| Age | Commit message (Collapse) | Author |
|---|
|
SHA1_WITH_RSA is a signing algorithm, not a digest one, but let's
accept it, so LO on Linux can verify a signature generated by LO on
Windows.
It's annoying that equivalent mapping in NSS is not part of their public
API.
Change-Id: I97186fcc1d118f922e5ee3cb472aa5b52bc4b5ca
|
|
And use it in xmlsecurity when signing an existing PDF. This is
especially important on Windows, where the PKCS#7 blob doesn't have an
(unsigned) timestamp.
Change-Id: I4051dc19a43f8f8114d9f4d02309f28d6754e9ae
|
|
and update modules writerfilter..xmloff with the resulting changes
Change-Id: I54d19c22ddb0ff579b32e4934d266c925b19305c
Reviewed-on: https://gerrit.libreoffice.org/30530
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
|
|
Now that the mscrypto part of PDFDocument::ValidateSignature() is
implemented it's possible to run these tests on Windows as well,
provided the machine has at least one signing certificate installed.
Also fix a race, where the workdir of the signing test was used by the
pdfsigning test.
Change-Id: I80bbfbb5dc4baa400f9a6b85961883a247b0f22b
|
|
It was only assigned to. Some follow-up simplification.
Change-Id: I3b522064e946667d3a4c8fb82ee40bd0d44dd569
|
|
No need to have a comment saying 'write signatures' when calling a
function that is called WriteSignature(). (Actually, the function name
is slightly misleading, as it says 'signature' in singular while what
it actually does is write multiple signatures, if present.)
Also drop some leftover comments that were related to code that was
commented out already in 2004 or 2007 and removed completely in 2010.
Change-Id: I7a53b3eabb81fc03c66e746f78267be4c1751b0f
|
|
Change-Id: Icc0ead769fa0a052f7d4dfbc825c96dbb513b33f
|
|
All the catch blocks for classes derivved from uno::Exception
contained the same single statement as the catch block for
uno::Exception itself.
Change-Id: Ic33b432416abfda7557862d25237dc7221585327
|
|
The timestamp isn't extracted yet, but the digest match is already
checked correctly and the certificate is exposed.
Change-Id: Ieca002a5c4ca0b96f4dc397c460adb7f88f5ffc7
Reviewed-on: https://gerrit.libreoffice.org/30499
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Change-Id: I4ebdca6a7d09a228122842a79b217ac2611a7c06
|
|
It has been commented out since creation in 2004.
Change-Id: I25ff3ff953430ecbb84fecd3228e662a9c3e1276
|
|
Change-Id: I37e614f6dfa0778cb126a6de282921a15417af1c
|
|
Adobe Acrobat uses object streams (PDF 1.6) when it signs a PDF exported
from LO (PDF 1.4), with this we can verify that signature.
If the PDF had at least one signature in LO, then the doc is not
upgraded from PDF 1.4, so that was working already.
Change-Id: I54b4447ca965a8ba1ffc69bde228ab6f0bda59ee
|
|
Change-Id: I2a690caea7656f2a18beb6d09f53154178a30f34
Reviewed-on: https://gerrit.libreoffice.org/30460
Reviewed-by: Jochen Nitschke <j.nitschke+logerrit@ok.de>
Tested-by: Jochen Nitschke <j.nitschke+logerrit@ok.de>
|
|
Change-Id: I4b87541c6e64e6b2b7c912f47a80a4aa37842014
|
|
Change-Id: I0d7e6a14ec890b8a1dbdea3685b543b63426c628
|
|
...after 1b98f38cfac2ac6caa7f178f70bcd9c5f74f16a4 "css.xml.sax.XAttributeList is
broken by design"
Change-Id: I052baf70f7798c47a9022bb7623149cb41069227
|
|
In the Java interface it was reportedly copied from, getValue can return null to
indicate a missing attribute, but in UNOIDL that's not possible. The workaround
that implementations of the UNOIDL interface resorted to is apparently to return
an empty string (another option would have been to throw an exception).
But the code in xmlsecurity appears to be written under the ill assumption that
getValueByName would return null for a missing attribute. What the code as
written actually did check was whether the return value is an empty string
(because it picks the operator ==(OUString const &, sal_Unicode const *)
overload, which happens to treat a null second argument like an empty string).
Ideally, the code in xmlsecurity would have some way to tell a missing attribute
from an empty one (via some extended XAttributeList2, or by iterating over all
getNameByIndex, or ...). But for none of the affected attributes it seems
expected that the attribute's value could be an empty string, so checking for an
empty string seems to work reasonably well in practice. So keep it simple and
just check for an empty string properly.
Thanks to Tor for spotting that odd xmlsecurity code.
Change-Id: Ib068ee98ef818683a43309ab4d7c3a4731e8deff
|
|
Change-Id: I2353d3c73130ed9420e8d803a9a96a06549bb6bd
Reviewed-on: https://gerrit.libreoffice.org/30429
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Tested-by: Noel Grandin <noel.grandin@collabora.co.uk>
|
|
e.g. ooo112863-2.pdf
Change-Id: I359f7e50f416f0a756e16099cdf47be3b1c32d90
|
|
This is needed (but not enough) to verify PDF 1.5 signatures. What's
missing next is support for object streams.
Change-Id: I5afec0a77839ffabe0aaa07e367064210535a1a9
|
|
This adds support for cross-reference streams (which can be used instead
of plain-text cross-reference tables) + also one stream predictor.
The actual parsed data is still not used, though.
Change-Id: Ia806abd8a97636a1bd25dfdafea377b088800f00
|
|
Change-Id: I78e85923e2c5da366c0bec0812c8fe0240310b67
|
|
They just make grepping harder, and don't really avoid a risk of
mistyping. For instance, there were both TAG_TRANSFORM and
TAG_TRANSFORMS (with values "Transform" and "Transforms"), so if you
think you are likely to misspell "Transforms" as "Transform", you are
as likely to misspell TAG_TRANSFORMS as TAG_TRANSFORM. Typos affecting
generated XML should be catched by unit tests anyway.
Some of the (newer) code here is already in this style, using string
literals directly for tags and attributes, so this change just makes
the style more uniform.
I did not touch the macros that have long URIs as value. For them
there is some usefulness in having the shorter macros in the
code. (But the names of the ALGO_* macros are not consistently
constructed from the URIs.)
Change-Id: I9130395f45fafc13fb2a6ac47e98177647e27cf9
|
|
Support for Cross-Reference Streams is still missing, but this avoids
a crash at least.
Change-Id: I8c5d16531f8603feeebe8feddb7c3bdfa61943cb
|
|
The signature date can be placed as the value of the "M" key, and also
inside the signed PKCS#7 binary. When the later is missing show what's
described in the previous.
Change-Id: Idb40d91adb70486bc1f19d4755a3f8e17d35e9e9
|
|
Each pdf signature is mentioned in the Annots key of a page object.
Usually the key contains an array value. But it's valid for the key to
contain a reference to an object, where the object contains the actual
array, so support this case as well.
Also:
- stop parsing name tokens on the first seen '(' character (usually
there is a whitespace between the two, but that's not required)
- handle \0 characters in the last 1024 bytes of the document by using
std::search() instead of strstr().
Change-Id: I3a167b23340230f99f1ae4112473ed10e1c96b09
|
|
We should also just use the string literals as such in the code (some
newer parts of this module already does that), and not hide them
behind preprocessor macros. An Easy Hack?
Change-Id: I3ab5793ff265a4aceff2fed1562a54bfb0ce3ccb
|
|
And various other minor fixes.
Change-Id: Ifcccebf48aac8ad526406f2d7a402a840d3c91cd
|
|
Previously we only managed to verify a signature in case the certificate
was already imported in the local NSS db. Don't depend on that by
(temporarily) importing certificates from the PDF signature.
Also adjust a test file that failed previously (the test DB has only an
"Alice" cert imported, intentionally sign the file as "Bob" as well).
Change-Id: Id8440acc31915f5a1718ea48129b950bb67e7486
|
|
PDF signatures are always chained, so when removing a signature not only
the item at a given position should be removed on the UI, but the whole
position-last range.
Change-Id: I76b14308885267cdac994fa957218a8b7df6b3cf
|
|
We can mandate that the byte range end is the end of the file for the
last signature only.
With this, signing a previously unsigned file multiple times works, so
add a matching testcase for that as well.
Change-Id: I8fe5482890fca4dab8da6305aa7fc7f60df612d8
|
|
We used to just dump all the object offsets in the xref of the
incremental update, but Adobe Acrobat doesn't like that, and considers
that a second signature invalidates the first. If we properly only
mention new and changed objects in the xref, then this doesn't happen.
This requires actually parsing incremental updates, the previous code
depended on LO writing not-really-incremental xrefs at the end of
incremental updates.
Change-Id: Icdd73fe0a3eab16f8c5a62f1355edbb49f6e73de
Reviewed-on: https://gerrit.libreoffice.org/30288
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
Otherwise Adobe Acrobat thinks they are different versions of the same
signature.
Change-Id: I454c7d87106e348fd70f18fad83f2c3aeda29dff
Reviewed-on: https://gerrit.libreoffice.org/30278
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
Similar to the Page object's Annots key, but here we want to append our
reference to the nested AcroForm/Fields key, so that needs more
infrastructure.
This is also needed (but not enough) to be able to sign a PDF document
multiple times.
Change-Id: I4d5e2aa8f49d2181a15cbf7c4e27577fc98b547d
Reviewed-on: https://gerrit.libreoffice.org/30267
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
Previously we assumed that the Page object's dictionary has no Annots
key. Now detect if that's not true, and in that case don't just copy of
the whole dictionary (as part of the incremental update), instead copy
it in two steps, so we can insert our reference in the middle.
This is needed (but not enough alone) to be able to sign a PDF document
multiple times.
Change-Id: Ia5bf993320428eef80551e7e9cc7bfb2b858db7f
Reviewed-on: https://gerrit.libreoffice.org/30257
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
This one needs no access to private test keys, so no workaround is
needed for older NSS.
Change-Id: Ia233901658832cf55157511b4c5b5c2ccb243425
|
|
Change-Id: I55a0388838a7b9aebc6fd07c92e4d1a8081a4fb6
|
|
The pdfdocument problem is present only on 32bit.
The pdfsigning problem is present on RHEL6, but not on RHEL7, for some
reason NSS fails to parse the provided profile (generated by a bit newer
NSS). Just return early in that case, we want to test the PDF code
there, not NSS.
Change-Id: I1123865d4b2176676a8fdaf648222fda8ca0b923
Reviewed-on: https://gerrit.libreoffice.org/30229
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Change-Id: If75874ee12197edd367f5527a37e467041005794
|
|
Change-Id: I460d5e7c431d2613999db86a73d4e14663ff038d
|
|
Change-Id: Ia5829219eda13832857848267afae25167a31ab8
|
|
Change-Id: Ie0116a7c9c51268204647499b26f4247e55e0523
|
|
Unlike with ZIP-based storage, it can happen that the removal fails, so
make sure we only remove the signature from the listbox when
PDFDocument::RemoveSignature() succeeds.
Change-Id: I3241fc11425686bc1ea5452b8f602e053aec0769
Reviewed-on: https://gerrit.libreoffice.org/30224
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
This reverts commit f736c71dde8f4a84688b932b1531808d4c7cbd8c.
Change-Id: I83df90a5fc6cefb4e0c4fdbb37fa46a546809b83
Reviewed-on: https://gerrit.libreoffice.org/30223
Reviewed-by: Julien Nabet <serval2412@yahoo.fr>
Tested-by: Julien Nabet <serval2412@yahoo.fr>
|
|
Change-Id: Ib7b17f85c7b6a1937c3f6e1617ceec58074643b4
Reviewed-on: https://gerrit.libreoffice.org/30040
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: jan iversen <jani@documentfoundation.org>
Tested-by: jan iversen <jani@documentfoundation.org>
|
|
Change-Id: I74165378255e3c844ee7f91a5d4eb09a573784bd
Reviewed-on: https://gerrit.libreoffice.org/30179
Reviewed-by: Julien Nabet <serval2412@yahoo.fr>
Tested-by: Julien Nabet <serval2412@yahoo.fr>
|
|
It's not exactly clear how one should guess what was file end before
signing, for now assume the followings:
- the file ended with a %%EOF, an optional \r, and a \n
- the number of incremental updates is the same as the number of
signatures
When the later is not the case, don't attempt to remove the signature.
Change-Id: I203a7b0605fc061ec6aacfde3a8eedc4736379f2
Reviewed-on: https://gerrit.libreoffice.org/30140
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
"In addition, the added trailer dictionary shall contain a Prev entry
giving the location of the previous cross-reference section."
(ISO-32000-1, section 7.5.6). Add it, even if it seems Adobe Acrobat can
live with not writing it.
Change-Id: I1f53e75ebe7dba4b45b3cf1908b2d3b031ef6b02
Reviewed-on: https://gerrit.libreoffice.org/30133
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
If the NSS binary files ever need re-generating, it's just a copy from a
fresh Firefox user profile, after importing
'example-xmlsecurity-Alice.cert.p12', as produced by
'./create-certs.sh'.
Change-Id: Iabe15a816cb674d1691e3ff3e10aa2bd851f8e0d
Reviewed-on: https://gerrit.libreoffice.org/30126
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
