Age | Commit message (Collapse) | Author |
|
The problem: an object stream provies obj#1 and obj#2, then an
incremental updates provides an updated obj#1'. Then we look up obj#2,
parse the stored objects on-demand, so at the end when later we look up
the first object, we find obj#1, not obj#1'.
An easy workaround would be to never update already existing objects
from object streams, but that would break when an incremental update
provides an object stream.
Fix the problem by parsing stored objects right after tokenizing the
object stream, and not later, on-demand, when we no longer have the
context what objects should be ignored.
This is needed (but not enough) to correctly append a signature at the
end of a PDF file that has both object streams and incremental updates.
Change-Id: I3c1fae5ac26804c8e8cc1984511f43cfa881c97b
|
|
Pass an XAdES flag to a couple more functions and adapt to that.
Factor out writeDigestMethod() and writeSignedProperties() from
OOXMLSecExporter::Impl to DocumentSignatureHelper and use them in an
additional place.
Write xd:UnsignedProperties with EncapsulatedX509Certificate. Probably
much more work needed.
Change-Id: I2a0cd1db6dd487b9c7ba256ad29473de3d271cd8
|
|
This is especially needed, as we don't bother compressing updated
objects into sections on signing, we simply use a separate section for
each updated object.
Work towards supporting xref streams and incremental updates at the same
time.
Change-Id: Ie9759edbba816991615fafc6602cdd440141b989
|
|
With this our xref stream output is close enough to Acrobat so that the
existing signature verifier runs without any problems.
Change-Id: I6eca7966890365759c269b465e4bf4d86d335219
|
|
Change-Id: I8f2963c9b6b1c8717ea4d19453815fffa6e68484
|
|
This way it's a bit smaller for large files and our output is closer to
what Acrobat produces.
Change-Id: Ide5f7b58a74a9d6ad7d806814eb57cb6931023cc
Reviewed-on: https://gerrit.libreoffice.org/30726
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
So that when we have a single signature with ID="Signature2", then we
use "Signature3" for the next ID, not "Signature2". (Acrobat uses that ID
for the first signature.)
Change-Id: I7032fbf014184da2a5be24730a92abc32a9a1258
Reviewed-on: https://gerrit.libreoffice.org/30725
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
In case the input document used a PDF 1.5 xref stream, not an old xref
table, then write that as part of the incremental update. Acrobat seems
to require this.
Change-Id: I9f1f73140c26308f8720aa1ffe1b905d0e60ede0
Reviewed-on: https://gerrit.libreoffice.org/30724
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Normally it's a direct dictionary, but it's OK to have it as a reference, and
then the referenced object is a dictionary.
Change-Id: If09edaf23501883be68148e430c42e721ec68247
Reviewed-on: https://gerrit.libreoffice.org/30719
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Sure, using a namespace means we have to decorate each function with the
XMLSECURITY_DLLPUBLIC, but who cares.
Change-Id: If9a364d1be9c5f4cd02f3f146e8b01bd608b373e
|
|
Change-Id: Id9daf4f5e3208eca8d3d845983b58ab056557621
|
|
Normally it's a direct array, but it's OK to have it as a reference, and
then the referenced object is an array.
Change-Id: I191150632c2d8317ee6fd8c8169a90996298faa4
Reviewed-on: https://gerrit.libreoffice.org/30718
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
In case our xref table doesn't have an entry for "free" object types,
then the table size won't provide a valid id for a next object. That
resulted in creating all new objects with the same ID.
With this, our verifier at least can see the new signature when
appending one to a signed PDF 1.6 file.
Change-Id: Iac39a400706cfcd23dd814d2b81cb8b950c69fc6
Reviewed-on: https://gerrit.libreoffice.org/30704
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Don't give up signing just because PDF 1.4 trailer is missing, provided
that PDF 1.5 xref stream is available.
Change-Id: I03360d428346537583a4398aa3a94b195b428713
Reviewed-on: https://gerrit.libreoffice.org/30703
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
This will need cross-reference stream write support, just don't crash
for now.
Change-Id: Id48c131b22d4ed96174693f3e96b14c273d596a8
Reviewed-on: https://gerrit.libreoffice.org/30702
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
The signature manager always creates an XML helper, and optionally creates a
PDF helper as well. Both of them initialize xmlsec, and when the signature
manager is deleted, there are two de-inits, leading to an assertion failure in
xmlsec.
Fix the problem by moving the duplicated xmlsec init to the signature manager.
This has the additional benefit that general security-related code no longer
has to talk to the XML helper, it can use the signature manager, which feels
more natural. (What viewing a certificate had to do with XML?)
Change-Id: If6a6bc433636445f3782849a367d4a7ac0be7688
Reviewed-on: https://gerrit.libreoffice.org/30695
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
Remove SignatureInformation::nSecurityEnvironmentIndex as it was
always -1.
Change-Id: I39247e5c40ce36e394c30b450626eca533f46267
|
|
The XSecController::setX509Certificate() overload that took a
sal_Int32 nSecurityEnvironmentIndex was called in just one place, and
-1 was always passed for the nSecurityEnvironmentIndex.
Change-Id: Ic37b7053c90a6fbb8b4e5b6485483d34c605b965
|
|
xmlsecurity is such a mess. Too many different classes that actually
have more or less identical life-time, with names that smell of
delusions of grandeur. "Manager", "security framework controller" etc
for stuff that actually exist only during the execution of a simple
dialog. And then a "helper" class that actually in on a higher level
than a "framework controller". But oh well.
Change-Id: I86e461b1bc91a0d8f5b7fb9f13a5be201729df1e
|
|
Change-Id: I45d45513b102f4fdcb55e8de20b95b37f66ea463
Reviewed-on: https://gerrit.libreoffice.org/30658
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Tested-by: Michael Stahl <mstahl@redhat.com>
|
|
SHA1_WITH_RSA is a signing algorithm, not a digest one, but let's
accept it, so LO on Linux can verify a signature generated by LO on
Windows.
It's annoying that equivalent mapping in NSS is not part of their public
API.
Change-Id: I97186fcc1d118f922e5ee3cb472aa5b52bc4b5ca
|
|
And use it in xmlsecurity when signing an existing PDF. This is
especially important on Windows, where the PKCS#7 blob doesn't have an
(unsigned) timestamp.
Change-Id: I4051dc19a43f8f8114d9f4d02309f28d6754e9ae
|
|
and update modules writerfilter..xmloff with the resulting changes
Change-Id: I54d19c22ddb0ff579b32e4934d266c925b19305c
Reviewed-on: https://gerrit.libreoffice.org/30530
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
|
|
Now that the mscrypto part of PDFDocument::ValidateSignature() is
implemented it's possible to run these tests on Windows as well,
provided the machine has at least one signing certificate installed.
Also fix a race, where the workdir of the signing test was used by the
pdfsigning test.
Change-Id: I80bbfbb5dc4baa400f9a6b85961883a247b0f22b
|
|
It was only assigned to. Some follow-up simplification.
Change-Id: I3b522064e946667d3a4c8fb82ee40bd0d44dd569
|
|
No need to have a comment saying 'write signatures' when calling a
function that is called WriteSignature(). (Actually, the function name
is slightly misleading, as it says 'signature' in singular while what
it actually does is write multiple signatures, if present.)
Also drop some leftover comments that were related to code that was
commented out already in 2004 or 2007 and removed completely in 2010.
Change-Id: I7a53b3eabb81fc03c66e746f78267be4c1751b0f
|
|
Change-Id: Icc0ead769fa0a052f7d4dfbc825c96dbb513b33f
|
|
All the catch blocks for classes derivved from uno::Exception
contained the same single statement as the catch block for
uno::Exception itself.
Change-Id: Ic33b432416abfda7557862d25237dc7221585327
|
|
The timestamp isn't extracted yet, but the digest match is already
checked correctly and the certificate is exposed.
Change-Id: Ieca002a5c4ca0b96f4dc397c460adb7f88f5ffc7
Reviewed-on: https://gerrit.libreoffice.org/30499
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Change-Id: I4ebdca6a7d09a228122842a79b217ac2611a7c06
|
|
It has been commented out since creation in 2004.
Change-Id: I25ff3ff953430ecbb84fecd3228e662a9c3e1276
|
|
Change-Id: I37e614f6dfa0778cb126a6de282921a15417af1c
|
|
Adobe Acrobat uses object streams (PDF 1.6) when it signs a PDF exported
from LO (PDF 1.4), with this we can verify that signature.
If the PDF had at least one signature in LO, then the doc is not
upgraded from PDF 1.4, so that was working already.
Change-Id: I54b4447ca965a8ba1ffc69bde228ab6f0bda59ee
|
|
Change-Id: I2a690caea7656f2a18beb6d09f53154178a30f34
Reviewed-on: https://gerrit.libreoffice.org/30460
Reviewed-by: Jochen Nitschke <j.nitschke+logerrit@ok.de>
Tested-by: Jochen Nitschke <j.nitschke+logerrit@ok.de>
|
|
Change-Id: I4b87541c6e64e6b2b7c912f47a80a4aa37842014
|
|
Change-Id: I0d7e6a14ec890b8a1dbdea3685b543b63426c628
|
|
...after 1b98f38cfac2ac6caa7f178f70bcd9c5f74f16a4 "css.xml.sax.XAttributeList is
broken by design"
Change-Id: I052baf70f7798c47a9022bb7623149cb41069227
|
|
In the Java interface it was reportedly copied from, getValue can return null to
indicate a missing attribute, but in UNOIDL that's not possible. The workaround
that implementations of the UNOIDL interface resorted to is apparently to return
an empty string (another option would have been to throw an exception).
But the code in xmlsecurity appears to be written under the ill assumption that
getValueByName would return null for a missing attribute. What the code as
written actually did check was whether the return value is an empty string
(because it picks the operator ==(OUString const &, sal_Unicode const *)
overload, which happens to treat a null second argument like an empty string).
Ideally, the code in xmlsecurity would have some way to tell a missing attribute
from an empty one (via some extended XAttributeList2, or by iterating over all
getNameByIndex, or ...). But for none of the affected attributes it seems
expected that the attribute's value could be an empty string, so checking for an
empty string seems to work reasonably well in practice. So keep it simple and
just check for an empty string properly.
Thanks to Tor for spotting that odd xmlsecurity code.
Change-Id: Ib068ee98ef818683a43309ab4d7c3a4731e8deff
|
|
Change-Id: I2353d3c73130ed9420e8d803a9a96a06549bb6bd
Reviewed-on: https://gerrit.libreoffice.org/30429
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Tested-by: Noel Grandin <noel.grandin@collabora.co.uk>
|
|
e.g. ooo112863-2.pdf
Change-Id: I359f7e50f416f0a756e16099cdf47be3b1c32d90
|
|
This is needed (but not enough) to verify PDF 1.5 signatures. What's
missing next is support for object streams.
Change-Id: I5afec0a77839ffabe0aaa07e367064210535a1a9
|
|
This adds support for cross-reference streams (which can be used instead
of plain-text cross-reference tables) + also one stream predictor.
The actual parsed data is still not used, though.
Change-Id: Ia806abd8a97636a1bd25dfdafea377b088800f00
|
|
Change-Id: I78e85923e2c5da366c0bec0812c8fe0240310b67
|
|
They just make grepping harder, and don't really avoid a risk of
mistyping. For instance, there were both TAG_TRANSFORM and
TAG_TRANSFORMS (with values "Transform" and "Transforms"), so if you
think you are likely to misspell "Transforms" as "Transform", you are
as likely to misspell TAG_TRANSFORMS as TAG_TRANSFORM. Typos affecting
generated XML should be catched by unit tests anyway.
Some of the (newer) code here is already in this style, using string
literals directly for tags and attributes, so this change just makes
the style more uniform.
I did not touch the macros that have long URIs as value. For them
there is some usefulness in having the shorter macros in the
code. (But the names of the ALGO_* macros are not consistently
constructed from the URIs.)
Change-Id: I9130395f45fafc13fb2a6ac47e98177647e27cf9
|
|
Support for Cross-Reference Streams is still missing, but this avoids
a crash at least.
Change-Id: I8c5d16531f8603feeebe8feddb7c3bdfa61943cb
|
|
The signature date can be placed as the value of the "M" key, and also
inside the signed PKCS#7 binary. When the later is missing show what's
described in the previous.
Change-Id: Idb40d91adb70486bc1f19d4755a3f8e17d35e9e9
|
|
Each pdf signature is mentioned in the Annots key of a page object.
Usually the key contains an array value. But it's valid for the key to
contain a reference to an object, where the object contains the actual
array, so support this case as well.
Also:
- stop parsing name tokens on the first seen '(' character (usually
there is a whitespace between the two, but that's not required)
- handle \0 characters in the last 1024 bytes of the document by using
std::search() instead of strstr().
Change-Id: I3a167b23340230f99f1ae4112473ed10e1c96b09
|
|
We should also just use the string literals as such in the code (some
newer parts of this module already does that), and not hide them
behind preprocessor macros. An Easy Hack?
Change-Id: I3ab5793ff265a4aceff2fed1562a54bfb0ce3ccb
|
|
And various other minor fixes.
Change-Id: Ifcccebf48aac8ad526406f2d7a402a840d3c91cd
|
|
Previously we only managed to verify a signature in case the certificate
was already imported in the local NSS db. Don't depend on that by
(temporarily) importing certificates from the PDF signature.
Also adjust a test file that failed previously (the test DB has only an
"Alice" cert imported, intentionally sign the file as "Bob" as well).
Change-Id: Id8440acc31915f5a1718ea48129b950bb67e7486
|