diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-15 17:58:48 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-15 18:06:19 +0000 |
commit | 8397ce996c444de64cd94efa096b9b376aad393f (patch) | |
tree | 5beaae77561c2c5b7e549e61eda04fa371df205b /vcl | |
parent | 21005d0ded0dfb5cf1bd7f4858cba6b6735dd341 (diff) |
vcl PDF sign: add initial 'signing-certificate' signed attribute
Page 10 of "PAdES Basic" specification from
<http://www.etsi.org/deliver/etsi_ts%5C102700_102799%5C10277802%5C01.02.01_60%5Cts_10277802v010201p.pdf>
says:
"At minimum, it [the signature] shall include the signer's X.509 signing
certificate."
This adds the signed attribute, but it's disabled by default as the
value is just an empty sequence at the moment.
Change-Id: Icda96f63618b08fadcb411204e132fe88d5f7d1d
Reviewed-on: https://gerrit.libreoffice.org/30877
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/gdi/pdfwriter_impl.cxx | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx index 75580ed78499..79bdad2b2ddf 100644 --- a/vcl/source/gdi/pdfwriter_impl.cxx +++ b/vcl/source/gdi/pdfwriter_impl.cxx @@ -6036,6 +6036,10 @@ typedef struct { Extension *extensions; } TimeStampReq; +struct SigningCertificateV2 +{ +}; + // (Partial) ASN.1 for the time stamp response. Very complicated. Pulled // together from various RFCs. @@ -6251,6 +6255,16 @@ const SEC_ASN1Template TimeStampReq_Template[] = { 0, 0, nullptr, 0 } }; +/** + * SigningCertificateV2 ::= SEQUENCE { + * } + */ +const SEC_ASN1Template SigningCertificateV2Template[] = +{ + {SEC_ASN1_SEQUENCE, 0, nullptr, sizeof(SigningCertificateV2)}, + {0, 0, nullptr, 0} +}; + typedef struct { SECItem status; SECItem statusString; @@ -6564,6 +6578,12 @@ my_NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute return my_NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr); } +SECStatus +my_NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr) +{ + return my_NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr); +} + NSSCMSMessage *CreateCMSMessage(PRTime time, NSSCMSSignedData **cms_sd, NSSCMSSignerInfo **cms_signer, @@ -7034,6 +7054,53 @@ bool PDFWriter::Sign(PDFSignContext& rContext) } } + // Add the signing certificate as a signed attribute. + SigningCertificateV2 aCertificate; + SECItem* pEncodedCertificate = SEC_ASN1EncodeItem(nullptr, nullptr, &aCertificate, SigningCertificateV2Template); + if (!pEncodedCertificate) + { + SAL_WARN("vcl.pdfwriter", "SEC_ASN1EncodeItem() failed"); + return false; + } + + NSSCMSAttribute aAttribute; + SECItem aAttributeValues[2]; + SECItem* pAttributeValues[2]; + pAttributeValues[0] = aAttributeValues; + pAttributeValues[1] = nullptr; + aAttributeValues[0] = *pEncodedCertificate; + aAttributeValues[1].type = siBuffer; + aAttributeValues[1].data = nullptr; + aAttributeValues[1].len = 0; + aAttribute.values = pAttributeValues; + + SECOidData aOidData; + aOidData.oid.data = nullptr; + /* + * id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= + * { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + * smime(16) id-aa(2) 47 } + */ + if (my_SEC_StringToOID(&aOidData.oid, "1.2.840.113549.1.9.16.2.47", 0) != SECSuccess) + { + SAL_WARN("vcl.pdfwriter", "my_SEC_StringToOID() failed"); + return false; + } + aOidData.offset = SEC_OID_UNKNOWN; + aOidData.desc = "id-aa-signingCertificateV2"; + aOidData.mechanism = CKM_SHA_1; + aOidData.supportedExtension = UNSUPPORTED_CERT_EXTENSION; + aAttribute.typeTag = &aOidData; + aAttribute.type = aOidData.oid; + aAttribute.encoded = PR_TRUE; + + // Don't enable this by default till it works completely. + if (g_bDebugDisableCompression && my_NSS_CMSSignerInfo_AddAuthAttr(cms_signer, &aAttribute) != SECSuccess) + { + SAL_WARN("vcl.pdfwriter", "my_NSS_CMSSignerInfo_AddAuthAttr() failed"); + return false; + } + SECItem cms_output; cms_output.data = nullptr; cms_output.len = 0; @@ -7081,6 +7148,7 @@ bool PDFWriter::Sign(PDFSignContext& rContext) for (unsigned int i = 0; i < cms_output.len ; i++) appendHex(cms_output.data[i], rContext.m_rCMSHexBuffer); + SECITEM_FreeItem(pEncodedCertificate, PR_TRUE); NSS_CMSMessage_Destroy(cms_msg); return true; |