xmlsec: update to 1.2.26

Allows dropping the xmlsec1-ecdsa-assert.patch.1 backport. Also fix the generated test certs + generator script to avoid expired certs for a while (.db files generated with Firefox 57.0). Change-Id: I8cba9a01633a3952c845e15e23b18d44544cdb59 Reviewed-on: https://gerrit.libreoffice.org/56123 Tested-by: Jenkins Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>

xmlsec: update to 1.2.26
Allows dropping the xmlsec1-ecdsa-assert.patch.1 backport. Also fix the generated test certs + generator script to avoid expired certs for a while (.db files generated with Firefox 57.0). Change-Id: I8cba9a01633a3952c845e15e23b18d44544cdb59 Reviewed-on: https://gerrit.libreoffice.org/56123 Tested-by: Jenkins Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
71198fe7 · Miklos Vajna · 231035fe · 71198fe7 · 71198fe7 · 71198fe7
Kaydet (Commit) 71198fe7 authored Haz 19, 2018 tarafından Miklos Vajna
9 changed files
--- a/download.lst
+++ b/download.lst
@@ -152,8 +152,8 @@ export LIBNUMBERTEXT_SHA256SUM := 98dd193983c9bdd31af053ddf7687640d2365b470755c8
 export LIBNUMBERTEXT_TARBALL := libnumbertext-1.0.2.tar.xz
 export LIBTOMMATH_SHA256SUM := 083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304f7281f8f7347483
 export LIBTOMMATH_TARBALL := ltm-1.0.zip
-export XMLSEC_SHA256SUM := 967ca83edf25ccb5b48a3c4a09ad3405a63365576503bf34290a42de1b92fcd2
-export XMLSEC_TARBALL := xmlsec1-1.2.25.tar.gz
+export XMLSEC_SHA256SUM := 8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50
+export XMLSEC_TARBALL := xmlsec1-1.2.26.tar.gz
 export LIBXML_SHA256SUM := 0b74e51595654f958148759cfef0993114ddccccbb6f31aee018f3558e8e2732
 export LIBXML_VERSION_MICRO := 8
 export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.gz

--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -11,8 +11,6 @@ xmlsec_patches :=
 xmlsec_patches += xmlsec1-configure.patch.1
 xmlsec_patches += xmlsec1-vc.patch.1
 xmlsec_patches += xmlsec1-1.2.14_fix_extern_c.patch.1
-# Backport of <https://github.com/lsh123/xmlsec/pull/172>.
-xmlsec_patches += xmlsec1-ecdsa-assert.patch.1

 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))


--- a/external/xmlsec/xmlsec1-1.2.14_fix_extern_c.patch.1
+++ b/external/xmlsec/xmlsec1-1.2.14_fix_extern_c.patch.1
-From d1c1da86faff8210235255b485e12cf160c6ed6f Mon Sep 17 00:00:00 2001
+From 0e49768aca7371f247dc8eea849b2bc6e77a9c9c Mon Sep 17 00:00:00 2001
 From: Miklos Vajna <vmiklos@collabora.co.uk>
 Date: Fri, 4 Mar 2016 16:12:48 +0100
 Subject: [PATCH] xmlsec1-1.2.14_fix_extern_c.patch
@@ -35,5 +35,5 @@ index 71523197..4e13ea8d 100644
  *
  * Basic types to make ports to exotic platforms easier
 -- 
-2.13.5
+2.16.3

--- a/external/xmlsec/xmlsec1-configure.patch.1
+++ b/external/xmlsec/xmlsec1-configure.patch.1
-From 633ee29e9b15eb2b9d7dc3adb76dfea50ce31221 Mon Sep 17 00:00:00 2001
+From d986998536465ad4244f5b2936bf704485f8906c Mon Sep 17 00:00:00 2001
 From: Miklos Vajna <vmiklos@collabora.co.uk>
 Date: Fri, 4 Mar 2016 16:06:19 +0100
 Subject: [PATCH] xmlsec1-configure.patch
@@ -9,27 +9,31 @@ Conflicts:
 	configure.ac
 	win32/Makefile.msvc
 ---
- configure.ac        | 42 +++++++++++++++++++++++++++++++++---------
+ configure.ac        | 35 ++++++++++++++++++++++++++++++-----
 win32/Makefile.msvc |  2 +-
- 2 files changed, 34 insertions(+), 10 deletions(-)
+ 2 files changed, 31 insertions(+), 6 deletions(-)

 diff --git a/configure.ac b/configure.ac
-index 32782002..1c19c223 100644
+index 951b3ebe..83fe34cb 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -570,12 +570,26 @@ dnl ==========================================================================
- XMLSEC_NO_NSS="1"
+@@ -863,15 +863,28 @@ NSS_MIN_VERSION="3.11.1"
+ NSPR_MIN_VERSION="4.4.1"
 SEAMONKEY_MIN_VERSION="1.0"
 MOZILLA_MIN_VERSION="1.4"
 +if test "z$MOZ_FLAVOUR" = "zfirefox" ; then
 +    MOZILLA_MIN_VERSION="1.0"
 +fi
- NSS_MIN_VERSION="3.11.1"
- NSPR_MIN_VERSION="4.4.1"
- NSS_CFLAGS=""
- NSS_LIBS=""
-NSS_LIBS_LIST="-lnss3 -lsmime3"
+ NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
+ NSPR_PACKAGE=mozilla-nspr
+ NSS_PACKAGE=mozilla-nss
+-NSPR_INCLUDE_MARKER="nspr/nspr.h"
+NSPR_INCLUDE_MARKER="nspr.h"
+ NSPR_LIB_MARKER="libnspr4$shrext"
 -NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+ NSS_INCLUDE_MARKER="nss/nss.h"
+ NSS_LIB_MARKER="libnss3$shrext"
+-NSS_LIBS_LIST="-lnss3 -lsmime3"
 +
 +case $host_os in
 +cygwin* | pw32*)
@@ -42,78 +46,53 @@ index 32782002..1c19c223 100644
 +    NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
 +    ;;
 +esac
-+
- NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
- NSS_FOUND="no"
- NSPR_PACKAGE=mozilla-nspr
-@@ -602,6 +616,16 @@ elif test "z$with_nss" = "z" -a "z$with_nspr" = "z" -a "z$with_mozilla_ver" = "z
-     dnl We are going to try all options
-     dnl
-     if test "z$NSS_FOUND" = "zno" ; then
-+        PKG_CHECK_MODULES(NSS, $MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR >= $MOZILLA_MIN_VERSION,
-+            [NSS_FOUND=yes NSPR_PACKAGE=$MOZ_FLAVOUR-nspr NSS_PACKAGE=$MOZ_FLAVOUR-nss],
-+            [NSS_FOUND=no])
-+    fi
-+    if test "z$NSS_FOUND" = "zno" ; then
-+        PKG_CHECK_MODULES(NSS, nss >= 3.9.3 nspr >= 4.8,
-+            [NSS_FOUND=yes NSPR_PACKAGE=nspr NSS_PACKAGE=nss],
-+            [NSS_FOUND=no])
-+    fi
-+    if test "z$NSS_FOUND" = "zno" ; then
-         PKG_CHECK_MODULES(NSS, seamonkey-nspr >= $NSPR_MIN_VERSION seamonkey-nss >= $SEAMONKEY_MIN_VERSION,
-     	    [NSS_FOUND=yes NSPR_PACKAGE=seamonkey-nspr NSS_PACKAGE=seamonkey-nss],
- 	    [NSS_FOUND=no])
-@@ -633,8 +657,8 @@ if test "z$NSS_FOUND" = "zno" ; then
-         ac_mozilla_name=mozilla-$MOZILLA_MIN_VERSION
-     fi
 
-    ac_nss_lib_dir="/usr/lib /usr/lib64 /usr/local/lib /usr/lib/$ac_mozilla_name /usr/local/lib/$ac_mozilla_name"
-    ac_nss_inc_dir="/usr/include /usr/include/mozilla /usr/local/include /usr/local/include/mozilla /usr/include/$ac_mozilla_name /usr/local/include/$ac_mozilla_name"
-+    ac_nss_lib_dir="${WORKDIR}/UnpackedTarball/nss/dist/out/lib"
-+    ac_nss_inc_dir="${WORKDIR}/UnpackedTarball/nss/dist/out/include ${WORKDIR}/UnpackedTarball/nss/dist/public"
+ XMLSEC_NO_NSS="1"
+ NSPR_INCLUDE_PATH=
+@@ -896,6 +909,7 @@ if test "z$with_nss" = "zno" -o "z$with_nspr" = "zno" ; then
+ fi
 
-     AC_MSG_CHECKING(for nspr libraries >= $NSPR_MIN_VERSION)
-     NSPR_INCLUDES_FOUND="no"
-@@ -655,21 +679,21 @@ if test "z$NSS_FOUND" = "zno" ; then
- 	NSPR_PRINIT_H="$with_nspr/include/prinit.h"
-     else
- 	for dir in $ac_nss_inc_dir ; do
-    	    if test -f $dir/nspr/prinit.h ; then
-+            if test -f $dir/prinit.h ; then
-     		dnl do not add -I/usr/include because compiler does it anyway
-         	if test "z$dir" = "z/usr/include" ; then
-     		    NSPR_CFLAGS=""
-     		else
-    		    NSPR_CFLAGS="-I$dir/nspr"
-+                    NSPR_CFLAGS="-I$dir"
-     		fi
- 		NSPR_INCLUDES_FOUND="yes"
-		NSPR_PRINIT_H="$dir/nspr/prinit.h"
-+		NSPR_PRINIT_H="$dir/prinit.h"
-     		break
-     	    fi
- 	done
- 	
- 	for dir in $ac_nss_lib_dir ; do
-    	    if test -f $dir/libnspr4$shrext ; then
-+            if test -f $dir/libnspr4.so -o -f $dir/libnspr4.dylib ; then
- 		dnl do not add -L/usr/lib because compiler does it anyway
-         	if test "z$dir" = "z/usr/lib" ; then
-             	    NSPR_LIBS="$NSPR_LIBS_LIST"
-@@ -740,7 +764,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-         done
-        
-         for dir in $ac_nss_lib_dir ; do
-    	    if test -f $dir/libnss3$shrext ; then
-+            if test -f $dir/libnss3.so -o -f $dir/libnss3.dylib ; then
-         	dnl do not add -L/usr/lib because compiler does it anyway
-     		if test "z$dir" = "z/usr/lib" ; then
-         	    NSS_LIBS="$NSS_LIBS_LIST"
+ dnl Priority 1: User specifies the path to installation
+with_nspr="${WORKDIR}/UnpackedTarball/nss/dist/out"
+ if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then
+     AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder)
+     if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then
+@@ -907,10 +921,11 @@ if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes
+         AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?])
+     fi
+ fi
+with_nss="${WORKDIR}/UnpackedTarball/nss/dist/public"
+ if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then
+     AC_MSG_CHECKING(for nss library installation in "$with_nss" folder)
+-    if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then
+-        NSS_INCLUDE_PATH="$with_nss/include"
+    if test -f "$with_nss/$NSS_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSS_LIB_MARKER" ; then
+        NSS_INCLUDE_PATH="$with_nss"
+         NSS_LIB_PATH="$with_nss/lib"
+         NSS_FOUND="yes"
+         AC_MSG_RESULT([yes])
+@@ -935,6 +950,16 @@ dnl     seamonkey-nspr and seamonkey-nss
+ dnl     mozilla-nspr and mozilla-nss
+ dnl     xulrunner-nspr and xulrunner-nss
+ dnl     nspr and nss
+if test "z$NSS_FOUND" = "zno" ; then
+    PKG_CHECK_MODULES(NSS, $MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR >= $MOZILLA_MIN_VERSION,
+        [NSS_FOUND=yes NSPR_PACKAGE=$MOZ_FLAVOUR-nspr NSS_PACKAGE=$MOZ_FLAVOUR-nss],
+        [NSS_FOUND=no])
+fi
+if test "z$NSS_FOUND" = "zno" ; then
+    PKG_CHECK_MODULES(NSS, nss >= 3.9.3 nspr >= 4.8,
+        [NSS_FOUND=yes NSPR_PACKAGE=nspr NSS_PACKAGE=nss],
+        [NSS_FOUND=no])
+fi
+ if test "z$NSPR_FOUND" = "zno" -a "z$PKGCONFIG_FOUND" = "zyes" -a "z$with_mozilla_ver" = "z" -a "z$with_seamonkey_ver" ; then
+     if test "z$NSPR_FOUND" = "zno" ; then
+         PKG_CHECK_MODULES(NSPR, seamonkey-nspr >= $NSPR_MIN_VERSION,
 diff --git a/win32/Makefile.msvc b/win32/Makefile.msvc
-index 5a7e2d13..e34c3e9f 100644
+index 0689f11b..e7cd5c38 100644
 --- a/win32/Makefile.msvc
 +++ b/win32/Makefile.msvc
-@@ -399,7 +399,7 @@ XMLSEC_OPENSSL_SOLIBS   = libeay32.lib wsock32.lib kernel32.lib user32.lib gdi32
+@@ -451,7 +451,7 @@ XMLSEC_OPENSSL_SOLIBS   = libeay32.lib wsock32.lib kernel32.lib user32.lib gdi32
 XMLSEC_OPENSSL_ALIBS    = libeay32.lib wsock32.lib kernel32.lib user32.lib gdi32.lib crypt32.lib advapi32.lib
 !endif
 
@@ -123,5 +102,21 @@ index 5a7e2d13..e34c3e9f 100644
 
 XMLSEC_MSCRYPTO_SOLIBS  = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib
 -- 
-2.13.5
+2.16.3

+diff --git a/configure.ac b/configure.ac
+index 951b3ebe..b66bdc10 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -165,7 +165,10 @@ dnl ==========================================================================
+ dnl Hack for autoconf version mismatch
+ dnl ==========================================================================
+ if test "z$shrext" = "z" ; then
+-    shrext=$shrext_cmds
+    AC_MSG_CHECKING(for shared library suffix)
+    module=no
+    eval shrext=$shrext_cmds
+    AC_MSG_RESULT($shrext)
+ fi
+ 
+ dnl ==========================================================================
--- a/external/xmlsec/xmlsec1-ecdsa-assert.patch.1
+++ b/external/xmlsec/xmlsec1-ecdsa-assert.patch.1
-From 34899117d1c43022d2d9454bf59e3a30cfaa666a Mon Sep 17 00:00:00 2001
-Date: Mon, 7 May 2018 18:59:33 +0200
-Subject: [PATCH] NSS: ECDSA updates (#172)
-
-* nss: register ecdsa key data
-
-This test started to fail when 2ae61923d6e8db7eca0a8476e934e4af5b1cc5de
-(MS CNG: adopt trusted certificate (#141), 2018-01-15) fixed the typo in
-the test to require ecdsa key data.
-
-The implementation was there, just not the registration.
-
-Testcase: aleksey-xmldsig-01/enveloping-sha256-ecdsa-sha256
-
-* nss: fix assert condition when getting key type of ECDSA key
-
-The condition is now consistent with the RSA getter. In practice this
-fixes a crash when using libxmlsec via its API and setting only the
-private key (but not the public key) for signing -- as
-SECKEY_GetPublicKeyType(NULL) is not safe.
-
-Bugreport: https://bugs.documentfoundation.org/show_bug.cgi?id=109180
---
- src/nss/crypto.c  | 4 ++++
- src/nss/pkikeys.c | 2 +-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/nss/crypto.c b/src/nss/crypto.c
-index 57767465..bb50bfb5 100644
--- a/src/nss/crypto.c
-+++ b/src/nss/crypto.c
-@@ -75,6 +75,10 @@ xmlSecCryptoGetFunctions_nss(void) {
-     gXmlSecNssFunctions->keyDataDsaGetKlass             = xmlSecNssKeyDataDsaGetKlass;
- #endif /* XMLSEC_NO_DSA */
- 
-+#ifndef XMLSEC_NO_ECDSA
-+    gXmlSecNssFunctions->keyDataEcdsaGetKlass          = xmlSecNssKeyDataEcdsaGetKlass;
-+#endif /* XMLSEC_NO_ECDSA */
-+
- #ifndef XMLSEC_NO_HMAC
-     gXmlSecNssFunctions->keyDataHmacGetKlass            = xmlSecNssKeyDataHmacGetKlass;
- #endif /* XMLSEC_NO_HMAC */
-diff --git a/src/nss/pkikeys.c b/src/nss/pkikeys.c
-index 25828aec..cf18d1c0 100644
--- a/src/nss/pkikeys.c
-+++ b/src/nss/pkikeys.c
-@@ -1471,7 +1471,7 @@ xmlSecNssKeyDataEcdsaGetType(xmlSecKeyDataPtr data) {
-     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataEcdsaId), xmlSecKeyDataTypeUnknown);
-     ctx = xmlSecNssPKIKeyDataGetCtx(data);
-     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == ecKey, -1);
-+    xmlSecAssert2(ctx->pubkey == NULL || SECKEY_GetPublicKeyType(ctx->pubkey) == ecKey, -1);
-     if (ctx->privkey != NULL) {
-         return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-     } else {
-- 
-2.13.6
-
--- a/external/xmlsec/xmlsec1-vc.patch.1
+++ b/external/xmlsec/xmlsec1-vc.patch.1
-From d5548168e6e25a96e2cad3c68534c57a0a890fca Mon Sep 17 00:00:00 2001
+From 654d217917039a1abbdad20e2ce94555cedf0785 Mon Sep 17 00:00:00 2001
 From: Miklos Vajna <vmiklos@collabora.co.uk>
 Date: Fri, 4 Mar 2016 16:12:29 +0100
 Subject: [PATCH] xmlsec1-vc.patch
@@ -10,10 +10,10 @@ Conflicts:
 1 file changed, 4 insertions(+)

 diff --git a/win32/Makefile.msvc b/win32/Makefile.msvc
-index e34c3e9f..aedb0188 100644
+index e7cd5c38..51c91399 100644
 --- a/win32/Makefile.msvc
 +++ b/win32/Makefile.msvc
-@@ -312,6 +312,10 @@ CFLAGS 			= $(CFLAGS) /D "HAVE_STDIO_H" /D "HAVE_STDLIB_H"
+@@ -363,6 +363,10 @@ CFLAGS 			= $(CFLAGS) /D "HAVE_STDIO_H" /D "HAVE_STDLIB_H"
 CFLAGS 			= $(CFLAGS) /D "HAVE_STRING_H" /D "HAVE_CTYPE_H"
 CFLAGS 			= $(CFLAGS) /D "HAVE_MALLOC_H" /D "HAVE_MEMORY_H"
 CFLAGS 			= $(CFLAGS) /D "XMLSEC_NO_GOST" /D "XMLSEC_NO_GOST2012" 
@@ -25,5 +25,5 @@ index e34c3e9f..aedb0188 100644
 !if "$(UNICODE)" == "1"
 CFLAGS 			= $(CFLAGS) /D "UNICODE" /D "_UNICODE"
 -- 
-2.13.5
+2.16.3

--- a/xmlsecurity/qa/create-certs/create-certs.sh
+++ b/xmlsecurity/qa/create-certs/create-certs.sh
@@ -65,7 +65,7 @@ chmod 400 private/ca.key.pem
 cd "$root/ca"
 openssl req -config openssl.cnf \
    -key private/ca.key.pem \
-    -new -x509 -days 7300 -sha256 -extensions v3_ca \
+    -new -x509 -days 36500 -sha256 -extensions v3_ca \
    -out certs/ca.cert.pem \
    -passin env:SSLPASS \
    -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test Root CA"
@@ -107,7 +107,7 @@ openssl req -config intermediate/openssl.cnf -new -sha256 \

 # The certificate itself.
 openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
-    -days 3650 -notext -md sha256 \
+    -days 36500 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -passin env:SSLPASS \
    -out intermediate/certs/intermediate.cert.pem
@@ -147,7 +147,7 @@ do
    cd "$root/ca"
    # usr_cert: the cert will be used for signing.
    openssl ca -batch -config intermediate/openssl.cnf \
-        -extensions usr_cert -days 375 -notext -md sha256 \
+        -extensions usr_cert -days 36500 -notext -md sha256 \
        -in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
        -passin env:SSLPASS \
        -out intermediate/certs/example-xmlsecurity-${i}.cert.pem

--- a/xmlsecurity/qa/unit/signing/data/cert8.db
+++ b/xmlsecurity/qa/unit/signing/data/cert8.db
--- a/xmlsecurity/qa/unit/signing/data/key3.db
+++ b/xmlsecurity/qa/unit/signing/data/key3.db