Age | Commit message | Author |
|
Change-Id: Ied4520670478d04fce3620c4f3375b1a435f98af
|
|
Change-Id: I9a6209e02c2609c7594763ba01e84f0e598b4873
|
|
Change-Id: I7dbc3017f2bba7b186174be2e4fd8c9ce7005d34
(cherry picked from commit 708d201884c4940647dc65e43e887803f06dce87)
|
|
The previous fixes were incomplete solutions (see the new test
cases of the bug reports).
Change-Id: I928f09d94edf68d268de9046c16582e6f016d561
|
|
Cherry-picked from 7600a2942ce2b9dac66836105bed6620d55abec2
Change-Id: I7584ed179e92abcb10ef0e3a7e4e0d30d24f86bf
|
|
That allows us to potentially change the import depending on the
producer of the document.
This becomes necessary to handle MSO 2007 chart drawingml streams
correctly.
(cherry picked from commit a2fa9e2468aa5c4fd4b610c5d0ebc8959e87a072)
Conflicts:
sc/source/filter/oox/excelfilter.cxx
Conflicts:
sc/source/filter/oox/excelfilter.cxx
Change-Id: I9be8b019fae69cd206203591982a89648965692f
|
|
(cherry picked from commit 15174177091367332b57cd79575e2f7dd27388b2)
Conflicts:
oox/source/core/xmlfilterbase.cxx
Conflicts:
oox/source/core/xmlfilterbase.cxx
Change-Id: I4052c6f1e5dde71ce4cede1ec9a313f461861d71
|
|
Conflicts:
oox/source/drawingml/chart/chartspacefragment.cxx
oox/source/drawingml/chart/chartspacemodel.cxx
Change-Id: Ie143751d22404dac8f31c8ecef90a0e185e07973
|
|
Using the NSS API for CMS and ASN.1-based stuff in general correctly is
extremely hard. It is very easy to do things slightly wrong. Of course no
compiler warnings are produced. You just get code that happens to work by
accident when compiled with one compiler, but not another, or depending on
contents of uninitialised memory, or the phase of the moon.
The problem was that the "values" field of a NSSCMSAttribute struct apparently
is supposed to point to *two* SECItem pointers, one pointing to the actual
value, and a NULL one.
Anyway, now valgrind finally does not complain about any use of uninitialised
memory.
Most likely my earlier recent commits to this file were not necessary after
all. They just seemed to help by accident, at least at one stage. But
whatever...
Change-Id: Ic98401b5d151bbb2398f809f47699f670e9720fa
|
|
In NSS's <secasn1t.h>, for non-Windows:
#define SEC_ASN1_SUB(x) x
#define SEC_ASN1_XTRN 0
#define SEC_ASN1_MKSUB(x)
Change-Id: Ie42d881cebffdd060309d6a15d8d9c319c260699
|
|
Change-Id: I07080c0d42029b7e44f4a6104c18dd75c7356ae0
|
|
We didn't actually check this correctly at all, but gladly overwrote the
allocated part of the output PDF, thus obviously rendering it invalid.
The parameter passed to PORT_NewArea is a default chunk size, not a maximum
anything, so it was misleading, even if not wrong as such, to pass
MAX_SIGNATURE_CONTENT_LENGTH to it. Use 10000 instead.
No need to do the overflow check twice in the Win32 case.
Change-Id: Ifa796dbb74b32e857f7184c1e8ada97ba124b020
|
|
Change-Id: I03ab90c90448e456fc497fb082ad230a434f9f3a
|
|
One or more pointers into them apparently gets stored into the NSSCMSMessage
data structures during the my_NSS_CMSSignerInfo_AddUnauthAttr() call, and thus
when the variables go out of scope said data can and will be reused for some
arbitrary other thing, and those pointers in the NSSCMSMessage will point to
bogus data.
Avoids a crash when compiled with gcc. (No crash when compiled with Clang, it
apparently allocates nested block stack variables differently.)
(The Windows MSVC build uses a different code path entirely here.)
Change-Id: Ic941d766904a216cce86ee6bd38864801b9110e8
(cherry picked from commit 90a684b32b93988e890d854deff384addd875de9)
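Two pitfalls from the commit messages above, shown in a small C sketch: the `values` array of an attribute needs a terminating NULL entry, and data referenced from a longer-lived structure must not live on the stack of a nested block. This is an added example, not LibreOffice or NSS code; `Item`, `Attribute` and the `attr_*` functions are hypothetical stand-ins for `SECItem` and `NSSCMSAttribute`, and the token bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for NSS's SECItem and NSSCMSAttribute (assumption:
 * only the "values" field is modelled; "type" is omitted for brevity). */
typedef struct { unsigned char *data; unsigned int len; } Item;
typedef struct { Item **values; } Attribute;

/* Consumers walk "values" until the NULL sentinel; without that second,
 * NULL entry the walk reads whatever memory follows the array. */
static size_t attr_value_count(const Attribute *a)
{
    size_t n = 0;
    if (a == NULL || a->values == NULL) return 0;
    while (a->values[n] != NULL) n++;
    return n;
}

static void attr_free(Attribute *a)
{
    if (a == NULL) return;
    if (a->values != NULL && a->values[0] != NULL) free(a->values[0]->data);
    if (a->values != NULL) free(a->values[0]);
    free(a->values);
    free(a);
}

/* Build a single-valued attribute: values[0] is the value, values[1] is NULL.
 * Everything is a heap copy, so it outlives the caller's nested-block buffer. */
static Attribute *attr_new_single(const unsigned char *val, unsigned int val_len)
{
    Attribute *a = calloc(1, sizeof *a);
    if (a == NULL || val == NULL || val_len == 0) goto fail;
    if ((a->values = calloc(2, sizeof *a->values)) == NULL) goto fail;
    if ((a->values[0] = calloc(1, sizeof **a->values)) == NULL) goto fail;
    if ((a->values[0]->data = malloc(val_len)) == NULL) goto fail;
    memcpy(a->values[0]->data, val, val_len);
    a->values[0]->len = val_len;
    return a;
fail:
    attr_free(a);
    return NULL;
}

int main(void)
{
    Attribute *a;
    {   /* constructed sample bytes that live only in this nested block */
        unsigned char token[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
        a = attr_new_single(token, sizeof token);
    }
    int ok = attr_value_count(a) == 1 && a->values[0]->len == 5;
    attr_free(a);
    return ok ? 0 : 1;
}
```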
|
|
Change-Id: I2bb67ba310cfeda2a57d5bbdcd8064eaf09aa087
|
|
Reviewed-on: https://gerrit.libreoffice.org/14770
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit 097a16b59884c777f724cec6c5d42734974ed44b)
Conflicts:
sc/qa/unit/ucalc.cxx
sc/qa/unit/ucalc.hxx
Change-Id: I500008b32e5af07702b76afb901a3ec270453462
|
|
Work in progress. The selection is not used for anything yet.
(cherry picked from commit b8b9d51b8cf1cafe1a94e1baf957f3f282abb32f)
Conflicts:
filter/source/pdf/impdialog.cxx
include/sal/log-areas.dox
Change-Id: Ia86fa0f59dcfee8e9d332a028a3fad37f4019fe0
|
|
It is just a simple list of entered URLs, accessed from the Security page. No
sanity checks for now. No selection of a "default" one for now. Implementation
is much simpler this way. The actual selection of one TSA (or none) is done
when exporting to PDF.
Change-Id: I0392eabc9b9629a6f0a767d1b2337622a61c120f
(cherry picked from commit 24ad0629ae9edad83514e329e7173b94a8680ea6)
|
|
Work in progress. If a TSA is selected, pass it along to the signature
generation in vcl.
Change-Id: Ibe105b6d02ab9241b93dd66ab3cb1fa8c6d10093
(cherry picked from commit d83e6e9cdb727b3ca2938048e115ba38886d4c70)
|
|
Now Adobe Reader is satisfied with the signature timestamp also for a
PDF signed and timestamped on Windows.
My gleeful commit comment from yesterday about how much simpler the
Win32 crypto API was to use for this task was not entirely true. It is
simpler than using NSS and curl, but not as simple as I had hoped. Oh
well, I am not really surprised.
I now use the "low-level" message functions instead of the single
"simplified" CryptSignMessage(). And just like with NSS, I need to
create the message twice; first to get the signature to timestamp, and
then a second time to attach the timestamp. But now I wonder whether
doing CryptSignMessage() twice would work too. Anyway, won't touch the
code now for a while.
I am actually a bit surprised that the code works... Must have been my
lucky day. Or then I just am good at making educated guesses at what
an API does, even if the documentation doesn't make it perfectly
clear. Especially, I am a bit surprised that calling
CryptMsgGetParam(hMsg, CMSG_BARE_CONTENT_PARAM) returns (just) the
signature. OTOH, what else would it return?
Change-Id: Iec20c7605cf3d841b9e1787184c7b665837f1bc2
(cherry picked from commit 2c78736c19a8f2a1df0f406c3e92f5ac55576148)
|
|
Now Adobe Reader is satisfied with the signature timestamp.
I just need to figure out how to do the corresponding fix for the Win32
version, too.
Change-Id: Ie2cce177a9a356e729ca157b4c181e95a2c60c91
(cherry picked from commit ce0e240ef10566f1cc334386dbde83b43ebb9281)
|
|
Luckily doable with much simpler code than the horrible NSS and curl mess used
on Linux (and, sadly, OS X).
Basically only one new API call needed: CryptRetrieveTimestamp(). A few hours
of work, compared to about a week for the Linux case.
However, amusingly, it causes the same message in Adobe Reader as when using
the NSS code: "The signature includes an embedded timestamp but it could not
be verified". Sigh.
Change-Id: I98c973bd50b841d1ae3feb8a695bac29da538b6c
(cherry picked from commit 00646102569739e0bf8929c271963f129d747a5a)
|
|
... it could not be verified"
I got some insight reading this question and reply on stackoverflow:
http://stackoverflow.com/questions/18761993/steps-to-include-timestamp-in-pdf-signature
I had been doing the timestamping wrong in the same way: I had timestamped the
hash of the PDF document, not of the signature. That is wrong. If you think
hard, it is obvious: It is the (rest of the) signature that needs an
authenticated timestamp, not the PDF document contents. After all, if the
document contents is timestamped, but not the signature, that doesn't prevent
tampering with the signature after the timestamping. When you timestamp the
signature, that proves the date of the signature. (And the signature proves
the authenticity of the document contents.)
So I had to re-engineer the code a bit. I create two originally identical NSS
CMS messages with signatures, encode one signature into DER, take the hash of
the signature, get a timestamp from the TSA for that hash. Then I add that
timestamp to the other CMS message as an unsigned attribute of its signature,
sign it, encode it, convert to hex, and store it in the document.
(I first tried to use just one CMS message, but NSS stopped with an assertion
when I tried to encode the signature of the same message a second time, after
adding the timestamp attribute to the signature. Go figure.)
(I did verify that the encoded signatures, taken from what should be identical
but separate CMS messages, were in fact identical. So I am fairly sure the idea
described above is sound.)
But, it doesn't help. Adobe Reader still complains "The signature includes an
embedded timestamp but it could not be verified".
Change-Id: I4e4cd0443005e82f597586942badc7145ef64160
(cherry picked from commit 86796f127b15fd33374f2a18344dc944b7b8314d)
|
|
No change to functionality or end result. Preparation for an attempt to fix
the remaining problem with RFC3161 timestamped signature.
Change-Id: I5790a85399e9f94d816e8fab791a03d607113116
(cherry picked from commit 0874849206a38cbe15cc981b6cb814d3a7abf38b)
|
|
Note that checks in the code against exceeding that limit apparently are
broken, though. After the previous change I ended up with an invalid PDF where
the signature hex string in the output PDF had brutally overrun its
allocation.
Now Adobe Reader says "The signature includes an embedded timestamp but it
could not be verified". This is progress. Perhaps I just need to tell Adobe
Reader to trust the certificate from the TSA I used.
(cherry picked from commit ca2d878659400b783ae72267f47d0c719b50a1ad)
Conflicts:
vcl/source/gdi/pdfwriter_impl.cxx
Change-Id: I1e8644ee641592a985e0190b52bf76839f99b3e7
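The overrun described in this commit message, and the length check that the "We didn't actually check this correctly at all" message further up the log says was fixed, come down to one bounds check before writing the hex signature into its reserved placeholder. The sketch below is an added example, not the LibreOffice code; `write_sig_hex`, its parameters and the sample PDF fragment are hypothetical and constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hex-encode der[0..der_len) into the placeholder of `reserved` hex digits
 * that starts at out[pos]; the unused tail is filled with '0'.
 * Returns 0 on success, -1 (writing nothing) if the placeholder does not lie
 * inside the buffer or the encoded signature does not fit in it. */
static int write_sig_hex(char *out, size_t out_len, size_t pos, size_t reserved,
                         const unsigned char *der, size_t der_len)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t i;

    if (out == NULL || der == NULL) return -1;
    if (pos > out_len || reserved > out_len - pos) return -1;
    /* Equivalent to 2 * der_len > reserved, but cannot wrap around. */
    if (der_len > reserved / 2) return -1;

    for (i = 0; i < der_len; i++) {
        out[pos + 2 * i]     = digits[der[i] >> 4];
        out[pos + 2 * i + 1] = digits[der[i] & 0x0f];
    }
    memset(out + pos + 2 * der_len, '0', reserved - 2 * der_len);
    return 0;
}

int main(void)
{
    /* Constructed sample: an 8-digit placeholder starting at offset 11. */
    char pdf[] = "/Contents <00000000> /Type /Sig";
    const unsigned char fits[] = { 0xDE, 0xAD, 0xBE };
    const unsigned char too_big[] = { 1, 2, 3, 4, 5 };   /* 10 digits > 8 */

    int refused = write_sig_hex(pdf, sizeof pdf - 1, 11, 8, too_big, sizeof too_big);
    int written = write_sig_hex(pdf, sizeof pdf - 1, 11, 8, fits, sizeof fits);
    return (refused == -1 && written == 0 &&
            strcmp(pdf, "/Contents <DEADBE00> /Type /Sig") == 0) ? 0 : 1;
}
```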
|
|
I think Adobe Reader expects the timestamp info to include the TSA's
certificate.
Change-Id: Iedf1c4a9952b12ac61b4ba7f73bee339480e821d
(cherry picked from commit 4702f6ae2f671ac48e4cae3cd46d5941d021e533)
|
|
It is scary to keep pointers to stack variables that have gone out of scope in
a data structure that is in an outer block and used there later.
Change-Id: Iced8b809d50089a4e6f9867be9b8501cce59d16f
(cherry picked from commit 5ffeec96228e0adb829612ecb855cd28e2063f1d)
|
|
Why is a separate field then needed? Dunno, but probably because the type and
values fields make up an encoded NSSCMSAttribute. (The comment in <nss/cmst.h>
says so, but it took a while before I realized what it meant.) The typeTag and
encoded fields are for NSS internal use or something.
Now Adobe Reader says "The signature includes an embedded timestamp but it is
invalid". Progress...
Change-Id: I390947db8d414a7ceecc1f67aaeed5fa0f66fe6f
(cherry picked from commit 167569bfea0bfa5f697ed7a25a354537bc97fa53)
|
|
Not that it seems to help. Adobe Reader still claims "signing time is from the
clock on the signer's computer".
(Why can't RFCs come with standard C header files (and Java and C# sources)
defining macros/constants for the magic numbers, OIDs etc that the RFC
defines?)
Change-Id: I56e8cb4ef56e20345506a080e4d23764d2dfb956
(cherry picked from commit c98f569d035861b6b8c74b469512fa2ae7c9576f)
|
|
They can and should be terse, technical and informative. Simply say exactly
what API function call failed. The tag and source file name in the SAL_WARN
output should already tell a technical reader of the warning what
functionality it is related to.
Change-Id: I93509bddaca836bd6a07d2899b3faf693b071957
(cherry picked from commit d1f679cacb2e17c4aa94ae6b9f15011c9ec74b25)
|
|
Something is still wrong, Adobe Reader still says the PDF is signed with the
local machine's timestamp, though.
Change-Id: Ic9ed3190901025be48e1de191df976e1aa454822
(cherry picked from commit 7d7c2ab1dffa82cfc0e2d6b15702d965b8b0245b)
|
|
Change-Id: If8d64b1e03c8318cd3329cd258131fddeb86fa7b
(cherry picked from commit d1132ff3895aa67ed662446ef6f43612124455ae)
|
|
Despite being declared in a public header, they are not exported from
libsmime, so copy them here. Sigh.
Fix fallout from fe480d8136b204c8dc6c68916cce7e816f8b9c48.
Change-Id: I9ecba690a66c263528e5c12738d60cacec4f14ee
(cherry picked from commit e075fec6e18b24f4037c11f015e870a470fa8ef8)
|
|
Anyway, we can't assume that a string from an external source is correctly
formed UTF-8.
Change-Id: Ic906c7047b933388d5b51b23095a5a3d4ac7e508
(cherry picked from commit 639730a75294346d4195539c26f466f14d030802)
|
|
Change-Id: I651041a86083eb49aad9a96f6f379149c21854f3
(cherry picked from commit f4f08203ba4acebb4ae3143323ca508fdc0644bd)
|
|
Inside #if 0, as the two NSS functions I would want to use aren't exported
from libsmime, despite being declared in public headers. Back to the old
drawing board.
Change-Id: I8b868b4d645a7bbab670e237568c8ff7d97c98cc
(cherry picked from commit d1293c666f08963cebb5f1439034dd11634392df)
|
|
OMG, it is really horrible to use the NSS SEC_ASN1DecodeItem() API. Figuring
out how to set up the SEC_ASN1Template data structure for decoding
TimeStampResp was much harder than setting up the template for encoding a
TimeStampReq. Luckily I don't actually need to look into the timeStampToken,
but can copy that as such into the CMS as an unsigned attribute.
I'll cheerfully ignore for now RFC3161's requirements on how the TSA client
should check the validity of the response. Let's leave that up to the PDF
viewing (and validating) application.
Also improve the SAL_INFO logging, use a timeout for the curl operation, add
more ASN.1 in comments for information, etc.
Still to do: Actually add the TimeStampResp to the NSSCMSSignerInfo.
(cherry picked from commit 3cc45e97dd9189b4c76747fce8925bfe48fac70a)
Conflicts:
vcl/source/gdi/pdfwriter_impl.cxx
Change-Id: Id4f800e2cf12a01106b326a31c34eb99f2aa724e
|
|
Change-Id: I633bd5d697321678d5c179161ac18bc5655246ec
(cherry picked from commit 4146b5c3fefcfce10ed6bc7e739408de8acafb92)
|
|
Use libcurl to perform the request and get the response. Improve error
messages (only use SAL_WARN, though, so sadly not visible to end-users).
Still to do: Decode the response and attach it to the signature. Implement
request encoding and response decoding for Windows.
I probably should extend (and rename) the HashContextScope class to handle all
resources that need explicit deallocation, instead of calling
curl_slist_free_all(), curl_easy_cleanup() and SECITEM_FreeItem() in so many
places.
The error handling of the PDF export functionality would need to be
re-designed so that we could show actual error messages to the user instead of
generic "signing failed" ones. But that is typical for much of our code...
Change-Id: I6288de3f09021f8e0f385870143fefffbac2a706
(cherry picked from commit 27d7aea00d22ad3fcdff2e7b267be1cf5c28d43c)
|
|
Change-Id: Ia5687bf2d68eef06aeb618d5387c663807d24560
(cherry picked from commit 2ddfaa6d323b5db2f59f06f7708c5209549abeee)
|
|
Use the digestAlg in the NSSCMSSignerInfo, once we have it, as
hashAlgorithm. Use a random number as nonce.
Temporarily, dump the TimeStampReq object to a file for inspection in a
DBG_UTIL build.
Change-Id: I696271b3ccc6cef86a70bc78f86d6eae27a4af77
(cherry picked from commit 159a4c3c75e3a7aecbf1656f3254331892098ba7)
|
|
Also, pass dest as NULL to SEC_ASN1EncodeItem(). Now we can call
SECITEM_FreeItem(item, PR_TRUE) on its return value.
(cherry picked from commit 4ece31faef6279cdb0d7eafa26f696e393649fd4)
Conflicts:
vcl/source/gdi/pdfwriter_impl.cxx
Change-Id: Ia30b70990971aba15158f97528524d879a04da3c
|
|
It took a while to figure out how to use the NSS API to construct ASN.1
DER-encoded data using the SEC_ASN1_Template data structs. But I am getting
closer. Now the SEC_ASN1EncodeItem() doesn't crash at least.
Change-Id: I863542bbeed47d48d05a67b851648f87ba9ccf31
(cherry picked from commit 4f69b6de069b7ed70a4aa0095ad9bf981eed53ae)
|
|
Change-Id: I2a2f18d76b0deb5f6cfd68b36699d940703372b3
(cherry picked from commit 77d844c9a92fdc1b8ffa043f46ea50bc1cfa7e05)
|
|
One clear bug in the code, in my opinion, was that
PDFSigningPKCS7PasswordCallback() returned its argument as such. However, a
PK11PasswordFunc should return "a pointer to the password. This memory must
have been allocated with PR_Malloc or PL_strdup", says
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/pkfnc.html .
I could not test this fix fully before my hardware token decided to block
itself, thanks to too many wrong PIN attempts. Possibly it would work to even
just pass NULL for the password callback function and its argument to
NSS_CMSEncoder_Start(). After all, at least with the hardware token and
associated software that I tested with, the software itself pops up a dialog
asking for the PIN (password).
(cherry picked from commit cbf0c9f8332be9abfed6016f9708e3260331eb2d)
Conflicts:
vcl/source/gdi/pdfwriter_impl.cxx
Change-Id: I85a8b2833cfdd1a1d7b7779016fefb71dd53ab80
|
|
Change-Id: I69402778e68a2955bdda1ba2c9d31d9b10fb60cc
Reviewed-on: https://gerrit.libreoffice.org/14748
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit 3381cb4a421bf390445b7dac9ea42f9ccaf3d875)
|
|
Change-Id: I32f44acbcf5a6aed4d9f7442ad7212af31073352
Reviewed-on: https://gerrit.libreoffice.org/14723
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit 4acffa65b58c8bd359215345dca2c61e2c5ceba5)
|
|
Change-Id: I1185a2c490895493012d5b1ddbb2bdf6e8fac5ec
|
|
and some contain a column in the second child
Change-Id: Ifd69758336233ed0233120b3315d4f33655fa994
Reviewed-on: https://gerrit.libreoffice.org/14719
Tested-by: David Tardon <dtardon@redhat.com>
Reviewed-by: David Tardon <dtardon@redhat.com>
(cherry picked from commit 1ce2461ab77f2ad28671ac1542509bbb16a155ef)
|
|
at *m_aValue.m_pValue.
But there could not even be a pointer there, e.g. if m_aValue.m_nIntXX is in use.
Then the pointer dereference usually leads to a crash.
Can e.g. be reproduced by calling getBytes() on an integer column of a RowSet.
Change-Id: Ib5361d838d2869142fd797d4e3454e2562ea7acf
Reviewed-on: https://gerrit.libreoffice.org/14720
Tested-by: David Tardon <dtardon@redhat.com>
Reviewed-by: David Tardon <dtardon@redhat.com>
(cherry picked from commit 998f8cf5419f3da086246094408a50ab1e9d61f3)
|