Use SHA-256 for CertID

IB-6977

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

src/crypto/Digest.cpp

@@ -49,8 +49,7 @@ Digest::Digest(string_view uri)
 
 vector<unsigned char> Digest::digestInfoDigest(const std::vector<unsigned char> &digest)
 {
-    const unsigned char *p = digest.data();
-    auto sig = make_unique_ptr<X509_SIG_free>(d2i_X509_SIG(nullptr, &p, long(digest.size())));
+    auto sig = d2i<d2i_X509_SIG, X509_SIG_free>(digest);
     if(!sig)
         return {};
     const ASN1_OCTET_STRING *value {};
@@ -60,8 +59,7 @@ vector<unsigned char> Digest::digestInfoDigest(const std::vector<unsigned char>
 
 string Digest::digestInfoUri(const std::vector<unsigned char> &digest)
 {
-    const unsigned char *p = digest.data();
-    auto sig = make_unique_ptr<X509_SIG_free>(d2i_X509_SIG(nullptr, &p, long(digest.size())));
+    auto sig = d2i<d2i_X509_SIG, X509_SIG_free>(digest);
     if(!sig)
         return {};
     const X509_ALGOR *algor {};

src/crypto/OCSP.cpp

@@ -30,10 +30,6 @@
 #include <algorithm>
 #include <array>
 
-#ifdef WIN32 //hack for win32 build
-#undef OCSP_REQUEST
-#undef OCSP_RESPONSE
-#endif
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
@@ -73,7 +69,10 @@ OCSP::OCSP(const X509Cert &cert, const X509Cert &issuer, const std::string &user
     if(!req)
         THROW_OPENSSLEXCEPTION("Failed to create new OCSP request, out of memory?");
 
-    OCSP_CERTID *certId = OCSP_cert_to_id(nullptr, cert.handle(), issuer.handle());
+    const EVP_MD *evp_md {};
+    if(url.find("eidpki.ee") != std::string::npos)
+        evp_md = EVP_get_digestbynid(NID_sha256);
+    OCSP_CERTID *certId = OCSP_cert_to_id(evp_md, cert.handle(), issuer.handle());
     if(!OCSP_request_add0_id(req.get(), certId))
         THROW_OPENSSLEXCEPTION("Failed to add certificate ID to OCSP request.");
 
@@ -236,6 +235,8 @@ void OCSP::verifyResponse(const X509Cert &cert) const
         if(OCSP_id_get0_info(nullptr, &md, nullptr, nullptr, const_cast<OCSP_CERTID*>(certID)) == 1)
             evp_md = EVP_get_digestbyobj(md);
         auto certId = make_unique_ptr<OCSP_CERTID_free>(OCSP_cert_to_id(evp_md, cert.handle(), issuer.handle()));
+        if(OCSP_id_cmp(certID, certId.get()) != 0)
+            continue;
         if(OCSP_resp_find_status(basic.get(), certId.get(), &status, nullptr, nullptr, nullptr, nullptr) == 1)
             break;
     }

src/crypto/OpenSSLHelpers.h

@@ -28,9 +28,6 @@
 namespace digidoc
 {
 
-#define SCOPE_PTR(TYPE, DATA) make_unique_ptr<TYPE##_free>(DATA)
-#define SCOPE(TYPE, VAR, DATA) auto VAR = make_unique_ptr<TYPE>(DATA, TYPE##_free)
-
 template<auto F, class T>
 [[nodiscard]]
 inline std::vector<unsigned char> i2d(T *obj)
@@ -54,6 +51,13 @@ inline std::vector<unsigned char> i2d(const T &obj)
     return i2d<F>(obj.get());
 }
 
+template<auto F, auto D, class C>
+constexpr auto d2i(const C &c)
+{
+    const unsigned char *p = c.data();
+    return make_unique_ptr<D>(F(nullptr, &p, long(c.size())));
+}
+
 /**
  * OpenSSL exception implementation. Thrown if the openssl returns error
  */

src/crypto/PKCS12Signer.cpp

@@ -54,10 +54,10 @@ class PKCS12Signer::Private
 PKCS12Signer::PKCS12Signer(const string &path, const string &pass)
     : d(make_unique<Private>())
 {
-    auto bio = SCOPE_PTR(BIO, BIO_new_file(path.c_str(), "rb"));
+    auto bio = make_unique_ptr<BIO_free>(BIO_new_file(path.c_str(), "rb"));
     if(!bio)
         THROW_OPENSSLEXCEPTION("Failed to open PKCS12 certificate: %s.", path.c_str());
-    auto p12 = SCOPE_PTR(PKCS12, d2i_PKCS12_bio(bio.get(), nullptr));
+    auto p12 = make_unique_ptr<PKCS12_free>(d2i_PKCS12_bio(bio.get(), nullptr));
     if(!p12)
         THROW_OPENSSLEXCEPTION("Failed to read PKCS12 certificate: %s.", path.c_str());
     if(!PKCS12_parse(p12.get(), pass.c_str(), &d->key, &d->cert, nullptr))
@@ -82,7 +82,7 @@ vector<unsigned char> PKCS12Signer::sign(const string &method, const vector<unsi
     int result = 0;
     vector<unsigned char> signature;
     size_t size = 0;
-    SCOPE(EVP_PKEY_CTX, ctx, EVP_PKEY_CTX_new(d->key, nullptr));
+    auto ctx = make_unique_ptr<EVP_PKEY_CTX_free>(EVP_PKEY_CTX_new(d->key, nullptr));
     if(!ctx || EVP_PKEY_sign_init(ctx.get()) <= 0)
         THROW_OPENSSLEXCEPTION("Failed to sign the digest");
     switch(EVP_PKEY_base_id(d->key))
@@ -111,8 +111,7 @@ vector<unsigned char> PKCS12Signer::sign(const string &method, const vector<unsi
         result = EVP_PKEY_sign(ctx.get(), asn1.data(), &size, digest.data(), digest.size());
         if(result <= 0)
             break;
-        const unsigned char *p = asn1.data();
-        SCOPE(ECDSA_SIG, sig, d2i_ECDSA_SIG(nullptr, &p, long(asn1.size())));
+        auto sig = d2i<d2i_ECDSA_SIG, ECDSA_SIG_free>(asn1);
         const BIGNUM *r = nullptr, *s = nullptr;
         ECDSA_SIG_get0(sig.get(), &r, &s);
         auto r_len = size_t(BN_num_bytes(r));

src/crypto/X509Crypto.cpp

@@ -54,8 +54,7 @@ X509Crypto::X509Crypto(X509Cert cert)
 bool X509Crypto::compareIssuerToDer(const vector<unsigned char> &data) const
 {
     // DER-encoded instance of type IssuerSerial type defined in IETF RFC 5035 [17].
-    const unsigned char *p = data.data();
-    SCOPE(ESS_ISSUER_SERIAL, is, d2i_ESS_ISSUER_SERIAL(nullptr, &p, long(data.size())));
+    auto is = d2i<d2i_ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL_free>(data);
     if(!is || sk_GENERAL_NAME_num(is->issuer) != 1)
         return false;