xmlsecurity: use xmlsec API instead of patching out cert verification

This flag does exactly what we need since xmlsec-1.2.24.

Change-Id: I3ae052d4bfe564c3234aef2511ef82ebdb452ebe
Reviewed-on: https://gerrit.libreoffice.org/37700
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>

4 files changed, 6 insertions, 75 deletions

diff --git a/external/libxmlsec/UnpackedTarball_xmlsec.mk b/external/libxmlsec/UnpackedTarball_xmlsec.mk
index 62adcf788a85..f41434c6d76b 100644
--- a/external/libxmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/libxmlsec/UnpackedTarball_xmlsec.mk
@@ -10,7 +10,6 @@
 xmlsec_patches :=
 xmlsec_patches += xmlsec1-configure.patch.1
 xmlsec_patches += xmlsec1-nssdisablecallbacks.patch.1
-xmlsec_patches += xmlsec1-noverify.patch.1
 xmlsec_patches += xmlsec1-vc.patch.1
 xmlsec_patches += xmlsec1-1.2.14_fix_extern_c.patch.1
 xmlsec_patches += xmlsec1-customkeymanage.patch.1
diff --git a/external/libxmlsec/xmlsec1-noverify.patch.1 b/external/libxmlsec/xmlsec1-noverify.patch.1
deleted file mode 100644
index 1c5672494caa..000000000000
--- a/external/libxmlsec/xmlsec1-noverify.patch.1
+++ /dev/null
@@ -1,74 +0,0 @@
-From 4960b231f67eb86e5f6d6a79154c15268c959b34 Mon Sep 17 00:00:00 2001
-From: Miklos Vajna <vmiklos@collabora.co.uk>
-Date: Fri, 4 Mar 2016 16:10:16 +0100
-Subject: [PATCH] xmlsec1-noverify.patch
-
-Conflicts:
-	src/mscrypto/x509vfy.c
-	src/nss/x509vfy.c
----
- src/mscrypto/x509vfy.c | 12 ++++++++----
- src/nss/x509vfy.c      | 24 ++++++++++--------------
- 2 files changed, 18 insertions(+), 18 deletions(-)
-
-diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c
-index e4a84a60..a12cb709 100644
---- a/src/mscrypto/x509vfy.c
-+++ b/src/mscrypto/x509vfy.c
-@@ -525,10 +525,14 @@ xmlSecMSCryptoX509StoreVerify(xmlSecKeyDataStorePtr store, HCERTSTORE certs,
-         }
- 
-         if(selected == 1) {
--	    if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) != 0
--               || xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
--                return(cert);
--            }
-+        /* JL: OpenOffice.org implements its own certificate verification routine. 
-+           The goal is to separate validation of the signature
-+           and the certificate. For example, OOo could show that the document signature is valid,
-+           but the certificate could not be verified. If we do not prevent the verification of
-+           the certificate by libxmlsec and the verification fails, then the XML signature will not be 
-+           verified. This would happen, for example, if the root certificate is not installed.                
-+         */
-+            return(cert);
-         }
-     }
- 
-diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
-index cd328fea..b28a37e1 100644
---- a/src/nss/x509vfy.c
-+++ b/src/nss/x509vfy.c
-@@ -213,20 +213,16 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
-             continue;
-         }
- 
--        if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) {
--            /* it's important to set the usage here, otherwise no real verification
--             * is performed. */
--            status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
--                                            cert, PR_FALSE,
--                                            certificateUsageEmailSigner,
--                                            timeboundary , NULL, NULL, NULL);
--            if(status == SECSuccess) {
--                break;
--            }
--        } else {
--            status = SECSuccess;
--            break;
--        }
-+       /*
-+      JL: OpenOffice.org implements its own certificate verification routine. 
-+      The goal is to separate validation of the signature
-+      and the certificate. For example, OOo could show that the document signature is valid,
-+      but the certificate could not be verified. If we do not prevent the verification of
-+      the certificate by libxmlsec and the verification fails, then the XML signature may not be 
-+      verified. This would happen, for example, if the root certificate is not installed.
-+    */
-+        status = SECSuccess;
-+        break;
-     }
- 
-     if (status == SECSuccess) {
--- 
-2.12.0
-
diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
index 010743509469..c61af389528a 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
@@ -196,6 +196,9 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
         return aTemplate;
     }
 
+    // We do certificate verification ourselves.
+    pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+
     //Verify signature
     //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0)
     //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
index 39aa6e9187d9..385a083884b3 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
@@ -221,6 +221,9 @@ SAL_CALL XMLSignature_NssImpl::validate(
             return aTemplate;
         }
 
+        // We do certificate verification ourselves.
+        pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+
         //Verify signature
         int rs = xmlSecDSigCtxVerify( pDsigCtx , pNode );