Version 2.4.3 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * more buffer overflow and security fixes * replaced most of strcpy(), strcat() and sprintf() with strncpy(), strncat() and snprintf(). * added "int len" arguments to many functions for buffer length checking Version 2.4.2 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * some buffer overflow and security fixes Version 2.4.1 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed DigiDocGen.c - addNotaryInfoXML() to remove trailing newline after OCSP base64 block for backward compatibility with 2.1.5 * fixed DigiDocConfig.c - initConfigStore() to check env value "SystemRoot" for null Version 2.4.1 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * DigiDocServiceClient integrated * M$ COM library integrated Version 2.3.13 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Modified DigiDocConfig.c:notarizeSignature() to use signers CA specific OCSP URL that can be spcified in fonfig file as: DIGIDOC_OCSP_RESPONDER_CERT_<resp-idx>_URL=<ocsp-url> Default URL specified using DIGIDOC_OCSP_URL will be used if specific one is not found. Version 2.3.12 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * moved OCSP verification from separate COM method to existing verifySignature COM method. Version 2.3.11 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * removed OCSP and other non-essential verifications during parsing. Version 2.3.10 (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed OCSP response verification error 106 on no internet connection. * fixed timestamp time comparison during verification. Version 2.3.9: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed bug in verifying with wrong OCSP reponder cert. Version 2.3.8: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * changed functions ddocVerifyCertByOCSP() and verifyCertificateByOCSP() by adding an optional parameter for returning the OCSP_RESPONSE to caller. Version 2.3.7: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed base64 parsing and canonicalizing Version 2.3.5: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * improved digidoc parsing for documents that contain only base64 content and no pure xml or txt. Version 2.3.4: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * added ResponderID ByKey support Version 2.3.3: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed XAdES v1.3.2 namespace uri-s * integrated changes to DigiDocPKCS11.c to better support Setec cards Version 2.3.2: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * improved config file loading to avoid errors * changed timestamp verification to chek also that TSA cert is in users local certstore or certs dir (unix) Version 2.3.1: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * moved timestamping module code to libdigidoc/ts * added swithches --enable-mssp and --enable-ts to configure.in Version 2.2.14: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * collected TSA profile in DigiDocGlobals.h/.c Version 2.2.13: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * changed getting timestamps. Now will ask TSA server for it's cert together with response and use it. If user passed to lib optional TSA cert and TSA returned no cert then this one will be used. * changed SAX parsers handling of TSA & responder certs. Now Certs are categorized based on: OCSP responses responder id and TSA responses signer cert issuer number. * added verification of TSA cert by TSA CA cert * added verification that OCSP response is between SignatureTimeStamp and SigAndRefsTimeStamp. Added config entry MAX_TSA_TIME_ERR_SECS to specify max error in seconds between TSA and responder clocks. * Fixed OCSP response time calculation Version 2.2.12: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * moved all verification functions to DigiDocVerify.h/.c * moved all OCSP handling functions to DigiDocOCSP.h/.c * moved all functions handling memory allocation and access of digidoc structure to DigiDocObj.h/.c * moved all functiosn writing digidoc files to DigiDocGen.h/.c Version 2.2.11: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * yet another fix related to base64 bypassing from parser that cause error 16 - invalid xml type error Version 2.2.10: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * restored a fix to adding signatures to format 1.0 where error was caused due to Notary cert being missing * fixed signing problems when having "&" in signers address Version 2.2.9: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed a problem in SAX parser due to which postal code and country were switched * fixed a problem in SAX parser in handling DataFile filenames that contained "&" Version 2.2.8: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed a problem in ddocSaxExtractDataFile() related to a to small file being parsed directly from memory cache * fixed another problem in ddocSaxExtractDataFile() related to loosing some data content at the end of a base64 encoded <DataFile> content Version 2.2.7: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * added parameter ip_addr - senders ip address to sendOCSPRequest() * added functions getConfirmationWithIp() and made getConfirmation() call it with default ip - 0 * added function notarizeSignatureWithIp() and make notarizeSignature() call it with default ip - 0 * replaced error ERR_OCSP_WRONG_SIGNATURE everywhere with ERR_OCSP_CERT_NOTFOUND. The logic is that signature might be correct if we had the correct certificate Version 2.2.6: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed certificate policy conversion to UTF8 * fixed HASHCODE & 1.0 format reading problems Version 2.2.5: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed memory overflow attacks in sax parser and simplified it * added new OCSP responder certificates * MSSP part commented out as it is not yet in production Version 2.2.4: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * removed the check if signers certificate is valid according to local computers timestamp and according to certificates start and end date as local computers time might be wrong and cert is checked anyway with OCSP * changed macros used for private config file path calculation at the beginning of DigiDocConfig.c as suggested by - Mart Raudsepp <38406216018@eesti.ee> * changed functions ddocMsspReadCertificate() and ddocConfMsspSign() by adding certificate path. Earlier cert path was calculated directly based on phone number Version 2.2.3: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * hopefully fixed a bug with command -calc-sign. Created two new functions: ddocPrepareSignature() and ddocGetSignedHash() to prepare a new signature and to retrieve the final to-be-signed hash with or without ASN1 profix and in binary or base64 encoded. * fixed a type conversion bug related to new callback function defs in openssl 0.98 Version 2.2.2: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * temporarily removed MSSP functions as they are not ready yet and I had to release package * applied changes made by other developers (Mart Raudsepp <38406216018@eesti.ee>) * certificate path patch to configure.in (Tanel Kuusk <tanel@sk.ee>) Version 2.2.1: * added functions for MSSP_GW client app in DigiDocMsspGw.h Version 2.1.22: * surrounded deprecated functions with #ifdef WITH_DEPRECATED_FUNCTION. One can switch them in and out from DigiDocDefs.h * replaced deprecated functions with new ones in cdigidoc.c Version 2.1.21: * added function: int ddocConvertInput(const char* src, char** dest) to DigiDocConvert.h. Use this function to convert console input data to UTF8 before passing it on to the library. * fixed some memory leaks in SAX parser module Version 2.1.20: * added functions: * ddocCertGetSubjectCN() - will replace getCertSubjectCN() * ddocCertGetIssuerCN() - will replace getCertIssuerCN() * ddocCertGetIssuerDN() and ddocCertGetSubjectDN() * ddocCertGetSubjectFirstName() * ddocCertGetSubjectLastName() * ddocCertGetSubjectPerCode() Version 2.1.19: * typecasts * added more commands for adding, removing and notarizing signatures * moved all certificate handling functions to DigiDocCert.h/.c * added function ddocCertGetSubjectDN() that is supposed to replace getCertSubjectName(). CAUTION: getCertSubjectName() returns us-ascii but ddocCertGetSubjectDN() returns UTF8 * removed field: certNr from structure NotaryInfo as it has been replaced with szIssuerSerial Version 2.1.18: * CGI output using -CGI commandline option or config file entries. You can use config file entries: * DIGIDOC_CGI_MODE - print in CGI or normal mode - TRUE/FALSE * DIGIDOC_CGI_PRINT_HEADER - print program header or not - TRUE/FALSE * DIGIDOC_CGI_PRINT_TRAILER - print program trailer or not - TRUE/FALSE * DIGIDOC_CGI_SEPARATOR - charater(s) to use for separator or fields Version 2.1.17: (Veiko Sinivee) * possibility to specify signature pin using AUTOSIGN_PIN entry in the config file * replaced function decodeCertificateData() with ddocDecodeX509Data() * replaced function decodeCertificatePEMData() with ddocDecodeX509PEMData() * created function ddocDecodeOCSPResponseData() * replaced function decodeOCSPResponsePEMData() with ddocDecodeOCSPResponsePEMData() Version 2.1.16: (Veiko Sinivee) * corrected a bug in digidoc sax parser by increasing the buffer size used for certificate serial number * added the param (int nMaxLen) to functions ReadCertSerialNumber() and GetCertSerialNumber() (Marc Stren) * For all non-mandatory config files, we must accept return codes ERR_OK & ERR_CONF_FILE * g_szPrivateConfigFile defined as char[_MAX_PATH] * For Windows, the global config file should be "%systemroot%\digidoc.ini" (usually "c:\windows\digidoc.ini") * After reading the personal config, before reading the registry, I would read a local file in the current directory readConfigFile(DIGIDOC_CONF_NAME, ITEM_TYPE_PRIVATE); Version 2.1.15: (Marc Stren) * bug fixes and type casts (Veiko Sinivee) * fixed a bug in readCertificatePolicies() * added a lot of explicit conversions to prevent compiler warnings Version 2.1.14: (Marc Stren) * bug fixes and type casts * fixed a bug in verifyNotary() - buffer to short for CN * fixed a bug in ddocConvertFileName() - wrong destination buffer length Version 2.1.13: (Kaido Kert) * fixed initialization bugs in DigiDocConvert.c - utf82oem(), oem2uf8(), getDataFileFileName() (Veiko Sinivee) * added function ddocConvertFileName() for pltform specific filename conversion * removed debugPrint() that was no londer used. Now we use ddocDebug() instead. Version 2.1.12: * Fixed a bug in converting certificate subject names to UTF-8 Version 2.1.11: * Removed the code associated with accepting digidoc documents that got invalid hashes because the hashes were not checked when reading in digidoc documents (see version 2.1.3) * Changed the certificate subject name decoding. Not quite sure if this was totaly correct. Apparently there can be multiple 8 bit encoding and no sure proof way to decect which one was used. Version 2.1.10: * added a fix to digidoc SAX parser that accepts invalid documents generated with JDigiDoc if the program didn't set the Id atribute of DataFile element. Java printed this out as "null" which is a valid Id atribute value according to XML-DSIG but not accoring to our digidoc format. Since many such files were created I added a fix to accept them. Version 2.1.9: * added -check-cert command to cdigidoc * added config file entries: DIGIDOC_CERT_VERIFY_DEFAULT_RESPONDER=ESTEID-SK OCSP RESPONDER 2005 DIGIDOC_CERT_VERIFY_DEFAULT_CA=ESTEID-SK for configuring the certificate verify function * fixed a crash bug in escapeXMLSymbols() Version 2.1.8: * added error code ERR_OCSP_WRONG_SIGNATURE (129) of category USER to mark the case when OCSP signature is wrong * added function getFullFileName() to correct a problem in cdigidoc. Version 2.1.7: * reduced the size of the first block of data from digidoc file in function ddocSaxReadSignedDocFromFile() since it seemed to cause problems on win32 platform with smaller digidoc documents * added function getCertSubjectCNinUTF8() to retrieve sertificate owners name in UTF8. This is used in gdigidoc since GTK can display only UTF8 * added functions ddocDebugTruncateLog() and ddocDebugReadLog() for log data handling * fixed the CPS in isCompanyCPSPolicy() Version 2.1.6: * added possibility to send debug output to a log file. Use the entry DEBUG_FILE=<logfile> in config file. If not used then debug output will be sent to console Version 2.1.5: * fixed a problem in displaying debug info * fixed a hashcode calculation problem with format 1.0 for content-type=HASHCODE as used in the digidocservice Version 2.1.3: * added code to handle wrong hash codes calculated in an earlier release Version 2.1.2: * added error code ERR_NO_OCSP (128) to mark signatures that have no OCSP confirmation * fixed buffering and hash calculation problems in ddocSaxReadSignedDoc() Version 2.1.0: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * added function dencOrigContent_registerDigiDoc() to register encrypted digidoc meta-info. * added functions dencMetaInfo_SetLibVersion(), dencMetaInfo_SetFormatVersion(), dencMetaInfo_GetLibVersion() ja dencMetaInfo_GetFormatVersion() for registering ans using library and format meta-info * added supprt for multiple responder certificates in config file, some of which might be valid, some not yet valid and some no longer valid as well as algorithm for automatically picking the right cert for certain jobs. * fixed usage of IV vector as required by XML-ENC * added functions setGUIVersion() and getGUIVersion() to set and get the name & version of a program using libdigidoc. This will be sent in the UserAgent HTTP header to OCSP responder in order to collect statistics about how many versions of library & programs using it are used by the public. Version 2.0.1: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * bug fixes to XML-ENC - fixed RSA algorithm URI and EncrtyptedData Type value Version 2.0.0: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * This is a major release containing XML-ENC support * some bugefixed and documentation fixed * added the -list command to cdigidoc which can display both digidoc and encrypted documents * added functions dencOrigContent_count(), dencOrigContent_add(), dencOrigContent_findByIndex(), dencOrigContent_isDigiDocInside(), dencOrigContent_registerDigiDoc() Version 1.99: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed a bug in verifying 1.0 format files * added function get_subject_key() and modified function createOCSPRequest() to get CA certs SKI extension if AKI extension is not available * added function ddocSAXGetDataFile() to retrieve DataFile content and return it in a memory buffer * fixed a bug in getLastError() that cleared the error list after reading it * changed error code OCSP_RESPONSE_STATUS (31) to class USER * changed the logic that checks for pkcs12 file password. Now library attempts to use pkcs12 files also without password Version 1.98: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Improved error codes for failure to compse CA cert chain * datafile extraction problems fixed Version 1.97: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * improved digidoc parsing speed Version 1.96: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Added constant X509_NAME_BUF_LEN for X509 name buffer requested length The default is not enough if the name has to be decoded from unicode first * Library documentation updated * imporoved error handling during digidoc parsing. Now parsing stops on the first error encountered. Version 1.95: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Changed config API to use Windows registry on win32 platforms * added functions for managing encrypted file recipient info * added encryption functions for large files Version 1.94: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Added code supporting XML-Encryption standard (XML-ENC) * Added packing of data before encryption using ZLIB Version 1.93: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * Removed a lot of conversions for filename in the library Those conversions coud have caused loss of data. * Changed createOCSPRequest() to use custom functions for adding OCSP nonce to OCSP request for digidoc formats 1.0, 1.1 and 1.2 thereby guaranteing that in case of those formats only 20 bytes are sent. * Added function ddocGetDataFileFilename() to get proper filename. It corrects also errors in 1.0, 1.1 and 1.2 formats bad filename UTF-8 Version 1.92: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed a bug in SAX parser causing loss of certain characters in file name * created new parsing functions using libxml2 xmlReader interface * moved SAX parsing functions to a separate source file DigiDocSAXParser.c * fixed some memory problems * removed the alternative MY_OCSP_request_add1_nonce() as it's not necessary (Sven Heiberg <sven@tartu.cyber.ee>) * bug fixes for many variable initialisations * Renamed ddocExtractDataFile to ddocXRdrExtractDataFile * Renamed ddocGetDataFile to ddocXRdrGetDataFile * Renamed ddocCopyDataFile to ddocXRdrCopyDataFile * introduced ddocXRdrReadSignedDocFromFile() * Renamed readSignedDoc() to ddocSaxReadSignedDocFromFile(). Params changed. * Renamed extractDataFile() to ddocSaxExtractDataFile(). Uses chached content. * Moved memory buffer management functions to DigiDocMem.h/.c and small stack implementation (used on DigiDocParser.c) to DigiDocStack.h/.c Those functions will be used also elsewhere in library. Version 1.91: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * added a check on output filename for extractDataFile() function. * added a check for verifyNotaryInfoCERT() function to check empty certificate array size. * Added back the function verifyCertificateByOCSP() (Sven Heiberg <sven@tartu.cyber.ee>) * Replaced OCSP_request_add1_nonce with MY_OCSP_request_add1_nonce for handling OCSP with openssl 0.9.7d Version 1.90: (Veiko Sinivee <veiko.sinivee@solo.delfi.ee>) * fixed buffer overflow vulnerability in setPrivateConfigFile() Version 1.89: (Veiko Sinivee) * fixed generateDataFileXML() and handleStartDataFile() to support the '&' symbol in file names Version 1.88: (Veiko Sinivee) * fixes to convertStringToTimeT() Version 1.85: (Veiko Sinivee) * added error ERR_OCSP_WRONG_URL and changed sendOCSPRequest() to indicate this error in case user entered false OCSP responder URL * changed ERR_CERT_READ to USER category Version 1.84: (Veiko Sinivee) * added support for ContentType=HASHCODE. This was used by DigiDocService library create signatures by relying on the hash code calculated by client. Version 1.83: (Veiko Sinivee) * changed ReadCertificateSerialNumber() to use char* instead of long for certificate serial number because it might not fit in a long Version 1.82: (Veiko Sinivee) * added getCertPEM() and getOcspPEM() version 1.81: (Veiko Sinivee) * fixed setSignatureValueFromFile() that was affected by siganture caching. * fixed getConfirmation() to allowe sending not signed OCSP requests. * fixed ConfigItem_lookup_bool() * fixed getSignerLastName() version 1.80: // digidoc.c - added comand line parameter -h and -? for help on usage modified constants: g_sdoc_hdr1_1 and g_sdoc_hdr1_2 - modified functions: generateDataFileXML() createSignedXMLDoc() handleStartDataFile() - fixed bugs in emptying buffers unicode2ascii() getSignerLastName() (Martin Paljak) * added autoconf/automake support * added libtool support * added pkg-config support * reorganization of files and names to more unixish ones. - package name is libdigidoc0 - configureation is /etc/digidoc.conf per default - source code in src/ * common code format via indent -kr -i8 (subject to negotiation) * changed some files' newlines from \r\n to \n * dropped implementation specific files (namely binary pkcs11 modules and sk.ee certs) also moved win32 specific stuff to win32/ * added debian/ and support for debian packages Versioon 1.79: // modified freeThreadErrorsByTid() initPKCS11Library() signDocument() verifySignatureAndNotary() struct SignatureInfo_st SignatureInfo_delete() SignatureInfo_free() createSignedXMLDoc() charactersHandler() endElementHandler() startElementHandler() Versioon 1.76: // added functions: int getSignerCN(const SignatureInfo* pSigInfo, char* buf, int bUTF8); int getCertIssuerCN(void* cert, char* buf, int* buflen, int bUTF8); // added struct FormatAndVer // added function FormatAndVer* getSupportedFormatsAndVersions(); void handleStartSigningCertificate(); void handleStartCompleteCertificateRefs(); void handleX509SerialNumber(); int addNotaryInfoCert(); int finalizeAndVerifyNotary(); // changed functions to support format version 1.3 int addSignatureInfoXML(BIO* bout, SignedDoc* pSigDoc, SignatureInfo* pSigInfo); char* createXMLSignedProperties(const SignedDoc* pSigDoc, const SignatureInfo* pSigInfo); SignedDoc* SignedDoc_new(const char* format, const char* version); int addNotaryInfoXML(BIO* bout, const SignedDoc *pSigDoc, const NotaryInfo* pNotInfo); void convertStringToTimestamp(const SignedDoc* pSigDoc, const char* szTimestamp, Timestamp* pTimestamp); int asn1time2strYear(const SignedDoc* pSigDoc, ASN1_TIME* tm, char* buf, int year); void convertTimestampToString(const SignedDoc* pSigDoc, const Timestamp* pTimestamp, char* szTimestamp); void startElementHandler(); void handleEndEncapsulatedOCSPValue(); void charactersHandler(); int getConfirmation(); int initializeNotaryInfoWithOCSP(); SUPPORTED_VERSION_COUNT // added static data to support 1.3 g_sdoc_hdr221 g_sdoc_hdr35_2 g_sdoc_hdr37_1 g_sdoc_hdr37_2 g_sdoc_hdr46_1 g_sdoc_hdr46_2 g_sdoc_hdr39_1