gpg4libre: initial GPG signature generation

* takes XML-Sec signature template
* calculates digest for all added reference streams
* produces signature value over canonicalized signature template
* writes same as detached signature into template, streams that out

Change-Id: I303e080dc25c440175fe1ae897f03cf356d5d0f2
Reviewed-on: https://gerrit.libreoffice.org/36106
Reviewed-by: Siegmund Gorr <siegmund.gorr@cib.de>
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>

19 files changed, 576 insertions, 109 deletions

diff --git a/xmlsecurity/Library_xsec_gpg.mk b/xmlsecurity/Library_xsec_gpg.mk
index 95bd533531de..5a42136bb2a4 100644
--- a/xmlsecurity/Library_xsec_gpg.mk
+++ b/xmlsecurity/Library_xsec_gpg.mk
@@ -9,13 +9,20 @@
 
 $(eval $(call gb_Library_Library,xsec_gpg))
 
+ifneq ($(OS),WNT)
+$(eval $(call gb_Library_set_componentfile,xsec_gpg,xmlsecurity/util/xsec_gpg))
+endif
+
 $(eval $(call gb_Library_set_include,xsec_gpg,\
 	$$(INCLUDE) \
 	-I$(SRCDIR)/xmlsecurity/inc \
 	-I$(SRCDIR)/xmlsecurity/source/gpg \
-))
+	-I$(call gb_UnpackedTarball_get_dir,xmlsec/include \
+)))
 
 $(eval $(call gb_Library_add_defs,xsec_gpg,\
+	-DXMLSEC_NO_XSLT \
+	-DXMLSEC_CRYPTO_NSS \
 	-DXSECGPG_DLLIMPLEMENTATION \
 ))
 
@@ -27,7 +34,14 @@ $(eval $(call gb_Library_use_sdk_api,xsec_gpg))
 
 $(eval $(call gb_Library_set_precompiled_header,xsec_gpg,$(SRCDIR)/xmlsecurity/inc/pch/precompiled_xsec_gpg))
 
-$(eval $(call gb_Library_use_externals,xsec_gpg,gpgmepp))
+$(eval $(call gb_Library_use_packages,xsec_gpg,\
+	xmlsec \
+))
+$(eval $(call gb_Library_use_externals,xsec_gpg,\
+	boost_headers \
+	libxml2 \
+	nss3 \
+	gpgmepp))
 
 $(eval $(call gb_Library_use_libraries,xsec_gpg,\
 	comphelper \
@@ -37,17 +51,27 @@ $(eval $(call gb_Library_use_libraries,xsec_gpg,\
 	svl \
 	tl \
 	xo \
+	xsec_xmlsec \
+))
+
+$(eval $(call gb_Library_add_defs,xsec_gpg,\
+	-DXMLSEC_CRYPTO_NSS \
+))
+$(eval $(call gb_Library_add_libs,xsec_gpg,\
+	$(call gb_UnpackedTarball_get_dir,xmlsec)/src/nss/.libs/libxmlsec1-nss.a \
+	$(call gb_UnpackedTarball_get_dir,xmlsec)/src/.libs/libxmlsec1.a \
 ))
 
 $(eval $(call gb_Library_add_exception_objects,xsec_gpg,\
 	xmlsecurity/source/gpg/CertificateImpl \
 	xmlsecurity/source/gpg/CipherContext \
 	xmlsecurity/source/gpg/DigestContext \
+	xmlsecurity/source/gpg/GpgComponentFactory \
 	xmlsecurity/source/gpg/SecurityEnvironment \
 	xmlsecurity/source/gpg/SEInitializer \
 	xmlsecurity/source/gpg/XMLEncryption \
 	xmlsecurity/source/gpg/XMLSecurityContext \
-	xmlsecurity/source/gpg/XMLSignature \
+	xmlsecurity/source/gpg/xmlsignature_gpgimpl \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/xmlsecurity/source/xmlsec/errorcallback.hxx b/xmlsecurity/inc/xmlsec/errorcallback.hxx
index 61f23aaa6b0e..61f23aaa6b0e 100644
--- a/xmlsecurity/source/xmlsec/errorcallback.hxx
+++ b/xmlsecurity/inc/xmlsec/errorcallback.hxx
diff --git a/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.hxx b/xmlsecurity/inc/xmlsec/xmlelementwrapper_xmlsecimpl.hxx
index 70beb87eb6a6..1967370a3928 100644
--- a/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.hxx
+++ b/xmlsecurity/inc/xmlsec/xmlelementwrapper_xmlsecimpl.hxx
@@ -27,12 +27,13 @@
 #include <cppuhelper/implbase.hxx>
 
 #include <libxml/tree.h>
+#include <xsecxmlsecdllapi.h>
 
 namespace com { namespace sun { namespace star { namespace uno {
     class XComponentContext;
 } } } }
 
-class XMLElementWrapper_XmlSecImpl : public cppu::WeakImplHelper
+class XSECXMLSEC_DLLPUBLIC XMLElementWrapper_XmlSecImpl : public cppu::WeakImplHelper
 <
     css::xml::wrapper::XXMLElementWrapper,
     css::lang::XUnoTunnel,
diff --git a/xmlsecurity/source/xmlsec/xmlstreamio.hxx b/xmlsecurity/inc/xmlsec/xmlstreamio.hxx
index 6676dc68aeab..6676dc68aeab 100644
--- a/xmlsecurity/source/xmlsec/xmlstreamio.hxx
+++ b/xmlsecurity/inc/xmlsec/xmlstreamio.hxx
diff --git a/xmlsecurity/source/gpg/GpgComponentFactory.cxx b/xmlsecurity/source/gpg/GpgComponentFactory.cxx
new file mode 100644
index 000000000000..88d1ac854395
--- /dev/null
+++ b/xmlsecurity/source/gpg/GpgComponentFactory.cxx
@@ -0,0 +1,50 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include <sal/config.h>
+
+#include <osl/mutex.hxx>
+#include <osl/thread.h>
+#include <cppuhelper/factory.hxx>
+#include <com/sun/star/lang/XSingleServiceFactory.hpp>
+
+#include "xmlsignature_gpgimpl.hxx"
+
+using namespace ::cppu;
+using namespace ::com::sun::star::uno;
+using namespace ::com::sun::star::lang;
+using namespace ::com::sun::star::registry;
+
+extern "C"
+{
+
+void* SAL_CALL gpg_component_getFactory( const sal_Char* pImplName , void* pServiceManager , void* /*pRegistryKey*/ )
+{
+    void* pRet = nullptr;
+    Reference< XSingleServiceFactory > xFactory ;
+
+    if( pImplName != nullptr && pServiceManager != nullptr )
+    {
+        if( XMLSignature_GpgImpl::impl_getImplementationName().equalsAscii( pImplName ) )
+        {
+            xFactory = XMLSignature_GpgImpl::impl_createFactory( static_cast< XMultiServiceFactory* >( pServiceManager ) ) ;
+        }
+    }
+
+    if( xFactory.is() ) {
+        xFactory->acquire() ;
+        pRet = xFactory.get() ;
+    }
+
+    return pRet ;
+}
+
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/gpg/XMLSignature.cxx b/xmlsecurity/source/gpg/XMLSignature.cxx
deleted file mode 100644
index 6bebb698d434..000000000000
--- a/xmlsecurity/source/gpg/XMLSignature.cxx
+++ /dev/null
@@ -1,43 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*
- * This file is part of the LibreOffice project.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-#include "XMLSignature.hxx"
-#include "SecurityEnvironment.hxx"
-#include "XMLSecurityContext.hxx"
-
-#include <cppuhelper/supportsservice.hxx>
-
-using namespace css::uno;
-using namespace css::lang;
-using namespace css::xml::wrapper;
-using namespace css::xml::crypto;
-
-XMLSignatureGpg::XMLSignatureGpg()
-{
-}
-
-XMLSignatureGpg::~XMLSignatureGpg()
-{
-}
-
-/* XXMLSignature */
-Reference< XXMLSignatureTemplate > SAL_CALL XMLSignatureGpg::generate(const Reference< XXMLSignatureTemplate >& /*aTemplate*/,
-                                                                   const Reference< XSecurityEnvironment >& /*aEnvironment*/)
-{
-    return nullptr;
-}
-
-/* XXMLSignature */
-Reference< XXMLSignatureTemplate > SAL_CALL XMLSignatureGpg::validate(const Reference< XXMLSignatureTemplate >& /*aTemplate*/,
-                                                                   const Reference< XXMLSecurityContext >& /*aSecurityCtx*/)
-{
-    return nullptr;
-}
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/gpg/XMLSignature.hxx b/xmlsecurity/source/gpg/XMLSignature.hxx
deleted file mode 100644
index 8e8a49cb3ad5..000000000000
--- a/xmlsecurity/source/gpg/XMLSignature.hxx
+++ /dev/null
@@ -1,44 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*
- * This file is part of the LibreOffice project.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-#ifndef INCLUDED_XMLSECURITY_SOURCE_XMLSEC_GPG_XMLSIGNATURE_HXX
-#define INCLUDED_XMLSECURITY_SOURCE_XMLSEC_GPG_XMLSIGNATURE_HXX
-
-#include <sal/config.h>
-#include <rtl/ustring.hxx>
-#include <cppuhelper/implbase.hxx>
-#include <com/sun/star/uno/Exception.hpp>
-
-#include <com/sun/star/uno/Reference.hxx>
-#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
-#include <com/sun/star/xml/crypto/XXMLSignatureTemplate.hpp>
-#include <com/sun/star/xml/crypto/XXMLSecurityContext.hpp>
-#include <com/sun/star/xml/crypto/XMLSignatureException.hpp>
-
-class XMLSignatureGpg : public cppu::WeakImplHelper< css::xml::crypto::XXMLSignature >
-{
-public:
-    explicit XMLSignatureGpg();
-    virtual ~XMLSignatureGpg() override;
-
-    // XXMLSignature
-    virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL generate(
-        const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
-        const css::uno::Reference< css::xml::crypto::XSecurityEnvironment >& aEnvironment
-    ) override;
-
-    virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL validate(
-        const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
-        const css::uno::Reference< css::xml::crypto::XXMLSecurityContext >& aContext
-    ) override;
-};
-
-#endif // INCLUDED_XMLSECURITY_SOURCE_XMLSEC_GPG_XMLSIGNATURE_HXX
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
new file mode 100644
index 000000000000..b33d7990c66d
--- /dev/null
+++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
@@ -0,0 +1,371 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#include <sal/config.h>
+#include <rtl/uuid.h>
+#include "xmlsignature_gpgimpl.hxx"
+
+#include <gpgme.h>
+#include <context.h>
+#include <key.h>
+#include <data.h>
+#include <signingresult.h>
+
+#include "xmlsec/xmldocumentwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlstreamio.hxx"
+#include "xmlsec/errorcallback.hxx"
+
+#include "SecurityEnvironment.hxx"
+#include "xmlsec-wrapper.h"
+
+using namespace ::com::sun::star::uno ;
+using namespace ::com::sun::star::lang ;
+using ::com::sun::star::lang::XMultiServiceFactory ;
+using ::com::sun::star::lang::XSingleServiceFactory ;
+
+using ::com::sun::star::xml::wrapper::XXMLElementWrapper ;
+using ::com::sun::star::xml::wrapper::XXMLDocumentWrapper ;
+using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
+using ::com::sun::star::xml::crypto::XXMLSignature ;
+using ::com::sun::star::xml::crypto::XXMLSignatureTemplate ;
+using ::com::sun::star::xml::crypto::XXMLSecurityContext ;
+using ::com::sun::star::xml::crypto::XUriBinding ;
+
+XMLSignature_GpgImpl::XMLSignature_GpgImpl() {
+}
+
+XMLSignature_GpgImpl::~XMLSignature_GpgImpl() {
+}
+
+/* XXMLSignature */
+Reference< XXMLSignatureTemplate >
+SAL_CALL XMLSignature_GpgImpl::generate(
+    const Reference< XXMLSignatureTemplate >& aTemplate ,
+    const Reference< XSecurityEnvironment >& aEnvironment
+)
+{
+    xmlSecDSigCtxPtr pDsigCtx = nullptr ;
+    xmlNodePtr pNode = nullptr ;
+
+    if( !aTemplate.is() )
+        throw RuntimeException() ;
+
+    if( !aEnvironment.is() )
+        throw RuntimeException() ;
+
+    //Get the xml node
+    Reference< XXMLElementWrapper > xElement = aTemplate->getTemplate() ;
+    if( !xElement.is() ) {
+        throw RuntimeException() ;
+    }
+
+    XMLElementWrapper_XmlSecImpl* pElement =
+        dynamic_cast<XMLElementWrapper_XmlSecImpl*>(xElement.get());
+    if( pElement == nullptr ) {
+        throw RuntimeException() ;
+    }
+
+    pNode = pElement->getNativeElement() ;
+
+    //Get the stream/URI binding
+    Reference< XUriBinding > xUriBinding = aTemplate->getBinding() ;
+    if( xUriBinding.is() ) {
+        //Register the stream input callbacks into libxml2
+        if( xmlRegisterStreamInputCallbacks( xUriBinding ) < 0 )
+            throw RuntimeException() ;
+    }
+
+    //Get Keys Manager
+    SecurityEnvironmentGpg* pSecEnv =
+        dynamic_cast<SecurityEnvironmentGpg*>(aEnvironment.get());
+    if( pSecEnv == nullptr )
+        throw RuntimeException() ;
+
+    // TODO figure out key from pSecEnv!
+    // unclear how/where that is transported in nss impl...
+    setErrorRecorder();
+
+    //Create Signature context
+    pDsigCtx = xmlSecDSigCtxCreate( nullptr ) ;
+    if( pDsigCtx == nullptr )
+    {
+        clearErrorRecorder();
+        return aTemplate;
+    }
+
+    // Calculate digest for all references
+    xmlNodePtr cur = xmlSecGetNextElementNode(pNode->children);
+    if( cur != NULL )
+        cur = xmlSecGetNextElementNode(cur->children);
+    while( cur != NULL )
+    {
+        // some of those children I suppose should be reference elements
+        if( xmlSecCheckNodeName(cur, xmlSecNodeReference, xmlSecDSigNs) )
+        {
+            xmlSecDSigReferenceCtxPtr pDsigRefCtx =
+                xmlSecDSigReferenceCtxCreate(pDsigCtx,
+                                             xmlSecDSigReferenceOriginSignedInfo);
+            if(pDsigRefCtx == NULL)
+                throw RuntimeException();
+
+            // add this one to the list
+            if( xmlSecPtrListAdd(&(pDsigCtx->signedInfoReferences),
+                                 pDsigRefCtx) < 0 )
+            {
+                // TODO resource handling
+                xmlSecDSigReferenceCtxDestroy(pDsigRefCtx);
+                throw RuntimeException();
+            }
+
+            if( xmlSecDSigReferenceCtxProcessNode(pDsigRefCtx, cur) < 0 )
+                throw RuntimeException();
+
+            // final check - all good?
+            if(pDsigRefCtx->status != xmlSecDSigStatusSucceeded)
+            {
+                pDsigCtx->status = xmlSecDSigStatusInvalid;
+                return aTemplate; // TODO - harder error?
+            }
+        }
+
+        cur = xmlSecGetNextElementNode(cur->next);
+    }
+
+    // get me a digestible buffer from the signature template!
+    // -------------------------------------------------------
+
+    // run the transformations
+    xmlSecNodeSetPtr nodeset = NULL;
+    nodeset = xmlSecNodeSetGetChildren(pNode->doc, pNode, 1, 0);
+    if(nodeset == NULL)
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    if( xmlSecTransformCtxXmlExecute(&(pDsigCtx->transformCtx), nodeset) < 0 )
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    //Sign the template via gpgme
+    GpgME::initializeLibrary();
+    if( GpgME::checkEngine(GpgME::OpenPGP) )
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    GpgME::Context* ctx = GpgME::Context::createForProtocol(GpgME::OpenPGP);
+    if( ctx == nullptr )
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    ctx->setKeyListMode(GPGME_KEYLIST_MODE_LOCAL);
+    GpgME::Error err;
+    if( ctx->addSigningKey(ctx->key("0x909BE2575CEDBEA3", err, true)) )
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    // good, ctx is setup now, let's sign the lot
+    GpgME::Data data_in(
+        reinterpret_cast<char*>(xmlSecBufferGetData(pDsigCtx->transformCtx.result)),
+        xmlSecBufferGetSize(pDsigCtx->transformCtx.result), false);
+    GpgME::Data data_out;
+
+    GpgME::SigningResult sign_res=ctx->sign(data_in, data_out,
+                                            GpgME::Clearsigned);
+    // TODO: needs some error handling
+    data_out.seek(0,SEEK_SET);
+    int len=0, curr=0; char buf;
+    while( (curr=data_out.read(&buf, 1)) )
+        len += curr;
+
+    // write signed data to xml
+    std::vector<unsigned char> buf2(len);
+    data_out.seek(0,SEEK_SET);
+    if( data_out.read(&buf2[0], len) != len )
+        throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
+
+    // walk xml tree to sign value node - go to children, first is
+    // SignedInfo, 2nd is signaturevalue
+    cur = xmlSecGetNextElementNode(pNode->children);
+    cur = xmlSecGetNextElementNode(cur->next);
+
+    xmlNodeSetContentLen(cur, &buf2[0], len);
+
+    // done
+    xmlSecDSigCtxDestroy( pDsigCtx ) ;
+
+    //Unregistered the stream/URI binding
+    if( xUriBinding.is() )
+        xmlUnregisterStreamInputCallbacks() ;
+
+    clearErrorRecorder();
+    return aTemplate ;
+}
+
+/* XXMLSignature */
+Reference< XXMLSignatureTemplate >
+SAL_CALL XMLSignature_GpgImpl::validate(
+    const Reference< XXMLSignatureTemplate >& aTemplate ,
+    const Reference< XXMLSecurityContext >& aSecurityCtx
+) {
+    xmlSecKeysMngrPtr pMngr = nullptr ;
+    xmlSecDSigCtxPtr pDsigCtx = nullptr ;
+    xmlNodePtr pNode = nullptr ;
+    //sal_Bool valid ;
+    (void)pMngr; (void)pDsigCtx; (void)pNode;
+
+    if( !aTemplate.is() )
+        throw RuntimeException() ;
+
+    if( !aSecurityCtx.is() )
+        throw RuntimeException() ;
+
+    //Get the xml node
+    Reference< XXMLElementWrapper > xElement = aTemplate->getTemplate() ;
+    if( !xElement.is() )
+        throw RuntimeException() ;
+
+    XMLElementWrapper_XmlSecImpl* pElement =
+        dynamic_cast<XMLElementWrapper_XmlSecImpl*>(xElement.get());
+    if( pElement == nullptr )
+        throw RuntimeException() ;
+
+    pNode = pElement->getNativeElement() ;
+
+    //Get the stream/URI binding
+    Reference< XUriBinding > xUriBinding = aTemplate->getBinding() ;
+    if( xUriBinding.is() ) {
+        //Register the stream input callbacks into libxml2
+        if( xmlRegisterStreamInputCallbacks( xUriBinding ) < 0 )
+            throw RuntimeException() ;
+    }
+
+    setErrorRecorder();
+
+    sal_Int32 nSecurityEnvironment = aSecurityCtx->getSecurityEnvironmentNumber();
+    sal_Int32 i;
+
+    for (i=0; i<nSecurityEnvironment; ++i)
+    {
+        Reference< XSecurityEnvironment > aEnvironment = aSecurityCtx->getSecurityEnvironmentByIndex(i);
+
+        //Get Keys Manager
+        Reference< XUnoTunnel > xSecTunnel( aEnvironment , UNO_QUERY_THROW ) ;
+#if 0
+        SecurityEnvironment_NssImpl* pSecEnv =
+            reinterpret_cast<SecurityEnvironment_NssImpl*>(
+                sal::static_int_cast<sal_uIntPtr>(
+                    xSecTunnel->getSomething( SecurityEnvironment_NssImpl::getUnoTunnelId() )));
+        if( pSecEnv == nullptr )
+            throw RuntimeException() ;
+
+        pMngr = pSecEnv->createKeysManager();
+        if( !pMngr ) {
+            throw RuntimeException() ;
+        }
+
+        //Create Signature context
+        pDsigCtx = xmlSecDSigCtxCreate( pMngr ) ;
+        if( pDsigCtx == nullptr )
+        {
+            SecurityEnvironment_NssImpl::destroyKeysManager( pMngr );
+            //throw XMLSignatureException() ;
+            clearErrorRecorder();
+            return aTemplate;
+        }
+
+        //Verify signature
+        int rs = xmlSecDSigCtxVerify( pDsigCtx , pNode );
+
+        // Also verify manifest: this is empty for ODF, but contains everything (except signature metadata) for OOXML.
+        xmlSecSize nReferenceCount = xmlSecPtrListGetSize(&pDsigCtx->manifestReferences);
+        // Require that all manifest references are also good.
+        xmlSecSize nReferenceGood = 0;
+        for (xmlSecSize nReference = 0; nReference < nReferenceCount; ++nReference)
+        {
+            xmlSecDSigReferenceCtxPtr pReference = static_cast<xmlSecDSigReferenceCtxPtr>(xmlSecPtrListGetItem(&pDsigCtx->manifestReferences, nReference));
+            if (pReference)
+            {
+                if (pReference->status == xmlSecDSigStatusSucceeded)
+                    ++nReferenceGood;
+            }
+        }
+
+        if (rs == 0 && pDsigCtx->status == xmlSecDSigStatusSucceeded && nReferenceCount == nReferenceGood)
+        {
+            aTemplate->setStatus(css::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED);
+            xmlSecDSigCtxDestroy( pDsigCtx ) ;
+            SecurityEnvironment_NssImpl::destroyKeysManager( pMngr );
+            break;
+        }
+        else
+        {
+            aTemplate->setStatus(css::xml::crypto::SecurityOperationStatus_UNKNOWN);
+        }
+        xmlSecDSigCtxDestroy( pDsigCtx ) ;
+        SecurityEnvironment_NssImpl::destroyKeysManager( pMngr );
+#endif
+    }
+
+
+    //Unregistered the stream/URI binding
+    if( xUriBinding.is() )
+        xmlUnregisterStreamInputCallbacks() ;
+
+    //return valid ;
+    clearErrorRecorder();
+    return aTemplate;
+}
+
+/* XServiceInfo */
+OUString SAL_CALL XMLSignature_GpgImpl::getImplementationName() {
+    return impl_getImplementationName() ;
+}
+
+/* XServiceInfo */
+sal_Bool SAL_CALL XMLSignature_GpgImpl::supportsService( const OUString& serviceName) {
+    Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
+    const OUString* pArray = seqServiceNames.getConstArray() ;
+    for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
+        if( *( pArray + i ) == serviceName )
+            return true ;
+    }
+    return false ;
+}
+
+/* XServiceInfo */
+Sequence< OUString > SAL_CALL XMLSignature_GpgImpl::getSupportedServiceNames() {
+    return impl_getSupportedServiceNames() ;
+}
+
+//Helper for XServiceInfo
+Sequence< OUString > XMLSignature_GpgImpl::impl_getSupportedServiceNames() {
+    ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
+    Sequence<OUString> seqServiceNames { "com.sun.star.xml.crypto.XMLSignature" };
+    return seqServiceNames ;
+}
+
+OUString XMLSignature_GpgImpl::impl_getImplementationName() {
+    return OUString("com.sun.star.xml.security.bridge.xmlsec.XMLSignature_GpgImpl") ;
+}
+
+//Helper for registry
+Reference< XInterface > SAL_CALL XMLSignature_GpgImpl::impl_createInstance( const Reference< XMultiServiceFactory >& ) {
+    return Reference< XInterface >( *new XMLSignature_GpgImpl ) ;
+}
+
+Reference< XSingleServiceFactory > XMLSignature_GpgImpl::impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
+    return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.hxx b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.hxx
new file mode 100644
index 000000000000..96dfa0c39f3e
--- /dev/null
+++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.hxx
@@ -0,0 +1,83 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef INCLUDED_XMLSECURITY_SOURCE_GPG_XMLSIGNATURE_GPGIMPL_HXX
+#define INCLUDED_XMLSECURITY_SOURCE_GPG_XMLSIGNATURE_GPGIMPL_HXX
+
+#include <sal/config.h>
+#include <rtl/ustring.hxx>
+#include <xsecgpgdllapi.h>
+
+#include <cppuhelper/factory.hxx>
+#include <cppuhelper/implbase.hxx>
+#include <com/sun/star/uno/Exception.hpp>
+
+#include <com/sun/star/uno/Reference.hxx>
+#include <com/sun/star/lang/XSingleServiceFactory.hpp>
+
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignatureTemplate.hpp>
+#include <com/sun/star/xml/crypto/XXMLSecurityContext.hpp>
+
+// TODO: hack, remove dllpublic again...
+class XSECGPG_DLLPUBLIC XMLSignature_GpgImpl : public ::cppu::WeakImplHelper<
+    css::xml::crypto::XXMLSignature ,
+    css::lang::XServiceInfo >
+{
+    public:
+        explicit XMLSignature_GpgImpl();
+        virtual ~XMLSignature_GpgImpl() override ;
+
+        //Methods from XXMLSignature
+        virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL generate(
+            const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
+            const css::uno::Reference< css::xml::crypto::XSecurityEnvironment >& aEnvironment
+        ) override ;
+
+        virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL validate(
+            const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
+            const css::uno::Reference< css::xml::crypto::XXMLSecurityContext >& aContext
+        ) override;
+
+        //Methods from XServiceInfo
+        virtual OUString SAL_CALL getImplementationName() override ;
+
+        virtual sal_Bool SAL_CALL supportsService(
+            const OUString& ServiceName
+        ) override ;
+
+        virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames() override ;
+
+        //Helper for XServiceInfo
+        static css::uno::Sequence< OUString > impl_getSupportedServiceNames() ;
+
+        /// @throws css::uno::RuntimeException
+        static OUString impl_getImplementationName() ;
+
+        //Helper for registry
+        /// @throws css::uno::RuntimeException
+        static css::uno::Reference< css::uno::XInterface > SAL_CALL impl_createInstance( const css::uno::Reference< css::lang::XMultiServiceFactory >& aServiceManager ) ;
+
+        static css::uno::Reference< css::lang::XSingleServiceFactory > impl_createFactory( const css::uno::Reference< css::lang::XMultiServiceFactory >& aServiceManager ) ;
+} ;
+
+#endif // INCLUDED_XMLSECURITY_SOURCE_GPG_XMLSIGNATURE_GPGIMPL_HXX
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/xmlsec/errorcallback.cxx b/xmlsecurity/source/xmlsec/errorcallback.cxx
index dc817db1e0bd..fa99d8d8a5b1 100644
--- a/xmlsecurity/source/xmlsec/errorcallback.cxx
+++ b/xmlsecurity/source/xmlsec/errorcallback.cxx
@@ -17,7 +17,7 @@
  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  */
 
-#include "errorcallback.hxx"
+#include "xmlsec/errorcallback.hxx"
 
 #include "xmlsec-wrapper.h"
 
@@ -48,12 +48,12 @@ void errorCallback(const char* file,
     SAL_WARN("xmlsecurity.xmlsec", file << ":" << line << ": " << func << "() '" << pErrorObject << "' '" << pErrorSubject << "' " << reason << " '" << pMsg << "'" << systemErrorString);
 }
 
-void setErrorRecorder()
+SAL_DLLPUBLIC_EXPORT void setErrorRecorder()
 {
     xmlSecErrorsSetCallback(errorCallback);
 }
 
-void clearErrorRecorder()
+SAL_DLLPUBLIC_EXPORT void clearErrorRecorder()
 {
     xmlSecErrorsSetCallback(nullptr);
 }
diff --git a/xmlsecurity/source/xmlsec/nss/xmlencryption_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlencryption_nssimpl.cxx
index b058fc645895..35c149896ddb 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlencryption_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlencryption_nssimpl.cxx
@@ -24,11 +24,10 @@
 #include "xmlencryption_nssimpl.hxx"
 
 #include "xmlsec/xmldocumentwrapper_xmlsecimpl.hxx"
-
-#include "xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/errorcallback.hxx"
 
 #include "securityenvironment_nssimpl.hxx"
-#include "errorcallback.hxx"
 
 #include "xmlsec-wrapper.h"
 
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsecuritycontext_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsecuritycontext_nssimpl.cxx
index 825fdb7d3530..6b7a78b1e6a1 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsecuritycontext_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsecuritycontext_nssimpl.cxx
@@ -22,7 +22,7 @@
 #include "securityenvironment_nssimpl.hxx"
 
 #include "xmlsecuritycontext_nssimpl.hxx"
-#include "xmlstreamio.hxx"
+#include "xmlsec/xmlstreamio.hxx"
 
 #include "xmlsec-wrapper.h"
 
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
index 385a083884b3..a78ff38695ef 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
@@ -22,14 +22,13 @@
 #include "xmlsignature_nssimpl.hxx"
 
 #include "xmlsec/xmldocumentwrapper_xmlsecimpl.hxx"
-
-#include "xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlstreamio.hxx"
+#include "xmlsec/errorcallback.hxx"
 
 #include "securityenvironment_nssimpl.hxx"
 
 #include "xmlsecuritycontext_nssimpl.hxx"
-#include "xmlstreamio.hxx"
-#include "errorcallback.hxx"
 
 #include "xmlsec-wrapper.h"
 
diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.hxx
index 92f50d9acb26..ecaad3cab95b 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.hxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.hxx
@@ -34,7 +34,9 @@
 #include <com/sun/star/xml/crypto/XXMLSignatureTemplate.hpp>
 #include <com/sun/star/xml/crypto/XXMLSecurityContext.hpp>
 
-class XMLSignature_NssImpl : public ::cppu::WeakImplHelper<
+#include "xsecxmlsecdllapi.h"
+
+class XSECXMLSEC_DLLPUBLIC XMLSignature_NssImpl : public ::cppu::WeakImplHelper<
     css::xml::crypto::XXMLSignature ,
     css::lang::XServiceInfo >
 {
diff --git a/xmlsecurity/source/xmlsec/xmldocumentwrapper_xmlsecimpl.cxx b/xmlsecurity/source/xmlsec/xmldocumentwrapper_xmlsecimpl.cxx
index 1a40f347d74f..5ff6935a9075 100644
--- a/xmlsecurity/source/xmlsec/xmldocumentwrapper_xmlsecimpl.cxx
+++ b/xmlsecurity/source/xmlsec/xmldocumentwrapper_xmlsecimpl.cxx
@@ -23,9 +23,9 @@
 #include <com/sun/star/uno/XComponentContext.hpp>
 #include <cppuhelper/supportsservice.hxx>
 #include "xmlsec/xmldocumentwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
 
 #include <xmloff/attrlist.hxx>
-#include "xmlelementwrapper_xmlsecimpl.hxx"
 
 #include <stdlib.h>
 #include <string.h>
diff --git a/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.cxx b/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.cxx
index 6c9efb970083..36e5b5e8931b 100644
--- a/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.cxx
+++ b/xmlsecurity/source/xmlsec/xmlelementwrapper_xmlsecimpl.cxx
@@ -19,7 +19,7 @@
 
 #include <string.h>
 
-#include "xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
 #include <com/sun/star/uno/XComponentContext.hpp>
 #include <cppuhelper/supportsservice.hxx>
 #include <cppuhelper/typeprovider.hxx>
diff --git a/xmlsecurity/source/xmlsec/xmlstreamio.cxx b/xmlsecurity/source/xmlsec/xmlstreamio.cxx
index cfebd125856d..710f9795aca4 100644
--- a/xmlsecurity/source/xmlsec/xmlstreamio.cxx
+++ b/xmlsecurity/source/xmlsec/xmlstreamio.cxx
@@ -21,7 +21,7 @@
 /*
  * Implementation of the I/O interfaces based on stream and URI binding
  */
-#include "xmlstreamio.hxx"
+#include "xmlsec/xmlstreamio.hxx"
 #include <rtl/ustring.hxx>
 #include <rtl/uri.hxx>
 
@@ -180,7 +180,7 @@ int xmlEnableStreamInputCallbacks()
     return 0 ;
 }
 
-int xmlRegisterStreamInputCallbacks(
+SAL_DLLPUBLIC_EXPORT int xmlRegisterStreamInputCallbacks(
     css::uno::Reference< css::xml::crypto::XUriBinding >& aUriBinding
 ) {
     if( !( enableXmlStreamIO & XMLSTREAMIO_INITIALIZED ) ) {
@@ -197,7 +197,7 @@ int xmlRegisterStreamInputCallbacks(
     return 0 ;
 }
 
-int xmlUnregisterStreamInputCallbacks()
+SAL_DLLPUBLIC_EXPORT int xmlUnregisterStreamInputCallbacks()
 {
     if( ( enableXmlStreamIO & XMLSTREAMIO_REGISTERED ) ) {
         //Clear the uri-stream binding
diff --git a/xmlsecurity/source/xmlsec/xsec_xmlsec.cxx b/xmlsecurity/source/xmlsec/xsec_xmlsec.cxx
index 93d3e7c834bb..99738064c09f 100644
--- a/xmlsecurity/source/xmlsec/xsec_xmlsec.cxx
+++ b/xmlsecurity/source/xmlsec/xsec_xmlsec.cxx
@@ -23,7 +23,7 @@
 #include <cppuhelper/factory.hxx>
 
 #include "serialnumberadapter.hxx"
-#include "xmlelementwrapper_xmlsecimpl.hxx"
+#include "xmlsec/xmlelementwrapper_xmlsecimpl.hxx"
 #include "xmlsec/xmldocumentwrapper_xmlsecimpl.hxx"
 #include "xsec_xmlsec.hxx"
 
diff --git a/xmlsecurity/util/xsec_gpg.component b/xmlsecurity/util/xsec_gpg.component
new file mode 100644
index 000000000000..9a8f30ecfd10
--- /dev/null
+++ b/xmlsecurity/util/xsec_gpg.component
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ -->
+
+<component loader="com.sun.star.loader.SharedLibrary" environment="@CPPU_ENV@"
+    prefix="xsec_gpg" xmlns="http://openoffice.org/2010/uno-components">
+  <implementation name="com.sun.star.xml.security.bridge.xmlsec.XMLSignature_GpgImpl">
+    <service name="com.sun.star.xml.crypto.XMLSignature"/>
+  </implementation>
+</component>