Allow only qualified TimeStamp-s (#640)

IB-8250

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

.github/workflows/build.yml

@@ -66,7 +66,7 @@ jobs:
       with:
         name: ${{ matrix.target }}
         path: |
-          build/macos/libdigidocpp*.*
+          build/*/libdigidocpp*.*
           libdigidocpp*.zip
   fedora:
     name: Build on Fedora ${{ matrix.container }}
@@ -79,7 +79,7 @@ jobs:
     - name: Install Deps
       run: |
         dnf install -y --setopt=install_weak_deps=False \
-          ${FEDORA_DEPS} doxygen boost-test swig python3-devel java-21-openjdk-devel rpm-build git
+          ${FEDORA_DEPS} doxygen boost-test swig python3-devel java-21-openjdk-devel rpm-build
     - name: Checkout
       uses: actions/checkout@v4
     - name: Build
@@ -105,7 +105,7 @@ jobs:
       DEBEMAIL: [email protected]
     steps:
     - name: Install dependencies
-      run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-11-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
+      run: apt update -qq && apt install --no-install-recommends -y lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-11-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
     - name: Checkout
       uses: actions/checkout@v4
     - name: Setup changelog

src/crypto/TSL.cpp

@@ -80,17 +80,13 @@ constexpr array SERVICESTATUS_END {
 
 constexpr array SERVICES_SUPPORTED {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
-    //"http://uri.etsi.org/TrstSvc/Svctype/CA/PKC", //???
-    //"http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QC", //???
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
     "http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA",
     "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC", //???
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES", //???
 };
 
 template<typename C, typename T>
+[[nodiscard]]
 constexpr bool contains(const C &list, const T &value)
 {
     return find(list.begin(), list.end(), value) != list.end();

src/crypto/X509CertStore.cpp

@@ -35,15 +35,19 @@
 using namespace digidoc;
 using namespace std;
 
+template<typename C, typename T>
+[[nodiscard]]
+constexpr bool contains(const C &list, const T &value)
+{
+    return find(list.begin(), list.end(), std::forward<decltype(value)>(value)) != list.end();
+};
+
 const X509CertStore::Type X509CertStore::CA {
     "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",
 };
 
 const X509CertStore::Type X509CertStore::TSA {
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA",
     "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC",
-    "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES",
 };
 
 const X509CertStore::Type X509CertStore::OCSP {
@@ -240,29 +244,24 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
     const vector<string> policies = cert.certificatePolicies();
     const vector<string> qcstatement = cert.qcStatements();
     const vector<X509Cert::KeyUsage> keyUsage = cert.keyUsage();
-    auto containsPolicy = [&policies](const string &policy) {
-        return find(policies.cbegin(), policies.cend(), policy) != policies.cend();
-    };
-    auto containsQCStatement = [&qcstatement](const string &statement) {
-        return find(qcstatement.cbegin(), qcstatement.cend(), statement) != qcstatement.cend();
-    };
-
-    bool isQCCompliant = containsQCStatement(X509Cert::QC_COMPLIANT);
+    bool isQCCompliant = contains(qcstatement, X509Cert::QC_COMPLIANT);
     bool isQSCD =
-        containsPolicy(X509Cert::QCP_PUBLIC_WITH_SSCD) ||
-        containsPolicy(X509Cert::QCP_LEGAL_QSCD) ||
-        containsPolicy(X509Cert::QCP_NATURAL_QSCD) ||
-        containsQCStatement(X509Cert::QC_SSCD);
+        contains(policies, X509Cert::QCP_PUBLIC_WITH_SSCD) ||
+        contains(policies, X509Cert::QCP_LEGAL_QSCD) ||
+        contains(policies, X509Cert::QCP_NATURAL_QSCD) ||
+        contains(qcstatement, X509Cert::QC_SSCD);
 
-    bool isESeal =  // Special treamtent for E-Seals
-        containsPolicy(X509Cert::QCP_LEGAL) ||
-        containsQCStatement(X509Cert::QCT_ESEAL);
-    auto matchPolicySet = [&containsPolicy](const vector<string> &policySet){
-        return all_of(policySet.cbegin(), policySet.cend(), containsPolicy);
+    bool isESeal = // Special treamtent for E-Seals
+        contains(policies, X509Cert::QCP_LEGAL) ||
+        contains(qcstatement, X509Cert::QCT_ESEAL);
+    auto matchPolicySet = [&policies](const vector<string> &policySet){
+        return all_of(policySet.cbegin(), policySet.cend(), [&policies](const string &policy) {
+            return contains(policies, policy);
+        });
     };
     auto matchKeyUsageSet = [&keyUsage](const map<X509Cert::KeyUsage,bool> &keyUsageSet){
         return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](pair<X509Cert::KeyUsage, bool> keyUsageBit){
-            return (find(keyUsage.cbegin(), keyUsage.cend(), keyUsageBit.first) != keyUsage.cend()) == keyUsageBit.second;
+            return contains(keyUsage, keyUsageBit.first) == keyUsageBit.second;
         });
     };