[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-10-29 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Xisco Faulí  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |filter:pdf
             Blocks|                            |103378


Referenced Bugs:

https://bugs.documentfoundation.org/show_bug.cgi?id=103378
[Bug 103378] [META] PDF export bugs and enhancements
-- 
You are receiving this mail because:
You are the assignee for the bug.
___
Libreoffice-bugs mailing list
Libreoffice-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs


[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-08-03 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #11 from Daniel Miranda  ---
By the way, it does not seem to be an issue specific to PDF/A, but to all
signed PDF exports.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-08-03 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #10 from Daniel Miranda  ---
Hi, I am seeing the same problem here and the culprit seems to be this line in
LibreOffice's source code:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7188


The following line:
 aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_RSA_SHA1RSA);
Should probably read:
 aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_OIWSEC_sha1);


I have traced that path from the pdfexport.cxx code, which creates an aContext
structure and creates a pPDFWriter object at:

https://cgit.freedesktop.org/libreoffice/core/tree/filter/source/pdf/pdfexport.cxx#n787

The implementation of the code that does the actual signing is in
pdfwriter_impl.cxx and creates the aSignerInfo structure of type
CMSG_SIGNER_ENCODE_INFO, documented in

https://msdn.microsoft.com/pt-br/library/aa925156.aspx

The specific field that is set is aSignerInfo.HashAlgorithm.pszObjId, which is
documented at:

https://msdn.microsoft.com/pt-br/library/office/aa381133.aspx.

The value currently in the code is:
 szOID_RSA_SHA1RSA
 "1.2.840.113549.1.1.5"
 which is NOT a digest algorithm, but an encryption and signing algorithm.

The likely value for that should be:
 szOID_OIWSEC_sha1
 "1.3.14.3.2.26"

Or, while we are at that, upgrade the algorithm to a more modern one not
relying on sha1. It should have minor performance impact:
 szOID_NIST_sha256
 "2.16.840.1.101.3.4.2.1"
 or
 szOID_NIST_sha512
 "2.16.840.1.101.3.4.2.3" 


Other parts of the file should also be updated:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7159
 (although it seems the aPara structure is not actually being used anywhere
else)

CAVEAT:
  1. I am not familiar with LibreOffice's codebase, please check if these two
lines are really all it takes.
  2. The digest algorithm upgrade seems to be a bit more complex than a fix for
this bug, it requires changes in other parts of the file. Nonetheless, I think
this is a wonderful time to do it, since sha1 is showing its age. Bruce
Schneier blogged in 2005 - 11 years ago - that it was no longer safe even then.
See https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

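The mismatch described in comment #10 can be checked on the output side: the digestAlgorithm field of a CMS SignerInfo should carry a digest OID, not a signature OID. The following is an added example, not LibreOffice code; the function names are its own, and the two byte arrays are constructed SignerInfo fragments, not data from the attached PDFs.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
struct Tlv { uint8_t tag; const uint8_t* val; size_t len; };
// Read one DER element at p and advance p past it; false on malformed input.
static bool next_tlv(const uint8_t*& p, const uint8_t* end, Tlv& t) {
    if (end - p < 2) return false;
    t.tag = *p++; size_t len = *p++;
    if (len & 0x80) {  // long form: the next n bytes hold the length
        size_t n = len & 0x7F; len = 0;
        if (n == 0 || n > 4 || size_t(end - p) < n) return false;
        while (n--) len = (len << 8) | *p++;
    }
    if (size_t(end - p) < len) return false;
    t.val = p; t.len = len; p += len; return true;
}
// Decode DER OID content bytes to dotted notation.
static std::string oid_to_string(const uint8_t* p, size_t n) {
    std::string out; unsigned long v = 0;
    for (size_t i = 0; i < n; ++i) {
        v = (v << 7) | (p[i] & 0x7F);
        if (p[i] & 0x80) continue;              // more base-128 digits follow
        unsigned long a = v < 80 ? v / 40 : 2;  // first sub-identifier packs two arcs
        if (out.empty()) out = std::to_string(a) + "." + std::to_string(v - 40 * a);
        else out += "." + std::to_string(v);
        v = 0;
    }
    return out;
}
// digestAlgorithm OID of a DER SignerInfo (RFC 5652), or "" if malformed.
std::string signer_digest_oid(const std::vector<uint8_t>& der) {
    const uint8_t* p = der.data(); Tlv si, f, oid;
    if (!next_tlv(p, p + der.size(), si) || si.tag != 0x30) return "";
    p = si.val; const uint8_t* end = si.val + si.len;
    if (!next_tlv(p, end, f) || f.tag != 0x02 || !next_tlv(p, end, f)) return "";  // version, then sid
    if (!next_tlv(p, end, f) || f.tag != 0x30) return "";  // digestAlgorithm
    p = f.val;
    return next_tlv(p, f.val + f.len, oid) && oid.tag == 0x06 ? oid_to_string(oid.val, oid.len) : "";
}
// True for the three digest OIDs named in comment #10 (SHA-1, SHA-256, SHA-512).
bool is_digest_oid(const std::string& o) {
    return o == "1.3.14.3.2.26" || o == "2.16.840.1.101.3.4.2.1" || o == "2.16.840.1.101.3.4.2.3";
}
// Constructed SignerInfo fragments (version, sid, digestAlgorithm only), not from a real PDF.
const std::vector<uint8_t> kBuggy = {0x30,0x15,0x02,0x01,0x03,0x80,0x01,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00};
const std::vector<uint8_t> kFixed = {0x30,0x11,0x02,0x01,0x03,0x80,0x01,0x01,0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00};
int main() {
    for (const auto& s : {kBuggy, kFixed}) std::printf("%s\n", signer_digest_oid(s).c_str());
}
```
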


[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #9 from Luis C. Serpa  ---
Ok, thanx in advance. 
No problem it's only the pub key, to show that the algorithm field looks ok.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Tor Lillqvist  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #8 from Tor Lillqvist  ---
Thanks. No promises when I (or somebody) will have time to take a look, but the
new information seems useful. If that is your real certificate, are you sure
you should make that publicly available?



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #7 from Luis C. Serpa  ---
I attached some additional files; hope it will help to identify the problem.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Luis C. Serpa  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #124365|0                           |1
        is obsolete|                            |

--- Comment #6 from Luis C. Serpa  ---
Created attachment 125809
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125809&action=edit
Certificate

The certification I used. This is a Brazilian official CA (www.serpro.gov.br)  
issued certificate, used on many other applications w/o a problem.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #5 from Luis C. Serpa  ---
Created attachment 125806
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125806&action=edit
The same PDF/A signed by our internal java signer.

The same PDF/A file, exported unsigned and signed by our internal java signer.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #4 from Luis C. Serpa  ---
Created attachment 125805
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125805&action=edit
The signed PDF/A file.

The signed PDF/A file exported by LO that causes the problem.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #3 from Luis C. Serpa  ---
Created attachment 125804
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125804&action=edit
A snapshot of Acrobat Reader warnings

A snapshot of Acrobat Reader DC showing a page modification warning on the same
PDF/A signed (and untouched) file.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #2 from Luis C. Serpa  ---
Created attachment 125803
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125803&action=edit
java error messages displayed on our internal document system

The java error messages displayed on our internal document system when I upload
any LO exported PDF/A file with my signature.



[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

2016-06-21 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Tor Lillqvist  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEEDINFO
     Ever confirmed|0                           |1

--- Comment #1 from Tor Lillqvist  ---
Where do you see the SBA1WITHRSA? And do you have some comparable PDF signed by
some other application where you instead see SHA1?
