[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk xmlsecurity/CppunitTest_xmlsecurity_signing.mk xmlsecurity/qa

Tue, 19 Oct 2021 07:46:32 -0700 

 xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk |    8 ++++++++
 xmlsecurity/CppunitTest_xmlsecurity_signing.mk    |    8 ++++++++
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx     |   18 ++++++++++++++++++
 xmlsecurity/qa/unit/signing/signing.cxx           |   12 ++++++++++++
 4 files changed, 46 insertions(+)

New commits:
commit 611c10fe60d6312b6f5bf797dacc1f52c6525976
Author:     Michael Stahl <[email protected]>
AuthorDate: Fri Oct 15 20:52:47 2021 +0200
Commit:     Caolán McNamara <[email protected]>
CommitDate: Tue Oct 19 16:45:52 2021 +0200

    xmlsecurity: fix test failing because NSS policy forbids SHA1
    
    With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
    8 tests including testODFGood in CppunitTest/xmlsecurity_signing
    fail because the crypto policy disallows SHA1 for signatures.
    
    Apparently this particular policy bit was added in NSS 3.59:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
    
    For signatures, maybe it's not a good idea to override system policy
    for product builds, so do it locally in the tests, at least for now.
    
    If similar problems turn up for encrypted documents in the future,
    that should be fixed in product builds too of course, as encrypted
    documents must always be decryptable.
    
    Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123767
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index 2441d47e046b..dbedd1a1f7c9 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -34,6 +34,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
     boost_headers \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
+    nss3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 52cd621fe084..89a63730be57 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -37,6 +37,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_signing,\
     libxml2 \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
+    nss3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 5f1e6a1286e7..803bfc8e5a5d 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -9,6 +9,12 @@
 
 #include <sal/config.h>
 
+#include <config_crypto.h>
+
+#if USE_CRYPTO_NSS
+#include <secoid.h>
+#endif
+
 #include <string_view>
 
 #include <com/sun/star/xml/crypto/SEInitializer.hpp>
@@ -66,6 +72,18 @@ void PDFSigningTest::setUp()
 {
     test::BootstrapFixture::setUp();
     MacrosTest::setUpNssGpg(m_directories, "xmlsecurity_pdfsigning");
+
+    uno::Reference<xml::crypto::XSEInitializer> xSEInitializer
+        = xml::crypto::SEInitializer::create(mxComponentContext);
+    uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext
+        = xSEInitializer->createSecurityContext(OUString());
+#if USE_CRYPTO_NSS
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void PDFSigningTest::tearDown()
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index 40e085349403..acc8dd96a26c 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -7,11 +7,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
+#include <config_crypto.h>
 #include <config_features.h>
 #include <config_gpgme.h>
 
 #include <sal/config.h>
 
+#if USE_CRYPTO_NSS
+#include <secoid.h>
+#endif
+
 #include <test/bootstrapfixture.hxx>
 #include <unotest/macros_test.hxx>
 #include <test/xmltesttools.hxx>
@@ -100,6 +105,13 @@ void SigningTest::setUp()
     mxDesktop.set(frame::Desktop::create(mxComponentContext));
     mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
     mxSecurityContext = mxSEInitializer->createSecurityContext(OUString());
+#if USE_CRYPTO_NSS
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void SigningTest::tearDown()

Reply via email to