[Libreoffice-commits] core.git: xmlsecurity/inc xmlsecurity/source

Miklos Vajna vmiklos at collabora.co.uk
Wed Jun 21 07:05:37 UTC 2017 

 xmlsecurity/inc/xmlsec-wrapper.h                              |    3 
 xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx |   39 ++++++----
 xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx |    2 
 3 files changed, 29 insertions(+), 15 deletions(-)

New commits:
commit 9752eccdd06f6695ec4f173ea93cada65063d1f0
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Tue Jun 20 21:47:38 2017 +0200

    xmlsecurity nss: adopt the private key of the signing certificate explicitly
    
    xmlsec1-customkeymanage.patch.1 of our bundled xmlsec extends
    xmlSecNssKeyDataX509VerifyAndExtractKey(), so that it calls
    xmlSecNssPKIAdoptKey() for the private key of the signing certificate.
    Make this explicit in xmlsecurity/ code, so we don't depend on the
    patched xmlSecNssKeyDataX509VerifyAndExtractKey().
    
    This is harmless for the patched xmlsec, but it prevents this error:
    
    warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: keys.c:1246: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' '
    warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:790: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
    warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:503: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
    warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:286: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxSignatureProcessNode' 1 ' '
    
    when xmlsec is not patched.
    
    (This is needed, but not enough to build against system xmlsec.)
    
    Change-Id: I5d68a8be7aefcb529566213f9b9c2985eab6a80a
    Reviewed-on: https://gerrit.libreoffice.org/39023
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
    Tested-by: Jenkins <ci at libreoffice.org>

diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
index 3d5c24b9b6f1..4a8a6554311b 100644
--- a/xmlsecurity/inc/xmlsec-wrapper.h
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -40,6 +40,9 @@
 #include "xmlsec/xmlenc.h"
 #include "xmlsec/xmlsec.h"
 #include "xmlsec/xmltree.h"
+#ifdef XMLSEC_CRYPTO_NSS
+#include "xmlsec/nss/pkikeys.h"
+#endif
 
 #endif
 
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 959e62cc34e0..a5b29017d180 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -474,6 +474,9 @@ Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUS
 }
 
 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
+    // Remember the signing certificate.
+    m_xSigningCertificate = begin;
+
     const X509Certificate_NssImpl* xcert ;
     const CERTCertificate* cert ;
     CERTCertList* certChain ;
@@ -881,19 +884,8 @@ X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
     return xcert ;
 }
 
-
-/* Native methods */
 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
 
-    unsigned int i ;
-    CERTCertDBHandle* handler = nullptr ;
-    PK11SymKey* symKey = nullptr ;
-    SECKEYPublicKey* pubKey = nullptr ;
-    SECKEYPrivateKey* priKey = nullptr ;
-    xmlSecKeysMngrPtr pKeysMngr = nullptr ;
-
-    handler = m_pHandler;
-
     /*-
      * The following lines is based on the private version of xmlSec-NSS
      * crypto engine
@@ -905,14 +897,15 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); ++islots, ++count)
         slots[count] = *islots;
 
-    pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
+    xmlSecKeysMngrPtr pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, m_pHandler ) ;
     if( pKeysMngr == nullptr )
         throw RuntimeException() ;
 
     /*-
      * Adopt symmetric key into keys manager
      */
-    for( i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
+    PK11SymKey* symKey = nullptr ;
+    for( unsigned int i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
             throw RuntimeException() ;
         }
@@ -921,7 +914,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     /*-
      * Adopt asymmetric public key into keys manager
      */
-    for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
+    SECKEYPublicKey* pubKey = nullptr ;
+    for( unsigned int i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
             throw RuntimeException() ;
         }
@@ -930,11 +924,26 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     /*-
      * Adopt asymmetric private key into keys manager
      */
-    for( i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
+    SECKEYPrivateKey* priKey = nullptr ;
+    for( unsigned int i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
             throw RuntimeException() ;
         }
     }
+
+    // Adopt the private key of the signing certificate, if it has any.
+    if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
+    {
+        if (auto pCERTCertificate = const_cast<CERTCertificate*>(pCertificate->getNssCert()))
+        {
+            SECKEYPrivateKey* pPrivateKey = PK11_FindPrivateKeyFromCert(pCERTCertificate->slot, pCERTCertificate, nullptr);
+            xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
+            xmlSecKeyPtr pKey = xmlSecKeyCreate();
+            xmlSecKeySetValue(pKey, pKeyData);
+            xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
+        }
+    }
+
     return pKeysMngr ;
 }
 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
index 5b0e8920abd2..46aba7bc0990 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
@@ -54,6 +54,8 @@ private:
 
     std::list< PK11SlotInfo* > m_Slots;
     typedef std::list< PK11SlotInfo* >::const_iterator CIT_SLOTS;
+    /// The last used certificate which has the private key for signing.
+    css::uno::Reference<css::security::XCertificate> m_xSigningCertificate;
 
     osl::Mutex m_mutex;

More information about the Libreoffice-commits mailing list