[Libreoffice-commits] core.git: xmlsecurity/inc xmlsecurity/source
Miklos Vajna
vmiklos at collabora.co.uk
Wed Jun 21 07:05:37 UTC 2017
xmlsecurity/inc/xmlsec-wrapper.h | 3
xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx | 39 ++++++----
xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx | 2
3 files changed, 29 insertions(+), 15 deletions(-)
New commits:
commit 9752eccdd06f6695ec4f173ea93cada65063d1f0
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date: Tue Jun 20 21:47:38 2017 +0200
xmlsecurity nss: adopt the private key of the signing certificate explicitly
xmlsec1-customkeymanage.patch.1 of our bundled xmlsec extends
xmlSecNssKeyDataX509VerifyAndExtractKey(), so that it calls
xmlSecNssPKIAdoptKey() for the private key of the signing certificate.
Make this explicit in xmlsecurity/ code, so we don't depend on the
patched xmlSecNssKeyDataX509VerifyAndExtractKey().
This is harmless for the patched xmlsec, but it prevents this error:
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: keys.c:1246: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:790: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:503: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:286: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxSignatureProcessNode' 1 ' '
when xmlsec is not patched.
(This is needed, but not enough to build against system xmlsec.)
Change-Id: I5d68a8be7aefcb529566213f9b9c2985eab6a80a
Reviewed-on: https://gerrit.libreoffice.org/39023
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
Tested-by: Jenkins <ci at libreoffice.org>
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
index 3d5c24b9b6f1..4a8a6554311b 100644
--- a/xmlsecurity/inc/xmlsec-wrapper.h
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -40,6 +40,9 @@
#include "xmlsec/xmlenc.h"
#include "xmlsec/xmlsec.h"
#include "xmlsec/xmltree.h"
+#ifdef XMLSEC_CRYPTO_NSS
+#include "xmlsec/nss/pkikeys.h"
+#endif
#endif
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 959e62cc34e0..a5b29017d180 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -474,6 +474,9 @@ Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUS
}
Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
+ // Remember the signing certificate.
+ m_xSigningCertificate = begin;
+
const X509Certificate_NssImpl* xcert ;
const CERTCertificate* cert ;
CERTCertList* certChain ;
@@ -881,19 +884,8 @@ X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
return xcert ;
}
-
-/* Native methods */
xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
- unsigned int i ;
- CERTCertDBHandle* handler = nullptr ;
- PK11SymKey* symKey = nullptr ;
- SECKEYPublicKey* pubKey = nullptr ;
- SECKEYPrivateKey* priKey = nullptr ;
- xmlSecKeysMngrPtr pKeysMngr = nullptr ;
-
- handler = m_pHandler;
-
/*-
* The following lines is based on the private version of xmlSec-NSS
* crypto engine
@@ -905,14 +897,15 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); ++islots, ++count)
slots[count] = *islots;
- pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
+ xmlSecKeysMngrPtr pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, m_pHandler ) ;
if( pKeysMngr == nullptr )
throw RuntimeException() ;
/*-
* Adopt symmetric key into keys manager
*/
- for( i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
+ PK11SymKey* symKey = nullptr ;
+ for( unsigned int i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
throw RuntimeException() ;
}
@@ -921,7 +914,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
/*-
* Adopt asymmetric public key into keys manager
*/
- for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
+ SECKEYPublicKey* pubKey = nullptr ;
+ for( unsigned int i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
throw RuntimeException() ;
}
@@ -930,11 +924,26 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
/*-
* Adopt asymmetric private key into keys manager
*/
- for( i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
+ SECKEYPrivateKey* priKey = nullptr ;
+ for( unsigned int i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
throw RuntimeException() ;
}
}
+
+ // Adopt the private key of the signing certificate, if it has any.
+ if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
+ {
+ if (auto pCERTCertificate = const_cast<CERTCertificate*>(pCertificate->getNssCert()))
+ {
+ SECKEYPrivateKey* pPrivateKey = PK11_FindPrivateKeyFromCert(pCERTCertificate->slot, pCERTCertificate, nullptr);
+ xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
+ xmlSecKeyPtr pKey = xmlSecKeyCreate();
+ xmlSecKeySetValue(pKey, pKeyData);
+ xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
+ }
+ }
+
return pKeysMngr ;
}
void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
index 5b0e8920abd2..46aba7bc0990 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
@@ -54,6 +54,8 @@ private:
std::list< PK11SlotInfo* > m_Slots;
typedef std::list< PK11SlotInfo* >::const_iterator CIT_SLOTS;
+ /// The last used certificate which has the private key for signing.
+ css::uno::Reference<css::security::XCertificate> m_xSigningCertificate;
osl::Mutex m_mutex;
More information about the Libreoffice-commits
mailing list