vcl PDF NSS sign: don't embed signed timestamp to the signature blob

There are several reasons to avoid doing so: - The mscrypto backend doesn't do that, so the previous situation was inconsistent. - PDF provides markup to provide a timestamp, and that's automatically part of the signed data. - Page 10 of "PAdES Basic" specification from <http://www.etsi.org/deliver/etsi_ts%5C102700_102799%5C10277802%5C01.02.01_60%5Cts_10277802v010201p.pdf> explicitly requests either not writing that data, or writing it as an unsigned attribute (probably to underline that the value is from untrusted source, it's the signer's computer clock). Change-Id: I35b1a9ef4a391a24e6695353d617f27c7d96d93b Reviewed-on: https://gerrit.libreoffice.org/30926Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>

vcl PDF NSS sign: don't embed signed timestamp to the signature blob
There are several reasons to avoid doing so: - The mscrypto backend doesn't do that, so the previous situation was inconsistent. - PDF provides markup to provide a timestamp, and that's automatically part of the signed data. - Page 10 of "PAdES Basic" specification from <http://www.etsi.org/deliver/etsi_ts%5C102700_102799%5C10277802%5C01.02.01_60%5Cts_10277802v010201p.pdf> explicitly requests either not writing that data, or writing it as an unsigned attribute (probably to underline that the value is from untrusted source, it's the signer's computer clock). Change-Id: I35b1a9ef4a391a24e6695353d617f27c7d96d93b Reviewed-on: https://gerrit.libreoffice.org/30926Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Jenkins <ci@libreoffice.org>
f099e139 · Miklos Vajna · c6ec6539 · f099e139
Kaydet (Commit) f099e139 authored Kas 17, 2016 tarafından Miklos Vajna
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

pdfwriter_impl.cxx vcl/source/gdi/pdfwriter_impl.cxx +4 -4

No files found.
--- a/vcl/source/gdi/pdfwriter_impl.cxx
+++ b/vcl/source/gdi/pdfwriter_impl.cxx
@@ -6621,7 +6621,7 @@ my_NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *
    return my_NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr);
 }

-NSSCMSMessage *CreateCMSMessage(PRTime time,
+NSSCMSMessage *CreateCMSMessage(PRTime* time,
                                NSSCMSSignedData **cms_sd,
                                NSSCMSSignerInfo **cms_signer,
                                CERTCertificate *cert,
@@ -6671,7 +6671,7 @@ NSSCMSMessage *CreateCMSMessage(PRTime time,
        return nullptr;
    }

-    if (NSS_CMSSignerInfo_AddSigningTime(*cms_signer, time) != SECSuccess)
+    if (time && NSS_CMSSignerInfo_AddSigningTime(*cms_signer, *time) != SECSuccess)
    {
        SAL_WARN("vcl.pdfwriter", "NSS_CMSSignerInfo_AddSigningTime failed");
        NSS_CMSSignedData_Destroy(*cms_sd);
@@ -6778,7 +6778,7 @@ bool PDFWriter::Sign(PDFSignContext& rContext)
    PRTime now = PR_Now();
    NSSCMSSignedData *cms_sd;
    NSSCMSSignerInfo *cms_signer;
-    NSSCMSMessage *cms_msg = CreateCMSMessage(now, &cms_sd, &cms_signer, cert, &digest);
+    NSSCMSMessage *cms_msg = CreateCMSMessage(nullptr, &cms_sd, &cms_signer, cert, &digest);
    if (!cms_msg)
        return false;

@@ -6803,7 +6803,7 @@ bool PDFWriter::Sign(PDFSignContext& rContext)

        NSSCMSSignedData *ts_cms_sd;
        NSSCMSSignerInfo *ts_cms_signer;
-        NSSCMSMessage *ts_cms_msg = CreateCMSMessage(now, &ts_cms_sd, &ts_cms_signer, cert, &digest);
+        NSSCMSMessage *ts_cms_msg = CreateCMSMessage(&now, &ts_cms_sd, &ts_cms_signer, cert, &digest);
        if (!ts_cms_msg)
        {
            free(pass);