diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2021-02-24 19:18:51 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-03-03 12:47:04 +0100 |
commit | 5af5ea893bcb8a8eb472ac11133da10e5a604e66 (patch) | |
tree | d89e39aa0a98b05ca66b32597e06ae056ad1fdb4 /include | |
parent | 9e82509b09f5fe2eb77bcdb8fd193c71923abb67 (diff) |
xmlsecurity: improve handling of multiple certificates per X509Data
It turns out that an X509Data element can contain an arbitrary number of
each of its child elements.
How exactly certificates of an issuer chain may or should be distributed
across multiple X509Data elements isn't terribly obvious.
One thing that is clear is that any element that refers to or contains
one particular certificate has to be a child of the same X509Data
element, although in no particular order, so try to match the 2 such
elements that the parser supports in XSecController::setX509Data().
Presumably the only way it makes sense to have multiple signing
certificates is if they all contain the same key but are signed by
different CAs. This case isn't handled currently; CheckX509Data() will
complain there's not a single chain and validation of the certificates
will fail.
Change-Id: I9633a980b0c18d58dfce24fc59396a833498a77d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111500
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'include')
-rw-r--r-- | include/svl/sigstruct.hxx | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/include/svl/sigstruct.hxx b/include/svl/sigstruct.hxx index 4544fd182d90..77be7c48cae9 100644 --- a/include/svl/sigstruct.hxx +++ b/include/svl/sigstruct.hxx @@ -87,7 +87,7 @@ struct SignatureInformation sal_Int32 nSecurityId; css::xml::crypto::SecurityOperationStatus nStatus; SignatureReferenceInformations vSignatureReferenceInfors; - struct X509Data + struct X509CertInfo { OUString X509IssuerName; OUString X509SerialNumber; @@ -97,10 +97,21 @@ struct SignatureInformation /// The certificate owner (aka subject). OUString X509Subject; }; + typedef std::vector<X509CertInfo> X509Data; // note: at parse time, it's unkown which one is the signing certificate; // ImplVerifySignatures() figures it out and puts it at the back std::vector<X509Data> X509Datas; + X509CertInfo const* GetSigningCertificate() const + { + if (X509Datas.empty()) + { + return nullptr; + } + assert(!X509Datas.back().empty()); + return & X509Datas.back().back(); + } + OUString ouGpgKeyID; OUString ouGpgCertificate; OUString ouGpgOwner; |