From fae1eb775d44438a2193ba1ec07261ea0a94fef4 Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Tue, 17 Dec 2024 13:41:33 +0100 Subject: [PATCH] xmlsecurity: fix tests to run with system NSS on Fedora 40 testDropMacroTemplateSignature fails printing this: warn:xmlsecurity.xmlsec:3511616:3511616:xmlsecurity/source/xmlsec/errorcallback.cxx:53: signatures.c:599: xmlSecNssSignatureSetKey() 'rsa-sha1' 'VFY_CreateContext' 4 'NSS error: -8011' because policy sets NSS_RSA_MIN_KEY_SIZE to 2048. testPDFGood fails printing this: warn:svl.crypto:3587940:3587940:svl/source/crypto/cryptosign.cxx:1941: ValidateSignature: message is not signed warn:xmlsecurity.helper:3587940:3587940:xmlsecurity/source/helper/pdfsignaturehelper.cxx:482: failed to determine digest match because enabling SEC_OID_SHA1 for NSS_USE_ALG_IN_ANY_SIGNATURE doesn't enable it for SMIME signatures, so smime_allowed_by_policy() fails - obviously one has to use NSS_USE_ALG_IN_SIGNATURE to enable it in any signature. Change-Id: I59ffaf0994eee6b51362fd3296f61465d0fc7903 (cherry picked from commit a7b7b00b78426bff8607c77106ea62dd213f0821) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178663 Tested-by: Jenkins Reviewed-by: Michael Stahl --- xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 1 + xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 1 + xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 5 ++++- xmlsecurity/qa/unit/signing/signing.cxx | 5 ++++- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk index faf6944a0773..02544bc54c92 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk @@ -39,6 +39,7 @@ ifneq ($(OS),WNT) ifneq (,$(ENABLE_NSS)) $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ nssutil3 \ + nss3 \ )) endif endif diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 91613c06046e..6345c1f23aa8 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk @@ -44,6 +44,7 @@ ifneq ($(OS),WNT) ifneq (,$(ENABLE_NSS)) $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ nssutil3 \ + nss3 \ )) endif endif diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index 36a5a3d19a9b..5762bae5415d 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -13,6 +13,7 @@ #if USE_CRYPTO_NSS #include +#include #endif #include @@ -81,7 +82,9 @@ void PDFSigningTest::setUp() #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE // policy may disallow using SHA1 for signatures but unit test documents // have such existing signatures (call this after createSecurityContext!) - NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0); + // the minimum is 2048 in Fedora 40 + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024); #endif #endif } diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index 0a22681fb9a0..e6c20316face 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx @@ -15,6 +15,7 @@ #if USE_CRYPTO_NSS #include +#include #endif #include @@ -104,7 +105,9 @@ void SigningTest::setUp() #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE // policy may disallow using SHA1 for signatures but unit test documents // have such existing signatures (call this after createSecurityContext!) - NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0); + // the minimum is 2048 in Fedora 40 + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024); #endif #endif }