Add expire date to label

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

cdoc/CDoc2Writer.cpp

@@ -97,15 +97,15 @@ CDoc2Writer::writeHeader(const std::vector<libcdoc::Recipient> &recipients)
 }
 
 static flatbuffers::Offset<cdoc20::header::RecipientRecord>
-createRSACapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::Recipient& rcpt, const std::vector<uint8_t>& encrypted_kek, const std::vector<uint8_t>& xor_key)
+createRSACapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::Recipient& rcpt, const std::vector<uint8_t>& encrypted_kek, uint64_t expiry_time, const std::vector<uint8_t>& xor_key)
 {
     auto capsule = cdoc20::recipients::CreateRSAPublicKeyCapsule(builder,
                                                                  builder.CreateVector(rcpt.rcpt_key),
                                                                  builder.CreateVector(encrypted_kek));
     return cdoc20::header::CreateRecipientRecord(builder,
                                                         cdoc20::header::Capsule::recipients_RSAPublicKeyCapsule,
                                                         capsule.Union(),
-                                                        builder.CreateString(rcpt.getLabel({})),
+                                                        builder.CreateString(rcpt.getLabel({{"x-expiry-time", expiry_time == 0 ? std::string() : std::to_string(expiry_time)}})),
                                                         builder.CreateVector(xor_key),
                                                         cdoc20::header::FMKEncryptionMethod::XOR);
 }
@@ -129,7 +129,7 @@ createRSAServerCapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::R
 }
 
 static flatbuffers::Offset<cdoc20::header::RecipientRecord>
-createECCCapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::Recipient& rcpt, const std::vector<uint8_t>& eph_public_key, const std::vector<uint8_t>& xor_key)
+createECCCapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::Recipient& rcpt, const std::vector<uint8_t>& eph_public_key, uint64_t expiry_time, const std::vector<uint8_t>& xor_key)
 {
     auto capsule = cdoc20::recipients::CreateECCPublicKeyCapsule(builder,
                                                                  cdoc20::recipients::EllipticCurve::secp384r1,
@@ -138,7 +138,7 @@ createECCCapsule(flatbuffers::FlatBufferBuilder& builder, const libcdoc::Recipie
     return cdoc20::header::CreateRecipientRecord(builder,
                                                         cdoc20::header::Capsule::recipients_ECCPublicKeyCapsule,
                                                         capsule.Union(),
-                                                        builder.CreateString(rcpt.getLabel({})),
+                                                        builder.CreateString(rcpt.getLabel({{"x-expiry-time", expiry_time == 0 ? std::string() : std::to_string(expiry_time)}})),
                                                         builder.CreateVector(xor_key),
                                                         cdoc20::header::FMKEncryptionMethod::XOR);
 }
@@ -285,7 +285,7 @@ CDoc2Writer::buildHeader(std::vector<uint8_t>& header, const std::vector<libcdoc
                     auto record = createRSAServerCapsule(builder, rcpt, cinfo.transaction_id, cinfo.expiry_time, xor_key);
                     fb_rcpts.push_back(std::move(record));
                 } else {
-                    auto record = createRSACapsule(builder, rcpt, key_material, xor_key);
+                    auto record = createRSACapsule(builder, rcpt, key_material, rcpt.expiry_ts, xor_key);
                     fb_rcpts.push_back(std::move(record));
                 }
             } else {
@@ -320,7 +320,7 @@ CDoc2Writer::buildHeader(std::vector<uint8_t>& header, const std::vector<libcdoc
                     auto record = createECCServerCapsule(builder, rcpt, cinfo.transaction_id, cinfo.expiry_time, xor_key);
                     fb_rcpts.push_back(std::move(record));
                 } else {
-                    auto record = createECCCapsule(builder, rcpt, key_material, xor_key);
+                    auto record = createECCCapsule(builder, rcpt, key_material, rcpt.expiry_ts, xor_key);
                     fb_rcpts.push_back(std::move(record));
                 }
             }

cdoc/Certificate.cpp

@@ -74,6 +74,21 @@ Certificate::getSerialNumber() const
 	return getName(cert, NID_serialNumber);
 }
 
+time_t
+Certificate::getNotAfter() const
+{
+    if(!cert)
+        return 0;
+    tm tm{};
+    if(ASN1_TIME_to_tm(X509_get0_notAfter(cert.get()), &tm) != 1)
+        return 0;
+#ifdef _WIN32
+    return _mkgmtime(&tm);
+#else
+    return timegm(&tm);
+#endif
+}
+
 
 
 std::vector<std::string>
@@ -85,8 +100,8 @@ Certificate::policies() const
     if(!cert)
         return list;
 
-    auto p = static_cast<CERTIFICATEPOLICIES *>(X509_get_ext_d2i(cert.get(), NID_certificate_policies, nullptr, nullptr));
-    auto cp = std::unique_ptr<CERTIFICATEPOLICIES,decltype(&CERTIFICATEPOLICIES_free)>(p,CERTIFICATEPOLICIES_free);
+    auto cp = make_unique_cast<CERTIFICATEPOLICIES_free>(X509_get_ext_d2i(
+        cert.get(), NID_certificate_policies, nullptr, nullptr));
     if(!cp)
         return list;
 
@@ -122,7 +137,7 @@ Certificate::getAlgorithm() const
 	return (alg == EVP_PKEY_RSA) ? Algorithm::RSA : Algorithm::ECC;
 }
 
-std::vector<uint8_t> Certificate::getDigest()
+std::vector<uint8_t> Certificate::getDigest() const
 {
     if(!cert)
         return {};

cdoc/Certificate.h

@@ -50,8 +50,9 @@ class Certificate {
 
 	std::vector<uint8_t> getPublicKey() const;
     Algorithm getAlgorithm() const;
+    time_t getNotAfter() const;
 
-    std::vector<uint8_t> getDigest();
+    std::vector<uint8_t> getDigest() const;
 };
 
 } // Namespace

cdoc/Io.h

@@ -26,7 +26,7 @@
 
 namespace libcdoc {
 
-class DataSource;
+struct DataSource;
 
 /**
  * @brief The DataConsumer class

cdoc/Recipient.cpp

@@ -80,9 +80,10 @@ Recipient::makeCertificate(std::string label, std::vector<uint8_t> cert)
 	Recipient rcpt(Type::PUBLIC_KEY);
 	rcpt.label = std::move(label);
     rcpt.cert = std::move(cert);
-	Certificate ssl(rcpt.cert);
-    rcpt.rcpt_key = ssl.getPublicKey();
-    rcpt.pk_type = (ssl.getAlgorithm() == libcdoc::Certificate::RSA) ? PKType::RSA : PKType::ECC;
+	Certificate x509(rcpt.cert);
+    rcpt.rcpt_key = x509.getPublicKey();
+    rcpt.pk_type = (x509.getAlgorithm() == libcdoc::Certificate::RSA) ? PKType::RSA : PKType::ECC;
+    rcpt.expiry_ts = x509.getNotAfter();
 	return rcpt;
 }
 
@@ -138,26 +139,10 @@ Recipient::isTheSameRecipient(const std::vector<uint8_t>& public_key) const
     return rcpt_key == public_key;
 }
 
-static std::string
-buildLabel(std::vector<std::pair<std::string_view, std::string_view>> components)
-{
-    std::ostringstream ofs;
-    ofs << LABELPREFIX;
-    bool first = true;
-    for (auto& [key, value] : components) {
-        if (!value.empty()) {
-            if (!first) ofs << '&';
-            ofs << libcdoc::urlEncode(key) << '=' << libcdoc::urlEncode(value);
-            first = false;
-        }
-    }
-    return ofs.str();
-}
-
 static Recipient::EIDType
 getEIDType(const std::vector<std::string>& policies)
 {
-    for (std::vector<std::string>::const_reference policy : policies)
+    for (const auto& policy : policies)
     {
         if (policy.starts_with("1.3.6.1.4.1.51361.1.1.3") ||
             policy.starts_with("1.3.6.1.4.1.51361.1.2.3")) {
@@ -181,113 +166,101 @@ getEIDType(const std::vector<std::string>& policies)
     return Recipient::EIDType::Unknown;
 }
 
-static std::string
-BuildLabelEID(const std::vector<uint8_t>& cert)
+static void
+buildLabel(std::ostream& ofs, std::string_view type, const std::initializer_list<std::pair<std::string_view, std::string_view>> &components)
 {
-    Certificate x509(cert);
-    Recipient::EIDType type = getEIDType(x509.policies());
-    std::string cn = x509.getCommonName();
-    std::string sn = x509.getSerialNumber();
-    std::string gn = x509.getGivenName();
-    if (!gn.empty()) {
-        return buildLabel({
-            {"v", std::to_string(CDoc2::KEYLABELVERSION)},
-            {"type", eid_strs[type]},
-            {"cn", cn},
-            {"serial_number", sn}
-        });
-    } else {
-        return buildLabel({
-            {"v", std::to_string(CDoc2::KEYLABELVERSION)},
-            {"type", eid_strs[type]},
-            {"cn", cn},
-            {"serial_number", sn},
-            {"last_name", x509.getSurname()},
-            {"first_name", gn}
-        });
+    ofs << LABELPREFIX;
+    ofs << "v" << '=' << std::to_string(CDoc2::KEYLABELVERSION) << '&'
+        << "type" << '=' << type;
+    for (auto& [key, value] : components) {
+        if (value.empty())
+            continue;
+        ofs << '&';
+        ofs << libcdoc::urlEncode(key) << '=' << libcdoc::urlEncode(value);
     }
 }
 
-static std::string
-BuildLabelCertificate(std::string_view file, const std::vector<uint8_t>& cert)
+static void
+BuildLabelEID(std::ostream& ofs, Recipient::EIDType type, const Certificate& x509)
 {
-    Certificate x509(cert);
-    return buildLabel({
-        {"v", std::to_string(CDoc2::KEYLABELVERSION)},
-        {"type", "cert"},
+    buildLabel(ofs, eid_strs[type], {
+        {"cn", x509.getCommonName()},
+        {"serial_number", x509.getSerialNumber()},
+        {"last_name", x509.getSurname()},
+        {"first_name", x509.getGivenName()},
+    });
+}
+
+static void
+BuildLabelCertificate(std::ostream &ofs, std::string_view file, const Certificate& x509)
+{
+    buildLabel(ofs, "cert", {
         {"file", file},
         {"cn", x509.getCommonName()},
         {"cert_sha1", toHex(x509.getDigest())}
     });
 }
 
-static std::string
-BuildLabelPublicKey(int version, const std::string file)
+static void
+BuildLabelPublicKey(std::ostream &ofs, const std::string file)
 {
-    return buildLabel({
-        {"v", std::to_string(version)},
-        {"type", "pub_key"},
+    buildLabel(ofs, "pub_key", {
         {"file", file}
     });
 }
 
-static std::string
-BuildLabelSymmetricKey(int version, const std::string& label, const std::string file)
+static void
+BuildLabelSymmetricKey(std::ostream &ofs, const std::string& label, const std::string file)
 {
-    return buildLabel({
-        {"v", std::to_string(version)},
-        {"type", "secret"},
+    buildLabel(ofs, "secret", {
         {"label", label},
         {"file", file}
     });
 }
 
-static std::string
-BuildLabelPassword(int version, const std::string& label)
+static void
+BuildLabelPassword(std::ostream &ofs, const std::string& label)
 {
-    return buildLabel({
-        {"v", std::to_string(version)},
-        {"type", "pw"},
+    buildLabel(ofs, "pw", {
         {"label", label}
     });
 }
 
 std::string
-Recipient::getLabel(std::vector<std::pair<std::string_view, std::string_view>> extra) const
+Recipient::getLabel(const std::vector<std::pair<std::string_view, std::string_view>> &extra) const
 {
     LOG_DBG("Generating label");
     if (!label.empty()) return label;
     std::ostringstream ofs;
     switch(type) {
-		case NONE:
+        case NONE:
             LOG_DBG("The recipient is not initialized");
             break;
         case SYMMETRIC_KEY:
             if (kdf_iter > 0) {
-                ofs << BuildLabelPassword(CDoc2::KEYLABELVERSION, key_name);
+                BuildLabelPassword(ofs, key_name);
             } else {
-                ofs << BuildLabelSymmetricKey(CDoc2::KEYLABELVERSION, key_name, file_name);
+                BuildLabelSymmetricKey(ofs, key_name, file_name);
             }
         case PUBLIC_KEY:
             if (!cert.empty()) {
                 Certificate x509(cert);
-                EIDType eid_type = getEIDType(x509.policies());
-                if (eid_type != EIDType::Unknown) {
-                    ofs << BuildLabelEID(cert);
+                if (auto type = getEIDType(x509.policies()); type != EIDType::Unknown) {
+                    BuildLabelEID(ofs, type, x509);
                 } else {
-                    ofs << BuildLabelCertificate(file_name, cert);
+                    BuildLabelCertificate(ofs, file_name, x509);
                 }
             } else {
-                ofs << BuildLabelPublicKey(CDoc2::KEYLABELVERSION, file_name);
+                BuildLabelPublicKey(ofs, file_name);
             }
         case KEYSHARE:
             break;
     }
     for (auto& [key, value] : extra) {
-        if (!value.empty()) {
-            ofs << '&';
-            ofs << libcdoc::urlEncode(key) << '=' << libcdoc::urlEncode(value);
-        }
+        if (value.empty())
+            continue;
+        ofs << '&';
+        ofs << libcdoc::urlEncode(key) << '=' << libcdoc::urlEncode(value);
     }
     LOG_DBG("Generated label: {}", ofs.str());
     return ofs.str();

cdoc/Recipient.h

@@ -80,20 +80,6 @@ struct CDOC_EXPORT Recipient {
         DigiID_EResident
     };
 
-    /**
-     * @brief Extra parameters for automatic label generation
-     */
-	enum Params : unsigned char {
-        /**
-         * @brief Name of symmetric key/password ('label')
-         */
-        LABEL,
-        /**
-         * @brief Public key or certificate filename ('file')
-         */
-        FILE
-	};
-
 	Recipient() = default;
 
     /**
@@ -257,7 +243,7 @@ struct CDOC_EXPORT Recipient {
      * @param extra additional parameter values to use
      * @return a label value
      */
-    std::string getLabel(std::vector<std::pair<std::string_view, std::string_view>> extra) const;
+    std::string getLabel(const std::vector<std::pair<std::string_view, std::string_view>> &extra) const;
 
     /**
      * @brief parse machine-readable CDoc2 label

cdoc/Utils.cpp

@@ -118,14 +118,13 @@ buildURL(const std::string& host, int port)
     return std::string("https://") + host + ":" + std::to_string(port) + "/";
 }
 
-std::string
-urlEncode(std::string_view src)
+std::ostream&
+operator<<(std::ostream& escaped, urlEncode src)
 {
-    std::ostringstream escaped;
     escaped.fill('0');
     escaped << std::hex;
 
-    for (auto c : src) {
+    for (auto c : src.src) {
         // Keep alphanumeric and other accepted characters intact
         if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
             escaped << c;
@@ -136,7 +135,7 @@ urlEncode(std::string_view src)
         escaped << '%' << std::setw(2) << int((unsigned char) c);
         escaped << std::nouppercase;
     }
-    return escaped.str();
+    return escaped;
 }
 
 std::string

cdoc/Utils.h

@@ -118,7 +118,11 @@ readAllBytes(std::string_view filename)
 int parseURL(const std::string& url, std::string& host, int& port, std::string& path, bool end_with_slash = false);
 std::string buildURL(const std::string& host, int port);
 
-std::string urlEncode(std::string_view src);
+struct urlEncode {
+    std::string_view src;
+    friend std::ostream& operator<<(std::ostream& escaped, urlEncode src);
+};
+
 std::string urlDecode(const std::string &src);
 
 } // namespace libcdoc