[Libreoffice-bugs] [Bug 116937] New: Provide per-user certificate store

bugzilla-daemon at bugs.documentfoundation.org
Wed Apr 11 10:53:52 UTC 2018


https://bugs.documentfoundation.org/show_bug.cgi?id=116937

            Bug ID: 116937
           Summary: Provide per-user certificate store
           Product: LibreOffice
           Version: 6.0.3.1 rc
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: medium
         Component: LibreOffice
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: mycae at gmx.com

Description:
Currently, there is no clear way to provide a self-signed p12 file, with x509
certificate in libreoffice. 

The use case here is to be able to perform round-trip confirmation of
documents. I wish to emit documents, and then in the case that the need arises
(query over whether the document is genuine), I can manually verify a document
that has been returned to me.

Network-based man-in-the-middle is not a concern, as this will be performed
using USB keys to transfer files, and only to provide negative verification
(document is not valid), rather than positive.

It should be possible for me to install, on whichever machines are needed,
without the use of third-party software, a certificate in libreoffice that can
be used to sign outgoing ODT/PDF documents. 

Currently my (non-working) workflow is to:
* Create a pem file pair.
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

* Rebind these back into a p12 file (to work around a bug in
firefox/thunderbird)
https://security.stackexchange.com/questions/163199/firefox-certificate-can-t-be-installed

* Install this as a personal certificate

* ??

* Have the certificate appear in libreoffice's certificate selection.

The current method of needing to use third party software to manage which
certificates are available is understandable from a central-certificate point
of view, but not so from a user perspective.

If there is some way to allow the user to either manually provide a pem/p12
file from the filesystem, OR to have an import system within libreoffice to
manage certificates only for libreoffice, that would be great.

PDF might be a bit tricky, as if the store is specific to libreoffice, then PDF
viewers will not respect this.



Steps to Reproduce:
1. Attempt to digitally sign a document
2. See that you don't have any certificates available
3. Run internet searches to find a way to make it available
4. Give up after an hour or so.

Actual Results:  
Document cannot be signed, as no certificates are available

Expected Results:
1. Attempt to digitally sign a document
2. Be prompted for your signature file, or allowed to import it
3. Sign document


Reproducible: Always


User Profile Reset: No



Additional Info:
I've managed to import gpg files, but this cannot be used to sign a PDF.
Selecting "sign" using a GPG RSA key pair allows you to select the GPG key for
signing, but simply dumps you back to the PDF dialog with no actual signing or
certificate details being provided (It seems to error out with no user
feedback).


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101
Firefox/44.0 Iceweasel/44.0

-- 
You are receiving this mail because:
You are the assignee for the bug.
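
The first two steps of the workflow in the report (create a PEM pair, bundle it into a p12), as an added example that is not part of the original report or of LibreOffice. It also checks the bundle before any import is attempted; the CN, file names and passphrase are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. CN, file names and passphrase are constructed placeholders.

# Steps 1-2: self-signed certificate + unencrypted key, then one PKCS#12 bundle.
# $1 = output dir, $2 = subject CN, $3 = PKCS#12 passphrase
make_signing_p12() {
  local dir=$1 cn=$2 pass=$3
  ( umask 077   # key material readable by the owner only
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
      -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
      -name "$cn" -passout "pass:$pass" -out "$dir/signer.p12" )
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate stored in a PKCS#12 file ($2 = passphrase).
p12_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeeds only if the private key in the bundle belongs to its certificate
# (and the passphrase is right): both must yield the same public key.
p12_key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
             openssl pkey -pubout 2>/dev/null) || return 1
  from_cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
              openssl x509 -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Demo in a throwaway directory, removed afterwards because it holds a private key.
demo_dir=$(mktemp -d)
make_signing_p12 "$demo_dir" "Example Document Signer" "constructed-passphrase"
echo "cert.pem:   $(cert_fingerprint "$demo_dir/cert.pem")"
echo "signer.p12: $(p12_cert_fingerprint "$demo_dir/signer.p12" "constructed-passphrase")"
p12_key_matches_cert "$demo_dir/signer.p12" "constructed-passphrase" &&
  echo "private key matches certificate"
rm -rf "$demo_dir"
```

On Linux, LibreOffice takes its X.509 signing certificates from an NSS database (a Firefox or Thunderbird profile, or a directory initialised with `certutil`), and NSS's `pk12util -i signer.p12 -d sql:DIR` imports the bundle there. Recording the certificate fingerprint at issue time gives a fixed value to compare against when a returned document is checked.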