xmlsecurity: implement support for building against system-xmlsec

The only remaining difference is that in the system-xmlsec case we work
with the default key manager, not with the one that's only added by our
xmlsec patches.

This works for me for the uses I know of (see
<https://lists.freedesktop.org/archives/libreoffice/2017-February/076947.html>
for the motivation): signing and verifying of different signatures (bad
signature, good with non-trusted CA, good with trusted CA) with
software-based certificates all behave as expected.

Change-Id: If3f3e2b8373ab7397db3f98070a5a2ce51fa7c06
Reviewed-on: https://gerrit.libreoffice.org/39075Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>

Repository.mk

@@ -917,7 +917,6 @@ $(eval $(call gb_Helper_register_packages_for_install,ooo,\
 	wizards_basicusr \
 	wizards_properties \
 	wizards_wizardshare \
-	xmlsec \
 	$(if $(ENABLE_HEADLESS),, \
 		chart2_opengl_shader \
 	) \

RepositoryExternal.mk

@@ -921,6 +921,34 @@ endef
 endif # SYSTEM_LIBXSLT
 
 
+ifneq ($(SYSTEM_XMLSEC),)
+
+define gb_LinkTarget__use_xmlsec
+$(call gb_LinkTarget_add_defs,$(1),\
+	-DSYSTEM_XMLSEC \
+)
+$(call gb_LinkTarget_set_include,$(1),\
+	$$(INCLUDE) \
+	$(XMLSEC_CFLAGS) \
+)
+$(call gb_LinkTarget_add_libs,$(1),$(XMLSEC_LIBS))
+
+endef
+
+gb_ExternalProject__use_xmlsec:=
+
+else # !SYSTEM_XMLSEC
+
+$(eval $(call gb_Helper_register_packages_for_install,ooo,\
+	xmlsec \
+))
+
+define gb_LinkTarget__use_xmlsec
+
+endef
+
+endif # SYSTEM_XMLSEC
+
 ifneq ($(SYSTEM_LIBLANGTAG),)
 
 define gb_LinkTarget__use_liblangtag

config_host.mk.in

@@ -557,6 +557,7 @@ export SYSTEM_VISIO=@SYSTEM_VISIO@
 export SYSTEM_WPD=@SYSTEM_WPD@
 export SYSTEM_WPG=@SYSTEM_WPG@
 export SYSTEM_WPS=@SYSTEM_WPS@
+export SYSTEM_XMLSEC=@SYSTEM_XMLSEC@
 export SYSTEM_ZLIB=@SYSTEM_ZLIB@
 export SYSTEM_ZMF=@SYSTEM_ZMF@
 export TARFILE_LOCATION=@TARFILE_LOCATION@
@@ -611,6 +612,8 @@ export XCODE_ARCHS=@XCODE_ARCHS@
 export XCODEBUILD_SDK=@XCODEBUILD_SDK@
 export XINERAMA_LINK=@XINERAMA_LINK@
 export XMLLINT=@XMLLINT@
+export XMLSEC_CFLAGS=$(gb_SPACE)@XMLSEC_CFLAGS@
+export XMLSEC_LIBS=$(gb_SPACE)@XMLSEC_LIBS@
 export XRANDR_CFLAGS=$(gb_SPACE)@XRANDR_CFLAGS@
 export XRANDR_LIBS=$(gb_SPACE)@XRANDR_LIBS@
 export XRENDER_CFLAGS=$(gb_SPACE)@XRENDER_CFLAGS@

configure.ac

@@ -7683,6 +7683,11 @@ dnl Check for system expat
 dnl ===================================================================
 libo_CHECK_SYSTEM_MODULE([expat], [EXPAT], [expat])
 
+dnl ===================================================================
+dnl Check for system xmlsec
+dnl ===================================================================
+libo_CHECK_SYSTEM_MODULE([xmlsec], [XMLSEC], [xmlsec1-nss >= 1.2.24])
+
 AC_MSG_CHECKING([whether to enable Embedded OpenType support])
 if test "$_os" != "WINNT" -a "$_os" != "Darwin" -a "$enable_eot" = "yes"; then
     ENABLE_EOT="TRUE"

external/Module_external.mk

@@ -14,7 +14,7 @@ $(eval $(call gb_Module_add_moduledir,external,msc-externals))
 endif
 
 $(eval $(call gb_Module_add_moduledirs,external,\
-	$(if $(filter-out IOS,$(OS)),libxmlsec) \
+	$(if $(filter-out IOS,$(OS)),$(call gb_Helper_optional,XMLSEC,libxmlsec)) \
 	$(call gb_Helper_optional,ABW,libabw) \
 	$(call gb_Helper_optional,APACHE_COMMONS,apache-commons) \
 	$(call gb_Helper_optional,APR,apr) \

xmlsecurity/Library_xsec_xmlsec.mk

@@ -46,12 +46,16 @@ $(eval $(call gb_Library_use_libraries,xsec_xmlsec,\
 	xo \
 ))
 
+ifeq ($(SYSTEM_XMLSEC),)
 $(eval $(call gb_Library_use_packages,xsec_xmlsec,\
 	xmlsec \
 ))
+endif
+
 $(eval $(call gb_Library_use_externals,xsec_xmlsec,\
 	boost_headers \
 	libxml2 \
+	xmlsec \
 ))
 ifneq ($(filter-out WNT MACOSX ANDROID IOS,$(OS)),)
 $(eval $(call gb_Library_use_externals,xsec_xmlsec,\
@@ -128,12 +132,16 @@ $(eval $(call gb_Library_add_libs,xsec_xmlsec,\
 	$(call gb_UnpackedTarball_get_dir,xmlsec)/src/.libs/libxmlsec1.a \
 ))
 else
+
+ifeq ($(SYSTEM_XMLSEC),)
 $(eval $(call gb_Library_add_libs,xsec_xmlsec,\
 	$(call gb_UnpackedTarball_get_dir,xmlsec)/src/nss/.libs/libxmlsec1-nss.a \
 	$(call gb_UnpackedTarball_get_dir,xmlsec)/src/.libs/libxmlsec1.a \
 ))
 endif
 
+endif
+
 $(eval $(call gb_Library_use_externals,xsec_xmlsec,\
 	plc4 \
 ))

xmlsecurity/inc/xmlsec-wrapper.h

@@ -25,7 +25,7 @@
 #include <sal/types.h>
 
 // Cf. xmlsec's configure.in (but which isn't used for MSVC):
-#if !defined _MSC_VER && SAL_TYPES_SIZEOFPOINTER != 4
+#if !defined _MSC_VER && SAL_TYPES_SIZEOFPOINTER != 4 && !defined SYSTEM_XMLSEC
 #define XMLSEC_NO_SIZE_T
 #endif
 

xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx

@@ -897,6 +897,7 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); ++islots, ++count)
         slots[count] = *islots;
 
+#ifndef SYSTEM_XMLSEC
     xmlSecKeysMngrPtr pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, m_pHandler ) ;
     if( pKeysMngr == nullptr )
         throw RuntimeException() ;
@@ -930,6 +931,14 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
             throw RuntimeException() ;
         }
     }
+#else // SYSTEM_XMLSEC
+    xmlSecKeysMngrPtr pKeysMngr = xmlSecKeysMngrCreate();
+    if (!pKeysMngr)
+        throw RuntimeException();
+
+    if (xmlSecNssAppDefaultKeysMngrInit(pKeysMngr) < 0)
+        throw RuntimeException();
+#endif // SYSTEM_XMLSEC
 
     // Adopt the private key of the signing certificate, if it has any.
     if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))