From 4ab8d9c09a5873ca0aea56dafa1ab34758d52ef7 Mon Sep 17 00:00:00 2001
From: Michael Stahl
Date: Thu, 18 Feb 2021 19:22:31 +0100
Subject: xmlsecurity: XSecParser confused about multiple timestamps
LO writes timestamp both to dc:date and xades:SigningTime elements. The parser tries to avoid reading multiple dc:date, preferring the first one, but doesn't care about multiple xades:SigningTime, for undocumented reasons. Ideally something should check all read values for consistency.
Change-Id: Ic018ee89797a1c8a4f870ae102af48006de930ef
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111160
Tested-by: Jenkins
Reviewed-by: Michael Stahl
---
 xmlsecurity/source/helper/xsecparser.cxx | 31 ++++++++-----------------------
 xmlsecurity/source/helper/xsecparser.hxx | 6 ------
 xmlsecurity/source/helper/xsecverify.cxx | 6 ++++++
 3 files changed, 14 insertions(+), 29 deletions(-)
(limited to 'xmlsecurity')
diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
index 5166464f6f1d..24f5f33bff58 100644
--- a/xmlsecurity/source/helper/xsecparser.cxx
+++ b/xmlsecurity/source/helper/xsecparser.cxx
@@ -974,6 +974,9 @@ class XSecParser::XadesSigningCertificateContext
 class XSecParser::XadesSigningTimeContext
 : public XSecParser::Context
 {
+ private:
+ OUString m_Value;
+
 public:
 XadesSigningTimeContext(XSecParser & rParser,
 std::unique_ptr pOldNamespaceMap)
@@ -981,20 +984,14 @@ class XSecParser::XadesSigningTimeContext
 {
 }
- virtual void StartElement(
- css::uno::Reference const& /*xAttrs*/) override
- {
- m_rParser.m_ouDate.clear();
- }
-
 virtual void EndElement() override
 {
- m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate );
+ m_rParser.m_pXSecController->setDate(m_Value);
 }
 virtual void Characters(OUString const& rChars) override
 {
- m_rParser.m_ouDate += rChars;
+ m_Value += rChars;
 }
 };
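Review bot: `XadesSigningTimeContext::Characters()` collects the element text verbatim into `m_Value` and `EndElement()` hands it to `setDate()` unconditionally, so an empty or whitespace-padded `xades:SigningTime` now reaches the controller as a timestamp like any other. Because the check this patch adds in xsecverify.cxx compares timestamps as strings, that is worth stating at the call, e.g. `// forwarded verbatim, even if empty; setDate() compares every timestamp it receives`. The same applies to `DcDateContext` in the `@@ -1109,26 +1106,14 @@` hunk, which no longer skips a second `dc:date`. Both class bodies start outside their hunks.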
@@ -1100,7 +1097,7 @@ class XSecParser::DcDateContext
 : public XSecParser::Context
 {
 private:
- bool m_isIgnore = false;
+ OUString m_Value;
 public:
 DcDateContext(XSecParser & rParser,
@@ -1109,26 +1106,14 @@ class XSecParser::DcDateContext
 {
 }
- virtual void StartElement(
- css::uno::Reference const& /*xAttrs*/) override
- {
- m_isIgnore = !m_rParser.m_ouDate.isEmpty();
- }
-
 virtual void EndElement() override
 {
- if (!m_isIgnore)
- {
- m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate );
- }
+ m_rParser.m_pXSecController->setDate(m_Value);
 }
 virtual void Characters(OUString const& rChars) override
 {
- if (!m_isIgnore)
- {
- m_rParser.m_ouDate += rChars;
- }
+ m_Value += rChars;
 }
 };
diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx
index b99a170b87c3..e146340612da 100644
--- a/xmlsecurity/source/helper/xsecparser.hxx
+++ b/xmlsecurity/source/helper/xsecparser.hxx
@@ -97,12 +97,6 @@ private:
 class DsSignatureContext;
 class DsigSignaturesContext;
- /*
- * the following members are used to reserve the signature information,
- * including X509IssuerName, X509SerialNumber, and X509Certificate,etc.
- */
- OUString m_ouDate;
-
 std::stack> m_ContextStack;
 std::unique_ptr m_pNamespaceMap;
diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
index ec8d4f34f6b3..9a50207e733c 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -325,6 +325,12 @@ void XSecController::setDate( OUString const & ouDate )
 return;
 }
 InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
+ // there may be multiple timestamps in a signature - check them for consistency
+ if (!isi.signatureInfor.ouDateTime.isEmpty()
+ && isi.signatureInfor.ouDateTime != ouDate)
+ {
+ isi.signatureInfor.hasInconsistentSigningTime = true;
+ }
 (void)utl::ISO8601parseDateTime( ouDate, isi.signatureInfor.stDateTime);
 isi.signatureInfor.ouDateTime = ouDate;
 }
-- cgit
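Review bot: The new check in `setDate()` treats an empty `ouDateTime` as "no timestamp read yet", so an empty timestamp element followed by a non-empty one does not set `hasInconsistentSigningTime`, and in every case the later value still overwrites `ouDateTime` and `stDateTime`. Tracking "a timestamp was already stored" separately from the stored text, or rejecting an empty `ouDate` before the comparison, would cover that case. The result of `utl::ISO8601parseDateTime` is also still discarded with `(void)`, so a value that does not parse is stored as the signing time text; it may deserve the same flag. Nothing in this hunk shows where `hasInconsistentSigningTime` is evaluated, so the verification result and the UI should be confirmed to treat it as a failure. The function starts outside the hunk.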