diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 32eff4258..0b70a638b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -112,8 +112,6 @@ jobs: export VCPKG_ROOT=$VCPKG_INSTALLATION_ROOT export ANDROID_NDK_HOME=$ANDROID_NDK_LATEST_HOME export ANDROID_NDK_ROOT=$ANDROID_NDK_LATEST_HOME - git -C $VCPKG_INSTALLATION_ROOT fetch origin f77737496dabd44c63ecc599dc0f4d6cff30d0d5 - git -C $VCPKG_INSTALLATION_ROOT reset --hard f77737496dabd44c63ecc599dc0f4d6cff30d0d5 cmake --preset ${{ matrix.target }} "-GUnix Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo cmake --build --preset ${{ matrix.target }} cmake --build --preset ${{ matrix.target }} --target install/strip @@ -130,7 +128,7 @@ jobs: container: fedora:${{ matrix.container }} strategy: matrix: - container: [43, 44] + container: [43, 44, rawhide] steps: - name: Install Deps run: | @@ -349,6 +347,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: cpp + build-mode: none queries: +security-and-quality - name: Build run: | diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh index 3bed0040f..2b76ffb6b 100755 --- a/prepare_osx_build_environment.sh +++ b/prepare_osx_build_environment.sh @@ -1,8 +1,8 @@ #!/bin/sh set -e -OPENSSL_DIR=openssl-3.5.6 -XMLSEC_DIR=xmlsec1-1.3.11 +OPENSSL_DIR=openssl-3.5.7 +XMLSEC_DIR=xmlsec1-1.3.12 case "$@" in *android*|*iphone*|*simulator*) @@ -26,7 +26,7 @@ function xmlsec { rm -rf ${XMLSEC_DIR} tar xf ${XMLSEC_DIR}.tar.gz cd ${XMLSEC_DIR} - patch -Np1 -i ../xmlsec1-1.3.10.legacy.patch + patch -Np1 -i ../xmlsec1-1.3.12.legacy.patch sed -i '' 's/XMLSEC_VERSION_INFO=.*/XMLSEC_VERSION_INFO="1:0:0"/' configure ./configure CFLAGS="-arch ${ARCHS// / -arch }" --prefix=${TARGET_PATH} --disable-static --enable-shared \ --disable-dependency-tracking \ @@ -36,9 +36,7 @@ function xmlsec { --without-gcrypt \ --without-nss \ --with-openssl=${TARGET_PATH} \ - --disable-apps \ - --disable-docs \ - --disable-mans + --disable-apps make -s sudo make install cd - diff --git a/src/crypto/Digest.cpp b/src/crypto/Digest.cpp index 4a61d6dff..60d216e31 100644 --- a/src/crypto/Digest.cpp +++ b/src/crypto/Digest.cpp @@ -54,7 +54,8 @@ vector Digest::digestInfoDigest(const std::vector return {}; const ASN1_OCTET_STRING *value {}; X509_SIG_get0(sig.get(), nullptr, &value); - return { value->data, std::next(value->data, value->length) }; + const unsigned char *data = ASN1_STRING_get0_data(value); + return { data, std::next(data, ASN1_STRING_length(value)) }; } string Digest::digestInfoUri(const std::vector &digest) diff --git a/src/crypto/OCSP.cpp b/src/crypto/OCSP.cpp index b2a32805c..0859b9a73 100644 --- a/src/crypto/OCSP.cpp +++ b/src/crypto/OCSP.cpp @@ -153,9 +153,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const if(hash) { std::array sha1{}; - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert.handle()); - SHA1(key->data, size_t(key->length), sha1.data()); - if(!equal(sha1.cbegin(), sha1.cend(), hash->data, std::next(hash->data, hash->length))) + auto *key = X509_get0_pubkey_bitstr(cert.handle()); + SHA1(ASN1_STRING_get0_data(key), size_t(ASN1_STRING_length(key)), sha1.data()); + const unsigned char *data = ASN1_STRING_get0_data(hash); + if(!equal(sha1.cbegin(), sha1.cend(), data, std::next(data, ASN1_STRING_length(hash)))) return false; } else if(X509_NAME_cmp(X509_get_subject_name(cert.handle()), name) != 0) @@ -277,12 +278,13 @@ vector OCSP::nonce() const int resp_idx = OCSP_BASICRESP_get_ext_by_NID(basic.get(), NID_id_pkix_OCSP_Nonce, -1); if(resp_idx < 0) return nonce; - X509_EXTENSION *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx); + auto *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx); if(!ext) return nonce; - ASN1_OCTET_STRING *value = X509_EXTENSION_get_data(ext); - nonce.assign(value->data, std::next(value->data, value->length)); + auto *value = X509_EXTENSION_get_data(ext); + const unsigned char *data = ASN1_STRING_get0_data(value); + nonce.assign(data, std::next(data, ASN1_STRING_length(value))); //OpenSSL OCSP created messages NID_id_pkix_OCSP_Nonce field is DER encoded twice, not a problem with java impl //XXX: UglyHackTM check if nonceAsn1 contains ASN1_OCTET_STRING //XXX: if first 2 bytes seem to be beginning of DER ASN1_OCTET_STRING then remove them diff --git a/src/crypto/TS.cpp b/src/crypto/TS.cpp index d96dfc91c..ba7c3e36a 100644 --- a/src/crypto/TS.cpp +++ b/src/crypto/TS.cpp @@ -36,6 +36,7 @@ #include #include +#include using namespace digidoc; using namespace std; @@ -86,10 +87,11 @@ TS::TS(const Digest &digest, const std::string &userAgent) } #endif + std::array nonce_bytes{}; + for(; nonce_bytes[0] == 0;) // Make sure that first byte is not 0x00 + RAND_bytes(nonce_bytes.data(), nonce_bytes.size()); auto nonce = make_unique_ptr(ASN1_INTEGER_new()); - ASN1_STRING_set(nonce.get(), nullptr, 20); - for(nonce->data[0] = 0; nonce->data[0] == 0;) // Make sure that first byte is not 0x00 - RAND_bytes(nonce->data, nonce->length); + ASN1_STRING_set(nonce.get(), nonce_bytes.data(), nonce_bytes.size()); TS_REQ_set_nonce(req.get(), nonce.get()); Connect::Result result = Connect(CONF(TSUrl), "POST", 0, CONF(TSCerts), userAgent).exec({ diff --git a/src/crypto/X509Cert.cpp b/src/crypto/X509Cert.cpp index f8c47b45d..fa5b528e5 100644 --- a/src/crypto/X509Cert.cpp +++ b/src/crypto/X509Cert.cpp @@ -424,7 +424,7 @@ vector X509Cert::qcStatements() const int pos = X509_get_ext_by_NID(cert.get(), NID_qcStatements, -1); if(pos == -1) return result; - X509_EXTENSION *ext = X509_get_ext(cert.get(), pos); + auto *ext = X509_get_ext(cert.get(), pos); auto qc = make_unique_cast(ASN1_item_unpack(X509_EXTENSION_get_data(ext), ASN1_ITEM_rptr(QCStatements))); if(!qc) return result; @@ -492,7 +492,7 @@ string X509Cert::toString(const string &obj) const string str; if(!cert) return str; - X509_NAME* name = Func(cert.get()); + auto *name = Func(cert.get()); if(!name) THROW_OPENSSLEXCEPTION("Failed to convert X.509 certificate name"); @@ -500,7 +500,7 @@ string X509Cert::toString(const string &obj) const { for(int i = 0; i < X509_NAME_entry_count(name); ++i) { - X509_NAME_ENTRY *e = X509_NAME_get_entry(name, i); + auto *e = X509_NAME_get_entry(name, i); if(obj != OBJ_nid2sn(OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)))) continue; diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp index fba1ffef8..684882fbf 100644 --- a/src/crypto/X509CertStore.cpp +++ b/src/crypto/X509CertStore.cpp @@ -119,7 +119,10 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) if(ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i); ad->location->type == GEN_URI && OBJ_obj2nid(ad->method) == NID_ad_ca_issuers) - url.assign((const char*)ad->location->d.uniformResourceIdentifier->data, ad->location->d.uniformResourceIdentifier->length); + { + const unsigned char *data = ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier); + url.assign((const char*)data, ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)); + } } if(url.empty()) return X509Cert(); diff --git a/src/crypto/X509Crypto.cpp b/src/crypto/X509Crypto.cpp index 7ee9937e1..105e4160d 100644 --- a/src/crypto/X509Crypto.cpp +++ b/src/crypto/X509Crypto.cpp @@ -157,7 +157,7 @@ int X509Crypto::compareIssuerToString(string_view name) const bool found = false; for(int i = 0; i < X509_NAME_entry_count(issuer); ++i) { - X509_NAME_ENTRY *entb = X509_NAME_get_entry(issuer, i); + auto *entb = X509_NAME_get_entry(issuer, i); if(OBJ_cmp(obja.get(), X509_NAME_ENTRY_get_object(entb)) != 0) continue; diff --git a/vcpkg.json b/vcpkg.json index 16058a75c..f29955282 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -15,7 +15,7 @@ "features": { "tests": { "description": "Build tests", "dependencies": ["boost-test"] } }, - "builtin-baseline": "f77737496dabd44c63ecc599dc0f4d6cff30d0d5", + "builtin-baseline": "67b5ee32c608c87971eed243d4bff140568ebe53", "vcpkg-configuration": { "overlay-triplets": ["./vcpkg-triplets"], "registries": [ @@ -23,7 +23,7 @@ "kind": "git", "repository": "https://github.com/open-eid/vcpkg-ports", "reference": "vcpkg-registry", - "baseline": "e841c32c534b9db3130a824992f4bacd79fae1bc", + "baseline": "408ae35659d383cf5563a8d9ea943a81bba5c008", "packages": ["openssl", "xmlsec"] } ] diff --git a/xmlsec1-1.3.10.legacy.patch b/xmlsec1-1.3.12.legacy.patch similarity index 96% rename from xmlsec1-1.3.10.legacy.patch rename to xmlsec1-1.3.12.legacy.patch index 32ab7d52a..0dd57952c 100644 --- a/xmlsec1-1.3.10.legacy.patch +++ b/xmlsec1-1.3.12.legacy.patch @@ -1,15 +1,15 @@ ---- a/src/openssl/signatures.c 2026-04-20 08:56:41 -+++ b/src/openssl/signatures.c 2026-04-20 08:56:41 -@@ -38,6 +38,8 @@ +--- a/src/openssl/signatures.c ++++ b/src/openssl/signatures.c +@@ -35,6 +35,8 @@ #endif /* XMLSEC_OPENSSL_API_300 */ - + #include "../cast_helpers.h" +#include + #include "../transform_helpers.h" #include "openssl_compat.h" - -@@ -1068,7 +1070,11 @@ + #include "private.h" +@@ -1066,7 +1068,11 @@ goto error; } } else { @@ -22,10 +22,10 @@ if(ret <= 0) { xmlSecOpenSSLError2("EVP_PKEY_verify_init", xmlSecTransformGetName(transform), "ret=%d", ret); -@@ -1076,11 +1082,13 @@ +@@ -1074,11 +1080,13 @@ } } - + - ret = EVP_PKEY_CTX_set_signature_md(pKeyCtx, ctx->digest); - if(ret <= 0) { - xmlSecOpenSSLError2("EVP_PKEY_CTX_set_signature_md", xmlSecTransformGetName(transform), @@ -101,5 +101,5 @@ + X509_SIG_free(sig); + } break; - + case xmlSecOpenSSLEvpSignatureFormat_Dsa: