[Bug 740506]
Thanks Albert for merging it. Yes it's not finished and I'm intending to pick up last summer's work on the glib frontend part. I agree that we should close this bug and open specific ones to track the frontend development or any other issue we find with the core code. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1085526]
Thanks Albert for merging it. Yes it's not finished and I'm intending to pick up last summer's work on the glib frontend part. I agree that we should close this bug and open specific ones to track the frontend development or any other issue we find with the core code. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1085526 Title: ubuntu pdf doc viewer will not let me sign a document To manage notifications about this bug go to: https://bugs.launchpad.net/poppler/+bug/1085526/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1085526]
I'm in favour of Adrian's patch. It's an improvement with additional sanity checks on the ByteRange values. Indeed I tried to see if you could check if a given ByteRange covers the whole document and also found no easy way to do it with existing poppler functions/APIs.
[Bug 740506]
Created attachment 120992
Load NSS root certs module

This change is needed to actually do certificate validation, because as it is NSS is trying to load the module which contains all the builtin root certs from the Firefox profile directory where it is usually missing. This way it will load the module from a system library directory.
[Bug 1085526]
Created attachment 120992
Load NSS root certs module

This change is needed to actually do certificate validation, because as it is NSS is trying to load the module which contains all the builtin root certs from the Firefox profile directory where it is usually missing. This way it will load the module from a system library directory.
[Bug 740506]
I'm in favour of Adrian's patch. It's an improvement with additional sanity checks on the ByteRange values. Indeed I tried to see if you could check if a given ByteRange covers the whole document and also found no easy way to do it with existing poppler functions/APIs.
[Bug 1085526]
Created attachment 120434
Improve robustness of SignatureHandler::validateCertificate

This patch adds additional NULL-checking in SignatureHandler::validateCertificate() which avoids segfault for some signatures like the one contained here: http://www.gpo.gov/fdsys/pkg/BUDGET-2015-BUD/pdf/BUDGET-2015-BUD.pdf

It also removes a useless branch in validateCertificate()
[Bug 740506]
Created attachment 120434
Improve robustness of SignatureHandler::validateCertificate

This patch adds additional NULL-checking in SignatureHandler::validateCertificate() which avoids segfault for some signatures like the one contained here: http://www.gpo.gov/fdsys/pkg/BUDGET-2015-BUD/pdf/BUDGET-2015-BUD.pdf

It also removes a useless branch in validateCertificate()
[Bug 740506]
Created attachment 119283
Manpage improvement

Here's an improvement to the manpage. Corrected a typo and added some missing context
[Bug 740506]
(In reply to Adrian Johnson from comment #79)
> + r_values[0] = r2.isInt64() ? r2.getInt64() : r2.getInt(); > + r_values[1] = r3.isInt64() ? r3.getInt64() : r3.getInt(); > + r_values[2] = r4.isInt64() ? r4.getInt64() : r4.getInt();
>
> According to the PDF Reference, the ByteRange array contains pairs of
> (offset,length).
>
> Why do we ignore the first offset and later assume it is 0? Why do we assume
> there are exactly two pairs?
>
> I only skimmed over the digital signatures section so maybe I missed
> something.

Actually the PDF spec allows for more than 2 pairs of values in /ByteRange but it would mean that there is more than one gap in the signed data apart from the signature itself.

Quoting from ISO 32000-1 section 12.8.1: "This range should be the entire file, including the signature dictionary but excluding the signature value itself (the Contents entry). Other ranges may be used but since they do not check for all changes to the document, their use is not recommended."

Obviously in a file with multiple signatures each signature should cover the latest revision present in the file when the signature was appended.
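Review bot: in the quoted hunk, each of the three assignments falls back to getInt() whenever isInt64() is false, and the visible lines show no check that r2, r3 and r4 are integers at all; test isInt() || isInt64() on each and reject the signature otherwise. Only three values are stored in r_values, so the first offset is never examined: read it as well, and either handle a /ByteRange with a different number of entries or reject it explicitly, rather than assuming the first offset is 0 and that there are exactly two pairs.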
[Bug 1085526]
Created attachment 119283
Manpage improvement

Here's an improvement to the manpage. Corrected a typo and added some missing context
[Bug 1085526]
(In reply to Adrian Johnson from comment #79)
> + r_values[0] = r2.isInt64() ? r2.getInt64() : r2.getInt(); > + r_values[1] = r3.isInt64() ? r3.getInt64() : r3.getInt(); > + r_values[2] = r4.isInt64() ? r4.getInt64() : r4.getInt();
>
> According to the PDF Reference, the ByteRange array contains pairs of
> (offset,length).
>
> Why do we ignore the first offset and later assume it is 0? Why do we assume
> there are exactly two pairs?
>
> I only skimmed over the digital signatures section so maybe I missed
> something.

Actually the PDF spec allows for more than 2 pairs of values in /ByteRange but it would mean that there is more than one gap in the signed data apart from the signature itself.

Quoting from ISO 32000-1 section 12.8.1: "This range should be the entire file, including the signature dictionary but excluding the signature value itself (the Contents entry). Other ranges may be used but since they do not check for all changes to the document, their use is not recommended."

Obviously in a file with multiple signatures each signature should cover the latest revision present in the file when the signature was appended.
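The ByteRange points raised in this thread ((offset,length) pairs, illegal values that would overflow, and whether the ranges cover the whole file), as an added example that is not poppler's code or any of the attached patches. `checkByteRange`, its types and the sample numbers are hypothetical and constructed for illustration, and the caller is assumed to know the file size.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class ByteRangeStatus {
    Malformed,       // must not be hashed: bad shape, overflow, out of bounds, overlap
    PartialCoverage, // well-formed, but bytes other than a single gap are left unsigned
    WholeFile        // [0, gap) + [gap end, EOF): the layout ISO 32000-1 12.8.1 recommends
};

struct ByteRangeCheck {
    ByteRangeStatus status;
    std::string reason;
    int64_t gapStart;  // first byte excluded from the digest, -1 unless WholeFile
    int64_t gapLength; // size of that hole, -1 unless WholeFile
};

static ByteRangeCheck verdict(ByteRangeStatus s, const std::string &why,
                              int64_t gapStart = -1, int64_t gapLength = -1)
{
    return ByteRangeCheck{s, why, gapStart, gapLength};
}

// values:   the integers of /ByteRange, read as (offset, length) pairs.
// fileSize: size of the file, or of the revision the signature was appended to
//           (assumption: the caller knows it).
// Arithmetic only: that the gap really holds the /Contents value has to be
// checked separately against the parsed signature dictionary.
ByteRangeCheck checkByteRange(const std::vector<int64_t> &values, int64_t fileSize)
{
    using S = ByteRangeStatus;
    if (fileSize < 0)
        return verdict(S::Malformed, "negative file size");
    if (values.empty() || values.size() % 2 != 0)
        return verdict(S::Malformed, "not a list of (offset, length) pairs");

    int64_t prevEnd = 0; // end of the previous range
    int gaps = 0;        // holes before or between ranges
    int64_t gapStart = -1, gapLength = -1;
    for (std::size_t i = 0; i < values.size(); i += 2) {
        const int64_t offset = values[i];
        const int64_t length = values[i + 1];
        if (offset < 0 || length < 0)
            return verdict(S::Malformed, "negative offset or length");
        // Written as a subtraction so the check itself cannot overflow.
        if (offset > fileSize || length > fileSize - offset)
            return verdict(S::Malformed, "range runs past the end of the file");
        if (offset < prevEnd)
            return verdict(S::Malformed, "ranges overlap or are out of order");
        if (offset > prevEnd) {
            ++gaps;
            gapStart = prevEnd;
            gapLength = offset - prevEnd;
        }
        prevEnd = offset + length; // safe: bounded by fileSize above
    }

    if (values[0] != 0)
        return verdict(S::PartialCoverage, "first range does not start at offset 0");
    if (prevEnd != fileSize)
        return verdict(S::PartialCoverage, "bytes after the last range are not signed");
    if (gaps == 0)
        return verdict(S::Malformed, "no gap left for the signature value");
    if (gaps > 1)
        return verdict(S::PartialCoverage, "more than one gap in the signed data");
    return verdict(S::WholeFile, "whole file except one gap", gapStart, gapLength);
}

int main()
{
    // Constructed sample: a 1200-byte file whose signature value sits in bytes 840..959.
    const ByteRangeCheck r = checkByteRange({0, 840, 960, 240}, 1200);
    std::cout << r.reason << " (gap at " << r.gapStart << ", " << r.gapLength << " bytes)\n";
    return r.status == ByteRangeStatus::WholeFile ? 0 : 1;
}
```

Passing the current file size for an earlier signature in a multiply signed file yields `PartialCoverage`, because the later revisions lie after its last range; pass the size of the revision that signature was appended to instead.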
[Bug 1085526]
Created attachment 118745
Incremental hashing + large file support

With this patch I've implemented the incremental hashing plus the large file support. This is still untested with files larger than 2GB but is correct for all the regular test cases I gathered before.
[Bug 740506]
Created attachment 118745
Incremental hashing + large file support

With this patch I've implemented the incremental hashing plus the large file support. This is still untested with files larger than 2GB but is correct for all the regular test cases I gathered before.
[Bug 740506]
Created attachment 118449
Support for adbe.pkcs7.sha1 signatures

This patch, to be applied over the previous one, adds support for adbe.pkcs7.sha1 signatures so now we should have a more complete coverage of actual signed PDFs.
[Bug 1085526]
Created attachment 118449
Support for adbe.pkcs7.sha1 signatures

This patch, to be applied over the previous one, adds support for adbe.pkcs7.sha1 signatures so now we should have a more complete coverage of actual signed PDFs.
[Bug 1085526]
Created attachment 118446
NSS conditional build

This patch makes the NSS dependency optional in the CMake and Autotools build systems.
[Bug 740506]
Created attachment 118446
NSS conditional build

This patch makes the NSS dependency optional in the CMake and Autotools build systems.
[Bug 740506]
@Adrian Thanks for the tips on support for large files, progressive hashing and the NSS includes. We'll be posting our attempts to improve these issues as individual patches. I also thought of adding the feature to pdfinfo but it seems wrong to mix up something which performs various computations and relies on external state (NSS cert DB) to pdfinfo which just reads metadata from the file itself.
[Bug 740506]
Created attachment 118398
Fix for Buffer overflow

Regarding the illegal ByteRange values which would cause overflow this patch should fix it
[Bug 1085526]
Created attachment 118398
Fix for Buffer overflow

Regarding the illegal ByteRange values which would cause overflow this patch should fix it
[Bug 1085526]
@Adrian Thanks for the tips on support for large files, progressive hashing and the NSS includes. We'll be posting our attempts to improve these issues as individual patches. I also thought of adding the feature to pdfinfo but it seems wrong to mix up something which performs various computations and relies on external state (NSS cert DB) to pdfinfo which just reads metadata from the file itself.
[Bug 1085526]
@Albert Thanks for the improvements. Regarding your 3 questions:

1- I've no objection to making the feature optional. I understand there are people building more minimal versions of poppler that dislike additional dependencies.
2- Yes we should. Our defaults are meant to take advantage of the already configured and implicitly trusted NSS cert DBs in Firefox but we shouldn't limit the user's options.
3- We're already looking into supporting adbe.pkcs7.sha1 signatures which we found are very widespread. In Portugal we found that several big companies are still using this kind of signature in signed PDF invoices as of now.
[Bug 740506]
@Albert Thanks for the improvements. Regarding your 3 questions:

1- I've no objection to making the feature optional. I understand there are people building more minimal versions of poppler that dislike additional dependencies.
2- Yes we should. Our defaults are meant to take advantage of the already configured and implicitly trusted NSS cert DBs in Firefox but we shouldn't limit the user's options.
3- We're already looking into supporting adbe.pkcs7.sha1 signatures which we found are very widespread. In Portugal we found that several big companies are still using this kind of signature in signed PDF invoices as of now.
[Bug 1085526]
Created attachment 118195
poppler nss signature support - v6

Sorry, there were still some missing NULL checks and a useless new(), here's a new one.
[Bug 740506]
Created attachment 118193
poppler nss signature support - v5 - refactor

Here's a new patch following Albert's recommendations. We've expanded the FormFieldSignature and FormFieldWidget classes to expose the signature method. We also added checking for non-supported signature types as we only support pkcs7.detached signatures at the moment.

This patch only includes the changes to poppler core and the pdfsigverify utility, glib still needs changes to move the validation from poppler_document to poppler_form_field.
[Bug 740506]
Created attachment 118195
poppler nss signature support - v6

Sorry, there were still some missing NULL checks and a useless new(), here's a new one.
[Bug 1085526]
Created attachment 118193
poppler nss signature support - v5 - refactor

Here's a new patch following Albert's recommendations. We've expanded the FormFieldSignature and FormFieldWidget classes to expose the signature method. We also added checking for non-supported signature types as we only support pkcs7.detached signatures at the moment.

This patch only includes the changes to poppler core and the pdfsigverify utility, glib still needs changes to move the validation from poppler_document to poppler_form_field.
[Bug 740506]
Created attachment 118036
poppler nss signature support - v3
[Bug 1085526]
Created attachment 118036
poppler nss signature support - v3
[Bug 740506]
Sorry for the succession of patches. This one fixes some remaining leaks in the new PDFDoc methods and improves the indentation
[Bug 1085526]
Sorry for the succession of patches. This one fixes some remaining leaks in the new PDFDoc methods and improves the indentation
[Bug 740506]
Sorry for the long absence and here's another attempt at solving this issue.

I just attached a patch developed by me and André Esser which adds signature verification support to poppler core and the glib frontend. It uses the NSS CMS API for the crypto operations (signature and certificate Validations).

4 new functions were added at the glib wrapper level:
poppler_document_is_signed
poppler_document_signature_validate
poppler_document_signature_get_time
poppler_document_signature_get_signername

We added a new test utility for this feature in utils/pdfsigverify and exposed the number of signatures in poppler-glib-demo.

The trusted certificate issue for Linux systems is tackled in the following way: we try to load the NSS certificate DB in the default Firefox profile and if that fails we try to load certificates from the standard directory /etc/pki/nssdb which may or may not be populated depending on the distro setup. We're obviously open to suggestions in this area.

Current limitation:
- The CMake changes are not done yet so Autotools build is required for now (we couldn't find an easy/clean way to find the NSS dependency using CMake)
[Bug 740506]
Created attachment 117885
PDF signature verification using NSS
[Bug 1085526]
Sorry for the long absence and here's another attempt at solving this issue.

I just attached a patch developed by me and André Esser which adds signature verification support to poppler core and the glib frontend. It uses the NSS CMS API for the crypto operations (signature and certificate Validations).

4 new functions were added at the glib wrapper level:
poppler_document_is_signed
poppler_document_signature_validate
poppler_document_signature_get_time
poppler_document_signature_get_signername

We added a new test utility for this feature in utils/pdfsigverify and exposed the number of signatures in poppler-glib-demo.

The trusted certificate issue for Linux systems is tackled in the following way: we try to load the NSS certificate DB in the default Firefox profile and if that fails we try to load certificates from the standard directory /etc/pki/nssdb which may or may not be populated depending on the distro setup. We're obviously open to suggestions in this area.

Current limitation:
- The CMake changes are not done yet so Autotools build is required for now (we couldn't find an easy/clean way to find the NSS dependency using CMake)
[Bug 1085526]
Created attachment 117885
PDF signature verification using NSS
[Bug 740506]
OK, NSS with shared DB is what I'll pursue from now on. Thanks everyone for the input. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures To manage notifications about this bug go to: https://bugs.launchpad.net/poppler/+bug/740506/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 740506]
So if I understood correctly Qt is only using the dlopen approach to overcome restrictions to crypto exports but not (L)GPL incompatibilities, like stated here: http://qt-project.org/doc/qt-4.8/ssl.html

Getting back to our point I'll need the definitive opinion from Poppler maintainers on using dlopen'ed openssl or replacing it with NSS. Both options are extra work but I'm willing to do the extra mile to get this accepted.
[Bug 740506]
Regarding the dlopen workaround I'll take a look at it this week. I'll try to minimize the pitfall of possible missing/different symbols by targeting only the last major version of openssl (1.0).
[Bug 740506]
What's missing in gnutls is a way to parse all the relevant components of the PKCS#7 object as present in a PDF signature. It seems that in gnutls they assume those objects can only contain certificates and CRLs as you can confirm if you go through the functions that take gnutls_pkcs7_t as argument. With openssl you can get the certificates, signature, and the digest of the signed content (these are the essential parts for detached signatures as used in PDF) as well as any optional timestamps or CRLs.
[Bug 740506]
(In reply to comment #21)
> (In reply to comment #19)
>
> I know that LibreOffice uses NSS as when I look at digital signatures my
> certificates from Firefox are available. However, I don't think the LibreOffice
> Ubuntu packages require the whole Firefox to be installed.

Yes it doesn't require Firefox or Thunderbird but if you didn't have any of them you wouldn't have any CA certs in LO.

http://wiki.openoffice.org/wiki/Certificate_Detection
[Bug 740506]
Also I can see merit in Fedora's effort of consolidation around NSS but I think it's a really herculean effort to port over so many packages. http://fedoraproject.org/wiki/CryptoConsolidationScorecard
[Bug 740506]
@Albert OK, I can see the problem for poppler in terms of licensing. A quick evaluation of the alternatives:

gnutls seems to be unsuited for this because it doesn't have a decent PKCS7 API that would allow me to parse the signature and access each component. I've only found this in the docs: http://www.gnu.org/software/gnutls/manual/html_node/X509-certificate-API.html#X509-certificate-API

NSS seems to be more promising as I've found example code for PKCS#7 validation in its source tarball: mozilla/security/nss/cmd/p7verify/p7verify.c

The disadvantage I see with nss is that we won't be able to reuse the system certificate store usually in /etc/ssl/certs because it will need to use a particular Berkeley DB cert store as you can find in your Firefox/Thunderbird Profile. So we'd have an implicit dependency on .mozilla/... being present or worse we'll need to introduce our own cert store.

I have no experience with gnutls or nss so if anyone can correct me or add something, feel free.
[Bug 740506]
Created attachment 66786
PDF Signature verification support

Here's an initial attempt at solving this issue. This patch adds signature verification support to poppler core. It uses OpenSSL PKCS7 API for the crypto operations (signature and certificate Validations).

4 new functions were added at the glib wrapper level:
poppler_document_is_signed
poppler_document_signature_validate
poppler_document_signature_get_time
poppler_document_signature_get_signername

I've coordinated with Vasco Dias to expose this feature in Evince and his work is in the latest patches attached to this bug: https://bugzilla.gnome.org/show_bug.cgi?id=614929

As the additional dependency on OpenSSL couldn't possibly satisfy everyone I made it optional at build-time with --enable-openssl for Autotools and -DENABLE_OPENSSL=ON for cmake

Current limitations:
- Timestamps contained in the PKCS7 signature are not verified
- the new functionality is not yet exposed in the qt4 wrapper as I prioritized the glib wrapper to support Evince.
[Bug 774991] Re: gtkguitune not start
This is caused by bug #983707. The workaround is to start gtkguitune from Terminal: running "padsp gtkguitune" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/774991 Title: gtkguitune not start To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gtkguitune/+bug/774991/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs