summaryrefslogtreecommitdiffstats
path: root/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff740
1 files changed, 740 insertions, 0 deletions
diff --git a/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff b/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff
new file mode 100644
index 000000000..5e0a9d7ee
--- /dev/null
+++ b/debian/patches/xmlsecurity-ignore-elements-in-ds:Object-that-arent-signed.diff
@@ -0,0 +1,740 @@
+From 94ce59dd02fcfcaa1eb4f195b45a9a2edbd58242 Mon Sep 17 00:00:00 2001
+From: Michael Stahl <michael.stahl@allotropia.de>
+Date: Fri, 19 Feb 2021 17:56:21 +0100
+Subject: xmlsecurity: ignore elements in ds:Object that aren't signed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I2e4411f0907b89e7ad6e0185cee8f12b600515e8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111253
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit 2bfa00e6bf4b2a310a8b8f5060acec85b5f7a3ce)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111909
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+---
+ xmlsecurity/inc/xsecctl.hxx | 1 +
+ xmlsecurity/source/helper/xsecparser.cxx | 290 +++++++++++++++++++++----------
+ xmlsecurity/source/helper/xsecparser.hxx | 1 +
+ xmlsecurity/source/helper/xsecverify.cxx | 19 ++
+ 4 files changed, 221 insertions(+), 90 deletions(-)
+
+diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
+index 759a660d90ad..ec3669128d24 100644
+--- a/xmlsecurity/inc/xsecctl.hxx
++++ b/xmlsecurity/inc/xsecctl.hxx
+@@ -252,6 +252,7 @@ private:
+ /// Sets algorithm from <SignatureMethod Algorithm="...">.
+ void setSignatureMethod(svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+ void switchGpgSignature();
++ bool haveReferenceForId(OUString const& rId) const;
+ void addReference(
+ const OUString& ouUri,
+ sal_Int32 nDigestID,
+diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
+index 1418b7b43b46..f46277f96ea1 100644
+--- a/xmlsecurity/source/helper/xsecparser.cxx
++++ b/xmlsecurity/source/helper/xsecparser.cxx
+@@ -95,6 +95,42 @@ auto XSecParser::Context::CreateChildContext(
+ return std::make_unique<UnknownContext>(m_rParser, std::move(pOldNamespaceMap));
+ }
+
++/**
++note: anything in ds:Object should be trusted *only* if there is a ds:Reference
++ to it so it is signed (exception: the xades:EncapsulatedX509Certificate).
++ ds:SignedInfo precedes all ds:Object.
++
++ There may be multiple ds:Signature for purpose of counter-signatures
++ but the way XAdES describes these, only the ds:SignatureValue element
++ would be referenced, so requiring a ds:Reference for anything in
++ ds:Object shouldn't cause issues.
++ */
++class XSecParser::ReferencedContextImpl
++ : public XSecParser::Context
++{
++ protected:
++ bool m_isReferenced;
++
++ public:
++ ReferencedContextImpl(XSecParser & rParser,
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ , m_isReferenced(isReferenced)
++ {
++ }
++
++ OUString CheckIdAttrReferenced(css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs)
++ {
++ OUString const id(m_rParser.HandleIdAttr(xAttrs));
++ if (!id.isEmpty() && m_rParser.m_pXSecController->haveReferenceForId(id))
++ {
++ m_isReferenced = true;
++ }
++ return id;
++ }
++};
++
+ class XSecParser::LoPGPOwnerContext
+ : public XSecParser::Context
+ {
+@@ -228,21 +264,29 @@ class XSecParser::DsX509CertificateContext
+ };
+
+ class XSecParser::DsX509SerialNumberContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ DsX509SerialNumberContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setX509SerialNumber(m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setX509SerialNumber(m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509SerialNumber");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -252,21 +296,29 @@ class XSecParser::DsX509SerialNumberContext
+ };
+
+ class XSecParser::DsX509IssuerNameContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ DsX509IssuerNameContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setX509IssuerName(m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setX509IssuerName(m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned X509IssuerName");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -276,12 +328,13 @@ class XSecParser::DsX509IssuerNameContext
+ };
+
+ class XSecParser::DsX509IssuerSerialContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ DsX509IssuerSerialContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+@@ -291,11 +344,11 @@ class XSecParser::DsX509IssuerSerialContext
+ {
+ if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerName")
+ {
+- return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<DsX509IssuerNameContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_DS && rName == "X509SerialNumber")
+ {
+- return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<DsX509SerialNumberContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ // missing: ds:X509SKI, ds:X509SubjectName, ds:X509CRL
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+@@ -318,7 +371,8 @@ class XSecParser::DsX509DataContext
+ {
+ if (nNamespace == XML_NAMESPACE_DS && rName == "X509IssuerSerial")
+ {
+- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap));
++ // can't require KeyInfo to be signed so pass in *true*
++ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), true);
+ }
+ if (nNamespace == XML_NAMESPACE_DS && rName == "X509Certificate")
+ {
+@@ -787,21 +841,29 @@ class XSecParser::XadesUnsignedPropertiesContext
+ };
+
+ class XSecParser::LoSignatureLineIdContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ LoSignatureLineIdContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setSignatureLineId(m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setSignatureLineId(m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineId");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -811,21 +873,29 @@ class XSecParser::LoSignatureLineIdContext
+ };
+
+ class XSecParser::LoSignatureLineValidImageContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ LoSignatureLineValidImageContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setValidSignatureImage(m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setValidSignatureImage(m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineValidImage");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -835,21 +905,29 @@ class XSecParser::LoSignatureLineValidImageContext
+ };
+
+ class XSecParser::LoSignatureLineInvalidImageContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ LoSignatureLineInvalidImageContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setInvalidSignatureImage(m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setInvalidSignatureImage(m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureLineInvalidImage");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -859,12 +937,13 @@ class XSecParser::LoSignatureLineInvalidImageContext
+ };
+
+ class XSecParser::LoSignatureLineContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ LoSignatureLineContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+@@ -874,22 +953,22 @@ class XSecParser::LoSignatureLineContext
+ {
+ if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineId")
+ {
+- return std::make_unique<LoSignatureLineIdContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<LoSignatureLineIdContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineValidImage")
+ {
+- return std::make_unique<LoSignatureLineValidImageContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<LoSignatureLineValidImageContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLineInvalidImage")
+ {
+- return std::make_unique<LoSignatureLineInvalidImageContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<LoSignatureLineInvalidImageContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+ }
+ };
+
+ class XSecParser::XadesCertDigestContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+@@ -897,14 +976,22 @@ class XSecParser::XadesCertDigestContext
+
+ public:
+ XadesCertDigestContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setCertDigest(m_Value/* FIXME , m_nReferenceDigestID*/);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setCertDigest(m_Value/* FIXME , m_nReferenceDigestID*/);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned CertDigest");
++ }
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -924,12 +1011,13 @@ class XSecParser::XadesCertDigestContext
+ };
+
+ class XSecParser::XadesCertContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ XadesCertContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+@@ -939,23 +1027,24 @@ class XSecParser::XadesCertContext
+ {
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "CertDigest")
+ {
+- return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesCertDigestContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "IssuerSerial")
+ {
+- return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<DsX509IssuerSerialContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+ }
+ };
+
+ class XSecParser::XadesSigningCertificateContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ XadesSigningCertificateContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+@@ -965,28 +1054,36 @@ class XSecParser::XadesSigningCertificateContext
+ {
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "Cert")
+ {
+- return std::make_unique<XadesCertContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesCertContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+ }
+ };
+
+ class XSecParser::XadesSigningTimeContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ OUString m_Value;
+
+ public:
+ XadesSigningTimeContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void EndElement() override
+ {
+- m_rParser.m_pXSecController->setDate("", m_Value);
++ if (m_isReferenced)
++ {
++ m_rParser.m_pXSecController->setDate("", m_Value);
++ }
++ else
++ {
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SigningTime");
++ }
+ }
+
+ virtual void Characters(OUString const& rChars) override
+@@ -996,19 +1093,20 @@ class XSecParser::XadesSigningTimeContext
+ };
+
+ class XSecParser::XadesSignedSignaturePropertiesContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ XadesSignedSignaturePropertiesContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_rParser.HandleIdAttr(xAttrs);
++ CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -1017,15 +1115,15 @@ class XSecParser::XadesSignedSignaturePropertiesContext
+ {
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SigningTime")
+ {
+- return std::make_unique<XadesSigningTimeContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesSigningTimeContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SigningCertificate")
+ {
+- return std::make_unique<XadesSigningCertificateContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesSigningCertificateContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_LO_EXT && rName == "SignatureLine")
+ {
+- return std::make_unique<LoSignatureLineContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<LoSignatureLineContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ // missing: xades:SignaturePolicyIdentifier, xades:SignatureProductionPlace, xades:SignerRole
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+@@ -1033,19 +1131,20 @@ class XSecParser::XadesSignedSignaturePropertiesContext
+ };
+
+ class XSecParser::XadesSignedPropertiesContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ XadesSignedPropertiesContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_rParser.HandleIdAttr(xAttrs);
++ CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -1054,7 +1153,7 @@ class XSecParser::XadesSignedPropertiesContext
+ {
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SignedSignatureProperties")
+ {
+- return std::make_unique<XadesSignedSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesSignedSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ // missing: xades:SignedDataObjectProperties
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+@@ -1062,19 +1161,20 @@ class XSecParser::XadesSignedPropertiesContext
+ };
+
+ class XSecParser::XadesQualifyingPropertiesContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ XadesQualifyingPropertiesContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_rParser.HandleIdAttr(xAttrs);
++ CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -1083,7 +1183,7 @@ class XSecParser::XadesQualifyingPropertiesContext
+ {
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "SignedProperties")
+ {
+- return std::make_unique<XadesSignedPropertiesContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesSignedPropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "UnsignedProperties")
+ {
+@@ -1136,7 +1236,7 @@ class XSecParser::DcDescriptionContext
+ };
+
+ class XSecParser::DsSignaturePropertyContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ private:
+ enum class SignatureProperty { Unknown, Date, Description };
+@@ -1146,30 +1246,38 @@ class XSecParser::DsSignaturePropertyContext
+
+ public:
+ DsSignaturePropertyContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_Id = m_rParser.HandleIdAttr(xAttrs);
++ m_Id = CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual void EndElement() override
+ {
+- switch (m_Property)
++ if (m_isReferenced)
++ {
++ switch (m_Property)
++ {
++ case SignatureProperty::Unknown:
++ SAL_INFO("xmlsecurity.helper", "Unknown property in ds:Object ignored");
++ break;
++ case SignatureProperty::Date:
++ m_rParser.m_pXSecController->setDate(m_Id, m_Value);
++ break;
++ case SignatureProperty::Description:
++ m_rParser.m_pXSecController->setDescription(m_Id, m_Value);
++ break;
++ }
++ }
++ else
+ {
+- case SignatureProperty::Unknown:
+- SAL_INFO("xmlsecurity.helper", "Unknown property in ds:Object ignored");
+- break;
+- case SignatureProperty::Date:
+- m_rParser.m_pXSecController->setDate(m_Id, m_Value);
+- break;
+- case SignatureProperty::Description:
+- m_rParser.m_pXSecController->setDescription(m_Id, m_Value);
+- break;
++ SAL_INFO("xmlsecurity.helper", "ignoring unsigned SignatureProperty");
+ }
+ }
+
+@@ -1192,19 +1300,20 @@ class XSecParser::DsSignaturePropertyContext
+ };
+
+ class XSecParser::DsSignaturePropertiesContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ DsSignaturePropertiesContext(XSecParser & rParser,
+- std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++ bool const isReferenced)
++ : ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), isReferenced)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_rParser.HandleIdAttr(xAttrs);
++ CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -1213,26 +1322,27 @@ class XSecParser::DsSignaturePropertiesContext
+ {
+ if (nNamespace == XML_NAMESPACE_DS && rName == "SignatureProperty")
+ {
+- return std::make_unique<DsSignaturePropertyContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<DsSignaturePropertyContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+ }
+ };
+
+ class XSecParser::DsObjectContext
+- : public XSecParser::Context
++ : public XSecParser::ReferencedContextImpl
+ {
+ public:
+ DsObjectContext(XSecParser & rParser,
+ std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+- : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++ // init with "false" here - the Signature element can't be referenced by its child
++ : XSecParser::ReferencedContextImpl(rParser, std::move(pOldNamespaceMap), false)
+ {
+ }
+
+ virtual void StartElement(
+ css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+ {
+- m_rParser.HandleIdAttr(xAttrs);
++ CheckIdAttrReferenced(xAttrs);
+ }
+
+ virtual std::unique_ptr<Context> CreateChildContext(
+@@ -1241,11 +1351,11 @@ class XSecParser::DsObjectContext
+ {
+ if (nNamespace == XML_NAMESPACE_DS && rName == "SignatureProperties")
+ {
+- return std::make_unique<DsSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<DsSignaturePropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ if (nNamespace == XML_NAMESPACE_XADES132 && rName == "QualifyingProperties")
+ {
+- return std::make_unique<XadesQualifyingPropertiesContext>(m_rParser, std::move(pOldNamespaceMap));
++ return std::make_unique<XadesQualifyingPropertiesContext>(m_rParser, std::move(pOldNamespaceMap), m_isReferenced);
+ }
+ // missing: ds:Manifest
+ return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx
+index 7a0eb08bca28..7674bf28b84d 100644
+--- a/xmlsecurity/source/helper/xsecparser.hxx
++++ b/xmlsecurity/source/helper/xsecparser.hxx
+@@ -56,6 +56,7 @@ public:
+ class Context;
+ private:
+ class UnknownContext;
++ class ReferencedContextImpl;
+ class LoPGPOwnerContext;
+ class DsPGPKeyPacketContext;
+ class DsPGPKeyIDContext;
+diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
+index cdca811cc2cb..92ebfb6c72e8 100644
+--- a/xmlsecurity/source/helper/xsecverify.cxx
++++ b/xmlsecurity/source/helper/xsecverify.cxx
+@@ -143,6 +143,25 @@ void XSecController::switchGpgSignature()
+ #endif
+ }
+
++bool XSecController::haveReferenceForId(OUString const& rId) const
++{
++ if (m_vInternalSignatureInformations.empty())
++ {
++ SAL_INFO("xmlsecurity.helper","XSecController::haveReferenceForId: no signature");
++ return false;
++ }
++ InternalSignatureInformation const& rIsi(m_vInternalSignatureInformations.back());
++ for (SignatureReferenceInformation const& rSri : rIsi.signatureInfor.vSignatureReferenceInfors)
++ {
++ if (rSri.nType == SignatureReferenceType::SAMEDOCUMENT
++ && rSri.ouURI == rId) // ouUri has # stripped
++ {
++ return true;
++ }
++ }
++ return false;
++}
++
+ void XSecController::addReference( const OUString& ouUri, sal_Int32 nDigestID, const OUString& ouType )
+ {
+ if (m_vInternalSignatureInformations.empty())
+--
+cgit v1.2.1
+