authorMiklos Vajna <vmiklos@collabora.co.uk>2018-05-15 22:16:42 +0200
committerMiklos Vajna <vmiklos@collabora.co.uk>2018-05-18 09:36:08 +0200
commitfd1bc178b02e05cd12ec784ff87f5c97069bc5f5 (patch)
tree16c7f6c2e8e5f5d63145bbc7e000b8d115d3fe6a /xmlsecurity/inc
parent88bbceb7c3ff1560b4ab5caf4b42cd6dfd92b971 (diff)
tdf#109180 xmlsecurity nss: fix signing with ECDSA key
Using an ECDSA key but writing RSA URIs would fail later in libxmlsec. Also fix up CppunitTest_xmlsecurity_signing (env vars were set too late), so that the new testcase actually fails without the fix. Change-Id: I9e584844d5cd046952b2f19130aeaa5a765bfc0a Reviewed-on: https://gerrit.libreoffice.org/54400 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'xmlsecurity/inc')
-rw-r--r--xmlsecurity/inc/certificate.hxx11
-rw-r--r--xmlsecurity/inc/xmlsignaturehelper.hxx3
-rw-r--r--xmlsecurity/inc/xsecctl.hxx9
3 files changed, 21 insertions, 2 deletions
diff --git a/xmlsecurity/inc/certificate.hxx b/xmlsecurity/inc/certificate.hxx
index 0698e91f422f..61ad532fdd6b 100644
--- a/xmlsecurity/inc/certificate.hxx
+++ b/xmlsecurity/inc/certificate.hxx
@@ -14,6 +14,14 @@
#include <com/sun/star/uno/Sequence.hxx>
+namespace svl
+{
+namespace crypto
+{
+enum class SignatureMethodAlgorithm;
+}
+}
+
namespace xmlsecurity
{
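Review bot: The opaque declaration `enum class SignatureMethodAlgorithm;` added above `namespace xmlsecurity` is repeated in one-line form in xsecctl.hxx in this same commit, so the enum is now declared in two headers besides its definition, and all of them must agree. An opaque `enum class` without an explicit base is fixed to `int`, so both headers stop compiling if the definition is ever given a different underlying type. Including the svl header that defines the enum, or keeping one shared forward-declaration header, would leave a single place to change. Failing that, the two forward declarations should at least use the same form.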
@@ -27,6 +35,9 @@ public:
/// @throws css::uno::RuntimeException
virtual css::uno::Sequence<sal_Int8> getSHA256Thumbprint() = 0;
+ /// Same as getSubjectPublicKeyAlgorithm(), but returns an ID, not a string.
+ virtual svl::crypto::SignatureMethodAlgorithm getSignatureMethodAlgorithm() = 0;
+
protected:
~Certificate() noexcept = default;
};
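Review bot: The comment on `getSignatureMethodAlgorithm()` does not say what an implementation returns for a certificate whose key is neither RSA nor ECDSA, and the enum is only forward-declared here, so a reader cannot tell whether it has an "unknown" value. The commit message describes signing failing when the written URI does not match the key type; an implementation that silently defaults to one algorithm would reproduce that mismatch for any other key type. I would extend the comment with a sentence that names the value returned for unsupported key types, and add the `/// @throws css::uno::RuntimeException` line that the neighbouring getter carries if it applies here too. The class body starts outside the hunk.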
diff --git a/xmlsecurity/inc/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsignaturehelper.hxx
index 880293f68669..8e4bd48d8af8 100644
--- a/xmlsecurity/inc/xmlsignaturehelper.hxx
+++ b/xmlsecurity/inc/xmlsignaturehelper.hxx
@@ -119,7 +119,8 @@ public:
certificate.
*/
void SetX509Certificate(sal_Int32 nSecurityId, const OUString& ouX509IssuerName,
- const OUString& ouX509SerialNumber, const OUString& ouX509Cert, const OUString& ouX509CertDigest);
+ const OUString& ouX509SerialNumber, const OUString& ouX509Cert, const OUString& ouX509CertDigest,
+ svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
void AddEncapsulatedX509Certificate(const OUString& ouEncapsulatedX509Certificate);
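Review bot: `eAlgorithmID` is passed to `SetX509Certificate` separately from `ouX509Cert`, so nothing in this signature ties the algorithm recorded for the signature to the key of the certificate being set; the same applies to `setX509Certificate` in xsecctl.hxx. A caller that passes a value not derived from that certificate would write a SignatureMethod URI that does not match the key, which is the failure the commit message describes. The doc comment above the declaration (its start is outside the hunk) should gain a line such as `@param eAlgorithmID  algorithm of the signing certificate's key, as returned by Certificate::getSignatureMethodAlgorithm()`.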
diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
index cc3b11db80a7..c01284bea6e7 100644
--- a/xmlsecurity/inc/xsecctl.hxx
+++ b/xmlsecurity/inc/xsecctl.hxx
@@ -57,6 +57,9 @@
#define ALGO_RSASHA1 "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
#define ALGO_RSASHA256 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
#define ALGO_RSASHA512 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+#define ALGO_ECDSASHA1 "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
+#define ALGO_ECDSASHA256 "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
+#define ALGO_ECDSASHA512 "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
#define ALGO_XMLDSIGSHA1 "http://www.w3.org/2000/09/xmldsig#sha1"
#define ALGO_XMLDSIGSHA256 "http://www.w3.org/2001/04/xmlenc#sha256"
#define ALGO_XMLDSIGSHA512 "http://www.w3.org/2001/04/xmlenc#sha512"
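Review bot: `ALGO_ECDSASHA1` is added beside the SHA-256 and SHA-512 variants with nothing marking it as the SHA-1 based one. The hunk does not show where the macro is used, so it cannot be told from here whether it is only matched when reading existing documents or also selected when signing. A comment on the line, e.g. `// SHA-1 based: prefer ALGO_ECDSASHA256 or ALGO_ECDSASHA512 for new signatures`, would record the intent, adjusted to what the callers actually do.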
@@ -66,6 +69,7 @@ class XSecParser;
class XMLDocumentWrapper_XmlSecImpl;
class SAXEventKeeperImpl;
class XMLSignatureHelper;
+namespace svl { namespace crypto { enum class SignatureMethodAlgorithm; } }
class InternalSignatureInformation
{
@@ -251,6 +255,8 @@ private:
* For signature verification
*/
void addSignature();
+ /// Sets algorithm from <SignatureMethod Algorithm="...">.
+ void setSignatureMethod(svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
void switchGpgSignature();
void addReference(
const OUString& ouUri,
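Review bot: `setSignatureMethod` sits in the group commented "For signature verification", so its argument is presumably derived from the `Algorithm` attribute of a document that has not been verified yet, and the comment does not say what the caller passes when that attribute is missing or is not one of the `ALGO_*` URIs. If the parser maps anything unrecognised to a default, the stored algorithm can differ from what the document declares. I would extend the comment to name the value used for an unrecognised URI and to say which signature entry is updated. The class body starts and ends outside the hunk.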
@@ -338,7 +344,8 @@ public:
const OUString& ouX509IssuerName,
const OUString& ouX509SerialNumber,
const OUString& ouX509Cert,
- const OUString& ouX509CertDigest);
+ const OUString& ouX509CertDigest,
+ svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
void addEncapsulatedX509Certificate(const OUString& rEncapsulatedX509Certificate);