diff options
| author | Miklos Vajna <vmiklos@collabora.co.uk> | 2017-05-17 09:13:09 +0200 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2017-05-17 10:20:50 +0200 |
| commit | 273da4e3d1d2a9fb10807d9300d5bac47e1e2584 (patch) | |
| tree | 843011773b94461b56490871f01d244fd5cb572d /external | |
| parent | 7ae50f522f94987afe85674f6691fc37c55bd3d1 (diff) | |
xmlsecurity: use xmlsec API instead of patching out cert verification
This flag does exactly what we need since xmlsec-1.2.24.
Change-Id: I3ae052d4bfe564c3234aef2511ef82ebdb452ebe
Reviewed-on: https://gerrit.libreoffice.org/37700
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'external')
| -rw-r--r-- | external/libxmlsec/UnpackedTarball_xmlsec.mk | 1 | ||||
| -rw-r--r-- | external/libxmlsec/xmlsec1-noverify.patch.1 | 74 |
2 files changed, 0 insertions, 75 deletions
diff --git a/external/libxmlsec/UnpackedTarball_xmlsec.mk b/external/libxmlsec/UnpackedTarball_xmlsec.mk index 62adcf788a85..f41434c6d76b 100644 --- a/external/libxmlsec/UnpackedTarball_xmlsec.mk +++ b/external/libxmlsec/UnpackedTarball_xmlsec.mk @@ -10,7 +10,6 @@ xmlsec_patches := xmlsec_patches += xmlsec1-configure.patch.1 xmlsec_patches += xmlsec1-nssdisablecallbacks.patch.1 -xmlsec_patches += xmlsec1-noverify.patch.1 xmlsec_patches += xmlsec1-vc.patch.1 xmlsec_patches += xmlsec1-1.2.14_fix_extern_c.patch.1 xmlsec_patches += xmlsec1-customkeymanage.patch.1 diff --git a/external/libxmlsec/xmlsec1-noverify.patch.1 b/external/libxmlsec/xmlsec1-noverify.patch.1 deleted file mode 100644 index 1c5672494caa..000000000000 --- a/external/libxmlsec/xmlsec1-noverify.patch.1 +++ /dev/null @@ -1,74 +0,0 @@ -From 4960b231f67eb86e5f6d6a79154c15268c959b34 Mon Sep 17 00:00:00 2001 -From: Miklos Vajna <vmiklos@collabora.co.uk> -Date: Fri, 4 Mar 2016 16:10:16 +0100 -Subject: [PATCH] xmlsec1-noverify.patch - -Conflicts: - src/mscrypto/x509vfy.c - src/nss/x509vfy.c ---- - src/mscrypto/x509vfy.c | 12 ++++++++---- - src/nss/x509vfy.c | 24 ++++++++++-------------- - 2 files changed, 18 insertions(+), 18 deletions(-) - -diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c -index e4a84a60..a12cb709 100644 ---- a/src/mscrypto/x509vfy.c -+++ b/src/mscrypto/x509vfy.c -@@ -525,10 +525,14 @@ xmlSecMSCryptoX509StoreVerify(xmlSecKeyDataStorePtr store, HCERTSTORE certs, - } - - if(selected == 1) { -- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) != 0 -- || xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { -- return(cert); -- } -+ /* JL: OpenOffice.org implements its own certificate verification routine. -+ The goal is to separate validation of the signature -+ and the certificate. For example, OOo could show that the document signature is valid, -+ but the certificate could not be verified. If we do not prevent the verification of -+ the certificate by libxmlsec and the verification fails, then the XML signature will not be -+ verified. This would happen, for example, if the root certificate is not installed. -+ */ -+ return(cert); - } - } - -diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c -index cd328fea..b28a37e1 100644 ---- a/src/nss/x509vfy.c -+++ b/src/nss/x509vfy.c -@@ -213,20 +213,16 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs, - continue; - } - -- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) { -- /* it's important to set the usage here, otherwise no real verification -- * is performed. */ -- status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), -- cert, PR_FALSE, -- certificateUsageEmailSigner, -- timeboundary , NULL, NULL, NULL); -- if(status == SECSuccess) { -- break; -- } -- } else { -- status = SECSuccess; -- break; -- } -+ /* -+ JL: OpenOffice.org implements its own certificate verification routine. -+ The goal is to separate validation of the signature -+ and the certificate. For example, OOo could show that the document signature is valid, -+ but the certificate could not be verified. If we do not prevent the verification of -+ the certificate by libxmlsec and the verification fails, then the XML signature may not be -+ verified. This would happen, for example, if the root certificate is not installed. -+ */ -+ status = SECSuccess; -+ break; - } - - if (status == SECSuccess) { --- -2.12.0 - |