From 19fb6499abe9ebd7168409088ef2fe0045c0633f Mon Sep 17 00:00:00 2001
From: alashkova <n.alashkova@micord.ru>
Date: Tue, 19 Nov 2024 17:08:58 +0300
Subject: [PATCH] =?UTF-8?q?SUPPORT-8714.=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?=
 =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D0=B0=20=D0=B2=D0=BE=D0=B7=D0=BC=D0=BE=D0=B6?=
 =?UTF-8?q?=D0=BD=D0=BE=D1=81=D1=82=D1=8C=20=D1=83=D0=BA=D0=B0=D0=B7=D1=8B?=
 =?UTF-8?q?=D0=B2=D0=B0=D1=82=D1=8C=20=D0=BD=D0=B5=D1=81=D0=BA=D0=BE=D0=BB?=
 =?UTF-8?q?=D1=8C=D0=BA=D0=BE=20=D1=81=D0=B5=D1=80=D1=82=D0=B8=D1=84=D0=B8?=
 =?UTF-8?q?=D0=BA=D0=B0=D1=82=D0=BE=D0=B2=20=D0=95=D0=A1=D0=98=D0=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                    |  2 +-
 src/modules/service_verify.c | 47 ++++++++++++++++++++++++++++++++----
 src/modules/service_verify.h |  3 ++-
 src/utils/cryptopro.c        |  7 +++++-
 4 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 1855d16..c29c0b8 100644
--- a/README.md
+++ b/README.md
@@ -95,4 +95,4 @@ sign_cert_password = \*\*\*\* *\# пароль от контейнера*
 
 - В секции **\[verify\]** задать настройки проверки подписи маркера доступа:  
 location = /verify *\# значение по умолчанию: /verify*  
-esia_cert_thumbprint = sha1_thumbprint_of_esia_cert *\# SHA1 отпечаток сертификата ЕСИА*  
+esia_cert_thumbprint = sha1_thumbprint_of_esia_cert0 sha1_thumbprint_of_esia_cert1 *\# список SHA1 отпечатков сертификатов ЕСИА, указанных через пробел*  
diff --git a/src/modules/service_verify.c b/src/modules/service_verify.c
index fd82789..8d5292c 100644
--- a/src/modules/service_verify.c
+++ b/src/modules/service_verify.c
@@ -63,8 +63,8 @@ verify_conf_load(verify_conf_t *conf, const conf_file_context_t conf_file)
         {
             VERIFY_CONF_SECTION,
             VERIFY_CONF_KEY_THUMBPRINT,
-            &conf->esia_cert_thumbprint,
-            CONF_FILE_VALUE_STRT,
+            &conf->esia_cert_thumbprint_list,
+            CONF_FILE_VALUE_STRING_LIST,
             CONF_FILE_VALUE_NONE,
             NULL 
         },
@@ -91,7 +91,7 @@ verify_conf_clear(verify_conf_t *conf)
     if (conf == NULL) return;
 
     str_t_clear(&conf->location);
-    str_t_clear(&conf->esia_cert_thumbprint);
+    string_list_clear(&conf->esia_cert_thumbprint_list);
 
     memset(conf, 0, sizeof(verify_conf_t));
 }
@@ -238,6 +238,42 @@ fcgi_verify_request_clear(fcgi_verify_request_t *req_info)
     memset(req_info, 0, sizeof(fcgi_verify_request_t));
 }
 
+static int
+verify_sign_using_thumbprint_list(const string_list_t* thumbprint_list, const str_t* alg, 
+                                    const str_t* header_payload, const str_t* sign, 
+                                    bool* is_verified, char** verify_error)
+{
+    int rc = -1;
+
+    LOG_TRACE("verify_sign_using_thumbprint_list enter");
+
+    for (size_t i = 0; i < thumbprint_list->size; i++) {
+        const char *cert_thumbprint = thumbprint_list->list[i];
+        str_t thumbprint = {
+            .data = (char*) cert_thumbprint,
+            .len = strlen(cert_thumbprint)
+        };
+
+        LOG_DEBUG("Try to verify jwt using cert with thumbprint '%s'...", cert_thumbprint);
+
+        rc = cryptopro_verify(&thumbprint, alg, header_payload, sign, is_verified, verify_error);
+        if (rc) {
+            LOG_ERROR("cryptopro_verify() failed for cert with thumbprint '%s'", cert_thumbprint);
+        }
+
+        if (*is_verified) {
+            LOG_DEBUG("jwt verified using cert with thumbprint '%s'", cert_thumbprint);
+            break;
+        } else {
+            LOG_DEBUG("Could not veify jwt using cert with thumbprint '%s'. Desc: %s", 
+                        cert_thumbprint, *verify_error);
+        }
+    }
+
+    LOG_TRACE("verify_sign_using_thumbprint_list exit");
+    return rc;
+}
+
 static fcgi_handler_status_t
 verify_jwt_sign(fcgi_verify_request_t* req_info, const verify_service_t *ctx)
 {
@@ -286,8 +322,9 @@ verify_jwt_sign(fcgi_verify_request_t* req_info, const verify_service_t *ctx)
         goto error;
     }
 
-    if (cryptopro_verify(&ctx->conf->esia_cert_thumbprint, &alg, &header_payload, &sign, 
-                            &is_verified, &req_info->verify_error)) {
+    if (verify_sign_using_thumbprint_list(&ctx->conf->esia_cert_thumbprint_list, &alg, 
+                                            &header_payload, &sign, &is_verified, 
+                                            &req_info->verify_error)) {
         goto error;
     }
 
diff --git a/src/modules/service_verify.h b/src/modules/service_verify.h
index fdf7153..b6346ce 100644
--- a/src/modules/service_verify.h
+++ b/src/modules/service_verify.h
@@ -5,12 +5,13 @@
 
 #include "utils/conf_file_context.h"
 #include "utils/str_t.h"
+#include "utils/types.h"
 
 typedef struct verify_service_t* HVerify;
 
 typedef struct verify_conf_s {
     str_t               location;
-    str_t               esia_cert_thumbprint;
+    string_list_t       esia_cert_thumbprint_list;
 
 } verify_conf_t;
 
diff --git a/src/utils/cryptopro.c b/src/utils/cryptopro.c
index b93b91f..90c31cf 100644
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@@ -371,6 +371,10 @@ get_verify_error(char** verify_error)
 
     size_t size = strlen(err_string) + 4 /*error code*/ + 1 /*terminating null*/;
 
+    if (*verify_error != NULL) {
+        free(*verify_error); // в ответе отдаем последнюю ошибку
+    }
+
     *verify_error = malloc(size);
     if (*verify_error == NULL) {
         LOG_ERROR("get_verify_error failed. Could not allocate memory for error string "
@@ -461,7 +465,8 @@ cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* da
         if (*verify_error == NULL) {
             goto exit;
         }
-        LOG_WARN("%s", *verify_error);
+        LOG_WARN("%s, cert_thumbprint: %.*s", *verify_error, 
+                    (int) cert_thumbprint->len, cert_thumbprint->data);
     }
 
     rc = 0;