xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 1 xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 1 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 5 xmlsecurity/qa/unit/signing/signing.cxx | 136 +++++++++++++++++++++- 4 files changed, 141 insertions(+), 2 deletions(-)
New commits: commit 00458c35c179a9f6f9b2af54b32b6dcf6cd98104 Author: Thorsten Behrens <[email protected]> AuthorDate: Tue Dec 17 16:07:41 2024 +0100 Commit: Thorsten Behrens <[email protected]> CommitDate: Tue Dec 17 16:07:41 2024 +0100 Revert "Disable macro signature tests temporarily" This reverts commit 730d068ea892f00e953cc090077ba95349a887c9. diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index 28f889b53ff0..07ccfd572e3f 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx 
@@ -1363,6 +1363,137 @@ CPPUNIT_TEST_FIXTURE(SigningTest, testPreserveMacroTemplateSignature12_ODF) } } +/// Test if a macro signature from an OTT 1.0 is dropped for ODT 1.2 +CPPUNIT_TEST_FIXTURE(SigningTest, testDropMacroTemplateSignature) +{ + const OUString aURL(createFileURL(u"tdf42316.ott")); + const OUString sLoadMessage = "loading failed: " + aURL; + + // load the template as-is to validate signatures + mxComponent = loadFromDesktop( + aURL, OUString(), comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + + // we are a template, and have a non-invalid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + // create new document from template + load(aURL); + CPPUNIT_ASSERT_MESSAGE(OUStringToOString(sLoadMessage, RTL_TEXTENCODING_UTF8).getStr(), + mxComponent.is()); + + // we are somehow a template (?), and have just a valid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + // save as new ODT document + saveAndReload(u"writer8"_ustr); + + // the loaded document is a 1.2 ODT without any signatures + assertDocument(CPPUNIT_SOURCELINE(), u"writer8"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOSIGNATURES, ODFVER_013_TEXT); + + // load the template as-is to validate signatures + mxComponent->dispose(); + mxComponent = loadFromDesktop( + aURL, OUString(), comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + + // we are a template, and have a non-invalid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + // save as new OTT template + save(u"writer8_template"_ustr); + + // load the template as-is to validate signatures + mxComponent->dispose(); + mxComponent + = 
loadFromDesktop(maTempFile.GetURL(), OUString(), + comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + + // the loaded document is a 1.2 OTT without any signatures + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOSIGNATURES, ODFVER_013_TEXT); +} + +/// Test if a macro signature from a OTT 1.0 template is preserved for ODT 1.0 +CPPUNIT_TEST_FIXTURE(SigningTest, testPreserveMacroTemplateSignature10) +{ + // set ODF version 1.0 / 1.1 as default + Resetter _([]() { + std::shared_ptr<comphelper::ConfigurationChanges> pBatch( + comphelper::ConfigurationChanges::create()); + officecfg::Office::Common::Save::ODF::DefaultVersion::set(3, pBatch); + return pBatch->commit(); + }); + std::shared_ptr<comphelper::ConfigurationChanges> pBatch( + comphelper::ConfigurationChanges::create()); + officecfg::Office::Common::Save::ODF::DefaultVersion::set(2, pBatch); + pBatch->commit(); + + const OUString aFormats[] = { u"writer8"_ustr, u"writer8_template"_ustr }; + + for (OUString const& sFormat : aFormats) + { + const OUString aURL(createFileURL(u"tdf42316.ott")); + const OUString sLoadMessage = "loading failed: " + aURL; + + // load the template as-is to validate signatures + mxComponent = loadFromDesktop( + aURL, OUString(), + comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + + // we are a template, and have a non-invalid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + // create new document from template + load(aURL); + CPPUNIT_ASSERT_MESSAGE(OUStringToOString(sLoadMessage, RTL_TEXTENCODING_UTF8).getStr(), + mxComponent.is()); + + // we are somehow a template (?), and have just a valid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + // FIXME: Error: 
element "manifest:manifest" is missing "version" attribute + skipValidation(); + + if (sFormat == "writer8") + // save as new ODT document + saveAndReload(sFormat); + else + { + // save as new OTT template + save(u"writer8_template"_ustr); + + // load the saved OTT template as-is to validate signatures + mxComponent->dispose(); + mxComponent = loadFromDesktop( + maTempFile.GetURL(), OUString(), + comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + } + + assertDocument(CPPUNIT_SOURCELINE(), sFormat, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + save(u"writer8_template"_ustr); + + // load the template as-is to validate signatures + mxComponent->dispose(); + mxComponent = loadFromDesktop( + maTempFile.GetURL(), OUString(), + comphelper::InitPropertySequence({ { "AsTemplate", uno::Any(false) } })); + + // the loaded document is a OTT with a non-invalid macro signature + assertDocument(CPPUNIT_SOURCELINE(), u"writer8_template"_ustr, SignatureState::NOSIGNATURES, + SignatureState::NOTVALIDATED, OUString()); + + mxComponent->dispose(); + mxComponent.clear(); + } +} + #endif void SigningTest::registerNamespaces(xmlXPathContextPtr& pXmlXpathCtx) commit 12877265533836aa52ab55568960a85feb3de92f Author: Michael Stahl <[email protected]> AuthorDate: Tue Dec 17 13:41:33 2024 +0100 Commit: Thorsten Behrens <[email protected]> CommitDate: Tue Dec 17 16:06:57 2024 +0100 xmlsecurity: fix tests to run with system NSS on Fedora 40 testDropMacroTemplateSignature fails printing this: warn:xmlsecurity.xmlsec:3511616:3511616:xmlsecurity/source/xmlsec/errorcallback.cxx:53: signatures.c:599: xmlSecNssSignatureSetKey() 'rsa-sha1' 'VFY_CreateContext' 4 'NSS error: -8011' because policy sets NSS_RSA_MIN_KEY_SIZE to 2048. 
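Review bot: Several comments in the re-enabled tests in signing.cxx do not match what the assertions pin, which makes the expected macro-signature behaviour hard to audit. In both testDropMacroTemplateSignature and testPreserveMacroTemplateSignature10, `// we are somehow a template (?), and have just a valid macro signature` sits directly above an assertDocument call that expects `SignatureState::NOTVALIDATED`. In testDropMacroTemplateSignature the "1.2 ODT" and "1.2 OTT" comments sit above checks for `ODFVER_013_TEXT`. I would reword them to the asserted values, for example `// still reported as a template; macro signature state is NOTVALIDATED, not OK` and `// the reloaded document reports ODFVER_013_TEXT and carries no signatures`.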
testPDFGood fails printing this: warn:svl.crypto:3587940:3587940:svl/source/crypto/cryptosign.cxx:1941: ValidateSignature: message is not signed warn:xmlsecurity.helper:3587940:3587940:xmlsecurity/source/helper/pdfsignaturehelper.cxx:482: failed to determine digest match because enabling SEC_OID_SHA1 for NSS_USE_ALG_IN_ANY_SIGNATURE doesn't enable it for SMIME signatures, so smime_allowed_by_policy() fails - obviously one has to use NSS_USE_ALG_IN_SIGNATURE to enable it in any signature. Change-Id: I59ffaf0994eee6b51362fd3296f61465d0fc7903 (cherry picked from commit a7b7b00b78426bff8607c77106ea62dd213f0821) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178663 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]>
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index 667acc97e3e1..67ba9ec124fa 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -38,6 +38,7 @@ ifneq ($(OS),WNT)
 ifneq (,$(ENABLE_NSS))
 $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
 nssutil3 \
+ nss3 \
 ))
 endif
 endif
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 37d1c2a7dea7..87dae0916902 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -43,6 +43,7 @@ ifneq ($(OS),WNT)
 ifneq (,$(ENABLE_NSS))
 $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
 nssutil3 \
+ nss3 \
 ))
 endif
 endif
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 9d774735d30c..6f0636a9e5e1 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -13,6 +13,7 @@
 #if USE_CRYPTO_NSS
 #include <secoid.h>
+#include <nss.h>
 #endif
 #include <string_view>
@@ -80,7 +81,9 @@ void PDFSigningTest::setUp()
 #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
 // policy may disallow using SHA1 for signatures but unit test documents
 // have such existing signatures (call this after createSecurityContext!)
- NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+ NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0);
+ // the minimum is 2048 in Fedora 40
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
 #endif
 #endif
 }
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index f624aa52a31f..28f889b53ff0 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -15,6 +15,7 @@
 #if USE_CRYPTO_NSS
 #include <secoid.h>
+#include <nss.h>
 #endif
 #include <test/unoapixml_test.hxx>
@@ -104,7 +105,9 @@ void SigningTest::setUp()
 #ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
 // policy may disallow using SHA1 for signatures but unit test documents
 // have such existing signatures (call this after createSecurityContext!)
- NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+ NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SIGNATURE, 0);
+ // the minimum is 2048 in Fedora 40
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
 #endif
 #endif
 }
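Review bot: Both NSS calls in PDFSigningTest::setUp() discard their SECStatus result, so if the system policy refuses the override (NSS can reject changes when the policy is locked, as far as I know) the tests would fail later with the same opaque verification warnings quoted in the commit message. Checking the result, e.g. `CPPUNIT_ASSERT(NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024) == SECSuccess);` and likewise for `NSS_SetAlgorithmPolicy`, would make the cause visible at setup time. The same applies to the identical change in SigningTest::setUp() in signing.cxx. The new comment could also say why 1024 is chosen and that the relaxation is test-only, e.g. `// test documents presumably carry RSA keys below the 2048-bit policy minimum; relax for this test process only`. Both setUp() bodies start outside their hunks, so I cannot see whether an earlier check already covers this.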
