[Libreoffice-commits] core.git: 3 commits - xmlsecurity/inc xmlsecurity/source
Miklos Vajna
vmiklos at collabora.co.uk
Thu Mar 3 16:11:23 UTC 2016
xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx | 2 -
xmlsecurity/source/helper/documentsignaturemanager.cxx | 18 ++++++++++++-
xmlsecurity/source/helper/xmlsignaturehelper.cxx | 6 ++--
xmlsecurity/source/helper/xsecctl.cxx | 23 +++--------------
xmlsecurity/source/helper/xsecctl.hxx | 6 ++--
xmlsecurity/source/helper/xsecsign.cxx | 10 +++++--
6 files changed, 38 insertions(+), 27 deletions(-)
New commits:
commit cc75888c9e4cd09476287a8489c99fbf073feddb
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Thu Mar 3 15:46:52 2016 +0100
xmlsecurity OOXML export: don't attempt to sign other signatures
For one, MSO doesn't do that either by default.
For another, this would currently result in an io::IOException, because:
- the root storage is opened read-write, to be able to add the signature
- then _xmlsignatures/newsig is opened read-write to be able to write
the signature
- opening _xmlsignatures/something as read-only still opens the
_xmlsignatures storage as read-write -> boom, we tried to open the
same sub-storage read-write two times, OStorage::openStorageElement()
detects that
Change-Id: I2b90dc044bcfb835df4f19a339a0447e69f42975
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index f347863..288295b 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -993,7 +993,9 @@ static bool lcl_isOOXMLBlacklist(const OUString& rStreamName)
{
OUStringLiteral("/%5BContent_Types%5D.xml"),
OUStringLiteral("/docProps/app.xml"),
- OUStringLiteral("/docProps/core.xml")
+ OUStringLiteral("/docProps/core.xml"),
+ // Don't attempt to sign other signatures for now.
+ OUStringLiteral("/_xmlsignatures")
};
// Just check the prefix, as we don't care about the content type part of the stream name.
return std::find_if(vBlacklist.begin(), vBlacklist.end(), [&](const OUStringLiteral& rLiteral) { return rStreamName.startsWith(rLiteral); }) != vBlacklist.end();
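Review bot: The new `"/_xmlsignatures"` entry is matched with startsWith like the other prefixes, so it also excludes any stream whose name merely begins with that text (a hypothetical `/_xmlsignatures2/...`), not only the signature part directory — and everything that matches this list is left out of the signed element set. Since the intent is the directory, make the match as tight as the intent: `OUStringLiteral("/_xmlsignatures/")`. The comment should also state the consequence rather than just the intent, e.g. `// Signature parts are not covered by the signature (MSO default); anything matching here stays unsigned.` lcl_isOOXMLBlacklist's signature and the start of the vector initializer lie before this hunk.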
commit 963264a417ce807201f0021fc6000ce7d6cf0245
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Thu Mar 3 15:32:48 2016 +0100
xmlsecurity OOXML export: don't lose old signatures when adding a new one
With this, at least we don't completely throw away existing signatures.
The roundtrip of them isn't perfect yet, though.
Change-Id: Ibc3408364403a057169e384902afe13b1e397480
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index 7f0fc66..b5bc008 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -269,6 +269,10 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>&
int nSignatureCount = maCurrentSignatureInformations.size() + 1;
maSignatureHelper.ExportSignatureRelations(aStreamHelper.xSignatureStorage, nSignatureCount);
+ // Export old signatures.
+ for (size_t i = 0; i < maCurrentSignatureInformations.size(); ++i)
+ maSignatureHelper.ExportOOXMLSignature(mxStore, aStreamHelper.xSignatureStorage, maCurrentSignatureInformations[i], i + 1);
+
// Create a new signature.
maSignatureHelper.CreateAndWriteOOXMLSignature(mxStore, aStreamHelper.xSignatureStorage, nSignatureCount);
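Review bot: The loop added here re-emits the existing signatures through ExportOOXMLSignature from the parsed SignatureInformation objects rather than copying the original sigN.xml bytes, so any difference in element order, whitespace or canonicalization between this exporter and the original producer invalidates a previously valid signature — the commit message itself says the roundtrip is not perfect. If the original streams are still reachable through mxStore at this point, copying them verbatim into the new signature storage is the only way to guarantee an untouched signature stays verifiable; if that is not possible yet, the loop deserves a `// TODO: re-serialising existing signatures may invalidate them; copy the original stream instead` so the limitation is visible at the call site. Note also that `i + 1` renumbers the old signatures positionally, which presumably is only correct if maCurrentSignatureInformations preserves the original sig1..sigN order. DocumentSignatureManager::add begins and ends outside this hunk.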
commit 122c01989d4843db52725d375af22f866345d80a
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Thu Mar 3 14:59:03 2016 +0100
xmlsecurity: avoid calculating the certificate digest late in XSecController
Every other aspect of the certificate is calculated earlier in
DocumentSignatureManager, so calculate the digest there as well.
Change-Id: Icd97f3ecb084bbce60fcdfa496b6aaf0ac75026d
diff --git a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
index f22570a..55dc230 100644
--- a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
+++ b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
@@ -161,7 +161,7 @@ public:
certificate.
*/
void SetX509Certificate(sal_Int32 nSecurityId, const OUString& ouX509IssuerName,
- const OUString& ouX509SerialNumber, const OUString& ouX509Cert);
+ const OUString& ouX509SerialNumber, const OUString& ouX509Cert, const OUString& ouX509CertDigest);
void SetDateTime( sal_Int32 nSecurityId, const Date& rDate, const tools::Time& rTime );
void SetDescription(sal_Int32 nSecurityId, const OUString& rDescription);
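Review bot: The new ouX509CertDigest parameter is undocumented, although the doc comment ending just above this hunk describes the others, and callers must match what the exporter writes out. I would extend that comment with: `ouX509CertDigest: base64-encoded SHA-256 thumbprint of the certificate, written as xd:CertDigest/DigestValue into the OOXML signature; must not be empty for OOXML export.` The doc comment block starts before this hunk.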
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index bb904b8..7f0fc66 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -32,6 +32,8 @@
#include <tools/date.hxx>
#include <tools/time.hxx>
+#include <certificate.hxx>
+
using namespace com::sun::star;
DocumentSignatureManager::DocumentSignatureManager(const uno::Reference<uno::XComponentContext>& xContext, DocumentSignatureMode eMode)
@@ -208,7 +210,17 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>&
OUStringBuffer aStrBuffer;
sax::Converter::encodeBase64(aStrBuffer, xCert->getEncoded());
- maSignatureHelper.SetX509Certificate(nSecurityId, xCert->getIssuerName(), aCertSerial, aStrBuffer.makeStringAndClear());
+ OUString aCertDigest;
+ if (xmlsecurity::Certificate* pCertificate = dynamic_cast<xmlsecurity::Certificate*>(xCert.get()))
+ {
+ OUStringBuffer aBuffer;
+ sax::Converter::encodeBase64(aBuffer, pCertificate->getSHA256Thumbprint());
+ aCertDigest = aBuffer.makeStringAndClear();
+ }
+ else
+ SAL_WARN("xmlsecurity.helper", "XCertificate implementation without an xmlsecurity::Certificate one");
+
+ maSignatureHelper.SetX509Certificate(nSecurityId, xCert->getIssuerName(), aCertSerial, aStrBuffer.makeStringAndClear(), aCertDigest);
std::vector< OUString > aElements = DocumentSignatureHelper::CreateElementList(mxStore, meSignatureMode, OOo3_2Document);
DocumentSignatureHelper::AppendContentTypes(mxStore, aElements);
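Review bot: When the dynamic_cast to xmlsecurity::Certificate fails, `add` only emits SAL_WARN and continues with an empty aCertDigest, yet the exporter side of this same change now asserts the digest is non-empty — so a debug build aborts while a release build writes an empty DigestValue into xd:CertDigest, which any verifier will reject. Since the digest is mandatory for a usable OOXML signature, fail the operation here instead of warning: keep the SAL_WARN and add `return false;` in the else branch (the function already returns bool). DocumentSignatureManager::add starts and ends outside this hunk, so the return convention should be checked against the rest of the body.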
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 59f2cac..59d5ec4 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -123,13 +123,15 @@ void XMLSignatureHelper::SetX509Certificate(
sal_Int32 nSecurityId,
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
- const OUString& ouX509Cert)
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest)
{
mpXSecController->setX509Certificate(
nSecurityId,
ouX509IssuerName,
ouX509SerialNumber,
- ouX509Cert);
+ ouX509Cert,
+ ouX509CertDigest);
}
void XMLSignatureHelper::SetDateTime( sal_Int32 nSecurityId, const ::Date& rDate, const tools::Time& rTime )
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index 4178aab..f347863 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -40,8 +40,6 @@
#include <comphelper/ofopxmlhelper.hxx>
#include <sax/tools/converter.hxx>
-#include <certificate.hxx>
-
namespace cssu = com::sun::star::uno;
namespace cssl = com::sun::star::lang;
namespace cssxc = com::sun::star::xml::crypto;
@@ -1320,21 +1318,8 @@ void XSecController::exportOOXMLSignature(const uno::Reference<embed::XStorage>&
xDocumentHandler->endElement("DigestMethod");
xDocumentHandler->startElement("DigestValue", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- if (rInformation.ouCertDigest.isEmpty())
- {
- uno::Reference<xml::crypto::XSecurityEnvironment> xEnvironment = m_xSecurityContext->getSecurityEnvironment();
- uno::Reference<security::XCertificate> xCertificate = xEnvironment->createCertificateFromAscii(rInformation.ouX509Certificate);
- if (xmlsecurity::Certificate* pCertificate = dynamic_cast<xmlsecurity::Certificate*>(xCertificate.get()))
- {
- OUStringBuffer aBuffer;
- sax::Converter::encodeBase64(aBuffer, pCertificate->getSHA256Thumbprint());
- xDocumentHandler->characters(aBuffer.makeStringAndClear());
- }
- else
- SAL_WARN("xmlsecurity.helper", "XCertificate implementation without an xmlsecurity::Certificate one");
- }
- else
- xDocumentHandler->characters(rInformation.ouCertDigest);
+ assert(!rInformation.ouCertDigest.isEmpty());
+ xDocumentHandler->characters(rInformation.ouCertDigest);
xDocumentHandler->endElement("DigestValue");
xDocumentHandler->endElement("xd:CertDigest");
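Review bot: The new assert replaces a runtime fallback (recomputing the thumbprint from ouX509Certificate when ouCertDigest was empty) with a debug-only check, so in a release build an empty ouCertDigest now silently produces an empty DigestValue. The empty case is not hypothetical: the loop re-exporting existing signatures added in the second commit of this series passes SignatureInformation objects filled by the importer, and if the import path does not populate ouCertDigest this assert fires for every document that already carries a signature. Either keep a runtime guard, `if (rInformation.ouCertDigest.isEmpty()) throw uno::RuntimeException("OOXML signature export: certificate digest missing");`, or verify that the importer always sets ouCertDigest and record that invariant in a comment on the field. exportOOXMLSignature starts and ends outside this hunk.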
diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx
index 9081b33..1b52072 100644
--- a/xmlsecurity/source/helper/xsecctl.hxx
+++ b/xmlsecurity/source/helper/xsecctl.hxx
@@ -457,14 +457,16 @@ public:
sal_Int32 nSecurityId,
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
- const OUString& ouX509Cert);
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest);
// see the other setX509Certifcate function
void setX509Certificate(
sal_Int32 nSecurityId,
const sal_Int32 nSecurityEnvironmentIndex,
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
- const OUString& ouX509Cert);
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest);
void setDate(
sal_Int32 nSecurityId,
diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index a0aa8dc..92274a7 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -226,9 +226,10 @@ void XSecController::setX509Certificate(
sal_Int32 nSecurityId,
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
- const OUString& ouX509Cert)
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest)
{
- setX509Certificate(nSecurityId, -1, ouX509IssuerName, ouX509SerialNumber, ouX509Cert);
+ setX509Certificate(nSecurityId, -1, ouX509IssuerName, ouX509SerialNumber, ouX509Cert, ouX509CertDigest);
}
void XSecController::setX509Certificate(
@@ -236,7 +237,8 @@ void XSecController::setX509Certificate(
const sal_Int32 nSecurityEnvironmentIndex,
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
- const OUString& ouX509Cert)
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest)
{
int index = findSignatureInfor( nSecurityId );
@@ -247,6 +249,7 @@ void XSecController::setX509Certificate(
isi.signatureInfor.ouX509IssuerName = ouX509IssuerName;
isi.signatureInfor.ouX509SerialNumber = ouX509SerialNumber;
isi.signatureInfor.ouX509Certificate = ouX509Cert;
+ isi.signatureInfor.ouCertDigest = ouX509CertDigest;
m_vInternalSignatureInformations.push_back( isi );
}
else
@@ -256,6 +259,7 @@ void XSecController::setX509Certificate(
si.ouX509IssuerName = ouX509IssuerName;
si.ouX509SerialNumber = ouX509SerialNumber;
si.ouX509Certificate = ouX509Cert;
+ si.ouCertDigest = ouX509CertDigest;
si.nSecurityEnvironmentIndex = nSecurityEnvironmentIndex;
}
}