diff options
author | Miklos Vajna <vmiklos@collabora.com> | 2020-09-04 17:17:48 +0200 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.com> | 2020-11-27 13:38:20 +0100 |
commit | 9d27b59f64a1c04a27cf5fa0c91245a74b063bdf (patch) | |
tree | 5ee3f509b9180cbaa455a362efdcf939e8aa2c89 /xmlsecurity/source | |
parent | vcl pdf tokenizer: fix handling of dict -> array -> dict tokens (diff) | |
download | core-9d27b59f64a1c04a27cf5fa0c91245a74b063bdf.tar.gz core-9d27b59f64a1c04a27cf5fa0c91245a74b063bdf.zip |
xmlsecurity: pdf incremental updates that are non-commenting are invalid
I.e. it's OK to add incremental updates for annotation/commenting
purposes and that doesn't invalite existing signatures. Everything else
does.
(cherry picked from commit 61834cd574568613f0b0a2ee099a60fa5a8d9804)
Conflicts:
include/vcl/filter/PDFiumLibrary.hxx
vcl/source/pdf/PDFiumLibrary.cxx
xmlsecurity/qa/unit/signing/signing.cxx
Change-Id: I4607c242b3c6f6b01517b02407e9e7a095e2e069
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/106762
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Diffstat (limited to 'xmlsecurity/source')
-rw-r--r-- | xmlsecurity/source/pdfio/pdfdocument.cxx | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx index 7cf2c137c1c4..a506f3e0c3ed 100644 --- a/xmlsecurity/source/pdfio/pdfdocument.cxx +++ b/xmlsecurity/source/pdfio/pdfdocument.cxx @@ -12,6 +12,9 @@ #include <memory> #include <vector> +#include <config_features.h> + +#include <vcl/filter/PDFiumLibrary.hxx> #include <rtl/string.hxx> #include <rtl/ustrbuf.hxx> #include <sal/log.hxx> @@ -20,6 +23,7 @@ #include <svl/sigstruct.hxx> #include <svl/cryptosign.hxx> #include <vcl/filter/pdfdocument.hxx> +#include <vcl/bitmap.hxx> using namespace com::sun::star; @@ -133,6 +137,67 @@ bool IsCompleteSignature(SvStream& rStream, vcl::filter::PDFDocument& rDocument, size_t nFileEnd = rStream.Tell(); return std::find(rAllEOFs.begin(), rAllEOFs.end(), nFileEnd) != rAllEOFs.end(); } + +/// Collects the checksum of each page of one version of the PDF. +void AnalyizeSignatureStream(SvMemoryStream& rStream, std::vector<BitmapChecksum>& rPageChecksums) +{ +#if HAVE_FEATURE_PDFIUM + auto pPdfium = vcl::pdf::PDFiumLibrary::get(); + FPDF_DOCUMENT pPdfDocument( + FPDF_LoadMemDocument(rStream.GetData(), rStream.GetSize(), /*password=*/nullptr)); + + int nPageCount = FPDF_GetPageCount(pPdfDocument); + for (int nPage = 0; nPage < nPageCount; ++nPage) + { + auto pPdfPage = std::make_unique<vcl::pdf::PDFiumPage>(FPDF_LoadPage(pPdfDocument, nPage)); + if (!pPdfPage) + { + return; + } + + BitmapChecksum nPageChecksum = pPdfPage->getChecksum(); + rPageChecksums.push_back(nPageChecksum); + } + FPDF_CloseDocument(pPdfDocument); +#else + (void)rStream; +#endif +} + +/** + * Checks if incremental updates after singing performed valid modifications only. + * Annotations/commenting is OK, other changes are not. + */ +bool IsValidSignature(SvStream& rStream, vcl::filter::PDFObjectElement* pSignature) +{ + size_t nSignatureEOF = 0; + if (!GetEOFOfSignature(pSignature, nSignatureEOF)) + { + return false; + } + + SvMemoryStream aSignatureStream; + sal_uInt64 nPos = rStream.Tell(); + rStream.Seek(0); + aSignatureStream.WriteStream(rStream, nSignatureEOF); + rStream.Seek(nPos); + aSignatureStream.Seek(0); + std::vector<BitmapChecksum> aSignedPages; + AnalyizeSignatureStream(aSignatureStream, aSignedPages); + + SvMemoryStream aFullStream; + nPos = rStream.Tell(); + rStream.Seek(0); + aFullStream.WriteStream(rStream); + rStream.Seek(nPos); + aFullStream.Seek(0); + std::vector<BitmapChecksum> aAllPages; + AnalyizeSignatureStream(aFullStream, aAllPages); + + // Fail if any page looks different after signing and at the end. Annotations/commenting doesn't + // count, though. + return aSignedPages == aAllPages; +} } namespace xmlsecurity @@ -247,6 +312,11 @@ bool ValidateSignature(SvStream& rStream, vcl::filter::PDFObjectElement* pSignat return false; } rInformation.bPartialDocumentSignature = !IsCompleteSignature(rStream, rDocument, pSignature); + if (!IsValidSignature(rStream, pSignature)) + { + SAL_WARN("xmlsecurity.pdfio", "ValidateSignature: invalid incremental update detected"); + return false; + } // At this point there is no obviously missing info to validate the // signature. |