[Libreoffice-commits] core.git: 3 commits - xmlsecurity/inc xmlsecurity/source

Miklos Vajna vmiklos at collabora.co.uk
Thu Mar 3 16:11:23 UTC 2016


 xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx     |    2 -
 xmlsecurity/source/helper/documentsignaturemanager.cxx |   18 ++++++++++++-
 xmlsecurity/source/helper/xmlsignaturehelper.cxx       |    6 ++--
 xmlsecurity/source/helper/xsecctl.cxx                  |   23 +++--------------
 xmlsecurity/source/helper/xsecctl.hxx                  |    6 ++--
 xmlsecurity/source/helper/xsecsign.cxx                 |   10 +++++--
 6 files changed, 38 insertions(+), 27 deletions(-)

New commits:
commit cc75888c9e4cd09476287a8489c99fbf073feddb
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Thu Mar 3 15:46:52 2016 +0100

    xmlsecurity OOXML export: don't attempt to sign other signatures
    
    For one, MSO doesn't do that either by default.
    
    For another, this would currently result in a io::IOException, because:
    
    - the root storage is opened read-write, to be able to add the signature
    - then _xmlsignatures/newsig is opened read-write to be able to write
      the signature
    - opening _xmlsignatures/something as read-only still opens the
      _xmlsignatures storage as read-write -> boom, we tried to open the
      same sub-storage read-write two times, OStorage::openStorageElement()
      detects that
    
    Change-Id: I2b90dc044bcfb835df4f19a339a0447e69f42975

diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index f347863..288295b 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -993,7 +993,9 @@ static bool lcl_isOOXMLBlacklist(const OUString& rStreamName)
     {
         OUStringLiteral("/%5BContent_Types%5D.xml"),
         OUStringLiteral("/docProps/app.xml"),
-        OUStringLiteral("/docProps/core.xml")
+        OUStringLiteral("/docProps/core.xml"),
+        // Don't attempt to sign other signatures for now.
+        OUStringLiteral("/_xmlsignatures")
     };
     // Just check the prefix, as we don't care about the content type part of the stream name.
     return std::find_if(vBlacklist.begin(), vBlacklist.end(), [&](const OUStringLiteral& rLiteral) { return rStreamName.startsWith(rLiteral); }) != vBlacklist.end();
commit 963264a417ce807201f0021fc6000ce7d6cf0245
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Thu Mar 3 15:32:48 2016 +0100

    xmlsecurity OOXML export: don't loose old signatures when adding a new one
    
    With this, at least we don't completely throw away existing signatures.
    The roundtrip of them isn't perfect yet, though.
    
    Change-Id: Ibc3408364403a057169e384902afe13b1e397480

diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index 7f0fc66..b5bc008 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -269,6 +269,10 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>&
         int nSignatureCount = maCurrentSignatureInformations.size() + 1;
         maSignatureHelper.ExportSignatureRelations(aStreamHelper.xSignatureStorage, nSignatureCount);
 
+        // Export old signatures.
+        for (size_t i = 0; i < maCurrentSignatureInformations.size(); ++i)
+            maSignatureHelper.ExportOOXMLSignature(mxStore, aStreamHelper.xSignatureStorage, maCurrentSignatureInformations[i], i + 1);
+
         // Create a new signature.
         maSignatureHelper.CreateAndWriteOOXMLSignature(mxStore, aStreamHelper.xSignatureStorage, nSignatureCount);
 
commit 122c01989d4843db52725d375af22f866345d80a
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Thu Mar 3 14:59:03 2016 +0100

    xmlsecurity: avoid calculating the certificate digest late in XSecController
    
    Every other aspect of the certificate is calculated earlier in
    DocumentSignatureManager, so calculate the digest there as well.
    
    Change-Id: Icd97f3ecb084bbce60fcdfa496b6aaf0ac75026d

diff --git a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
index f22570a..55dc230 100644
--- a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
+++ b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
@@ -161,7 +161,7 @@ public:
         certificate.
      */
     void SetX509Certificate(sal_Int32 nSecurityId, const OUString& ouX509IssuerName,
-        const OUString& ouX509SerialNumber, const OUString& ouX509Cert);
+        const OUString& ouX509SerialNumber, const OUString& ouX509Cert, const OUString& ouX509CertDigest);
 
     void        SetDateTime( sal_Int32 nSecurityId, const Date& rDate, const tools::Time& rTime );
     void SetDescription(sal_Int32 nSecurityId, const OUString& rDescription);
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index bb904b8..7f0fc66 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -32,6 +32,8 @@
 #include <tools/date.hxx>
 #include <tools/time.hxx>
 
+#include <certificate.hxx>
+
 using namespace com::sun::star;
 
 DocumentSignatureManager::DocumentSignatureManager(const uno::Reference<uno::XComponentContext>& xContext, DocumentSignatureMode eMode)
@@ -208,7 +210,17 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>&
     OUStringBuffer aStrBuffer;
     sax::Converter::encodeBase64(aStrBuffer, xCert->getEncoded());
 
-    maSignatureHelper.SetX509Certificate(nSecurityId, xCert->getIssuerName(), aCertSerial, aStrBuffer.makeStringAndClear());
+    OUString aCertDigest;
+    if (xmlsecurity::Certificate* pCertificate = dynamic_cast<xmlsecurity::Certificate*>(xCert.get()))
+    {
+        OUStringBuffer aBuffer;
+        sax::Converter::encodeBase64(aBuffer, pCertificate->getSHA256Thumbprint());
+        aCertDigest = aBuffer.makeStringAndClear();
+    }
+    else
+        SAL_WARN("xmlsecurity.helper", "XCertificate implementation without an xmlsecurity::Certificate one");
+
+    maSignatureHelper.SetX509Certificate(nSecurityId, xCert->getIssuerName(), aCertSerial, aStrBuffer.makeStringAndClear(), aCertDigest);
 
     std::vector< OUString > aElements = DocumentSignatureHelper::CreateElementList(mxStore, meSignatureMode, OOo3_2Document);
     DocumentSignatureHelper::AppendContentTypes(mxStore, aElements);
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 59f2cac..59d5ec4 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -123,13 +123,15 @@ void XMLSignatureHelper::SetX509Certificate(
         sal_Int32 nSecurityId,
         const OUString& ouX509IssuerName,
         const OUString& ouX509SerialNumber,
-        const OUString& ouX509Cert)
+        const OUString& ouX509Cert,
+        const OUString& ouX509CertDigest)
 {
     mpXSecController->setX509Certificate(
         nSecurityId,
         ouX509IssuerName,
         ouX509SerialNumber,
-        ouX509Cert);
+        ouX509Cert,
+        ouX509CertDigest);
 }
 
 void XMLSignatureHelper::SetDateTime( sal_Int32 nSecurityId, const ::Date& rDate, const tools::Time& rTime )
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index 4178aab..f347863 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -40,8 +40,6 @@
 #include <comphelper/ofopxmlhelper.hxx>
 #include <sax/tools/converter.hxx>
 
-#include <certificate.hxx>
-
 namespace cssu = com::sun::star::uno;
 namespace cssl = com::sun::star::lang;
 namespace cssxc = com::sun::star::xml::crypto;
@@ -1320,21 +1318,8 @@ void XSecController::exportOOXMLSignature(const uno::Reference<embed::XStorage>&
         xDocumentHandler->endElement("DigestMethod");
         xDocumentHandler->startElement("DigestValue", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
 
-        if (rInformation.ouCertDigest.isEmpty())
-        {
-            uno::Reference<xml::crypto::XSecurityEnvironment> xEnvironment = m_xSecurityContext->getSecurityEnvironment();
-            uno::Reference<security::XCertificate> xCertificate = xEnvironment->createCertificateFromAscii(rInformation.ouX509Certificate);
-            if (xmlsecurity::Certificate* pCertificate = dynamic_cast<xmlsecurity::Certificate*>(xCertificate.get()))
-            {
-                OUStringBuffer aBuffer;
-                sax::Converter::encodeBase64(aBuffer, pCertificate->getSHA256Thumbprint());
-                xDocumentHandler->characters(aBuffer.makeStringAndClear());
-            }
-            else
-                SAL_WARN("xmlsecurity.helper", "XCertificate implementation without an xmlsecurity::Certificate one");
-        }
-        else
-            xDocumentHandler->characters(rInformation.ouCertDigest);
+        assert(!rInformation.ouCertDigest.isEmpty());
+        xDocumentHandler->characters(rInformation.ouCertDigest);
 
         xDocumentHandler->endElement("DigestValue");
         xDocumentHandler->endElement("xd:CertDigest");
diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx
index 9081b33..1b52072 100644
--- a/xmlsecurity/source/helper/xsecctl.hxx
+++ b/xmlsecurity/source/helper/xsecctl.hxx
@@ -457,14 +457,16 @@ public:
         sal_Int32 nSecurityId,
         const OUString& ouX509IssuerName,
         const OUString& ouX509SerialNumber,
-        const OUString& ouX509Cert);
+        const OUString& ouX509Cert,
+        const OUString& ouX509CertDigest);
     // see the other setX509Certifcate function
     void setX509Certificate(
         sal_Int32 nSecurityId,
         const sal_Int32 nSecurityEnvironmentIndex,
         const OUString& ouX509IssuerName,
         const OUString& ouX509SerialNumber,
-        const OUString& ouX509Cert);
+        const OUString& ouX509Cert,
+        const OUString& ouX509CertDigest);
 
     void setDate(
         sal_Int32 nSecurityId,
diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index a0aa8dc..92274a7 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -226,9 +226,10 @@ void XSecController::setX509Certificate(
     sal_Int32 nSecurityId,
     const OUString& ouX509IssuerName,
     const OUString& ouX509SerialNumber,
-    const OUString& ouX509Cert)
+    const OUString& ouX509Cert,
+    const OUString& ouX509CertDigest)
 {
-    setX509Certificate(nSecurityId, -1, ouX509IssuerName, ouX509SerialNumber, ouX509Cert);
+    setX509Certificate(nSecurityId, -1, ouX509IssuerName, ouX509SerialNumber, ouX509Cert, ouX509CertDigest);
 }
 
 void XSecController::setX509Certificate(
@@ -236,7 +237,8 @@ void XSecController::setX509Certificate(
     const sal_Int32 nSecurityEnvironmentIndex,
     const OUString& ouX509IssuerName,
     const OUString& ouX509SerialNumber,
-    const OUString& ouX509Cert)
+    const OUString& ouX509Cert,
+    const OUString& ouX509CertDigest)
 {
     int index = findSignatureInfor( nSecurityId );
 
@@ -247,6 +249,7 @@ void XSecController::setX509Certificate(
         isi.signatureInfor.ouX509IssuerName = ouX509IssuerName;
         isi.signatureInfor.ouX509SerialNumber = ouX509SerialNumber;
         isi.signatureInfor.ouX509Certificate = ouX509Cert;
+        isi.signatureInfor.ouCertDigest = ouX509CertDigest;
         m_vInternalSignatureInformations.push_back( isi );
     }
     else
@@ -256,6 +259,7 @@ void XSecController::setX509Certificate(
         si.ouX509IssuerName = ouX509IssuerName;
         si.ouX509SerialNumber = ouX509SerialNumber;
         si.ouX509Certificate = ouX509Cert;
+        si.ouCertDigest = ouX509CertDigest;
         si.nSecurityEnvironmentIndex = nSecurityEnvironmentIndex;
     }
 }


More information about the Libreoffice-commits mailing list