mir/libreoffice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tdf#161872 xmlsecurity nss: don't require trusted signing certs

Browse Source 
Configure your signing cert in Firefox, (unusually) don't trust the CA
that you would use to issue your signing cert, try to sign a document,
error.

This is reportedly wrong since commit
bfd479abf0d1d8ce36c3b0dcc6c824216f88a95b (Update libxmlsec to 1.3.1,
2023-06-09), for some reason our usage of libxmlsec-1.2 didn't trigger
this problem.

Given that we already disable libxmlsec-side cert verify while
verifying a signature (and have our own logic there), it's consistent to
do the same while creating the signature, and that fixes the bug, too.

The Windows / MSCNG backend is not yet changed here.

Change-Id: I8a7adf06b9a26731f1a180a4f6257317084e414a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/180844
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
This commit is contained in:
Miklos Vajna 2025-01-28 16:38:10 +01:00
parent 6ca82a321f
commit 1817760f56
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
View File

@ -150,6 +150,7 @@ SAL_CALL XMLSignature_NssImpl::generate(
}
//Sign the template
pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
if( xmlSecDSigCtxSign( pDsigCtx.get() , pNode ) == 0 )
{
if (pDsigCtx->status == xmlSecDSigStatusSucceeded)