Dear Maintainer, tried to have another look with the original input file. In my minimal test VM I came again across the segfault I described in message #10, which is not the problem Wesley hit and got sumitted in #926404 too. So I had to start firefox once to have a profile in the home directory.
Then I could successfully reproduce the crash, see the backtrace below with debug information. For this I could not find a upstream bug report. But upstream commit [1] changed method SignatureInfo::setSubjectDN to avoid it. Therefore tried to build with this patch and found that it touches the same area as [2] from message #10, therefore included that too before. With both applied pdfsig gives information for this file without crashing, with or without a .mozilla directory. Kind regards, Bernhard #926404 https://bugs.debian.org/926404 [1] https://gitlab.freedesktop.org/poppler/poppler/commit/7486e4995d66f1a8676f3e65e408e8cdab049f6b [2] https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb (gdb) bt #0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120 #1 0x00007ffff7a1bfee in __GI___strdup (s=s@entry=0x0) at strdup.c:41 #2 0x00007ffff7e8340d in SignatureInfo::setSubjectDN (this=this@entry=0x5555555a3e80, subjectDN=0x0) at ./poppler/SignatureInfo.cc:127 #3 0x00007ffff7df3e19 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5555555a07f0) at ./poppler/Form.cc:1749 #4 FormFieldSignature::validateSignature (this=0x5555555a07f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689 #5 0x0000555555556a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979 (gdb) list SignatureInfo.cc:124,128 124 void SignatureInfo::setSubjectDN(const char *subjectDN) 125 { 126 free(subject_dn); 127 subject_dn = strdup(subjectDN); 128 }
>From a85c2ed8f4359341adb94887c4b551a761244fdb Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <aa...@kde.org> Date: Sat, 17 Nov 2018 19:29:16 +0100 Subject: [PATCH] Be more stubborn looking for a nssdb Fixes issue #669 (Bernhard Ãbelacker: Adapted to match debian package 0.71.0, https://bugs.debian.org/924050 ) --- poppler/SignatureHandler.cc | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc index a98e3f7..a49d34a 100644 --- a/poppler/SignatureHandler.cc +++ b/poppler/SignatureHandler.cc @@ -114,10 +114,19 @@ GooString *SignatureHandler::getDefaultFirefoxCertDB_Linux() void SignatureHandler::init_nss() { GooString *certDBPath = getDefaultFirefoxCertDB_Linux(); + bool initSuccess = false; if (certDBPath == nullptr) { - NSS_Init("sql:/etc/pki/nssdb"); + initSuccess = (NSS_Init("sql:/etc/pki/nssdb") == SECSuccess); } else { - NSS_Init(certDBPath->getCString()); + initSuccess = (NSS_Init(certDBPath->getCString()) == SECSuccess); + } + if (!initSuccess) { + GooString homeNssDb(getenv("HOME")); + homeNssDb.append("/.pki/nssdb"); + initSuccess = (NSS_Init(homeNssDb.getCString()) == SECSuccess); + if (!initSuccess) { + NSS_NoDB_Init(nullptr); + } } //Make sure NSS root certificates module is loaded SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0); -- 2.20.1
>From 7486e4995d66f1a8676f3e65e408e8cdab049f6b Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <aa...@kde.org> Date: Wed, 16 Jan 2019 22:56:42 +0100 Subject: [PATCH] pdfsig: add -nssdir option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Contains code inspired in code by Hans-Ulrich Jüttner and Adrian Johnson (Bernhard Ãbelacker: Adapted to match debian package 0.71.0, https://bugs.debian.org/924050 ) --- poppler/SignatureHandler.cc | 56 +++++++++++++++++++++++++------------ poppler/SignatureHandler.h | 9 ++++-- poppler/SignatureInfo.cc | 4 +-- utils/pdfsig.1 | 15 ++++++++-- utils/pdfsig.cc | 12 ++++++-- 5 files changed, 68 insertions(+), 28 deletions(-) diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc index a57e9c3..49f91bd 100644 --- a/poppler/SignatureHandler.cc +++ b/poppler/SignatureHandler.cc @@ -41,7 +41,7 @@ unsigned int SignatureHandler::digestLength(SECOidTag digestAlgId) char *SignatureHandler::getSignerName() { - if (!CMSSignerInfo) + if (!CMSSignerInfo || !NSS_IsInitialized()) return nullptr; CERTCertificate *cert = NSS_CMSSignerInfo_GetSigningCertificate(CMSSignerInfo, CERT_GetDefaultCertDB()); @@ -78,8 +78,7 @@ time_t SignatureHandler::getSigningTime() return static_cast<time_t>(sTime/1000000); } - -GooString *SignatureHandler::getDefaultFirefoxCertDB_Linux() +static GooString *getDefaultFirefoxCertDB_Linux() { GooString * finalPath = nullptr; DIR *toSearchIn; @@ -111,27 +110,45 @@ GooString *SignatureHandler::getDefaultFirefoxCertDB_Linux() /** * Initialise NSS */ -void SignatureHandler::init_nss() +void SignatureHandler::setNSSDir(const GooString &nssDir) { - GooString *certDBPath = getDefaultFirefoxCertDB_Linux(); + static bool setNssDirCalled = false; + + if (NSS_IsInitialized() && nssDir.getLength() > 0) { + error(errInternal, 0, "You need to call setNSSDir before signature validation related operations happen"); + return; + } + + if (setNssDirCalled) + return; + + setNssDirCalled = true; + bool initSuccess = false; - if (certDBPath == nullptr) { - initSuccess = (NSS_Init("sql:/etc/pki/nssdb") == SECSuccess); + if (nssDir.getLength() > 0) { + initSuccess = (NSS_Init(nssDir.getCString()) == SECSuccess); } else { - initSuccess = (NSS_Init(certDBPath->getCString()) == SECSuccess); - } - if (!initSuccess) { - GooString homeNssDb(getenv("HOME")); - homeNssDb.append("/.pki/nssdb"); - initSuccess = (NSS_Init(homeNssDb.getCString()) == SECSuccess); + GooString *certDBPath = getDefaultFirefoxCertDB_Linux(); + if (certDBPath == nullptr) { + initSuccess = (NSS_Init("sql:/etc/pki/nssdb") == SECSuccess); + } else { + initSuccess = (NSS_Init(certDBPath->getCString()) == SECSuccess); + } if (!initSuccess) { - NSS_NoDB_Init(nullptr); + GooString homeNssDb(getenv("HOME")); + homeNssDb.append("/.pki/nssdb"); + initSuccess = (NSS_Init(homeNssDb.getCString()) == SECSuccess); + if (!initSuccess) { + NSS_NoDB_Init(nullptr); + } } + delete certDBPath; } - //Make sure NSS root certificates module is loaded - SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0); - delete certDBPath; + if (initSuccess) { + //Make sure NSS root certificates module is loaded + SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0); + } } @@ -142,7 +159,7 @@ SignatureHandler::SignatureHandler(unsigned char *p7, int p7_length) CMSSignerInfo(nullptr), temp_certs(nullptr) { - init_nss(); + setNSSDir({}); CMSitem.data = p7; CMSitem.len = p7_length; CMSMessage = CMS_MessageCreate(&CMSitem); @@ -252,6 +269,9 @@ NSSCMSVerificationStatus SignatureHandler::validateSignature() if (!CMSSignedData) return NSSCMSVS_MalformedSignature; + if (!NSS_IsInitialized()) + return NSSCMSVS_ProcessingError; + digest_buffer = (unsigned char *)PORT_Alloc(hash_length); unsigned int result_len = 0; diff --git a/poppler/SignatureHandler.h b/poppler/SignatureHandler.h index 3b2f62b..96b11e1 100644 --- a/poppler/SignatureHandler.h +++ b/poppler/SignatureHandler.h @@ -49,13 +49,16 @@ public: static SignatureValidationStatus NSS_SigTranslate(NSSCMSVerificationStatus nss_code); static CertificateValidationStatus NSS_CertTranslate(SECErrorCodes nss_code); + // Initializes the NSS dir with the custom given directory + // calling it with an empty string means use the default firefox db, /etc/pki/nssdb, ~/.pki/nssdb + // If you don't want a custom NSS dir and the default entries are fine for you, not calling this function is fine + // If wanted, this has to be called before doing signature validation calls + static void setNSSDir(const GooString &nssDir); + private: SignatureHandler(const SignatureHandler &); SignatureHandler& operator=(const SignatureHandler &); - void init_nss(); - - GooString * getDefaultFirefoxCertDB_Linux(); unsigned int digestLength(SECOidTag digestAlgId); NSSCMSMessage *CMS_MessageCreate(SECItem * cms_item); NSSCMSSignedData *CMS_SignedDataCreate(NSSCMSMessage * cms_msg); diff --git a/poppler/SignatureInfo.cc b/poppler/SignatureInfo.cc index 11e47e5..7bdaf97 100644 --- a/poppler/SignatureInfo.cc +++ b/poppler/SignatureInfo.cc @@ -7,7 +7,7 @@ // Copyright 2015 André Guerreiro <aguerreiro1...@gmail.com> // Copyright 2015 André Esser <bepan...@hotmail.com> // Copyright 2017 Hans-Ulrich Jüttner <h...@froreich-bioscientia.de> -// Copyright 2017, 2018 Albert Astals Cid <aa...@kde.org> +// Copyright 2017-2019 Albert Astals Cid <aa...@kde.org> // Copyright 2018 Chinmoy Ranjan Pradhan <chinmoyr...@protonmail.com> // //======================================================================== @@ -124,7 +124,7 @@ void SignatureInfo::setSignerName(char *signerName) void SignatureInfo::setSubjectDN(const char *subjectDN) { free(subject_dn); - subject_dn = strdup(subjectDN); + subject_dn = subjectDN ? strdup(subjectDN) : nullptr; } void SignatureInfo::setLocation(const char *loc) diff --git a/utils/pdfsig.1 b/utils/pdfsig.1 index 0a5cc62..3567e96 100644 --- a/utils/pdfsig.1 +++ b/utils/pdfsig.1 @@ -15,13 +15,23 @@ the time and date of the signature, the hash algorithm used for signing, the type of the signature as stated in the PDF and the signed ranges with a statement wether the total document is signed. .PP -The signer certificate validation uses the trusted certificates stored in the following locations: +The signer certificate validation uses the trusted certificates stored in the +Network Security Services (NSS) Database. The NSS Database is searched for in the following locations: .IP \(bu -The NSS Certificate database in the default Firefox profile. +If the \-nssdir option is specified, the directory specified by this option. +.IP \(bu +The NSS Certificate database in the default Firefox profile. i.e. $HOME/.mozilla/firefox/*.default. .IP \(bu The NSS Certificate database in /etc/pki/nssdb. .SH OPTIONS .TP +.B \-nssdir "[prefix]directory" +Specify the database directory containing the certificate and key +database files. See certutil(1) -d option for details of the +prefix. If not specified the other search locations described in +.B DESCRIPTION +are used. +.TP .B \-nocert Do not validate the certificate. .TP @@ -52,3 +62,4 @@ and copyright 2005-2015 The Poppler Developers - http://poppler.freedesktop.org .BR pdftotext (1) .BR pdfseparate (1), .BR pdfunite (1) +.BR certutil (1) diff --git a/utils/pdfsig.cc b/utils/pdfsig.cc index b0e40e7..529ad0d 100644 --- a/utils/pdfsig.cc +++ b/utils/pdfsig.cc @@ -6,10 +6,10 @@ // // Copyright 2015 André Guerreiro <aguerreiro1...@gmail.com> // Copyright 2015 André Esser <bepan...@hotmail.com> -// Copyright 2015, 2017, 2018 Albert Astals Cid <aa...@kde.org> +// Copyright 2015, 2017-2019 Albert Astals Cid <aa...@kde.org> // Copyright 2016 Markus KilÃ¥s <digi...@markuspage.com> -// Copyright 2017 Hans-Ulrich Jüttner <h...@froreich-bioscientia.de> -// Copyright 2017 Adrian Johnson <ajohn...@redneon.com> +// Copyright 2017, 2019 Hans-Ulrich Jüttner <h...@froreich-bioscientia.de> +// Copyright 2017, 2019 Adrian Johnson <ajohn...@redneon.com> // Copyright 2018 Chinmoy Ranjan Pradhan <chinmoyr...@protonmail.com> // //======================================================================== @@ -32,6 +32,7 @@ #include "PDFDocFactory.h" #include "Error.h" #include "GlobalParams.h" +#include "SignatureHandler.h" #include "SignatureInfo.h" #include "Win32Console.h" #include "numberofcharacters.h" @@ -116,12 +117,15 @@ static void dumpSignature(int sig_num, int sigCount, FormWidgetSignature *sig_wi delete path; } +static GooString nssDir; static bool printVersion = false; static bool printHelp = false; static bool dontVerifyCert = false; static bool dumpSignatures = false; static const ArgDesc argDesc[] = { + {"-nssdir", argGooString, &nssDir, 0, + "path to directory of libnss3 database"}, {"-nocert", argFlag, &dontVerifyCert, 0, "don't perform certificate validation"}, {"-dump", argFlag, &dumpSignatures, 0, @@ -169,6 +173,8 @@ int main(int argc, char *argv[]) fileName = new GooString(argv[argc - 1]); + SignatureHandler::setNSSDir(nssDir); + // open PDF file doc = PDFDocFactory().createPDFDoc(*fileName, nullptr, nullptr); -- 2.20.1
# Buster amd64 qemu VM 2019-04-16 apt update apt dist-upgrade apt install dpkg-dev devscripts systemd-coredump mc colordiff gdb poppler-utils poppler-utils-dbgsym libpoppler82-dbgsym libnss3-dbgsym apt build-dep poppler mkdir /tmp/source/poppler/orig -p cd /tmp/source/poppler/orig apt source poppler cd wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=924050;filename=bar.pdf;msg=27"; -O bar.pdf gdb -q --args /usr/bin/pdfsig bar.pdf set width 0 set pagination off directory /tmp/source/poppler/orig/poppler-0.71.0 run ######### benutzer@debian:~$ gdb -q --args /usr/bin/pdfsig bar.pdf Reading symbols from /usr/bin/pdfsig...Reading symbols from /usr/lib/debug/.build-id/5f/ce5695b347676a643ad15d59bd7cd19e30360d.debug...done. done. (gdb) set width 0 (gdb) set pagination off (gdb) directory /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap Warning: /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap: Datei oder Verzeichnis nicht gefunden. Source directories searched: /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap:$cdir:$cwd (gdb) run Starting program: /usr/bin/pdfsig bar.pdf [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Digital Signature Info of: bar.pdf Internal Error (0): couldn't find default Firefox Folder Program received signal SIGSEGV, Segmentation fault. 0x00007ffff731bc84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847 847 pk11util.c: Datei oder Verzeichnis nicht gefunden. (gdb) bt #0 0x00007ffff731bc84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847 #1 0x00007ffff731c1fc in SECMOD_AddModule (newModule=0x5555555ca6b0) at pk11util.c:541 #2 SECMOD_AddModule (newModule=0x5555555ca6b0) at pk11util.c:519 #3 0x00007ffff731c2a0 in SECMOD_AddNewModuleEx (moduleName=0x7ffff7f46e7d "Root Certs", dllPath=0x7ffff7f46e6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695 #4 0x00007ffff7efb199 in SignatureHandler::SignatureHandler (this=0x7fffffffe1b0, p7=0x5555555bdc20 "\232\375\240\067\060\031\022\313\301:\227_\260\251\302Ή", p7_length=13680) at ./poppler/SignatureHandler.cc:136 #5 0x00007ffff7df5b16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5555555a07f0) at ./poppler/Form.cc:1722 #6 FormFieldSignature::validateSignature (this=0x5555555a07f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689 #7 0x0000555555556a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979 ########## apt install xserver-xorg lightdm openbox firefox-esr systemctl start lightdm export DISPLAY=:0 firefox& # and open it, now ".mozilla" exists ########## benutzer@debian:~$ strace -f /usr/bin/pdfsig bar.pdf 2>&1 | grep -E "/etc|\.mozilla" | grep -v ENOENT openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/home/benutzer/.mozilla/firefox/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/home/benutzer/.mozilla/firefox/fcj3gzah.default/pkcs11.txt", O_RDONLY) = 4 stat("/etc/passwd", {st_mode=S_IFREG|0644, st_size=1540, ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 4 access("/home/benutzer/.mozilla/firefox/fcj3gzah.default/cert9.db", F_OK) = 0 lstat("/home/benutzer/.mozilla/firefox/fcj3gzah.default/cert9.db", {st_mode=S_IFREG|0600, st_size=28672, ...}) = 0 openat(AT_FDCWD, "/home/benutzer/.mozilla/firefox/fcj3gzah.default/cert9.db", O_RDONLY|O_CLOEXEC) = 4 stat("/home/benutzer/.mozilla/firefox/fcj3gzah.default/cert9.db", {st_mode=S_IFREG|0600, st_size=28672, ...}) = 0 statfs("/home/benutzer/.mozilla/firefox/fcj3gzah.default/cert9.db", {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=4869796, f_bfree=4251199, f_bavail=3998067, f_files=1245184, f_ffree=1159260, f_fsid={val=[1006509210, 1119322840]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0 access("/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", F_OK) = 0 lstat("/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", {st_mode=S_IFREG|0600, st_size=36864, ...}) = 0 stat("/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", {st_mode=S_IFREG|0600, st_size=36864, ...}) = 0 openat(AT_FDCWD, "/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", O_RDONLY|O_CLOEXEC) = 5 stat("/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", {st_mode=S_IFREG|0600, st_size=36864, ...}) = 0 statfs("/home/benutzer/.mozilla/firefox/fcj3gzah.default/key4.db", {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=4869796, f_bfree=4251199, f_bavail=3998067, f_files=1245184, f_ffree=1159260, f_fsid={val=[1006509210, 1119322840]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 6 ########## benutzer@debian:~$ gdb -q --args /usr/bin/pdfsig bar.pdf Reading symbols from /usr/bin/pdfsig...Reading symbols from /usr/lib/debug/.build-id/5f/ce5695b347676a643ad15d59bd7cd19e30360d.debug...done. done. (gdb) set width 0 (gdb) set pagination off (gdb) directory /tmp/source/poppler/orig/poppler-0.71.0 Source directories searched: /tmp/source/poppler/orig/poppler-0.71.0:$cdir:$cwd (gdb) run Starting program: /usr/bin/pdfsig bar.pdf [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Digital Signature Info of: bar.pdf Internal Error (0): Input couldn't be parsed as a CMS signature Program received signal SIGSEGV, Segmentation fault. __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120 120 ../sysdeps/x86_64/multiarch/../strlen.S: Datei oder Verzeichnis nicht gefunden. (gdb) bt #0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120 #1 0x00007ffff7a1bfee in __GI___strdup (s=s@entry=0x0) at strdup.c:41 #2 0x00007ffff7e8340d in SignatureInfo::setSubjectDN (this=this@entry=0x5555555a3e80, subjectDN=0x0) at ./poppler/SignatureInfo.cc:127 #3 0x00007ffff7df3e19 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5555555a07f0) at ./poppler/Form.cc:1749 #4 FormFieldSignature::validateSignature (this=0x5555555a07f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689 #5 0x0000555555556a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979 (gdb) list SignatureInfo.cc:124,128 124 void SignatureInfo::setSubjectDN(const char *subjectDN) 125 { 126 free(subject_dn); 127 subject_dn = strdup(subjectDN); 128 } (gdb) print subjectDN $1 = 0x0 (gdb) print subject_dn $2 = 0x0 (gdb) up #3 0x00007ffff7df3e19 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5555555a07f0) at ./poppler/Form.cc:1749 1749 signature_info->setSubjectDN(signature_handler.getSignerSubjectDN()); (gdb) list Form.cc:1689,1766 1689 SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime) 1690 { 1691 #ifdef ENABLE_NSS3 1692 if (!signature_info->isSubfilterSupported()) { 1693 error(errUnimplemented, 0, "Unable to validate this type of signature"); 1694 return signature_info; 1695 } 1696 1697 if (signature_info->getSignatureValStatus() != SIGNATURE_NOT_VERIFIED && !forceRevalidation) { 1698 return signature_info; 1699 } 1700 1701 if (signature == nullptr) { 1702 error(errSyntaxError, 0, "Invalid or missing Signature string"); 1703 return signature_info; 1704 } 1705 1706 if (!byte_range.isArray()) { 1707 error(errSyntaxError, 0, "Invalid or missing ByteRange array"); 1708 return signature_info; 1709 } 1710 1711 int arrayLen = byte_range.arrayGetLength(); 1712 if (arrayLen < 2) { 1713 error(errSyntaxError, 0, "Too few elements in ByteRange array"); 1714 return signature_info; 1715 } 1716 1717 NSSCMSVerificationStatus sig_val_state; 1718 SECErrorCodes cert_val_state; 1719 const int signature_len = signature->getLength(); 1720 unsigned char *signatureuchar = (unsigned char *)gmalloc(signature_len); 1721 memcpy(signatureuchar, signature->getCString(), signature_len); 1722 SignatureHandler signature_handler(signatureuchar, signature_len); 1723 1724 Goffset fileLength = doc->getBaseStream()->getLength(); 1725 for (int i = 0; i < arrayLen/2; i++) { 1726 Object offsetObj = byte_range.arrayGet(i*2); 1727 Object lenObj = byte_range.arrayGet(i*2+1); 1728 1729 if (!offsetObj.isIntOrInt64() || !lenObj.isIntOrInt64()) { 1730 error(errSyntaxError, 0, "Illegal values in ByteRange array"); 1731 return signature_info; 1732 } 1733 1734 Goffset offset = offsetObj.getIntOrInt64(); 1735 Goffset len = lenObj.getIntOrInt64(); 1736 1737 if (offset < 0 || offset >= fileLength || len < 0 || len > fileLength || offset + len > fileLength) { 1738 error(errSyntaxError, 0, "Illegal values in ByteRange array"); 1739 return signature_info; 1740 } 1741 1742 doc->getBaseStream()->setPos(offset); 1743 hashSignedDataBlock(&signature_handler, len); 1744 } 1745 1746 sig_val_state = signature_handler.validateSignature(); 1747 signature_info->setSignatureValStatus(SignatureHandler::NSS_SigTranslate(sig_val_state)); 1748 signature_info->setSignerName(signature_handler.getSignerName()); 1749 signature_info->setSubjectDN(signature_handler.getSignerSubjectDN()); 1750 signature_info->setHashAlgorithm(signature_handler.getHashAlgorithm()); 1751 1752 // verify if signature contains a 'signing time' attribute 1753 if (signature_handler.getSigningTime() != 0) { 1754 signature_info->setSigningTime(signature_handler.getSigningTime()); 1755 } 1756 1757 if (sig_val_state != NSSCMSVS_GoodSignature || !doVerifyCert) { 1758 return signature_info; 1759 } 1760 1761 cert_val_state = signature_handler.validateCertificate(validationTime); 1762 signature_info->setCertificateValStatus(SignatureHandler::NSS_CertTranslate(cert_val_state)); 1763 1764 #endif 1765 return signature_info; 1766 } https://gitlab.freedesktop.org/poppler/poppler/commit/7486e4995d66f1a8676f3e65e408e8cdab049f6b ######### cd /tmp/source/poppler cp orig try1 -a cd try1 wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=924050;filename=a85c2ed8f4359341adb94887c4b551a761244fdb-adapted-to-debian.patch;msg=10"; -O a85c2ed8f4359341adb94887c4b551a761244fdb-adapted-to-debian.patch wget "https://gitlab.freedesktop.org/poppler/poppler/commit/7486e4995d66f1a8676f3e65e408e8cdab049f6b.patch"; -O 7486e4995d66f1a8676f3e65e408e8cdab049f6b.patch cd poppler-0.71.0 git init git config user.name "..." git config user.email "..." git add . git commit -m "Initial commit" ... cd /tmp/source/poppler cp orig try1 -a cd try4/poppler-0.71.0 patch -p1 < ../../try1/a85c2ed8f4359341adb94887c4b551a761244fdb-adapted-to-debian.patch patch -p1 < ../../try1/7486e4995d66f1a8676f3e65e408e8cdab049f6b-adapted-to-debian.patch dpkg-buildpackage -b dpkg -i /tmp/source/poppler/try4/{libpoppler82,libpoppler82-dbgsym,poppler-utils,poppler-utils-dbgsym}_0.71.0-3_amd64.deb benutzer@debian:~$ /usr/bin/pdfsig bar.pdf Digital Signature Info of: bar.pdf Internal Error (0): Input couldn't be parsed as a CMS signature Signature #1: - Signer Certificate Common Name: (null) - Signer full Distinguished Name: (null) - Signing Time: Mar 08 2019 11:10:19 - Signing Hash Algorithm: unknown - Signature Type: adbe.pkcs7.detached - Signed Ranges: [0 - 12877], [40303 - 123158] - Total document signed - Signature Validation: Unknown Validation Failure.
