xmlsecurity: fix tests to run with system NSS on Fedora 40

testDropMacroTemplateSignature fails printing this:

warn:xmlsecurity.xmlsec:3511616:3511616:xmlsecurity/source/xmlsec/errorcallback.cxx:53: signatures.c:599: xmlSecNssSignatureSetKey() 'rsa-sha1' 'VFY_CreateContext' 4 'NSS error: -8011'

because policy sets NSS_RSA_MIN_KEY_SIZE to 2048.

testPDFGood fails printing this:

warn:svl.crypto:3587940:3587940:svl/source/crypto/cryptosign.cxx:1941: ValidateSignature: message is not signed
warn:xmlsecurity.helper:3587940:3587940:xmlsecurity/source/helper/pdfsignaturehelper.cxx:482: failed to determine digest match

because enabling SEC_OID_SHA1 for NSS_USE_ALG_IN_ANY_SIGNATURE doesn't
enable it for SMIME signatures, so smime_allowed_by_policy() fails -
obviously one has to use NSS_USE_ALG_IN_SIGNATURE to enable it in any
signature.

Change-Id: I59ffaf0994eee6b51362fd3296f61465d0fc7903
(cherry picked from commit a7b7b00b78426bff8607c77106ea62dd213f0821)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178663
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

4 files changed, 10 insertions, 2 deletions

diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index 667acc97e3e1..67ba9ec124fa 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -38,6 +38,7 @@ ifneq ($(OS),WNT)
 ifneq (,$(ENABLE_NSS))
 $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
     nssutil3 \
+    nss3 \
 ))
 endif
 endif
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 37d1c2a7dea7..87dae0916902 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -43,6 +43,7 @@ ifneq ($(OS),WNT)
 ifneq (,$(ENABLE_NSS))
 $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
     nssutil3 \
+    nss3 \
 ))
 endif
 endif
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 9d774735d30c..6f0636a9e5e1 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -13,6 +13,7 @@
 
 #if USE_CRYPTO_NSS
 #include <secoid.h>
+#include <nss.h>
 #endif
 
 #include <string_view>
@@ -80,7 +81,9 @@ void PDFSigningTest::setUp()
 #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
     // policy may disallow using SHA1 for signatures but unit test documents
     // have such existing signatures (call this after createSecurityContext!)
-    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0);
+    // the minimum is 2048 in Fedora 40
+    NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
 #endif
 #endif
 }
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index f624aa52a31f..28f889b53ff0 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -15,6 +15,7 @@
 
 #if USE_CRYPTO_NSS
 #include <secoid.h>
+#include <nss.h>
 #endif
 
 #include <test/unoapixml_test.hxx>
@@ -104,7 +105,9 @@ void SigningTest::setUp()
 #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
     // policy may disallow using SHA1 for signatures but unit test documents
     // have such existing signatures (call this after createSecurityContext!)
-    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0);
+    // the minimum is 2048 in Fedora 40
+    NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
 #endif
 #endif
 }