[Libreoffice-commits] core.git: xmlsecurity/Executable_pdfverify.mk xmlsecurity/inc xmlsecurity/Library_xmlsecurity.mk xmlsecurity/source
Miklos Vajna
vmiklos at collabora.co.uk
Fri Oct 14 07:09:05 UTC 2016
xmlsecurity/Executable_pdfverify.mk | 1 +
xmlsecurity/Library_xmlsecurity.mk | 2 ++
xmlsecurity/inc/pdfio/pdfdocument.hxx | 5 +++--
xmlsecurity/inc/sigstruct.hxx | 2 +-
xmlsecurity/source/helper/pdfsignaturehelper.cxx | 9 +++------
xmlsecurity/source/pdfio/pdfdocument.cxx | 23 +++++++++++++++++++----
xmlsecurity/source/pdfio/pdfverify.cxx | 7 ++++---
7 files changed, 33 insertions(+), 16 deletions(-)
New commits:
commit e584bc808b634bf18ba5f7538d598e135b28f090
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Thu Oct 13 21:07:55 2016 +0200
xmlsecurity: extract certificate from PDF signature
So that the UI can show the correct "Signed by" and "Digital ID issued
by" fields.
Change-Id: Ied2fed480f48baf60cffb4f0ce762a726beab006
Reviewed-on: https://gerrit.libreoffice.org/29776
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
diff --git a/xmlsecurity/Executable_pdfverify.mk b/xmlsecurity/Executable_pdfverify.mk
index bc08d56..8a18dbc 100644
--- a/xmlsecurity/Executable_pdfverify.mk
+++ b/xmlsecurity/Executable_pdfverify.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_Executable_set_include,pdfverify,\
$(eval $(call gb_Executable_use_libraries,pdfverify,\
comphelper \
+ cppu \
sal \
tl \
xmlsecurity \
diff --git a/xmlsecurity/Library_xmlsecurity.mk b/xmlsecurity/Library_xmlsecurity.mk
index 77368ab..c5e8d68 100644
--- a/xmlsecurity/Library_xmlsecurity.mk
+++ b/xmlsecurity/Library_xmlsecurity.mk
@@ -72,12 +72,14 @@ $(eval $(call gb_Library_add_defs,xmlsecurity,\
-DXMLSEC_CRYPTO_MSCRYPTO \
))
else
+ifneq (,$(filter DESKTOP,$(BUILD_TYPE)))
$(eval $(call gb_Library_add_defs,xmlsecurity,\
-DXMLSEC_CRYPTO_NSS \
))
$(eval $(call gb_Library_use_externals,xmlsecurity,\
nss3 \
))
+endif # BUILD_TYPE=DESKTOP
endif
# vim: set noet sw=4 ts=4:
diff --git a/xmlsecurity/inc/pdfio/pdfdocument.hxx b/xmlsecurity/inc/pdfio/pdfdocument.hxx
index 9d07261..79cd716 100644
--- a/xmlsecurity/inc/pdfio/pdfdocument.hxx
+++ b/xmlsecurity/inc/pdfio/pdfdocument.hxx
@@ -16,6 +16,7 @@
#include <tools/stream.hxx>
#include <xmlsecuritydllapi.h>
+#include <sigstruct.hxx>
namespace xmlsecurity
{
@@ -58,8 +59,8 @@ public:
bool Read(SvStream& rStream);
std::vector<PDFObjectElement*> GetSignatureWidgets();
- /// Return value is about if we can determine a result, bDigestMatch is about the actual result.
- static bool ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, bool& bDigestMatch);
+ /// Return value is about if we can determine a result, rInformation is about the actual result.
+ static bool ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, SignatureInformation& rInformation);
};
} // namespace pdfio
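Review bot: The updated doc comment on ValidateSignature says only that rInformation is "about the actual result", which does not tell a caller which fields are written or what state they are in when the function returns false. I would spell it out, e.g. `/// Returns false if validation could not be performed. On true, rInformation.nStatus is OPERATION_SUCCEEDED only if the signature verified, and ouX509Certificate holds the base64-encoded DER signing certificate.` In pdfdocument.cxx the certificate field is filled before verification runs, so it may also be set on a later false return, which is worth stating. The class declaration starts outside this hunk.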
diff --git a/xmlsecurity/inc/sigstruct.hxx b/xmlsecurity/inc/sigstruct.hxx
index 8650a8f..610845c 100644
--- a/xmlsecurity/inc/sigstruct.hxx
+++ b/xmlsecurity/inc/sigstruct.hxx
@@ -23,7 +23,7 @@
#include <rtl/ustring.hxx>
#include <com/sun/star/util/DateTime.hpp>
#include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
-#include <com/sun/star/uno/Sequence.h>
+#include <com/sun/star/uno/Sequence.hxx>
#include <vector>
diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
index 2054f2b..cc4b388 100644
--- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
@@ -54,17 +54,12 @@ bool PDFSignatureHelper::ReadAndVerifySignature(const uno::Reference<io::XInputS
{
SignatureInformation aInfo(i);
- bool bDigestMatch;
- if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], bDigestMatch))
+ if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], aInfo))
{
SAL_WARN("xmlsecurity.helper", "failed to determine digest match");
continue;
}
- if (bDigestMatch)
- aInfo.nStatus = xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
- else
- aInfo.nStatus = xml::crypto::SecurityOperationStatus_UNKNOWN;
m_aSignatureInfos.push_back(aInfo);
}
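Review bot: With the explicit `SecurityOperationStatus_UNKNOWN` branch removed, a failed verification is now represented only by whatever `SignatureInformation(i)` initialises nStatus to. The new ValidateSignature assigns nStatus solely on success (see the `NSS_CMSSignerInfo_Verify` hunk in pdfdocument.cxx), and pdfverify.cxx relies on the same default. The constructor is not visible here, so the default is presumably UNKNOWN, but a signature verdict should not depend on how the caller initialised the struct. I would have ValidateSignature write the failure value itself, `else rInformation.nStatus = xml::crypto::SecurityOperationStatus_UNKNOWN;`, so the result fails closed whatever is passed in. The loop and the function body extend outside this hunk.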
@@ -80,11 +75,13 @@ uno::Sequence<security::DocumentSignatureInformation> PDFSignatureHelper::GetDoc
{
uno::Sequence<security::DocumentSignatureInformation> aRet(m_aSignatureInfos.size());
+ uno::Reference<xml::crypto::XSecurityEnvironment> xSecurityEnvironment = m_xSecurityContext->getSecurityEnvironment();
for (size_t i = 0; i < m_aSignatureInfos.size(); ++i)
{
const SignatureInformation& rInternal = m_aSignatureInfos[i];
security::DocumentSignatureInformation& rExternal = aRet[i];
rExternal.SignatureIsValid = rInternal.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
+ rExternal.Signer = xSecurityEnvironment->createCertificateFromAscii(rInternal.ouX509Certificate);
}
return aRet;
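Review bot: `m_xSecurityContext->getSecurityEnvironment()` and the later `xSecurityEnvironment->createCertificateFromAscii(...)` are both dereferenced without an `is()` check. Whether m_xSecurityContext is always set before this call is not visible in the hunk, so I would guard the lookup with `if (m_xSecurityContext.is())` and the assignment with `if (xSecurityEnvironment.is())`. Separately, rExternal.Signer is filled for every entry, including those where SignatureIsValid is false, and the certificate bytes come from the document's own CMS data. A comment such as `// Signer is taken from the signature blob as-is; it is set even when SignatureIsValid is false.` would stop consumers from reading the presence of a signer as a verdict. The function starts outside the hunk.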
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 4ca43a2..22731db 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -13,11 +13,14 @@
#include <memory>
#include <vector>
+#include <com/sun/star/uno/Sequence.hxx>
+
#include <comphelper/scopeguard.hxx>
#include <rtl/strbuf.hxx>
#include <rtl/string.hxx>
#include <sal/log.hxx>
#include <sal/types.h>
+#include <sax/tools/converter.hxx>
#ifdef XMLSEC_CRYPTO_NSS
#include <cert.h>
@@ -674,7 +677,7 @@ int PDFDocument::AsHex(char ch)
return nRet;
}
-bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, bool& bDigestMatch)
+bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, SignatureInformation& rInformation)
{
PDFObjectElement* pValue = pSignature->LookupObject("V");
if (!pValue)
@@ -841,11 +844,22 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
unsigned int nActualResultLen;
HASH_End(pHASHContext, pActualResultBuffer, &nActualResultLen, nMaxResultLen);
- if (!NSS_CMSSignerInfo_GetSigningCertificate(pCMSSignerInfo, CERT_GetDefaultCertDB()))
+ CERTCertificate* pCertificate = NSS_CMSSignerInfo_GetSigningCertificate(pCMSSignerInfo, CERT_GetDefaultCertDB());
+ if (!pCertificate)
{
SAL_WARN("xmlsecurity.pdfio", "PDFDocument::ValidateSignature: NSS_CMSSignerInfo_GetSigningCertificate() failed");
return false;
}
+ else
+ {
+ uno::Sequence<sal_Int8> aDerCert(pCertificate->derCert.len);
+ for (size_t i = 0; i < pCertificate->derCert.len; ++i)
+ aDerCert[i] = pCertificate->derCert.data[i];
+ OUStringBuffer aBuffer;
+ sax::Converter::encodeBase64(aBuffer, aDerCert);
+ rInformation.ouX509Certificate = aBuffer.makeStringAndClear();
+ }
+
SECItem* pContentInfoContentData = pCMSSignedData->contentInfo.content.data;
if (pContentInfoContentData && pContentInfoContentData->data)
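Review bot: The new `else` block copies derCert byte by byte into a Sequence sized from an `unsigned int`, where the Sequence pointer-and-length constructor would do the same in one statement: `uno::Sequence<sal_Int8> aDerCert(reinterpret_cast<const sal_Int8*>(pCertificate->derCert.data), pCertificate->derCert.len);`. The `else` is also redundant after the `return false;` above it, so the block can be dropped to function scope. Note that ouX509Certificate is written before NSS_CMSSignerInfo_Verify is called, so rInformation carries the embedded certificate even if a later step fails. Moving the assignment after verification, or documenting the ordering, would make that explicit. The function body starts and ends outside this hunk.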
@@ -857,7 +871,8 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
SECItem aActualResultItem;
aActualResultItem.data = pActualResultBuffer;
aActualResultItem.len = nActualResultLen;
- bDigestMatch = NSS_CMSSignerInfo_Verify(pCMSSignerInfo, &aActualResultItem, nullptr) == SECSuccess;
+ if (NSS_CMSSignerInfo_Verify(pCMSSignerInfo, &aActualResultItem, nullptr) == SECSuccess)
+ rInformation.nStatus = xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
// Everything went fine
PORT_Free(pActualResultBuffer);
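Review bot: OPERATION_SUCCEEDED is set here on the outcome of `NSS_CMSSignerInfo_Verify` alone, and no certificate-chain or trust evaluation is visible in this hunk or in the certificate-extraction hunk above it. Since the embedded certificate now feeds the "Signed by" and "Digital ID issued by" fields, a certificate that is not trusted would presumably still be presented alongside a successful status, unless trust is checked somewhere outside this view. If that is intentional at this stage, a comment such as `// Only the signature over the digest is verified here; the signer certificate's trust chain is not evaluated.` would keep callers from over-reading nStatus. The function body starts and ends outside the hunk.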
@@ -868,7 +883,7 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
#else
// Not implemented.
(void)rStream;
- (void)bDigestMatch;
+ (void)rInformation;
return false;
#endif
diff --git a/xmlsecurity/source/pdfio/pdfverify.cxx b/xmlsecurity/source/pdfio/pdfverify.cxx
index cbb9a89..67dde45 100644
--- a/xmlsecurity/source/pdfio/pdfverify.cxx
+++ b/xmlsecurity/source/pdfio/pdfverify.cxx
@@ -42,14 +42,15 @@ SAL_IMPLEMENT_MAIN_WITH_ARGS(nArgc, pArgv)
std::cerr << "found " << aSignatures.size() << " signatures" << std::endl;
for (size_t i = 0; i < aSignatures.size(); ++i)
{
- bool bDigestMatch;
- if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(aStream, aSignatures[i], bDigestMatch))
+ SignatureInformation aInfo(i);
+ if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(aStream, aSignatures[i], aInfo))
{
SAL_WARN("xmlsecurity.pdfio", "failed to determine digest match");
return 1;
}
- std::cerr << "signature #" << i << ": digest match? " << bDigestMatch << std::endl;
+ bool bSuccess = aInfo.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
+ std::cerr << "signature #" << i << ": digest match? " << bSuccess << std::endl;
}
}