forked from amazingfate/loongoffice
f0167eced7
Obsoletes xmlsec1-win32-fix-undeclared.patch.1. Change-Id: I11cd52aebbe5ab224de9ab00b74c02abb46296f6 Reviewed-on: https://gerrit.libreoffice.org/30539 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
79 lines
3.0 KiB
Groff
79 lines
3.0 KiB
Groff
From 06564ccc3e2484553a23a2595d48b0ef3445497b Mon Sep 17 00:00:00 2001
|
|
From: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Date: Fri, 4 Mar 2016 16:10:16 +0100
|
|
Subject: [PATCH] xmlsec1-noverify.patch
|
|
|
|
Conflicts:
|
|
src/nss/x509vfy.c
|
|
---
|
|
src/mscrypto/x509vfy.c | 13 ++++++++++---
|
|
src/nss/x509vfy.c | 28 +++++++++++++++++++++-------
|
|
2 files changed, 31 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c
|
|
index 899cb6e..cf4cbb7 100644
|
|
--- a/src/mscrypto/x509vfy.c
|
|
+++ b/src/mscrypto/x509vfy.c
|
|
@@ -560,9 +560,16 @@ xmlSecMSCryptoX509StoreVerify(xmlSecKeyDataStorePtr store, HCERTSTORE certs,
|
|
CertFreeCertificateContext(nextCert);
|
|
}
|
|
|
|
- if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
|
|
- return(cert);
|
|
- }
|
|
+ /* JL: OpenOffice.org implements its own certificate verification routine.
|
|
+ The goal is to separate validation of the signature
|
|
+ and the certificate. For example, OOo could show that the document signature is valid,
|
|
+ but the certificate could not be verified. If we do not prevent the verification of
|
|
+ the certificate by libxmlsec and the verification fails, then the XML signature will not be
|
|
+ verified. This would happen, for example, if the root certificate is not installed.
|
|
+ */
|
|
+/* if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
|
|
+ if (selected == 1)
|
|
+ return cert;
|
|
}
|
|
|
|
return (NULL);
|
|
diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
|
|
index 9e957fe..0edaa2d 100644
|
|
--- a/src/nss/x509vfy.c
|
|
+++ b/src/nss/x509vfy.c
|
|
@@ -211,13 +211,27 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
|
|
continue;
|
|
}
|
|
|
|
- status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
|
|
- cert, PR_FALSE,
|
|
- (SECCertificateUsage)0,
|
|
- timeboundary , NULL, NULL, NULL);
|
|
- if (status == SECSuccess) {
|
|
- break;
|
|
- }
|
|
+
|
|
+ /*
|
|
+ JL: OpenOffice.org implements its own certificate verification routine.
|
|
+ The goal is to separate validation of the signature
|
|
+ and the certificate. For example, OOo could show that the document signature is valid,
|
|
+ but the certificate could not be verified. If we do not prevent the verification of
|
|
+ the certificate by libxmlsec and the verification fails, then the XML signature may not be
|
|
+ verified. This would happen, for example, if the root certificate is not installed.
|
|
+
|
|
+ status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
|
|
+ cert, PR_FALSE,
|
|
+ (SECCertificateUsage)0,
|
|
+ timeboundary , NULL, NULL, NULL);
|
|
+ if (status == SECSuccess) {
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ */
|
|
+ status = SECSuccess;
|
|
+ break;
|
|
+
|
|
}
|
|
|
|
if (status == SECSuccess) {
|
|
--
|
|
2.6.6
|
|
|