xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 8 ++++++++ xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 8 ++++++++ xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 18 ++++++++++++++++++ xmlsecurity/qa/unit/signing/signing.cxx | 12 ++++++++++++ 4 files changed, 46 insertions(+)
New commits: commit ff572d9222ec16ffd679ae907a0bf4a8900265e1 Author: Michael Stahl <[email protected]> AuthorDate: Fri Oct 15 20:52:47 2021 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Tue Oct 19 15:32:56 2021 +0200 xmlsecurity: fix test failing because NSS policy forbids SHA1 With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that 8 tests including testODFGood in CppunitTest/xmlsecurity_signing fail because the crypto policy disallows SHA1 for signatures. Apparently this particular policy bit was added in NSS 3.59: https://bugzilla.mozilla.org/show_bug.cgi?id=1670835 For signatures, maybe it's not a good idea to override system policy for product builds, so do it locally in the tests, at least for now. Another option would be to set NSS_HASH_ALG_SUPPORT environmental variable to something like "+SHA-1". If similar problems turn up for encrypted documents in the future, that should be fixed in product builds too of course, as encrypted documents must always be decryptable. Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123678 Tested-by: Michael Stahl <[email protected]> Reviewed-by: Michael Stahl <[email protected]> diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk index 2441d47e046b..dbedd1a1f7c9 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ boost_headers \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ + nss3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 323c5c1bb37e..126427fdada0 100644 
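Review bot: The build-side guard added here (`ifneq ($(OS),WNT)` nested with `ifneq (,$(ENABLE_NSS))`) is a different condition from the `#if USE_CRYPTO_NSS` that decides whether pdfsigning.cxx includes `<secoid.h>`. Whether the two can disagree is not visible in this diff; if they can, the test either fails to find the NSS headers or links nss3 without using it. The identical block added to CppunitTest_xmlsecurity_signing.mk raises the same question. A one-line comment above the block would record the coupling, e.g. `# nss3 is needed for NSS_SetAlgorithmPolicy in the test; keep in sync with USE_CRYPTO_NSS in config_crypto.h`.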
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk @@ -37,6 +37,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ libxml2 \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ + nss3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index db3ac9b3d663..f9e2cab1b365 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -9,6 +9,12 @@ #include <sal/config.h> +#include <config_crypto.h> + +#if USE_CRYPTO_NSS +#include <secoid.h> +#endif + #include <string_view> #include <com/sun/star/xml/crypto/SEInitializer.hpp> @@ -66,6 +72,18 @@ void PDFSigningTest::setUp() { test::BootstrapFixture::setUp(); MacrosTest::setUpNssGpg(m_directories, "xmlsecurity_pdfsigning"); + + uno::Reference<xml::crypto::XSEInitializer> xSEInitializer + = xml::crypto::SEInitializer::create(mxComponentContext); + uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext + = xSEInitializer->createSecurityContext(OUString()); +#if USE_CRYPTO_NSS +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void PDFSigningTest::tearDown() diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index 32dba85f951b..109287c93fe1 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx 
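Review bot: The result of `NSS_SetAlgorithmPolicy` in PDFSigningTest::setUp is discarded, so if the call fails, the tests will fail later with a signature-verification error that does not point at the policy; the same applies to the call added to SigningTest::setUp in signing.cxx. Check it where it happens, e.g. `CPPUNIT_ASSERT_EQUAL(SECSuccess, NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0));`. Separately, the local `xSecurityContext` is never used after it is created. A short comment saying it exists only so that NSS is initialised before the policy call (presumably because initialisation applies the system policy) would stop it being removed later as dead code.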
@@ -7,11 +7,16 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include <config_crypto.h> #include <config_features.h> #include <config_gpgme.h> #include <sal/config.h> +#if USE_CRYPTO_NSS +#include <secoid.h> +#endif + #include <test/bootstrapfixture.hxx> #include <unotest/macros_test.hxx> #include <test/xmltesttools.hxx> @@ -100,6 +105,13 @@ void SigningTest::setUp() mxDesktop.set(frame::Desktop::create(mxComponentContext)); mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext); mxSecurityContext = mxSEInitializer->createSecurityContext(OUString()); +#if USE_CRYPTO_NSS +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void SigningTest::tearDown()
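Review bot: The SHA-1 override in SigningTest::setUp changes NSS policy for the whole process and is never undone. SigningTest::tearDown begins right after this hunk and is not touched by the commit, so every later signature check in the test process accepts SHA-1 regardless of the system crypto policy. PDFSigningTest::setUp in pdfsigning.cxx behaves the same way. If that is intended, the comment should say so, e.g. `// process-wide and deliberately not restored in tearDown(); test-only until the test documents are re-signed with a stronger hash`. Otherwise, read the previous bits with `NSS_GetAlgorithmPolicy` in setUp and clear the flag again in tearDown when it was not set before.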
