path: root/xmlsecurity/source/helper/documentsignaturemanager.cxx
authorMichael Stahl <michael.stahl@allotropia.de>2021-02-19 22:04:33 +0100
committerMichael Stahl <michael.stahl@allotropia.de>2021-03-03 12:46:43 +0100
commit9e82509b09f5fe2eb77bcdb8fd193c71923abb67 (patch)
treec977053f11c3d6527c94e63670a0af626af76e8a /xmlsecurity/source/helper/documentsignaturemanager.cxx
parent1d3da3486d827dd5e7a3bf1c7a533f5aa9860e42 (diff)
xmlsecurity: improve handling of multiple X509Data elements
Combine everything related to a certificate in a new struct X509Data. The CertDigest is not actually written in the X509Data element but in xades:Cert, so try to find the matching entry in XSecController::setX509CertDigest(). There was a confusing interaction with PGP signatures, where ouGpgKeyID was used for import, but export wrote the value from ouCertDigest instead - this needed fixing. The main point of this is enforcing a constraint from xmldsig-core 4.5.4: All certificates appearing in an X509Data element MUST relate to the validation key by either containing it or being part of a certification chain that terminates in a certificate containing the validation key. Change-Id: I5254aa393f8e7172da59709923e4bbcd625ec713 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111254 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'xmlsecurity/source/helper/documentsignaturemanager.cxx')
-rw-r--r--xmlsecurity/source/helper/documentsignaturemanager.cxx12
1 files changed, 12 insertions, 0 deletions
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx
index 295522775951..d0ac3d0fc11a 100644
--- a/xmlsecurity/source/helper/documentsignaturemanager.cxx
+++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx
@@ -587,6 +587,18 @@ void DocumentSignatureManager::read(bool bUseTempStream, bool bCacheLastSignatur
bCacheLastSignature);
maSignatureHelper.EndMission();
+ // this parses the XML independently from ImplVerifySignatures() - check
+ // certificates here too ...
+ for (auto const& it : maSignatureHelper.GetSignatureInformations())
+ {
+ if (!it.X509Datas.empty())
+ {
+ uno::Reference<xml::crypto::XSecurityEnvironment> const xSecEnv(
+ getSecurityEnvironment());
+ getSignatureHelper().CheckAndUpdateSignatureInformation(xSecEnv, it);
+ }
+ }
+
maCurrentSignatureInformations = maSignatureHelper.GetSignatureInformations();
}
else