diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2017-06-20 21:47:38 +0200 |
---|---|---|
committer | Rene Engelhard <rene@debian.org> | 2017-07-04 19:22:19 +0200 |
commit | c349af53490d5e883ec791fb743092243c7ad46e (patch) | |
tree | e1c4f506a16c2a3262383a20ac8d1236e5c70b24 /xmlsecurity | |
parent | 10019608fd49c9d96b7015f982f40b1c09bc8b14 (diff) |
xmlsecurity nss: adopt the private key of the signing certificate explicitly
xmlsec1-customkeymanage.patch.1 of our bundled xmlsec extends
xmlSecNssKeyDataX509VerifyAndExtractKey(), so that it calls
xmlSecNssPKIAdoptKey() for the private key of the signing certificate.
Make this explicit in xmlsecurity/ code, so we don't depend on the
patched xmlSecNssKeyDataX509VerifyAndExtractKey().
This is harmless for the patched xmlsec, but it prevents this error:
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: keys.c:1246: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:790: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:503: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:286: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxSignatureProcessNode' 1 ' '
when xmlsec is not patched.
(This is needed, but not enough to build against system xmlsec.)
Change-Id: I5d68a8be7aefcb529566213f9b9c2985eab6a80a
Reviewed-on: https://gerrit.libreoffice.org/39023
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-on: https://gerrit.libreoffice.org/39273
Reviewed-by: Rene Engelhard <rene@debian.org>
Tested-by: Rene Engelhard <rene@debian.org>
Diffstat (limited to 'xmlsecurity')
-rw-r--r-- | xmlsecurity/inc/xmlsec-wrapper.h | 3 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx | 39 | ||||
-rw-r--r-- | xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx | 2 |
3 files changed, 29 insertions, 15 deletions
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h index 3d5c24b9b6f1..4a8a6554311b 100644 --- a/xmlsecurity/inc/xmlsec-wrapper.h +++ b/xmlsecurity/inc/xmlsec-wrapper.h @@ -40,6 +40,9 @@ #include "xmlsec/xmlenc.h" #include "xmlsec/xmlsec.h" #include "xmlsec/xmltree.h" +#ifdef XMLSEC_CRYPTO_NSS +#include "xmlsec/nss/pkikeys.h" +#endif #endif diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index 959e62cc34e0..a5b29017d180 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -474,6 +474,9 @@ Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUS } Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) { + // Remember the signing certificate. + m_xSigningCertificate = begin; + const X509Certificate_NssImpl* xcert ; const CERTCertificate* cert ; CERTCertList* certChain ; @@ -881,19 +884,8 @@ X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey ) return xcert ; } - -/* Native methods */ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() { - unsigned int i ; - CERTCertDBHandle* handler = nullptr ; - PK11SymKey* symKey = nullptr ; - SECKEYPublicKey* pubKey = nullptr ; - SECKEYPrivateKey* priKey = nullptr ; - xmlSecKeysMngrPtr pKeysMngr = nullptr ; - - handler = m_pHandler; - /*- * The following lines is based on the private version of xmlSec-NSS * crypto engine @@ -905,14 +897,15 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() { for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); ++islots, ++count) slots[count] = *islots; - pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ; + xmlSecKeysMngrPtr pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, m_pHandler ) ; if( pKeysMngr == nullptr ) throw RuntimeException() ; /*- * Adopt symmetric key into keys manager */ - for( i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) { + PK11SymKey* symKey = nullptr ; + for( unsigned int i = 0 ; ( symKey = this->getSymKey( i ) ) != nullptr ; i ++ ) { if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) { throw RuntimeException() ; } @@ -921,7 +914,8 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() { /*- * Adopt asymmetric public key into keys manager */ - for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) { + SECKEYPublicKey* pubKey = nullptr ; + for( unsigned int i = 0 ; ( pubKey = this->getPubKey( i ) ) != nullptr ; i ++ ) { if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) { throw RuntimeException() ; } @@ -930,11 +924,26 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() { /*- * Adopt asymmetric private key into keys manager */ - for( i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) { + SECKEYPrivateKey* priKey = nullptr ; + for( unsigned int i = 0 ; ( priKey = this->getPriKey( i ) ) != nullptr ; i ++ ) { if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) { throw RuntimeException() ; } } + + // Adopt the private key of the signing certificate, if it has any. + if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get())) + { + if (auto pCERTCertificate = const_cast<CERTCertificate*>(pCertificate->getNssCert())) + { + SECKEYPrivateKey* pPrivateKey = PK11_FindPrivateKeyFromCert(pCERTCertificate->slot, pCERTCertificate, nullptr); + xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr); + xmlSecKeyPtr pKey = xmlSecKeyCreate(); + xmlSecKeySetValue(pKey, pKeyData); + xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey); + } + } + return pKeysMngr ; } void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) { diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx index 5b0e8920abd2..46aba7bc0990 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx @@ -54,6 +54,8 @@ private: std::list< PK11SlotInfo* > m_Slots; typedef std::list< PK11SlotInfo* >::const_iterator CIT_SLOTS; + /// The last used certificate which has the private key for signing. + css::uno::Reference<css::security::XCertificate> m_xSigningCertificate; osl::Mutex m_mutex; |