tdf#105844 package,sfx2: wholesome ODF package wrapping encryption

Redo the ODF encryption by storing an ODF package and wrapping it as a stream "encrypted-package" in another ODF package, such that there is only one encrypted stream - this requires only one KDF computation. * This is only enabled in Experimental mode for now. * Avoid storing unencrypted data in the pTempFile of SfxMedium, as it is usually created in the same directory as the target file, which may be on a network share or similar less trusted location. * SfxMedium::SetEncryptionDataToStorage_Impl() should just set an error status if it fails (how can it fail anyway) * when loading a document, SfxDocPasswordVerifier extracts an encrypted inner package (by calling SfxMedium::TryEncryptedInnerPackage()) * SfxMedium::GetStorage() automatically decrypts an encrypted inner storage and sets it as the SfxMedium's xStorage * when storing a document, SfxObjectShell::SaveTo_Impl() creates the wrapped storages * One challenge is to keep the macro/scripting signature working; this can only be put in the inner storage, whereas the document signature should continue to be on the outer storage; also it must use a Zip storage, to see the "META-INF" directory. This needs a new SfxMedium::GetScriptingStorageToSign_Impl() and changes in SfxMedium::SignContents_Impl(). Change-Id: Ibfee36ce3a9cd030f2aa2ce1484b6d001cba2389 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160401 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Michael Stahl <michael.stahl@allotropia.de> 2023-12-06 15:28:14 +0100
committer: Michael Stahl <michael.stahl@allotropia.de> 2023-12-07 09:28:38 +0100
commit: 3b347664b26d58d44f685a607a5e6d10dff89cd4 (patch)
tree: 882d5793493bf14b65295773d0129811b9fcb51d /package
parent: f6536f4db61b73cf7fd4a44bb5ba61eff61f8f91 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/package/source/zippackage/ZipPackage.cxx b/package/source/zippackage/ZipPackage.cxx
index 4dc2021a1904..46e87f437c7b 100644
--- a/package/source/zippackage/ZipPackage.cxx
+++ b/package/source/zippackage/ZipPackage.cxx
@@ -287,7 +287,9 @@ void ZipPackage::parseManifest()
                                     const sal_Int32 nStartKeyAlg = xml::crypto::DigestID::SHA256;
                                     pStream->SetImportedStartKeyAlgorithm( nStartKeyAlg );
 
-                                    if ( !m_bHasEncryptedEntries && pStream->getName() == "content.xml" )
+                                    if (!m_bHasEncryptedEntries
+                                        && (pStream->getName() == "content.xml"
+                                            || pStream->getName() == "encrypted-package"))
                                     {
                                         m_bHasEncryptedEntries = true;
                                         m_nChecksumDigestID = nDigestAlg;
@@ -336,7 +338,9 @@ void ZipPackage::parseManifest()
                                     pStream->SetToBeCompressed ( true );
                                     pStream->SetToBeEncrypted ( true );
                                     pStream->SetIsEncrypted ( true );
-                                    if ( !m_bHasEncryptedEntries && pStream->getName() == "content.xml" )
+                                    if (!m_bHasEncryptedEntries
+                                        && (pStream->getName() == "content.xml"
+                                            || pStream->getName() == "encrypted-package"))
                                     {
                                         m_bHasEncryptedEntries = true;
                                         m_nStartKeyGenerationID = nStartKeyAlg;
author	Michael Stahl <michael.stahl@allotropia.de>	2023-12-06 15:28:14 +0100
committer	Michael Stahl <michael.stahl@allotropia.de>	2023-12-07 09:28:38 +0100
commit	3b347664b26d58d44f685a607a5e6d10dff89cd4 (patch)
tree	882d5793493bf14b65295773d0129811b9fcb51d /package
parent	f6536f4db61b73cf7fd4a44bb5ba61eff61f8f91 (diff)