From 56bd53dc3c8b7f05c55023700b3e0439dcd66aac Mon Sep 17 00:00:00 2001
From: Miklos Vajna <vmiklos@collabora.co.uk>
Date: Fri, 4 Mar 2016 16:10:16 +0100
Subject: [PATCH] xmlsec1-noverify.patch

Conflicts:
	src/nss/x509vfy.c
---
 src/mscrypto/x509vfy.c | 13 ++++++++++---
 src/nss/x509vfy.c      | 28 +++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c
index cf31787..80de2c9 100644
--- a/src/mscrypto/x509vfy.c
+++ b/src/mscrypto/x509vfy.c
@@ -560,9 +560,16 @@ xmlSecMSCryptoX509StoreVerify(xmlSecKeyDataStorePtr store, HCERTSTORE certs,
             CertFreeCertificateContext(nextCert);
         }
 
-        if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
-            return(cert);
-        }
+        /* JL: OpenOffice.org implements its own certificate verification routine. 
+           The goal is to separate validation of the signature
+           and the certificate. For example, OOo could show that the document signature is valid,
+           but the certificate could not be verified. If we do not prevent the verification of
+           the certificate by libxmlsec and the verification fails, then the XML signature will not be 
+           verified. This would happen, for example, if the root certificate is not installed.                
+         */
+/*      if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
+        if (selected == 1)
+            return cert;
     }
 
     return (NULL);
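Review bot: The new `if (selected == 1) return cert;` hands back a certificate whose chain was never constructed or checked, so the return value of this function no longer means "verified" even though its name and its callers' expectations still suggest it does; the `status = SECSuccess; break;` in the src/nss/x509vfy.c hunk has the same effect. The in-body comment gives the rationale, but the contract change belongs where callers look: a line such as `/* NOTE: chain verification is disabled by xmlsec1-noverify.patch; the caller is responsible for validating the returned certificate. */` above the function's declaration, which starts outside this hunk. With that in place, the dead condition kept as a comment on the line above the new `if` can be dropped, and the new body should be braced like the surrounding code, `if (selected == 1) { return(cert); }`. The enclosing function xmlSecMSCryptoX509StoreVerify begins before this hunk.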
diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
index fdb866f..8a6e97a 100644
--- a/src/nss/x509vfy.c
+++ b/src/nss/x509vfy.c
@@ -211,13 +211,27 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
             continue;
         }
 
-        status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
-                                        cert, PR_FALSE,
-                                        (SECCertificateUsage)0,
-                                        timeboundary , NULL, NULL, NULL);
-        if (status == SECSuccess) {
-            break;
-        }
+
+       /*
+      JL: OpenOffice.org implements its own certificate verification routine. 
+      The goal is to separate validation of the signature
+      and the certificate. For example, OOo could show that the document signature is valid,
+      but the certificate could not be verified. If we do not prevent the verification of
+      the certificate by libxmlsec and the verification fails, then the XML signature may not be 
+      verified. This would happen, for example, if the root certificate is not installed.
+      
+      status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 
+          cert, PR_FALSE, 
+          (SECCertificateUsage)0,
+          timeboundary , NULL, NULL, NULL);
+      if (status == SECSuccess) {
+         break;
+      }
+        
+    */
+       status = SECSuccess;
+       break;
+
     }
 
     if (status == SECSuccess) {
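Review bot: The block comment that now wraps the old CERT_VerifyCertificate() call keeps about ten lines of dead code in the function body at a 7-space indent that does not match the surrounding 8-space style, and the unconditional `status = SECSuccess; break;` beneath it is easy to miss. Replacing the commented-out code with a one-line note, e.g. `/* xmlsec1-noverify.patch: chain verification intentionally skipped; the application validates the certificate itself. */`, and aligning the two new statements with the `continue;` above would make the intent visible at a glance. If `timeboundary` was consumed only by the removed call, it is presumably now an unused variable and will draw a compiler warning; that cannot be confirmed from this hunk. The enclosing function xmlSecNssX509StoreVerify starts and continues outside this hunk.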
-- 
2.6.2