From 27753561a1899949c5cbd5cc6b72a238769e1eeb Mon Sep 17 00:00:00 2001
From: Miklos Vajna
Date: Tue, 5 Nov 2024 08:22:05 +0100
Subject: cool#9992 lok doc sign, create-certs.sh password-less mode: still create a .p12

I have a case where LOK convert-to with ODT->PDF and SignCertificateCaPem/SignCertificateCertPem/SignCertificateKeyPem set creates a corrupted PDF signature, while more or less the same on the desktop works.

The PDF signature is a hex dump, and once converted to binary, one can analyze the content using 'openssl asn1parse -inform der -in ... -i'. Still, the LOK and the desktop cases differ, because this script generates random certificates and then the binary output in the two cases differs, so hard to see the actual difference.

Fix the problem by still generating .p12 output (needed for the desktop case) in the no-password case, so a single run can emit ca/cert/key PEM files and a .p12 archive, so exactly the same input can be used for desktop and LOK signing.

It turns out the actual problem I looked at was some setup problem, because now that the same input can be used in the two cases, the LOK signing during PDF export works fine.

Change-Id: Ifc5ff73cd6fbbc057af536c84e4367ce1d489931
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176081
Reviewed-by: Miklos Vajna
Tested-by: Jenkins
---
 xmlsecurity/qa/create-certs/create-certs.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'xmlsecurity')

diff --git a/xmlsecurity/qa/create-certs/create-certs.sh b/xmlsecurity/qa/create-certs/create-certs.sh index 9fce95ac566d..7ac81b353f2e 100755 --- a/xmlsecurity/qa/create-certs/create-certs.sh +++ b/xmlsecurity/qa/create-certs/create-certs.sh
@@ -200,6 +200,14 @@ do -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \ -certfile intermediate/certs/ca-chain.cert.pem \ -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" + else + openssl pkcs12 -export \ + -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \ + -passout env:SSLPASS \ + -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \ + -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \ + -certfile intermediate/certs/ca-chain.cert.pem \ + -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" fi fi done @@ -209,9 +217,8 @@ echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pe echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'." for i in Alice Bob do - if [ "$pass" == "y" ]; then - echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>." - else + echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>." + if [ "$pass" != "y" ]; then echo "Cert file is at <$root/ca/intermediate/certs/example-xmlsecurity-${i}.cert.pem>." echo "Key file is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.key.pem>." fi -- cgit
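Review bot: In the first hunk (@@ -200,6 +200,14 @@), the new else branch passes `-passout env:SSLPASS` even though it is the password-less path, and nothing in the visible lines shows that SSLPASS is set or exported when no password was requested. If the variable is missing, `openssl pkcs12 -export` cannot read the export password and the .p12 is not written. Please either set a documented default for SSLPASS before the loop in this mode or add a comment stating which value protects the archive here. Separately, the last three arguments of the added command (`-in`, `-certfile`, `-CSP`) repeat the context lines of the branch above; if the rest of the two commands also matches, hoisting a single pkcs12 export out of the conditional would avoid the duplication.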
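Review bot: In the second hunk (@@ -209,9 +217,8 @@), the "Signing certificate is at <...cert.p12>" line is now printed in both modes, but in the `[ "$pass" != "y" ]` case the output does not say which password opens that .p12, and the user needs it to import the archive on the desktop side. Consider adding one echo in that branch that names the password source (the `-passout env:SSLPASS` value used in the first hunk), next to the existing "Cert file is at" and "Key file is at" lines, and a short note that the listed key.pem comes from the password-less mode and is meant for test use.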