[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - external/xmlsec

Michael Stahl (via logerrit) logerrit at kemper.freedesktop.org
Tue Apr 13 09:22:25 UTC 2021


 external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 |   68 ++++++++++
 external/xmlsec/UnpackedTarball_xmlsec.mk                                         |    1 
 2 files changed, 69 insertions(+)

New commits:
commit 3942379504d613343e3b43bedafbff59de9535a8
Author:     Michael Stahl <michael.stahl at allotropia.de>
AuthorDate: Wed Apr 7 17:00:43 2021 +0200
Commit:     Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Tue Apr 13 11:21:49 2021 +0200

    xmlsec: fix signing documents on WNT
    
    Duplicate ds:X509Certificate elements cause:
    warn:xmlsecurity.comp:9604:3820:xmlsecurity/source/helper/xmlsignaturehelper.cxx:658: X509Data do not form a chain: certificate in cycle:
    
    (regression from 5af5ea893bcb8a8eb472ac11133da10e5a604e66)
    
    Change-Id: I3d319a2f74dbec17b73f1c7bb8f4efe4e335f0ac
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113746
    Tested-by: Mike Kaganski <mike.kaganski at collabora.com>
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
    (cherry picked from commit ae08aa8a095832ae2a88eac14f9680ac8d3a13b6)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113752
    Reviewed-by: Thorsten Behrens <thorsten.behrens at allotropia.de>
    (cherry picked from commit 0ab3a264ba8d732cffa42a069c9aa50dab44e99f)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113753
    Tested-by: Samuel Mehrbrodt <samuel.mehrbrodt at allotropia.de>
    Reviewed-by: Samuel Mehrbrodt <samuel.mehrbrodt at allotropia.de>
    (cherry picked from commit 69e2488acea640974fe7946f4cef18fed0ec4c30)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113755
    Tested-by: Michael Stahl <michael.stahl at allotropia.de>

diff --git a/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 b/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1
new file mode 100644
index 000000000000..51607ca6ee73
--- /dev/null
+++ b/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1
@@ -0,0 +1,68 @@
+From a39b110cb2c25680259a38b2f397b350151bc6e7 Mon Sep 17 00:00:00 2001
+From: Michael Stahl <michael.stahl at allotropia.de>
+Date: Wed, 7 Apr 2021 16:43:48 +0200
+Subject: [PATCH] xmlSecX509DataGetNodeContent(): don't return 0 for non-empty
+ elements
+
+LibreOffice wants to write the content of KeyInfo itself and thus writes
+X509Certificate element with content.
+
+But then xmlSecMSCngKeyDataX509XmlWrite() writes a duplicate
+X509Certificate element, which then makes a new additional consistency
+check in LO unhappy.
+
+The duplicate is written because xmlSecX509DataGetNodeContent() returns
+0 because it only checks for empty nodes; if there are only non-empty
+nodes a fallback to XMLSEC_X509DATA_DEFAULT occurs in all backends.
+
+Change the return value to be non-0 without changing the signature of
+the function, as it is apparently public.
+
+This doesn't happen in LO in the NSS backend due to another accident,
+where the private key flag isn't set when the X509Certificate is read,
+but otherwise the code is the same.
+---
+ src/x509.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/x509.c b/src/x509.c
+index ed8788ae..dac8bd2b 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -60,22 +60,33 @@ xmlSecX509DataGetNodeContent (xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+         if(xmlSecCheckNodeName(cur, xmlSecNodeX509Certificate, xmlSecDSigNs)) {
+             if(xmlSecIsEmptyNode(cur) == 1) {
+                 content |= XMLSEC_X509DATA_CERTIFICATE_NODE;
++            } else {
++                /* ensure return value isn't 0 if there are non-empty elements */
++                content |= (XMLSEC_X509DATA_CERTIFICATE_NODE << 16);
+             }
+         } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SubjectName, xmlSecDSigNs)) {
+             if(xmlSecIsEmptyNode(cur) == 1) {
+                 content |= XMLSEC_X509DATA_SUBJECTNAME_NODE;
++            } else {
++                content |= (XMLSEC_X509DATA_SUBJECTNAME_NODE << 16);
+             }
+         } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerSerial, xmlSecDSigNs)) {
+             if(xmlSecIsEmptyNode(cur) == 1) {
+                 content |= XMLSEC_X509DATA_ISSUERSERIAL_NODE;
++            } else {
++                content |= (XMLSEC_X509DATA_ISSUERSERIAL_NODE << 16);
+             }
+         } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SKI, xmlSecDSigNs)) {
+             if(xmlSecIsEmptyNode(cur) == 1) {
+                 content |= XMLSEC_X509DATA_SKI_NODE;
++            } else {
++                content |= (XMLSEC_X509DATA_SKI_NODE << 16);
+             }
+         } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509CRL, xmlSecDSigNs)) {
+             if(xmlSecIsEmptyNode(cur) == 1) {
+                 content |= XMLSEC_X509DATA_CRL_NODE;
++            } else {
++                content |= (XMLSEC_X509DATA_CRL_NODE << 16);
+             }
+         } else {
+             /* todo: fail on unknown child node? */
+-- 
+2.30.2
+
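Review bot: The `<< 16` encoding introduced in the five new `else` branches turns the upper half of the return value into a second bit set, but only the first branch (the X509Certificate case) carries a comment explaining why, and the function is public per the patch description, so readers of the SubjectName/IssuerSerial/SKI/CRL branches meet a magic shift with no rationale. I would hoist the rationale into one named constant used in all five places, e.g. `#define XMLSEC_X509DATA_NONEMPTY_SHIFT 16 /* non-empty child elements are recorded in the upper 16 bits so the result is non-0 */` and `content |= (XMLSEC_X509DATA_CERTIFICATE_NODE << XMLSEC_X509DATA_NONEMPTY_SHIFT);`. The declared type of `content` and the function's documented return contract are outside the hunk, so whether 16 is a safe shift width for every `*_NODE` value and whether any caller compares the result for exact equality rather than masking bits cannot be confirmed here; the callers that fall back to XMLSEC_X509DATA_DEFAULT are the ones to check. The body of xmlSecX509DataGetNodeContent starts before and ends after the hunk.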
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
index e4d092bef019..76293fe31e42 100644
--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -8,6 +8,7 @@
 #
 
 xmlsec_patches :=
+xmlsec_patches += 0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1
 
 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
 

