ucb/Library_ucpcmis1.mk                        |    1 
 ucb/source/ucp/cmis/certvalidation_handler.cxx |  126 -------------------------
 ucb/source/ucp/cmis/certvalidation_handler.hxx |   46 ---------
 ucb/source/ucp/cmis/cmis_content.cxx           |    6 -
 ucb/source/ucp/cmis/cmis_repo_content.cxx      |    6 -
 5 files changed, 185 deletions(-)

New commits:
commit 9413f2b39cb48417d75dfd3b5a28dac18541839e
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Jun 21 16:23:24 2024 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Jun 24 12:38:52 2024 +0200

    ucb: cmis: remove CertValidationHandler
    
    Bothering users with a dialog for a problematic TLS certificate just
    conditions them to click OK and compromise their security.
    
    WebDAV UCP already doesn't show such a dialog since LO 7.3, now remove
    the dialog from CMIS UCP too.
    
    Users can add any self-signed CAs they want to use to the operating
    system trusted CA store, for example with p11-kit's trust(1).
    
    Change-Id: Iedb8518923f9ac75c33a3b0df6ff795a7810a18a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169338
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk
index 707d9ff604a4..9392c86995ca 100644
--- a/ucb/Library_ucpcmis1.mk
+++ b/ucb/Library_ucpcmis1.mk
@@ -50,7 +50,6 @@ endif
 
 $(eval $(call gb_Library_add_exception_objects,ucpcmis1,\
        ucb/source/ucp/cmis/auth_provider \
-       ucb/source/ucp/cmis/certvalidation_handler \
        ucb/source/ucp/cmis/cmis_content \
        ucb/source/ucp/cmis/cmis_repo_content \
        ucb/source/ucp/cmis/cmis_datasupplier \
diff --git a/ucb/source/ucp/cmis/certvalidation_handler.cxx 
b/ucb/source/ucp/cmis/certvalidation_handler.cxx
deleted file mode 100644
index 0080df37a483..000000000000
--- a/ucb/source/ucp/cmis/certvalidation_handler.cxx
+++ /dev/null
@@ -1,126 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*
- * This file is part of the LibreOffice project.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * This file incorporates work covered by the following license notice:
- *
- */
-
-#include <com/sun/star/security/CertificateContainer.hpp>
-#include <com/sun/star/security/XCertificate.hpp>
-#include <com/sun/star/security/XCertificateContainer.hpp>
-#include <com/sun/star/xml/crypto/SEInitializer.hpp>
-#include <com/sun/star/xml/crypto/XSecurityEnvironment.hpp>
-
-#include <rtl/ref.hxx>
-#include <comphelper/sequence.hxx>
-#include <ucbhelper/simplecertificatevalidationrequest.hxx>
-
-#include "certvalidation_handler.hxx"
-
-#define STD_TO_OUSTR( str ) OUString( str.c_str(), str.length( ), 
RTL_TEXTENCODING_UTF8 )
-
-using namespace com::sun::star;
-
-namespace cmis
-{
-    bool CertValidationHandler::validateCertificate( std::vector< std::string 
> aCertificates )
-    {
-        bool bValidate = false;
-        if ( !aCertificates.empty() && m_xEnv.is() )
-        {
-            uno::Reference< xml::crypto::XSEInitializer > xSEInitializer;
-            try
-            {
-                xSEInitializer = xml::crypto::SEInitializer::create( 
m_xContext );
-            }
-            catch ( uno::Exception const & )
-            {
-            }
-
-            if ( xSEInitializer.is() )
-            {
-                uno::Reference< xml::crypto::XXMLSecurityContext > 
xSecurityContext(
-                    xSEInitializer->createSecurityContext( OUString() ) );
-
-                uno::Reference< xml::crypto::XSecurityEnvironment > 
xSecurityEnv(
-                        xSecurityContext->getSecurityEnvironment() );
-
-                std::vector< std::string >::iterator pIt = 
aCertificates.begin();
-                std::string sCert = *pIt;
-                // We need to get rid of the PEM header/footer lines
-                OUString sCleanCert = STD_TO_OUSTR( sCert );
-                sCleanCert = sCleanCert.replaceAll( "-----BEGIN 
CERTIFICATE-----", "" );
-                sCleanCert = sCleanCert.replaceAll( "-----END 
CERTIFICATE-----", "" );
-                uno::Reference< security::XCertificate > xCert(
-                        xSecurityEnv->createCertificateFromAscii(
-                            sCleanCert ) );
-
-                uno::Reference< security::XCertificateContainer > 
xCertificateContainer;
-                try
-                {
-                    xCertificateContainer = 
security::CertificateContainer::create( m_xContext );
-                }
-                catch ( uno::Exception const & )
-                {
-                }
-
-                if ( xCertificateContainer.is( ) )
-                {
-                    security::CertificateContainerStatus status(
-                        xCertificateContainer->hasCertificate(
-                            m_sHostname, xCert->getSubjectName() ) );
-
-                    if ( status != security::CertificateContainerStatus_NOCERT 
)
-                        return status == 
security::CertificateContainerStatus_TRUSTED;
-                }
-
-                // If we had no certificate, ask what to do
-                std::vector< uno::Reference< security::XCertificate > > 
vecCerts;
-
-                for ( ++pIt; pIt != aCertificates.end(); ++pIt )
-                {
-                    sCert = *pIt;
-                    uno::Reference< security::XCertificate> xImCert(
-                        xSecurityEnv->createCertificateFromAscii(
-                            STD_TO_OUSTR( sCert ) ) );
-                    if ( xImCert.is() )
-                        vecCerts.push_back( xImCert );
-                }
-
-                sal_Int64 certValidity = xSecurityEnv->verifyCertificate( 
xCert,
-                    ::comphelper::containerToSequence( vecCerts ) );
-
-                uno::Reference< task::XInteractionHandler > xIH(
-                    m_xEnv->getInteractionHandler() );
-                if ( xIH.is() )
-                {
-                    rtl::Reference< 
ucbhelper::SimpleCertificateValidationRequest >
-                        xRequest( new 
ucbhelper::SimpleCertificateValidationRequest(
-                                   sal_Int32( certValidity ), xCert, 
m_sHostname ) );
-                    xIH->handle( xRequest );
-                    rtl::Reference< ucbhelper::InteractionContinuation > 
xSelection
-                        = xRequest->getSelection();
-
-                    if ( xSelection.is() )
-                    {
-                        uno::Reference< task::XInteractionApprove > xApprove(
-                            xSelection.get(), uno::UNO_QUERY );
-                        bValidate = xApprove.is();
-
-                        // Store the decision in the container
-                        xCertificateContainer->addCertificate(
-                            m_sHostname, xCert->getSubjectName(), bValidate );
-                    }
-                }
-            }
-        }
-        return bValidate;
-    }
-}
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/ucb/source/ucp/cmis/certvalidation_handler.hxx 
b/ucb/source/ucp/cmis/certvalidation_handler.hxx
deleted file mode 100644
index ae46c8397f3c..000000000000
--- a/ucb/source/ucp/cmis/certvalidation_handler.hxx
+++ /dev/null
@@ -1,46 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*
- * This file is part of the LibreOffice project.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * This file incorporates work covered by the following license notice:
- *
- */
-#pragma once
-
-#if defined __GNUC__ && !defined __clang__
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wdeprecated"
-#pragma GCC diagnostic ignored "-Wunused-but-set-parameter"
-#endif
-#include <libcmis/libcmis.hxx>
-#if defined __GNUC__ && !defined __clang__
-#pragma GCC diagnostic pop
-#endif
-
-#include <com/sun/star/ucb/XCommandEnvironment.hpp>
-#include <utility>
-
-namespace cmis
-{
-    class CertValidationHandler : public libcmis::CertValidationHandler
-    {
-        const css::uno::Reference< css::ucb::XCommandEnvironment>& m_xEnv;
-        const css::uno::Reference< css::uno::XComponentContext >& m_xContext;
-        OUString m_sHostname;
-
-        public:
-            CertValidationHandler (
-                           const css::uno::Reference< 
css::ucb::XCommandEnvironment>& xEnv,
-                           const css::uno::Reference< 
css::uno::XComponentContext>& xContext,
-                           OUString  sHostname ):
-                m_xEnv( xEnv ), m_xContext( xContext ), m_sHostname(std::move( 
sHostname )) { }
-
-            bool validateCertificate( std::vector< std::string > certificates 
) override;
-    };
-}
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/ucb/source/ucp/cmis/cmis_content.cxx 
b/ucb/source/ucp/cmis/cmis_content.cxx
index c1808f8bc492..6bd5146bb7bc 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -59,7 +59,6 @@
 #include <utility>
 
 #include "auth_provider.hxx"
-#include "certvalidation_handler.hxx"
 #include "cmis_content.hxx"
 #include "cmis_provider.hxx"
 #include "cmis_resultset.hxx"
@@ -315,11 +314,6 @@ namespace cmis
 
         if ( nullptr == m_pSession )
         {
-            // Set the SSL Validation handler
-            libcmis::CertValidationHandlerPtr certHandler(
-                    new CertValidationHandler( xEnv, m_xContext, 
aBindingUrl.GetHost( ) ) );
-            libcmis::SessionFactory::setCertificateValidationHandler( 
certHandler );
-
             // init libcurl callback
             
libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
 
diff --git a/ucb/source/ucp/cmis/cmis_repo_content.cxx 
b/ucb/source/ucp/cmis/cmis_repo_content.cxx
index 38c261cdf3b8..87742e14bf99 100644
--- a/ucb/source/ucp/cmis/cmis_repo_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_repo_content.cxx
@@ -33,7 +33,6 @@
 #include <ucbhelper/macros.hxx>
 
 #include "auth_provider.hxx"
-#include "certvalidation_handler.hxx"
 #include "cmis_content.hxx"
 #include "cmis_provider.hxx"
 #include "cmis_repo_content.hxx"
@@ -128,11 +127,6 @@ namespace cmis
         if ( !m_aRepositories.empty() )
             return;
 
-        // Set the SSL Validation handler
-        libcmis::CertValidationHandlerPtr certHandler(
-                new CertValidationHandler( xEnv, m_xContext, 
aBindingUrl.GetHost( ) ) );
-        libcmis::SessionFactory::setCertificateValidationHandler( certHandler 
);
-
         // init libcurl callback
         
libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
 
