diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-06-25 08:02:09 +0200 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-06-25 08:59:17 +0200 |
commit | 71d02f5b6ca78935df3d09ec0a5817f5870b056e (patch) | |
tree | 9282edc3b122d86e0c82500997acea4d119d60d8 | |
parent | 364c828e6ea9e78a145a4ec32a677c7539a913a9 (diff) |
xmlsecurity windows: implement ODF sign/verify with ECDSA keys
By making it possible to use libxmlsec's mscng backend instead of the old
mscrypto one which lacks ECDSA support.
make -sr CppunitTest_xmlsecurity_signing SVL_CRYPTO_CNG=1 CPPUNIT_TEST_NAME="SigningTest::testECDSA"
passes with these changes, while it failed in the SVL_CRYPTO_CNG=1 case previously.
Change-Id: Ic23e5af11d271ed84175abe3d5ad008c7cc9e071
Reviewed-on: https://gerrit.libreoffice.org/56370
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins
-rw-r--r-- | xmlsecurity/Library_xsec_xmlsec.mk | 1 | ||||
-rw-r--r-- | xmlsecurity/inc/xmlsec-wrapper.h | 3 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/mscrypt/akmngr.cxx | 146 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 8 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/mscrypt/seinitializer_mscryptimpl.cxx | 22 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/xmlsec_init.cxx | 48 |
6 files changed, 184 insertions, 44 deletions
diff --git a/xmlsecurity/Library_xsec_xmlsec.mk b/xmlsecurity/Library_xsec_xmlsec.mk index 445d48e72a32..0c711885fc27 100644 --- a/xmlsecurity/Library_xsec_xmlsec.mk +++ b/xmlsecurity/Library_xsec_xmlsec.mk @@ -92,6 +92,7 @@ $(eval $(call gb_Library_add_defs,xsec_xmlsec,\ $(eval $(call gb_Library_add_libs,xsec_xmlsec,\ $(call gb_UnpackedTarball_get_dir,xmlsec)/win32/binaries/libxmlsec-mscrypto.lib \ + $(call gb_UnpackedTarball_get_dir,xmlsec)/win32/binaries/libxmlsec-mscng.lib \ $(call gb_UnpackedTarball_get_dir,xmlsec)/win32/binaries/libxmlsec.lib \ )) diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h index c6edfba935e0..0633bd3c1585 100644 --- a/xmlsecurity/inc/xmlsec-wrapper.h +++ b/xmlsecurity/inc/xmlsec-wrapper.h @@ -31,7 +31,6 @@ #include <xmlsec/base64.h> #include <xmlsec/bn.h> -#include <xmlsec/crypto.h> #include <xmlsec/errors.h> #include <xmlsec/io.h> #include <xmlsec/keysmngr.h> @@ -41,6 +40,8 @@ #include <xmlsec/xmlsec.h> #include <xmlsec/xmltree.h> #ifdef XMLSEC_CRYPTO_NSS +#include <xmlsec/nss/app.h> +#include <xmlsec/nss/crypto.h> #include <xmlsec/nss/pkikeys.h> #endif diff --git a/xmlsecurity/source/xmlsec/mscrypt/akmngr.cxx b/xmlsecurity/source/xmlsec/mscrypt/akmngr.cxx index 778cb93e3f38..8918e1d80b24 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/akmngr.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/akmngr.cxx @@ -27,6 +27,10 @@ #include <xmlsec/mscrypto/crypto.h> #include <xmlsec/mscrypto/keysstore.h> #include <xmlsec/mscrypto/x509.h> +#include <xmlsec/mscng/crypto.h> +#include <xmlsec/mscng/keysstore.h> +#include <xmlsec/mscng/x509.h> +#include <svl/cryptosign.hxx> namespace xmlsecurity { @@ -43,7 +47,10 @@ xmlSecKeysMngrPtr MSCryptoAppliedKeysMngrCreate() xmlSecKeysMngrPtr keyMngr = nullptr ; xmlSecKeyStorePtr keyStore = nullptr ; - keyStore = xmlSecKeyStoreCreate(xmlSecMSCryptoKeysStoreId) ; + if (!svl::crypto::isMSCng()) + keyStore = xmlSecKeyStoreCreate(xmlSecMSCryptoKeysStoreId) ; + else + keyStore = xmlSecKeyStoreCreate(xmlSecMSCngKeysStoreId); if (keyStore == nullptr) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -95,16 +102,33 @@ xmlSecKeysMngrPtr MSCryptoAppliedKeysMngrCreate() /*- * Initialize crypto library specific data in keys manager */ - if (xmlSecMSCryptoKeysMngrInit(keyMngr) < 0) + if (!svl::crypto::isMSCng()) { - xmlSecError(XMLSEC_ERRORS_HERE, - nullptr, - "xmlSecMSCryptoKeysMngrInit", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE) ; - - xmlSecKeysMngrDestroy(keyMngr) ; - return nullptr ; + if (xmlSecMSCryptoKeysMngrInit(keyMngr) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + nullptr, + "xmlSecMSCryptoKeysMngrInit", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE) ; + + xmlSecKeysMngrDestroy(keyMngr) ; + return nullptr ; + } + } + else + { + if (xmlSecMSCngKeysMngrInit(keyMngr) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + nullptr, + "xmlSecMSCngKeysMngrInit", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + + xmlSecKeysMngrDestroy(keyMngr); + return nullptr; + } } /*- @@ -133,7 +157,10 @@ MSCryptoAppliedKeysMngrAdoptKeyStore( xmlSecAssert2(mngr != nullptr, -1) ; xmlSecAssert2(keyStore != nullptr, -1) ; - x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + if (!svl::crypto::isMSCng()) + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + else + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCngX509StoreId); if (x509Store == nullptr) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -144,14 +171,29 @@ MSCryptoAppliedKeysMngrAdoptKeyStore( return -1 ; } - if (xmlSecMSCryptoX509StoreAdoptKeyStore(x509Store, keyStore) < 0) + if (!svl::crypto::isMSCng()) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), - "xmlSecMSCryptoX509StoreAdoptKeyStore", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE) ; - return -1 ; + if (xmlSecMSCryptoX509StoreAdoptKeyStore(x509Store, keyStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCryptoX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE) ; + return -1 ; + } + } + else + { + if (xmlSecMSCngX509StoreAdoptKeyStore(x509Store, keyStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCngX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return -1; + } } return 0 ; @@ -168,7 +210,10 @@ MSCryptoAppliedKeysMngrAdoptTrustedStore( xmlSecAssert2(mngr != nullptr, -1) ; xmlSecAssert2(trustedStore != nullptr, -1) ; - x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + if (!svl::crypto::isMSCng()) + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + else + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCngX509StoreId); if (x509Store == nullptr) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -179,14 +224,29 @@ MSCryptoAppliedKeysMngrAdoptTrustedStore( return -1 ; } - if (xmlSecMSCryptoX509StoreAdoptTrustedStore(x509Store, trustedStore) < 0) + if (!svl::crypto::isMSCng()) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), - "xmlSecMSCryptoX509StoreAdoptKeyStore", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE) ; - return -1 ; + if (xmlSecMSCryptoX509StoreAdoptTrustedStore(x509Store, trustedStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCryptoX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE) ; + return -1 ; + } + } + else + { + if (xmlSecMSCngX509StoreAdoptTrustedStore(x509Store, trustedStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCngX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return -1; + } } return 0 ; @@ -203,7 +263,10 @@ MSCryptoAppliedKeysMngrAdoptUntrustedStore( xmlSecAssert2(mngr != nullptr, -1) ; xmlSecAssert2(untrustedStore != nullptr, -1) ; - x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + if (!svl::crypto::isMSCng()) + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCryptoX509StoreId) ; + else + x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecMSCngX509StoreId); if (x509Store == nullptr) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -214,14 +277,29 @@ MSCryptoAppliedKeysMngrAdoptUntrustedStore( return -1 ; } - if (xmlSecMSCryptoX509StoreAdoptUntrustedStore(x509Store, untrustedStore) < 0) + if (!svl::crypto::isMSCng()) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), - "xmlSecMSCryptoX509StoreAdoptKeyStore", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE) ; - return -1 ; + if (xmlSecMSCryptoX509StoreAdoptUntrustedStore(x509Store, untrustedStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCryptoX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE) ; + return -1 ; + } + } + else + { + if (xmlSecMSCngX509StoreAdoptUntrustedStore(x509Store, untrustedStore) < 0) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(x509Store)), + "xmlSecMSCngX509StoreAdoptKeyStore", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return -1; + } } return 0 ; diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx index 4f1b7e81221f..9e2ccf928a08 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx @@ -1056,6 +1056,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_MSCryptImpl::createKeysManager() { m_hMySystemStore = nullptr; throw uno::RuntimeException() ; } + if (svl::crypto::isMSCng()) + m_hMySystemStore = nullptr; } //Add system root store into the keys manager. @@ -1066,6 +1068,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_MSCryptImpl::createKeysManager() { m_hRootSystemStore = nullptr; throw uno::RuntimeException() ; } + if (svl::crypto::isMSCng()) + m_hRootSystemStore = nullptr; } //Add system trusted store into the keys manager. @@ -1076,6 +1080,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_MSCryptImpl::createKeysManager() { m_hTrustSystemStore = nullptr; throw uno::RuntimeException() ; } + if (svl::crypto::isMSCng()) + m_hTrustSystemStore = nullptr; } //Add system CA store into the keys manager. @@ -1086,6 +1092,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_MSCryptImpl::createKeysManager() { m_hCaSystemStore = nullptr; throw uno::RuntimeException() ; } + if (svl::crypto::isMSCng()) + m_hCaSystemStore = nullptr; } } diff --git a/xmlsecurity/source/xmlsec/mscrypt/seinitializer_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/seinitializer_mscryptimpl.cxx index c31041cedc03..f2df751addfb 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/seinitializer_mscryptimpl.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/seinitializer_mscryptimpl.cxx @@ -24,10 +24,12 @@ #include <xmlsec-wrapper.h> #include <xmlsec/mscrypto/app.h> +#include <xmlsec/mscng/app.h> #include <com/sun/star/xml/crypto/SecurityEnvironment.hpp> #include <com/sun/star/xml/crypto/XMLSecurityContext.hpp> #include <cppuhelper/supportsservice.hxx> #include <o3tl/char16_t2wchar_t.hxx> +#include <svl/cryptosign.hxx> using namespace com::sun::star; namespace cssl = com::sun::star::lang; @@ -69,7 +71,10 @@ uno::Reference< cssxc::XXMLSecurityContext > SAL_CALL n_hStoreHandle = nullptr ; } - xmlSecMSCryptoAppInit( n_pCertStore ) ; + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoAppInit( n_pCertStore ) ; + else + xmlSecMSCngAppInit(n_pCertStore); try { /* Build Security Environment */ @@ -85,7 +90,10 @@ uno::Reference< cssxc::XXMLSecurityContext > SAL_CALL CertCloseStore( n_hStoreHandle, CERT_CLOSE_STORE_FORCE_FLAG ) ; } - xmlSecMSCryptoAppShutdown() ; + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoAppShutdown() ; + else + xmlSecMSCngAppShutdown(); return nullptr; } @@ -112,7 +120,10 @@ uno::Reference< cssxc::XXMLSecurityContext > SAL_CALL CertCloseStore( n_hStoreHandle, CERT_CLOSE_STORE_FORCE_FLAG ) ; } - xmlSecMSCryptoAppShutdown() ; + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoAppShutdown() ; + else + xmlSecMSCngAppShutdown(); return nullptr; } } @@ -143,7 +154,10 @@ void SAL_CALL SEInitializer_MSCryptImpl::freeSecurityContext( const uno::Referen } */ - xmlSecMSCryptoAppShutdown() ; + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoAppShutdown() ; + else + xmlSecMSCngAppShutdown(); } /* XServiceInfo */ diff --git a/xmlsecurity/source/xmlsec/xmlsec_init.cxx b/xmlsecurity/source/xmlsec/xmlsec_init.cxx index 181fcac98a1b..552c1d481695 100644 --- a/xmlsecurity/source/xmlsec/xmlsec_init.cxx +++ b/xmlsecurity/source/xmlsec/xmlsec_init.cxx @@ -13,6 +13,13 @@ #include <xmlsec/xmlstreamio.hxx> #include <xmlsec-wrapper.h> +#include <svl/cryptosign.hxx> +#ifdef XMLSEC_CRYPTO_MSCRYPTO +#include <xmlsec/mscrypto/crypto.h> +#include <xmlsec/mscng/crypto.h> +#else +#include <xmlsec/nss/crypto.h> +#endif using namespace css::uno; @@ -24,14 +31,38 @@ XSECXMLSEC_DLLPUBLIC void initXmlSec() } //Init xmlsec crypto engine library - if( xmlSecCryptoInit() < 0 ) { - xmlSecShutdown() ; - throw RuntimeException() ; +#ifdef XMLSEC_CRYPTO_MSCRYPTO + if (!svl::crypto::isMSCng()) + { + if( xmlSecMSCryptoInit() < 0 ) { + xmlSecShutdown() ; + throw RuntimeException() ; + } + } + else + { + if( xmlSecMSCngInit() < 0 ) { + xmlSecShutdown(); + throw RuntimeException(); + } + } +#else + if( xmlSecNssInit() < 0 ) { + xmlSecShutdown(); + throw RuntimeException(); } +#endif //Enable external stream handlers if( xmlEnableStreamInputCallbacks() < 0 ) { - xmlSecCryptoShutdown() ; +#ifdef XMLSEC_CRYPTO_MSCRYPTO + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoShutdown(); + else + xmlSecMSCngShutdown(); +#else + xmlSecNssShutdown(); +#endif xmlSecShutdown() ; throw RuntimeException() ; } @@ -40,7 +71,14 @@ XSECXMLSEC_DLLPUBLIC void initXmlSec() XSECXMLSEC_DLLPUBLIC void deInitXmlSec() { xmlDisableStreamInputCallbacks(); - xmlSecCryptoShutdown(); +#ifdef XMLSEC_CRYPTO_MSCRYPTO + if (!svl::crypto::isMSCng()) + xmlSecMSCryptoShutdown(); + else + xmlSecMSCngShutdown(); +#else + xmlSecNssShutdown(); +#endif xmlSecShutdown(); } |