> -----Original Message----- > From: Damjan Jovanovic [mailto:dam...@apache.org] > Sent: Tuesday, March 29, 2016 02:30 > To: Apache OO <dev@openoffice.apache.org> > Subject: Re: Release Manager for 4.2.0? [ ... ] > > Let's rather research where AOO uses openssl instead of guessing. > > I find the use of openssl for document encryption and signing highly > unlikely, as NSS was used there to make use of Firefox's root CA > certificates, and allow configuring personal digital signatures using > the Firefox GUI. [orcmid]
I am confident that is not the case for Windows, where the OS certificate store is used for private keys and for managing them, such as choosing their email usage. Whether an NSS library is in the path in any manner is unclear. I operate on configurations that do not have Firefox installed. > > So which modules use openssl? > > $ grep openssl */prj/build.lst > oox/prj/build.lst:oox oox : vos cppu cppuhelper comphelper sal > offapi sax basegfx xmlscript tools vcl BOOST:boost OPENSSL:openssl > LIBXSLT:libxslt NULL > openssl/prj/build.lst:ssl openssl : soltools external EXPAT:expat > NULL > openssl/prj/build.lst:ssl openssl usr1 - all > ssl_mkout NULL > openssl/prj/build.lst:ssl openssl nmake - all > ssl_openssl NULL > python/prj/build.lst:py python : SO:so_prereq solenv > OPENSSL:openssl NULL > redland/prj/build.lst:rld redland : stlport soltools > LIBXML2:libxml2 LIBXSLT:libxslt OPENSSL:openssl NULL > ucb/prj/build.lst:uc ucb : cppuhelper CURL:curl OPENSSL:openssl > LIBXML2:libxml2 LIBXSLT:libxslt offapi sal salhelper ucbhelper udkapi > comphelper SERF:serf tools NULL > > Eliminating the openssl module itself from the above results, we have > dependencies to it in oox, python, redland, and ucb. > > Oox (used for OOXML, not ODF) uses it in the short > lclCheckEncryptionData() function to detect encryption. It uses it > exclusively for AES crypto. > > Python could use it for just about anything, but we don't care because > Python is itself optional. > > Redland is an RDF library. It is used by unoxml. Not sure for what. [orcmid] There are some manifest.rdf files included as boilerplate in ODF 1.2 packages. They are produced automatically. I don't think they are consumed in any manner, but they might be parsed anyhow [;<). They are included in signed packages and they are encrypted in encrypted packages. They have no dependency in the ODF specification. So far, they are there for mining of document metadata by external products. PS: Handling of external entities in XML files can lead to use of internet transport. Not certain what the use case might be. It is not something that would be done with AOO-created XML inside ODF. PPS: The access to external components from within ODF documents can involve Internet transport. Won't this exercise the dependency from CURL that Don Lewis mentions? > > Ucb apparently uses it for webdav. It doesn't call openssl APIs, but > links to openssl because it uses serf. [orcmid] WebDAV servers can require negotiation of HTTP authentication. That may be the reason for this. WebDAV protocol is atop HTTP. > > Serf needs openssl and is only used by ucb. > > Damjan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
