xmlsecurity nss: adopt the private key of the signing certificate explicitly

xmlsec1-customkeymanage.patch.1 of our bundled xmlsec extends xmlSecNssKeyDataX509VerifyAndExtractKey(), so that it calls xmlSecNssPKIAdoptKey() for the private key of the signing certificate. Make this explicit in xmlsecurity/ code, so we don't depend on the patched xmlSecNssKeyDataX509VerifyAndExtractKey(). This is harmless for the patched xmlsec, but it prevents this error: warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: keys.c:1246: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' ' warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:790: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:503: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:286: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxSignatureProcessNode' 1 ' ' when xmlsec is not patched. (This is needed, but not enough to build against system xmlsec.) Change-Id: I5d68a8be7aefcb529566213f9b9c2985eab6a80a Reviewed-on: https://gerrit.libreoffice.org/39023 Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org> Reviewed-on: https://gerrit.libreoffice.org/39273 Reviewed-by: Rene Engelhard <rene@debian.org> Tested-by: Rene Engelhard <rene@debian.org>
author: Miklos Vajna <vmiklos@collabora.co.uk> 2017-06-20 21:47:38 +0200
committer: Rene Engelhard <rene@debian.org> 2017-07-04 19:22:19 +0200
commit: c349af53490d5e883ec791fb743092243c7ad46e (patch)
tree: e1c4f506a16c2a3262383a20ac8d1236e5c70b24 /xmlsecurity
parent: 10019608fd49c9d96b7015f982f40b1c09bc8b14 (diff)
3 files changed, 29 insertions, 15 deletions
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
index 3d5c24b9b6f1..4a8a6554311b 100644
--- a/xmlsecurity/inc/xmlsec-wrapper.h
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -40,6 +40,9 @@
 #include "xmlsec/xmlenc.h"
 #include "xmlsec/xmlsec.h"
 #include "xmlsec/xmltree.h"
+#ifdef XMLSEC_CRYPTO_NSS
+#include "xmlsec/nss/pkikeys.h"
+#endif
 
 #endif
 
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 959e62cc34e0..a5b29017d180 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -474,6 +474,9 @@ Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUS
 }
 
 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
+    // Remember the signing certificate.
+    m_xSigningCertificate = begin;
+
     const X509Certificate_NssImpl* xcert ;
     const CERTCertificate* cert ;
     CERTCertList* certChain ;
@@ -881,19 +884,8 @@ X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
     return xcert ;
 }
 
-
-/* Native methods */
 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
 
-    unsigned int i ;
-    CERTCertDBHandle* handler = nullptr ;
-    PK11SymKey* symKey = nullptr ;
-    SECKEYPublicKey* pubKey = nullptr ;
-    SECKEYPrivateKey* priKey = nullptr ;
-    xmlSecKeysMngrPtr pKeysMngr = nullptr ;
-
-    handler = m_pHandler;
-
     /*-
      * The following lines is based on the private version of xmlSec-NSS
      * crypto engine
@@ -905,14 +897,15 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); ++islots, ++count)
         slots[count] = *islots;
 
-    pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
+    xmlSecKeysMngrPtr pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, m_pHandler ) ;
     if( pKeysMngr == nullptr )
         throw RuntimeException() ;
 
     /*-
      * Adopt symmetric key into keys manager
      */
-    for( i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
+    PK11SymKey* symKey = nullptr ;
+    for( unsigned int i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
             throw RuntimeException() ;
         }
@@ -921,7 +914,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     /*-
      * Adopt asymmetric public key into keys manager
      */
-    for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
+    SECKEYPublicKey* pubKey = nullptr ;
+    for( unsigned int i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
             throw RuntimeException() ;
         }
@@ -930,11 +924,26 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     /*-
      * Adopt asymmetric private key into keys manager
      */
-    for( i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
+    SECKEYPrivateKey* priKey = nullptr ;
+    for( unsigned int i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) {
         if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
             throw RuntimeException() ;
         }
     }
+
+    // Adopt the private key of the signing certificate, if it has any.
+    if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
+    {
+        if (auto pCERTCertificate = const_cast<CERTCertificate*>(pCertificate->getNssCert()))
+        {
+            SECKEYPrivateKey* pPrivateKey = PK11_FindPrivateKeyFromCert(pCERTCertificate->slot, pCERTCertificate, nullptr);
+            xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
+            xmlSecKeyPtr pKey = xmlSecKeyCreate();
+            xmlSecKeySetValue(pKey, pKeyData);
+            xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
+        }
+    }
+
     return pKeysMngr ;
 }
 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
index 5b0e8920abd2..46aba7bc0990 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx
@@ -54,6 +54,8 @@ private:
 
     std::list< PK11SlotInfo* > m_Slots;
     typedef std::list< PK11SlotInfo* >::const_iterator CIT_SLOTS;
+    /// The last used certificate which has the private key for signing.
+    css::uno::Reference<css::security::XCertificate> m_xSigningCertificate;
 
     osl::Mutex m_mutex;
author	Miklos Vajna <vmiklos@collabora.co.uk>	2017-06-20 21:47:38 +0200
committer	Rene Engelhard <rene@debian.org>	2017-07-04 19:22:19 +0200
commit	c349af53490d5e883ec791fb743092243c7ad46e (patch)
tree	e1c4f506a16c2a3262383a20ac8d1236e5c70b24 /xmlsecurity
parent	10019608fd49c9d96b7015f982f40b1c09bc8b14 (diff)