diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2021-02-19 22:04:33 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-03-03 12:46:43 +0100 |
commit | 9e82509b09f5fe2eb77bcdb8fd193c71923abb67 (patch) | |
tree | c977053f11c3d6527c94e63670a0af626af76e8a /svl | |
parent | 1d3da3486d827dd5e7a3bf1c7a533f5aa9860e42 (diff) |
xmlsecurity: improve handling of multiple X509Data elements
Combine everything related to a certificate in a new struct X509Data.
The CertDigest is not actually written in the X509Data element but in
xades:Cert, so try to find the matching entry in
XSecController::setX509CertDigest().
There was a confusing interaction with PGP signatures, where ouGpgKeyID
was used for import, but export wrote the value from ouCertDigest
instead - this needed fixing.
The main point of this is enforcing a constraint from xmldsig-core 4.5.4:
All certificates appearing in an X509Data element MUST relate to the
validation key by either containing it or being part of a certification
chain that terminates in a certificate containing the validation key.
Change-Id: I5254aa393f8e7172da59709923e4bbcd625ec713
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111254
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'svl')
-rw-r--r-- | svl/source/crypto/cryptosign.cxx | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx index ac2f6a0ee24b..f57b3e6639d8 100644 --- a/svl/source/crypto/cryptosign.cxx +++ b/svl/source/crypto/cryptosign.cxx @@ -2022,8 +2022,11 @@ bool Signing::Verify(const std::vector<unsigned char>& aData, aDerCert[i] = pCertificate->derCert.data[i]; OUStringBuffer aBuffer; comphelper::Base64::encode(aBuffer, aDerCert); - rInformation.ouX509Certificate = aBuffer.makeStringAndClear(); - rInformation.ouSubject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8); + SignatureInformation::X509Data temp; + temp.X509Certificate = aBuffer.makeStringAndClear(); + temp.X509Subject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8); + rInformation.X509Datas.clear(); + rInformation.X509Datas.emplace_back(temp); } PRTime nSigningTime; @@ -2202,8 +2205,11 @@ bool Signing::Verify(const std::vector<unsigned char>& aData, aDerCert[i] = pSignerCertContext->pbCertEncoded[i]; OUStringBuffer aBuffer; comphelper::Base64::encode(aBuffer, aDerCert); - rInformation.ouX509Certificate = aBuffer.makeStringAndClear(); - rInformation.ouSubject = GetSubjectName(pSignerCertContext); + SignatureInformation::X509Data temp; + temp.X509Certificate = aBuffer.makeStringAndClear(); + temp.X509Subject = GetSubjectName(pSignerCertContext); + rInformation.X509Datas.clear(); + rInformation.X509Datas.emplace_back(temp); } if (bNonDetached) |