authorSamuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>2017-07-14 15:48:57 +0200
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2017-07-17 22:42:21 +0200
commitdfcb7895f61243f1e0f21c25bbdf815d8a9976a0 (patch)
treeb73c864ea0e1a20580094527eebe56df81369d06
parentf7dd0774e3dbd5a5001666b045f06bebafc701ae (diff)
gpg4libre: Show whether pgp keys are trusted or not
Owner trust levels considered valid keys: Marginal, Full, Ultimate. Owner trust levels considered invalid keys: Unknown, Undefined, Never. Change-Id: I7338b587acfd105ca24e40b45960cea8d2c04ded Reviewed-on: https://gerrit.libreoffice.org/39958 Reviewed-by: Vasily Melenchuk <vasily.melenchuk@cib.de> Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
-rw-r--r--xmlsecurity/source/component/documentdigitalsignatures.cxx56
-rw-r--r--xmlsecurity/source/gpg/SecurityEnvironment.cxx18
2 files changed, 43 insertions, 31 deletions
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index 518b4acb1c93..b4445f3c6968 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -327,46 +327,44 @@ DocumentDigitalSignatures::ImplVerifySignatures(
const SignatureInformation& rInfo = aSignInfos[n];
css::security::DocumentSignatureInformation& rSigInfo = arInfos[n];
- if (!rInfo.ouX509Certificate.isEmpty())
- rSigInfo.Signer = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ;
- if (!rSigInfo.Signer.is())
- rSigInfo.Signer = xSecEnv->getCertificate( rInfo.ouX509IssuerName, xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
-
- // Time support again (#i38744#)
- Date aDate( rInfo.stDateTime.Day, rInfo.stDateTime.Month, rInfo.stDateTime.Year );
- tools::Time aTime( rInfo.stDateTime.Hours, rInfo.stDateTime.Minutes,
- rInfo.stDateTime.Seconds, rInfo.stDateTime.NanoSeconds );
- rSigInfo.SignatureDate = aDate.GetDate();
- rSigInfo.SignatureTime = aTime.GetTime();
-
- // Verify certificate
- //We have patched our version of libxmlsec, so that it does not verify the certificates. This has two
- //reasons. First we want two separate status for signature and certificate. Second libxmlsec calls
- //CERT_VerifyCertificate (Solaris, Linux) falsely, so that it always regards the certificate as valid.
- //On Windows the checking of the certificate path is buggy. It does name matching (issuer, subject name)
- //to find the parent certificate. It does not take into account that there can be several certificates
- //with the same subject name.
- if (rSigInfo.Signer.is())
+ if (rInfo.ouGpgCertificate.isEmpty()) // X.509
{
+ if (!rInfo.ouX509Certificate.isEmpty())
+ rSigInfo.Signer = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ;
+ if (!rSigInfo.Signer.is())
+ rSigInfo.Signer = xSecEnv->getCertificate( rInfo.ouX509IssuerName,
+ xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
+
+ // Verify certificate
+ //We have patched our version of libxmlsec, so that it does not verify the certificates. This has two
+ //reasons. First we want two separate status for signature and certificate. Second libxmlsec calls
+ //CERT_VerifyCertificate (Solaris, Linux) falsely, so that it always regards the certificate as valid.
+ //On Windows the checking of the certificate path is buggy. It does name matching (issuer, subject name)
+ //to find the parent certificate. It does not take into account that there can be several certificates
+ //with the same subject name.
+
try {
rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer,
- Sequence<Reference<css::security::XCertificate> >());
+ Sequence<Reference<css::security::XCertificate> >());
} catch (SecurityException& ) {
OSL_FAIL("Verification of certificate failed");
rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
}
}
- else
+ else // GPG
{
- //We should always be able to get the certificates because it is contained in the document,
- //unless the document is damaged so that signature xml file could not be parsed.
- rSigInfo.CertificateStatus =
- xGpgSecEnv->verifyCertificate(rSigInfo.Signer,
- Sequence<Reference<css::security::XCertificate> >());
- // well - except for gpg signatures ...
- //rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ rSigInfo.Signer = xGpgSecEnv->getCertificate( rInfo.ouGpgKeyID, xmlsecurity::numericStringToBigInteger("") );
+ rSigInfo.CertificateStatus = xGpgSecEnv->verifyCertificate(rSigInfo.Signer,
+ Sequence<Reference<css::security::XCertificate> >());
}
+ // Time support again (#i38744#)
+ Date aDate( rInfo.stDateTime.Day, rInfo.stDateTime.Month, rInfo.stDateTime.Year );
+ tools::Time aTime( rInfo.stDateTime.Hours, rInfo.stDateTime.Minutes,
+ rInfo.stDateTime.Seconds, rInfo.stDateTime.NanoSeconds );
+ rSigInfo.SignatureDate = aDate.GetDate();
+ rSigInfo.SignatureTime = aTime.GetTime();
+
rSigInfo.SignatureIsValid = ( rInfo.nStatus == css::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED );
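Review bot: In the X.509 branch the old `if (rSigInfo.Signer.is())` guard around `verifyCertificate` is gone, so the call now runs with an empty `rSigInfo.Signer` whenever neither `createCertificateFromAscii` nor `getCertificate` produced a certificate. How the X.509 `verifyCertificate` treats an empty reference is not visible here, and the `catch` covers only `SecurityException`, so a damaged or crafted signature may surface as an uncaught exception rather than as a failed status. I would keep the guard inside the branch and fail closed: `if (rSigInfo.Signer.is()) { try { … } catch (SecurityException&) { … } } else rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;`. The branch is chosen by `rInfo.ouGpgCertificate.isEmpty()`, a value read from the document, which is one more reason each path should reject a missing signer on its own. The enclosing loop body starts and ends outside the hunk.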
diff --git a/xmlsecurity/source/gpg/SecurityEnvironment.cxx b/xmlsecurity/source/gpg/SecurityEnvironment.cxx
index e910ee50b2ad..6cf0c10de932 100644
--- a/xmlsecurity/source/gpg/SecurityEnvironment.cxx
+++ b/xmlsecurity/source/gpg/SecurityEnvironment.cxx
@@ -142,10 +142,24 @@ Reference< XCertificate > SecurityEnvironmentGpg::createCertificateFromAscii( co
return nullptr;
}
-sal_Int32 SecurityEnvironmentGpg::verifyCertificate( const Reference< XCertificate >& /*aCert*/,
+sal_Int32 SecurityEnvironmentGpg::verifyCertificate( const Reference< XCertificate >& aCert,
const Sequence< Reference< XCertificate > >& /*intermediateCerts*/ )
{
- return 0;
+ const CertificateImpl* xCert = dynamic_cast<CertificateImpl*>(aCert.get());
+ if (xCert == nullptr) {
+ // Can't find the key locally -> unknown owner
+ return security::CertificateValidity::ISSUER_UNKNOWN;
+ }
+
+ const GpgME::Key* key = xCert->getCertificate();
+ if (key->ownerTrust() == GpgME::Key::OwnerTrust::Marginal ||
+ key->ownerTrust() == GpgME::Key::OwnerTrust::Full ||
+ key->ownerTrust() == GpgME::Key::OwnerTrust::Ultimate)
+ {
+ return security::CertificateValidity::VALID;
+ }
+
+ return security::CertificateValidity::ISSUER_UNTRUSTED;
}
sal_Int32 SecurityEnvironmentGpg::getCertificateCharacters(
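Review bot: `ownerTrust()` is the wrong property to map to `CertificateValidity::VALID` in `verifyCertificate`: owner trust records how far the user trusts the key's owner to certify other keys, whereas whether the key belongs to its stated identity is the computed validity of a user ID (`GpgME::UserID::validity()`). With this mapping a key the user has verified but never assigned owner trust is shown as untrusted, and a key with owner trust set is reported VALID without any look at its revoked, expired or disabled state. `key` from `xCert->getCertificate()` is also dereferenced without a null check; whether it can be null is not visible in the hunk. A possible replacement follows; which user ID to consult (the primary one or the one matching the signer) is a policy choice to confirm.

```cpp
// … unchanged: dynamic_cast to CertificateImpl and nullptr check …
const GpgME::Key* key = xCert->getCertificate();
if (key == nullptr || key->isNull() || key->isInvalid() || key->isDisabled())
    return security::CertificateValidity::INVALID;
if (key->isRevoked())
    return security::CertificateValidity::REVOKED;
if (key->isExpired())
    return security::CertificateValidity::TIME_INVALID;

// Validity of the user ID, not owner trust, says whether the key is
// believed to belong to its stated owner.
const GpgME::UserID::Validity eValidity = key->userID(0).validity();
if (eValidity == GpgME::UserID::Marginal ||
    eValidity == GpgME::UserID::Full ||
    eValidity == GpgME::UserID::Ultimate)
{
    return security::CertificateValidity::VALID;
}
// … unchanged: return ISSUER_UNTRUSTED …
```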