From d95ab8d3a3a102c00b69f0b0b49d7eb49e34051e Mon Sep 17 00:00:00 2001 
From: Miklos Vajna Date: Wed, 25 Sep 2024 10:43:58 +0200 Subject: [PATCH] cool#9992 lok doc sign: fix import of the private key Once the signing key is taken from the matching SfxViewShell (not yet done), signing with a certificate specified via initializeForRendering() failed with: warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx:330: X509Certificate_NssImpl::getPrivateKey() cannot find private key warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:812: Can't get the private key from the certificate. warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/errorcallback.cxx:53: keys.c:1347: xmlSecKeysMngrGetKey() '' '' 45 'details=NULL' warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:822: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:537: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' warn:xmlsecurity.xmlsec:13020:13005:xmlsecurity/source/xmlsec/errorcallback.cxx:53: xmldsig.c:301: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' ' The trouble was that we wanted to keep the private key in-memory, presumably because initially the whole NSS database was in-memory for the LOK case. This was changed in commit 87eec1b90b6ecd83455f09168430c23f73c25c86 (NSS: create a temporary database instead of in-memory, 2018-12-31), so there is no problem with a not-in-memory private key anymore. Note that the problematic codepath was only triggered when first the certificate chooser was ran and only then we signed. So the testcase also gets the cert flags before signing, otherwise the test would succeed even without the fix. 
Change-Id: I5086b205c91b630ddd343c0eb91bd9e63b3ea238
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/173892
Reviewed-by: Miklos Vajna
Tested-by: Jenkins
---
 xmlsecurity/CppunitTest_xmlsecurity_xmlsec.mk | 56 ++++++++++
 xmlsecurity/Module_xmlsecurity.mk | 6 +
 xmlsecurity/qa/xmlsec/data/ca.pem | 70 ++++++++++++
 xmlsecurity/qa/xmlsec/data/cert.pem | 31 ++++++
 xmlsecurity/qa/xmlsec/data/key.pem | 28 +++++
 xmlsecurity/qa/xmlsec/xmlsec.cxx | 104 ++++++++++++++++++
 .../nss/securityenvironment_nssimpl.cxx | 4 +-
 7 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 xmlsecurity/CppunitTest_xmlsecurity_xmlsec.mk
 create mode 100644 xmlsecurity/qa/xmlsec/data/ca.pem
 create mode 100644 xmlsecurity/qa/xmlsec/data/cert.pem
 create mode 100644 xmlsecurity/qa/xmlsec/data/key.pem
 create mode 100644 xmlsecurity/qa/xmlsec/xmlsec.cxx
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_xmlsec.mk b/xmlsecurity/CppunitTest_xmlsecurity_xmlsec.mk
new file mode 100644
index 000000000000..526bb85d8a1d
--- /dev/null
+++ b/xmlsecurity/CppunitTest_xmlsecurity_xmlsec.mk
@@ -0,0 +1,56 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#*************************************************************************
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+#*************************************************************************
+
+$(eval $(call gb_CppunitTest_CppunitTest,xmlsecurity_xmlsec))
+
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_xmlsec,\
+ boost_headers \
+))
+
+$(eval $(call gb_CppunitTest_add_exception_objects,xmlsecurity_xmlsec, \
+ xmlsecurity/qa/xmlsec/xmlsec \
+))
+
+$(eval $(call gb_CppunitTest_use_libraries,xmlsecurity_xmlsec, \
+ comphelper \
+ cppu \
+ cppuhelper \
+ embobj \
+ sal \
+ sfx \
+ subsequenttest \
+ test \
+ tl \
+ unotest \
+ utl \
+ xmlsecurity \
+ xsec_xmlsec \
+))
+
+$(eval $(call gb_CppunitTest_set_include,xmlsecurity_xmlsec,\
+ -I$(SRCDIR)/xmlsecurity/inc \
+ $$(INCLUDE) \
+))
+
+$(eval $(call gb_CppunitTest_use_sdk_api,xmlsecurity_xmlsec))
+
+$(eval $(call gb_CppunitTest_use_ure,xmlsecurity_xmlsec))
+$(eval $(call gb_CppunitTest_use_vcl,xmlsecurity_xmlsec))
+
+$(eval $(call gb_CppunitTest_use_rdb,xmlsecurity_xmlsec,services))
+
+$(eval $(call gb_CppunitTest_use_custom_headers,xmlsecurity_xmlsec,\
+ officecfg/registry \
+))
+
+$(eval $(call gb_CppunitTest_use_configuration,xmlsecurity_xmlsec))
+
+# vim: set noet sw=4 ts=4:
diff --git a/xmlsecurity/Module_xmlsecurity.mk b/xmlsecurity/Module_xmlsecurity.mk
index cff200f9fbe2..afb1e251586a 100644
--- a/xmlsecurity/Module_xmlsecurity.mk
+++ b/xmlsecurity/Module_xmlsecurity.mk
@@ -23,6 +23,12 @@ $(eval $(call gb_Module_add_slowcheck_targets,xmlsecurity,\
 CppunitTest_xmlsecurity_pdfsigning \
 ))
+ifeq ($(OS),LINUX)
+$(eval $(call gb_Module_add_slowcheck_targets,xmlsecurity,\
+ CppunitTest_xmlsecurity_xmlsec \
+))
+endif
+
 $(eval $(call gb_Module_add_subsequentcheck_targets,xmlsecurity,\
 CppunitTest_xmlsecurity_signing \
 CppunitTest_xmlsecurity_signing2 \
diff --git a/xmlsecurity/qa/xmlsec/data/ca.pem b/xmlsecurity/qa/xmlsec/data/ca.pem
new file mode 100644
index 000000000000..d08c9c67bcae
--- /dev/null
+++ b/xmlsecurity/qa/xmlsec/data/ca.pem
@@ -0,0 +1,70 @@ +-----BEGIN CERTIFICATE----- +MIIGADCCA+igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVL +MRAwDgYDVQQIDAdFbmdsYW5kMTAwLgYDVQQKDCdDcHB1bml0VGVzdF94bWxzZWN1 +cml0eV94bWxzZWMgUlNBIFRlc3QxODA2BgNVBAMML0NwcHVuaXRUZXN0X3htbHNl +Y3VyaXR5X3htbHNlYyBSU0EgVGVzdCBSb290IENBMCAXDTI0MDkyMzEzMzA0MloY +DzIxMjQwODMwMTMzMDQyWjCBjzELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xh +bmQxMDAuBgNVBAoMJ0NwcHVuaXRUZXN0X3htbHNlY3VyaXR5X3htbHNlYyBSU0Eg +VGVzdDE8MDoGA1UEAwwzQ3BwdW5pdFRlc3RfeG1sc2VjdXJpdHlfeG1sc2VjIElu +dGVybWVkaWF0ZSBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC +AgEAj9kribqN994fmGGnL7l3Y4DEVEBUBV2kNlq9fM9wJmOEtaNyKIjYxzCFUAnt +vKp0youu3tu48duDUez4I+Nc4gyez6IlyfPCXiEJulo0g6F3WZZg/xtk56JZnHFe +aBHq3vm3L7a5y8c9j9Y26/BPRAqY1CtBSFUWV1uGPCQkNGNsO7qqtOdcKn7dFJq3 +K2sRaXp4J3QUhtlsEQ4/sWtXjuV7f4wqep0PEjFJ8oF6Jao5QYFHuLx4YZmo9vfX +NSjv1TJbdQ+1zvw8sr3/SYyNt3B7Q3jXq8IC+Tfc1R9t/FaDeS9AiMuDJgq+aHWV +ej8sspl2+d7mFXCuOoy9nE9aCWAwD1v6Ce1nK97qVUKRKxBxlKSM3TULWaJT8VC9 +UK0nsfK9OocCeybOa+irzVcgvVDlD8fPoM82bGAaA5z2SvSyrjk5/h2aHtG9U1tJ +ke6GwxzyVlIySo4EC9SvW8Pu3v0vaHAeDAjUnA8aEPGmuKOMHsYq/Jgy3hkRLKuX +iRENrshP/q0Vfso2NtfErSzqcBV5UWcYUhoCOiQXRo2Q9sy7lJDtRU5yFxlGtqRU +ORY1LI9NMXi5pJioZftPZIMPJeDLeaEaNHD1vH9i/e/bN11/mYzM2SWuKdQbiYFX +pZO8gDkp960R1VG3O0TKz7U678ZrjY0Y3t0uNhPFEOZgoCkCAwEAAaNmMGQwHQYD +VR0OBBYEFFE6wan2eGv91MRbH6vbE4W3cMYNMB8GA1UdIwQYMBaAFOJn33YP7tq0 +45qRr2pHFpbwKe+7MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGG +MA0GCSqGSIb3DQEBCwUAA4ICAQAeNJClgszw5HQysHfoDe8YClRt9NI4b2obxRXY +FGX4TgLNcXGBctOoB0B/kLK6TXSPNJqHQ2+cjm1Ol9vEr4iTuRDRBp1UPp6DycLO +9moTnlw6IKj4Nq+OJ4NVPAl0FED2KWKW9fKHOSn2kqJ7Vf4owAGf3fSy6opeqLxg +GlnwmDSuevdbiKUCTOL4XwAfl1YN7Jj+4lEKSQmJB786MUvb9YzCPXEBDPg0uN8w +Jm/ToiKhN53rpXLToYAidJBJ1TyqKb0i9ohETrgiBHgLI5evd+5YrhEjkKdSsK4T +qiodkiUb5UIEcw21D5M/kjimKQrOKWahOKZCjh3xkkRsJyaeoBetZyW79d6JvB5j +sifp86HQPtohHo8XM6cEXhhQhwAbIoiD4JPoTtQefTvpBCVlh2RIMYgeSKSq/y3E +aoWEt8OinvZw+JhJbK7oNNPsglIJtax8Jqdc3C4PTFrIA1PnWmr/+EbdMcwnYJjn 
+uyUlSajOmTL50XBHJ4krgNTOCjS42obZ4/W7Z/INVhthqIy33fEq8CKaKKytCjDN +wkZ6dqmMg/9+X/+ClWlr+Q7EPCUw5aW6Qc95aEv59kgct84wxqTQ2jaGuUv2DxNV ++hy8bsFGwPYc6yqbVm+Eu2ibyw+QV3jYJ3t6HdVJGntgRjeumRB/XuhwVwPaIijp +jZWvGw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIUf0E/LAmzIuu4Y81pnWRf+XARWkowDQYJKoZIhvcNAQEL +BQAwgYsxCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdFbmdsYW5kMTAwLgYDVQQKDCdD +cHB1bml0VGVzdF94bWxzZWN1cml0eV94bWxzZWMgUlNBIFRlc3QxODA2BgNVBAMM +L0NwcHVuaXRUZXN0X3htbHNlY3VyaXR5X3htbHNlYyBSU0EgVGVzdCBSb290IENB +MCAXDTI0MDkyMzEzMzA0MVoYDzIxMjQwODMwMTMzMDQxWjCBizELMAkGA1UEBhMC +VUsxEDAOBgNVBAgMB0VuZ2xhbmQxMDAuBgNVBAoMJ0NwcHVuaXRUZXN0X3htbHNl +Y3VyaXR5X3htbHNlYyBSU0EgVGVzdDE4MDYGA1UEAwwvQ3BwdW5pdFRlc3RfeG1s +c2VjdXJpdHlfeG1sc2VjIFJTQSBUZXN0IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDICUjHlgDCX741a9qvNgs2ba7nxLwb350hNzu7JbrP +8R4NUpTgbJwbsxdqPPozXQP2Uos/F5zdLk7ZA5e7tH/sa7ZPbeL6LzSiMvR+Cl4T +DKisr+C/3ASd3d78kLw0UPNpRyVLirxKT9ht10GYBLAgV9kUtQ9lLejOpHDtRq1q +8TlX0c3N6tw4T7PWq52Hym4XaTtxJc1g7CHddg4CqsTVXf4HdooMVH5AECD52Uv7 +hjEQgY+hrNEQE7lN6gp3HtxANbZusL4N0kSXAH1N6A1JDw+V0Cd020CUxCOWN/SV +gX9rV67t+ACbObRNLlSkiGQyaPd2UTlMa1zQbpPQuvxsmtBbh50gIlM5qYuCPT+X +aI93IbGMRp8be7J2QU2T5nrb0wasVKVzaYcIs/fOBi+EL2t+Jd9a8IPrUkHVdcsx +WW8Y/WA95s+G4M0/5uVWmaeraBJRUo/suu08v4w0ShGBlVdfPe5iTMQWVLmAAZ16 +icvcgtdCr7nyi3tl2Bv/VFNqi+T7lqyL1i+91sr2Stca4wfRmqE0KiU5npFjxkh4 +sbzpuZAfjCvF3ltIZ9TFlmxQ2edf95CrPfw8u0MjEh2sWflgZwzSAdThEyMEIty4 +ZomCqqJ76Fw2kJwMq++9uTJTVXsepqA/jQg0WgK2Tyz3/2eY99twcldXVXuMc7Ge +AQIDAQABo2MwYTAdBgNVHQ4EFgQU4mffdg/u2rTjmpGvakcWlvAp77swHwYDVR0j +BBgwFoAU4mffdg/u2rTjmpGvakcWlvAp77swDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC4errXBxYjJGtxT+5+VwISk +4ve5nGna8/SNxt7VB0mREG91gnsu3uJvW05zoU+UUOHaaDvAuox2GGEAq/vKJN5y +TpgnSYSgzFYxd8N+GqFqE3xwIPa02ntPwwLozF3aph4YcqrtCdPPNIXK5CRopnvQ +LuUHwFvmz/nkoCPg/VlwFjxNvwGehy5wrhd3zmqd9dga8k3MWA+cVVtNnZld5HZu +rpHOb3H7SCG+3l/kMdnMQCLvUrbKGSVKX6bOaW+FGm+oTTwLen/HHB21wxfPLySQ 
+QDEyR1qGNj7sKgGaWU8334boSSjW3OrnHDLlMBr/XQAMgvHfy43qxOmww47xg685 +HNQYtbHIgVLZ6ou8vgzrjzV+Wpu8H7by2HH/yAHwRqsy2nmVPwkrdmCfSwYfZdAW ++Jzazg4gYVnBE89t8HarOXSiSh/YUS0V6F4koQKVv3b8MzmqO3ldRW2JcktrmZmU +BYCh5UaK3X+Yyeus1UGrYCl6Yqj5M1JEmYmX/3EVeIcEK+H6Kx9Aeqr1WyJss0GT +KVA5t+mOZ+SSvF3mFLxTo6ydTLOWA63NGuiLnhU1lbQRkTC0Dq0qenECx2gmG8XG +FHlVbVsYqiaU6FdkFGzm+Scsl8UwygLV5KP0Y/54X8J6ZSRPHNRvBtRnZoRrjNFM +wSJZ4vw/iDJO03o31TJ3 +-----END CERTIFICATE----- diff --git a/xmlsecurity/qa/xmlsec/data/cert.pem b/xmlsecurity/qa/xmlsec/data/cert.pem new file mode 100644 index 000000000000..e5bd58abc2a0 --- /dev/null +++ b/xmlsecurity/qa/xmlsec/data/cert.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVL +MRAwDgYDVQQIDAdFbmdsYW5kMTAwLgYDVQQKDCdDcHB1bml0VGVzdF94bWxzZWN1 +cml0eV94bWxzZWMgUlNBIFRlc3QxPDA6BgNVBAMMM0NwcHVuaXRUZXN0X3htbHNl +Y3VyaXR5X3htbHNlYyBJbnRlcm1lZGlhdGUgUm9vdCBDQTAgFw0yNDA5MjMxMzMw +NDJaGA8yMTI0MDgzMDEzMzA0MlowgZExCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdF +bmdsYW5kMTAwLgYDVQQKDCdDcHB1bml0VGVzdF94bWxzZWN1cml0eV94bWxzZWMg +UlNBIFRlc3QxPjA8BgNVBAMMNUNwcHVuaXRUZXN0X3htbHNlY3VyaXR5X3htbHNl +YyBSU0EgVGVzdCBleGFtcGxlIEFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAlSfDFDdlDJv1YY6ANc3RuiGu3oduoDFFJL//l0j52J8btQRQrtp5 +P0OaplTYdLi1hK2cj/XV7KWB+E5p/IwgqNZdOXR+RY1jNkQFiSLdMbkwEoPtaPVh +DAxfSLyIazSsrERgGOBn6EbomVyc87UrVj6QgwzofDRmPtgOFBlDSfFiqIKfxU4T +lntLOnFiGLFGcVDSsRA/UQiy9o0bAfaS68IB7FpW9NoLTEgzGE/PzCFkGAmgC5yB +rvk8/tfCVsx8FeqdZqlBZhrD+sP+rItRRXdSiH52C+XMXqowNxJhPBP4HFv5LVQo +l9oXK5QXieYrFmMpwTJrkNdFXkm+2iJFAQIDAQABo4HFMIHCMAkGA1UdEwQCMAAw +EQYJYIZIAYb4QgEBBAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVy +YXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKcwU0F2IER917YAPm5S +FjaVtYHpMB8GA1UdIwQYMBaAFFE6wan2eGv91MRbH6vbE4W3cMYNMA4GA1UdDwEB +/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcN +AQELBQADggIBABtgvYTKyfIZobgnsrO8PjbQIFdyx5YV0RJ8fshcSzSFSZYN0qbC +J4U2i84Hx9HvzzFtHHEgJ4ot6VXsfEGqFkf8dvafqi1gAQ4cbIazdHQoELgFKJwL +U5X/NGl0PQ46/l4vKHKrpAN1TRu7MGE0SwxRYM5KlzibXRL485ck/dzap8qSaxt/ +sSW6YxpttM3umPRL+5Mc+ttJBPYKAwfu/dHkBxGC47E/h2oazNOI2nhLsfbT2YmW +yJpgt/hnqxB7LtZbnAnaMVEWGdlBp79vU6V0+JSznMmc4t1eX6mUl5tXQF+BSmpw +f4agwi+uSE9WEXfhChjLfEtEGgK/+/tl012EqY8qt1SdwDDH8usEcrK2iyd14Wgs +uH3swGqYdBaHnNaAgtuMDlQmJYaq5cKbaTj+PGLr5WU9VIXFSIM03dkyGA13I3ts +cBpWfh3f89q6YoAqdgwUlCg1OqU4LsfS8n8EKvyM1+zb45JlNxzXpFp+/CwR7I2D +Tk4QXELeFOl1KU7X9eTftliwAqctRGLCvr2VXA4FbkFhtreCctCQm/FUgIr01YrW +mhr29Wwaz3DBeymbFXUdYQZqI0OSBBc1bDJkMHftpTBp79EoglKXqMb1/7jcV3bT +oWXfkHN//B4B2gpv7DxHyP7H6teW/hGuCZeIhYDiL0TR1E68RO1sHRT1 +-----END CERTIFICATE----- 
diff --git a/xmlsecurity/qa/xmlsec/data/key.pem b/xmlsecurity/qa/xmlsec/data/key.pem new file mode 100644 index 000000000000..6407bb9ab319 --- /dev/null +++ b/xmlsecurity/qa/xmlsec/data/key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVJ8MUN2UMm/Vh +joA1zdG6Ia7eh26gMUUkv/+XSPnYnxu1BFCu2nk/Q5qmVNh0uLWErZyP9dXspYH4 +Tmn8jCCo1l05dH5FjWM2RAWJIt0xuTASg+1o9WEMDF9IvIhrNKysRGAY4GfoRuiZ +XJzztStWPpCDDOh8NGY+2A4UGUNJ8WKogp/FThOWe0s6cWIYsUZxUNKxED9RCLL2 +jRsB9pLrwgHsWlb02gtMSDMYT8/MIWQYCaALnIGu+Tz+18JWzHwV6p1mqUFmGsP6 +w/6si1FFd1KIfnYL5cxeqjA3EmE8E/gcW/ktVCiX2hcrlBeJ5isWYynBMmuQ10Ve +Sb7aIkUBAgMBAAECggEAANSKkIWiWjAZnRSjRzdkTtN5ZAJd4toK24h+v+wIZV61 +e3n66C4BzHzGDP2wMbJB8wdZjZvmqCxLvGTk+EqUM4Xj0Xwp8DWUQCf3zhuYvrI4 +PbRkok3KO7w7dRvk7FA4A0aHOJi6TdbEFHdVbaIqK9L93FeicTdsQ7aRkZ46UZRu +YcOc//qIy4nD7O4UXaZoV/WKp2c9KJliED7QqnCGGUQpUsY5zvx6LQwWeXzrgCsT +am6Hi38/o66Ikel1aMACeq6lGmYqyqNIzHgihuyfcZKoMIYZrLQd2P6aC45H81DS +gQuMQVZBLDFoUX1ARAvvT8heNB38xPevQBo0uqOvAQKBgQDSdZogxv4c6quIY8xX +3Bf8H+FKD3v82B++c88IUMGKyqZUp7eJoqivKEWDd/vsxEg3SewnRV2OpYgP2ekz +seTzVPu877Kv+S/cZFlKYeKDovgCamWeDHR+PSasadk/7pG7izC3Khf9cdzWwgno +OJKJBKlRwMYAvBNwkK026nTRgQKBgQC1bjimwPjUdtogaIfRqR/9KcShavjMWayh +1QhH3oYoLIEuzIjd0S+zNSOe35fSslr2ss6NEu0yfERW1q/8HWl2TrNEp2oMn2FO +Mg6OkwhsTbjWbr/mHae4stXpNIPO8UbuxpNx5qGkmcdAgbOsQJ4m7BERrVQItDsv +mbNpo4gzgQKBgBVmb+21TlGSay7LNxQYBThV5YqqWGk1cMTk8cBetc9vG8qv4zHT +oGNvLOJZaPyCWPWGRsUXgJPosRUri1L+W9GCarajiP/rzroSWiH+IhJQl/dm6j5P +9eiAP1Z4zOZ7U8ZGOQXm+dmDonkT8f3zArN8DduKRpf8h92CWJqk7IwBAoGAa7m7 +V3/i/zxmvbFzW5DhFo+zWejLO4LPVvPHy+ybmcT7G0+EwLhRa0XVFaNLYWZXTn3S +2L7xKfXRGgK1UawhD4chOFVzSXVk8GoWbJ9u8+eeJWxy8u6OxMMi8iolTT3D0UkF +CS9YsQRB49JfXZqsjQ3EAMv6xoRFVDkd506bM4ECgYBPN8B6QpENSsVoVGcS/gpR +hLno9fIvIhABCDoYNTkNT6ILJ8BcU7+lv/zs8UQacqf6Fy7JozbBeEY/Dxr97DKg +e5djZvWYLqmvAiPilN5YEt5WvuswzrGaTcol/E3X5B3aACFFE8+O9i8T2q0VlAot +hC+h7nh0KmPyzL73JUX2Jg== +-----END PRIVATE KEY----- 
diff --git a/xmlsecurity/qa/xmlsec/xmlsec.cxx b/xmlsecurity/qa/xmlsec/xmlsec.cxx
new file mode 100644
index 000000000000..70775f5427f9
--- /dev/null
+++ b/xmlsecurity/qa/xmlsec/xmlsec.cxx
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include
+
+#include
+#include
+
+#include
+#include
+
+#include
+
+using namespace ::com::sun::star;
+
+namespace
+{
+/// Covers xmlsecurity/source/xmlsec/ fixes.
+class Test : public UnoApiTest
+{
+public:
+ Test()
+ : UnoApiTest("/xmlsecurity/qa/xmlsec/data/")
+ {
+ }
+
+ void setUp() override
+ {
+ UnoApiTest::setUp();
+ MacrosTest::setUpX509(m_directories, "xmlsecurity_xmlsec");
+ }
+};
+
+OString ReadToString(const OUString& rUrl)
+{
+ SvFileStream aStream(rUrl, StreamMode::READ);
+ return read_uInt8s_ToOString(aStream, aStream.remainingSize());
+}
+
+CPPUNIT_TEST_FIXTURE(Test, testInsertPrivateKey)
+{
+ // Given a view that has CA/cert/key data data associated:
+ uno::Reference mxSEInitializer
+ = xml::crypto::SEInitializer::create(getComponentContext());
+ uno::Reference xSecurityContext
+ = mxSEInitializer->createSecurityContext(OUString());
+ load("private:factory/swriter");
+ save("writer8");
+ DocumentSignatureManager aManager(getComponentContext(), DocumentSignatureMode::Content);
+ CPPUNIT_ASSERT(aManager.init());
+ uno::Reference xStorage
+ = comphelper::OStorageHelper::GetStorageOfFormatFromURL(
+ ZIP_STORAGE_FORMAT_STRING, maTempFile.GetURL(), embed::ElementModes::READWRITE);
+ CPPUNIT_ASSERT(xStorage.is());
+ aManager.setStore(xStorage);
+ aManager.getSignatureHelper().SetStorage(xStorage, u"1.2");
+ OUString aCaPath = createFileURL(u"ca.pem");
+ std::string aCa;
+ aCa = ReadToString(aCaPath);
+ std::vector aCerts = SfxLokHelper::extractCertificates(aCa);
+ SfxLokHelper::addCertificates(aCerts);
+ OUString aCertPath = createFileURL(u"cert.pem");
+ std::string aCert;
+ aCert = ReadToString(aCertPath);
+ OUString aKeyPath;
+ aKeyPath = createFileURL(u"key.pem");
+ std::string aKey;
+ aKey = ReadToString(aKeyPath);
+ uno::Reference xCertificate
+ = SfxLokHelper::getSigningCertificate(aCert, aKey);
+ CPPUNIT_ASSERT(xCertificate.is());
+
+ // When getting the certificate flags and signing:
+ uno::Reference xSecurityEnvironment
+ = xSecurityContext->getSecurityEnvironment();
+ // Get the certificate flags, the certificate chooser dialog does this:
+ xSecurityEnvironment->getCertificateCharacters(xCertificate);
+ OUString aDescription;
+ sal_Int32 nSecurityId;
+ CPPUNIT_ASSERT(aManager.add(xCertificate, xSecurityContext, aDescription, nSecurityId, false));
+
+ // Then make sure that signing succeeds:
+ aManager.read(/*bUseTempStream=*/true);
+ std::vector& rInformations = aManager.getCurrentSignatureInformations();
+ CPPUNIT_ASSERT_EQUAL(static_cast(1), rInformations.size());
+ // Without the accompanying fix in place, this test would have failed with:
+ // - Expected: 0 (UNKNOWN)
+ // - Actual : 1 (OPERATION_SUCCEEDED)
+ // i.e. the signing failed with an incorrectly imported private key.
+ CPPUNIT_ASSERT_EQUAL(
+ xml::crypto::SecurityOperationStatus::SecurityOperationStatus_OPERATION_SUCCEEDED,
+ rInformations[0].nStatus);
+}
+}
+
+CPPUNIT_PLUGIN_IMPLEMENT();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index f50bd6517a37..699284a56366 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
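Review bot: In testInsertPrivateKey (xmlsecurity/qa/xmlsec/xmlsec.cxx) the failure comment above the final assertion has expected and actual swapped. `CPPUNIT_ASSERT_EQUAL` is given `SecurityOperationStatus_OPERATION_SUCCEEDED` as its first (expected) argument, so a run without the fix would report expected 1 and actual 0, going by the numeric values the comment itself lists. Suggested wording: `// - Expected: 1 (OPERATION_SUCCEEDED)` followed by `// - Actual  : 0 (UNKNOWN)`. A wrong failure signature in a regression test for key import makes a later triage harder, because the logged message will not match the comment.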
@@ -843,7 +843,9 @@ SECKEYPrivateKey* SecurityEnvironment_NssImpl::insertPrivateKey(css::uno::Sequen
 const unsigned int aKeyUsage = KU_ALL;
 SECKEYPrivateKey* pPrivateKey = nullptr;
- bool bPermanent = PR_FALSE;
+ // If the import is not permanent, then later we won't be able to find the private key when
+ // searching for keys and signing will fail.
+ bool bPermanent = PR_TRUE;
 bool bPrivate = PR_TRUE;
 SECStatus nStatus = PK11_ImportDERPrivateKeyInfoAndReturnKey(
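Review bot: With `bool bPermanent = PR_TRUE;` the imported signing key becomes a persistent object in whatever NSS database backs the slot, and nothing in this hunk removes it again or limits which later lookups can find it. The commit message relies on that database being the temporary one created for LOK; that assumption is not visible here, so if insertPrivateKey() can run against a user profile database, or in a process shared by several views, one caller's private key would outlive its signing operation. I would record the assumption next to the flag, e.g. `// Persisted in the NSS DB: relies on the DB being the temporary LOK one; the key must be deleted when the owning view goes away.`, and pair the import with an explicit delete (NSS has `PK11_DeleteTokenPrivateKey()`) once signing is tied to the SfxViewShell. The body of insertPrivateKey() starts and ends outside this hunk, so any existing cleanup is not visible from here.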