From 5af5ea893bcb8a8eb472ac11133da10e5a604e66 Mon Sep 17 00:00:00 2001
From: Michael Stahl <michael.stahl@allotropia.de>
Date: Wed, 24 Feb 2021 19:18:51 +0100
Subject: xmlsecurity: improve handling of multiple certificates per X509Data

It turns out that an X509Data element can contain an arbitrary number of
each of its child elements.

How exactly certificates of an issuer chain may or should be distributed
across multiple X509Data elements isn't terribly obvious.

One thing that is clear is that any element that refers to or contains
one particular certificate has to be a child of the same X509Data
element, although in no particular order, so try to match the 2 such
elements that the parser supports in XSecController::setX509Data().

Presumably the only way it makes sense to have multiple signing
certificates is if they all contain the same key but are signed by
different CAs. This case isn't handled currently; CheckX509Data() will
complain there's not a single chain and validation of the certificates
will fail.

Change-Id: I9633a980b0c18d58dfce24fc59396a833498a77d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111500
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
 xmlsecurity/source/helper/ooxmlsecexporter.cxx | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'xmlsecurity/source/helper/ooxmlsecexporter.cxx')

diff --git a/xmlsecurity/source/helper/ooxmlsecexporter.cxx b/xmlsecurity/source/helper/ooxmlsecexporter.cxx
index e9a4e02fb222..324657a96ee0 100644
--- a/xmlsecurity/source/helper/ooxmlsecexporter.cxx
+++ b/xmlsecurity/source/helper/ooxmlsecexporter.cxx
@@ -201,15 +201,19 @@ void OOXMLSecExporter::Impl::writeKeyInfo()
 {
     m_xDocumentHandler->startElement(
         "KeyInfo", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
-    assert(!m_rInformation.X509Datas.empty());
-    for (auto const& it : m_rInformation.X509Datas)
+    assert(m_rInformation.GetSigningCertificate());
+    for (auto const& rData : m_rInformation.X509Datas)
     {
         m_xDocumentHandler->startElement(
             "X509Data", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
-        m_xDocumentHandler->startElement(
-            "X509Certificate", uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
-        m_xDocumentHandler->characters(it.X509Certificate);
-        m_xDocumentHandler->endElement("X509Certificate");
+        for (auto const& it : rData)
+        {
+            m_xDocumentHandler->startElement(
+                "X509Certificate",
+                uno::Reference<xml::sax::XAttributeList>(new SvXMLAttributeList()));
+            m_xDocumentHandler->characters(it.X509Certificate);
+            m_xDocumentHandler->endElement("X509Certificate");
+        }
         m_xDocumentHandler->endElement("X509Data");
     }
     m_xDocumentHandler->endElement("KeyInfo");
-- 
cgit