xmlsecurity PDF verify: don't hide signatures where digest match is uncertain

Use case: the bugdoc has 2 signatures, one normal one and one with SubFilter=ETSI.RFC3161. By not hiding the second signature it's possible to counter-sign the document, even if we don't handle the contents of the second one. Change-Id: I580e1211072ec9839f01b529b569c98b702b6534 Reviewed-on: https://gerrit.libreoffice.org/31539Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>

xmlsecurity PDF verify: don't hide signatures where digest match is uncertain
Use case: the bugdoc has 2 signatures, one normal one and one with SubFilter=ETSI.RFC3161. By not hiding the second signature it's possible to counter-sign the document, even if we don't handle the contents of the second one. Change-Id: I580e1211072ec9839f01b529b569c98b702b6534 Reviewed-on: https://gerrit.libreoffice.org/31539Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>
61c81c45 · Miklos Vajna · 14a50701 · 61c81c45 · 61c81c45
Kaydet (Commit) 61c81c45 authored Ara 02, 2016 tarafından Miklos Vajna
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 5 deletions

pdfsigning.cxx xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +19 -2

pdfsignaturehelper.cxx xmlsecurity/source/helper/pdfsignaturehelper.cxx +0 -3

No files found.
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -72,6 +72,8 @@ public:
    void testGood();
    /// Test that we don't crash / loop while tokenizing these files.
    void testTokenize();
+    /// Test handling of unknown SubFilter values.
+    void testUnknownSubFilter();

    CPPUNIT_TEST_SUITE(PDFSigningTest);
    CPPUNIT_TEST(testPDFAdd);
@@ -87,6 +89,7 @@ public:
    CPPUNIT_TEST(testSigningCertificateAttribute);
    CPPUNIT_TEST(testGood);
    CPPUNIT_TEST(testTokenize);
+    CPPUNIT_TEST(testUnknownSubFilter);
    CPPUNIT_TEST_SUITE_END();
 };

@@ -388,8 +391,6 @@ void PDFSigningTest::testTokenize()
    {
        // We looped on this broken input.
        OUStringLiteral("no-eof.pdf"),
-        // Failed to read as \r wasn't handled as terminating a comment.
-        OUStringLiteral("cr-comment.pdf"),
        // ']' in a name token was mishandled.
        OUStringLiteral("name-bracket.pdf"),
        // %%EOF at the end wasn't followed by a newline.
@@ -407,6 +408,22 @@ void PDFSigningTest::testTokenize()
    }
 }

+void PDFSigningTest::testUnknownSubFilter()
+{
+    // Tokenize the bugdoc.
+    uno::Reference<xml::crypto::XSEInitializer> xSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
+    uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext = xSEInitializer->createSecurityContext(OUString());
+    SvStream* pStream = utl::UcbStreamHelper::CreateStream(m_directories.getURLFromSrc(DATA_DIRECTORY) + "cr-comment.pdf", StreamMode::READ | StreamMode::WRITE);
+    uno::Reference<io::XStream> xStream(new utl::OStreamWrapper(*pStream));
+    DocumentSignatureManager aManager(mxComponentContext, DocumentSignatureMode::Content);
+    aManager.mxSignatureStream = xStream;
+    aManager.read(/*bUseTempStream=*/false);
+
+    // Make sure we find both signatures, even if the second has unknown SubFilter.
+    std::vector<SignatureInformation>& rInformations = aManager.maCurrentSignatureInformations;
+    CPPUNIT_ASSERT_EQUAL(static_cast<std::size_t>(2), rInformations.size());
+}
+
 CPPUNIT_TEST_SUITE_REGISTRATION(PDFSigningTest);

 CPPUNIT_PLUGIN_IMPLEMENT();

--- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
@@ -56,10 +56,7 @@ bool PDFSignatureHelper::ReadAndVerifySignature(const uno::Reference<io::XInputS

        bool bLast = i == aSignatures.size() - 1;
        if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], aInfo, bLast))
-        {
            SAL_WARN("xmlsecurity.helper", "failed to determine digest match");
-            continue;
-        }

        m_aSignatureInfos.push_back(aInfo);
    }