xmlsecurity: reject a few dangerous annotation types during pdf sig verify

(cherry picked from commit f231dacde9df1c4aa5f4e0970535c4f4093364a7) Conflicts: include/vcl/filter/PDFiumLibrary.hxx xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx xmlsecurity/source/helper/pdfsignaturehelper.cxx xmlsecurity/source/pdfio/pdfdocument.cxx Change-Id: I950b49a6e7181639daf27348ddfa0f36586baa65 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107000 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com> Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
author: Miklos Vajna <vmiklos@collabora.com> 2020-11-04 21:39:04 +0100
committer: Miklos Vajna <vmiklos@collabora.com> 2020-12-01 18:06:31 +0100
commit: 91a39edbbd353326bd2cd37ea93be9f27d533ea5 (patch)
tree: 6f67c9fb411883bd4eeb63146027449d7bf8aecf
parent: 008cb880632ea5143ddadc2c944297af010074e7 (diff)
3 files changed, 76 insertions, 5 deletions
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/bad-cert-p3-stamp.pdf b/xmlsecurity/qa/unit/pdfsigning/data/bad-cert-p3-stamp.pdf
new file mode 100644
index 000000000000..b30f5b03867c
--- /dev/null
+++ b/xmlsecurity/qa/unit/pdfsigning/data/bad-cert-p3-stamp.pdf
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 60dcd0fc7544..05a91714ff09 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -78,6 +78,7 @@ public:
     void testPartial();
     void testPartialInBetween();
     void testBadCertP1();
+    void testBadCertP3Stamp();
     /// Test writing a PAdES signature.
     void testSigningCertificateAttribute();
     /// Test that we accept files which are supposed to be good.
@@ -101,6 +102,7 @@ public:
     CPPUNIT_TEST(testPartial);
     CPPUNIT_TEST(testPartialInBetween);
     CPPUNIT_TEST(testBadCertP1);
+    CPPUNIT_TEST(testBadCertP3Stamp);
     CPPUNIT_TEST(testSigningCertificateAttribute);
     CPPUNIT_TEST(testGood);
     CPPUNIT_TEST(testTokenize);
@@ -456,6 +458,22 @@ void PDFSigningTest::testBadCertP1()
                          rInformation.nStatus);
 }
 
+void PDFSigningTest::testBadCertP3Stamp()
+{
+    std::vector<SignatureInformation> aInfos
+        = verify(m_directories.getURLFromSrc(DATA_DIRECTORY) + "bad-cert-p3-stamp.pdf", 1,
+                 /*rExpectedSubFilter=*/OString());
+    CPPUNIT_ASSERT(!aInfos.empty());
+    SignatureInformation& rInformation = aInfos[0];
+
+    // Without the accompanying fix in place, this test would have failed with:
+    // - Expected: 0 (SecurityOperationStatus_UNKNOWN)
+    // - Actual  : 1 (SecurityOperationStatus_OPERATION_SUCCEEDED)
+    // i.e. adding a stamp annotation was not considered as a bad modification.
+    CPPUNIT_ASSERT_EQUAL(xml::crypto::SecurityOperationStatus::SecurityOperationStatus_UNKNOWN,
+                         rInformation.nStatus);
+}
+
 void PDFSigningTest::testSigningCertificateAttribute()
 {
     // Create a new signature.
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 3cedf7b62273..047141b731be 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -24,6 +24,11 @@
 #include <svl/cryptosign.hxx>
 #include <vcl/filter/pdfdocument.hxx>
 #include <vcl/bitmap.hxx>
+#include <basegfx/range/b2drectangle.hxx>
+
+#if HAVE_FEATURE_PDFIUM
+#include <fpdf_annot.h>
+#endif
 
 using namespace com::sun::star;
 
@@ -138,8 +143,29 @@ bool IsCompleteSignature(SvStream& rStream, vcl::filter::PDFDocument& rDocument,
     return std::find(rAllEOFs.begin(), rAllEOFs.end(), nFileEnd) != rAllEOFs.end();
 }
 
+/**
+ * Contains checksums of a PDF page, which is rendered without annotations. It also contains
+ * the geometry of a few dangerous annotation types.
+ */
+struct PageChecksum
+{
+    BitmapChecksum m_nPageContent;
+    std::vector<basegfx::B2DRectangle> m_aAnnotations;
+    bool operator==(const PageChecksum& rChecksum) const;
+};
+
+bool PageChecksum::operator==(const PageChecksum& rChecksum) const
+{
+    if (m_nPageContent != rChecksum.m_nPageContent)
+    {
+        return false;
+    }
+
+    return m_aAnnotations == rChecksum.m_aAnnotations;
+}
+
 /// Collects the checksum of each page of one version of the PDF.
-void AnalyizeSignatureStream(SvMemoryStream& rStream, std::vector<BitmapChecksum>& rPageChecksums,
+void AnalyizeSignatureStream(SvMemoryStream& rStream, std::vector<PageChecksum>& rPageChecksums,
                              int nMDPPerm)
 {
 #if HAVE_FEATURE_PDFIUM
@@ -156,8 +182,35 @@ void AnalyizeSignatureStream(SvMemoryStream& rStream, std::vector<BitmapChecksum
             return;
         }
 
-        BitmapChecksum nPageChecksum = pPdfPage->getChecksum(nMDPPerm);
-        rPageChecksums.push_back(nPageChecksum);
+        PageChecksum aPageChecksum;
+        aPageChecksum.m_nPageContent = pPdfPage->getChecksum(nMDPPerm);
+        for (int i = 0; i < FPDFPage_GetAnnotCount(pPdfPage->getPointer()); ++i)
+        {
+            FPDF_ANNOTATION pAnnotation = FPDFPage_GetAnnot(pPdfPage->getPointer(), i);
+            int nType = FPDFAnnot_GetSubtype(pAnnotation);
+            switch (nType)
+            {
+                case FPDF_ANNOT_UNKNOWN:
+                case FPDF_ANNOT_FREETEXT:
+                case FPDF_ANNOT_STAMP:
+                case FPDF_ANNOT_REDACT:
+                {
+                    basegfx::B2DRectangle aB2DRectangle;
+                    FS_RECTF aRect;
+                    if (FPDFAnnot_GetRect(pAnnotation, &aRect))
+                    {
+                        aB2DRectangle = basegfx::B2DRectangle(aRect.left, aRect.top, aRect.right,
+                                                              aRect.bottom);
+                    }
+                    aPageChecksum.m_aAnnotations.push_back(aB2DRectangle);
+                    break;
+                }
+                default:
+                    break;
+            }
+            FPDFPage_CloseAnnot(pAnnotation);
+        }
+        rPageChecksums.push_back(aPageChecksum);
     }
     FPDF_CloseDocument(pPdfDocument);
 #else
@@ -183,7 +236,7 @@ bool IsValidSignature(SvStream& rStream, vcl::filter::PDFObjectElement* pSignatu
     aSignatureStream.WriteStream(rStream, nSignatureEOF);
     rStream.Seek(nPos);
     aSignatureStream.Seek(0);
-    std::vector<BitmapChecksum> aSignedPages;
+    std::vector<PageChecksum> aSignedPages;
     AnalyizeSignatureStream(aSignatureStream, aSignedPages, nMDPPerm);
 
     SvMemoryStream aFullStream;
@@ -192,7 +245,7 @@ bool IsValidSignature(SvStream& rStream, vcl::filter::PDFObjectElement* pSignatu
     aFullStream.WriteStream(rStream);
     rStream.Seek(nPos);
     aFullStream.Seek(0);
-    std::vector<BitmapChecksum> aAllPages;
+    std::vector<PageChecksum> aAllPages;
     AnalyizeSignatureStream(aFullStream, aAllPages, nMDPPerm);
 
     // Fail if any page looks different after signing and at the end. Annotations/commenting doesn't
author	Miklos Vajna <vmiklos@collabora.com>	2020-11-04 21:39:04 +0100
committer	Miklos Vajna <vmiklos@collabora.com>	2020-12-01 18:06:31 +0100
commit	91a39edbbd353326bd2cd37ea93be9f27d533ea5 (patch)
tree	6f67c9fb411883bd4eeb63146027449d7bf8aecf
parent	008cb880632ea5143ddadc2c944297af010074e7 (diff)