diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff | 740 |
1 files changed, 740 insertions, 0 deletions
diff --git a/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff b/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff new file mode 100644 index 000000000..5e0a9d7ee --- /dev/null +++ b/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff @@ -0,0 +1,740 @@ +From 94ce59dd02fcfcaa1eb4f195b45a9a2edbd58242 Mon Sep 17 00:00:00 2001 +From: Michael Stahl <michael.stahl@allotropia.de> +Date: Fri, 19 Feb 2021 17:56:21 +0100 +Subject: xmlsecurity: ignore elements in ds:Object that aren't signed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I2e4411f0907b89e7ad6e0185cee8f12b600515e8 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111253 +Tested-by: Jenkins +Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> +(cherry picked from commit 2bfa00e6bf4b2a310a8b8f5060acec85b5f7a3ce) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111909 +Reviewed-by: Caolán McNamara <caolanm@redhat.com> +--- + xmlsecurity/inc/xsecctl.hxx | 1 + + xmlsecurity/source/helper/xsecparser.cxx | 290 +++++++++++++++++++++---------- + xmlsecurity/source/helper/xsecparser.hxx | 1 + + xmlsecurity/source/helper/xsecverify.cxx | 19 ++ + 4 files changed, 221 insertions(+), 90 deletions(-) + +diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx +index 759a660d90ad..ec3669128d24 100644 +--- a/xmlsecurity/inc/xsecctl.hxx ++++ b/xmlsecurity/inc/xsecctl.hxx +@@ -252,6 +252,7 @@ private: + /// Sets algorithm from <SignatureMethod Algorithm="...">. + void setSignatureMethod(svl::crypto::SignatureMethodAlgorithm eAlgorithmID); + void switchGpgSignature(); ++ bool haveReferenceForId(OUString const& rId) const; + void addReference( + const OUString& ouUri, + sal_Int32 nDigestID, +diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx +index 1418b7b43b46..f46277f96ea1 100644 +--- a/xmlsecurity/source/helper/xsecparser.cxx ++++ b/xmlsecurity/source/helper/xsecparser.cxx +@@ -95,6 +95,42 @@ auto XSecParser::Context::CreateChildContext( + return std::make_unique<UnknownContext>(m_rParser, std::move(pOldNamespaceMap)); + } + ++/** ++note: anything in ds:Object should be trusted *only* if there is a ds:Reference ++ to it so it is signed (exception: the xades:EncapsulatedX509Certificate). ++ ds:SignedInfo precedes all ds:Object. ++ ++ There may be multiple ds:Signature for purpose of counter-signatures ++ but the way XAdES describes these, only the ds:SignatureValue element ++ would be referenced, so requiring a ds:Reference for anything in ++ ds:Object shouldn't cause issues. ++ */ ++class XSecParser::ReferencedContextImpl ++ : public XSecParser::Context ++{ ++ protected: ++ bool m_isReferenced; ++ ++ public: ++ ReferencedContextImpl(XSecParser & rParser, ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ , m_isReferenced(isReferenced) ++ { ++ } ++ ++ OUString CheckIdAttrReferenced(css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) ++ { ++ OUString const id(m_rParser.HandleIdAttr(xAttrs)); ++ if (!id.isEmpty() && m_rParser.m_pXSecController->haveReferenceForId(id)) ++ { ++ m_isReferenced = true; ++ } ++ return id; ++ } ++}; ++ + class XSecParser::LoPGPOwnerContext + : public XSecParser::Context + { +@@ -228,21 +264,29 @@ class XSecParser::DsX509CertificateContext + }; + + class XSecParser::DsX509SerialNumberContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + DsX509SerialNumberContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setX509SerialNumber(m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setX509SerialNumber(m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509SerialNumber"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -252,21 +296,29 @@ class XSecParser::DsX509SerialNumberContext + }; + + class XSecParser::DsX509IssuerNameContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + DsX509IssuerNameContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setX509IssuerName(m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setX509IssuerName(m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509IssuerName"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -276,12 +328,13 @@ class XSecParser::DsX509IssuerNameContext + }; + + class XSecParser::DsX509IssuerSerialContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + DsX509IssuerSerialContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + +@@ -291,11 +344,11 @@ class XSecParser::DsX509IssuerSerialContext + { + if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerName") + { +- return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_DS && rName == "X509SerialNumber") + { +- return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + // missing: ds:X509SKI, ds:X509SubjectName, ds:X509CRL + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); +@@ -318,7 +371,8 @@ class XSecParser::DsX509DataContext + { + if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerSerial") + { +- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap)); ++ // can't require KeyInfo to be signed so pass in *true* ++ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), true); + } + if (nNamespace == XML_NAMESPACE_DS && rName == "X509Certificate") + { +@@ -787,21 +841,29 @@ class XSecParser::XadesUnsignedPropertiesContext + }; + + class XSecParser::LoSignatureLineIdContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + LoSignatureLineIdContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setSignatureLineId(m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setSignatureLineId(m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineId"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -811,21 +873,29 @@ class XSecParser::LoSignatureLineIdContext + }; + + class XSecParser::LoSignatureLineValidImageContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + LoSignatureLineValidImageContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setValidSignatureImage(m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setValidSignatureImage(m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineValidImage"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -835,21 +905,29 @@ class XSecParser::LoSignatureLineValidImageContext + }; + + class XSecParser::LoSignatureLineInvalidImageContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + LoSignatureLineInvalidImageContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setInvalidSignatureImage(m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setInvalidSignatureImage(m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineInvalidImage"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -859,12 +937,13 @@ class XSecParser::LoSignatureLineInvalidImageContext + }; + + class XSecParser::LoSignatureLineContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + LoSignatureLineContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + +@@ -874,22 +953,22 @@ class XSecParser::LoSignatureLineContext + { + if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineId") + { +- return std::make_unique<LoSignatureLineIdContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<LoSignatureLineIdContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineValidImage") + { +- return std::make_unique<LoSignatureLineValidImageContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<LoSignatureLineValidImageContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineInvalidImage") + { +- return std::make_unique<LoSignatureLineInvalidImageContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<LoSignatureLineInvalidImageContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); + } + }; + + class XSecParser::XadesCertDigestContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; +@@ -897,14 +976,22 @@ class XSecParser::XadesCertDigestContext + + public: + XadesCertDigestContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setCertDigest(m_Value/* FIXME , m_nReferenceDigestID*/); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setCertDigest(m_Value/* FIXME , m_nReferenceDigestID*/); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned CertDigest"); ++ } + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -924,12 +1011,13 @@ class XSecParser::XadesCertDigestContext + }; + + class XSecParser::XadesCertContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + XadesCertContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + +@@ -939,23 +1027,24 @@ class XSecParser::XadesCertContext + { + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "CertDigest") + { +- return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "IssuerSerial") + { +- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); + } + }; + + class XSecParser::XadesSigningCertificateContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + XadesSigningCertificateContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + +@@ -965,28 +1054,36 @@ class XSecParser::XadesSigningCertificateContext + { + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "Cert") + { +- return std::make_unique<XadesCertContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesCertContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); + } + }; + + class XSecParser::XadesSigningTimeContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + OUString m_Value; + + public: + XadesSigningTimeContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void EndElement() override + { +- m_rParser.m_pXSecController->setDate("", m_Value); ++ if (m_isReferenced) ++ { ++ m_rParser.m_pXSecController->setDate("", m_Value); ++ } ++ else ++ { ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SigningTime"); ++ } + } + + virtual void Characters(OUString const& rChars) override +@@ -996,19 +1093,20 @@ class XSecParser::XadesSigningTimeContext + }; + + class XSecParser::XadesSignedSignaturePropertiesContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + XadesSignedSignaturePropertiesContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_rParser.HandleIdAttr(xAttrs); ++ CheckIdAttrReferenced(xAttrs); + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -1017,15 +1115,15 @@ class XSecParser::XadesSignedSignaturePropertiesContext + { + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SigningTime") + { +- return std::make_unique<XadesSigningTimeContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesSigningTimeContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SigningCertificate") + { +- return std::make_unique<XadesSigningCertificateContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesSigningCertificateContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLine") + { +- return std::make_unique<LoSignatureLineContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<LoSignatureLineContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + // missing: xades:SignaturePolicyIdentifier, xades:SignatureProductionPlace, xades:SignerRole + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); +@@ -1033,19 +1131,20 @@ class XSecParser::XadesSignedSignaturePropertiesContext + }; + + class XSecParser::XadesSignedPropertiesContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + XadesSignedPropertiesContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_rParser.HandleIdAttr(xAttrs); ++ CheckIdAttrReferenced(xAttrs); + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -1054,7 +1153,7 @@ class XSecParser::XadesSignedPropertiesContext + { + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SignedSignatureProperties") + { +- return std::make_unique<XadesSignedSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesSignedSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + // missing: xades:SignedDataObjectProperties + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); +@@ -1062,19 +1161,20 @@ class XSecParser::XadesSignedPropertiesContext + }; + + class XSecParser::XadesQualifyingPropertiesContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + XadesQualifyingPropertiesContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_rParser.HandleIdAttr(xAttrs); ++ CheckIdAttrReferenced(xAttrs); + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -1083,7 +1183,7 @@ class XSecParser::XadesQualifyingPropertiesContext + { + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SignedProperties") + { +- return std::make_unique<XadesSignedPropertiesContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesSignedPropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "UnsignedProperties") + { +@@ -1136,7 +1236,7 @@ class XSecParser::DcDescriptionContext + }; + + class XSecParser::DsSignaturePropertyContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + private: + enum class SignatureProperty { Unknown, Date, Description }; +@@ -1146,30 +1246,38 @@ class XSecParser::DsSignaturePropertyContext + + public: + DsSignaturePropertyContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_Id = m_rParser.HandleIdAttr(xAttrs); ++ m_Id = CheckIdAttrReferenced(xAttrs); + } + + virtual void EndElement() override + { +- switch (m_Property) ++ if (m_isReferenced) ++ { ++ switch (m_Property) ++ { ++ case SignatureProperty::Unknown: ++ SAL_INFO("xmlsecurity.helper", "Unknown property in ds:Object ignored"); ++ break; ++ case SignatureProperty::Date: ++ m_rParser.m_pXSecController->setDate(m_Id, m_Value); ++ break; ++ case SignatureProperty::Description: ++ m_rParser.m_pXSecController->setDescription(m_Id, m_Value); ++ break; ++ } ++ } ++ else + { +- case SignatureProperty::Unknown: +- SAL_INFO("xmlsecurity.helper", "Unknown property in ds:Object ignored"); +- break; +- case SignatureProperty::Date: +- m_rParser.m_pXSecController->setDate(m_Id, m_Value); +- break; +- case SignatureProperty::Description: +- m_rParser.m_pXSecController->setDescription(m_Id, m_Value); +- break; ++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureProperty"); + } + } + +@@ -1192,19 +1300,20 @@ class XSecParser::DsSignaturePropertyContext + }; + + class XSecParser::DsSignaturePropertiesContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + DsSignaturePropertiesContext(XSecParser & rParser, +- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap, ++ bool const isReferenced) ++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_rParser.HandleIdAttr(xAttrs); ++ CheckIdAttrReferenced(xAttrs); + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -1213,26 +1322,27 @@ class XSecParser::DsSignaturePropertiesContext + { + if (nNamespace == XML_NAMESPACE_DS && rName == "SignatureProperty") + { +- return std::make_unique<DsSignaturePropertyContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<DsSignaturePropertyContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); + } + }; + + class XSecParser::DsObjectContext +- : public XSecParser::Context ++ : public XSecParser::ReferencedContextImpl + { + public: + DsObjectContext(XSecParser & rParser, + std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap) +- : XSecParser::Context(rParser, std::move(pOldNamespaceMap)) ++ // init with "false" here - the Signature element can't be referenced by its child ++ : XSecParser::ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), false) + { + } + + virtual void StartElement( + css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override + { +- m_rParser.HandleIdAttr(xAttrs); ++ CheckIdAttrReferenced(xAttrs); + } + + virtual std::unique_ptr<Context> CreateChildContext( +@@ -1241,11 +1351,11 @@ class XSecParser::DsObjectContext + { + if (nNamespace == XML_NAMESPACE_DS && rName == "SignatureProperties") + { +- return std::make_unique<DsSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<DsSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + if (nNamespace == XML_NAMESPACE_XADES132 && rName == "QualifyingProperties") + { +- return std::make_unique<XadesQualifyingPropertiesContext>(m_rParser, std::move(pOldNamespaceMap)); ++ return std::make_unique<XadesQualifyingPropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced); + } + // missing: ds:Manifest + return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName); +diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx +index 7a0eb08bca28..7674bf28b84d 100644 +--- a/xmlsecurity/source/helper/xsecparser.hxx ++++ b/xmlsecurity/source/helper/xsecparser.hxx +@@ -56,6 +56,7 @@ public: + class Context; + private: + class UnknownContext; ++ class ReferencedContextImpl; + class LoPGPOwnerContext; + class DsPGPKeyPacketContext; + class DsPGPKeyIDContext; +diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx +index cdca811cc2cb..92ebfb6c72e8 100644 +--- a/xmlsecurity/source/helper/xsecverify.cxx ++++ b/xmlsecurity/source/helper/xsecverify.cxx +@@ -143,6 +143,25 @@ void XSecController::switchGpgSignature() + #endif + } + ++bool XSecController::haveReferenceForId(OUString const& rId) const ++{ ++ if (m_vInternalSignatureInformations.empty()) ++ { ++ SAL_INFO("xmlsecurity.helper","XSecController::haveReferenceForId: no signature"); ++ return false; ++ } ++ InternalSignatureInformation const& rIsi(m_vInternalSignatureInformations.back()); ++ for (SignatureReferenceInformation const& rSri : rIsi.signatureInfor.vSignatureReferenceInfors) ++ { ++ if (rSri.nType == SignatureReferenceType::SAMEDOCUMENT ++ && rSri.ouURI == rId) // ouUri has # stripped ++ { ++ return true; ++ } ++ } ++ return false; ++} ++ + void XSecController::addReference( const OUString& ouUri, sal_Int32 nDigestID, const OUString& ouType ) + { + if (m_vInternalSignatureInformations.empty()) +-- +cgit v1.2.1 + |