diff options
| author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-16 15:41:55 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-16 15:54:51 +0000 |
| commit | 2a5e7c6e59f56fa70a5388cb30c75b06b90eef6f (patch) | |
| tree | 07c935bbab1c14fcd21daf18333f68aadc45e77e /vcl | |
| parent | ece5862b5dbe6b7af28465ae3d452c548e37e7a3 (diff) | |
vcl PDF sign: write ESSCertIDv2.hashAlgorithm/certHash
With this, the value of signing-certificate conforms to the RFC.
Change-Id: I27595068be46651efcbf0bd63fc51f79c6e18b4f
Reviewed-on: https://gerrit.libreoffice.org/30907
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'vcl')
| -rw-r--r-- | vcl/source/gdi/pdfwriter_impl.cxx | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx index 5543ef023bcc..9a3e18a8ff58 100644 --- a/vcl/source/gdi/pdfwriter_impl.cxx +++ b/vcl/source/gdi/pdfwriter_impl.cxx @@ -6042,6 +6042,8 @@ typedef struct { */ struct ESSCertIDv2 { + SECAlgorithmID hashAlgorithm; + SECItem certHash; }; /** @@ -6273,12 +6275,19 @@ const SEC_ASN1Template TimeStampReq_Template[] = }; /** + * Hash ::= OCTET STRING + * * ESSCertIDv2 ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256}, + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL * } */ const SEC_ASN1Template ESSCertIDv2Template[] = { {SEC_ASN1_SEQUENCE, 0, nullptr, sizeof(ESSCertIDv2)}, + {SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(ESSCertIDv2, hashAlgorithm), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), 0}, + {SEC_ASN1_OCTET_STRING, offsetof(ESSCertIDv2, certHash), nullptr, 0}, {0, 0, nullptr, 0} }; @@ -7085,6 +7094,26 @@ bool PDFWriter::Sign(PDFSignContext& rContext) // Add the signing certificate as a signed attribute. ESSCertIDv2* aCertIDs[2]; ESSCertIDv2 aCertID; + // Write ESSCertIDv2.hashAlgorithm. + aCertID.hashAlgorithm.algorithm.data = nullptr; + aCertID.hashAlgorithm.parameters.data = nullptr; + SECOID_SetAlgorithmID(nullptr, &aCertID.hashAlgorithm, SEC_OID_SHA256, nullptr); + // Write ESSCertIDv2.certHash. + SECItem aCertHashItem; + unsigned char aCertHash[SHA256_LENGTH]; + HashContextScope aCertHashContext(HASH_Create(HASH_AlgSHA256)); + if (!aCertHashContext.get()) + { + SAL_WARN("vcl.pdfwriter", "HASH_Create() failed"); + return false; + } + HASH_Begin(aCertHashContext.get()); + HASH_Update(aCertHashContext.get(), reinterpret_cast<const unsigned char *>(rContext.m_pDerEncoded), rContext.m_nDerEncoded); + aCertHashItem.type = siBuffer; + aCertHashItem.data = aCertHash; + HASH_End(aCertHashContext.get(), aCertHashItem.data, &aCertHashItem.len, SHA256_LENGTH); + aCertID.certHash = aCertHashItem; + // Write SigningCertificateV2.certs. aCertIDs[0] = &aCertID; aCertIDs[1] = nullptr; SigningCertificateV2 aCertificate; @@ -7127,8 +7156,7 @@ bool PDFWriter::Sign(PDFSignContext& rContext) aAttribute.type = aOidData.oid; aAttribute.encoded = PR_TRUE; - // Don't enable this by default till it works completely. - if (g_bDebugDisableCompression && my_NSS_CMSSignerInfo_AddAuthAttr(cms_signer, &aAttribute) != SECSuccess) + if (my_NSS_CMSSignerInfo_AddAuthAttr(cms_signer, &aAttribute) != SECSuccess) { SAL_WARN("vcl.pdfwriter", "my_NSS_CMSSignerInfo_AddAuthAttr() failed"); return false; |