diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2021-10-15 20:52:47 +0200 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2022-04-01 14:02:39 +0200 |
commit | 3ecd4bf57f9688a0346f5cd83451985bc00a0d8a (patch) | |
tree | 1c4548689882153f739f20e2ff03923d4146471e | |
parent | test: upgrade test NSS database from dbm: to sql: (diff) | |
download | core-3ecd4bf57f9688a0346f5cd83451985bc00a0d8a.tar.gz core-3ecd4bf57f9688a0346f5cd83451985bc00a0d8a.zip |
xmlsecurity: fix test failing because NSS policy forbids SHA1
With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
8 tests including testODFGood in CppunitTest/xmlsecurity_signing
fail because the crypto policy disallows SHA1 for signatures.
Apparently this particular policy bit was added in NSS 3.59:
https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
For signatures, maybe it's not a good idea to override system policy
for product builds, so do it locally in the tests, at least for now.
If similar problems turn up for encrypted documents in the future,
that should be fixed in product builds too of course, as encrypted
documents must always be decryptable.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123768
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 51e82016e8783a452fe5f7921d12c1bf20bfd6b5)
xmlsecurity: fix --without-system-nss usage of NSS_SetAlgorithmPolicy
The problem with commit ff572d9222ec16ffd679ae907a0bf4a8900265e1
is that it's using the wrong library; NSS_SetAlgorithmPolicy is actually
in libnssutil3.so.
This causes a linking problem when upgrading the internal NSS to a
version that has NSS_USE_ALG_IN_ANY_SIGNATURE.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123819
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 395c0c0bbaceadf909e0189af99c6358487c7978)
Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123838
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 0f3431026dbff0251efeb0b92be335841a08cc5d)
-rw-r--r-- | RepositoryExternal.mk | 26 | ||||
-rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 8 | ||||
-rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 8 | ||||
-rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 16 | ||||
-rw-r--r-- | xmlsecurity/qa/unit/signing/signing.cxx | 11 |
5 files changed, 69 insertions, 0 deletions
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk index 717b70efa0dc..82da26bfe624 100644 --- a/RepositoryExternal.mk +++ b/RepositoryExternal.mk @@ -3399,6 +3399,11 @@ $(call gb_LinkTarget_add_libs,$(1),\ endef +define gb_LinkTarget__use_nssutil3 +$(call gb_LinkTarget__use_nss3,$(1)) + +endef + define gb_LinkTarget__use_plc4 $(call gb_LinkTarget__use_nss3,$(1)) @@ -3468,6 +3473,27 @@ endif endef +define gb_LinkTarget__use_nssutil3 +$(call gb_LinkTarget_use_package,$(1),nss) +$(call gb_LinkTarget_set_include,$(1),\ + $$(INCLUDE) \ + -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss \ + -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include \ +) + +ifeq ($(COM),MSC) +$(call gb_LinkTarget_add_libs,$(1),\ + $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/nssutil3.lib \ +) +else +$(call gb_LinkTarget_add_libs,$(1),\ + -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib \ + -lnssutil3 \ +) +endif + +endef + define gb_ExternalProject__use_nss3 $(call gb_ExternalProject_use_package,$(1),nss) diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk index f2500b5d3100..f6a74a9eabd7 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ boost_headers \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ + nssutil3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 84e7a76c043b..7ed85aed76f5 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ libxml2 \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ + nssutil3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index 2894b4a2fa2d..6dd7a86cac5c 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -7,6 +7,10 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _WIN32 +#include <secoid.h> +#endif + #include <com/sun/star/xml/crypto/SEInitializer.hpp> #include <com/sun/star/security/DocumentSignatureInformation.hpp> @@ -85,6 +89,18 @@ void PDFSigningTest::setUp() osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "/pkcs11.txt"); setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1); #endif + + uno::Reference<xml::crypto::XSEInitializer> xSEInitializer + = xml::crypto::SEInitializer::create(mxComponentContext); + uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext + = xSEInitializer->createSecurityContext(OUString()); +#ifndef _WIN32 +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } std::vector<SignatureInformation> PDFSigningTest::verify(const OUString& rURL, size_t nCount, diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index fb1cdb86eee0..e7835324072f 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx @@ -14,6 +14,10 @@ #include <cstdlib> +#ifndef _WIN32 +#include <secoid.h> +#endif + #include <test/bootstrapfixture.hxx> #include <unotest/macros_test.hxx> #include <test/xmltesttools.hxx> @@ -152,6 +156,13 @@ void SigningTest::setUp() mxDesktop.set(frame::Desktop::create(mxComponentContext)); mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext); mxSecurityContext = mxSEInitializer->createSecurityContext(OUString()); +#ifndef _WIN32 +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void SigningTest::tearDown() |