external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 | 68 ++++++++++ external/xmlsec/UnpackedTarball_xmlsec.mk | 1 2 files changed, 69 insertions(+)
New commits: commit 166639226a9a8383a0cd58c0030982399c5d90e0 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Apr 7 17:00:43 2021 +0200 Commit: Thorsten Behrens <thorsten.behr...@allotropia.de> CommitDate: Thu Apr 8 01:51:53 2021 +0200 xmlsec: fix signing documents on WNT Duplicate ds:X509Certificate elements cause: warn:xmlsecurity.comp:9604:3820:xmlsecurity/source/helper/xmlsignaturehelper.cxx:658: X509Data do not form a chain: certificate in cycle: (regression from 5af5ea893bcb8a8eb472ac11133da10e5a604e66) Change-Id: I3d319a2f74dbec17b73f1c7bb8f4efe4e335f0ac Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113746 Tested-by: Mike Kaganski <mike.kagan...@collabora.com> Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit ae08aa8a095832ae2a88eac14f9680ac8d3a13b6) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113752 Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> diff --git a/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 b/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 new file mode 100644 index 000000000000..51607ca6ee73 --- /dev/null +++ b/external/xmlsec/0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 @@ -0,0 +1,68 @@ +From a39b110cb2c25680259a38b2f397b350151bc6e7 Mon Sep 17 00:00:00 2001 +From: Michael Stahl <michael.st...@allotropia.de> +Date: Wed, 7 Apr 2021 16:43:48 +0200 +Subject: [PATCH] xmlSecX509DataGetNodeContent(): don't return 0 for non-empty + elements + +LibreOffice wants to write the content of KeyInfo itself and thus writes +X509Certificate element with content. + +But then xmlSecMSCngKeyDataX509XmlWrite() writes a duplicate +X509Certificate element, which then makes a new additional consistency +check in LO unhappy. + +The duplicate is written because xmlSecX509DataGetNodeContent() returns +0 because it only checks for empty nodes; if there are only non-empty +nodes a fallback to XMLSEC_X509DATA_DEFAULT occurs in all backends. + +Change the return value to be non-0 without changing the signature of +the function, as it is apparently public. + +This doesn't happen in LO in the NSS backend due to another accident, +where the private key flag isn't set when the X509Certificate is read, +but otherwise the code is the same. +--- + src/x509.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/x509.c b/src/x509.c +index ed8788ae..dac8bd2b 100644 +--- a/src/x509.c ++++ b/src/x509.c +@@ -60,22 +60,33 @@ xmlSecX509DataGetNodeContent (xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + if(xmlSecCheckNodeName(cur, xmlSecNodeX509Certificate, xmlSecDSigNs)) { + if(xmlSecIsEmptyNode(cur) == 1) { + content |= XMLSEC_X509DATA_CERTIFICATE_NODE; ++ } else { ++ /* ensure return value isn't 0 if there are non-empty elements */ ++ content |= (XMLSEC_X509DATA_CERTIFICATE_NODE << 16); + } + } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SubjectName, xmlSecDSigNs)) { + if(xmlSecIsEmptyNode(cur) == 1) { + content |= XMLSEC_X509DATA_SUBJECTNAME_NODE; ++ } else { ++ content |= (XMLSEC_X509DATA_SUBJECTNAME_NODE << 16); + } + } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerSerial, xmlSecDSigNs)) { + if(xmlSecIsEmptyNode(cur) == 1) { + content |= XMLSEC_X509DATA_ISSUERSERIAL_NODE; ++ } else { ++ content |= (XMLSEC_X509DATA_ISSUERSERIAL_NODE << 16); + } + } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SKI, xmlSecDSigNs)) { + if(xmlSecIsEmptyNode(cur) == 1) { + content |= XMLSEC_X509DATA_SKI_NODE; ++ } else { ++ content |= (XMLSEC_X509DATA_SKI_NODE << 16); + } + } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509CRL, xmlSecDSigNs)) { + if(xmlSecIsEmptyNode(cur) == 1) { + content |= XMLSEC_X509DATA_CRL_NODE; ++ } else { ++ content |= (XMLSEC_X509DATA_CRL_NODE << 16); + } + } else { + /* todo: fail on unknown child node? */ +-- +2.30.2 + diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk index e4d092bef019..76293fe31e42 100644 --- a/external/xmlsec/UnpackedTarball_xmlsec.mk +++ b/external/xmlsec/UnpackedTarball_xmlsec.mk @@ -8,6 +8,7 @@ # xmlsec_patches := +xmlsec_patches += 0001-xmlSecX509DataGetNodeContent-don-t-return-0-for-non-.patch.1 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec)) _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits