xmlsecurity: verify certificate of PDF signatures

We patch xmlsec to not verify certificates, and the PDF tokenizer in xmlsecurity doesn't do that, either. The point of doing so, is that the DocumentSignatureInformation UNO struct has separate CertificateStatus and SignatureIsValid fields for the validity of the certificate and the signature. That means the certificate has to be validated somewhere as well. ZIP-based formats do that in DocumentDigitalSignatures::ImplVerifySignatures(), and this commit implements the same for PDF signatures, too. Change-Id: Ic486afc8f392625b1efcad989fd9053b014a261b Reviewed-on: https://gerrit.libreoffice.org/29889Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>

xmlsecurity: verify certificate of PDF signatures
We patch xmlsec to not verify certificates, and the PDF tokenizer in xmlsecurity doesn't do that, either. The point of doing so, is that the DocumentSignatureInformation UNO struct has separate CertificateStatus and SignatureIsValid fields for the validity of the certificate and the signature. That means the certificate has to be validated somewhere as well. ZIP-based formats do that in DocumentDigitalSignatures::ImplVerifySignatures(), and this commit implements the same for PDF signatures, too. Change-Id: Ic486afc8f392625b1efcad989fd9053b014a261b Reviewed-on: https://gerrit.libreoffice.org/29889Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
d67a7ff3 · Miklos Vajna · 2b3cf45b · d67a7ff3
Kaydet (Commit) d67a7ff3 authored Eki 17, 2016 tarafından Miklos Vajna
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

pdfsignaturehelper.cxx xmlsecurity/source/helper/pdfsignaturehelper.cxx +17 -0

No files found.
--- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
@@ -11,6 +11,7 @@

 #include <memory>

+#include <com/sun/star/security/CertificateValidity.hpp>
 #include <com/sun/star/xml/crypto/SEInitializer.hpp>

 #include <comphelper/sequence.hxx>
@@ -82,6 +83,22 @@ uno::Sequence<security::DocumentSignatureInformation> PDFSignatureHelper::GetDoc
        security::DocumentSignatureInformation& rExternal = aRet[i];
        rExternal.SignatureIsValid = rInternal.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
        rExternal.Signer = xSecurityEnvironment->createCertificateFromAscii(rInternal.ouX509Certificate);
+
+        // Verify certificate.
+        if (rExternal.Signer.is())
+        {
+            try
+            {
+                rExternal.CertificateStatus = xSecurityEnvironment->verifyCertificate(rExternal.Signer, {});
+            }
+            catch (const uno::SecurityException& rException)
+            {
+                SAL_WARN("xmlsecurity.helper", "failed to verify certificate: " << rException.Message);
+                rExternal.CertificateStatus = security::CertificateValidity::INVALID;
+            }
+        }
+        else
+            rExternal.CertificateStatus = security::CertificateValidity::INVALID;
    }

    return aRet;