xmlsecurity PDF verify: fix handling of non-imported certs

Previously we only managed to verify a signature in case the certificate
was already imported in the local NSS db. Don't depend on that by
(temporarily) importing certificates from the PDF signature.

Also adjust a test file that failed previously (the test DB has only an
"Alice" cert imported, intentionally sign the file as "Bob" as well).

Change-Id: Id8440acc31915f5a1718ea48129b950bb67e7486

2 files changed, 3 insertions, 0 deletions

diff --git a/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf b/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf
index af668fc20f16..10528c57f783 100644
--- a/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf
+++ b/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 4442ac54e0fd..1f9ef8341810 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -214,6 +214,9 @@ void PDFSigningTest::testPDFRemoveAll()
     aManager.mxSignatureStream = xStream;
     aManager.read(/*bUseTempStream=*/false);
     std::vector<SignatureInformation>& rInformations = aManager.maCurrentSignatureInformations;
+    // This was 1 when NSS_CMSSignerInfo_GetSigningCertificate() failed, which
+    // means that we only used the locally imported certificates for
+    // verification, not the ones provided in the PDF signature data.
     CPPUNIT_ASSERT_EQUAL(static_cast<std::size_t>(2), rInformations.size());
 
     // Request removal of the first signature, should imply removal of the