[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-6-1+backports' - 2 commits - xmlsecurity/qa xmlsecurity/source

Fri Mar 26 17:37:46 UTC 2021

xmlsecurity/qa/unit/signing/signing.cxx                               |    4 ++++
 xmlsecurity/source/helper/xsecctl.cxx                                 |    8 ++++++++
 xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx |    4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

New commits:
commit a8f4c18954848c24b11f6abeee49968c26af86be
Author:     Miklos Vajna <vmiklos at collabora.co.uk>
AuthorDate: Mon Aug 27 09:15:16 2018 +0200
Commit:     Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Fri Mar 26 18:37:25 2021 +0100

    tdf#119309 xmlsecurity xades: missing XML attribute on idSignedProperties ref
    
    The AdES validator at
    <https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation> recently
    learned to deal with ODF files, this improves its output, so that
    "Qualification Signature" section is no longer just a red "N/A" but an
    orange "Indeterminate QESig".
    
    Change-Id: I5f47b935f1dbfa4e2eee4654db31403479cb571d
    Reviewed-on: https://gerrit.libreoffice.org/59633
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
    (cherry picked from commit ea3a5036d23081b6e8eb38a399ff8ef5acd8adc7)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113091
    Tested-by: Michael Stahl <michael.stahl at allotropia.de>
    Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>

diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index b961e2528108..897eb4db848f 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -775,6 +775,10 @@ void SigningTest::testXAdES()
 
     // Assert that the digest of the signing certificate is included.
     assertXPath(pXmlDoc, "//xd:CertDigest", 1);
+
+    // Assert that the Type attribute on the idSignedProperties reference is
+    // not missing.
+    assertXPath(pXmlDoc, "/odfds:document-signatures/dsig:Signature/dsig:SignedInfo/dsig:Reference[@URI='#idSignedProperties']", "Type", "http://uri.etsi.org/01903#SignedProperties");
 }
 
 void SigningTest::testXAdESGood()
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index 1d9906f27ed3..c587ae16ca0f 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -661,6 +661,14 @@ void XSecController::exportSignature(
                     pAttributeList->AddAttribute(
                         "URI",
                         "#" + refInfor.ouURI);
+
+                    if (bXAdESCompliantIfODF && refInfor.ouURI == "idSignedProperties")
+                    {
+                        // The reference which points to the SignedProperties
+                        // shall have this specific type.
+                        pAttributeList->AddAttribute("Type",
+                                                     "http://uri.etsi.org/01903#SignedProperties");
+                    }
                 }
 
                 xDocumentHandler->startElement( "Reference", cssu::Reference< cssxs::XAttributeList > (pAttributeList) );
commit 93187ed68e82dc0768785710bb9a55c92b537a23
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Mon Feb 8 17:05:28 2021 +0000
Commit:     Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Fri Mar 26 18:37:11 2021 +0100

    default to CertificateValidity::INVALID
    
    so if CertGetCertificateChain fails we don't want validity to be
    css::security::CertificateValidity::VALID which is what the old default
    of 0 equates to
    
    notably
    
    commit 1e0bc66d16aee28ce8bd9582ea32178c63841902
    Date:   Thu Nov 5 16:55:26 2009 +0100
    
        jl137:  #103420# better logging
    
    turned the nss equivalent of SecurityEnvironment_NssImpl::verifyCertificate
    from 0 to CertificateValidity::INVALID like this change does
    
    Change-Id: I5350dbc22d1b9b378da2976d3b0abd728f1f4c27
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/110561
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmiklos at collabora.com>
    (cherry picked from commit edeb164c1d8ab64116afee4e2140403a362a1358)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113090
    Tested-by: Michael Stahl <michael.stahl at allotropia.de>
    Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>

diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
index ecfdd15d1895..f1f93be6f7fb 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
@@ -778,7 +778,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
     const uno::Reference< css::security::XCertificate >& aCert,
     const uno::Sequence< uno::Reference< css::security::XCertificate > >& seqCerts)
 {
-    sal_Int32 validity = 0;
+    sal_Int32 validity = css::security::CertificateValidity::INVALID;
     PCCERT_CHAIN_CONTEXT pChainContext = nullptr;
     PCCERT_CONTEXT pCertContext = nullptr;
 
@@ -923,7 +923,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
         }
         else
         {
-            SAL_INFO("xmlsecurity.xmlsec", "CertGetCertificateChaine failed.");
+            SAL_INFO("xmlsecurity.xmlsec", "CertGetCertificateChain failed.");
         }
     }
 
