authorThorsten Behrens <Thorsten.Behrens@CIB.de>2017-09-08 03:19:04 +0200
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2017-09-10 01:43:53 +0200
commitfdc85f759c4ef69f4ccdb7f160ad4bce7e61b231 (patch)
tree56944e12a0d4800bd59b7d529b21e3913584c69b /xmlsecurity
parentca6ab632a8f2dd5b45234f7af9b9f2b40690db89 (diff)
gpg4libre: use SHA512 digests for GPG signing unconditionally
Change-Id: I2ee6b0ba440a50b4627b3732c52afe08ba02d664 Reviewed-on: https://gerrit.libreoffice.org/42087 Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Diffstat (limited to 'xmlsecurity')
-rw-r--r--xmlsecurity/source/helper/xsecctl.cxx3
-rw-r--r--xmlsecurity/source/helper/xsecparser.cxx2
-rw-r--r--xmlsecurity/source/helper/xsecsign.cxx9
3 files changed, 12 insertions, 2 deletions
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index ad0744f54d27..616ffcfb2ae4 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -661,6 +661,9 @@ void XSecController::exportSignature(
/* Write SignatureMethod element */
pAttributeList = new SvXMLAttributeList();
+ // TODO: actually roundtrip this value from parsing documentsignatures.xml - entirely
+ // broken to assume this would in any way relate to the 1st reference's digest algo
+
// Assume that all Reference elements use the same DigestMethod:Algorithm, and that the
// SignatureMethod:Algorithm should be the corresponding one.
pAttributeList->AddAttribute(
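Review bot: The added TODO says the SignatureMethod algorithm is wrongly derived from the first Reference's digest, but it does not say what this means for the GPG case the commit introduces. With GPG references now digested with SHA512, the exported SignatureMethod presumably follows from that value. Whether it matches what the GPG backend actually signs with is not visible in this hunk. I would extend the comment with the consequence, for example `// until then, do not treat the exported SignatureMethod as authoritative for GPG signatures`. The AddAttribute call continues outside the hunk.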
diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
index be6f0b7c3dd2..81b7ebf7e630 100644
--- a/xmlsecurity/source/helper/xsecparser.cxx
+++ b/xmlsecurity/source/helper/xsecparser.cxx
@@ -151,6 +151,8 @@ void SAL_CALL XSecParser::startElement(
m_nReferenceDigestID = cssxc::DigestID::SHA256;
else if (ouAlgorithm == ALGO_XMLDSIGSHA512)
m_nReferenceDigestID = cssxc::DigestID::SHA512;
+ else
+ m_nReferenceDigestID = 0;
}
}
else if (aName == "Transform")
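Review bot: An unrecognised DigestMethod algorithm is mapped to the bare literal `0` in the added `else` branch with no diagnostic, so whether an unsupported digest is rejected depends entirely on how later code treats that value. Resetting the member is the right direction, since it presumably kept the previous Reference's value before. The consumers of m_nReferenceDigestID are outside this hunk, though, and should be confirmed to fail verification on 0 rather than fall back to a default algorithm. I would log the rejected URI, e.g. `SAL_WARN("xmlsecurity.helper", "unsupported digest algorithm: " << ouAlgorithm);`, and add a comment such as `// 0 = no supported digest; this reference must not verify`. startElement begins and ends outside the hunk.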
diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index 278eba79f8af..cd173e2fb956 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -144,7 +144,9 @@ cssu::Reference< cssxc::sax::XReferenceResolvedListener > XSecController::prepar
cssu::Reference<cssxc::sax::XKeyCollector> keyCollector (xReferenceResolvedListener, cssu::UNO_QUERY);
keyCollector->setKeyId(0);
- const sal_Int32 digestID = bXAdESCompliantIfODF ? cssxc::DigestID::SHA256 : cssxc::DigestID::SHA1;
+ // use sha512 for gpg signing unconditionally
+ const sal_Int32 digestID = !internalSignatureInfor.signatureInfor.ouGpgCertificate.isEmpty()?
+ cssxc::DigestID::SHA512 : (bXAdESCompliantIfODF ? cssxc::DigestID::SHA256 : cssxc::DigestID::SHA1);
if (nStorageFormat != embed::StorageFormats::OFOPXML)
{
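Review bot: The digest choice is written twice in different shapes, as a nested ternary here in prepareSignatureToWrite and as a mutable `digestID` that is overwritten later in signAStream (the two hunks that follow), so the two can drift apart the next time the policy changes. A single file-local helper taking the signature information and the XAdES flag would keep `digestID` const in both places and give one spot to document the policy. That comment should also record that the non-GPG, non-XAdES path still selects SHA1 for reference digests, which this commit leaves as is. The parameter type in the sketch below is assumed from the member name and should be checked. prepareSignatureToWrite begins and ends outside the hunk.

```cpp
// Reference digest policy: SHA512 for GPG keys, otherwise the XAdES-dependent default
// (SHA1 remains the fallback for non-XAdES X.509 signing).
static sal_Int32 lcl_getDigestID(const SignatureInformation& rInfo, bool bXAdESCompliantIfODF)
{
    if (!rInfo.ouGpgCertificate.isEmpty())
        return cssxc::DigestID::SHA512;
    return bXAdESCompliantIfODF ? cssxc::DigestID::SHA256 : cssxc::DigestID::SHA1;
}

// … unchanged: keyCollector setup in prepareSignatureToWrite …
const sal_Int32 digestID = lcl_getDigestID(internalSignatureInfor.signatureInfor, bXAdESCompliantIfODF);
```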
@@ -194,7 +196,7 @@ cssu::Reference< cssxc::sax::XReferenceResolvedListener > XSecController::prepar
void XSecController::signAStream( sal_Int32 securityId, const OUString& uri, bool isBinary, bool bXAdESCompliantIfODF)
{
const SignatureReferenceType type = isBinary ? SignatureReferenceType::BINARYSTREAM : SignatureReferenceType::XMLSTREAM;
- const sal_Int32 digestID = bXAdESCompliantIfODF ? cssxc::DigestID::SHA256 : cssxc::DigestID::SHA1;
+ sal_Int32 digestID = bXAdESCompliantIfODF ? cssxc::DigestID::SHA256 : cssxc::DigestID::SHA1;
int index = findSignatureInfor( securityId );
@@ -206,6 +208,9 @@ void XSecController::signAStream( sal_Int32 securityId, const OUString& uri, boo
}
else
{
+ // use sha512 for gpg signing unconditionally
+ if (!m_vInternalSignatureInformations[index].signatureInfor.ouGpgCertificate.isEmpty())
+ digestID = cssxc::DigestID::SHA512;
m_vInternalSignatureInformations[index].addReference(type, digestID, uri, -1);
}
}