From ff572d9222ec16ffd679ae907a0bf4a8900265e1 Mon Sep 17 00:00:00 2001
From: Michael Stahl <michael.stahl@allotropia.de>
Date: Fri, 15 Oct 2021 20:52:47 +0200
Subject: xmlsecurity: fix test failing because NSS policy forbids SHA1

With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
8 tests including testODFGood in CppunitTest/xmlsecurity_signing
fail because the crypto policy disallows SHA1 for signatures.

Apparently this particular policy bit was added in NSS 3.59:
https://bugzilla.mozilla.org/show_bug.cgi?id=1670835

For signatures, maybe it's not a good idea to override system policy
for product builds, so do it locally in the tests, at least for now.

Another option would be to set NSS_HASH_ALG_SUPPORT environmental
variable to something like "+SHA-1".

If similar problems turn up for encrypted documents in the future,
that should be fixed in product builds too of course, as encrypted
documents must always be decryptable.

Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123678
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 18 ++++++++++++++++++
 xmlsecurity/qa/unit/signing/signing.cxx       | 12 ++++++++++++
 2 files changed, 30 insertions(+)

(limited to 'xmlsecurity/qa/unit')

diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index db3ac9b3d663..f9e2cab1b365 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -9,6 +9,12 @@
 
 #include <sal/config.h>
 
+#include <config_crypto.h>
+
+#if USE_CRYPTO_NSS
+#include <secoid.h>
+#endif
+
 #include <string_view>
 
 #include <com/sun/star/xml/crypto/SEInitializer.hpp>
@@ -66,6 +72,18 @@ void PDFSigningTest::setUp()
 {
     test::BootstrapFixture::setUp();
     MacrosTest::setUpNssGpg(m_directories, "xmlsecurity_pdfsigning");
+
+    uno::Reference<xml::crypto::XSEInitializer> xSEInitializer
+        = xml::crypto::SEInitializer::create(mxComponentContext);
+    uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext
+        = xSEInitializer->createSecurityContext(OUString());
+#if USE_CRYPTO_NSS
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void PDFSigningTest::tearDown()
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index 32dba85f951b..109287c93fe1 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -7,11 +7,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
+#include <config_crypto.h>
 #include <config_features.h>
 #include <config_gpgme.h>
 
 #include <sal/config.h>
 
+#if USE_CRYPTO_NSS
+#include <secoid.h>
+#endif
+
 #include <test/bootstrapfixture.hxx>
 #include <unotest/macros_test.hxx>
 #include <test/xmltesttools.hxx>
@@ -100,6 +105,13 @@ void SigningTest::setUp()
     mxDesktop.set(frame::Desktop::create(mxComponentContext));
     mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
     mxSecurityContext = mxSEInitializer->createSecurityContext(OUString());
+#if USE_CRYPTO_NSS
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void SigningTest::tearDown()
-- 
cgit