open-eid · metsma · Apr 1, 2026 · Mar 31, 2026 · Apr 1, 2026
diff --git a/cdoc/CDoc1Writer.cpp b/cdoc/CDoc1Writer.cpp
@@ -273,7 +273,12 @@ CDoc1Writer::addRecipient(const libcdoc::Recipient& rcpt)
 {
     if(d)
         return WORKFLOW_ERROR;
-	rcpts.push_back(rcpt);
+    if (!rcpt.isCertificate()) {
+        setLastError("Invalid recipient type");
+        LOG_ERROR("{}", last_error);
+        return WRONG_ARGUMENTS;
+    }
+    rcpts.push_back(rcpt);
     return libcdoc::OK;
 }
 

diff --git a/cdoc/CDoc2Writer.cpp b/cdoc/CDoc2Writer.cpp
diff --git a/cdoc/CDoc2Writer.h b/cdoc/CDoc2Writer.h
@@ -33,19 +33,20 @@ class CDoc2Writer final: public libcdoc::CDocWriter {
     CDOC_DISABLE_COPY(CDoc2Writer);
     ~CDoc2Writer() noexcept final;
 
-    libcdoc::result_t beginEncryption() final;
-    libcdoc::result_t addRecipient(const libcdoc::Recipient& rcpt) final;
-    libcdoc::result_t addFile(const std::string& name, size_t size) final;
-    libcdoc::result_t writeData(const uint8_t *src, size_t size) final;
-    libcdoc::result_t finishEncryption() final;
+    result_t beginEncryption() final;
+    result_t addRecipient(const Recipient& rcpt) final;
+    result_t addFile(const std::string& name, size_t size) final;
+    result_t writeData(const uint8_t *src, size_t size) final;
+    result_t finishEncryption() final;
 
-    libcdoc::result_t encrypt(libcdoc::MultiDataSource& src, const std::vector<libcdoc::Recipient>& keys) final;
+    result_t encrypt(MultiDataSource& src, const std::vector<Recipient>& keys) final;
 private:
-    libcdoc::result_t writeHeader(const std::vector<libcdoc::Recipient> &recipients);
-    libcdoc::result_t buildHeader(std::vector<uint8_t>& header, const std::vector<libcdoc::Recipient>& keys, const std::vector<uint8_t>& fmk);
+    result_t writeHeader(const std::vector<Recipient> &recipients);
+    result_t buildHeader(std::vector<uint8_t>& header, const std::vector<Recipient>& keys, const std::vector<uint8_t>& fmk);
+    result_t fail(const std::string& message, result_t result);
 
-    std::unique_ptr<libcdoc::TarConsumer> tar;
-    std::vector<libcdoc::Recipient> recipients;
+    std::unique_ptr<TarConsumer> tar;
+    std::vector<Recipient> recipients;
     bool finished = false;
 };
 

diff --git a/cdoc/CDocCipher.cpp b/cdoc/CDocCipher.cpp
@@ -277,6 +277,8 @@ fill_recipients_from_rcpt_info(ToolConf& conf, ToolCrypto& crypto, std::vector<l
             }
         } else if (rcpt.type == RcptInfo::Type::SKEY) {
             key = libcdoc::Recipient::makeSymmetric(label, 0);
+            if (conf.gen_label)
+                key.setLabelValue(CDoc2::Label::LABEL, rcpt.label);
             LOG_DBG("Creating symmetric key:");
         } else if (rcpt.type == RcptInfo::Type::PKEY) {
             if (!conf.servers.empty()) {
@@ -297,6 +299,8 @@ fill_recipients_from_rcpt_info(ToolConf& conf, ToolCrypto& crypto, std::vector<l
             LOG_DBG("Creating public key:");
         } else if (rcpt.type == RcptInfo::Type::P11_SYMMETRIC) {
             key = libcdoc::Recipient::makeSymmetric(label, 0);
+            if (conf.gen_label)
+                key.setLabelValue(CDoc2::Label::LABEL, rcpt.label);
         } else if (rcpt.type == RcptInfo::Type::P11_PKI) {
             std::vector<uint8_t> val;
             bool rsa;
@@ -315,6 +319,8 @@ fill_recipients_from_rcpt_info(ToolConf& conf, ToolCrypto& crypto, std::vector<l
         } else if (rcpt.type == RcptInfo::Type::PASSWORD) {
             LOG_DBG("Creating password key:");
             key = libcdoc::Recipient::makeSymmetric(label, 65535);
+            if (conf.gen_label)
+                key.setLabelValue(CDoc2::Label::LABEL, rcpt.label);
         } else if (rcpt.type == RcptInfo::Type::SHARE) {
             LOG_DBG("Creating keyshare recipient:");
             key = libcdoc::Recipient::makeShare(label, conf.servers[0].ID, "PNOEE-" + rcpt.id);

diff --git a/cdoc/Recipient.cpp b/cdoc/Recipient.cpp
@@ -205,4 +205,20 @@ Recipient::getLabel(std::map<std::string_view, std::string_view> extra) const
     return ofs.str();
 }
 
+bool
+Recipient::validate() const
+{
+    switch(type) {
+        case SYMMETRIC_KEY:
+            // Either user-defined label or LABEL property is required
+            return !label.empty() || lbl_parts.contains("CDoc2::Label::LABEL");
+        case PUBLIC_KEY:
+            // Public key should not be empty
+            return !rcpt_key.empty();
+        default:
+            return false;
+    }
+    return true;
+}
+
 } // namespace libcdoc
diff --git a/cdoc/Recipient.h b/cdoc/Recipient.h
@@ -238,6 +238,13 @@ struct CDOC_EXPORT Recipient {
         lbl_parts[std::string(key)] = value;
     }
 
+    /**
+     * @brief Validate recipient record
+     * 
+     * @return true if Recipient is valid
+     */
+    bool validate() const;
+
     bool operator== (const Recipient& other) const = default;
 protected:
 	Recipient(Type _type) : type(_type) {};

diff --git a/test/libcdoc_boost.cpp b/test/libcdoc_boost.cpp
@@ -540,7 +540,7 @@ BOOST_FIXTURE_TEST_CASE_WITH_DECOR(EncryptWithPasswordWithoutLabel, EncryptFixtu
         * utf::description("Encrypting a file with password and without label"))
 {
     std::vector<libcdoc::RcptInfo> rcpts {
-        {libcdoc::RcptInfo::PASSWORD, {}, {}, std::vector<uint8_t>(Password.cbegin(), Password.cend())}
+        {libcdoc::RcptInfo::PASSWORD, "auto", {}, std::vector<uint8_t>(Password.cbegin(), Password.cend())}
     };
     encrypt(2, {checkDataFile(sources[0])}, formTargetFile("PasswordUsageWithoutLabel.cdoc"), rcpts);
 }
@@ -559,7 +559,7 @@ BOOST_FIXTURE_TEST_CASE_WITH_DECOR(EncryptWithAESKey, EncryptFixture,
         * utf::description("Encrypting a file with symmetric AES key"))
 {
     std::vector<libcdoc::RcptInfo> rcpts {
-        {libcdoc::RcptInfo::SKEY, {}, {}, libcdoc::fromHex(AESKey)}
+        {libcdoc::RcptInfo::SKEY, "AES", {}, libcdoc::fromHex(AESKey)}
     };
     encrypt(2, {checkDataFile(sources[0])}, formTargetFile("AESKeyUsage.cdoc"), rcpts);
 }