From 2caf390474150947c79b5f719e625145f9acd6d0 Mon Sep 17 00:00:00 2001 From: Mike Kaganski Date: Mon, 18 Sep 2017 22:34:42 +0300 Subject: PDF signing: don't fail unittest on invalid certificates Without this, expired/not yet valid certificates, as well as certificates without private key, make test needlessly fail. Change-Id: Ic8ff85db54f1f1b1fb49fde82424f597f1555c96 Reviewed-on: https://gerrit.libreoffice.org/42434 Tested-by: Jenkins Reviewed-by: Miklos Vajna --- include/sal/log-areas.dox | 1 + xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 48 ++++++++++++++++++++++----- 2 files changed, 41 insertions(+), 8 deletions(-) diff --git a/include/sal/log-areas.dox b/include/sal/log-areas.dox index d12ae1675bfe..46a75f5a6151 100644 --- a/include/sal/log-areas.dox +++ b/include/sal/log-areas.dox @@ -533,6 +533,7 @@ certain functionality. @li @c xmlsecurity.helper @li @c xmlsecurity.ooxml - OOXML signature support @li @c xmlsecurity.pdfio - signing of existing PDF +@li @c xmlsecurity.pdfio.test @li @c xmlsecurity.xmlsec - xmlsec wrapper @li @c xmlsecurity.xmlsec.gpg - gpg xmlsec component diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index 39746ac2a233..8d8e265c6aec 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -19,6 +19,11 @@ #include #include +#ifdef _WIN32 + #define WIN32_LEAN_AND_MEAN + #include +#endif + using namespace com::sun::star; namespace 
@@ -162,24 +167,51 @@ bool PDFSigningTest::sign(const OUString& rInURL, const OUString& rOutURL, size_ CPPUNIT_ASSERT_EQUAL(nOriginalSignatureCount, aSignatures.size()); } + bool bSignSuccessful = false; // Sign it and write out the result. { uno::Reference xSecurityEnvironment = xSecurityContext->getSecurityEnvironment(); uno::Sequence> aCertificates = xSecurityEnvironment->getPersonalCertificates(); - if (!aCertificates.hasElements()) + DateTime now(DateTime::SYSTEM); + for (auto& cert : aCertificates) { - // NSS failed to parse it's own profile or Windows has no certificates installed. - return false; + css::util::DateTime aNotValidAfter = cert->getNotValidAfter(); + css::util::DateTime aNotValidBefore = cert->getNotValidBefore(); + + // Only try certificates that are already active and not expired + if ((now > aNotValidAfter) || (now < aNotValidBefore)) + { + SAL_WARN("xmlsecurity.pdfio.test", "Skipping a certificate that is not yet valid or already not valid"); + } + else + { + bool bSignResult = aDocument.Sign(cert, "test", /*bAdES=*/true); +#ifdef _WIN32 + if (!bSignResult) + { + DWORD dwErr = GetLastError(); + if (dwErr == CRYPT_E_NO_KEY_PROPERTY) + { + SAL_WARN("xmlsecurity.pdfio.test", "Skipping a certificate without a private key"); + continue; // The certificate does not have a private key - not a valid certificate + } + } +#endif + CPPUNIT_ASSERT(bSignResult); + SvFileStream aOutStream(rOutURL, StreamMode::WRITE | StreamMode::TRUNC); + CPPUNIT_ASSERT(aDocument.Write(aOutStream)); + bSignSuccessful = true; + break; + } } - CPPUNIT_ASSERT(aDocument.Sign(aCertificates[0], "test", /*bAdES=*/true)); - SvFileStream aOutStream(rOutURL, StreamMode::WRITE | StreamMode::TRUNC); - CPPUNIT_ASSERT(aDocument.Write(aOutStream)); } // This was nOriginalSignatureCount when PDFDocument::Sign() silently returned success, without doing anything. 
- verify(rOutURL, nOriginalSignatureCount + 1, /*rExpectedSubFilter=*/OString()); + if (bSignSuccessful) + verify(rOutURL, nOriginalSignatureCount + 1, /*rExpectedSubFilter=*/OString()); - return true; + // May return false if NSS failed to parse it's own profile or Windows has no valid certificates installed. + return bSignSuccessful; } void PDFSigningTest::testPDFAdd() -- cgit
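Review bot: In the `#ifdef _WIN32` branch the skip decision rests on `GetLastError()` read after `aDocument.Sign()` has already returned, so any Win32 call made inside `Sign()` after the failing one (cleanup, logging) can replace the thread's last-error value before it is compared with `CRYPT_E_NO_KEY_PROPERTY`; `Sign()` is not visible in this hunk, so this is a risk to confirm rather than a proven bug. A stale code cuts both ways: a key-less certificate can still trip `CPPUNIT_ASSERT(bSignResult)`, and an unrelated signing failure that leaves that code behind is skipped as if it were harmless. At minimum document the dependency, e.g. `// relies on Sign() making no Win32 call after the failing crypto call`, or better have the signing code report the missing key itself. Separately, when every certificate is skipped the function returns false without calling `verify()`, which a caller cannot tell apart from an empty certificate store, so add `SAL_WARN_IF(!bSignSuccessful, "xmlsecurity.pdfio.test", "no usable certificate, signing not exercised");` before the final return. `PDFSigningTest::sign` starts above this hunk.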