diff options
Diffstat (limited to 'xmlsecurity/source/component/documentdigitalsignatures.cxx')
-rw-r--r-- | xmlsecurity/source/component/documentdigitalsignatures.cxx | 54 |
1 files changed, 32 insertions, 22 deletions
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx index 71251eda2f8a..59759e70999b 100644 --- a/xmlsecurity/source/component/documentdigitalsignatures.cxx +++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx @@ -525,30 +525,36 @@ DocumentDigitalSignatures::ImplVerifySignatures( const SignatureInformation& rInfo = aSignInfos[n]; css::security::DocumentSignatureInformation& rSigInfo = arInfos[n]; - if (rInfo.ouGpgCertificate.isEmpty()) // X.509 + if (!rInfo.X509Datas.empty()) // X.509 { - if (!rInfo.ouX509Certificate.isEmpty()) - rSigInfo.Signer = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); - if (!rSigInfo.Signer.is()) - rSigInfo.Signer = xSecEnv->getCertificate( - rInfo.ouX509IssuerName, - xmlsecurity::numericStringToBigInteger(rInfo.ouX509SerialNumber)); - - // On Windows checking the certificate path is buggy. It does name matching (issuer, subject name) - // to find the parent certificate. It does not take into account that there can be several certificates - // with the same subject name. - try + std::vector<uno::Reference<XCertificate>> certs( + rSignatureHelper.CheckAndUpdateSignatureInformation( + xSecEnv, rInfo)); + if (certs.empty()) { - rSigInfo.CertificateStatus = xSecEnv->verifyCertificate( - rSigInfo.Signer, Sequence<Reference<css::security::XCertificate>>()); + rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID; } - catch (SecurityException&) + else { - OSL_FAIL("Verification of certificate failed"); - rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID; + rSigInfo.Signer = certs.back(); + // get only intermediates + certs.pop_back(); + // On Windows checking the certificate path is buggy. It does name matching (issuer, subject name) + // to find the parent certificate. It does not take into account that there can be several certificates + // with the same subject name. + try + { + rSigInfo.CertificateStatus = xSecEnv->verifyCertificate( + rSigInfo.Signer, comphelper::containerToSequence(certs)); + } + catch (SecurityException&) + { + SAL_WARN("xmlsecurity.comp", "Verification of certificate failed"); + rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID; + } } } - else if (xGpgSecEnv.is()) // GPG + else if (!rInfo.ouGpgCertificate.isEmpty() && xGpgSecEnv.is()) // GPG { // TODO not ideal to retrieve cert by keyID, might // collide, or PGPKeyID format might change - can't we @@ -634,15 +640,19 @@ void DocumentDigitalSignatures::showCertificate( } sal_Bool DocumentDigitalSignatures::isAuthorTrusted( - const Reference< css::security::XCertificate >& Author ) + const Reference<css::security::XCertificate>& xAuthor) { - OUString sSerialNum = xmlsecurity::bigIntegerToNumericString( Author->getSerialNumber() ); + if (!xAuthor.is()) + { + return false; + } + OUString sSerialNum = xmlsecurity::bigIntegerToNumericString(xAuthor->getSerialNumber()); Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors(); return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(), - [&Author, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { - return ( rAuthor[0] == Author->getIssuerName() ) + [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { + return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()) && ( rAuthor[1] == sSerialNum ); }); } |