author | Miklos Vajna <vmiklos@collabora.com> | 2024-11-05 08:22:05 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.com> | 2024-11-06 08:54:56 +0100 |
commit | 27753561a1899949c5cbd5cc6b72a238769e1eeb (patch) | |
tree | 93ce6f9f01aca08e64ce0997d662df45378add2c /xmlsecurity | |
parent | 0c1ae785e3fb3a800f6b7743a03245dca6c01f14 (diff) |
cool#9992 lok doc sign, create-certs.sh password-less mode: still create a .p12
I have a case where LOK convert-to with ODT->PDF and
SignCertificateCaPem/SignCertificateCertPem/SignCertificateKeyPem set
creates a corrupted PDF signature, while more or less the same on the
desktop works.
The PDF signature is a hex dump, and once converted to binary, one can
analyze the content using 'openssl asn1parse -inform der -in ... -i'.
Still, the LOK and the desktop cases differ, because this script
generates random certificates and then the binary output in the two
cases differs, so it is hard to see the actual difference.
Fix the problem by still generating .p12 output (needed for the desktop
case) in the no-password case, so a single run can emit ca/cert/key PEM
files and a .p12 archive, so exactly the same input can be used for
desktop and LOK signing.
It turns out the actual problem I looked at was some setup problem,
because now that the same input can be used in the two cases, the LOK
signing during PDF export works fine.
Change-Id: Ifc5ff73cd6fbbc057af536c84e4367ce1d489931
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176081
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
Diffstat (limited to 'xmlsecurity')
-rwxr-xr-x | xmlsecurity/qa/create-certs/create-certs.sh | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/xmlsecurity/qa/create-certs/create-certs.sh b/xmlsecurity/qa/create-certs/create-certs.sh index 9fce95ac566d..7ac81b353f2e 100755 --- a/xmlsecurity/qa/create-certs/create-certs.sh +++ b/xmlsecurity/qa/create-certs/create-certs.sh @@ -200,6 +200,14 @@ do -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \ -certfile intermediate/certs/ca-chain.cert.pem \ -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" + else + openssl pkcs12 -export \ + -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \ + -passout env:SSLPASS \ + -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \ + -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \ + -certfile intermediate/certs/ca-chain.cert.pem \ + -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" fi fi done @@ -209,9 +217,8 @@ echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pe echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'." for i in Alice Bob do - if [ "$pass" == "y" ]; then - echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>." - else + echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>." + if [ "$pass" != "y" ]; then echo "Cert file is at <$root/ca/intermediate/certs/example-xmlsecurity-${i}.cert.pem>." echo "Key file is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.key.pem>." fi |
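Review bot: in the new `else` branch of the first hunk (@@ -200,6 +200,14 @@), `-passout env:SSLPASS` is used on the path taken when no password was requested, and nothing in the hunk shows what SSLPASS holds at that point. If the variable is unset, `openssl pkcs12 -export` cannot read the export password from the environment and the step fails; if it is empty, the .p12 gets an empty export password. A comment above the branch stating which of these is intended, or an explicit `-passout pass:` for the empty-password case, would settle it. The `-in`, `-certfile` and `-CSP` arguments also repeat the preceding branch verbatim, so the shared arguments could be kept in one place and only the password options varied.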
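Review bot: in the second hunk (@@ -209,9 +217,8 @@), the `"$pass" != "y"` case now prints three paths (the .p12, the cert PEM and the key PEM) without saying that the .p12 was built from that same key and certificate, or which password opens it. Since the .p12 in this mode is exported from `example-xmlsecurity-${i}.key.pem` and `example-xmlsecurity-${i}.cert.pem`, one more `echo` inside the `if` stating that the archive holds the same key pair, and what export password to use when importing it, would save the reader from working that out from the script.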