fdo#72277: Use NSS CACERT in cmis ucp with internal curl

This fix contains two parts:
* initialize NSS in the CMIS UCP right before sending an HTTP request
in case internal curl is used. This makes internal curl find the NSS
CACERT database from the user mozilla profile.

* add nsspem to allow curl to use CACERTs from libnssckbi. Without
libnsspem curl is unable to read the certificates from the NSS
database. The nss-pem code has been extracted from the fedora-hosted
repository: https://git.fedorahosted.org/cgit/nss-pem.git

Change-Id: Ie8dedf020480cca01bf9761382886566a1150778

2 files changed, 28 insertions, 0 deletions

diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx
index 748aadd09c17..5b817485e7a7 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -32,6 +32,10 @@
 #include <com/sun/star/ucb/UnsupportedOpenModeException.hpp>
 #include <com/sun/star/ucb/XCommandInfo.hpp>
 #include <com/sun/star/ucb/XDynamicResultSet.hpp>
+#include <com/sun/star/xml/crypto/XDigestContext.hpp>
+#include <com/sun/star/xml/crypto/XDigestContextSupplier.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>
 
 #include <comphelper/processfactory.hxx>
 #include <config_oauth2.h>
@@ -272,6 +276,16 @@ namespace cmis
 
         if ( NULL == m_pSession )
         {
+            // Initialize NSS library to make sure libcmis (and curl) can access CACERTs using NSS
+            // when using internal libcurl.
+            uno::Reference< com::sun::star::xml::crypto::XNSSInitializer >
+                xNSSInitializer = com::sun::star::xml::crypto::NSSInitializer::create( m_xContext );
+
+            uno::Reference< com::sun::star::xml::crypto::XDigestContext > xDigestContext(
+                    xNSSInitializer->getDigestContext( com::sun::star::xml::crypto::DigestID::SHA256,
+                                                              uno::Sequence< beans::NamedValue >() ),
+                                                              uno::UNO_SET_THROW );
+
             // Set the SSL Validation handler
             libcmis::CertValidationHandlerPtr certHandler(
                     new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
diff --git a/ucb/source/ucp/cmis/cmis_repo_content.cxx b/ucb/source/ucp/cmis/cmis_repo_content.cxx
index 3771e1a365da..3adc2b34e0b9 100644
--- a/ucb/source/ucp/cmis/cmis_repo_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_repo_content.cxx
@@ -15,6 +15,10 @@
 #include <com/sun/star/ucb/XCommandInfo.hpp>
 #include <com/sun/star/ucb/XDynamicResultSet.hpp>
 #include <com/sun/star/ucb/XProgressHandler.hpp>
+#include <com/sun/star/xml/crypto/XDigestContext.hpp>
+#include <com/sun/star/xml/crypto/XDigestContextSupplier.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>
 
 #include <comphelper/processfactory.hxx>
 #include <config_oauth2.h>
@@ -120,6 +124,16 @@ namespace cmis
 
     void RepoContent::getRepositories( const uno::Reference< ucb::XCommandEnvironment > & xEnv )
     {
+        // Initialize NSS library to make sure libcmis (and curl) can access CACERTs using NSS
+        // when using internal libcurl.
+        uno::Reference< com::sun::star::xml::crypto::XNSSInitializer >
+            xNSSInitializer = com::sun::star::xml::crypto::NSSInitializer::create( m_xContext );
+
+        uno::Reference< com::sun::star::xml::crypto::XDigestContext > xDigestContext(
+                xNSSInitializer->getDigestContext( com::sun::star::xml::crypto::DigestID::SHA256,
+                                                          uno::Sequence< beans::NamedValue >() ),
+                                                          uno::UNO_SET_THROW );
+
         // Set the proxy if needed. We are doing that all times as the proxy data shouldn't be cached.
         ucbhelper::InternetProxyDecider aProxyDecider( m_xContext );
         INetURLObject aBindingUrl( m_aURL.getBindingUrl( ) );