diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-23 11:27:32 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-29 08:08:50 +0000 |
commit | d02c3ba8c5e723561edb694e7ed8b2f2c33604af (patch) | |
tree | b7ada52cc1c914f7d94028f8ddc5a0bac5ead847 /xmlsecurity/source | |
parent | b992da28c595f40a75ddf3237edec10d73e56d91 (diff) |
vcl mscrypto PDF sign: bring it up to date with NSS, part 1
This is a combination of 6 commits:
1) vcl mscrypto PDF sign: add initial 'signing-certificate' signed attribute
Equivalent of the earlier NSS commit, payload is just an empty sequence
at the moment.
(cherry picked from commit cb851cbb09adc637bb6e8095050292f7a8c6a7b1)
2) vcl mscrypto PDF sign: write ESSCertIDv2
With this, the value of signing-certificate conforms to the RFC on
Windows as well.
(cherry picked from commit b12410f212658996fdb5fb291a06038e9ac39b2e)
3) xmlsecurity mscrypto PDF sign: conditionally add back CAdES SubFilter
We can now write that on Windows as well when requested, after the
signing-certificate attribute is implemented using mscrypto.
With this, the PAdES validator at
<http://signatures-conformance-checker.etsi.org/protected/upload.php?sigtype=padesconf>
finds our Windows signature valid.
(cherry picked from commit 8a279d7de4cf94c99f655f6edd0da0c24ab4003c)
4) CppunitTest_xmlsecurity_signing: don't assume we always have a signing cert
This makes this suite in sync with CppunitTest_xmlsecurity_pdfsigning. A
signing certificate is available on 64bit NSS platforms, as there we
provide a pre-created NSS db, but on other platforms by default there is
just no signing certificate. The certificate.crt I added earlier is not
enough, that's just the certificate, but it doesn't provide a private
key.
(cherry picked from commit 748f778d0f42f2cbb78a7ca7e013bfbd77cdf2b7)
5) CppunitTest_xmlsecurity_signing: add XAdES testcase
Assert the two user-visible changes: SHA-256 hashes and the digest of
the signing certificate.
(cherry picked from commit 426495cb441e6a83cd0d1f74b0ddf656322815b5)
6) CppunitTest_xmlsecurity_pdfsigning: add PAdES testcase
Assert the two user-visible changes: SHA-256 hashes and the SubFilter of the
signature.
(cherry picked from commit 5cb580144c286117db485e605c79ce1139cb94fb)
Change-Id: I12a2355e2ddfc368bed4430a7b5ad244b5778afe
Reviewed-on: https://gerrit.libreoffice.org/31316
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'xmlsecurity/source')
-rw-r--r-- | xmlsecurity/source/pdfio/pdfdocument.cxx | 74 |
1 files changed, 5 insertions, 69 deletions
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx index ef9900c13f3b..29b4a026cf2b 100644 --- a/xmlsecurity/source/pdfio/pdfdocument.cxx +++ b/xmlsecurity/source/pdfio/pdfdocument.cxx @@ -54,7 +54,6 @@ namespace pdfio const int MAX_SIGNATURE_CONTENT_LENGTH = 50000; class PDFTrailerElement; -class PDFObjectElement; /// A one-liner comment. class PDFCommentElement : public PDFElement @@ -85,54 +84,6 @@ public: }; class PDFReferenceElement; -class PDFDictionaryElement; -class PDFArrayElement; -class PDFStreamElement; - -/// Indirect object: something with a unique ID. -class PDFObjectElement : public PDFElement -{ - PDFDocument& m_rDoc; - double m_fObjectValue; - double m_fGenerationValue; - std::map<OString, PDFElement*> m_aDictionary; - /// Position after the '<<' token. - sal_uInt64 m_nDictionaryOffset; - /// Length of the dictionary buffer till (before) the '<<' token. - sal_uInt64 m_nDictionaryLength; - PDFDictionaryElement* m_pDictionaryElement; - /// The contained direct array, if any. - PDFArrayElement* m_pArrayElement; - /// The stream of this object, used when this is an object stream. - PDFStreamElement* m_pStreamElement; - /// Objects of an object stream. - std::vector< std::unique_ptr<PDFObjectElement> > m_aStoredElements; - /// Elements of an object in an object stream. - std::vector< std::unique_ptr<PDFElement> > m_aElements; - /// Uncompressed buffer of an object in an object stream. - std::unique_ptr<SvMemoryStream> m_pStreamBuffer; - -public: - PDFObjectElement(PDFDocument& rDoc, double fObjectValue, double fGenerationValue); - bool Read(SvStream& rStream) override; - PDFElement* Lookup(const OString& rDictionaryKey); - PDFObjectElement* LookupObject(const OString& rDictionaryKey); - double GetObjectValue() const; - void SetDictionaryOffset(sal_uInt64 nDictionaryOffset); - sal_uInt64 GetDictionaryOffset(); - void SetDictionaryLength(sal_uInt64 nDictionaryLength); - sal_uInt64 GetDictionaryLength(); - PDFDictionaryElement* GetDictionary() const; - void SetDictionary(PDFDictionaryElement* pDictionaryElement); - void SetArray(PDFArrayElement* pArrayElement); - void SetStream(PDFStreamElement* pStreamElement); - PDFArrayElement* GetArray() const; - /// Parse objects stored in this object stream. - void ParseStoredObjects(); - std::vector< std::unique_ptr<PDFElement> >& GetStoredElements(); - SvMemoryStream* GetStreamBuffer() const; - void SetStreamBuffer(std::unique_ptr<SvMemoryStream>& pStreamBuffer); -}; /// Dictionary object: a set key-value pairs. class PDFDictionaryElement : public PDFElement @@ -170,22 +121,6 @@ public: sal_uInt64 GetLocation() const; }; -/// Name object: a key string. -class PDFNameElement : public PDFElement -{ - OString m_aValue; - /// Offset after the '/' token. - sal_uInt64 m_nLocation; - /// Length till the next token start. - sal_uInt64 m_nLength; -public: - PDFNameElement(); - bool Read(SvStream& rStream) override; - const OString& GetValue() const; - sal_uInt64 GetLocation() const; - sal_uInt64 GetLength() const; -}; - /// Reference object: something with a unique ID. class PDFReferenceElement : public PDFElement { @@ -375,13 +310,9 @@ sal_Int32 PDFDocument::WriteSignatureObject(const OUString& rDescription, bool b comphelper::string::padToLength(aContentFiller, MAX_SIGNATURE_CONTENT_LENGTH, '0'); aSigBuffer.append(aContentFiller.makeStringAndClear()); aSigBuffer.append(">\n/Type/Sig/SubFilter"); -#ifdef XMLSEC_CRYPTO_NSS if (bAdES) aSigBuffer.append("/ETSI.CAdES.detached"); else -#else - (void)bAdES; -#endif aSigBuffer.append("/adbe.pkcs7.detached"); // Time of signing. @@ -2243,9 +2174,14 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat { case SEC_OID_SHA1: nMaxResultLen = msfilter::SHA1_HASH_LENGTH; + rInformation.nDigestID = xml::crypto::DigestID::SHA1; break; case SEC_OID_SHA256: nMaxResultLen = msfilter::SHA256_HASH_LENGTH; + rInformation.nDigestID = xml::crypto::DigestID::SHA256; + break; + case SEC_OID_SHA512: + nMaxResultLen = msfilter::SHA512_HASH_LENGTH; break; default: SAL_WARN("xmlsecurity.pdfio", "PDFDocument::ValidateSignature: unrecognized algorithm"); |