diff options
Diffstat (limited to 'xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx')
-rw-r--r-- | xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx index b41d754f7407..975c17272dc7 100644 --- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx @@ -20,6 +20,8 @@ #include <sal/config.h> #include <xmlsec-wrapper.h> +#include <xmlsec/nss/x509.h> + #include <xmlelementwrapper_xmlsecimpl.hxx> #include <xmlsec/xmlstreamio.hxx> #include <xmlsec/errorcallback.hxx> @@ -247,6 +249,10 @@ SAL_CALL XMLSignature_NssImpl::validate( // We do certificate verification ourselves. pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; + // limit possible key data to valid X509 certificates only, no KeyValues + if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0) + throw RuntimeException("failed to limit allowed key data"); + //Verify signature int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode ); |