authorMichael Stahl <michael.stahl@allotropia.de>2021-10-15 20:52:47 +0200
committerMichael Stahl <michael.stahl@allotropia.de>2022-04-01 14:02:39 +0200
commit3ecd4bf57f9688a0346f5cd83451985bc00a0d8a (patch)
tree1c4548689882153f739f20e2ff03923d4146471e
parenttest: upgrade test NSS database from dbm: to sql: (diff)
xmlsecurity: fix test failing because NSS policy forbids SHA1
With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that 8 tests including testODFGood in CppunitTest/xmlsecurity_signing fail because the crypto policy disallows SHA1 for signatures. Apparently this particular policy bit was added in NSS 3.59: https://bugzilla.mozilla.org/show_bug.cgi?id=1670835 For signatures, maybe it's not a good idea to override system policy for product builds, so do it locally in the tests, at least for now. If similar problems turn up for encrypted documents in the future, that should be fixed in product builds too of course, as encrypted documents must always be decryptable. Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123768 Tested-by: Jenkins Tested-by: Caolán McNamara <caolanm@redhat.com> Reviewed-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit 51e82016e8783a452fe5f7921d12c1bf20bfd6b5) xmlsecurity: fix --without-system-nss usage of NSS_SetAlgorithmPolicy The problem with commit ff572d9222ec16ffd679ae907a0bf4a8900265e1 is that it's using the wrong library; NSS_SetAlgorithmPolicy is actually in libnssutil3.so. This causes a linking problem when upgrading the internal NSS to a version that has NSS_USE_ALG_IN_ANY_SIGNATURE. Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123819 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> (cherry picked from commit 395c0c0bbaceadf909e0189af99c6358487c7978) Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123838 Tested-by: Michael Stahl <michael.stahl@allotropia.de> Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> (cherry picked from commit 0f3431026dbff0251efeb0b92be335841a08cc5d)
-rw-r--r--RepositoryExternal.mk26
-rw-r--r--xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk8
-rw-r--r--xmlsecurity/CppunitTest_xmlsecurity_signing.mk8
-rw-r--r--xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx16
-rw-r--r--xmlsecurity/qa/unit/signing/signing.cxx11
5 files changed, 69 insertions, 0 deletions
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index 717b70efa0dc..82da26bfe624 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -3399,6 +3399,11 @@ $(call gb_LinkTarget_add_libs,$(1),\
endef
+define gb_LinkTarget__use_nssutil3
+$(call gb_LinkTarget__use_nss3,$(1))
+
+endef
+
define gb_LinkTarget__use_plc4
$(call gb_LinkTarget__use_nss3,$(1))
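Review bot: The system-NSS definition of `gb_LinkTarget__use_nssutil3` added here carries no comment explaining why it only forwards to `gb_LinkTarget__use_nss3`, while the bundled-NSS definition in the second hunk of this file links `nssutil3` explicitly. A reader has to infer that the system NSS flags already pull in libnssutil3, which is not visible in the diff. The commit message says the earlier breakage came from linking the wrong library, so I would record the assumption next to the macro, e.g. `# system NSS: flags from gb_LinkTarget__use_nss3 are assumed to cover libnssutil3`.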
@@ -3468,6 +3473,27 @@ endif
endef
+define gb_LinkTarget__use_nssutil3
+$(call gb_LinkTarget_use_package,$(1),nss)
+$(call gb_LinkTarget_set_include,$(1),\
+ $$(INCLUDE) \
+ -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss \
+ -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include \
+)
+
+ifeq ($(COM),MSC)
+$(call gb_LinkTarget_add_libs,$(1),\
+ $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/nssutil3.lib \
+)
+else
+$(call gb_LinkTarget_add_libs,$(1),\
+ -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib \
+ -lnssutil3 \
+)
+endif
+
+endef
+
define gb_ExternalProject__use_nss3
$(call gb_ExternalProject_use_package,$(1),nss)
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index f2500b5d3100..f6a74a9eabd7 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
boost_headers \
))
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
+ nssutil3 \
+))
+endif
+endif
+
$(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\
-I$(SRCDIR)/xmlsecurity/inc \
$$(INCLUDE) \
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 84e7a76c043b..7ed85aed76f5 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
libxml2 \
))
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
+ nssutil3 \
+))
+endif
+endif
+
$(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\
-I$(SRCDIR)/xmlsecurity/inc \
$$(INCLUDE) \
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 2894b4a2fa2d..6dd7a86cac5c 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -7,6 +7,10 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
#include <com/sun/star/xml/crypto/SEInitializer.hpp>
#include <com/sun/star/security/DocumentSignatureInformation.hpp>
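Review bot: The `#include <secoid.h>` added at the top of this file is guarded only by `#ifndef _WIN32`, but the CppunitTest makefile hunks add the `nssutil3` external, and with it the NSS include path, only when `ENABLE_NSS` is also non-empty. On a non-Windows build configured without NSS the header would presumably not be found; whether such a configuration builds this test at all is not visible from the diff. If it can, the source guard should match the makefile condition, along the lines of `#if !defined(_WIN32) && defined(<PROJECT_NSS_FEATURE_MACRO>)` with the project's real feature macro substituted. The identical include added in xmlsecurity/qa/unit/signing/signing.cxx has the same mismatch.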
@@ -85,6 +89,18 @@ void PDFSigningTest::setUp()
osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "/pkcs11.txt");
setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1);
#endif
+
+ uno::Reference<xml::crypto::XSEInitializer> xSEInitializer
+ = xml::crypto::SEInitializer::create(mxComponentContext);
+ uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext
+ = xSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+ // policy may disallow using SHA1 for signatures but unit test documents
+ // have such existing signatures (call this after createSecurityContext!)
+ NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
}
std::vector<SignatureInformation> PDFSigningTest::verify(const OUString& rURL, size_t nCount,
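Review bot: The return value of `NSS_SetAlgorithmPolicy` in `setUp()` is discarded, so if the call fails, the SHA-1 signature tests will fail later with a validation result that does not point at the policy. The function returns a `SECStatus`, and asserting on it makes the cause visible: `CPPUNIT_ASSERT_EQUAL(SECSuccess, NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0));`. The override is process-wide and nothing in the diff restores it, so the comment should say that it deliberately relaxes the system crypto policy for the test process only and must not be copied into product code. `setUp()` starts above the hunk, and `xSecurityContext` is a local that is dropped when it returns; whether NSS stays initialised with the changed policy after that is not visible here. The same unchecked call is added to `SigningTest::setUp()` in signing.cxx.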
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index fb1cdb86eee0..e7835324072f 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -14,6 +14,10 @@
#include <cstdlib>
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
#include <test/bootstrapfixture.hxx>
#include <unotest/macros_test.hxx>
#include <test/xmltesttools.hxx>
@@ -152,6 +156,13 @@ void SigningTest::setUp()
mxDesktop.set(frame::Desktop::create(mxComponentContext));
mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
mxSecurityContext = mxSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+ // policy may disallow using SHA1 for signatures but unit test documents
+ // have such existing signatures (call this after createSecurityContext!)
+ NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
}
void SigningTest::tearDown()