From 8b745b1093fe55453a220c82cd70adc45a98237a Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 1 Oct 2021 11:37:35 +0300
Subject: [PATCH] Add option to modify TSA Pinning certificate

IB-7392

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 client/Application.cpp            | 134 +++---
 client/dialogs/SettingsDialog.cpp |  84 +++-
 client/dialogs/SettingsDialog.h   |   4 +
 client/dialogs/SettingsDialog.ui  | 776 ++++++++++++++++--------------
 client/translations/en.ts         |   8 +
 client/translations/et.ts         |   8 +
 client/translations/ru.ts         |   8 +
 7 files changed, 588 insertions(+), 434 deletions(-)

diff --git a/client/Application.cpp b/client/Application.cpp
index 2baa26611..852816db1 100644
--- a/client/Application.cpp
+++ b/client/Application.cpp
@@ -118,42 +118,26 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 
 	std::string proxyHost() const final
 	{
-		switch(s.value(QStringLiteral("ProxyConfig")).toUInt())
-		{
-		case 0: return {};
-		case 1: return systemProxy().hostName().toStdString();
-		default: return s.value(QStringLiteral("ProxyHost"), QString::fromStdString(digidoc::XmlConfCurrent::proxyHost()) ).toString().toStdString();
-		}
+		return proxyConf(&QNetworkProxy::hostName,
+			QStringLiteral("ProxyHost"), &digidoc::XmlConfCurrent::proxyHost);
 	}
 
 	std::string proxyPort() const final
 	{
-		switch(s.value(QStringLiteral("ProxyConfig")).toUInt())
-		{
-		case 0: return {};
-		case 1: return QString::number(systemProxy().port()).toStdString();
-		default: return s.value(QStringLiteral("ProxyPort"), QString::fromStdString(digidoc::XmlConfCurrent::proxyPort()) ).toString().toStdString();
-		}
+		return proxyConf([](const QNetworkProxy &systemProxy) { return QString::number(systemProxy.port()); },
+			QStringLiteral("ProxyPort"), &digidoc::XmlConfCurrent::proxyPort);
 	}
 
 	std::string proxyUser() const final
 	{
-		switch(s.value(QStringLiteral("ProxyConfig")).toUInt())
-		{
-		case 0: return {};
-		case 1: return systemProxy().user().toStdString();
-		default: return s.value(QStringLiteral("ProxyUser"), QString::fromStdString(digidoc::XmlConfCurrent::proxyUser()) ).toString().toStdString();
-		}
+		return proxyConf(&QNetworkProxy::user,
+			QStringLiteral("ProxyUser"), &digidoc::XmlConfCurrent::proxyUser);
 	}
 
 	std::string proxyPass() const final
 	{
-		switch(s.value(QStringLiteral("ProxyConfig")).toUInt())
-		{
-		case 0: return {};
-		case 1: return systemProxy().password().toStdString();
-		default: return s.value(QStringLiteral("ProxyPass"), QString::fromStdString(digidoc::XmlConfCurrent::proxyPass())).toString().toStdString();
-		}
+		return proxyConf(&QNetworkProxy::password,
+			QStringLiteral("ProxyPass"), &digidoc::XmlConfCurrent::proxyPass);
 	}
 
 #ifdef Q_OS_MAC
@@ -167,13 +151,13 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 	{ return s.value(QStringLiteral("TSLOnlineDigest"), digidoc::XmlConfCurrent::TSLOnlineDigest()).toBool(); }
 
 	void setProxyHost( const std::string &host ) final
-	{ SettingsDialog::setValueEx(QStringLiteral("ProxyHost"), QString::fromStdString( host )); }
+	{ SettingsDialog::setValueEx(QStringLiteral("ProxyHost"), fromStdString(host)); }
 	void setProxyPort( const std::string &port ) final
-	{ SettingsDialog::setValueEx(QStringLiteral("ProxyPort"), QString::fromStdString( port )); }
+	{ SettingsDialog::setValueEx(QStringLiteral("ProxyPort"), fromStdString(port)); }
 	void setProxyUser( const std::string &user ) final
-	{ SettingsDialog::setValueEx(QStringLiteral("ProxyUser"), QString::fromStdString( user )); }
+	{ SettingsDialog::setValueEx(QStringLiteral("ProxyUser"), fromStdString(user)); }
 	void setProxyPass( const std::string &pass ) final
-	{ SettingsDialog::setValueEx(QStringLiteral("ProxyPass"), QString::fromStdString( pass )); }
+	{ SettingsDialog::setValueEx(QStringLiteral("ProxyPass"), fromStdString(pass)); }
 	void setProxyTunnelSSL( bool enable ) final
 	{ SettingsDialog::setValueEx(QStringLiteral("ProxyTunnelSSL"), enable, digidoc::XmlConfCurrent::proxyTunnelSSL()); }
 	void setPKCS12Cert( const std::string & /*cert*/) final {}
@@ -184,6 +168,14 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 	{ SettingsDialog::setValueEx(QStringLiteral("TSLOnlineDigest"), enable, digidoc::XmlConfCurrent::TSLOnlineDigest()); }
 #endif
 
+	std::vector<digidoc::X509Cert> TSCerts() const final
+	{
+		std::vector<digidoc::X509Cert> list = toCerts(QStringLiteral("CERT-BUNDLE"));
+		if(digidoc::X509Cert cert = toCert(fromBase64(s.value(QStringLiteral("TSA-CERT")))))
+			list.push_back(cert);
+		return list;
+	}
+
 	std::string TSUrl() const final
 	{
 		if(s.value(QStringLiteral("TSA-URL-CUSTOM"), s.contains(QStringLiteral("TSA-URL"))).toBool())
@@ -191,36 +183,27 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 		return valueSystemScope(QStringLiteral("TSA-URL"), digidoc::XmlConfCurrent::TSUrl());
 	}
 	void setTSUrl(const std::string &url) final
-	{ SettingsDialog::setValueEx(QStringLiteral("TSA-URL"), QString::fromStdString(url)); }
+	{ SettingsDialog::setValueEx(QStringLiteral("TSA-URL"), fromStdString(url)); }
 
 	std::string TSLUrl() const final { return valueSystemScope(QStringLiteral("TSL-URL"), digidoc::XmlConfCurrent::TSLUrl()); }
 	std::vector<digidoc::X509Cert> TSLCerts() const final
 	{
-		std::vector<digidoc::X509Cert> tslcerts;
-		for(const QJsonValue &val: obj.value(QStringLiteral("TSL-CERTS")).toArray())
-		{
-			QByteArray cert = QByteArray::fromBase64(val.toString().toLatin1());
-			tslcerts.emplace_back((const unsigned char*)cert.constData(), size_t(cert.size()));
-		}
+		std::vector<digidoc::X509Cert> tslcerts = toCerts(QStringLiteral("TSL-CERTS"));
 		return tslcerts.empty() ? digidoc::XmlConfCurrent::TSLCerts() : tslcerts;
 	}
 
 	digidoc::X509Cert verifyServiceCert() const final
 	{
-		QByteArray cert = QByteArray::fromBase64(obj.value(QStringLiteral("SIVA-CERT")).toString().toLatin1());
+		QByteArray cert = fromBase64(obj.value(QStringLiteral("SIVA-CERT")));
 		if(cert.isEmpty())
 			return digidoc::XmlConfCurrent::verifyServiceCert();
-		return digidoc::X509Cert((const unsigned char*)cert.constData(), size_t(cert.size()));
+		return toCert(cert);
 	}
 	std::vector<digidoc::X509Cert> verifyServiceCerts() const final
 	{
-		std::vector<digidoc::X509Cert> list;
-		list.push_back(verifyServiceCert());
-		for(const QJsonValue &cert: obj.value(QStringLiteral("CERT-BUNDLE")).toArray())
-		{
-			QByteArray der = QByteArray::fromBase64(cert.toString().toLatin1());
-			list.emplace_back((const unsigned char*)der.constData(), size_t(der.size()));
-		}
+		std::vector<digidoc::X509Cert> list = toCerts(QStringLiteral("CERT-BUNDLE"));
+		if(digidoc::X509Cert cert = verifyServiceCert())
+			list.push_back(cert);
 		return list;
 	}
 	std::string verifyServiceUri() const final
@@ -240,7 +223,7 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 			if(issuer == i.key().toStdString())
 				return i.value().toString().toStdString();
 		}
-		return obj.value(QStringLiteral("OCSP-URL")).toString(QString::fromStdString(digidoc::XmlConfCurrent::ocsp(issuer))).toStdString();
+		return obj.value(QStringLiteral("OCSP-URL")).toString(fromStdString(digidoc::XmlConfCurrent::ocsp(issuer))).toStdString();
 	}
 
 	bool TSLAllowExpired() const final
@@ -267,36 +250,67 @@ class DigidocConf final: public digidoc::XmlConfCurrent
 		if(s.value(QStringLiteral("TSA-URL")) == obj.value(QStringLiteral("TSA-URL")))
 			s.remove(QStringLiteral("TSA-URL")); // Cleanup user conf if it is default url
 		QList<QSslCertificate> list;
-		for(const QJsonValue &cert: obj.value(QStringLiteral("CERT-BUNDLE")).toArray())
-			list << QSslCertificate(QByteArray::fromBase64(cert.toString().toLatin1()), QSsl::Der);
+		for(const auto &cert: obj.value(QStringLiteral("CERT-BUNDLE")).toArray())
+			list.append(QSslCertificate(fromBase64(cert), QSsl::Der));
 		QSslConfiguration ssl = QSslConfiguration::defaultConfiguration();
 		ssl.setCaCertificates(list);
 		QSslConfiguration::setDefaultConfiguration(ssl);
 	}
 #endif
 
-	QNetworkProxy systemProxy() const
+	std::string valueSystemScope(const QString &key, const std::string &defaultValue) const
 	{
-		for(const QNetworkProxy &proxy: QNetworkProxyFactory::systemProxyForQuery())
+		return obj.value(key).toString(fromStdString(defaultValue)).toStdString();
+	}
+
+	std::string valueUserScope(const QString &key, const std::string &defaultValue) const
+	{
+		return s.value(key, obj.value(key).toString(fromStdString(defaultValue))).toString().toStdString();
+	}
+
+	template<typename System, typename Config>
+	std::string proxyConf(System &&system, const QString &key, Config &&config) const
+	{
+		switch(s.value(QStringLiteral("ProxyConfig")).toUInt())
 		{
-			if(proxy.type() == QNetworkProxy::HttpProxy)
-				return proxy;
+		case 0: return {};
+		case 1: return std::invoke(system, [] {
+				for(const QNetworkProxy &proxy: QNetworkProxyFactory::systemProxyForQuery())
+				{
+					if(proxy.type() == QNetworkProxy::HttpProxy)
+						return proxy;
+				}
+				return QNetworkProxy{};
+			}()).toStdString();
+		default: return s.value(key, fromStdString(std::invoke(config, this))).toString().toStdString();
 		}
-		return {};
 	}
 
-	std::string valueSystemScope(const QString &key, const std::string &defaultValue) const
+	template<class T>
+	QByteArray fromBase64(const T &data) const
 	{
-		return obj.value(key).toString(QString::fromStdString(defaultValue)).toStdString();
+		return QByteArray::fromBase64(data.toString().toLatin1());
 	}
 
-	std::string valueUserScope(const QString &key, const std::string &defaultValue) const
+	digidoc::X509Cert toCert(const QByteArray &der) const
 	{
-		return s.value(key, obj.value(key).toString(QString::fromStdString(defaultValue))).toString().toStdString();
+		return digidoc::X509Cert((const unsigned char*)der.constData(), size_t(der.size()));
+	}
+
+	std::vector<digidoc::X509Cert> toCerts(const QString &key) const
+	{
+		std::vector<digidoc::X509Cert> certs;
+		for(const auto &cert: obj.value(key).toArray())
+		{
+			QByteArray der = fromBase64(cert);
+			certs.emplace_back((const unsigned char*)der.constData(), size_t(der.size()));
+		}
+		return certs;
 	}
 
+	static constexpr auto fromStdString = &QString::fromStdString;
 	QSettings s;
-	bool	debug = false;
+	bool debug = false;
 public:
 	QJsonObject obj;
 };
@@ -530,7 +544,7 @@ void Application::activate( QWidget *w )
 #ifdef Q_OS_WIN
 void Application::addTempFile(const QString &file)
 {
-	d->tempFiles << file;
+	d->tempFiles.append(file);
 }
 #endif
 
@@ -623,7 +637,7 @@ QVariant Application::confValue( ConfParameter parameter, const QVariant &value
 		{
 			std::vector<unsigned char> v = cert;
 			if(!v.empty())
-				list << QSslCertificate(QByteArray::fromRawData((const char*)v.data(), int(v.size())), QSsl::Der);
+				list.append(QSslCertificate(QByteArray::fromRawData((const char*)v.data(), int(v.size())), QSsl::Der));
 		}
 		return QVariant::fromValue(list);
 	}
@@ -992,7 +1006,7 @@ void Application::parseArgs( const QString &msg )
 #endif
 	{
 		QUrl url( param, QUrl::StrictMode );
-		params << (param != QLatin1String("-crypto") && !url.toLocalFile().isEmpty() ? url.toLocalFile() : param);
+		params.append(param != QLatin1String("-crypto") && !url.toLocalFile().isEmpty() ? url.toLocalFile() : param);
 	}
 	parseArgs( params );
 }
diff --git a/client/dialogs/SettingsDialog.cpp b/client/dialogs/SettingsDialog.cpp
index 0033817de..4e2de6c77 100644
--- a/client/dialogs/SettingsDialog.cpp
+++ b/client/dialogs/SettingsDialog.cpp
@@ -123,6 +123,14 @@ SettingsDialog::SettingsDialog(QWidget *parent)
 	ui->rdTimeStampDefault->setFont(regularFont);
 	ui->rdTimeStampCustom->setFont(regularFont);
 	ui->txtTimeStamp->setFont(regularFont);
+	ui->lblTSACert->setFont(regularFont);
+	ui->txtTSACert->setFont(regularFont);
+	ui->btInstallTSACert->setFont(condensed12);
+	ui->btShowTSACert->setFont(condensed12);
+#if defined(Q_OS_UNIX) && !defined(Q_OS_MAC)
+	ui->btInstallTSACert->setStyleSheet("background-color: #d3d3d3");
+	ui->btShowTSACert->setStyleSheet("background-color: #d3d3d3");
+#endif
 	ui->lblMID->setFont(headerFont);
 	ui->rdMIDUUIDDefault->setFont(regularFont);
 	ui->rdMIDUUIDCustom->setFont(regularFont);
@@ -133,11 +141,11 @@ SettingsDialog::SettingsDialog(QWidget *parent)
 
 	// pageValidation
 	ui->lblSiVa->setFont(headerFont);
-	ui->lblSiVaCert->setFont(regularFont);
 	ui->txtSiVa->setFont(regularFont);
-	ui->txtSiVaCert->setFont(regularFont);
 	ui->rdSiVaDefault->setFont(regularFont);
 	ui->rdSiVaCustom->setFont(regularFont);
+	ui->lblSiVaCert->setFont(regularFont);
+	ui->txtSiVaCert->setFont(regularFont);
 	ui->btInstallSiVaCert->setFont(condensed12);
 	ui->btShowSiVaCert->setFont(condensed12);
 #if defined(Q_OS_UNIX) && !defined(Q_OS_MAC)
@@ -267,7 +275,7 @@ SettingsDialog::SettingsDialog(QWidget *parent)
 	ui->pageGroup->setId(ui->btnMenuProxy, NetworkSettings);
 	ui->pageGroup->setId(ui->btnMenuDiagnostics, DiagnosticsSettings);
 	ui->pageGroup->setId(ui->btnMenuInfo, LicenseSettings);
-	connect(ui->pageGroup, QOverload<QAbstractButton*>::of(&QButtonGroup::buttonClicked), this, &SettingsDialog::changePage);
+	connect(ui->pageGroup, qOverload<QAbstractButton*>(&QButtonGroup::buttonClicked), this, &SettingsDialog::changePage);
 
 	initFunctionality();
 	updateVersion();
@@ -338,7 +346,7 @@ void SettingsDialog::initFunctionality()
 
 	// pageGeneral
 	selectLanguage();
-	connect(ui->langGroup, QOverload<QAbstractButton*>::of(&QButtonGroup::buttonClicked), this,
+	connect(ui->langGroup, qOverload<QAbstractButton*>(&QButtonGroup::buttonClicked), this,
 		[this](QAbstractButton *button){ retranslate(button->property("lang").toString()); });
 
 	ui->chkGeneralTslRefresh->setChecked(qApp->confValue(Application::TSLOnlineDigest).toBool());
@@ -419,9 +427,16 @@ void SettingsDialog::initFunctionality()
 	// pageServices - TimeStamp
 	connect(ui->rdTimeStampCustom, &QRadioButton::toggled, ui->txtTimeStamp, [=](bool checked) {
 		ui->txtTimeStamp->setEnabled(checked);
+		if(!checked)
+		{
+			QSettings().remove(QStringLiteral("TSA-CERT"));
+			updateTSACert(QSslCertificate());
+		}
+		ui->wgtTSACert->setVisible(checked);
 		setValueEx(QStringLiteral("TSA-URL-CUSTOM"), checked, QSettings().contains(QStringLiteral("TSA-URL")));
 	});
 	ui->rdTimeStampCustom->setChecked(s.value(QStringLiteral("TSA-URL-CUSTOM"), s.contains(QStringLiteral("TSA-URL"))).toBool());
+	ui->wgtTSACert->setVisible(ui->rdTimeStampCustom->isChecked());
 #ifdef CONFIG_URL
 	ui->txtTimeStamp->setPlaceholderText(qApp->conf()->object().value(QStringLiteral("TSA-URL")).toString());
 #endif
@@ -433,6 +448,15 @@ void SettingsDialog::initFunctionality()
 	connect(ui->helpTimeStamp, &QToolButton::clicked, this, []{
 		QDesktopServices::openUrl(tr("https://www.id.ee/en/article/for-organisations-that-sign-large-quantities-of-documents-using-digidoc4-client/"));
 	});
+	connect(ui->btInstallTSACert, &QPushButton::clicked, this, [this] {
+		QSslCertificate cert = selectCert(tr("Select Time-Stamping server certificate"),
+			QStringLiteral("%1 (*.crt *.cer *.pem)").arg(tr("Time-Stamping service SSL certificate")));
+		if(cert.isNull())
+			return;
+		QSettings().setValue(QStringLiteral("TSA-CERT"), cert.toDer().toBase64());
+		updateTSACert(cert);
+	});
+	updateTSACert(QSslCertificate(QByteArray::fromBase64(s.value(QStringLiteral("TSA-CERT")).toByteArray()), QSsl::Der));
 
 	// pageServices - MID
 	connect(ui->rdMIDUUIDCustom, &QRadioButton::toggled, ui->txtMIDUUID, [=](bool checked) {
@@ -475,16 +499,8 @@ void SettingsDialog::initFunctionality()
 		QDesktopServices::openUrl(tr("https://www.id.ee/en/article/configuring-the-siva-validation-service-in-the-digidoc4-client/"));
 	});
 	connect(ui->btInstallSiVaCert, &QPushButton::clicked, this, [this] {
-		QFile file(FileDialog::getOpenFileName(this, tr("Select SiVa server certificate"), {},
-			QStringLiteral("%1 (*.crt *.cer *.pem)")).arg(tr("Digital Signature Validation Service SiVa SSL certificate")));
-		if(!file.open(QFile::ReadOnly))
-			return;
-		QSslCertificate cert(&file, QSsl::Pem);
-		if(cert.isNull())
-		{
-			file.seek(0);
-			cert = QSslCertificate(&file, QSsl::Der);
-		}
+		QSslCertificate cert = selectCert(tr("Select SiVa server certificate"),
+			QStringLiteral("%1 (*.crt *.cer *.pem)").arg(tr("Digital Signature Validation Service SiVa SSL certificate")));
 		if(cert.isNull())
 			return;
 		QSettings().setValue(QStringLiteral("SIVA-CERT"), cert.toDer().toBase64());
@@ -531,19 +547,41 @@ void SettingsDialog::updateCert()
 	ui->btShowCertificate->setDisabled(c.isNull());
 }
 
-void SettingsDialog::updateSiVaCert(const QSslCertificate &c)
+void SettingsDialog::updateCert(const QSslCertificate &c, QPushButton *btn, QLabel *lbl)
 {
-	disconnect(ui->btShowSiVaCert, &QPushButton::clicked, nullptr, nullptr);
-	ui->btShowSiVaCert->setHidden(c.isNull());
-	ui->txtSiVaCert->setHidden(c.isNull());
+	disconnect(btn, &QPushButton::clicked, nullptr, nullptr);
+	btn->setHidden(c.isNull());
+	lbl->setHidden(c.isNull());
 	if(c.isNull())
 		return;
-	ui->txtSiVaCert->setText(certInfo(c));
-	connect(ui->btShowSiVaCert, &QPushButton::clicked, this, [this, c] {
+	lbl->setText(certInfo(c));
+	connect(btn, &QPushButton::clicked, this, [this, c] {
 		CertificateDetails::showCertificate(SslCertificate(c), this);
 	});
 }
 
+void SettingsDialog::updateSiVaCert(const QSslCertificate &c)
+{
+	updateCert(c, ui->btShowSiVaCert, ui->txtSiVaCert);
+}
+
+void SettingsDialog::updateTSACert(const QSslCertificate &c)
+{
+	updateCert(c, ui->btShowTSACert, ui->txtTSACert);
+}
+
+QSslCertificate SettingsDialog::selectCert(const QString &label, const QString &format)
+{
+	QFile file(FileDialog::getOpenFileName(this, label, {}, format));
+	if(!file.open(QFile::ReadOnly))
+		return QSslCertificate();
+	QSslCertificate cert(&file, QSsl::Pem);
+	if(!cert.isNull())
+		return cert;
+	file.seek(0);
+	return QSslCertificate(&file, QSsl::Der);
+}
+
 void SettingsDialog::selectLanguage()
 {
 	const QList<QAbstractButton*> list = ui->langGroup->buttons();
@@ -646,16 +684,12 @@ void SettingsDialog::installCert()
 {
 	QFile file(FileDialog::getOpenFileName(this, tr("Select server access certificate"), {},
 		tr("Server access certificates (*.p12 *.p12d *.pfx)") ) );
-	if(!file.exists())
+	if(!file.open(QFile::ReadOnly))
 		return;
 	QString pass = QInputDialog::getText( this, tr("Password"),
 		tr("Enter server access certificate password."), QLineEdit::Password );
 	if(pass.isEmpty())
 		return;
-
-	if(!file.open(QFile::ReadOnly))
-		return;
-
 	PKCS12Certificate p12(&file, pass);
 	switch(p12.error())
 	{
diff --git a/client/dialogs/SettingsDialog.h b/client/dialogs/SettingsDialog.h
index b9fe0dab3..1bea37e37 100644
--- a/client/dialogs/SettingsDialog.h
+++ b/client/dialogs/SettingsDialog.h
@@ -30,6 +30,7 @@ class SettingsDialog;
 }
 
 class QAbstractButton;
+class QLabel;
 class QSslCertificate;
 class SslCertificate;
 
@@ -69,10 +70,13 @@ class SettingsDialog final: public QDialog
 	void saveFile(const QString &name, const QString &path);
 	void saveFile(const QString &name, const QByteArray &content);
 	void saveProxy();
+	QSslCertificate selectCert(const QString &label, const QString &format);
 	void selectLanguage();
 	void setProxyEnabled();
 	void updateCert();
+	void updateCert(const QSslCertificate &c, QPushButton *btn, QLabel *lbl);
 	void updateSiVaCert(const QSslCertificate &c);
+	void updateTSACert(const QSslCertificate &c);
 	void updateProxy();
 	void updateVersion();
 	void updateDiagnostics();
diff --git a/client/dialogs/SettingsDialog.ui b/client/dialogs/SettingsDialog.ui
index 5179e21bf..643ef3900 100644
--- a/client/dialogs/SettingsDialog.ui
+++ b/client/dialogs/SettingsDialog.ui
@@ -478,363 +478,441 @@ QRadioButton::indicator::checked {
        </item>
       </layout>
      </widget>
-     <widget class="QWidget" name="pageServices">
-      <property name="styleSheet">
-       <string notr="true">QToolButton { border: none; }
-QPushButton {
-	padding: 1px;
-	text-align: middle;
-	min-height: 30px;
-	min-width: 150px;
-}</string>
+     <widget class="QScrollArea" name="pageServicesScrollArea">
+      <property name="frameShape">
+       <enum>QFrame::NoFrame</enum>
       </property>
-      <layout class="QVBoxLayout" name="pageServicesLayout">
-       <property name="spacing">
-        <number>5</number>
-       </property>
-       <property name="leftMargin">
-        <number>20</number>
+      <property name="widgetResizable">
+       <bool>true</bool>
+      </property>
+      <widget class="QWidget" name="pageServices">
+       <property name="geometry">
+        <rect>
+         <x>0</x>
+         <y>0</y>
+         <width>789</width>
+         <height>524</height>
+        </rect>
        </property>
-       <property name="topMargin">
-        <number>20</number>
+       <property name="styleSheet">
+        <string notr="true">QToolButton { border: none; }
+ QPushButton {
+     padding: 1px;
+     text-align: middle;
+     min-height: 30px;
+     min-width: 150px;
+ }</string>
        </property>
-       <property name="rightMargin">
-        <number>20</number>
-       </property>
-       <property name="bottomMargin">
-        <number>20</number>
-       </property>
-       <item>
-        <layout class="QHBoxLayout" name="accessCertLayout">
-         <item>
-          <widget class="QLabel" name="lblRevocation">
-           <property name="focusPolicy">
-            <enum>Qt::TabFocus</enum>
-           </property>
-           <property name="text">
-            <string>Access to validity confirmation service</string>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <widget class="QToolButton" name="helpRevocation">
-           <property name="cursor">
-            <cursorShape>PointingHandCursor</cursorShape>
-           </property>
-           <property name="text">
-            <string>Help</string>
-           </property>
-           <property name="icon">
-            <iconset>
-             <normalon>:/images/icon_Abi.svg</normalon>
-             <selectedon>:/images/icon_Abi_hover.svg</selectedon>
-            </iconset>
-           </property>
-           <property name="iconSize">
-            <size>
-             <width>20</width>
-             <height>20</height>
-            </size>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <spacer name="helpRevocationSpacer">
-           <property name="orientation">
-            <enum>Qt::Horizontal</enum>
-           </property>
-           <property name="sizeHint" stdset="0">
-            <size>
-             <width>40</width>
-             <height>20</height>
-            </size>
-           </property>
-          </spacer>
-         </item>
-        </layout>
-       </item>
-       <item>
-        <widget class="QLabel" name="lblAccessCert">
-         <property name="focusPolicy">
-          <enum>Qt::TabFocus</enum>
-         </property>
-         <property name="text">
-          <string>Server access certificate</string>
-         </property>
-        </widget>
-       </item>
-       <item>
-        <widget class="QLabel" name="txtAccessCert">
-         <property name="focusPolicy">
-          <enum>Qt::TabFocus</enum>
-         </property>
-         <property name="alignment">
-          <set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
-         </property>
-         <property name="wordWrap">
-          <bool>true</bool>
-         </property>
-         <property name="openExternalLinks">
-          <bool>true</bool>
-         </property>
-         <property name="textInteractionFlags">
-          <set>Qt::TextBrowserInteraction</set>
-         </property>
-        </widget>
-       </item>
-       <item>
-        <layout class="QHBoxLayout" name="accessCertButtonsLayout">
-         <item>
-          <widget class="QPushButton" name="btInstallManually">
-           <property name="cursor">
-            <cursorShape>PointingHandCursor</cursorShape>
-           </property>
-           <property name="text">
-            <string>INSTALL MANUALLY</string>
-           </property>
-           <property name="autoDefault">
-            <bool>false</bool>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <widget class="QPushButton" name="btShowCertificate">
-           <property name="cursor">
-            <cursorShape>PointingHandCursor</cursorShape>
-           </property>
-           <property name="text">
-            <string comment="accessCert">SHOW CERTIFICATE</string>
-           </property>
-           <property name="autoDefault">
-            <bool>false</bool>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <spacer name="accessCertButtonSpacer">
-           <property name="orientation">
-            <enum>Qt::Horizontal</enum>
-           </property>
-           <property name="sizeHint" stdset="0">
-            <size>
-             <width>40</width>
-             <height>20</height>
-            </size>
-           </property>
-          </spacer>
-         </item>
-        </layout>
-       </item>
-       <item>
-        <widget class="CheckBox" name="chkIgnoreAccessCert">
-         <property name="text">
-          <string>Ignore server access certificate (IP based access)</string>
-         </property>
-        </widget>
-       </item>
-       <item>
-        <spacer name="pageServicesSpacer">
-         <property name="orientation">
-          <enum>Qt::Vertical</enum>
-         </property>
-         <property name="sizeType">
-          <enum>QSizePolicy::Preferred</enum>
-         </property>
-         <property name="sizeHint" stdset="0">
-          <size>
-           <width>20</width>
-           <height>20</height>
-          </size>
-         </property>
-        </spacer>
-       </item>
-       <item>
-        <layout class="QHBoxLayout" name="timeStampLayout">
-         <item>
-          <widget class="QLabel" name="lblTimeStamp">
-           <property name="focusPolicy">
-            <enum>Qt::TabFocus</enum>
-           </property>
-           <property name="text">
-            <string>Access to Time-Stamping service</string>
-           </property>
-           <property name="buddy">
-            <cstring>txtTimeStamp</cstring>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <widget class="QToolButton" name="helpTimeStamp">
-           <property name="cursor">
-            <cursorShape>PointingHandCursor</cursorShape>
-           </property>
-           <property name="text">
-            <string>Help</string>
-           </property>
-           <property name="icon">
-            <iconset>
-             <normalon>:/images/icon_Abi.svg</normalon>
-             <selectedon>:/images/icon_Abi_hover.svg</selectedon>
-            </iconset>
-           </property>
-           <property name="iconSize">
-            <size>
-             <width>20</width>
-             <height>20</height>
-            </size>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <spacer name="helpTimeStampSpacer">
-           <property name="orientation">
-            <enum>Qt::Horizontal</enum>
-           </property>
-           <property name="sizeHint" stdset="0">
-            <size>
-             <width>40</width>
-             <height>20</height>
-            </size>
-           </property>
-          </spacer>
-         </item>
-        </layout>
-       </item>
-       <item>
-        <widget class="RadioButton" name="rdTimeStampDefault">
-         <property name="text">
-          <string>Use default access</string>
-         </property>
-         <property name="checked">
-          <bool>true</bool>
-         </property>
-         <attribute name="buttonGroup">
-          <string notr="true">rdTimeStamp</string>
-         </attribute>
-        </widget>
-       </item>
-       <item>
-        <widget class="RadioButton" name="rdTimeStampCustom">
-         <property name="text">
-          <string>Use manually configured access</string>
-         </property>
-         <attribute name="buttonGroup">
-          <string notr="true">rdTimeStamp</string>
-         </attribute>
-        </widget>
-       </item>
-       <item>
-        <widget class="LineEdit" name="txtTimeStamp">
-         <property name="enabled">
-          <bool>false</bool>
-         </property>
-         <property name="clearButtonEnabled">
-          <bool>true</bool>
-         </property>
-        </widget>
-       </item>
-       <item>
-        <layout class="QHBoxLayout" name="midLayout">
-         <item>
-          <widget class="QLabel" name="lblMID">
-           <property name="focusPolicy">
-            <enum>Qt::TabFocus</enum>
-           </property>
-           <property name="text">
-            <string>Access to mobile-ID and Smart-ID service</string>
-           </property>
-          </widget>
-         </item>
-         <item>
-          <widget class="QToolButton" name="helpMID">
-           <property name="cursor">
-            <cursorShape>PointingHandCursor</cursorShape>
-           </property>
-           <property name="text">
-            <string>Help</string>
+       <layout class="QVBoxLayout" name="pageServicesLayout">
+        <property name="spacing">
+         <number>5</number>
+        </property>
+        <property name="leftMargin">
+         <number>20</number>
+        </property>
+        <property name="topMargin">
+         <number>20</number>
+        </property>
+        <property name="rightMargin">
+         <number>20</number>
+        </property>
+        <property name="bottomMargin">
+         <number>20</number>
+        </property>
+        <item>
+         <layout class="QHBoxLayout" name="accessCertLayout">
+          <item>
+           <widget class="QLabel" name="lblRevocation">
+            <property name="focusPolicy">
+             <enum>Qt::TabFocus</enum>
+            </property>
+            <property name="text">
+             <string>Access to validity confirmation service</string>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <widget class="QToolButton" name="helpRevocation">
+            <property name="cursor">
+             <cursorShape>PointingHandCursor</cursorShape>
+            </property>
+            <property name="text">
+             <string>Help</string>
+            </property>
+            <property name="icon">
+             <iconset>
+              <normalon>:/images/icon_Abi.svg</normalon>
+              <selectedon>:/images/icon_Abi_hover.svg</selectedon>
+             </iconset>
+            </property>
+            <property name="iconSize">
+             <size>
+              <width>20</width>
+              <height>20</height>
+             </size>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <spacer name="helpRevocationSpacer">
+            <property name="orientation">
+             <enum>Qt::Horizontal</enum>
+            </property>
+            <property name="sizeHint" stdset="0">
+             <size>
+              <width>40</width>
+              <height>20</height>
+             </size>
+            </property>
+           </spacer>
+          </item>
+         </layout>
+        </item>
+        <item>
+         <widget class="QLabel" name="lblAccessCert">
+          <property name="focusPolicy">
+           <enum>Qt::TabFocus</enum>
+          </property>
+          <property name="text">
+           <string>Server access certificate</string>
+          </property>
+         </widget>
+        </item>
+        <item>
+         <widget class="QLabel" name="txtAccessCert">
+          <property name="focusPolicy">
+           <enum>Qt::TabFocus</enum>
+          </property>
+          <property name="alignment">
+           <set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
+          </property>
+          <property name="wordWrap">
+           <bool>true</bool>
+          </property>
+          <property name="openExternalLinks">
+           <bool>true</bool>
+          </property>
+          <property name="textInteractionFlags">
+           <set>Qt::TextBrowserInteraction</set>
+          </property>
+         </widget>
+        </item>
+        <item>
+         <layout class="QHBoxLayout" name="accessCertButtonsLayout">
+          <item>
+           <widget class="QPushButton" name="btInstallManually">
+            <property name="cursor">
+             <cursorShape>PointingHandCursor</cursorShape>
+            </property>
+            <property name="text">
+             <string>INSTALL MANUALLY</string>
+            </property>
+            <property name="autoDefault">
+             <bool>false</bool>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <widget class="QPushButton" name="btShowCertificate">
+            <property name="cursor">
+             <cursorShape>PointingHandCursor</cursorShape>
+            </property>
+            <property name="text">
+             <string comment="accessCert">SHOW CERTIFICATE</string>
+            </property>
+            <property name="autoDefault">
+             <bool>false</bool>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <spacer name="accessCertButtonSpacer">
+            <property name="orientation">
+             <enum>Qt::Horizontal</enum>
+            </property>
+            <property name="sizeHint" stdset="0">
+             <size>
+              <width>40</width>
+              <height>20</height>
+             </size>
+            </property>
+           </spacer>
+          </item>
+         </layout>
+        </item>
+        <item>
+         <widget class="CheckBox" name="chkIgnoreAccessCert">
+          <property name="text">
+           <string>Ignore server access certificate (IP based access)</string>
+          </property>
+         </widget>
+        </item>
+        <item>
+         <spacer name="pageServicesSpacer">
+          <property name="orientation">
+           <enum>Qt::Vertical</enum>
+          </property>
+          <property name="sizeType">
+           <enum>QSizePolicy::Preferred</enum>
+          </property>
+          <property name="sizeHint" stdset="0">
+           <size>
+            <width>20</width>
+            <height>20</height>
+           </size>
+          </property>
+         </spacer>
+        </item>
+        <item>
+         <layout class="QHBoxLayout" name="timeStampLayout">
+          <item>
+           <widget class="QLabel" name="lblTimeStamp">
+            <property name="focusPolicy">
+             <enum>Qt::TabFocus</enum>
+            </property>
+            <property name="text">
+             <string>Access to Time-Stamping service</string>
+            </property>
+            <property name="buddy">
+             <cstring>txtTimeStamp</cstring>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <widget class="QToolButton" name="helpTimeStamp">
+            <property name="cursor">
+             <cursorShape>PointingHandCursor</cursorShape>
+            </property>
+            <property name="text">
+             <string>Help</string>
+            </property>
+            <property name="icon">
+             <iconset>
+              <normalon>:/images/icon_Abi.svg</normalon>
+              <selectedon>:/images/icon_Abi_hover.svg</selectedon>
+             </iconset>
+            </property>
+            <property name="iconSize">
+             <size>
+              <width>20</width>
+              <height>20</height>
+             </size>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <spacer name="helpTimeStampSpacer">
+            <property name="orientation">
+             <enum>Qt::Horizontal</enum>
+            </property>
+            <property name="sizeHint" stdset="0">
+             <size>
+              <width>40</width>
+              <height>20</height>
+             </size>
+            </property>
+           </spacer>
+          </item>
+         </layout>
+        </item>
+        <item>
+         <widget class="RadioButton" name="rdTimeStampDefault">
+          <property name="text">
+           <string>Use default access</string>
+          </property>
+          <property name="checked">
+           <bool>true</bool>
+          </property>
+          <attribute name="buttonGroup">
+           <string notr="true">rdTimeStamp</string>
+          </attribute>
+         </widget>
+        </item>
+        <item>
+         <widget class="RadioButton" name="rdTimeStampCustom">
+          <property name="text">
+           <string>Use manually configured access</string>
+          </property>
+          <attribute name="buttonGroup">
+           <string notr="true">rdTimeStamp</string>
+          </attribute>
+         </widget>
+        </item>
+        <item>
+         <widget class="LineEdit" name="txtTimeStamp">
+          <property name="enabled">
+           <bool>false</bool>
+          </property>
+          <property name="clearButtonEnabled">
+           <bool>true</bool>
+          </property>
+         </widget>
+        </item>
+        <item>
+         <widget class="QWidget" name="wgtTSACert" native="true">
+          <layout class="QVBoxLayout" name="wgtTSACertLayout">
+           <property name="spacing">
+            <number>5</number>
            </property>
-           <property name="icon">
-            <iconset>
-             <normalon>:/images/icon_Abi.svg</normalon>
-             <selectedon>:/images/icon_Abi_hover.svg</selectedon>
-            </iconset>
+           <property name="leftMargin">
+            <number>0</number>
            </property>
-           <property name="iconSize">
-            <size>
-             <width>20</width>
-             <height>20</height>
-            </size>
+           <property name="topMargin">
+            <number>2</number>
            </property>
-          </widget>
-         </item>
-         <item>
-          <spacer name="helpMIDSpacer">
-           <property name="orientation">
-            <enum>Qt::Horizontal</enum>
+           <property name="rightMargin">
+            <number>0</number>
            </property>
-           <property name="sizeHint" stdset="0">
-            <size>
-             <width>40</width>
-             <height>20</height>
-            </size>
+           <property name="bottomMargin">
+            <number>0</number>
            </property>
-          </spacer>
-         </item>
-        </layout>
-       </item>
-       <item>
-        <widget class="RadioButton" name="rdMIDUUIDDefault">
-         <property name="text">
-          <string>Use default access</string>
-         </property>
-         <property name="checked">
-          <bool>true</bool>
-         </property>
-         <attribute name="buttonGroup">
-          <string notr="true">rdMIDUUID</string>
-         </attribute>
-        </widget>
-       </item>
-       <item>
-        <widget class="RadioButton" name="rdMIDUUIDCustom">
-         <property name="text">
-          <string>Use manually configured access</string>
-         </property>
-         <attribute name="buttonGroup">
-          <string notr="true">rdMIDUUID</string>
-         </attribute>
-        </widget>
-       </item>
-       <item>
-        <widget class="LineEdit" name="txtMIDUUID">
-         <property name="enabled">
-          <bool>false</bool>
-         </property>
-         <property name="echoMode">
-          <enum>QLineEdit::Password</enum>
-         </property>
-         <property name="placeholderText">
-          <string notr="true">00000000-0000-0000-0000-000000000000</string>
-         </property>
-         <property name="clearButtonEnabled">
-          <bool>true</bool>
-         </property>
-        </widget>
-       </item>
-       <item>
-        <spacer name="pageServicesBottomSpacer">
-         <property name="orientation">
-          <enum>Qt::Vertical</enum>
-         </property>
-         <property name="sizeHint" stdset="0">
-          <size>
-           <width>20</width>
-           <height>20</height>
-          </size>
-         </property>
-        </spacer>
-       </item>
-      </layout>
+           <item>
+            <widget class="QLabel" name="lblTSACert">
+             <property name="focusPolicy">
+              <enum>Qt::TabFocus</enum>
+             </property>
+             <property name="text">
+              <string>Time-Stamping service SSL certificate</string>
+             </property>
+            </widget>
+           </item>
+           <item>
+            <widget class="QLabel" name="txtTSACert">
+             <property name="focusPolicy">
+              <enum>Qt::TabFocus</enum>
+             </property>
+            </widget>
+           </item>
+           <item>
+            <layout class="QHBoxLayout" name="installTSACertLayout">
+             <item>
+              <widget class="QPushButton" name="btInstallTSACert">
+               <property name="cursor">
+                <cursorShape>PointingHandCursor</cursorShape>
+               </property>
+               <property name="text">
+                <string>ADD CERTIFICATE</string>
+               </property>
+              </widget>
+             </item>
+             <item>
+              <widget class="QPushButton" name="btShowTSACert">
+               <property name="cursor">
+                <cursorShape>PointingHandCursor</cursorShape>
+               </property>
+               <property name="text">
+                <string>SHOW CERTIFICATE</string>
+               </property>
+              </widget>
+             </item>
+             <item>
+              <spacer name="installTSACertSpacer">
+               <property name="orientation">
+                <enum>Qt::Horizontal</enum>
+               </property>
+               <property name="sizeHint" stdset="0">
+                <size>
+                 <width>0</width>
+                 <height>0</height>
+                </size>
+               </property>
+              </spacer>
+             </item>
+            </layout>
+           </item>
+          </layout>
+         </widget>
+        </item>
+        <item>
+         <layout class="QHBoxLayout" name="midLayout">
+          <item>
+           <widget class="QLabel" name="lblMID">
+            <property name="focusPolicy">
+             <enum>Qt::TabFocus</enum>
+            </property>
+            <property name="text">
+             <string>Access to mobile-ID and Smart-ID service</string>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <widget class="QToolButton" name="helpMID">
+            <property name="cursor">
+             <cursorShape>PointingHandCursor</cursorShape>
+            </property>
+            <property name="text">
+             <string>Help</string>
+            </property>
+            <property name="icon">
+             <iconset>
+              <normalon>:/images/icon_Abi.svg</normalon>
+              <selectedon>:/images/icon_Abi_hover.svg</selectedon>
+             </iconset>
+            </property>
+            <property name="iconSize">
+             <size>
+              <width>20</width>
+              <height>20</height>
+             </size>
+            </property>
+           </widget>
+          </item>
+          <item>
+           <spacer name="helpMIDSpacer">
+            <property name="orientation">
+             <enum>Qt::Horizontal</enum>
+            </property>
+            <property name="sizeHint" stdset="0">
+             <size>
+              <width>40</width>
+              <height>20</height>
+             </size>
+            </property>
+           </spacer>
+          </item>
+         </layout>
+        </item>
+        <item>
+         <widget class="RadioButton" name="rdMIDUUIDDefault">
+          <property name="text">
+           <string>Use default access</string>
+          </property>
+          <property name="checked">
+           <bool>true</bool>
+          </property>
+          <attribute name="buttonGroup">
+           <string notr="true">rdMIDUUID</string>
+          </attribute>
+         </widget>
+        </item>
+        <item>
+         <widget class="RadioButton" name="rdMIDUUIDCustom">
+          <property name="text">
+           <string>Use manually configured access</string>
+          </property>
+          <attribute name="buttonGroup">
+           <string notr="true">rdMIDUUID</string>
+          </attribute>
+         </widget>
+        </item>
+        <item>
+         <widget class="LineEdit" name="txtMIDUUID">
+          <property name="enabled">
+           <bool>false</bool>
+          </property>
+          <property name="echoMode">
+           <enum>QLineEdit::Password</enum>
+          </property>
+          <property name="placeholderText">
+           <string notr="true">00000000-0000-0000-0000-000000000000</string>
+          </property>
+          <property name="clearButtonEnabled">
+           <bool>true</bool>
+          </property>
+         </widget>
+        </item>
+       </layout>
+      </widget>
      </widget>
      <widget class="QWidget" name="pageValidation">
       <property name="styleSheet">
diff --git a/client/translations/en.ts b/client/translations/en.ts
index 7852b2eb3..17049a25b 100644
--- a/client/translations/en.ts
+++ b/client/translations/en.ts
@@ -2769,6 +2769,14 @@ Additional licenses and components</translation>
         <source>ADD CERTIFICATE</source>
         <translation>ADD CERTIFICATE</translation>
     </message>
+    <message>
+        <source>Select Time-Stamping server certificate</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Time-Stamping service SSL certificate</source>
+        <translation>Time-Stamping Service SSL certificate</translation>
+    </message>
     <message>
         <source>SHOW CERTIFICATE</source>
         <comment>accessCert</comment>
diff --git a/client/translations/et.ts b/client/translations/et.ts
index fb0c63540..33c3e0ccd 100644
--- a/client/translations/et.ts
+++ b/client/translations/et.ts
@@ -2769,6 +2769,14 @@ Täiendavad litsentsid ja komponendid</translation>
         <source>ADD CERTIFICATE</source>
         <translation>LISA SERTIFIKAAT</translation>
     </message>
+    <message>
+        <source>Select Time-Stamping server certificate</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Time-Stamping service SSL certificate</source>
+        <translation>Ajatempliteenuse SSL sertifikaat</translation>
+    </message>
     <message>
         <source>SHOW CERTIFICATE</source>
         <comment>accessCert</comment>
diff --git a/client/translations/ru.ts b/client/translations/ru.ts
index 76fd95ae2..16839fed1 100644
--- a/client/translations/ru.ts
+++ b/client/translations/ru.ts
@@ -2772,6 +2772,14 @@ Additional licenses and components</source>
         <source>ADD CERTIFICATE</source>
         <translation>ДОБАВИТЬ СЕРТИФИКАТ</translation>
     </message>
+    <message>
+        <source>Select Time-Stamping server certificate</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Time-Stamping service SSL certificate</source>
+        <translation>SSL сертификат службы отметок времени</translation>
+    </message>
     <message>
         <source>SHOW CERTIFICATE</source>
         <comment>accessCert</comment>