author | Michael Stahl <michael.stahl@allotropia.de> | 2021-02-18 19:22:31 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-03-03 12:45:15 +0100 |
commit | 4ab8d9c09a5873ca0aea56dafa1ab34758d52ef7 (patch) | |
tree | a217ec2248dff9cec4f2a27921584e52c56ef607 /xmlsecurity | |
parent | cfeb89a758b5f0ec406f0d72444e52ed2f47b85e (diff) |
xmlsecurity: XSecParser confused about multiple timestamps
LO writes timestamp both to dc:date and xades:SigningTime elements.
The parser tries to avoid reading multiple dc:date, preferring the first
one, but doesn't care about multiple xades:SigningTime, for undocumented
reasons.
Ideally something should check all read values for consistency.
Change-Id: Ic018ee89797a1c8a4f870ae102af48006de930ef
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111160
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'xmlsecurity')
-rw-r--r-- | xmlsecurity/source/helper/xsecparser.cxx | 31 | ||||
-rw-r--r-- | xmlsecurity/source/helper/xsecparser.hxx | 6 | ||||
-rw-r--r-- | xmlsecurity/source/helper/xsecverify.cxx | 6 |
3 files changed, 14 insertions, 29 deletions
diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
index 5166464f6f1d..24f5f33bff58 100644
--- a/xmlsecurity/source/helper/xsecparser.cxx
+++ b/xmlsecurity/source/helper/xsecparser.cxx
@@ -974,6 +974,9 @@ class XSecParser::XadesSigningCertificateContext class XSecParser::XadesSigningTimeContext : public XSecParser::Context { + private: + OUString m_Value; + public: XadesSigningTimeContext(XSecParser & rParser, std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
@@ -981,20 +984,14 @@ class XSecParser::XadesSigningTimeContext { } - virtual void StartElement( - css::uno::Reference<css::xml::sax::XAttributeList> const& /*xAttrs*/) override - { - m_rParser.m_ouDate.clear(); - } - virtual void EndElement() override { - m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate ); + m_rParser.m_pXSecController->setDate(m_Value); } virtual void Characters(OUString const& rChars) override { - m_rParser.m_ouDate += rChars; + m_Value += rChars; } };
@@ -1100,7 +1097,7 @@ class XSecParser::DcDateContext : public XSecParser::Context { private: - bool m_isIgnore = false; + OUString m_Value; public: DcDateContext(XSecParser & rParser,
@@ -1109,26 +1106,14 @@ class XSecParser::DcDateContext { } - virtual void StartElement( - css::uno::Reference<css::xml::sax::XAttributeList> const& /*xAttrs*/) override - { - m_isIgnore = !m_rParser.m_ouDate.isEmpty(); - } - virtual void EndElement() override { - if (!m_isIgnore) - { - m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate ); - } + m_rParser.m_pXSecController->setDate(m_Value); } virtual void Characters(OUString const& rChars) override { - if (!m_isIgnore) - { - m_rParser.m_ouDate += rChars; - } + m_Value += rChars; } };
diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx
index b99a170b87c3..e146340612da 100644
--- a/xmlsecurity/source/helper/xsecparser.hxx
+++ b/xmlsecurity/source/helper/xsecparser.hxx
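Review bot: `EndElement` in the `@@ -981,20` hunk (`XadesSigningTimeContext`) and again in the `@@ -1109,26` hunk (`DcDateContext`) now hands every collected value to `setDate` with nothing at the call site explaining that this is deliberate, where the old code kept only the first `dc:date`. Since acceptance of the timestamp now depends on the consistency check inside `XSecController::setDate`, I would add a comment above both calls, `// forward every timestamp, even repeats; setDate() flags signatures whose values disagree`, so a later cleanup does not restore a local filter that hides a second, conflicting value. `m_Value` is also forwarded untrimmed and possibly empty, which matters because the check in `setDate` is an exact string comparison. Both classes begin outside these hunks.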
@@ -97,12 +97,6 @@ private: class DsSignatureContext; class DsigSignaturesContext; - /* - * the following members are used to reserve the signature information, - * including X509IssuerName, X509SerialNumber, and X509Certificate,etc. - */ - OUString m_ouDate; - std::stack<std::unique_ptr<Context>> m_ContextStack; std::unique_ptr<SvXMLNamespaceMap> m_pNamespaceMap;
diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
index ec8d4f34f6b3..9a50207e733c 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -325,6 +325,12 @@ void XSecController::setDate( OUString const & ouDate ) return; } InternalSignatureInformation &isi = m_vInternalSignatureInformations.back(); + // there may be multiple timestamps in a signature - check them for consistency + if (!isi.signatureInfor.ouDateTime.isEmpty() + && isi.signatureInfor.ouDateTime != ouDate) + { + isi.signatureInfor.hasInconsistentSigningTime = true; + } (void)utl::ISO8601parseDateTime( ouDate, isi.signatureInfor.stDateTime); isi.signatureInfor.ouDateTime = ouDate; } |
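Review bot: In the `setDate` hunk the result of `utl::ISO8601parseDateTime` is still thrown away with `(void)`, so a timestamp that does not parse is stored in `ouDateTime` without setting any flag, and `stDateTime` may then no longer match the stored string. Flagging the failure closes that gap: `if (!utl::ISO8601parseDateTime(ouDate, isi.signatureInfor.stDateTime)) isi.signatureInfor.hasInconsistentSigningTime = true;`. The comparison itself is on raw text and uses `ouDateTime.isEmpty()` as the not-yet-set marker, so an empty first element followed by a real one passes unflagged. The diffstat is limited to xmlsecurity, so where `hasInconsistentSigningTime` is declared and read is not visible here; verification presumably has to treat it as a failed signature for the check to have any effect. `setDate` starts above the hunk.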