summaryrefslogtreecommitdiffstats
path: root/xmlsecurity/source/component/documentdigitalsignatures.cxx
diff options
context:
space:
mode:
Diffstat (limited to 'xmlsecurity/source/component/documentdigitalsignatures.cxx')
-rw-r--r--xmlsecurity/source/component/documentdigitalsignatures.cxx50
1 files changed, 32 insertions, 18 deletions
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index c67d893b0624..fdd08892d24a 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -499,27 +499,36 @@ DocumentDigitalSignatures::ImplVerifySignatures(
const SignatureInformation& rInfo = aSignInfos[n];
css::security::DocumentSignatureInformation& rSigInfo = arInfos[n];
- if (rInfo.ouGpgCertificate.isEmpty()) // X.509
+ if (!rInfo.X509Datas.empty()) // X.509
{
- if (!rInfo.ouX509Certificate.isEmpty())
- rSigInfo.Signer = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ;
- if (!rSigInfo.Signer.is())
- rSigInfo.Signer = xSecEnv->getCertificate( rInfo.ouX509IssuerName,
- xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
-
+ std::vector<uno::Reference<security::XCertificate>> certs(
+ rSignatureHelper.CheckAndUpdateSignatureInformation(
+ xSecEnv, rInfo));
+ if (certs.empty())
+ {
+ rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ }
+ else
+ {
+ rSigInfo.Signer = certs.back();
+ // get only intermediates
+ certs.pop_back();
// On Windows checking the certificate path is buggy. It does name matching (issuer, subject name)
// to find the parent certificate. It does not take into account that there can be several certificates
// with the same subject name.
-
- try {
- rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer,
- Sequence<Reference<css::security::XCertificate> >());
- } catch (SecurityException& ) {
- OSL_FAIL("Verification of certificate failed");
- rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ try
+ {
+ rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(
+ rSigInfo.Signer, comphelper::containerToSequence(certs));
+ }
+ catch (SecurityException&)
+ {
+ SAL_WARN("xmlsecurity.comp", "Verification of certificate failed");
+ rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+ }
}
}
- else if (xGpgSecEnv.is()) // GPG
+ else if (!rInfo.ouGpgCertificate.isEmpty() && xGpgSecEnv.is()) // GPG
{
// TODO not ideal to retrieve cert by keyID, might
// collide, or PGPKeyID format might change - can't we
@@ -604,11 +613,15 @@ void DocumentDigitalSignatures::showCertificate(
}
sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
- const Reference< css::security::XCertificate >& Author )
+ const Reference<css::security::XCertificate>& xAuthor)
{
+ if (!xAuthor.is())
+ {
+ return false;
+ }
bool bFound = false;
- OUString sSerialNum = xmlsecurity::bigIntegerToNumericString( Author->getSerialNumber() );
+ OUString sSerialNum = xmlsecurity::bigIntegerToNumericString(xAuthor->getSerialNumber());
Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors();
const SvtSecurityOptions::Certificate* pAuthors = aTrustedAuthors.getConstArray();
@@ -616,7 +629,8 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
for ( ; pAuthors != pAuthorsEnd; ++pAuthors )
{
SvtSecurityOptions::Certificate aAuthor = *pAuthors;
- if ( ( aAuthor[0] == Author->getIssuerName() ) && ( aAuthor[1] == sSerialNum ) )
+ if (xmlsecurity::EqualDistinguishedNames(aAuthor[0], xAuthor->getIssuerName())
+ && (aAuthor[1] == sSerialNum))
{
bFound = true;
break;