
Commit 324b908

metsmakristelmerilain
authored andcommitted
Verify manifest timestamps
IB-8180 Signed-off-by: Raul Metsma <raul@metsma.ee>
1 parent fad3e40 commit 324b908


2 files changed

+30
-17
lines changed


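--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ jobs:
 target: [macos, iphoneos, iphonesimulator]
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Install dependencies
 run: |
 brew update
@@ -81,7 +81,7 @@ jobs:
 triplet: x64-android
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Expose Android NDK env
 shell: bash
 run: |
@@ -118,14 +118,14 @@ jobs:
 container: fedora:${{ matrix.container }}
 strategy:
 matrix:
-container: [41, 42, rawhide]
+container: [41, 42, 43, rawhide]
 steps:
 - name: Install Deps
 run: |
 dnf install -y --setopt=install_weak_deps=False \
 ${FEDORA_DEPS} doxygen boost-test swig python3-devel java-21-openjdk-devel rpm-build
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Build
 run: |
 cmake -DCMAKE_INSTALL_SYSCONFDIR=/etc -B build -S .
@@ -142,7 +142,7 @@ jobs:
 container: ubuntu:${{ matrix.container }}
 strategy:
 matrix:
-container: ['22.04', '24.04', '25.04']
+container: ['22.04', '24.04', '25.04', '25.10']
 arch: ['amd64', 'arm64']
 env:
 DEBIAN_FRONTEND: noninteractive
@@ -152,7 +152,7 @@ jobs:
 - name: Install dependencies
 run: apt update -qq && apt install --no-install-recommends -y lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-17-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Setup changelog
 run: |
 export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}")
@@ -188,7 +188,7 @@ jobs:
 CXXFLAGS: '/D_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR' # https://github.com/actions/runner-images/issues/10004
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Cache vcpkg
 uses: actions/cache@v4
 with:
@@ -235,7 +235,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Install dependencies
 run: sudo apt update -qq && sudo apt install --no-install-recommends -y doxygen ${UBUNTU_DEPS}
 - name: Build docs
@@ -257,7 +257,7 @@ jobs:
 PROJECTNAME: ${{ github.repository }}
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Install dependencies
 run: sudo apt update -qq && sudo apt install --no-install-recommends -y curl ca-certificates ${UBUNTU_DEPS}
 - name: Download Coverity Build Tool
@@ -292,7 +292,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 - name: Install dependencies
 run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS}
 - name: Initialize CodeQL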

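--- a/src/SignatureTST.cpp
+++ b/src/SignatureTST.cpp
@@ -39,6 +39,8 @@
 using namespace digidoc;
 using namespace std;
 
+constexpr const char* TST_MIMETYPE {"application/vnd.etsi.timestamp-token"};
+
 struct SignatureTST::Data {
 string name, mime, data;
 unique_ptr<map<string, vector<unsigned char>>> cache = make_unique<map<string, vector<unsigned char>>>();
@@ -59,7 +61,7 @@ struct SignatureTST::Data {
 if (auto it = cache->find(method); it != cache->cend()) {
 return it->second;
 }
-return (*cache)[std::move(method)] = digest({method}).result();
+return (*cache)[std::move(method)] = digest(Digest(method)).result();
 }
 };
 
@@ -94,7 +96,7 @@ SignatureTST::SignatureTST(bool manifest, const ZipSerialize &z, ASiC_S *asicSDo
 }
 }
 }
-metadata.emplace_back("META-INF/timestamp.tst", "application/vnd.etsi.timestamp-token", std::move(data));
+metadata.emplace_back("META-INF/timestamp.tst", TST_MIMETYPE, std::move(data));
 }
 
 SignatureTST::SignatureTST(ASiC_S *asicSDoc, Signer *signer)
@@ -105,7 +107,7 @@ SignatureTST::SignatureTST(ASiC_S *asicSDoc, Signer *signer)
 dataFile->digest(digest);
 timestampToken = make_unique<TS>(digest, signer->userAgent());
 vector<unsigned char> der = *timestampToken;
-metadata.emplace_back("META-INF/timestamp.tst", "application/vnd.etsi.timestamp-token", string{der.cbegin(), der.cend()});
+metadata.emplace_back("META-INF/timestamp.tst", TST_MIMETYPE, string{der.cbegin(), der.cend()});
 }
 
 SignatureTST::~SignatureTST() = default;
@@ -127,9 +129,9 @@ string SignatureTST::ArchiveTimeStampTime() const
 vector<TSAInfo> SignatureTST::ArchiveTimeStamps() const
 {
 vector<TSAInfo> result;
-for(auto i = metadata.crbegin(), end = next(metadata.crend(), 1); i != end; ++i)
+for(auto i = next(metadata.crbegin()), end = metadata.crend(); i != end; ++i)
 {
-if(i->mime != "application/vnd.etsi.timestamp-token")
+if(i->mime != TST_MIMETYPE)
 continue;
 TS ts((const unsigned char*)i->data.data(), i->data.size());
 result.push_back({ts.cert(), util::date::to_string(ts.time())});
@@ -149,7 +151,7 @@ void SignatureTST::extendSignatureProfile(Signer *signer)
 string tstName = nextName("META-INF/timestamp%03zu.tst");
 auto doc = XMLDocument::create("ASiCManifest", ASiContainer::ASIC_NS, "asic");
 auto ref = doc + "SigReference";
-ref.setProperty("MimeType", "application/vnd.etsi.timestamp-token");
+ref.setProperty("MimeType", TST_MIMETYPE);
 ref.setProperty("URI", tstName);
 
 auto addRef = [&doc](const string &name, string_view mime, bool root, const Digest &digest) {
@@ -185,7 +187,7 @@ void SignatureTST::extendSignatureProfile(Signer *signer)
 }, true);
 auto i = metadata.insert(metadata.cbegin(), {"META-INF/ASiCArchiveManifest.xml", "text/xml", std::move(data)});
 vector<unsigned char> der = TS(i->digest(), signer->userAgent());
-metadata.insert(next(i), {tstName, "application/vnd.etsi.timestamp-token", string{der.cbegin(), der.cend()}});
+metadata.insert(next(i), {tstName, TST_MIMETYPE, string{der.cbegin(), der.cend()}});
 }
 
 X509Cert SignatureTST::TimeStampCertificate() const
@@ -278,6 +280,17 @@ void SignatureTST::validate() const
 if(vector<unsigned char> digestValue = ref/DigestValue; digest != digestValue)
 THROW("Reference '%s' digest does not match", uri.c_str());
 }
+if(auto sigRef = doc/"SigReference"; sigRef["MimeType"] == TST_MIMETYPE)
+{
+const auto &uri = add.emplace_back(util::File::fromUriPath(sigRef["URI"]));
+auto j = find_if(metadata.cbegin(), metadata.cend(), [uri](const auto &d) { return d.name == uri; });
+if(j == metadata.cend())
+THROW("SigReference %s is missing", uri.c_str());
+TS ts((const unsigned char*)j->data.data(), j->data.size());
+ts.verify(i->digestCache(ts.digestMethod()));
+}
+else
+THROW("SigReference is missing");
 // Check if all files in previous scope are present
 for(const string &uri: list)
 {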
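Review bot: In the SigReference block added to validate() (new lines 283-293), the referenced entry is matched by name only, so a manifest can point its SigReference at any metadata entry and that entry's bytes go straight to the TS parser; since ArchiveTimeStamps() already relies on the stored `mime`, the lookup should check it too: `if(j == metadata.cend() || j->mime != TST_MIMETYPE)`. The digest algorithm passed to `ts.verify(...)` comes from the token itself via `ts.digestMethod()`, and nothing in the visible lines restricts it, so it is worth confirming that TS::verify or digestCache rejects weak algorithms. The `else` branch reports "SigReference is missing" even when the element is present with a different MimeType; a separate message for the mismatch would make a rejected container easier to diagnose. validate() starts and ends outside the hunk, so `i`, `doc` and `add` are presumably the current manifest entry, its parsed document and the list of referenced names.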
