[Libreoffice-commits] core.git: Branch 'libreoffice-7-1' - xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk xmlsecurity/CppunitTest_xmlsecurity_signing.mk xmlsecurity/qa

Tue, 19 Oct 2021 07:45:13 -0700 

 xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk |    8 ++++++++
 xmlsecurity/CppunitTest_xmlsecurity_signing.mk    |    8 ++++++++
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx     |   16 ++++++++++++++++
 xmlsecurity/qa/unit/signing/signing.cxx           |   11 +++++++++++
 4 files changed, 43 insertions(+)

New commits:
commit 51e82016e8783a452fe5f7921d12c1bf20bfd6b5
Author:     Michael Stahl <[email protected]>
AuthorDate: Fri Oct 15 20:52:47 2021 +0200
Commit:     Caolán McNamara <[email protected]>
CommitDate: Tue Oct 19 16:44:33 2021 +0200

    xmlsecurity: fix test failing because NSS policy forbids SHA1
    
    With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
    8 tests including testODFGood in CppunitTest/xmlsecurity_signing
    fail because the crypto policy disallows SHA1 for signatures.
    
    Apparently this particular policy bit was added in NSS 3.59:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
    
    For signatures, maybe it's not a good idea to override system policy
    for product builds, so do it locally in the tests, at least for now.
    
    If similar problems turn up for encrypted documents in the future,
    that should be fixed in product builds too of course, as encrypted
    documents must always be decryptable.
    
    Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123768
    Tested-by: Jenkins
    Tested-by: Caolán McNamara <[email protected]>
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index 2441d47e046b..dbedd1a1f7c9 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -34,6 +34,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
     boost_headers \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
+    nss3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index a3cdc25e6d7d..8ab2d3014657 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -38,6 +38,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_signing,\
     $(if $(filter PDFIUM,$(BUILD_TYPE)),pdfium) \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
+    nss3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index f6bdfce9c050..a4b9a51bf034 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -10,6 +10,10 @@
 #include <sal/config.h>
 #include <config_features.h>
 
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
 #include <string_view>
 
 #include <com/sun/star/xml/crypto/SEInitializer.hpp>
@@ -67,6 +71,18 @@ void PDFSigningTest::setUp()
 {
     test::BootstrapFixture::setUp();
     MacrosTest::setUpNssGpg(m_directories, "xmlsecurity_pdfsigning");
+
+    uno::Reference<xml::crypto::XSEInitializer> xSEInitializer
+        = xml::crypto::SEInitializer::create(mxComponentContext);
+    uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext
+        = xSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void PDFSigningTest::tearDown()
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index b040f8861600..c5c323e246af 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -12,6 +12,10 @@
 
 #include <sal/config.h>
 
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
 #include <test/bootstrapfixture.hxx>
 #include <unotest/macros_test.hxx>
 #include <test/xmltesttools.hxx>
@@ -105,6 +109,13 @@ void SigningTest::setUp()
     mxDesktop.set(frame::Desktop::create(mxComponentContext));
     mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
     mxSecurityContext = mxSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void SigningTest::tearDown()

Reply via email to