diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-17 12:40:06 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-11-17 15:54:06 +0100 |
commit | 972c1e9e7239ef84611b01dad5b112af8f353d3c (patch) | |
tree | 6c14d93b01a0071d29da179dc0706ebe36fca876 /xmlsecurity/source | |
parent | 07d4f5d9e3b40025aaee12bb309317b2d267fbdc (diff) |
xmlsecurity PDF sign: handle AdES when writing SubFilter
Page 21 of "PAdES baseline signatures" specification from
<http://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf>
says:
"The Signature Dictionary shall contain a value of ETSI.CAdES.detached
for the key SubFilter."
So in case the UI has the adescompliant checkbox enabled, write that
value instead of the Adobe default.
Change-Id: I69e606a32fb09bebd5e9b25b32150d1b8672f544
Diffstat (limited to 'xmlsecurity/source')
-rw-r--r-- | xmlsecurity/source/helper/documentsignaturemanager.cxx | 10 | ||||
-rw-r--r-- | xmlsecurity/source/helper/pdfsignaturehelper.cxx | 4 | ||||
-rw-r--r-- | xmlsecurity/source/pdfio/pdfdocument.cxx | 14 | ||||
-rw-r--r-- | xmlsecurity/source/pdfio/pdfverify.cxx | 2 |
4 files changed, 17 insertions, 13 deletions
diff --git a/xmlsecurity/source/helper/documentsignaturemanager.cxx b/xmlsecurity/source/helper/documentsignaturemanager.cxx index f9b435502e6b..76e0b0aefaa9 100644 --- a/xmlsecurity/source/helper/documentsignaturemanager.cxx +++ b/xmlsecurity/source/helper/documentsignaturemanager.cxx @@ -232,7 +232,7 @@ SignatureStreamHelper DocumentSignatureManager::ImplOpenSignatureStream(sal_Int3 return aHelper; } -bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>& xCert, const OUString& rDescription, sal_Int32& nSecurityId, bool bXAdESCompliantIfODF) +bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>& xCert, const OUString& rDescription, sal_Int32& nSecurityId, bool bAdESCompliant) { if (!xCert.is()) { @@ -255,7 +255,7 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>& getPDFSignatureHelper().SetX509Certificate(xCert); getPDFSignatureHelper().SetDescription(rDescription); uno::Reference<io::XInputStream> xInputStream(mxSignatureStream, uno::UNO_QUERY); - if (!getPDFSignatureHelper().Sign(xInputStream)) + if (!getPDFSignatureHelper().Sign(xInputStream, bAdESCompliant)) { SAL_WARN("xmlsecurity.helper", "PDFSignatureHelper::Sign() failed"); return false; @@ -299,7 +299,7 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>& for (sal_Int32 n = 0; n < nElements; n++) { bool bBinaryMode = !isXML(aElements[n]); - maSignatureHelper.AddForSigning(nSecurityId, aElements[n], aElements[n], bBinaryMode, bXAdESCompliantIfODF); + maSignatureHelper.AddForSigning(nSecurityId, aElements[n], aElements[n], bBinaryMode, bAdESCompliant); } maSignatureHelper.SetDateTime(nSecurityId, Date(Date::SYSTEM), tools::Time(tools::Time::SYSTEM)); @@ -321,10 +321,10 @@ bool DocumentSignatureManager::add(const uno::Reference<security::XCertificate>& uno::Reference<xml::sax::XDocumentHandler> xDocumentHandler(xSaxWriter, uno::UNO_QUERY_THROW); std::size_t nInfos = maCurrentSignatureInformations.size(); for (std::size_t n = 0; n < nInfos; n++) - XMLSignatureHelper::ExportSignature(xDocumentHandler, maCurrentSignatureInformations[n], bXAdESCompliantIfODF); + XMLSignatureHelper::ExportSignature(xDocumentHandler, maCurrentSignatureInformations[n], bAdESCompliant); // Create a new one... - maSignatureHelper.CreateAndWriteSignature(xDocumentHandler, bXAdESCompliantIfODF); + maSignatureHelper.CreateAndWriteSignature(xDocumentHandler, bAdESCompliant); // That's it... XMLSignatureHelper::CloseDocumentHandler(xDocumentHandler); diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx index ff79af8ca730..a7cfbed66e72 100644 --- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx +++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx @@ -118,7 +118,7 @@ void PDFSignatureHelper::SetDescription(const OUString& rDescription) m_aDescription = rDescription; } -bool PDFSignatureHelper::Sign(const uno::Reference<io::XInputStream>& xInputStream) +bool PDFSignatureHelper::Sign(const uno::Reference<io::XInputStream>& xInputStream, bool bAdES) { std::unique_ptr<SvStream> pStream(utl::UcbStreamHelper::CreateStream(xInputStream, true)); xmlsecurity::pdfio::PDFDocument aDocument; @@ -128,7 +128,7 @@ bool PDFSignatureHelper::Sign(const uno::Reference<io::XInputStream>& xInputStre return false; } - if (!aDocument.Sign(m_xCertificate, m_aDescription)) + if (!aDocument.Sign(m_xCertificate, m_aDescription, bAdES)) { SAL_WARN("xmlsecurity.helper", "failed to sign"); return false; diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx index 0d5aec0ca1f2..9c71451601c4 100644 --- a/xmlsecurity/source/pdfio/pdfdocument.cxx +++ b/xmlsecurity/source/pdfio/pdfdocument.cxx @@ -357,7 +357,7 @@ sal_uInt32 PDFDocument::GetNextSignature() return nRet + 1; } -sal_Int32 PDFDocument::WriteSignatureObject(const OUString& rDescription, sal_uInt64& rLastByteRangeOffset, sal_Int64& rContentOffset) +sal_Int32 PDFDocument::WriteSignatureObject(const OUString& rDescription, bool bAdES, sal_uInt64& rLastByteRangeOffset, sal_Int64& rContentOffset) { // Write signature object. sal_Int32 nSignatureId = m_aXRef.size(); @@ -374,7 +374,11 @@ sal_Int32 PDFDocument::WriteSignatureObject(const OUString& rDescription, sal_uI OStringBuffer aContentFiller(MAX_SIGNATURE_CONTENT_LENGTH); comphelper::string::padToLength(aContentFiller, MAX_SIGNATURE_CONTENT_LENGTH, '0'); aSigBuffer.append(aContentFiller.makeStringAndClear()); - aSigBuffer.append(">\n/Type/Sig/SubFilter/adbe.pkcs7.detached"); + aSigBuffer.append(">\n/Type/Sig/SubFilter"); + if (bAdES) + aSigBuffer.append("/ETSI.CAdES.detached"); + else + aSigBuffer.append("/adbe.pkcs7.detached"); // Time of signing. aSigBuffer.append(" /M ("); @@ -941,14 +945,14 @@ void PDFDocument::WriteXRef(sal_uInt64 nXRefOffset, PDFReferenceElement* pRoot) } } -bool PDFDocument::Sign(const uno::Reference<security::XCertificate>& xCertificate, const OUString& rDescription) +bool PDFDocument::Sign(const uno::Reference<security::XCertificate>& xCertificate, const OUString& rDescription, bool bAdES) { m_aEditBuffer.Seek(STREAM_SEEK_TO_END); m_aEditBuffer.WriteCharPtr("\n"); sal_uInt64 nSignatureLastByteRangeOffset = 0; sal_Int64 nSignatureContentOffset = 0; - sal_Int32 nSignatureId = WriteSignatureObject(rDescription, nSignatureLastByteRangeOffset, nSignatureContentOffset); + sal_Int32 nSignatureId = WriteSignatureObject(rDescription, bAdES, nSignatureLastByteRangeOffset, nSignatureContentOffset); sal_Int32 nAppearanceId = WriteAppearanceObject(); @@ -2021,7 +2025,7 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat } auto pSubFilter = dynamic_cast<PDFNameElement*>(pValue->Lookup("SubFilter")); - if (!pSubFilter || pSubFilter->GetValue() != "adbe.pkcs7.detached") + if (!pSubFilter || (pSubFilter->GetValue() != "adbe.pkcs7.detached" && pSubFilter->GetValue() != "ETSI.CAdES.detached")) { SAL_WARN("xmlsecurity.pdfio", "PDFDocument::ValidateSignature: no or unsupported sub-filter"); return false; diff --git a/xmlsecurity/source/pdfio/pdfverify.cxx b/xmlsecurity/source/pdfio/pdfverify.cxx index b288067c080d..04c33d8fc139 100644 --- a/xmlsecurity/source/pdfio/pdfverify.cxx +++ b/xmlsecurity/source/pdfio/pdfverify.cxx @@ -136,7 +136,7 @@ SAL_IMPLEMENT_MAIN_WITH_ARGS(nArgc, pArgv) SAL_WARN("xmlsecurity.pdfio", "no signing certificates found"); return 1; } - if (!aDocument.Sign(aCertificates[0], "pdfverify")) + if (!aDocument.Sign(aCertificates[0], "pdfverify", /*bAdES=*/true)) { SAL_WARN("xmlsecurity.pdfio", "failed to sign"); return 1; |