diff options
| author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-10-17 08:12:17 +0200 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-10-17 08:26:28 +0000 |
| commit | d67a7ff3dfd726372d3619fe963a5b90f24a9ebd (patch) | |
| tree | 179dc23efb921fc4a93b557a5fac1f30713fce7c | |
| parent | 2b3cf45bb557d95aa67b5bc4eb1ba549e7638d6b (diff) | |
xmlsecurity: verify certificate of PDF signatures
We patch xmlsec to not verify certificates, and the PDF tokenizer in
xmlsecurity doesn't do that, either. The point of doing so, is that the
DocumentSignatureInformation UNO struct has separate CertificateStatus
and SignatureIsValid fields for the validity of the certificate and the
signature.
That means the certificate has to be validated somewhere as well.
ZIP-based formats do that in
DocumentDigitalSignatures::ImplVerifySignatures(), and this commit
implements the same for PDF signatures, too.
Change-Id: Ic486afc8f392625b1efcad989fd9053b014a261b
Reviewed-on: https://gerrit.libreoffice.org/29889
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
| -rw-r--r-- | xmlsecurity/source/helper/pdfsignaturehelper.cxx | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx index cc4b388c13a4..2e6fa89f78e6 100644 --- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx +++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx @@ -11,6 +11,7 @@ #include <memory> +#include <com/sun/star/security/CertificateValidity.hpp> #include <com/sun/star/xml/crypto/SEInitializer.hpp> #include <comphelper/sequence.hxx> @@ -82,6 +83,22 @@ uno::Sequence<security::DocumentSignatureInformation> PDFSignatureHelper::GetDoc security::DocumentSignatureInformation& rExternal = aRet[i]; rExternal.SignatureIsValid = rInternal.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED; rExternal.Signer = xSecurityEnvironment->createCertificateFromAscii(rInternal.ouX509Certificate); + + // Verify certificate. + if (rExternal.Signer.is()) + { + try + { + rExternal.CertificateStatus = xSecurityEnvironment->verifyCertificate(rExternal.Signer, {}); + } + catch (const uno::SecurityException& rException) + { + SAL_WARN("xmlsecurity.helper", "failed to verify certificate: " << rException.Message); + rExternal.CertificateStatus = security::CertificateValidity::INVALID; + } + } + else + rExternal.CertificateStatus = security::CertificateValidity::INVALID; } return aRet; |