author | Miklos Vajna <vmiklos@collabora.com> | 2024-11-12 08:19:50 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.com> | 2024-11-12 12:41:34 +0100 |
commit | eabda77c9735040dd5bdb1d2ebe0b96ce316561a (patch) | |
tree | 6f9d36fc2513e3deaa5361101f03a8293c9f84fc /svl/source/crypto | |
parent | 859f66b6dc37e3192161e1c5cff6afbd83f3b616 (diff) |
cool#9992 lok doc sign, hash extract: digest for getCommandValues('Signature')
To be able to sign externally, we need a way to know what is the
document hash that would be passed to
NSS_CMSSignedData_SetDigestValue(), without actually performing the
signing.
Note that svl::crypto::SigningContext already gives us a way to expose
the time that would be used for signing.
Expose the hash in a similar way: the format is a SHA-256 hash in base64
form.
This adapts both places dealing with time: vcl::PDFWriter::GetDateTime()
and svl::crypto::Signing::Sign, to make sure they use the same time,
otherwise the hash would potentially depend on two times, which would be
hard to reproduce later when we serialize the signature we get.
Change-Id: Ib039db4cdd043c8117215c31cb5bc83397693820
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176470
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
Diffstat (limited to 'svl/source/crypto')
-rw-r--r-- | svl/source/crypto/cryptosign.cxx | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx index c3a73d43290a..8a09dc0ae2ea 100644 --- a/svl/source/crypto/cryptosign.cxx +++ b/svl/source/crypto/cryptosign.cxx @@ -977,10 +977,19 @@ bool Signing::Sign(OStringBuffer& rCMSHexBuffer) PRTime now = PR_Now(); - if (!m_rSigningContext.m_xCertificate.is()) + // The context unit is milliseconds, PR_Now() unit is microseconds. + if (m_rSigningContext.m_nSignatureTime) + { + now = m_rSigningContext.m_nSignatureTime * 1000; + } + else { - // The context unit is milliseconds, PR_Now() unit is microseconds. m_rSigningContext.m_nSignatureTime = now / 1000; + } + + if (!m_rSigningContext.m_xCertificate.is()) + { + m_rSigningContext.m_aDigest = aHashResult; // No certificate is provided: don't actually sign -- just update the context with the // parameters for the signing and return. return false; |
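Review bot: In the new `if (m_rSigningContext.m_nSignatureTime)` branch, `now` is taken from the context without any check, so whatever non-zero value a caller left in `m_nSignatureTime` replaces `PR_Now()` as the signing time. Please document on the context member that 0 means "unset" and that a non-zero value is an input that overrides the clock, and consider rejecting or logging values that are far from `PR_Now()`. The visible lines do not show the member's type: if it is narrower than `PRTime`, `m_nSignatureTime * 1000` is evaluated in that narrower type, so a cast to `PRTime` before multiplying would be safer. Separately, `m_aDigest = aHashResult` is assigned only inside the `!m_xCertificate.is()` block, so after a real signing run the context keeps whatever digest it had before; a short comment stating that the digest is exposed only on the hash-extract path would keep callers from relying on it elsewhere.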