xmlsecurity: extract certificate from PDF signature

So that the UI can show the correct "Signed by" and "Digital ID issued by" fields. Change-Id: Ied2fed480f48baf60cffb4f0ce762a726beab006 Reviewed-on: https://gerrit.libreoffice.org/29776 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
author: Miklos Vajna <vmiklos@collabora.co.uk> 2016-10-13 21:07:55 +0200
committer: Miklos Vajna <vmiklos@collabora.co.uk> 2016-10-14 07:05:52 +0000
commit: e584bc808b634bf18ba5f7538d598e135b28f090 (patch)
tree: c92ad645b1b068db924b248084eee98788a27b1e /xmlsecurity
parent: Revert "Better wording in UI for in case of PDF export from Calc - tdf#90436" (diff)
download: core-e584bc808b634bf18ba5f7538d598e135b28f090.tar.gz
core-e584bc808b634bf18ba5f7538d598e135b28f090.zip
7 files changed, 33 insertions, 16 deletions
diff --git a/xmlsecurity/Executable_pdfverify.mk b/xmlsecurity/Executable_pdfverify.mk
index bc08d5620dcc..8a18dbc08a54 100644
--- a/xmlsecurity/Executable_pdfverify.mk
+++ b/xmlsecurity/Executable_pdfverify.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_Executable_set_include,pdfverify,\
 
 $(eval $(call gb_Executable_use_libraries,pdfverify,\
     comphelper \
+    cppu \
     sal \
     tl \
     xmlsecurity \
diff --git a/xmlsecurity/Library_xmlsecurity.mk b/xmlsecurity/Library_xmlsecurity.mk
index 77368ab39616..c5e8d68d9483 100644
--- a/xmlsecurity/Library_xmlsecurity.mk
+++ b/xmlsecurity/Library_xmlsecurity.mk
@@ -72,12 +72,14 @@ $(eval $(call gb_Library_add_defs,xmlsecurity,\
     -DXMLSEC_CRYPTO_MSCRYPTO \
 ))
 else
+ifneq (,$(filter DESKTOP,$(BUILD_TYPE)))
 $(eval $(call gb_Library_add_defs,xmlsecurity,\
     -DXMLSEC_CRYPTO_NSS \
 ))
 $(eval $(call gb_Library_use_externals,xmlsecurity,\
     nss3 \
 ))
+endif # BUILD_TYPE=DESKTOP
 endif
 
 # vim: set noet sw=4 ts=4:
diff --git a/xmlsecurity/inc/pdfio/pdfdocument.hxx b/xmlsecurity/inc/pdfio/pdfdocument.hxx
index 9d072615b599..79cd7168a364 100644
--- a/xmlsecurity/inc/pdfio/pdfdocument.hxx
+++ b/xmlsecurity/inc/pdfio/pdfdocument.hxx
@@ -16,6 +16,7 @@
 #include <tools/stream.hxx>
 
 #include <xmlsecuritydllapi.h>
+#include <sigstruct.hxx>
 
 namespace xmlsecurity
 {
@@ -58,8 +59,8 @@ public:
 
     bool Read(SvStream& rStream);
     std::vector<PDFObjectElement*> GetSignatureWidgets();
-    /// Return value is about if we can determine a result, bDigestMatch is about the actual result.
-    static bool ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, bool& bDigestMatch);
+    /// Return value is about if we can determine a result, rInformation is about the actual result.
+    static bool ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, SignatureInformation& rInformation);
 };
 
 } // namespace pdfio
diff --git a/xmlsecurity/inc/sigstruct.hxx b/xmlsecurity/inc/sigstruct.hxx
index 8650a8f84ac2..610845cb0ae2 100644
--- a/xmlsecurity/inc/sigstruct.hxx
+++ b/xmlsecurity/inc/sigstruct.hxx
@@ -23,7 +23,7 @@
 #include <rtl/ustring.hxx>
 #include <com/sun/star/util/DateTime.hpp>
 #include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
-#include <com/sun/star/uno/Sequence.h>
+#include <com/sun/star/uno/Sequence.hxx>
 
 #include <vector>
 
diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
index 2054f2b6f2d9..cc4b388c13a4 100644
--- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx
@@ -54,17 +54,12 @@ bool PDFSignatureHelper::ReadAndVerifySignature(const uno::Reference<io::XInputS
     {
         SignatureInformation aInfo(i);
 
-        bool bDigestMatch;
-        if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], bDigestMatch))
+        if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], aInfo))
         {
             SAL_WARN("xmlsecurity.helper", "failed to determine digest match");
             continue;
         }
 
-        if (bDigestMatch)
-            aInfo.nStatus = xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
-        else
-            aInfo.nStatus = xml::crypto::SecurityOperationStatus_UNKNOWN;
         m_aSignatureInfos.push_back(aInfo);
     }
 
@@ -80,11 +75,13 @@ uno::Sequence<security::DocumentSignatureInformation> PDFSignatureHelper::GetDoc
 {
     uno::Sequence<security::DocumentSignatureInformation> aRet(m_aSignatureInfos.size());
 
+    uno::Reference<xml::crypto::XSecurityEnvironment> xSecurityEnvironment = m_xSecurityContext->getSecurityEnvironment();
     for (size_t i = 0; i < m_aSignatureInfos.size(); ++i)
     {
         const SignatureInformation& rInternal = m_aSignatureInfos[i];
         security::DocumentSignatureInformation& rExternal = aRet[i];
         rExternal.SignatureIsValid = rInternal.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
+        rExternal.Signer = xSecurityEnvironment->createCertificateFromAscii(rInternal.ouX509Certificate);
     }
 
     return aRet;
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 4ca43a2c2565..22731dbbbb63 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -13,11 +13,14 @@
 #include <memory>
 #include <vector>
 
+#include <com/sun/star/uno/Sequence.hxx>
+
 #include <comphelper/scopeguard.hxx>
 #include <rtl/strbuf.hxx>
 #include <rtl/string.hxx>
 #include <sal/log.hxx>
 #include <sal/types.h>
+#include <sax/tools/converter.hxx>
 
 #ifdef XMLSEC_CRYPTO_NSS
 #include <cert.h>
@@ -674,7 +677,7 @@ int PDFDocument::AsHex(char ch)
     return nRet;
 }
 
-bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, bool& bDigestMatch)
+bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignature, SignatureInformation& rInformation)
 {
     PDFObjectElement* pValue = pSignature->LookupObject("V");
     if (!pValue)
@@ -841,11 +844,22 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
     unsigned int nActualResultLen;
     HASH_End(pHASHContext, pActualResultBuffer, &nActualResultLen, nMaxResultLen);
 
-    if (!NSS_CMSSignerInfo_GetSigningCertificate(pCMSSignerInfo, CERT_GetDefaultCertDB()))
+    CERTCertificate* pCertificate = NSS_CMSSignerInfo_GetSigningCertificate(pCMSSignerInfo, CERT_GetDefaultCertDB());
+    if (!pCertificate)
     {
         SAL_WARN("xmlsecurity.pdfio", "PDFDocument::ValidateSignature: NSS_CMSSignerInfo_GetSigningCertificate() failed");
         return false;
     }
+    else
+    {
+        uno::Sequence<sal_Int8> aDerCert(pCertificate->derCert.len);
+        for (size_t i = 0; i < pCertificate->derCert.len; ++i)
+            aDerCert[i] = pCertificate->derCert.data[i];
+        OUStringBuffer aBuffer;
+        sax::Converter::encodeBase64(aBuffer, aDerCert);
+        rInformation.ouX509Certificate = aBuffer.makeStringAndClear();
+    }
+
 
     SECItem* pContentInfoContentData = pCMSSignedData->contentInfo.content.data;
     if (pContentInfoContentData && pContentInfoContentData->data)
@@ -857,7 +871,8 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
     SECItem aActualResultItem;
     aActualResultItem.data = pActualResultBuffer;
     aActualResultItem.len = nActualResultLen;
-    bDigestMatch = NSS_CMSSignerInfo_Verify(pCMSSignerInfo, &aActualResultItem, nullptr) == SECSuccess;
+    if (NSS_CMSSignerInfo_Verify(pCMSSignerInfo, &aActualResultItem, nullptr) == SECSuccess)
+        rInformation.nStatus = xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
 
     // Everything went fine
     PORT_Free(pActualResultBuffer);
@@ -868,7 +883,7 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
 #else
     // Not implemented.
     (void)rStream;
-    (void)bDigestMatch;
+    (void)rInformation;
 
     return false;
 #endif
diff --git a/xmlsecurity/source/pdfio/pdfverify.cxx b/xmlsecurity/source/pdfio/pdfverify.cxx
index cbb9a897b705..67dde459ff39 100644
--- a/xmlsecurity/source/pdfio/pdfverify.cxx
+++ b/xmlsecurity/source/pdfio/pdfverify.cxx
@@ -42,14 +42,15 @@ SAL_IMPLEMENT_MAIN_WITH_ARGS(nArgc, pArgv)
         std::cerr << "found " << aSignatures.size() << " signatures" << std::endl;
         for (size_t i = 0; i < aSignatures.size(); ++i)
         {
-            bool bDigestMatch;
-            if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(aStream, aSignatures[i], bDigestMatch))
+            SignatureInformation aInfo(i);
+            if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(aStream, aSignatures[i], aInfo))
             {
                 SAL_WARN("xmlsecurity.pdfio", "failed to determine digest match");
                 return 1;
             }
 
-            std::cerr << "signature #" << i << ": digest match? " << bDigestMatch << std::endl;
+            bool bSuccess = aInfo.nStatus == xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED;
+            std::cerr << "signature #" << i << ": digest match? " << bSuccess << std::endl;
         }
     }
author	Miklos Vajna <vmiklos@collabora.co.uk>	2016-10-13 21:07:55 +0200
committer	Miklos Vajna <vmiklos@collabora.co.uk>	2016-10-14 07:05:52 +0000
commit	e584bc808b634bf18ba5f7538d598e135b28f090 (patch)
tree	c92ad645b1b068db924b248084eee98788a27b1e /xmlsecurity
parent	Revert "Better wording in UI for in case of PDF export from Calc - tdf#90436" (diff)
download	core-e584bc808b634bf18ba5f7538d598e135b28f090.tar.gz core-e584bc808b634bf18ba5f7538d598e135b28f090.zip