diff options
| author | Michael Stahl <michael.stahl@allotropia.de> | 2021-02-24 19:18:51 +0100 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-03-03 12:47:04 +0100 |
| commit | 5af5ea893bcb8a8eb472ac11133da10e5a604e66 (patch) | |
| tree | d89e39aa0a98b05ca66b32597e06ae056ad1fdb4 /svl | |
| parent | 9e82509b09f5fe2eb77bcdb8fd193c71923abb67 (diff) | |
xmlsecurity: improve handling of multiple certificates per X509Data
It turns out that an X509Data element can contain an arbitrary number of
each of its child elements.
How exactly certificates of an issuer chain may or should be distributed
across multiple X509Data elements isn't terribly obvious.
One thing that is clear is that any element that refers to or contains
one particular certificate has to be a child of the same X509Data
element, although in no particular order, so try to match the 2 such
elements that the parser supports in XSecController::setX509Data().
Presumably the only way it makes sense to have multiple signing
certificates is if they all contain the same key but are signed by
different CAs. This case isn't handled currently; CheckX509Data() will
complain there's not a single chain and validation of the certificates
will fail.
Change-Id: I9633a980b0c18d58dfce24fc59396a833498a77d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111500
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'svl')
| -rw-r--r-- | svl/source/crypto/cryptosign.cxx | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx index f57b3e6639d8..8aa47ee36cba 100644 --- a/svl/source/crypto/cryptosign.cxx +++ b/svl/source/crypto/cryptosign.cxx @@ -2023,8 +2023,9 @@ bool Signing::Verify(const std::vector<unsigned char>& aData, OUStringBuffer aBuffer; comphelper::Base64::encode(aBuffer, aDerCert); SignatureInformation::X509Data temp; - temp.X509Certificate = aBuffer.makeStringAndClear(); - temp.X509Subject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8); + temp.emplace_back(); + temp.back().X509Certificate = aBuffer.makeStringAndClear(); + temp.back().X509Subject = OUString(pCertificate->subjectName, PL_strlen(pCertificate->subjectName), RTL_TEXTENCODING_UTF8); rInformation.X509Datas.clear(); rInformation.X509Datas.emplace_back(temp); } @@ -2206,8 +2207,9 @@ bool Signing::Verify(const std::vector<unsigned char>& aData, OUStringBuffer aBuffer; comphelper::Base64::encode(aBuffer, aDerCert); SignatureInformation::X509Data temp; - temp.X509Certificate = aBuffer.makeStringAndClear(); - temp.X509Subject = GetSubjectName(pSignerCertContext); + temp.emplace_back(); + temp.back().X509Certificate = aBuffer.makeStringAndClear(); + temp.back().X509Subject = GetSubjectName(pSignerCertContext); rInformation.X509Datas.clear(); rInformation.X509Datas.emplace_back(temp); } |