diff options
author | Rüdiger Timm <rt@openoffice.org> | 2005-11-11 08:18:45 +0000 |
---|---|---|
committer | Rüdiger Timm <rt@openoffice.org> | 2005-11-11 08:18:45 +0000 |
commit | bcd50746030fd3de8507c353d552a4d344fd44a2 (patch) | |
tree | 42a0b7e4f1291c3316bb997b173ffc9bd264a0c5 /xmlsecurity | |
parent | a26d6eb1e0651820de2b41083a190e11739e7501 (diff) |
INTEGRATION: CWS xmlsec13 (1.20.12); FILE MERGED
2005/11/01 16:42:09 jl 1.20.12.5: #54495# We use first the embedded certificate and if that is not available then the one from the store
2005/10/31 14:19:54 jl 1.20.12.4: RESYNC: (1.20-1.22); FILE MERGED
2005/10/26 12:48:58 pb 1.20.12.3: fix: #i54495# new status: certificate could not validated
2005/10/25 08:19:18 jl 1.20.12.2: #54495# #54047# extra verification of certificates, better errorhandling
2005/08/17 11:37:47 mt 1.20.12.1: small bug fix to make demo program work again...
Diffstat (limited to 'xmlsecurity')
-rw-r--r-- | xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx | 117 |
1 files changed, 90 insertions, 27 deletions
diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx index 2fe23a2dd956..41bbedef607c 100644 --- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx +++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx @@ -4,9 +4,9 @@ * * $RCSfile: digitalsignaturesdialog.cxx,v $ * - * $Revision: 1.22 $ + * $Revision: 1.23 $ * - * last change: $Author: kz $ $Date: 2005-10-05 14:57:17 $ + * last change: $Author: rt $ $Date: 2005-11-11 09:18:45 $ * * The Contents of this file are made available subject to * the terms of GNU Lesser General Public License Version 2.1. @@ -32,7 +32,6 @@ * MA 02111-1307 USA * ************************************************************************/ - #include <xmlsecurity/digitalsignaturesdialog.hxx> #include <xmlsecurity/certificatechooser.hxx> #include <xmlsecurity/certificateviewer.hxx> @@ -52,6 +51,7 @@ #include <com/sun/star/security/NoPasswordException.hpp> #include <com/sun/star/lang/DisposedException.hpp> #include <com/sun/star/beans/XPropertySet.hpp> +#include <com/sun/star/security/CertificateValidity.hdl> #ifndef _COM_SUN_STAR_PACKAGES_WRONGPASSWORDEXCEPTION_HPP_ #include <com/sun/star/packages/WrongPasswordException.hpp> @@ -67,6 +67,7 @@ #include <vcl/msgbox.hxx> // Until encrypted docs work... using namespace ::com::sun::star::security; +namespace css = ::com::sun::star; /* HACK: disable some warnings for MS-C */ #ifdef _MSC_VER @@ -123,6 +124,8 @@ DigitalSignaturesDialog::DigitalSignaturesDialog( Window* pParent, uno::Referenc ,maSigsValidFI ( this, ResId( FI_STATE_VALID ) ) ,maSigsInvalidImg ( this, ResId( IMG_STATE_BROKEN ) ) ,maSigsInvalidFI ( this, ResId( FI_STATE_BROKEN ) ) + ,maSigsNotvalidatedImg( this, ResId( IMG_STATE_NOTVALIDATED ) ) + ,maSigsNotvalidatedFI ( this, ResId( FI_STATE_NOTVALIDATED ) ) ,maViewBtn ( this, ResId( BTN_VIEWCERT ) ) ,maAddBtn ( this, ResId( BTN_ADDCERT ) ) ,maRemoveBtn ( this, ResId( BTN_REMOVECERT ) ) @@ -135,11 +138,14 @@ DigitalSignaturesDialog::DigitalSignaturesDialog( Window* pParent, uno::Referenc maSignaturesLB.SetTabs( &nTabs[ 0 ] ); maSignaturesLB.InsertHeaderEntry( String( ResId( STR_HEADERBAR ) ) ); + maSigsNotvalidatedFI.SetText( String( ResId( STR_NO_INFO_TO_VERIFY ) ) ); + if ( GetBackground().GetColor().IsDark() ) { // high contrast mode needs other images maSigsValidImg.SetImage( Image( ResId( IMG_STATE_VALID_HC ) ) ); maSigsInvalidImg.SetImage( Image( ResId( IMG_STATE_BROKEN_HC ) ) ); + maSigsNotvalidatedImg.SetImage( Image( ResId( IMG_STATE_NOTVALIDATED_HC ) ) ); } FreeResource(); @@ -170,6 +176,7 @@ DigitalSignaturesDialog::DigitalSignaturesDialog( Window* pParent, uno::Referenc // adjust fixed text to images XmlSec::AlignAndFitImageAndControl( maSigsValidImg, maSigsValidFI, 5 ); XmlSec::AlignAndFitImageAndControl( maSigsInvalidImg, maSigsInvalidFI, 5 ); + XmlSec::AlignAndFitImageAndControl( maSigsNotvalidatedImg, maSigsNotvalidatedFI, 5 ); } DigitalSignaturesDialog::~DigitalSignaturesDialog() @@ -301,12 +308,25 @@ IMPL_LINK( DigitalSignaturesDialog, AddButtonHdl, Button*, EMPTYARG ) maSignatureHelper.EndMission(); + // If stream was not provided, we are responsible for committing it.... + if ( !mxSignatureStream.is() ) + { + uno::Reference< embed::XTransactedObject > xTrans( aStreamHelper.xSignatureStorage, uno::UNO_QUERY ); + xTrans->commit(); + } + + aStreamHelper = SignatureStreamHelper(); // release objects... + sal_Int32 nStatus = maSignatureHelper.GetSignatureInformation( nSecurityId ).nStatus; if ( nStatus == ::com::sun::star::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED ) { mbSignaturesChanged = true; // Can't simply remember current information, need parsing for getting full information :( + // We need to verify the signatures again, otherwise the status in the signature information + // will not contain + // SecurityOperationStatus_OPERATION_SUCCEEDED + mbVerifySignatures = true; ImplGetSignatureInformations(); ImplFillSignaturesBox(); } @@ -345,6 +365,15 @@ IMPL_LINK( DigitalSignaturesDialog, RemoveButtonHdl, Button*, EMPTYARG ) mbSignaturesChanged = true; + // If stream was not provided, we are responsible for committing it.... + if ( !mxSignatureStream.is() ) + { + uno::Reference< embed::XTransactedObject > xTrans( aStreamHelper.xSignatureStorage, uno::UNO_QUERY ); + xTrans->commit(); + } + + aStreamHelper = SignatureStreamHelper(); // release objects... + ImplFillSignaturesBox(); } catch ( uno::Exception& ) @@ -373,7 +402,7 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() String aNullStr; int nInfos = maCurrentSignatureInformations.size(); - int nValidSigs = 0; + int nValidSigs = 0, nValidCerts = 0; if( nInfos ) { @@ -381,36 +410,52 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() for( int n = 0; n < nInfos; ++n ) { const SignatureInformation& rInfo = maCurrentSignatureInformations[n]; - xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); - - // If we don't get it, create it from signature data: - // MT: Maybe after 2.0: Why not always use the attached certificate? - if ( !xCert.is() && rInfo.ouX509Certificate.getLength() ) - xCert = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ; + //First we try to get the certificate which is embedded in the XML Signature + if (rInfo.ouX509Certificate.getLength()) + xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); + //In case there is no embedded certificate we try to get it from a local store + if (!xCert.is()) + xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); DBG_ASSERT( xCert.is(), "Certificate not found and can't be created!" ); String aSubject; String aIssuer; String aDateTimeStr; + + bool bSigValid = false; + bool bCertValid = false; if( xCert.is() ) { + //check the validity of the cert + try { + sal_Int32 certResult = xSecEnv->verifyCertificate(xCert); + + //These errors are alloweds + sal_Int32 validErrors = css::security::CertificateValidity::VALID + | css::security::CertificateValidity::UNKNOWN_REVOKATION; + + //Build a mask to filter out the allowed errors + sal_Int32 mask = ~validErrors; + // "subtract" the allowed error flags from the result + sal_Int32 errors = certResult & mask; + bCertValid = errors > 0 ? false : true; + if ( bCertValid ) + nValidCerts++; + + } catch (css::uno::SecurityException& ) { + OSL_ENSURE(0, "Verification of certificate failed"); + bCertValid = false; + } + aSubject = XmlSec::GetContentPart( xCert->getSubjectName() ); aIssuer = XmlSec::GetContentPart( rInfo.ouX509IssuerName ); // --> PB 2004-10-12 #i20172# String with date and time information aDateTimeStr = XmlSec::GetDateTimeString( rInfo.stDateTime ); } + bSigValid = ( rInfo.nStatus == ::com::sun::star::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED ); - // New signatures are not verified, must be valid. Status is INIT. - // HACK for #i46696# - // KEY_NOT_FOUND only happen because of author or issuer certificates are missing in keystore. - // We always have the key from authors certificate, because it's attached. - // This is a question of trust, not of a *broken* signature. - bool bValid = ( rInfo.nStatus == ::com::sun::star::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED ) - || ( rInfo.nStatus == ::com::sun::star::xml::crypto::SecurityOperationStatus_UNKNOWN ) - || ( ( rInfo.nStatus == ::com::sun::star::xml::crypto::SecurityOperationStatus_KEY_NOT_FOUND) && rInfo.ouX509Certificate.getLength()); - - if ( bValid ) + if ( bSigValid ) { // Can only be valid if ALL streams are signed, which means real stream count == signed stream count int nRealCount = 0; @@ -421,14 +466,21 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() if ( ( rInf.nType == TYPE_BINARYSTREAM_REFERENCE ) || ( rInf.nType == TYPE_XMLSTREAM_REFERENCE ) ) nRealCount++; } - bValid = ( aElementsToBeVerified.size() == nRealCount ); + bSigValid = ( aElementsToBeVerified.size() == nRealCount ); - if( bValid ) + if( bSigValid ) nValidSigs++; } - Image aImg( bValid? maSigsValidImg.GetImage() : maSigsInvalidImg.GetImage() ); - SvLBoxEntry* pEntry = maSignaturesLB.InsertEntry( aNullStr, aImg, aImg ); + Image aImage; + if ( bSigValid && bCertValid ) + aImage = maSigsValidImg.GetImage(); + else if ( bSigValid && !bCertValid ) + aImage = maSigsNotvalidatedImg.GetImage(); + else if ( !bSigValid ) + aImage = maSigsInvalidImg.GetImage(); + + SvLBoxEntry* pEntry = maSignaturesLB.InsertEntry( aNullStr, aImage, aImage ); maSignaturesLB.SetEntryText( aSubject, pEntry, 1 ); maSignaturesLB.SetEntryText( aIssuer, pEntry, 2 ); maSignaturesLB.SetEntryText( aDateTimeStr, pEntry, 3 ); @@ -437,12 +489,16 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() } bool bAllSigsValid = ( nValidSigs == nInfos ); - bool bShowValidState = nInfos && bAllSigsValid; + bool bAllCertsValid = ( nValidCerts == nInfos ); + bool bShowValidState = nInfos && ( bAllSigsValid && bAllCertsValid ); + bool bShowNotValidatedState = nInfos && ( bAllSigsValid && !bAllCertsValid ); bool bShowInvalidState = nInfos && !bAllSigsValid; maSigsValidImg.Show( bShowValidState ); maSigsValidFI.Show( bShowValidState ); maSigsInvalidImg.Show( bShowInvalidState ); maSigsInvalidFI.Show( bShowInvalidState ); + maSigsNotvalidatedImg.Show( bShowNotValidatedState ); + maSigsNotvalidatedFI.Show( bShowNotValidatedState ); SignatureHighlightHdl( NULL ); } @@ -472,9 +528,16 @@ void DigitalSignaturesDialog::ImplShowSignaturesDetails() { USHORT nSelected = (USHORT) (sal_uIntPtr) maSignaturesLB.FirstSelected()->GetUserData(); const SignatureInformation& rInfo = maCurrentSignatureInformations[ nSelected ]; - + css::uno::Reference<css::xml::crypto::XSecurityEnvironment > xSecEnv = + maSignatureHelper.GetSecurityEnvironment(); // Use Certificate from doc, not from key store - uno::Reference< dcss::security::XCertificate > xCert = rInfo.ouX509Certificate.getLength() ? maSignatureHelper.GetSecurityEnvironment()->createCertificateFromAscii( rInfo.ouX509Certificate ) : NULL; + uno::Reference< dcss::security::XCertificate > xCert; + if (rInfo.ouX509Certificate.getLength()) + xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); + //fallback if no certificate is embedded, get if from store + if (!xCert.is()) + xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); + DBG_ASSERT( xCert.is(), "Error getting cCertificate!" ); if ( xCert.is() ) { |