[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Xisco Faulí changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |filter:pdf
             Blocks|                            |103378

Referenced Bugs:

https://bugs.documentfoundation.org/show_bug.cgi?id=103378
[Bug 103378] [META] PDF export bugs and enhancements

--
You are receiving this mail because:
You are the assignee for the bug.
___
Libreoffice-bugs mailing list
Libreoffice-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #11 from Daniel Miranda ---
By the way, it does not seem to be an issue specific to PDF/A, but to all signed PDF exports.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #10 from Daniel Miranda ---
Hi,

I am seeing the same problem here and the culprit seems to be this line in LibreOffice's source code:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7188

The following line:

    aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_RSA_SHA1RSA);

Should probably read:

    aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_OIWSEC_sha1);

I have traced that path from the pdfexport.cxx code, which creates an aContext structure and creates a pPDFWriter object at:

https://cgit.freedesktop.org/libreoffice/core/tree/filter/source/pdf/pdfexport.cxx#n787

The implementation of the code that does the actual signing is in pdfwriter_impl.cxx and creates the aSignerInfo structure of type CMSG_SIGNER_ENCODE_INFO, documented in https://msdn.microsoft.com/pt-br/library/aa925156.aspx

The specific field that is set is aSignerInfo.HashAlgorithm.pszObjId, which is documented at: https://msdn.microsoft.com/pt-br/library/office/aa381133.aspx.

The value currently in the code is:

    szOID_RSA_SHA1RSA "1.2.840.113549.1.1.5"

which is NOT a digest algorithm, but an encryption and signing algorithm.

The likely value for that should be:

    szOID_OIWSEC_sha1 "1.3.14.3.2.26"

Or, while we are at that, upgrade the algorithm to a more modern one not relying on sha1. It should have minor performance impact:

    szOID_NIST_sha256 "2.16.840.1.101.3.4.2.1"

or

    szOID_NIST_sha512 "2.16.840.1.101.3.4.2.3"

Other parts of the file should also be updated:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7159

(although it seems the aPara structure is not actually being used anywhere else)

CAVEAT:

1. I am not familiar with LibreOffice's codebase, please check if these two lines are really all it takes.
2. The digest algorithm upgrade seems to be a bit more complex than a fix for this bug, it requires changes in other parts of the file.

Nonetheless, I think this is a wonderful time to do it, since sha1 is showing its age. Bruce Schneier blogged in 2005 - 11 years ago - that it was no longer safe even then. See https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
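As an added illustration of the mismatch described in comment #10 (not code from LibreOffice or from the commenter): a portable C++ check that decodes the OID of a DER AlgorithmIdentifier and reports whether it names a message digest. The function names and the sample byte strings are constructed for this example, and only short-form DER lengths are handled.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Decode DER OBJECT IDENTIFIER content octets der[pos, pos+len) to dotted form.
std::string decodeOid(const std::vector<uint8_t>& der, size_t pos, size_t len) {
    std::string out;
    uint64_t arc = 0;
    for (size_t i = pos; i < pos + len; ++i) {
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80) continue;              // more base-128 digits follow
        uint64_t top = arc < 80 ? arc / 40 : 2;   // first subidentifier packs two arcs
        out += out.empty() ? std::to_string(top) + "." + std::to_string(arc - top * 40)
                           : "." + std::to_string(arc);
        arc = 0;
    }
    return out;
}

// Return the OID of a DER AlgorithmIdentifier (short-form lengths only).
std::string algorithmOid(const std::vector<uint8_t>& der) {
    if (der.size() < 4 || der[0] != 0x30 || der[2] != 0x06 ||
        (der[1] & 0x80) || (der[3] & 0x80) ||
        size_t(der[1]) + 2 > der.size() || size_t(der[3]) + 2 > der[1])
        throw std::runtime_error("not a short-form AlgorithmIdentifier");
    return decodeOid(der, 4, der[3]);
}

// True only for the message-digest OIDs quoted in comment #10.
bool isDigestAlgorithm(const std::string& oid) {
    static const std::set<std::string> digests = {
        "1.3.14.3.2.26",            // szOID_OIWSEC_sha1
        "2.16.840.1.101.3.4.2.1",   // szOID_NIST_sha256
        "2.16.840.1.101.3.4.2.3",   // szOID_NIST_sha512
    };
    return digests.count(oid) != 0; // 1.2.840.113549.1.1.5 (szOID_RSA_SHA1RSA) is rejected
}

// Constructed AlgorithmIdentifier samples (OID + NULL parameters), not from the bug's attachments.
const std::vector<uint8_t> kSha1WithRsa = {0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00};
const std::vector<uint8_t> kSha1 = {0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00};

int main() {
    for (const auto* id : {&kSha1WithRsa, &kSha1})
        std::printf("%s digest=%d\n", algorithmOid(*id).c_str(), isDigestAlgorithm(algorithmOid(*id)));
}
```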
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #9 from Luis C. Serpa ---
Ok, thanks in advance. No problem, it's only the pub key, to show that the algorithm field looks ok.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Tor Lillqvist changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #8 from Tor Lillqvist ---
Thanks. No promises when I (or somebody) will have time to take a look, but the new information seems useful.

If that is your real certificate, are you sure you should make that publicly available?
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #7 from Luis C. Serpa ---
I attached some additional files; hope it will help to identify the problem.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Luis C. Serpa changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #124365|0                           |1
        is obsolete|                            |

--- Comment #6 from Luis C. Serpa ---
Created attachment 125809
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125809=edit
Certificate

The certification I used. This is a Brazilian official CA (www.serpro.gov.br) issued certificate, used on many other applications w/o a problem.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #5 from Luis C. Serpa ---
Created attachment 125806
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125806=edit
The same PDF/A signed by our internal java signer.

The same PDF/A file, exported unsigned and signed by our internal java signer.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #4 from Luis C. Serpa ---
Created attachment 125805
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125805=edit
The signed PDF/A file.

The signed PDF/A file exported by LO that causes the problem.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #3 from Luis C. Serpa ---
Created attachment 125804
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125804=edit
A snapshot of Acrobat Reader warnings

A snapshot of Acrobat Reader DC showing a page modification warning on the same PDF/A signed (and untouched) file.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #2 from Luis C. Serpa ---
Created attachment 125803
  --> https://bugs.documentfoundation.org/attachment.cgi?id=125803=edit
java error messages displayed on our internal document system

The java error messages displayed on our internal document system when I upload any LO exported PDF/A file with my signature.
[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export
https://bugs.documentfoundation.org/show_bug.cgi?id=99327

Tor Lillqvist changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEEDINFO
     Ever confirmed|0                           |1

--- Comment #1 from Tor Lillqvist ---
Where do you see the SBA1WITHRSA? And do you have some comparable PDF signed by some other application where you instead see SHA1?