diff options
author | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-12-02 11:51:09 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-12-02 13:16:54 +0000 |
commit | 61c81c4500e5d5849b43d3a9d3efdabba94d513b (patch) | |
tree | 94bff4a93b461875773983ce6d45f4203fd3d73f /xmlsecurity | |
parent | 14a5070149b84b804cf646780abf5962fa2dd401 (diff) |
xmlsecurity PDF verify: don't hide signatures where digest match is uncertain
Use case: the bugdoc has 2 signatures, one normal one and one with
SubFilter=ETSI.RFC3161. By not hiding the second signature it's possible
to counter-sign the document, even if we don't handle the contents of
the second one.
Change-Id: I580e1211072ec9839f01b529b569c98b702b6534
Reviewed-on: https://gerrit.libreoffice.org/31539
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'xmlsecurity')
-rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 21 | ||||
-rw-r--r-- | xmlsecurity/source/helper/pdfsignaturehelper.cxx | 3 |
2 files changed, 19 insertions, 5 deletions
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index fae2a71d38f7..2da9c0e7adef 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -72,6 +72,8 @@ public: void testGood(); /// Test that we don't crash / loop while tokenizing these files. void testTokenize(); + /// Test handling of unknown SubFilter values. + void testUnknownSubFilter(); CPPUNIT_TEST_SUITE(PDFSigningTest); CPPUNIT_TEST(testPDFAdd); @@ -87,6 +89,7 @@ public: CPPUNIT_TEST(testSigningCertificateAttribute); CPPUNIT_TEST(testGood); CPPUNIT_TEST(testTokenize); + CPPUNIT_TEST(testUnknownSubFilter); CPPUNIT_TEST_SUITE_END(); }; @@ -388,8 +391,6 @@ void PDFSigningTest::testTokenize() { // We looped on this broken input. OUStringLiteral("no-eof.pdf"), - // Failed to read as \r wasn't handled as terminating a comment. - OUStringLiteral("cr-comment.pdf"), // ']' in a name token was mishandled. OUStringLiteral("name-bracket.pdf"), // %%EOF at the end wasn't followed by a newline. @@ -407,6 +408,22 @@ void PDFSigningTest::testTokenize() } } +void PDFSigningTest::testUnknownSubFilter() +{ + // Tokenize the bugdoc. + uno::Reference<xml::crypto::XSEInitializer> xSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext); + uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext = xSEInitializer->createSecurityContext(OUString()); + SvStream* pStream = utl::UcbStreamHelper::CreateStream(m_directories.getURLFromSrc(DATA_DIRECTORY) + "cr-comment.pdf", StreamMode::READ | StreamMode::WRITE); + uno::Reference<io::XStream> xStream(new utl::OStreamWrapper(*pStream)); + DocumentSignatureManager aManager(mxComponentContext, DocumentSignatureMode::Content); + aManager.mxSignatureStream = xStream; + aManager.read(/*bUseTempStream=*/false); + + // Make sure we find both signatures, even if the second has unknown SubFilter. + std::vector<SignatureInformation>& rInformations = aManager.maCurrentSignatureInformations; + CPPUNIT_ASSERT_EQUAL(static_cast<std::size_t>(2), rInformations.size()); +} + CPPUNIT_TEST_SUITE_REGISTRATION(PDFSigningTest); CPPUNIT_PLUGIN_IMPLEMENT(); diff --git a/xmlsecurity/source/helper/pdfsignaturehelper.cxx b/xmlsecurity/source/helper/pdfsignaturehelper.cxx index 2218129a9485..4218a8305ee4 100644 --- a/xmlsecurity/source/helper/pdfsignaturehelper.cxx +++ b/xmlsecurity/source/helper/pdfsignaturehelper.cxx @@ -56,10 +56,7 @@ bool PDFSignatureHelper::ReadAndVerifySignature(const uno::Reference<io::XInputS bool bLast = i == aSignatures.size() - 1; if (!xmlsecurity::pdfio::PDFDocument::ValidateSignature(*pStream, aSignatures[i], aInfo, bLast)) - { SAL_WARN("xmlsecurity.helper", "failed to determine digest match"); - continue; - } m_aSignatureInfos.push_back(aInfo); } |