From c88063e80d464af195afe88d558a44ef77d69f4a Mon Sep 17 00:00:00 2001 From: Samuel Mehrbrodt Date: Wed, 21 Jun 2017 16:22:32 +0200 Subject: gpg4libre: Make viewing signatures work for gpg signatures Change-Id: Ic10846cb87e23ca9ffa0eb0d64c56fcf79c73a9d --- xmlsecurity/inc/digitalsignaturesdialog.hxx | 4 + .../source/dialogs/digitalsignaturesdialog.cxx | 91 +++++++++++----------- 2 files changed, 51 insertions(+), 44 deletions(-) (limited to 'xmlsecurity') diff --git a/xmlsecurity/inc/digitalsignaturesdialog.hxx b/xmlsecurity/inc/digitalsignaturesdialog.hxx index 44cf85da7d50..e49419e57a4a 100644 --- a/xmlsecurity/inc/digitalsignaturesdialog.hxx +++ b/xmlsecurity/inc/digitalsignaturesdialog.hxx @@ -101,6 +101,10 @@ private: void ImplFillSignaturesBox(); void ImplShowSignaturesDetails(); + css::uno::Reference getCertificate(const SignatureInformation& rInfo); + css::uno::Reference getSecurityEnvironmentForCertificate( + css::uno::Reference xCert); + //Checks if adding is allowed. //See the spec at specs/www/appwide/security/Electronic_Signatures_and_Security.sxw //(6.6.2)Behaviour with regard to ODF 1.2 diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx index aac3ca15bc30..d9f9bba47ec2 100644 --- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx +++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx @@ -501,11 +501,6 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() { m_pSignaturesLB->Clear(); - uno::Reference xSecEnv = maSignatureManager.getSecurityEnvironment(); - uno::Reference xGpgSecEnv = maSignatureManager.getGpgSecurityEnvironment(); - - uno::Reference< css::security::XCertificate > xCert; - size_t nInfos = maSignatureManager.maCurrentSignatureInformations.size(); size_t nValidSigs = 0, nValidCerts = 0; bool bAllNewSignatures = true; @@ -521,27 +516,7 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() aElementsToBeVerified = DocumentSignatureHelper::CreateElementList(maSignatureManager.mxStore, maSignatureManager.meSignatureMode, mode); const SignatureInformation& rInfo = maSignatureManager.maCurrentSignatureInformations[n]; - //First we try to get the certificate which is embedded in the XML Signature - if (!rInfo.ouX509Certificate.isEmpty()) - xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); - else { - //There must be an embedded certificate because we use it to get the - //issuer name. We cannot use /Signature/KeyInfo/X509Data/X509IssuerName - //because it could be modified by an attacker. The issuer is displayed - //in the digital signature dialog. - //Comparing the X509IssuerName with the one from the X509Certificate in order - //to find out if the X509IssuerName was modified does not work. See #i62684 - SAL_WARN( "xmlsecurity.dialogs", "Could not find embedded certificate!"); - } - - //In case there is no embedded certificate we try to get it from a local store - //Todo: This probably could be removed, see above. - if (!xCert.is()) - xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); - if (!xCert.is()) - xCert = xGpgSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); - - SAL_WARN_IF( !xCert.is(), "xmlsecurity.dialogs", "Certificate not found and can't be created!" ); + uno::Reference< css::security::XCertificate > xCert = getCertificate(rInfo); OUString aSubject; OUString aIssuer; @@ -555,13 +530,8 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() { //check the validity of the cert try { - sal_Int32 certResult; - if (xCert->getCertificateKind() == CertificateKind_OPENPGP) - certResult = xGpgSecEnv->verifyCertificate(xCert,Sequence >()); - else if (xCert->getCertificateKind() == CertificateKind_X509) - certResult = xSecEnv->verifyCertificate(xCert, Sequence >()); - else - throw RuntimeException("Unknown certificate kind"); + sal_Int32 certResult = getSecurityEnvironmentForCertificate(xCert)->verifyCertificate(xCert, + Sequence >()); bCertValid = certResult == css::security::CertificateValidity::VALID; if ( bCertValid ) @@ -674,6 +644,46 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() SignatureHighlightHdl( nullptr ); } +uno::Reference DigitalSignaturesDialog::getCertificate(const SignatureInformation& rInfo) +{ + uno::Reference xSecEnv = maSignatureManager.getSecurityEnvironment(); + uno::Reference xGpgSecEnv = maSignatureManager.getGpgSecurityEnvironment(); + uno::Reference xCert; + + //First we try to get the certificate which is embedded in the XML Signature + if (!rInfo.ouX509Certificate.isEmpty()) + xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); + else { + //There must be an embedded certificate because we use it to get the + //issuer name. We cannot use /Signature/KeyInfo/X509Data/X509IssuerName + //because it could be modified by an attacker. The issuer is displayed + //in the digital signature dialog. + //Comparing the X509IssuerName with the one from the X509Certificate in order + //to find out if the X509IssuerName was modified does not work. See #i62684 + SAL_WARN( "xmlsecurity.dialogs", "Could not find embedded certificate!"); + } + + //In case there is no embedded certificate we try to get it from a local store + if (!xCert.is()) + xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); + if (!xCert.is()) + xCert = xGpgSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); + + SAL_WARN_IF( !xCert.is(), "xmlsecurity.dialogs", "Certificate not found and can't be created!" ); + + return xCert; +} + +uno::Reference DigitalSignaturesDialog::getSecurityEnvironmentForCertificate(uno::Reference xCert) +{ + if (xCert->getCertificateKind() == CertificateKind_OPENPGP) + return maSignatureManager.getGpgSecurityEnvironment(); + else if (xCert->getCertificateKind() == CertificateKind_X509) + return maSignatureManager.getSecurityEnvironment(); + + throw RuntimeException("Unknown certificate kind"); +} + //If bUseTempStream is true then the temporary signature stream is used. //Otherwise the real signature stream is used. void DigitalSignaturesDialog::ImplGetSignatureInformations(bool bUseTempStream, bool bCacheLastSignature) @@ -688,19 +698,12 @@ void DigitalSignaturesDialog::ImplShowSignaturesDetails() { sal_uInt16 nSelected = (sal_uInt16) reinterpret_cast( m_pSignaturesLB->FirstSelected()->GetUserData() ); const SignatureInformation& rInfo = maSignatureManager.maCurrentSignatureInformations[ nSelected ]; - uno::Reference xSecEnv = maSignatureManager.getSecurityEnvironment(); - // Use Certificate from doc, not from key store - uno::Reference< css::security::XCertificate > xCert; - if (!rInfo.ouX509Certificate.isEmpty()) - xCert = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate); - //fallback if no certificate is embedded, get if from store - if (!xCert.is()) - xCert = xSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) ); - - SAL_WARN_IF( !xCert.is(), "xmlsecurity.dialogs", "Error getting Certificate!" ); + uno::Reference xCert = getCertificate(rInfo); + uno::Reference xSecEnv = getSecurityEnvironmentForCertificate(xCert); + if ( xCert.is() ) { - ScopedVclPtrInstance aViewer(this, maSignatureManager.getSecurityEnvironment(), xCert, false); + ScopedVclPtrInstance aViewer(this, xSecEnv, xCert, false); aViewer->Execute(); } } -- cgit