tdf#108828 Prevent leaking keys from previous signing sessions

Usuccessful signing sessions (e.g. abort when password is requested) left their key in the context. On the next try, the former key would also be used to sign. Change-Id: I55b9201df229cae40863a0a19b238029607d1848 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170388 Reviewed-by: Samuel Mehrbrodt <samuel.mehrbrodt@allotropia.de> Tested-by: Jenkins
2024-07-11 23:15:26 +02:00
parent d16ac2a8ed
commit 0e1592094e
1 changed files with 2 additions and 0 deletions
--- a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
+++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
@@ -197,6 +197,8 @@ SAL_CALL XMLSignature_GpgImpl::generate(
    int nRet = xmlSecBase64Decode_ex(pKey, reinterpret_cast<xmlSecByte*>(pKey), xmlStrlen(pKey), &nWritten);
    if(nRet < 0)
        throw RuntimeException(u"The GpgME library failed to initialize for the OpenPGP protocol."_ustr);
+
+    rCtx.clearSigningKeys(); // tdf#108828 Clear keys from previous unsuccessful sessions
    if( rCtx.addSigningKey(
            rCtx.key(
                reinterpret_cast<char*>(pKey), err, true)) )