diff options
| author | Michael Stahl <michael.stahl@allotropia.de> | 2021-10-15 20:52:47 +0200 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-10-19 15:32:56 +0200 |
| commit | ff572d9222ec16ffd679ae907a0bf4a8900265e1 (patch) | |
| tree | 4ced40fa2325414e64eb2eab8bb403aa76db85d0 /xmlsecurity | |
| parent | e95bcf952abfcde18caca2058260e9213003df8a (diff) | |
xmlsecurity: fix test failing because NSS policy forbids SHA1
With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
8 tests including testODFGood in CppunitTest/xmlsecurity_signing
fail because the crypto policy disallows SHA1 for signatures.
Apparently this particular policy bit was added in NSS 3.59:
https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
For signatures, maybe it's not a good idea to override system policy
for product builds, so do it locally in the tests, at least for now.
Another option would be to set NSS_HASH_ALG_SUPPORT environmental
variable to something like "+SHA-1".
If similar problems turn up for encrypted documents in the future,
that should be fixed in product builds too of course, as encrypted
documents must always be decryptable.
Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123678
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'xmlsecurity')
| -rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 8 | ||||
| -rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 8 | ||||
| -rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 18 | ||||
| -rw-r--r-- | xmlsecurity/qa/unit/signing/signing.cxx | 12 |
4 files changed, 46 insertions, 0 deletions
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk index 2441d47e046b..dbedd1a1f7c9 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ boost_headers \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ + nss3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 323c5c1bb37e..126427fdada0 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk @@ -37,6 +37,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ libxml2 \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ + nss3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index db3ac9b3d663..f9e2cab1b365 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -9,6 +9,12 @@ #include <sal/config.h> +#include <config_crypto.h> + +#if USE_CRYPTO_NSS +#include <secoid.h> +#endif + #include <string_view> #include <com/sun/star/xml/crypto/SEInitializer.hpp> @@ -66,6 +72,18 @@ void PDFSigningTest::setUp() { test::BootstrapFixture::setUp(); MacrosTest::setUpNssGpg(m_directories, "xmlsecurity_pdfsigning"); + + uno::Reference<xml::crypto::XSEInitializer> xSEInitializer + = xml::crypto::SEInitializer::create(mxComponentContext); + uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext + = xSEInitializer->createSecurityContext(OUString()); +#if USE_CRYPTO_NSS +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void PDFSigningTest::tearDown() diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index 32dba85f951b..109287c93fe1 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx @@ -7,11 +7,16 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include <config_crypto.h> #include <config_features.h> #include <config_gpgme.h> #include <sal/config.h> +#if USE_CRYPTO_NSS +#include <secoid.h> +#endif + #include <test/bootstrapfixture.hxx> #include <unotest/macros_test.hxx> #include <test/xmltesttools.hxx> @@ -100,6 +105,13 @@ void SigningTest::setUp() mxDesktop.set(frame::Desktop::create(mxComponentContext)); mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext); mxSecurityContext = mxSEInitializer->createSecurityContext(OUString()); +#if USE_CRYPTO_NSS +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void SigningTest::tearDown() |