[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-1' - 21 commits - external/hsqldb external/xmlsec include/svl include/xmloff offapi/com sfx2/source shell/source solenv/gbuild svl/source svx/source sw/source xmloff/source xmlsecurity/inc xmlsecurity/qa xmlsecurity/source
Miklos Vajna (via logerrit)
logerrit at kemper.freedesktop.org
Mon Mar 29 15:16:16 UTC 2021
external/hsqldb/UnpackedTarball_hsqldb.mk | 1
external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch | 14
external/xmlsec/UnpackedTarball_xmlsec.mk | 1
external/xmlsec/xmlsec1-customkeymanage.patch.1 | 4321 ----------
include/svl/sigstruct.hxx | 48
include/xmloff/xmlimp.hxx | 6
include/xmloff/xmlnmspe.hxx | 7
include/xmloff/xmltoken.hxx | 13
offapi/com/sun/star/security/DocumentSignatureInformation.idl | 1
sfx2/source/dialog/dinfdlg.cxx | 2
shell/source/win32/SysShExec.cxx | 65
solenv/gbuild/platform/com_GCC_defs.mk | 4
svl/source/crypto/cryptosign.cxx | 16
svx/source/svdraw/svdedxv.cxx | 5
sw/source/core/edit/edfcol.cxx | 3
xmloff/source/core/xmlimp.cxx | 26
xmloff/source/core/xmltoken.cxx | 13
xmloff/source/token/tokens.txt | 10
xmlsecurity/inc/biginteger.hxx | 3
xmlsecurity/inc/xmlsignaturehelper.hxx | 12
xmlsecurity/inc/xsecctl.hxx | 27
xmlsecurity/qa/create-certs/create-certs.sh | 6
xmlsecurity/qa/unit/signing/data/cert8.db |binary
xmlsecurity/qa/unit/signing/data/key3.db |binary
xmlsecurity/qa/unit/signing/data/notype-xades.odt |binary
xmlsecurity/qa/unit/signing/signing.cxx | 65
xmlsecurity/source/component/documentdigitalsignatures.cxx | 54
xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx | 15
xmlsecurity/source/helper/documentsignaturehelper.cxx | 63
xmlsecurity/source/helper/documentsignaturemanager.cxx | 12
xmlsecurity/source/helper/ooxmlsecexporter.cxx | 217
xmlsecurity/source/helper/ooxmlsecparser.cxx | 28
xmlsecurity/source/helper/pdfsignaturehelper.cxx | 8
xmlsecurity/source/helper/xmlsignaturehelper.cxx | 162
xmlsecurity/source/helper/xsecctl.cxx | 202
xmlsecurity/source/helper/xsecparser.cxx | 1754 +++-
xmlsecurity/source/helper/xsecparser.hxx | 106
xmlsecurity/source/helper/xsecsign.cxx | 75
xmlsecurity/source/helper/xsecverify.cxx | 233
xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 4
xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx | 47
xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx | 2
xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx | 36
xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx | 25
xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx | 4
45 files changed, 2575 insertions(+), 5141 deletions(-)
New commits:
commit ed3eddce65aa42b0c203aeb3631cdd8daef9f8c4
Author: Miklos Vajna <vmiklos at collabora.co.uk>
AuthorDate: Tue Jun 19 19:50:02 2018 +0200
Commit: Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Mon Mar 29 16:46:59 2021 +0200
Also fix the generated test certs + generator script to avoid expired
certs for a while (.db files generated with Firefox 57.0).
Reviewed-on: https://gerrit.libreoffice.org/56123
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
(cherry picked from commit 71198fe7d9539859883b6226738fbea52a08a5c4)
Change-Id: I30e1b13454cc45ead7605d076e8e24984ae186c1
diff --git a/xmlsecurity/qa/create-certs/create-certs.sh b/xmlsecurity/qa/create-certs/create-certs.sh
index 30ae73df7463..93511dc2e371 100755
--- a/xmlsecurity/qa/create-certs/create-certs.sh
+++ b/xmlsecurity/qa/create-certs/create-certs.sh
@@ -60,7 +60,7 @@ chmod 400 private/ca.key.pem
cd "$root/ca"
openssl req -config openssl.cnf \
-key private/ca.key.pem \
- -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ -new -x509 -days 36500 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem \
-passin env:SSLPASS \
-subj '/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Test Root CA'
@@ -102,7 +102,7 @@ openssl req -config intermediate/openssl.cnf -new -sha256 \
# The certificate itself.
openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
- -days 3650 -notext -md sha256 \
+ -days 36500 -notext -md sha256 \
-in intermediate/csr/intermediate.csr.pem \
-passin env:SSLPASS \
-out intermediate/certs/intermediate.cert.pem
@@ -137,7 +137,7 @@ do
cd "$root/ca"
# usr_cert: the cert will be used for signing.
openssl ca -batch -config intermediate/openssl.cnf \
- -extensions usr_cert -days 375 -notext -md sha256 \
+ -extensions usr_cert -days 36500 -notext -md sha256 \
-in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
-passin env:SSLPASS \
-out intermediate/certs/example-xmlsecurity-${i}.cert.pem
diff --git a/xmlsecurity/qa/unit/signing/data/cert8.db b/xmlsecurity/qa/unit/signing/data/cert8.db
index 07afe1566989..95e58ffe5b92 100644
Binary files a/xmlsecurity/qa/unit/signing/data/cert8.db and b/xmlsecurity/qa/unit/signing/data/cert8.db differ
diff --git a/xmlsecurity/qa/unit/signing/data/key3.db b/xmlsecurity/qa/unit/signing/data/key3.db
index fac36c06870a..f449e60a667f 100644
Binary files a/xmlsecurity/qa/unit/signing/data/key3.db and b/xmlsecurity/qa/unit/signing/data/key3.db differ
commit 160312879f39d53f0231a46aa22e0b6bf7540fcb
Author: Michael Stahl <michael.stahl at allotropia.de>
AuthorDate: Thu Feb 25 14:17:48 2021 +0100
Commit: Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Mon Mar 29 16:46:59 2021 +0200
xmlsecurity: improve handling of multiple X509Data elements
Combine everything related to a certificate in a new struct X509Data.
The CertDigest is not actually written in the X509Data element but in
xades:Cert, so try to find the matching entry in
XSecController::setX509CertDigest().
There was a confusing interaction with PGP signatures, where ouGpgKeyID
was used for import, but export wrote the value from ouCertDigest
instead - this needed fixing.
The main point of this is enforcing a constraint from xmldsig-core 4.5.4:
All certificates appearing in an X509Data element MUST relate to the
validation key by either containing it or being part of a certification
chain that terminates in a certificate containing the validation key.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111254
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
(cherry picked from commit 9e82509b09f5fe2eb77bcdb8fd193c71923abb67)
xmlsecurity: improve handling of multiple certificates per X509Data
It turns out that an X509Data element can contain an arbitrary number of
each of its child elements.
How exactly certificates of an issuer chain may or should be distributed
across multiple X509Data elements isn't terribly obvious.
One thing that is clear is that any element that refers to or contains
one particular certificate has to be a child of the same X509Data
element, although in no particular order, so try to match the 2 such
elements that the parser supports in XSecController::setX509Data().
Presumably the only way it makes sense to have multiple signing
certificates is if they all contain the same key but are signed by
different CAs. This case isn't handled currently; CheckX509Data() will
complain there's not a single chain and validation of the certificates
will fail.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111500
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
(cherry picked from commit 5af5ea893bcb8a8eb472ac11133da10e5a604e66)
xmlsecurity: add EqualDistinguishedNames()
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111545
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
(cherry picked from commit 1d3da3486d827dd5e7a3bf1c7a533f5aa9860e42)
xmlsecurity: avoid exception in DigitalSignaturesDialog::getCertificate()
Fallback to PGP if there's no X509 signing certificate because
CheckX509Data() failed prevents the dialog from popping up.
To avoid confusing the user in this situation, the dialog should
show no certificate, which is already the case.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111664
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
(cherry picked from commit 90b725675c2964f4a151d802d9afedd8bc2ae1a7)
xmlsecurity: fix crash in DocumentDigitalSignatures::isAuthorTrusted()
If the argument is null.
This function also should use EqualDistinguishedNames().
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111667
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
(cherry picked from commit ca98e505cd69bf95d8ddb9387cf3f8e03ae4577d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111910
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
(cherry picked from commit a1cf770c2d7ca3e153e0b1f01ddcc313bc2bed7f)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113058
Tested-by: Michael Stahl <michael.stahl at allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
Change-Id: I9633a980b0c18d58dfce24fc59396a833498a77d
diff --git a/include/svl/sigstruct.hxx b/include/svl/sigstruct.hxx
index 891f620ec547..02b5c11e73a3 100644
--- a/include/svl/sigstruct.hxx
+++ b/include/svl/sigstruct.hxx
@@ -88,9 +88,30 @@ struct SignatureInformation
sal_Int32 nSecurityId;
css::xml::crypto::SecurityOperationStatus nStatus;
SignatureReferenceInformations vSignatureReferenceInfors;
- OUString ouX509IssuerName;
- OUString ouX509SerialNumber;
- OUString ouX509Certificate;
+ struct X509CertInfo
+ {
+ OUString X509IssuerName;
+ OUString X509SerialNumber;
+ OUString X509Certificate;
+ /// OOXML certificate SHA-256 digest, empty for ODF except when doing XAdES signature.
+ OUString CertDigest;
+ /// The certificate owner (aka subject).
+ OUString X509Subject;
+ };
+ typedef std::vector<X509CertInfo> X509Data;
+ // note: at parse time, it's unkown which one is the signing certificate;
+ // ImplVerifySignatures() figures it out and puts it at the back
+ std::vector<X509Data> X509Datas;
+
+ X509CertInfo const* GetSigningCertificate() const
+ {
+ if (X509Datas.empty())
+ {
+ return nullptr;
+ }
+ assert(!X509Datas.back().empty());
+ return & X509Datas.back().back();
+ }
OUString ouGpgKeyID;
OUString ouGpgCertificate;
@@ -123,8 +144,6 @@ struct SignatureInformation
OUString ouDescription;
/// The Id attribute of the <SignatureProperty> element that contains the <dc:description>.
OUString ouDescriptionPropertyId;
- /// OOXML certificate SHA-256 digest, empty for ODF except when doing XAdES signature.
- OUString ouCertDigest;
/// Valid and invalid signature line images
css::uno::Reference<css::graphic::XGraphic> aValidSignatureImage;
css::uno::Reference<css::graphic::XGraphic> aInvalidSignatureImage;
@@ -139,9 +158,6 @@ struct SignatureInformation
/// For PDF: the byte range doesn't cover the whole document.
bool bPartialDocumentSignature;
- /// The certificate owner (aka subject).
- OUString ouSubject;
-
svl::crypto::SignatureMethodAlgorithm eAlgorithmID;
SignatureInformation( sal_Int32 nId )
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx
index 96c349d68861..ee86756a02a2 100644
--- a/svl/source/crypto/cryptosign.cxx
+++ b/svl/source/crypto/cryptosign.cxx
@@ -2077,8 +2077,12 @@ bool Signing::Verify(const std::vector<unsigned char>& aData,
aDerCert[i] = pCertificate->derCert.data[i];
OUStringBuffer aBuffer;
comphelper::Base64::encode(aBuffer, aDerCert);
- rInformation.ouX509Certificate = aBuffer.makeStringAndClear();
- rInformation.ouSubject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8);
+ SignatureInformation::X509Data temp;
+ temp.emplace_back();
+ temp.back().X509Certificate = aBuffer.makeStringAndClear();
+ temp.back().X509Subject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8);
+ rInformation.X509Datas.clear();
+ rInformation.X509Datas.emplace_back(temp);
}
PRTime nSigningTime;
@@ -2257,8 +2261,12 @@ bool Signing::Verify(const std::vector<unsigned char>& aData,
aDerCert[i] = pSignerCertContext->pbCertEncoded[i];
OUStringBuffer aBuffer;
comphelper::Base64::encode(aBuffer, aDerCert);
- rInformation.ouX509Certificate = aBuffer.makeStringAndClear();
- rInformation.ouSubject = GetSubjectName(pSignerCertContext);
+ SignatureInformation::X509Data temp;
+ temp.emplace_back();
+ temp.back().X509Certificate = aBuffer.makeStringAndClear();
+ temp.back().X509Subject = GetSubjectName(pSignerCertContext);
+ rInformation.X509Datas.clear();
+ rInformation.X509Datas.emplace_back(temp);
}
if (bNonDetached)
diff --git a/sw/source/core/edit/edfcol.cxx b/sw/source/core/edit/edfcol.cxx
index ee76998aac75..2bc3835783a0 100644
--- a/sw/source/core/edit/edfcol.cxx
+++ b/sw/source/core/edit/edfcol.cxx
@@ -398,7 +398,8 @@ lcl_MakeParagraphSignatureFieldText(const SignatureDescr& aDescr,
valid = svl::crypto::Signing::Verify(data, false, sig, aInfo);
valid = valid && aInfo.nStatus == css::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
- msg = SwResId(STR_SIGNED_BY) + ": " + aInfo.ouSubject + ", ";
+ assert(aInfo.GetSigningCertificate()); // it was valid
+ msg = SwResId(STR_SIGNED_BY) + ": " + aInfo.GetSigningCertificate()->X509Subject + ", ";
msg += aDescr.msDate;
msg += (!aDescr.msUsage.isEmpty() ? (" (" + aDescr.msUsage + "): ") : OUString(": "));
msg += (valid ? SwResId(STR_VALID) : SwResId(STR_INVALID));
diff --git a/xmlsecurity/inc/biginteger.hxx b/xmlsecurity/inc/biginteger.hxx
index d07ecf45d8af..8b4d8a9143b5 100644
--- a/xmlsecurity/inc/biginteger.hxx
+++ b/xmlsecurity/inc/biginteger.hxx
@@ -31,6 +31,9 @@ namespace xmlsecurity
{
XSECXMLSEC_DLLPUBLIC OUString bigIntegerToNumericString( const css::uno::Sequence< sal_Int8 >& serial );
XSECXMLSEC_DLLPUBLIC css::uno::Sequence< sal_Int8 > numericStringToBigInteger ( const OUString& serialNumber );
+
+XSECXMLSEC_DLLPUBLIC bool EqualDistinguishedNames(OUString const& rName1,
+ OUString const& rName2);
}
#endif
diff --git a/xmlsecurity/inc/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsignaturehelper.hxx
index 02128bb4f6a8..9d6bf7b3c6de 100644
--- a/xmlsecurity/inc/xmlsignaturehelper.hxx
+++ b/xmlsecurity/inc/xmlsignaturehelper.hxx
@@ -37,6 +37,9 @@
#include <com/sun/star/xml/crypto/sax/XSignatureCreationResultListener.hpp>
#include <com/sun/star/xml/crypto/sax/XSignatureVerifyResultListener.hpp>
+#include <com/sun/star/security/XCertificate.hpp>
+#include <com/sun/star/xml/crypto/XSecurityEnvironment.hpp>
+
class DateTime;
namespace com {
@@ -95,6 +98,15 @@ public:
// After signing/verifying, get information about signatures
SignatureInformation GetSignatureInformation( sal_Int32 nSecurityId ) const;
SignatureInformations GetSignatureInformations() const;
+ /// ImplVerifySignature calls this to figure out which X509Data is the
+ /// signing certificate and update the internal state with the result.
+ /// @return
+ /// A sequence with the signing certificate at the back on success.
+ /// An empty sequence on failure.
+ std::vector<css::uno::Reference<css::security::XCertificate>>
+ CheckAndUpdateSignatureInformation(
+ css::uno::Reference<css::xml::crypto::XSecurityEnvironment> const& xSecEnv,
+ SignatureInformation const& rInfo);
// See XSecController for documentation
void StartMission(const css::uno::Reference<css::xml::crypto::XXMLSecurityContext>& xSecurityContext);
diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
index a8167949e159..1b61be773f7d 100644
--- a/xmlsecurity/inc/xsecctl.hxx
+++ b/xmlsecurity/inc/xsecctl.hxx
@@ -270,9 +270,13 @@ private:
sal_Int32 nDigestID );
void setReferenceCount() const;
- void setX509IssuerName( OUString const & ouX509IssuerName );
- void setX509SerialNumber( OUString const & ouX509SerialNumber );
- void setX509Certificate( OUString const & ouX509Certificate );
+ void setX509Data(
+ std::vector<std::pair<OUString, OUString>> & rX509IssuerSerials,
+ std::vector<OUString> const& rX509Certificates);
+ void setX509CertDigest(
+ OUString const& rCertDigest, sal_Int32 const nReferenceDigestID,
+ OUString const& rX509IssuerName, OUString const& rX509SerialNumber);
+
void setSignatureValue( OUString const & ouSignatureValue );
void setDigestValue( sal_Int32 nDigestID, OUString const & ouDigestValue );
void setGpgKeyID( OUString const & ouKeyID );
@@ -281,7 +285,6 @@ private:
void setDate(OUString const& rId, OUString const& ouDate);
void setDescription(OUString const& rId, OUString const& rDescription);
- void setCertDigest(const OUString& rCertDigest);
void setValidSignatureImage(const OUString& rValidSigImg);
void setInvalidSignatureImage(const OUString& rInvalidSigImg);
void setSignatureLineId(const OUString& rSignatureLineId);
@@ -310,6 +313,9 @@ public:
SignatureInformation getSignatureInformation( sal_Int32 nSecurityId ) const;
SignatureInformations getSignatureInformations() const;
+ /// only verify can figure out which X509Data is the signing certificate
+ void UpdateSignatureInformation(sal_Int32 nSecurityId,
+ std::vector<SignatureInformation::X509Data> const& rDatas);
static void exportSignature(
const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index 392dba4babd9..bedc07e261df 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -486,27 +486,36 @@ DocumentDigitalSignatures::ImplVerifySignatures(
const SignatureInformation& rInfo = aSignInfos[n];
css::security::DocumentSignatureInformation& rSigInfo = arInfos[n];
- if (rInfo.ouGpgCertificate.isEmpty()) // X.509
+ if (!rInfo.X509Datas.empty()) // X.509
{
- if (!rInfo.ouX509Certificate.isEmpty())
- rSigInfo.Signer = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ;
- if (!rSigInfo.Signer.is())
- rSigInfo.Signer = xSecEnv->getCertificate( rInfo.ouX509IssuerName,
- xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
-
+ std::vector<uno::Reference<security::XCertificate>> certs(
+ rSignatureHelper.CheckAndUpdateSignatureInformation(
+ xSecEnv, rInfo));
+ if (certs.empty())
+ {
+ rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ }
+ else
+ {
+ rSigInfo.Signer = certs.back();
+ // get only intermediates
+ certs.pop_back();
// On Windows checking the certificate path is buggy. It does name matching (issuer, subject name)
// to find the parent certificate. It does not take into account that there can be several certificates
// with the same subject name.
-
- try {
- rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer,
- Sequence<Reference<css::security::XCertificate> >());
- } catch (SecurityException& ) {
- OSL_FAIL("Verification of certificate failed");
- rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ try
+ {
+ rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(
+ rSigInfo.Signer, comphelper::containerToSequence(certs));
+ }
+ catch (SecurityException&)
+ {
+ SAL_WARN("xmlsecurity.comp", "Verification of certificate failed");
+ rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ }
}
}
- else if (xGpgSecEnv.is()) // GPG
+ else if (!rInfo.ouGpgCertificate.isEmpty() && xGpgSecEnv.is()) // GPG
{
// TODO not ideal to retrieve cert by keyID, might
// collide, or PGPKeyID format might change - can't we
@@ -591,11 +600,15 @@ void DocumentDigitalSignatures::showCertificate(
}
sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
- const Reference< css::security::XCertificate >& Author )
+ const Reference<css::security::XCertificate>& xAuthor)
{
+ if (!xAuthor.is())
+ {
+ return false;
+ }
bool bFound = false;
- OUString sSerialNum = xmlsecurity::bigIntegerToNumericString( Author->getSerialNumber() );
+ OUString sSerialNum = xmlsecurity::bigIntegerToNumericString(xAuthor->getSerialNumber());
Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors();
const SvtSecurityOptions::Certificate* pAuthors = aTrustedAuthors.getConstArray();
@@ -603,7 +616,8 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
for ( ; pAuthors != pAuthorsEnd; ++pAuthors )
{
SvtSecurityOptions::Certificate aAuthor = *pAuthors;
- if ( ( aAuthor[0] == Author->getIssuerName() ) && ( aAuthor[1] == sSerialNum ) )
+ if (xmlsecurity::EqualDistinguishedNames(aAuthor[0], xAuthor->getIssuerName())
+ && (aAuthor[1] == sSerialNum))
{
bFound = true;
break;
diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
index 104206ab5c4f..dd5ce3b78d37 100644
--- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
+++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
@@ -609,7 +609,7 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox()
if (!rInfo.ouGpgCertificate.isEmpty())
aType = "OpenPGP";
// XML based: XAdES or not.
- else if (!rInfo.ouCertDigest.isEmpty())
+ else if (rInfo.GetSigningCertificate() && !rInfo.GetSigningCertificate()->CertDigest.isEmpty())
aType = "XAdES";
else
aType = "XML-DSig";
@@ -721,8 +721,8 @@ uno::Reference<security::XCertificate> DigitalSignaturesDialog::getCertificate(c
uno::Reference<security::XCertificate> xCert;
//First we try to get the certificate which is embedded in the XML Signature
- if (xSecEnv.is() && !rInfo.ouX509Certificate.isEmpty())
- xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate);
+ if (xSecEnv.is() && rInfo.GetSigningCertificate() && !rInfo.GetSigningCertificate()->X509Certificate.isEmpty())
+ xCert = xSecEnv->createCertificateFromAscii(rInfo.GetSigningCertificate()->X509Certificate);
else {
//There must be an embedded certificate because we use it to get the
//issuer name. We cannot use /Signature/KeyInfo/X509Data/X509IssuerName
@@ -734,9 +734,12 @@ uno::Reference<security::XCertificate> DigitalSignaturesDialog::getCertificate(c
}
//In case there is no embedded certificate we try to get it from a local store
- if (!xCert.is() && xSecEnv.is())
- xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
- if (!xCert.is() && xGpgSecEnv.is())
+ if (!xCert.is() && xSecEnv.is() && rInfo.GetSigningCertificate())
+ {
+ xCert = xSecEnv->getCertificate(rInfo.GetSigningCertificate()->X509IssuerName,
+ xmlsecurity::numericStringToBigInteger(rInfo.GetSigningCertificate()->X509SerialNumber));
+ }
+ if (!xCert.is() && xGpgSecEnv.is() && !rInfo.ouGpgKeyID.isEmpty())
xCert = xGpgSecEnv->getCertificate( rInfo.ouGpgKeyID, xmlsecurity::numericStringToBigInteger("") );
SAL_WARN_IF( !xCert.is(), "xmlsecurity.dialogs", "Certificate not found and can't be created!" );
diff --git a/xmlsecurity/source/helper/documentsignaturehelper.cxx b/xmlsecurity/source/helper/documentsignaturehelper.cxx
index 37342b536349..397543cd2457 100644
--- a/xmlsecurity/source/helper/documentsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/documentsignaturehelper.cxx
@@ -545,6 +545,29 @@ void DocumentSignatureHelper::writeDigestMethod(
xDocumentHandler->endElement("DigestMethod");
}
+static void WriteXadesCert(
+ uno::Reference<xml::sax::XDocumentHandler> const& xDocumentHandler,
+ SignatureInformation::X509CertInfo const& rCertInfo)
+{
+ xDocumentHandler->startElement("xd:Cert", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ xDocumentHandler->startElement("xd:CertDigest", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ DocumentSignatureHelper::writeDigestMethod(xDocumentHandler);
+ xDocumentHandler->startElement("DigestValue", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ assert(!rCertInfo.CertDigest.isEmpty());
+ xDocumentHandler->characters(rCertInfo.CertDigest);
+ xDocumentHandler->endElement("DigestValue");
+ xDocumentHandler->endElement("xd:CertDigest");
+ xDocumentHandler->startElement("xd:IssuerSerial", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ xDocumentHandler->startElement("X509IssuerName", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ xDocumentHandler->characters(rCertInfo.X509IssuerName);
+ xDocumentHandler->endElement("X509IssuerName");
+ xDocumentHandler->startElement("X509SerialNumber", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ xDocumentHandler->characters(rCertInfo.X509SerialNumber);
+ xDocumentHandler->endElement("X509SerialNumber");
+ xDocumentHandler->endElement("xd:IssuerSerial");
+ xDocumentHandler->endElement("xd:Cert");
+}
+
void DocumentSignatureHelper::writeSignedProperties(
const uno::Reference<xml::sax::XDocumentHandler>& xDocumentHandler,
const SignatureInformation& signatureInfo,
@@ -561,26 +584,26 @@ void DocumentSignatureHelper::writeSignedProperties(
xDocumentHandler->characters(sDate);
xDocumentHandler->endElement("xd:SigningTime");
xDocumentHandler->startElement("xd:SigningCertificate", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- xDocumentHandler->startElement("xd:Cert", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- xDocumentHandler->startElement("xd:CertDigest", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- writeDigestMethod(xDocumentHandler);
-
- xDocumentHandler->startElement("DigestValue", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- // TODO: this is empty for gpg signatures currently
- //assert(!signatureInfo.ouCertDigest.isEmpty());
- xDocumentHandler->characters(signatureInfo.ouCertDigest);
- xDocumentHandler->endElement("DigestValue");
-
- xDocumentHandler->endElement("xd:CertDigest");
- xDocumentHandler->startElement("xd:IssuerSerial", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- xDocumentHandler->startElement("X509IssuerName", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- xDocumentHandler->characters(signatureInfo.ouX509IssuerName);
- xDocumentHandler->endElement("X509IssuerName");
- xDocumentHandler->startElement("X509SerialNumber", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- xDocumentHandler->characters(signatureInfo.ouX509SerialNumber);
- xDocumentHandler->endElement("X509SerialNumber");
- xDocumentHandler->endElement("xd:IssuerSerial");
- xDocumentHandler->endElement("xd:Cert");
+ assert(signatureInfo.GetSigningCertificate() || !signatureInfo.ouGpgKeyID.isEmpty());
+ if (signatureInfo.GetSigningCertificate())
+ {
+ // how should this deal with multiple X509Data elements?
+ // for now, let's write all of the certificates ...
+ for (auto const& rData : signatureInfo.X509Datas)
+ {
+ for (auto const& it : rData)
+ {
+ WriteXadesCert(xDocumentHandler, it);
+ }
+ }
+ }
+ else
+ {
+ // for PGP, write empty mandatory X509IssuerName, X509SerialNumber
+ SignatureInformation::X509CertInfo temp;
+ temp.CertDigest = signatureInfo.ouGpgKeyID;
+ WriteXadesCert(xDocumentHandler, temp);
+ }
xDocumentHandler->endElement("xd:SigningCertificate");
xDocumentHandler->startElement("xd:SignaturePolicyIdentifier", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
xDocumentHandler->startElement("xd:SignaturePolicyImplied", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index c88c18964b22..3f48f20bafff 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -555,6 +555,18 @@ void DocumentSignatureManager::read(bool bUseTempStream, bool bCacheLastSignatur
bCacheLastSignature);
maSignatureHelper.EndMission();
+ // this parses the XML independently from ImplVerifySignatures() - check
+ // certificates here too ...
+ for (auto const& it : maSignatureHelper.GetSignatureInformations())
+ {
+ if (!it.X509Datas.empty())
+ {
+ uno::Reference<xml::crypto::XSecurityEnvironment> const xSecEnv(
+ getSecurityEnvironment());
+ maSignatureHelper.CheckAndUpdateSignatureInformation(xSecEnv, it);
+ }
+ }
+
maCurrentSignatureInformations = maSignatureHelper.GetSignatureInformations();
}
else
diff --git a/xmlsecurity/source/helper/ooxmlsecexporter.cxx b/xmlsecurity/source/helper/ooxmlsecexporter.cxx
index fbb926b63a6e..942a3c0a4618 100644
--- a/xmlsecurity/source/helper/ooxmlsecexporter.cxx
+++ b/xmlsecurity/source/helper/ooxmlsecexporter.cxx
@@ -186,13 +186,21 @@ void OOXMLSecExporter::Impl::writeKeyInfo()
{
m_xDocumentHandler->startElement(
"KeyInfo", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- m_xDocumentHandler->startElement(
- "X509Data", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- m_xDocumentHandler->startElement(
- "X509Certificate", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
- m_xDocumentHandler->characters(m_rInformation.ouX509Certificate);
- m_xDocumentHandler->endElement("X509Certificate");
- m_xDocumentHandler->endElement("X509Data");
+ assert(m_rInformation.GetSigningCertificate());
+ for (auto const& rData : m_rInformation.X509Datas)
+ {
+ m_xDocumentHandler->startElement(
+ "X509Data", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ for (auto const& it : rData)
+ {
+ m_xDocumentHandler->startElement(
+ "X509Certificate",
+ uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+ m_xDocumentHandler->characters(it.X509Certificate);
+ m_xDocumentHandler->endElement("X509Certificate");
+ }
+ m_xDocumentHandler->endElement("X509Data");
+ }
m_xDocumentHandler->endElement("KeyInfo");
}
diff --git a/xmlsecurity/source/helper/ooxmlsecparser.cxx b/xmlsecurity/source/helper/ooxmlsecparser.cxx
index 5a426e7da03d..e329b8d35176 100644
--- a/xmlsecurity/source/helper/ooxmlsecparser.cxx
+++ b/xmlsecurity/source/helper/ooxmlsecparser.cxx
@@ -176,9 +176,22 @@ void SAL_CALL OOXMLSecParser::endElement(const OUString& rName)
m_pXSecController->setSignatureValue(m_aSignatureValue);
m_bInSignatureValue = false;
}
+ else if (rName == "X509Data")
+ {
+ std::vector<std::pair<OUString, OUString>> X509IssuerSerials;
+ std::vector<OUString> X509Certificates;
+ if (!m_aX509Certificate.isEmpty())
+ {
+ X509Certificates.emplace_back(m_aX509Certificate);
+ }
+ if (!m_aX509IssuerName.isEmpty() && !m_aX509SerialNumber.isEmpty())
+ {
+ X509IssuerSerials.emplace_back(m_aX509IssuerName, m_aX509SerialNumber);
+ }
+ m_pXSecController->setX509Data(X509IssuerSerials, X509Certificates);
+ }
else if (rName == "X509Certificate")
{
- m_pXSecController->setX509Certificate(m_aX509Certificate);
m_bInX509Certificate = false;
}
else if (rName == "mdssi:Value")
@@ -193,17 +206,18 @@ void SAL_CALL OOXMLSecParser::endElement(const OUString& rName)
}
else if (rName == "X509IssuerName")
{
- m_pXSecController->setX509IssuerName(m_aX509IssuerName);
m_bInX509IssuerName = false;
}
else if (rName == "X509SerialNumber")
{
- m_pXSecController->setX509SerialNumber(m_aX509SerialNumber);
m_bInX509SerialNumber = false;
}
+ else if (rName == "xd:Cert")
+ {
+ m_pXSecController->setX509CertDigest(m_aCertDigest, css::xml::crypto::DigestID::SHA1, m_aX509IssuerName, m_aX509SerialNumber);
+ }
else if (rName == "xd:CertDigest")
{
- m_pXSecController->setCertDigest(m_aCertDigest);
m_bInCertDigest = false;
}
else if (rName == "Object")
diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
index 49c43fa1f679..0311ffe48b23 100644
--- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
@@ -84,8 +84,12 @@ PDFSignatureHelper::GetDocumentSignatureInformations(
security::DocumentSignatureInformation& rExternal = aRet[i];
rExternal.SignatureIsValid
= rInternal.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
- if (!rInternal.ouX509Certificate.isEmpty())
- rExternal.Signer = xSecEnv->createCertificateFromAscii(rInternal.ouX509Certificate);
+ if (rInternal.GetSigningCertificate()
+ && !rInternal.GetSigningCertificate()->X509Certificate.isEmpty())
+ {
+ rExternal.Signer = xSecEnv->createCertificateFromAscii(
+ rInternal.GetSigningCertificate()->X509Certificate);
+ }
rExternal.PartialDocumentSignature = rInternal.bPartialDocumentSignature;
// Verify certificate.
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 09487ac673e9..86982f03dacf 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -21,6 +21,7 @@
#include <xmlsignaturehelper.hxx>
#include <documentsignaturehelper.hxx>
#include <xsecctl.hxx>
+#include <biginteger.hxx>
#include <xmlsignaturehelper2.hxx>
@@ -48,6 +49,8 @@
#include <comphelper/sequence.hxx>
#include <tools/diagnose_ex.h>
+#include <boost/optional.hpp>
+
#define NS_DOCUMENTSIGNATURES "http://openoffice.org/2004/documentsignatures"
#define NS_DOCUMENTSIGNATURES_ODF_1_2 "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
#define OOXML_SIGNATURE_ORIGIN "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin"
@@ -575,4 +578,162 @@ void XMLSignatureHelper::CreateAndWriteOOXMLSignature(const uno::Reference<embed
xSaxWriter->endDocument();
}
+/** check this constraint from xmldsig-core 4.5.4:
+
+ All certificates appearing in an X509Data element MUST relate to the
+ validation key by either containing it or being part of a certification
+ chain that terminates in a certificate containing the validation key.
+ */
+static auto CheckX509Data(
+ uno::Reference<xml::crypto::XSecurityEnvironment> const& xSecEnv,
+ std::vector<SignatureInformation::X509CertInfo> const& rX509CertInfos,
+ std::vector<uno::Reference<security::XCertificate>> & rCerts,
+ std::vector<SignatureInformation::X509CertInfo> & rSorted) -> bool
+{
+ assert(rCerts.empty());
+ assert(rSorted.empty());
+ if (rX509CertInfos.empty())
+ {
+ SAL_WARN("xmlsecurity.comp", "no X509Data");
+ return false;
+ }
+ std::vector<uno::Reference<security::XCertificate>> certs;
+ for (SignatureInformation::X509CertInfo const& it : rX509CertInfos)
+ {
+ if (!it.X509Certificate.isEmpty())
+ {
+ certs.emplace_back(xSecEnv->createCertificateFromAscii(it.X509Certificate));
+ }
+ else
+ {
+ certs.emplace_back(xSecEnv->getCertificate(
+ it.X509IssuerName,
+ xmlsecurity::numericStringToBigInteger(it.X509SerialNumber)));
+ }
+ if (!certs.back().is())
+ {
+ SAL_WARN("xmlsecurity.comp", "X509Data cannot be parsed");
+ return false;
+ }
+ }
+
+ // first, search one whose issuer isn't in the list, or a self-signed one
+ boost::optional<size_t> start;
+ for (size_t i = 0; i < certs.size(); ++i)
+ {
+ for (size_t j = 0; ; ++j)
+ {
+ if (j == certs.size())
+ {
+ if (start)
+ {
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: certificate has no issuer but already have start of chain: " << certs[i]->getSubjectName());
+ return false;
+ }
+ start = i; // issuer isn't in the list
+ break;
+ }
+ if (xmlsecurity::EqualDistinguishedNames(certs[i]->getIssuerName(), certs[j]->getSubjectName()))
+ {
+ if (i == j) // self signed
+ {
+ if (start)
+ {
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: certificate is self-signed but already have start of chain: " << certs[i]->getSubjectName());
+ return false;
+ }
+ start = i;
+ }
+ break;
+ }
+ }
+ }
+ std::vector<size_t> chain;
+ if (!start)
+ {
+ // this can only be a cycle?
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: cycle detected");
+ return false;
+ }
+ chain.emplace_back(*start);
+
+ // second, check that there is a chain, no tree or cycle...
+ for (size_t i = 0; i < certs.size(); ++i)
+ {
+ assert(chain.size() == i + 1);
+ for (size_t j = 0; j < certs.size(); ++j)
+ {
+ if (chain[i] != j)
+ {
+ if (xmlsecurity::EqualDistinguishedNames(
+ certs[chain[i]]->getSubjectName(), certs[j]->getIssuerName()))
+ {
+ if (chain.size() != i + 1) // already found issuee?
+ {
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: certificate issued 2 others: " << certs[chain[i]]->getSubjectName());
+ return false;
+ }
+ chain.emplace_back(j);
+ }
+ }
+ }
+ if (i == certs.size() - 1)
+ { // last one: must be a leaf
+ if (chain.size() != i + 1)
+ {
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: certificate in cycle: " << certs[chain[i]]->getSubjectName());
+ return false;
+ }
+ }
+ else if (chain.size() != i + 2)
+ { // not issuer of another?
+ SAL_WARN("xmlsecurity.comp", "X509Data do not form a chain: certificate issued 0 others: " << certs[chain[i]]->getSubjectName());
+ return false;
+ }
+ }
+
+ // success
+ assert(chain.size() == rX509CertInfos.size());
+ for (auto const& it : chain)
+ {
+ rSorted.emplace_back(rX509CertInfos[it]);
+ rCerts.emplace_back(certs[it]);
+ }
+ return true;
+}
+
+std::vector<uno::Reference<security::XCertificate>>
+XMLSignatureHelper::CheckAndUpdateSignatureInformation(
+ uno::Reference<xml::crypto::XSecurityEnvironment> const& xSecEnv,
+ SignatureInformation const& rInfo)
+{
+ // if the check fails, it's not possible to determine which X509Data
+ // contained the signing certificate - the UI cannot display something
+ // useful in this case, so prevent anything misleading by clearing the
+ // X509Datas.
+
+ std::vector<uno::Reference<security::XCertificate>> certs;
+ std::vector<SignatureInformation::X509Data> datas;
+ // TODO: for now, just merge all X509Datas together for checking...
+ // (this will probably break round-trip of signature with multiple X509Data,
+ // no idea if that is a problem)
+ SignatureInformation::X509Data temp;
+ SignatureInformation::X509Data tempResult;
+ for (auto const& rData : rInfo.X509Datas)
+ {
+ for (auto const& it : rData)
+ {
+ temp.emplace_back(it);
+ }
+ }
+ if (CheckX509Data(xSecEnv, temp, certs, tempResult))
+ {
+ datas.emplace_back(tempResult);
+ }
+
+ // rInfo is a copy, update the original
+ mpXSecController->UpdateSignatureInformation(rInfo.nSecurityId, datas);
+ return certs;
+}
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index ed7c43c7dfdf..b14fed88adc0 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -739,7 +739,7 @@ void XSecController::exportSignature(
xDocumentHandler->startElement(
"PGPKeyID",
css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
- xDocumentHandler->characters( signatureInfo.ouCertDigest );
+ xDocumentHandler->characters(signatureInfo.ouGpgKeyID);
xDocumentHandler->endElement( "PGPKeyID" );
/* Write PGPKeyPacket element */
@@ -763,43 +763,50 @@ void XSecController::exportSignature(
}
else
{
- /* Write X509Data element */
- xDocumentHandler->startElement(
- "X509Data",
- css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
+ assert(signatureInfo.GetSigningCertificate());
+ for (auto const& rData : signatureInfo.X509Datas)
{
- /* Write X509IssuerSerial element */
+ /* Write X509Data element */
xDocumentHandler->startElement(
- "X509IssuerSerial",
+ "X509Data",
css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
{
- /* Write X509IssuerName element */
- xDocumentHandler->startElement(
- "X509IssuerName",
- css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
- xDocumentHandler->characters( signatureInfo.ouX509IssuerName );
- xDocumentHandler->endElement( "X509IssuerName" );
-
- /* Write X509SerialNumber element */
- xDocumentHandler->startElement(
- "X509SerialNumber",
- css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
- xDocumentHandler->characters( signatureInfo.ouX509SerialNumber );
- xDocumentHandler->endElement( "X509SerialNumber" );
- }
- xDocumentHandler->endElement( "X509IssuerSerial" );
-
- /* Write X509Certificate element */
- if (!signatureInfo.ouX509Certificate.isEmpty())
- {
- xDocumentHandler->startElement(
- "X509Certificate",
- css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
- xDocumentHandler->characters( signatureInfo.ouX509Certificate );
- xDocumentHandler->endElement( "X509Certificate" );
+ for (auto const& it : rData)
+ {
+ /* Write X509IssuerSerial element */
+ xDocumentHandler->startElement(
+ "X509IssuerSerial",
+ css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
+ {
+ /* Write X509IssuerName element */
+ xDocumentHandler->startElement(
+ "X509IssuerName",
+ css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
+ xDocumentHandler->characters(it.X509IssuerName);
+ xDocumentHandler->endElement( "X509IssuerName" );
+
+ /* Write X509SerialNumber element */
+ xDocumentHandler->startElement(
+ "X509SerialNumber",
+ css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
+ xDocumentHandler->characters(it.X509SerialNumber);
+ xDocumentHandler->endElement( "X509SerialNumber" );
+ }
+ xDocumentHandler->endElement( "X509IssuerSerial" );
+
+ /* Write X509Certificate element */
+ if (!it.X509Certificate.isEmpty())
+ {
+ xDocumentHandler->startElement(
+ "X509Certificate",
+ css::uno::Reference< css::xml::sax::XAttributeList > (new SvXMLAttributeList()));
+ xDocumentHandler->characters(it.X509Certificate);
+ xDocumentHandler->endElement( "X509Certificate" );
+ }
+ }
}
+ xDocumentHandler->endElement( "X509Data" );
}
- xDocumentHandler->endElement( "X509Data" );
}
}
xDocumentHandler->endElement( "KeyInfo" );
@@ -918,6 +925,15 @@ void XSecController::exportOOXMLSignature(const uno::Reference<embed::XStorage>&
aExporter.writeSignature();
}
+void XSecController::UpdateSignatureInformation(sal_Int32 const nSecurityId,
+ std::vector<SignatureInformation::X509Data> const& rDatas)
+{
+ SignatureInformation aInf( 0 );
+ int const nIndex = findSignatureInfor(nSecurityId);
+ assert(nIndex != -1); // nothing should touch this between parsing and verify
+ m_vInternalSignatureInformations[nIndex].signatureInfor.X509Datas = rDatas;
+}
+
SignatureInformation XSecController::getSignatureInformation( sal_Int32 nSecurityId ) const
{
SignatureInformation aInf( 0 );
diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
index 7122f9f71905..ff70d888eb51 100644
--- a/xmlsecurity/source/helper/xsecparser.cxx
+++ b/xmlsecurity/source/helper/xsecparser.cxx
@@ -243,98 +243,79 @@ class XSecParser::DsX509CertificateContext
: public XSecParser::Context
{
private:
- OUString m_Value;
+ OUString & m_rValue;
public:
DsX509CertificateContext(XSecParser & rParser,
- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
+ OUString & rValue)
: XSecParser::Context(rParser, std::move(pOldNamespaceMap))
+ , m_rValue(rValue)
{
}
- virtual void EndElement() override
- {
- m_rParser.m_pXSecController->setX509Certificate(m_Value);
- }
-
virtual void Characters(OUString const& rChars) override
{
- m_Value += rChars;
+ m_rValue += rChars;
}
};
class XSecParser::DsX509SerialNumberContext
- : public XSecParser::ReferencedContextImpl
+ : public XSecParser::Context
{
private:
- OUString m_Value;
+ OUString & m_rValue;
public:
DsX509SerialNumberContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
- bool const isReferenced)
- : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
- {
- }
-
- virtual void EndElement() override
+ OUString & rValue)
+ : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
+ , m_rValue(rValue)
{
- if (m_isReferenced)
- {
- m_rParser.m_pXSecController->setX509SerialNumber(m_Value);
- }
- else
- {
- SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509SerialNumber");
- }
}
virtual void Characters(OUString const& rChars) override
{
- m_Value += rChars;
+ m_rValue += rChars;
}
};
class XSecParser::DsX509IssuerNameContext
- : public XSecParser::ReferencedContextImpl
+ : public XSecParser::Context
{
private:
- OUString m_Value;
+ OUString & m_rValue;
public:
DsX509IssuerNameContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
- bool const isReferenced)
- : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
- {
- }
-
- virtual void EndElement() override
+ OUString & rValue)
+ : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
+ , m_rValue(rValue)
{
- if (m_isReferenced)
- {
- m_rParser.m_pXSecController->setX509IssuerName(m_Value);
- }
- else
- {
- SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509IssuerName");
- }
}
virtual void Characters(OUString const& rChars) override
{
- m_Value += rChars;
+ m_rValue += rChars;
}
};
class XSecParser::DsX509IssuerSerialContext
- : public XSecParser::ReferencedContextImpl
+ : public XSecParser::Context
{
+ private:
+ OUString & m_rX509IssuerName;
+ OUString & m_rX509SerialNumber;
+
public:
DsX509IssuerSerialContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
- bool const isReferenced)
- : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ OUString & rIssuerName, OUString & rSerialNumber)
+ : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
+ , m_rX509IssuerName(rIssuerName)
+ , m_rX509SerialNumber(rSerialNumber)
{
}
@@ -344,20 +325,27 @@ class XSecParser::DsX509IssuerSerialContext
{
if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerName")
{
- return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap), m_rX509IssuerName);
}
if (nNamespace == XML_NAMESPACE_DS && rName == "X509SerialNumber")
{
- return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap), m_rX509SerialNumber);
}
// missing: ds:X509SKI, ds:X509SubjectName, ds:X509CRL
return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
}
};
+/// can't be sure what is supposed to happen here because the spec is clear as mud
class XSecParser::DsX509DataContext
: public XSecParser::Context
{
+ private:
+ // sigh... "No ordering is implied by the above constraints."
+ // so store the ball of mud in vectors and try to figure it out later.
+ std::vector<std::pair<OUString, OUString>> m_X509IssuerSerials;
+ std::vector<OUString> m_X509Certificates;
+
public:
DsX509DataContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
@@ -365,18 +353,24 @@ class XSecParser::DsX509DataContext
{
}
+ virtual void EndElement() override
+ {
+ m_rParser.m_pXSecController->setX509Data(m_X509IssuerSerials, m_X509Certificates);
+ }
+
virtual std::unique_ptr<Context> CreateChildContext(
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
sal_uInt16 const nNamespace, OUString const& rName) override
{
if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerSerial")
{
- // can't require KeyInfo to be signed so pass in *true*
- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), true);
+ m_X509IssuerSerials.emplace_back();
+ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), m_X509IssuerSerials.back().first, m_X509IssuerSerials.back().second);
}
if (nNamespace == XML_NAMESPACE_DS && rName == "X509Certificate")
{
- return std::make_unique<DsX509CertificateContext>(m_rParser, std::move(pOldNamespaceMap));
+ m_X509Certificates.emplace_back();
+ return std::make_unique<DsX509CertificateContext>(m_rParser, std::move(pOldNamespaceMap), m_X509Certificates.back());
}
// missing: ds:X509SKI, ds:X509SubjectName, ds:X509CRL
return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
@@ -968,30 +962,20 @@ class XSecParser::LoSignatureLineContext
};
class XSecParser::XadesCertDigestContext
- : public XSecParser::ReferencedContextImpl
+ : public XSecParser::Context
{
private:
- OUString m_Value;
- sal_Int32 m_nReferenceDigestID = css::xml::crypto::DigestID::SHA1;
+ OUString & m_rDigestValue;
+ sal_Int32 & m_rReferenceDigestID;
public:
XadesCertDigestContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
- bool const isReferenced)
- : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
- {
- }
-
- virtual void EndElement() override
+ OUString & rDigestValue, sal_Int32 & rReferenceDigestID)
+ : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
+ , m_rDigestValue(rDigestValue)
+ , m_rReferenceDigestID(rReferenceDigestID)
{
- if (m_isReferenced)
- {
- m_rParser.m_pXSecController->setCertDigest(m_Value/* FIXME , m_nReferenceDigestID*/);
- }
- else
- {
- SAL_INFO("xmlsecurity.helper", "ignoring unsigned CertDigest");
- }
}
virtual std::unique_ptr<Context> CreateChildContext(
@@ -1000,11 +984,11 @@ class XSecParser::XadesCertDigestContext
{
if (nNamespace == XML_NAMESPACE_DS && rName == "DigestMethod")
{
- return std::make_unique<DsDigestMethodContext>(m_rParser, std::move(pOldNamespaceMap), m_nReferenceDigestID);
+ return std::make_unique<DsDigestMethodContext>(m_rParser, std::move(pOldNamespaceMap), m_rReferenceDigestID);
}
if (nNamespace == XML_NAMESPACE_DS && rName == "DigestValue")
{
- return std::make_unique<DsDigestValueContext>(m_rParser, std::move(pOldNamespaceMap), m_Value);
+ return std::make_unique<DsDigestValueContext>(m_rParser, std::move(pOldNamespaceMap), m_rDigestValue);
}
return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
}
@@ -1013,6 +997,12 @@ class XSecParser::XadesCertDigestContext
class XSecParser::XadesCertContext
: public XSecParser::ReferencedContextImpl
{
+ private:
+ sal_Int32 m_nReferenceDigestID = css::xml::crypto::DigestID::SHA1;
+ OUString m_CertDigest;
+ OUString m_X509IssuerName;
+ OUString m_X509SerialNumber;
+
public:
XadesCertContext(XSecParser & rParser,
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
@@ -1021,17 +1011,29 @@ class XSecParser::XadesCertContext
{
}
+ virtual void EndElement() override
+ {
+ if (m_isReferenced)
+ {
+ m_rParser.m_pXSecController->setX509CertDigest(m_CertDigest, m_nReferenceDigestID, m_X509IssuerName, m_X509SerialNumber);
+ }
+ else
+ {
+ SAL_INFO("xmlsecurity.helper", "ignoring unsigned xades:Cert");
+ }
+ }
+
virtual std::unique_ptr<Context> CreateChildContext(
std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
sal_uInt16 const nNamespace, OUString const& rName) override
{
if (nNamespace == XML_NAMESPACE_XADES132 && rName == "CertDigest")
{
- return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap), m_CertDigest, m_nReferenceDigestID);
}
if (nNamespace == XML_NAMESPACE_XADES132 && rName == "IssuerSerial")
{
- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), m_X509IssuerName, m_X509SerialNumber);
}
return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
}
diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index edd31b4f29ee..f2e349a94ef6 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -197,6 +197,7 @@ void XSecController::signAStream( sal_Int32 securityId, const OUString& uri, boo
}
}
+// note: this is called when creating a new signature from scratch
void XSecController::setX509Certificate(
sal_Int32 nSecurityId,
const OUString& ouX509IssuerName,
@@ -210,10 +211,13 @@ void XSecController::setX509Certificate(
if ( index == -1 )
{
InternalSignatureInformation isi(nSecurityId, nullptr);
- isi.signatureInfor.ouX509IssuerName = ouX509IssuerName;
- isi.signatureInfor.ouX509SerialNumber = ouX509SerialNumber;
- isi.signatureInfor.ouX509Certificate = ouX509Cert;
- isi.signatureInfor.ouCertDigest = ouX509CertDigest;
+ isi.signatureInfor.X509Datas.clear();
+ isi.signatureInfor.X509Datas.emplace_back();
+ isi.signatureInfor.X509Datas.back().emplace_back();
+ isi.signatureInfor.X509Datas.back().back().X509IssuerName = ouX509IssuerName;
+ isi.signatureInfor.X509Datas.back().back().X509SerialNumber = ouX509SerialNumber;
+ isi.signatureInfor.X509Datas.back().back().X509Certificate = ouX509Cert;
+ isi.signatureInfor.X509Datas.back().back().CertDigest = ouX509CertDigest;
isi.signatureInfor.eAlgorithmID = eAlgorithmID;
m_vInternalSignatureInformations.push_back( isi );
}
@@ -221,16 +225,19 @@ void XSecController::setX509Certificate(
{
SignatureInformation &si
= m_vInternalSignatureInformations[index].signatureInfor;
- si.ouX509IssuerName = ouX509IssuerName;
- si.ouX509SerialNumber = ouX509SerialNumber;
- si.ouX509Certificate = ouX509Cert;
- si.ouCertDigest = ouX509CertDigest;
+ si.X509Datas.clear();
+ si.X509Datas.emplace_back();
+ si.X509Datas.back().emplace_back();
+ si.X509Datas.back().back().X509IssuerName = ouX509IssuerName;
+ si.X509Datas.back().back().X509SerialNumber = ouX509SerialNumber;
+ si.X509Datas.back().back().X509Certificate = ouX509Cert;
+ si.X509Datas.back().back().CertDigest = ouX509CertDigest;
}
}
void XSecController::setGpgCertificate(
sal_Int32 nSecurityId,
- const OUString& ouCertDigest,
+ const OUString& ouKeyDigest,
const OUString& ouCert,
const OUString& ouOwner)
{
@@ -241,16 +248,17 @@ void XSecController::setGpgCertificate(
InternalSignatureInformation isi(nSecurityId, nullptr);
isi.signatureInfor.ouGpgCertificate = ouCert;
isi.signatureInfor.ouGpgOwner = ouOwner;
- isi.signatureInfor.ouCertDigest = ouCertDigest;
+ isi.signatureInfor.ouGpgKeyID = ouKeyDigest;
m_vInternalSignatureInformations.push_back( isi );
}
else
{
SignatureInformation &si
= m_vInternalSignatureInformations[index].signatureInfor;
+ si.X509Datas.clear(); // it is a PGP signature now
si.ouGpgCertificate = ouCert;
si.ouGpgOwner = ouOwner;
- si.ouCertDigest = ouCertDigest;
+ si.ouGpgKeyID = ouKeyDigest;
}
}
diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
index 1c06a36bf7cb..503bae24d379 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -22,6 +22,7 @@
#include <xsecctl.hxx>
#include "xsecparser.hxx"
#include "ooxmlsecparser.hxx"
+#include <biginteger.hxx>
#include <framework/signatureverifierimpl.hxx>
#include <framework/saxeventkeeperimpl.hxx>
#include <gpg/xmlsignature_gpgimpl.hxx>
@@ -242,7 +243,9 @@ void XSecController::setReferenceCount() const
}
}
-void XSecController::setX509IssuerName( OUString const & ouX509IssuerName )
+void XSecController::setX509Data(
+ std::vector<std::pair<OUString, OUString>> & rX509IssuerSerials,
+ std::vector<OUString> const& rX509Certificates)
{
if (m_vInternalSignatureInformations.empty())
{
@@ -250,29 +253,52 @@ void XSecController::setX509IssuerName( OUString const & ouX509IssuerName )
return;
}
InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
- isi.signatureInfor.ouX509IssuerName = ouX509IssuerName;
-}
-
-void XSecController::setX509SerialNumber( OUString const & ouX509SerialNumber )
-{
- if (m_vInternalSignatureInformations.empty())
+ SignatureInformation::X509Data data;
+ // due to the excessive flexibility of the spec it's possible that there
+ // is both a reference to a cert and the cert itself in one X509Data
+ for (OUString const& it : rX509Certificates)
{
- SAL_INFO("xmlsecurity.helper","XSecController::setX509SerialNumber: no signature");
- return;
+ try
+ {
+ data.emplace_back();
+ data.back().X509Certificate = it;
+ uno::Reference<xml::crypto::XSecurityEnvironment> const xSecEnv(m_xSecurityContext->getSecurityEnvironment());
+ uno::Reference<security::XCertificate> const xCert(xSecEnv->createCertificateFromAscii(it));
+ if (!xCert.is())
+ {
+ SAL_INFO("xmlsecurity.helper", "cannot parse X509Certificate");
+ continue; // will be handled in CheckX509Data
+ }
+ OUString const issuerName(xCert->getIssuerName());
+ OUString const serialNumber(xmlsecurity::bigIntegerToNumericString(xCert->getSerialNumber()));
+ auto const iter = std::find_if(rX509IssuerSerials.begin(), rX509IssuerSerials.end(),
+ [&](auto const& rX509IssuerSerial) {
+ return xmlsecurity::EqualDistinguishedNames(issuerName, rX509IssuerSerial.first)
+ && serialNumber == rX509IssuerSerial.second;
+ });
+ if (iter != rX509IssuerSerials.end())
+ {
+ data.back().X509IssuerName = iter->first;
+ data.back().X509SerialNumber = iter->second;
+ rX509IssuerSerials.erase(iter);
+ }
+ }
+ catch (uno::Exception const&)
+ {
+ SAL_INFO("xmlsecurity.helper", "cannot parse X509Certificate");
+ }
}
- InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
- isi.signatureInfor.ouX509SerialNumber = ouX509SerialNumber;
-}
-
-void XSecController::setX509Certificate( OUString const & ouX509Certificate )
-{
- if (m_vInternalSignatureInformations.empty())
+ // now handle any that are left...
+ for (auto const& it : rX509IssuerSerials)
{
- SAL_INFO("xmlsecurity.helper","XSecController::setX509Certificate: no signature");
- return;
+ data.emplace_back();
+ data.back().X509IssuerName = it.first;
+ data.back().X509SerialNumber = it.second;
+ }
+ if (!data.empty())
+ {
+ isi.signatureInfor.X509Datas.push_back(data);
}
- InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
- isi.signatureInfor.ouX509Certificate = ouX509Certificate;
}
void XSecController::setSignatureValue( OUString const & ouSignatureValue )
@@ -382,13 +408,67 @@ void XSecController::setSignatureBytes(const uno::Sequence<sal_Int8>& rBytes)
rInformation.signatureInfor.aSignatureBytes = rBytes;
}
-void XSecController::setCertDigest(const OUString& rCertDigest)
+void XSecController::setX509CertDigest(
+ OUString const& rCertDigest, sal_Int32 const /*TODO nReferenceDigestID*/,
+ OUString const& rX509IssuerName, OUString const& rX509SerialNumber)
{
if (m_vInternalSignatureInformations.empty())
return;
InternalSignatureInformation& rInformation = m_vInternalSignatureInformations.back();
- rInformation.signatureInfor.ouCertDigest = rCertDigest;
+ for (auto & rData : rInformation.signatureInfor.X509Datas)
+ {
+ for (auto & it : rData)
+ {
+ if (xmlsecurity::EqualDistinguishedNames(it.X509IssuerName, rX509IssuerName)
+ && it.X509SerialNumber == rX509SerialNumber)
+ {
+ it.CertDigest = rCertDigest;
+ return;
+ }
+ }
+ }
+ // fall-back: read the actual certificates
+ for (auto & rData : rInformation.signatureInfor.X509Datas)
+ {
+ for (auto & it : rData)
+ {
+ if (!it.X509Certificate.isEmpty())
+ {
+ try
+ {
+ uno::Reference<xml::crypto::XSecurityEnvironment> const xSecEnv(m_xSecurityContext->getSecurityEnvironment());
+ uno::Reference<security::XCertificate> const xCert(xSecEnv->createCertificateFromAscii(it.X509Certificate));
+ if (!xCert.is())
+ {
+ SAL_INFO("xmlsecurity.helper", "cannot parse X509Certificate");
+ }
+ else if (xmlsecurity::EqualDistinguishedNames(xCert->getIssuerName(),rX509IssuerName)
+ && xmlsecurity::bigIntegerToNumericString(xCert->getSerialNumber()) == rX509SerialNumber)
+ {
+ it.CertDigest = rCertDigest;
+ // note: testInsertCertificate_PEM_DOCX requires these!
+ it.X509SerialNumber = rX509SerialNumber;
+ it.X509IssuerName = rX509IssuerName;
+ return;
+ }
+ }
+ catch (uno::Exception const&)
+ {
+ SAL_INFO("xmlsecurity.helper", "cannot parse X509Certificate");
+ }
+ }
+ }
+ }
+ if (!rInformation.signatureInfor.ouGpgCertificate.isEmpty())
+ {
+ SAL_INFO_IF(rCertDigest != rInformation.signatureInfor.ouGpgKeyID,
+ "xmlsecurity.helper", "PGPKeyID vs CertDigest mismatch");
+ }
+ else
+ {
+ SAL_INFO("xmlsecurity.helper", "cannot find X509Data for CertDigest");
+ }
}
namespace {
diff --git a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
index d213f21631f5..062b91387cba 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
@@ -25,6 +25,7 @@
#include <cppuhelper/supportsservice.hxx>
#include "x509certificate_mscryptimpl.hxx"
#include <certificateextension_xmlsecimpl.hxx>
+#include <biginteger.hxx>
#include "sanextension_mscryptimpl.hxx"
#include "oid.hxx"
@@ -668,4 +669,50 @@ Sequence<OUString> SAL_CALL X509Certificate_MSCryptImpl::getSupportedServiceName
return { OUString() };
}
+namespace xmlsecurity {
+
+static bool EncodeDistinguishedName(OUString const& rName, CERT_NAME_BLOB & rBlob)
+{
+ LPCWSTR pszError;
+ if (!CertStrToNameW(X509_ASN_ENCODING,
+ reinterpret_cast<LPCWSTR>(rName.getStr()), CERT_X500_NAME_STR,
+ nullptr, nullptr, &rBlob.cbData, &pszError))
+ {
+ SAL_INFO("xmlsecurity.xmlsec", "CertStrToNameW failed: " << WindowsErrorString(GetLastError()) << "; " << reinterpret_cast<char16_t const*>(pszError));
+ return false;
+ }
+ rBlob.pbData = new BYTE[rBlob.cbData];
+ if (!CertStrToNameW(X509_ASN_ENCODING,
+ reinterpret_cast<LPCWSTR>(rName.getStr()), CERT_X500_NAME_STR,
+ nullptr, rBlob.pbData, &rBlob.cbData, &pszError))
+ {
+ SAL_INFO("xmlsecurity.xmlsec", "CertStrToNameW failed: " << WindowsErrorString(GetLastError()) << "; " << reinterpret_cast<char16_t const*>(pszError));
+ return false;
+ }
+ return true;
+}
+
+bool EqualDistinguishedNames(
+ OUString const& rName1, OUString const& rName2)
+{
+ CERT_NAME_BLOB blob1;
+ if (!EncodeDistinguishedName(rName1, blob1))
+ {
+ return false;
+ }
+ CERT_NAME_BLOB blob2;
+ if (!EncodeDistinguishedName(rName2, blob2))
+ {
+ delete[] blob1.pbData;
+ return false;
+ }
+ bool const ret(CertCompareCertificateName(X509_ASN_ENCODING,
+ &blob1, &blob2) == TRUE);
+ delete[] blob2.pbData;
+ delete[] blob1.pbData;
+ return ret;
+}
+
+} // namespace xmlsecurity
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
index dfa9c4ad494b..6b16efd46752 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
@@ -18,6 +18,7 @@
*/
#include <sal/config.h>
+#include <sal/log.hxx>
#include <rtl/uuid.h>
#include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
@@ -250,6 +251,7 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
++nReferenceGood;
}
}
+ SAL_INFO("xmlsecurity.xmlsec", "xmlSecDSigCtxVerify status " << pDsigCtx->status << ", references good " << nReferenceGood << " of " << nReferenceCount);
if (rs == 0 && nReferenceCount == nReferenceGood)
{
diff --git a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
index 0cf8c17d3303..332f9363f4dd 100644
--- a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
@@ -32,6 +32,7 @@
#include <rtl/ref.hxx>
#include "x509certificate_nssimpl.hxx"
+#include <biginteger.hxx>
#include <certificateextension_xmlsecimpl.hxx>
#include "sanextension_nssimpl.hxx"
@@ -523,4 +524,28 @@ sal_Bool SAL_CALL X509Certificate_NssImpl::supportsService(const OUString& servi
/* XServiceInfo */
Sequence<OUString> SAL_CALL X509Certificate_NssImpl::getSupportedServiceNames() { return { OUString() }; }
+namespace xmlsecurity {
+
+bool EqualDistinguishedNames(
+ OUString const& rName1, OUString const& rName2)
+{
+ CERTName *const pName1(CERT_AsciiToName(OUStringToOString(rName1, RTL_TEXTENCODING_UTF8).getStr()));
+ if (pName1 == nullptr)
+ {
+ return false;
+ }
+ CERTName *const pName2(CERT_AsciiToName(OUStringToOString(rName2, RTL_TEXTENCODING_UTF8).getStr()));
+ if (pName2 == nullptr)
+ {
+ CERT_DestroyName(pName1);
+ return false;
+ }
+ bool const ret(CERT_CompareName(pName1, pName2) == SECEqual);
+ CERT_DestroyName(pName2);
+ CERT_DestroyName(pName1);
+ return ret;
+}
+
+} // namespace xmlsecurity
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
index f4b1364f52dd..85058a273814 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
@@ -28,6 +28,9 @@
#include "securityenvironment_nssimpl.hxx"
#include <xmlsec-wrapper.h>
+
+#include <sal/log.hxx>
+
#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
using namespace ::com::sun::star;
@@ -258,6 +261,7 @@ SAL_CALL XMLSignature_NssImpl::validate(
++nReferenceGood;
}
}
+ SAL_INFO("xmlsecurity.xmlsec", "xmlSecDSigCtxVerify status " << pDsigCtx->status << ", references good " << nReferenceGood << " of " << nReferenceCount);
if (rs == 0 && pDsigCtx->status == xmlSecDSigStatusSucceeded && nReferenceCount == nReferenceGood)
{
commit 081d77c7a34d1626f15347d452f8360e6a856c76
Author: Miklos Vajna <vmiklos at collabora.co.uk>
AuthorDate: Mon Jun 4 21:25:38 2018 +0200
Commit: Michael Stahl <michael.stahl at allotropia.de>
CommitDate: Mon Mar 29 16:46:59 2021 +0200
libxmlsec: drop not needed xmlsec1-customkeymanage.patch.1
This was added in commit ebd1b95bb5f9235d1dba1b840fd746c9b53320d2
(INTEGRATION: CWS xmlsec08 (1.1.2); FILE ADDED; 2005-03-10) without any
real commit message to explain why this is necessary.
system-xmlsec (not containing this patch) works fine for our XML signing
purposes with software certificates, and just recently I learned that
even hardware-based certificates work fine without this patch, so it can
go away.
I assume this was a refactor to allow some new feature as a next step,
but that feature was never implemented.
[ Committer's note: this xmlsec1-customkeymanage.patch.1 breaks the test
SigningTest::testXAdESNotype():
In xmlSecNssKeyDataX509VerifyAndExtractKey(), code is added to extract
the *private* key of the certificate; upstream only extracts the
public key.
Later this causes a key requirement check in xmlSecKeysMngrGetKey() to
succeed which would otherwise fail, and the certificate to remain
uncleared.
Then xmlSecKeyInfoNodeWrite() writes the certificate into the KeyInfo
element, where it was previously read from, so it is duplicated and
LO's CheckX509Data() fails because of 2 signing certificates. ]
Reviewed-on: https://gerrit.libreoffice.org/55296
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
(cherry picked from commit f06004c03bbd076767a570180b7fc239064713e6)
Change-Id: I31639230483cd34b14b35fd41b4fcd8284476138
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
index 24be126f1d84..cd824e4cff9b 100644
--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -11,7 +11,6 @@ xmlsec_patches :=
xmlsec_patches += xmlsec1-configure.patch.1
xmlsec_patches += xmlsec1-vc.patch.1
xmlsec_patches += xmlsec1-1.2.14_fix_extern_c.patch.1
-xmlsec_patches += xmlsec1-customkeymanage.patch.1
# Backport of <https://github.com/lsh123/xmlsec/pull/172>.
xmlsec_patches += xmlsec1-ecdsa-assert.patch.1
diff --git a/external/xmlsec/xmlsec1-customkeymanage.patch.1 b/external/xmlsec/xmlsec1-customkeymanage.patch.1
deleted file mode 100644
index 14595da6df16..000000000000
--- a/external/xmlsec/xmlsec1-customkeymanage.patch.1
+++ /dev/null
@@ -1,4321 +0,0 @@
-From 57f9146c45b1819afdd79a96a77ea55fb84ddb50 Mon Sep 17 00:00:00 2001
-From: Miklos Vajna <vmiklos at collabora.co.uk>
-Date: Fri, 4 Mar 2016 16:19:12 +0100
-Subject: [PATCH] xmlsec1-customkeymanage.patch
-
-Conflicts:
- include/xmlsec/nss/app.h
- include/xmlsec/nss/keysstore.h
- src/nss/Makefile.in
- src/nss/hmac.c
- src/nss/keysstore.c
- src/nss/pkikeys.c
- src/nss/symkeys.c
- src/nss/x509.c
- src/nss/x509vfy.c
----
- include/xmlsec/nss/Makefile.am | 3 +
- include/xmlsec/nss/Makefile.in | 3 +
- include/xmlsec/nss/akmngr.h | 56 +++
- include/xmlsec/nss/app.h | 5 +
- include/xmlsec/nss/ciphers.h | 35 ++
- include/xmlsec/nss/keysstore.h | 4 +
- include/xmlsec/nss/tokens.h | 182 ++++++++++
- src/nss/Makefile.am | 2 +
- src/nss/Makefile.in | 20 ++
- src/nss/akmngr.c | 384 ++++++++++++++++++++
- src/nss/hmac.c | 6 +-
- src/nss/keysstore.c | 772 +++++++++++++++++++++++++++++------------
- src/nss/pkikeys.c | 81 ++---
- src/nss/symkeys.c | 705 +++++++++++++++++++++++++++++++++++--
- src/nss/tokens.c | 544 +++++++++++++++++++++++++++++
- src/nss/x509.c | 491 ++++++--------------------
- src/nss/x509vfy.c | 248 +++++--------
- 17 files changed, 2703 insertions(+), 838 deletions(-)
- create mode 100644 include/xmlsec/nss/akmngr.h
- create mode 100644 include/xmlsec/nss/ciphers.h
- create mode 100644 include/xmlsec/nss/tokens.h
- create mode 100644 src/nss/akmngr.c
- create mode 100644 src/nss/tokens.c
-
-diff --git a/include/xmlsec/nss/Makefile.am b/include/xmlsec/nss/Makefile.am
-index e3521622..997ca7fd 100644
---- a/include/xmlsec/nss/Makefile.am
-+++ b/include/xmlsec/nss/Makefile.am
-@@ -10,6 +10,9 @@ bignum.h \
- keysstore.h \
- pkikeys.h \
- x509.h \
-+akmngr.h \
-+tokens.h \
-+ciphers.h \
- $(NULL)
-
- install-exec-hook:
-diff --git a/include/xmlsec/nss/Makefile.in b/include/xmlsec/nss/Makefile.in
-index 6fecb4f5..672d10e7 100644
---- a/include/xmlsec/nss/Makefile.in
-+++ b/include/xmlsec/nss/Makefile.in
-@@ -407,6 +407,9 @@ bignum.h \
- keysstore.h \
- pkikeys.h \
- x509.h \
-+akmngr.h \
-+tokens.h \
-+ciphers.h \
- $(NULL)
-
- all: all-am
-diff --git a/include/xmlsec/nss/akmngr.h b/include/xmlsec/nss/akmngr.h
-new file mode 100644
-index 00000000..80535110
---- /dev/null
-+++ b/include/xmlsec/nss/akmngr.h
-@@ -0,0 +1,56 @@
-+/**
-+ * XMLSec library
-+ *
-+ * This is free software; see Copyright file in the source
-+ * distribution for preciese wording.
-+ *
-+ * Copyright ..........................
-+ */
-+#ifndef __XMLSEC_NSS_AKMNGR_H__
-+#define __XMLSEC_NSS_AKMNGR_H__
-+
-+#include <nss.h>
-+#include <nspr.h>
-+#include <pk11func.h>
-+#include <cert.h>
-+
-+#include <xmlsec/xmlsec.h>
-+#include <xmlsec/keys.h>
-+#include <xmlsec/transforms.h>
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif /* __cplusplus */
-+
-+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
-+xmlSecNssAppliedKeysMngrCreate(
-+ PK11SlotInfo** slots,
-+ int cSlots,
-+ CERTCertDBHandle* handler
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssAppliedKeysMngrSymKeyLoad(
-+ xmlSecKeysMngrPtr mngr ,
-+ PK11SymKey* symKey
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssAppliedKeysMngrPubKeyLoad(
-+ xmlSecKeysMngrPtr mngr ,
-+ SECKEYPublicKey* pubKey
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssAppliedKeysMngrPriKeyLoad(
-+ xmlSecKeysMngrPtr mngr ,
-+ SECKEYPrivateKey* priKey
-+) ;
-+
-+#ifdef __cplusplus
-+}
-+#endif /* __cplusplus */
-+
-+#endif /* __XMLSEC_NSS_AKMNGR_H__ */
-+
-+
-diff --git a/include/xmlsec/nss/app.h b/include/xmlsec/nss/app.h
-index 93f6c637..03f6aa14 100644
---- a/include/xmlsec/nss/app.h
-+++ b/include/xmlsec/nss/app.h
-@@ -22,6 +22,9 @@ extern "C" {
- #include <xmlsec/keysmngr.h>
- #include <xmlsec/transforms.h>
-
-+#include <xmlsec/nss/tokens.h>
-+#include <xmlsec/nss/akmngr.h>
-+
- /********************************************************************
- *
- * Init/shutdown
-@@ -40,6 +43,8 @@ XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrAdoptKey(xmlS
- xmlSecKeyPtr key);
- XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrLoad (xmlSecKeysMngrPtr mngr,
- const char* uri);
-+XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr,
-+ xmlSecNssKeySlotPtr keySlot);
- XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrSave (xmlSecKeysMngrPtr mngr,
- const char* filename,
- xmlSecKeyDataType type);
-diff --git a/include/xmlsec/nss/ciphers.h b/include/xmlsec/nss/ciphers.h
-new file mode 100644
-index 00000000..607eb1e0
---- /dev/null
-+++ b/include/xmlsec/nss/ciphers.h
-@@ -0,0 +1,35 @@
-+/**
-+ * XMLSec library
-+ *
-+ * This is free software; see Copyright file in the source
-+ * distribution for preciese wording.
-+ *
-+ * Copyright ..........................
-+ */
-+#ifndef __XMLSEC_NSS_CIPHERS_H__
-+#define __XMLSEC_NSS_CIPHERS_H__
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif /* __cplusplus */
-+
-+#include <xmlsec/xmlsec.h>
-+#include <xmlsec/keys.h>
-+#include <xmlsec/transforms.h>
-+
-+
-+XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data,
-+ PK11SymKey* symkey ) ;
-+
-+XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ;
-+
-+XMLSEC_CRYPTO_EXPORT PK11SymKey* xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data);
-+
-+
-+#ifdef __cplusplus
-+}
-+#endif /* __cplusplus */
-+
-+#endif /* __XMLSEC_NSS_CIPHERS_H__ */
-+
-+
-diff --git a/include/xmlsec/nss/keysstore.h b/include/xmlsec/nss/keysstore.h
-index eb64d3c3..369a1453 100644
---- a/include/xmlsec/nss/keysstore.h
-+++ b/include/xmlsec/nss/keysstore.h
-@@ -16,6 +16,8 @@ extern "C" {
- #endif /* __cplusplus */
-
- #include <xmlsec/xmlsec.h>
-+#include <xmlsec/keysmngr.h>
-+#include <xmlsec/nss/tokens.h>
-
- /****************************************************************************
- *
-@@ -31,6 +33,8 @@ extern "C" {
- XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId xmlSecNssKeysStoreGetKlass (void);
- XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKey (xmlSecKeyStorePtr store,
- xmlSecKeyPtr key);
-+XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store,
-+ xmlSecNssKeySlotPtr keySlot);
- XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreLoad (xmlSecKeyStorePtr store,
- const char *uri,
- xmlSecKeysMngrPtr keysMngr);
-diff --git a/include/xmlsec/nss/tokens.h b/include/xmlsec/nss/tokens.h
-new file mode 100644
-index 00000000..444c5614
---- /dev/null
-+++ b/include/xmlsec/nss/tokens.h
-@@ -0,0 +1,182 @@
-+/**
-+ * XMLSec library
-+ *
-+ * This is free software; see Copyright file in the source
-+ * distribution for preciese wording.
-+ *
-+ * Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
-+ *
-+ * Contributor(s): _____________________________
-+ *
-+ */
-+#ifndef __XMLSEC_NSS_TOKENS_H__
-+#define __XMLSEC_NSS_TOKENS_H__
-+
-+#include <string.h>
-+
-+#include <nss.h>
-+#include <pk11func.h>
-+
-+#include <xmlsec/xmlsec.h>
-+#include <xmlsec/list.h>
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif /* __cplusplus */
-+
-+/**
-+ * xmlSecNssKeySlotListId
-+ *
-+ * The crypto mechanism list klass
-+ */
-+#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass()
-+XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ;
-+
-+/*******************************************
-+ * KeySlot interfaces
-+ *******************************************/
-+/**
-+ * Internal NSS key slot data
-+ * @mechanismList: the mechanisms that the slot bound with.
-+ * @slot: the pkcs slot
-+ *
-+ * This context is located after xmlSecPtrList
-+ */
-+typedef struct _xmlSecNssKeySlot xmlSecNssKeySlot ;
-+typedef struct _xmlSecNssKeySlot* xmlSecNssKeySlotPtr ;
-+
-+struct _xmlSecNssKeySlot {
-+ CK_MECHANISM_TYPE_PTR mechanismList ; /* mech. array, NULL ternimated */
-+ PK11SlotInfo* slot ;
-+} ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotSetMechList(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ CK_MECHANISM_TYPE_PTR mechanismList
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotEnableMech(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ CK_MECHANISM_TYPE mechanism
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotDisableMech(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ CK_MECHANISM_TYPE mechanism
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR
-+xmlSecNssKeySlotGetMechList(
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotSetSlot(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ PK11SlotInfo* slot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotInitialize(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ PK11SlotInfo* slot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT void
-+xmlSecNssKeySlotFinalize(
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT PK11SlotInfo*
-+xmlSecNssKeySlotGetSlot(
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
-+xmlSecNssKeySlotCreate() ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotCopy(
-+ xmlSecNssKeySlotPtr newKeySlot ,
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
-+xmlSecNssKeySlotDuplicate(
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT void
-+xmlSecNssKeySlotDestroy(
-+ xmlSecNssKeySlotPtr keySlot
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotBindMech(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ CK_MECHANISM_TYPE type
-+) ;
-+
-+XMLSEC_CRYPTO_EXPORT int
-+xmlSecNssKeySlotSupportMech(
-+ xmlSecNssKeySlotPtr keySlot ,
-+ CK_MECHANISM_TYPE type
-+) ;
-+
-+
-+/************************************************************************
-+ * PKCS#11 crypto token interfaces
-+ *
-+ * A PKCS#11 slot repository will be defined internally. From the
-+ * repository, a user can specify a particular slot for a certain crypto
-+ * mechanism.
-+ *
-+ * In some situation, some cryptographic operation should act in a user
-+ * designated devices. The interfaces defined here provide the way. If
-+ * the user do not initialize the repository distinctly, the interfaces
-+ * use the default functions provided by NSS itself.
-+ *
-+ ************************************************************************/
-+/**
-+ * Initialize NSS pkcs#11 slot repository
-+ *
-+ * Returns 0 if success or -1 if an error occurs.
-+ */
-+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ;
-+
-+/**
-+ * Shutdown and destroy NSS pkcs#11 slot repository
-+ */
-+XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ;
-+
-+/**
-+ * Get PKCS#11 slot handler
-+ * @type the mechanism that the slot must support.
-+ *
-+ * Returns a pointer to PKCS#11 slot or NULL if an error occurs.
-+ *
-+ * Notes: The returned handler must be destroied distinctly.
-+ */
-+XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ;
-+
-+/**
-+ * Adopt a pkcs#11 slot with a mechanism into the repository
-+ * @slot: the pkcs#11 slot.
-+ * @mech: the mechanism.
-+ *
-+ * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with
-+ * this mechanism only can perform on the @slot.
-+ *
-+ * Returns 0 if success or -1 if an error occurs.
-+ */
-+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ;
-+
-+#ifdef __cplusplus
-+}
-+#endif /* __cplusplus */
-+
-+#endif /* __XMLSEC_NSS_TOKENS_H__ */
-+
-diff --git a/src/nss/Makefile.am b/src/nss/Makefile.am
-index e666f33c..ec9e7896 100644
---- a/src/nss/Makefile.am
-+++ b/src/nss/Makefile.am
-@@ -35,6 +35,8 @@ libxmlsec1_nss_la_SOURCES =\
- kw_des.c \
- kw_aes.c \
- globals.h \
-+ akmngr.c \
-+ tokens.c \
- $(NULL)
-
- libxmlsec1_nss_la_LIBADD = \
-diff --git a/src/nss/Makefile.in b/src/nss/Makefile.in
-index 2861e3ce..7532d90e 100644
---- a/src/nss/Makefile.in
-+++ b/src/nss/Makefile.in
-@@ -140,6 +140,8 @@ am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \
- libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \
- libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \
- libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \
-+ libxmlsec1_nss_la-akmngr.lo \
-+ libxmlsec1_nss_la-tokens.lo \
- $(am__objects_1)
- libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS)
- AM_V_lt = $(am__v_lt_ at AM_V@)
-@@ -474,6 +476,8 @@ libxmlsec1_nss_la_SOURCES = \
- kw_des.c \
- kw_aes.c \
- globals.h \
-+ akmngr.c \
-+ tokens.c \
- $(NULL)
-
- libxmlsec1_nss_la_LIBADD = \
-@@ -584,6 +588,8 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo at am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo at am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo at am__quote@
-+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo at am__quote@
-+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo at am__quote@
-
- .c.o:
- @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@@ -616,6 +622,20 @@ libxmlsec1_nss_la-app.lo: app.c
- @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- @am__fastdepCC_FALSE@ $(AM_V_CC at am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c
-
-+libxmlsec1_nss_la-akmngr.lo: akmngr.c
-+ at am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-akmngr.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c
-+ at am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo $(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo
-+ at AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='akmngr.c' object='libxmlsec1_nss_la-akmngr.lo' libtool=yes @AMDEPBACKSLASH@
-+ at AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+ at am__fastdepCC_FALSE@ $(AM_V_CC at am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c
-+
-+libxmlsec1_nss_la-tokens.lo: tokens.c
-+ at am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c
-+ at am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo $(DEPDIR)/libxmlsec1_nss_la-tokens.Plo
-+ at AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tokens.c' object='libxmlsec1_nss_la-tokens.lo' libtool=yes @AMDEPBACKSLASH@
-+ at AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+ at am__fastdepCC_FALSE@ $(AM_V_CC at am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c
-+
- libxmlsec1_nss_la-bignum.lo: bignum.c
- @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-bignum.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo -c -o libxmlsec1_nss_la-bignum.lo `test -f 'bignum.c' || echo '$(srcdir)/'`bignum.c
- @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo $(DEPDIR)/libxmlsec1_nss_la-bignum.Plo
-diff --git a/src/nss/akmngr.c b/src/nss/akmngr.c
-new file mode 100644
-index 00000000..65b94ac5
---- /dev/null
-+++ b/src/nss/akmngr.c
-@@ -0,0 +1,384 @@
-+/**
-+ * XMLSec library
-+ *
-+ * This is free software; see Copyright file in the source
-+ * distribution for preciese wording.
-+ *
-+ * Copyright.........................
-+ */
-+#include "globals.h"
-+
-+#include <nspr.h>
-+#include <nss.h>
-+#include <pk11func.h>
-+#include <cert.h>
-+#include <keyhi.h>
-+
-+#include <xmlsec/xmlsec.h>
-+#include <xmlsec/keys.h>
-+#include <xmlsec/transforms.h>
-+#include <xmlsec/errors.h>
-+
-+#include <xmlsec/nss/crypto.h>
-+#include <xmlsec/nss/tokens.h>
-+#include <xmlsec/nss/akmngr.h>
-+#include <xmlsec/nss/pkikeys.h>
-+#include <xmlsec/nss/ciphers.h>
-+#include <xmlsec/nss/keysstore.h>
-+
-+/**
-+ * xmlSecNssAppliedKeysMngrCreate:
-+ * @slot: array of pointers to NSS PKCS#11 slot information.
-+ * @cSlots: number of slots in the array
-+ * @handler: the pointer to NSS certificate database.
-+ *
-+ * Create and load NSS crypto slot and certificate database into keys manager
-+ *
-+ * Returns keys manager pointer on success or NULL otherwise.
-+ */
-+xmlSecKeysMngrPtr
-+xmlSecNssAppliedKeysMngrCreate(
-+ PK11SlotInfo** slots,
-+ int cSlots,
-+ CERTCertDBHandle* handler
-+) {
-+ xmlSecKeyDataStorePtr certStore = NULL ;
-+ xmlSecKeysMngrPtr keyMngr = NULL ;
-+ xmlSecKeyStorePtr keyStore = NULL ;
-+ int islot = 0;
-+ keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ;
-+ if( keyStore == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecKeyStoreCreate" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return NULL ;
-+ }
-+
-+ for (islot = 0; islot < cSlots; islot++)
-+ {
-+ xmlSecNssKeySlotPtr keySlot ;
-+
-+ /* Create a key slot */
-+ keySlot = xmlSecNssKeySlotCreate() ;
-+ if( keySlot == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecNssKeySlotCreate" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeyStoreDestroy( keyStore ) ;
-+ return NULL ;
-+ }
-+
-+ /* Set slot */
-+ if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecNssKeySlotSetSlot" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeyStoreDestroy( keyStore ) ;
-+ xmlSecNssKeySlotDestroy( keySlot ) ;
-+ return NULL ;
-+ }
-+
-+ /* Adopt keySlot */
-+ if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecNssKeysStoreAdoptKeySlot" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeyStoreDestroy( keyStore ) ;
-+ xmlSecNssKeySlotDestroy( keySlot ) ;
-+ return NULL ;
-+ }
-+ }
-+
-+ keyMngr = xmlSecKeysMngrCreate() ;
-+ if( keyMngr == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecKeysMngrCreate" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeyStoreDestroy( keyStore ) ;
-+ return NULL ;
-+ }
-+
-+ /*-
-+ * Add key store to manager, from now on keys manager destroys the store if
-+ * needed
-+ */
-+ if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecKeysMngrAdoptKeyStore" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeyStoreDestroy( keyStore ) ;
-+ xmlSecKeysMngrDestroy( keyMngr ) ;
-+ return NULL ;
-+ }
-+
-+ /*-
-+ * Initialize crypto library specific data in keys manager
-+ */
-+ if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecKeysMngrCreate" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeysMngrDestroy( keyMngr ) ;
-+ return NULL ;
-+ }
-+
-+ /*-
-+ * Set certificate databse to X509 key data store
-+ */
-+ /**
-+ * Because Tej's implementation of certDB use the default DB, so I ignore
-+ * the certDB handler at present. I'll modify the cert store sources to
-+ * accept particular certDB instead of default ones.
-+ certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ;
-+ if( certStore == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecKeysMngrGetDataStore" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeysMngrDestroy( keyMngr ) ;
-+ return NULL ;
-+ }
-+
-+ if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
-+ "xmlSecNssKeyDataStoreX509SetCertDb" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+
-+ xmlSecKeysMngrDestroy( keyMngr ) ;
-+ return NULL ;
-+ }
-+ */
-+
-+ /*-
-+ * Set the getKey callback
-+ */
-+ keyMngr->getKey = xmlSecKeysMngrGetKey ;
-+
-+ return keyMngr ;
-+}
-+
-+int
-+xmlSecNssAppliedKeysMngrSymKeyLoad(
-+ xmlSecKeysMngrPtr mngr ,
-+ PK11SymKey* symKey
-+) {
-+ xmlSecKeyPtr key ;
-+ xmlSecKeyDataPtr data ;
-+ xmlSecKeyStorePtr keyStore ;
-+
-+ xmlSecAssert2( mngr != NULL , -1 ) ;
-+ xmlSecAssert2( symKey != NULL , -1 ) ;
-+
-+ keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
-+ if( keyStore == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecKeysMngrGetKeysStore" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1) ;
-+ }
-+ xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
-+
-+ data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ;
-+ if( data == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecNssSymKeyDataKeyAdopt" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1) ;
-+ }
-+
-+ key = xmlSecKeyCreate() ;
-+ if( key == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecNssSymKeyDataKeyAdopt" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ xmlSecKeyDataDestroy( data ) ;
-+ return(-1) ;
-+ }
-+
-+ if( xmlSecKeySetValue( key , data ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecNssSymKeyDataKeyAdopt" ,
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
... etc. - the rest is truncated
More information about the Libreoffice-commits
mailing list