xmlsecurity: use xmlsec API instead of patching out cert verification

This flag does exactly what we need since xmlsec-1.2.24. Change-Id: I3ae052d4bfe564c3234aef2511ef82ebdb452ebe Reviewed-on: https://gerrit.libreoffice.org/37700Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>

xmlsecurity: use xmlsec API instead of patching out cert verification
This flag does exactly what we need since xmlsec-1.2.24. Change-Id: I3ae052d4bfe564c3234aef2511ef82ebdb452ebe Reviewed-on: https://gerrit.libreoffice.org/37700Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>
273da4e3 · Miklos Vajna · 7ae50f52 · 273da4e3 · 7ae50f52 · 273da4e3
Kaydet (Commit) 273da4e3 authored May 17, 2017 tarafından Miklos Vajna
4 changed files
--- a/external/libxmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/libxmlsec/UnpackedTarball_xmlsec.mk
@@ -10,7 +10,6 @@
 xmlsec_patches :=
 xmlsec_patches += xmlsec1-configure.patch.1
 xmlsec_patches += xmlsec1-nssdisablecallbacks.patch.1
-xmlsec_patches += xmlsec1-noverify.patch.1
 xmlsec_patches += xmlsec1-vc.patch.1
 xmlsec_patches += xmlsec1-1.2.14_fix_extern_c.patch.1
 xmlsec_patches += xmlsec1-customkeymanage.patch.1

--- a/external/libxmlsec/xmlsec1-noverify.patch.1
+++ b/external/libxmlsec/xmlsec1-noverify.patch.1
-From 4960b231f67eb86e5f6d6a79154c15268c959b34 Mon Sep 17 00:00:00 2001
-From: Miklos Vajna <vmiklos@collabora.co.uk>
-Date: Fri, 4 Mar 2016 16:10:16 +0100
-Subject: [PATCH] xmlsec1-noverify.patch
-
-Conflicts:
-	src/mscrypto/x509vfy.c
-	src/nss/x509vfy.c
---
- src/mscrypto/x509vfy.c | 12 ++++++++----
- src/nss/x509vfy.c      | 24 ++++++++++--------------
- 2 files changed, 18 insertions(+), 18 deletions(-)
-
-diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c
-index e4a84a60..a12cb709 100644
--- a/src/mscrypto/x509vfy.c
-+++ b/src/mscrypto/x509vfy.c
-@@ -525,10 +525,14 @@ xmlSecMSCryptoX509StoreVerify(xmlSecKeyDataStorePtr store, HCERTSTORE certs,
-         }
- 
-         if(selected == 1) {
-	    if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) != 0
-               || xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
-                return(cert);
-            }
-+        /* JL: OpenOffice.org implements its own certificate verification routine. 
-+           The goal is to separate validation of the signature
-+           and the certificate. For example, OOo could show that the document signature is valid,
-+           but the certificate could not be verified. If we do not prevent the verification of
-+           the certificate by libxmlsec and the verification fails, then the XML signature will not be 
-+           verified. This would happen, for example, if the root certificate is not installed.                
-+         */
-+            return(cert);
-         }
-     }
- 
-diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
-index cd328fea..b28a37e1 100644
--- a/src/nss/x509vfy.c
-+++ b/src/nss/x509vfy.c
-@@ -213,20 +213,16 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
-             continue;
-         }
- 
-        if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) {
-            /* it's important to set the usage here, otherwise no real verification
-             * is performed. */
-            status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
-                                            cert, PR_FALSE,
-                                            certificateUsageEmailSigner,
-                                            timeboundary , NULL, NULL, NULL);
-            if(status == SECSuccess) {
-                break;
-            }
-        } else {
-            status = SECSuccess;
-            break;
-        }
-+       /*
-+      JL: OpenOffice.org implements its own certificate verification routine. 
-+      The goal is to separate validation of the signature
-+      and the certificate. For example, OOo could show that the document signature is valid,
-+      but the certificate could not be verified. If we do not prevent the verification of
-+      the certificate by libxmlsec and the verification fails, then the XML signature may not be 
-+      verified. This would happen, for example, if the root certificate is not installed.
-+    */
-+        status = SECSuccess;
-+        break;
-     }
- 
-     if (status == SECSuccess) {
-- 
-2.12.0
-
--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
@@ -196,6 +196,9 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
        return aTemplate;
    }

+    // We do certificate verification ourselves.
+    pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+
    //Verify signature
    //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0)
    //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if

--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
@@ -221,6 +221,9 @@ SAL_CALL XMLSignature_NssImpl::validate(
            return aTemplate;
        }

+        // We do certificate verification ourselves.
+        pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+
        //Verify signature
        int rs = xmlSecDSigCtxVerify( pDsigCtx , pNode );