BUILD_NUMBER/ && cd ..;
     ;;
   *)
-    docker run -e BUILD_NUMBER=${TRAVIS_BUILD_NUMBER} -e DEBFULLNAME="Travis" -e DEBEMAIL="travis-ci@travis" -e COVERITY_SCAN_TOKEN=${COVERITY_SCAN_TOKEN} -e TRAVIS_BRANCH=${TRAVIS_BRANCH} -e IMAGE=${TARGET} -v $(pwd):$(pwd) -t "${TARGET}" /bin/bash -c "cd $(pwd);"'
+    docker run -e BUILD_NUMBER=${BUILD_NUMBER} -e COVERITY_SCAN_TOKEN=${COVERITY_SCAN_TOKEN} -e TRAVIS_BRANCH=${TRAVIS_BRANCH} -e IMAGE=${TARGET} -v $(pwd):$(pwd) -t "${TARGET}" /bin/bash -c "cd $(pwd);"'
       set -e;
       apt-get update -qq; 
-      apt-get install -y apt-transport-https curl dh-make devscripts dpkg-dev cdbs cmake libldap2-dev libpcsclite-dev libssl-dev qtbase5-dev libqt5svg5-dev qttools5-dev qttools5-dev-tools gettext git curl wget ruby;
+      apt-get install -y apt-transport-https curl dh-make devscripts cdbs cmake libldap2-dev gettext libpcsclite-dev libssl-dev libqt5svg5-dev qttools5-dev git curl wget ruby;
       curl https://installer.id.ee/media/install-scripts/ria-public.key | apt-key add -;
       curl https://installer.id.ee/media/install-scripts/C6C83D68.pub | apt-key add -;
       echo "deb http://installer.id.ee/media/ubuntu/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/repo.list;
       apt-get update -qq;
       apt-get install -y libdigidocpp-dev;
       export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}").${BUILD_NUMBER};
+      export DEBFULLNAME="Travis";
+      export DEBEMAIL="travis-ci@travis";
       dh_make --createorig --addmissing --copyright lgpl2 --defaultless -y -p qdigidoc4_${VERSION};
+      mkdir -p tmp/build && cp ../qdigidoc4_${VERSION}.orig.tar.xz tmp/ && cd tmp/build;
+      tar xf ../qdigidoc4_${VERSION}.orig.tar.xz;
       dch --distribution $(lsb_release -cs) -v ${VERSION} "Release ${VERSION}.";
       dpkg-buildpackage -rfakeroot -us -uc;
       set +e;
       if [ "${IMAGE}" = "ubuntu:17.04" ]; then
         export COVERITY_SCAN_PROJECT_NAME="open-eid/DigiDoc4-Client";
         export COVERITY_SCAN_NOTIFICATION_EMAIL="toomas.uudisaru@gmail.com";
         export COVERITY_SCAN_BRANCH_PATTERN=coverity_scan;
-        export COVERITY_SCAN_BUILD_COMMAND_PREPEND="cmake -DBREAKPAD=\"\" .";
+        export COVERITY_SCAN_BUILD_COMMAND_PREPEND="cmake .";
         export COVERITY_SCAN_BUILD_COMMAND=make;
-        wget https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh;
-        bash travisci_build_coverity_scan.sh;
+        wget -O - https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash;
       fi;
+      cd ../..;
       mkdir -p build/$BUILD_NUMBER;
-      cp ../qdigidoc4_*.deb build/$BUILD_NUMBER';
+      cp tmp/qdigidoc4_*.deb build/$BUILD_NUMBER';
   esac
 deploy:
   provider: s3

CMakeLists.txt

@@ -6,7 +6,7 @@ if(POLICY CMP0063)
 	cmake_policy(SET CMP0063 NEW)
 endif()
 if(POLICY CMP0071)
-	cmake_policy(SET CMP0071 OLD)
+	cmake_policy(SET CMP0071 NEW)
 endif()
 project(qdigidoc4 VERSION 0.6.0)
 

client/AccessCert.cpp

@@ -106,16 +106,19 @@ void AccessCert::increment()
 
 bool AccessCert::isDefaultCert(const QSslCertificate &cert) const
 {
-	return QList<QByteArray>({
+	static const QList<QByteArray> list {
 		// CN = Sertifitseerimiskeskus AS, SN = 0E:EB:07
 		QByteArray::fromHex("8cb7b0f9aa8c1270422c6cf85d25134a47273758"),
 		// CN = Sertifitseerimiskeskus AS, SN = 10:CC:4F
 		QByteArray::fromHex("ab1cc8221912648e0780d48fba4e10ae71e1635e"),
 		// CN = DigiDoc3 Client ver 3.11, SN = 11:9E:E0
 		QByteArray::fromHex("97dfcf8894c908031694345a1452a9b5efce537d"),
 		// CN = DigiDoc3 Client ver 3.12, SN = 12:05:79
-		QByteArray::fromHex("2a704f8a69b1837426a3498008600512e78f84d6")
-	}).contains(cert.digest(QCryptographicHash::Sha1));
+		QByteArray::fromHex("2a704f8a69b1837426a3498008600512e78f84d6"),
+		// CN=Riigi Infos\xC3\xBCsteemi Amet, SN = da:98:09:46:6d:57:51:65:48:8b:b2:14:0d:9e:19:27
+		QByteArray::fromHex("aa8ee5735ec72d411bc88d39dec0b3648b1b4c81")
+	};
+	return list.contains(cert.digest(QCryptographicHash::Sha1));
 }
 
 bool AccessCert::installCert( const QByteArray &data, const QString &password )

client/CMakeLists.txt

@@ -21,7 +21,12 @@ qt5_wrap_ui( SOURCES MainWindow.ui dialogs/AddRecipients.ui dialogs/CertificateH
 	widgets/InfoStack.ui widgets/ItemList.ui widgets/MainAction.ui widgets/NoCardInfo.ui widgets/NoOtherId.ui widgets/OtherData.ui widgets/OtherId.ui 
 	widgets/PageIcon.ui widgets/SignatureItem.ui widgets/VerifyCert.ui widgets/WarningItem.ui widgets/WarningRibbon.ui )
 
-if( UNIX AND NOT APPLE )
+if( APPLE )
+	set( LDAP_LIBRARIES "-framework LDAP" )
+	set_source_files_properties( crypto/LdapSearch.cpp PROPERTIES COMPILE_FLAGS "-Wno-deprecated-declarations" )
+elseif( WIN32 )
+	set( LDAP_LIBRARIES Wldap32 )
+else()
 	find_package( Ldap REQUIRED )
 endif()
 
@@ -106,13 +111,6 @@ add_executable( ${PROGNAME} WIN32 MACOSX_BUNDLE
 	)
 add_manifest( ${PROGNAME} )
 
-if( APPLE )
-	set( LDAP_LIBRARIES "-framework LDAP" )
-	set_source_files_properties( crypto/LdapSearch.cpp PROPERTIES COMPILE_FLAGS "-Wno-deprecated-declarations" )
-elseif( WIN32 )
-	set( LDAP_LIBRARIES Wldap32 )
-endif()
-
 target_link_libraries( ${PROGNAME}
 	qdigidoccommon
 	Qt5::PrintSupport

debian/compat

@@ -1 +1 @@
-9
+10

debian/control

@@ -9,10 +9,8 @@ Build-Depends:
  libldap2-dev,
  libpcsclite-dev,
  libssl-dev,
- qtbase5-dev,
- libqt5svg5-dev,
  qttools5-dev,
- qttools5-dev-tools
+ libqt5svg5-dev
 Standards-Version: 0.2.0
 Homepage: https://github.com/open-eid/DigiDoc4-Client
 
@@ -21,8 +19,8 @@ Architecture: any
 Depends:
  opensc,
  fonts-liberation,
- pcscd,
- ${shlibs:Depends} ${misc:Depends}
+ ${shlibs:Depends},
+ ${misc:Depends}
 Conflicts:
  libdigidocpp0 (<<3.0)
 Replaces:
@@ -46,14 +44,4 @@ Description: Estonian digital signature application
  encrypting enables you to protect sensitive information from other
  people in the short term. The ID-card’s authentication certificate is
  used for encryption. A secure container file will be created upon
- encryption with the extension .cdoc.
-
-Package: qdigidoc4-dbg
-Architecture: any
-Section: debug
-Depends:
- libdigidocpp-dbg ${misc:Depends},
- qdigidoc4 (=${binary:Version})
-Description: Debugging symbols for qdigidoc4
- This package contains the debugging symbols for Estonian ID card digital
- signature desktop tools.
+ encryption with the extension .cdoc.