From 267c6f2ac71f92999e969232431ba04678e7437e Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 15 Apr 2024 07:54:39 +0200
Subject: Adding upstream version 4:24.2.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 xmlsecurity/inc/UriBindingHelper.hxx               |  51 +++
 xmlsecurity/inc/biginteger.hxx                     |  51 +++
 xmlsecurity/inc/bitmaps.hlst                       |  21 ++
 xmlsecurity/inc/certificate.hxx                    |  43 +++
 xmlsecurity/inc/certificatechooser.hxx             | 117 ++++++
 xmlsecurity/inc/certificateviewer.hxx              | 159 ++++++++
 xmlsecurity/inc/digitalsignaturesdialog.hxx        | 124 +++++++
 xmlsecurity/inc/documentsignaturehelper.hxx        | 104 ++++++
 xmlsecurity/inc/documentsignaturemanager.hxx       | 136 +++++++
 xmlsecurity/inc/framework/saxeventkeeperimpl.hxx   | 290 +++++++++++++++
 xmlsecurity/inc/framework/securityengine.hxx       | 142 +++++++
 xmlsecurity/inc/framework/signaturecreatorimpl.hxx |  96 +++++
 xmlsecurity/inc/framework/signatureengine.hxx      | 116 ++++++
 .../inc/framework/signatureverifierimpl.hxx        |  88 +++++
 .../inc/framework/xmlsignaturetemplateimpl.hxx     |  95 +++++
 xmlsecurity/inc/gpg/SEInitializer.hxx              |  47 +++
 xmlsecurity/inc/gpg/xmlsignature_gpgimpl.hxx       |  77 ++++
 xmlsecurity/inc/macrosecurity.hxx                  | 126 +++++++
 xmlsecurity/inc/pch/precompiled_xmlsecurity.cxx    |  12 +
 xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx    | 200 ++++++++++
 xmlsecurity/inc/pch/precompiled_xsec_xmlsec.cxx    |  12 +
 xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx    | 149 ++++++++
 xmlsecurity/inc/pdfsignaturehelper.hxx             |  73 ++++
 xmlsecurity/inc/resourcemanager.hxx                |  26 ++
 xmlsecurity/inc/strings.hrc                        |  68 ++++
 xmlsecurity/inc/xmlsec-wrapper.h                   |  43 +++
 xmlsecurity/inc/xmlsec/errorcallback.hxx           |  30 ++
 xmlsecurity/inc/xmlsec/saxhelper.hxx               |  86 +++++
 .../inc/xmlsec/xmldocumentwrapper_xmlsecimpl.hxx   | 208 +++++++++++
 xmlsecurity/inc/xmlsec/xmlsec_init.hxx             |  17 +
 xmlsecurity/inc/xmlsec/xmlstreamio.hxx             |  39 ++
 xmlsecurity/inc/xmlsecuritydllapi.h                |  20 +
 xmlsecurity/inc/xmlsignaturehelper.hxx             | 176 +++++++++
 xmlsecurity/inc/xsecctl.hxx                        | 408 +++++++++++++++++++++
 xmlsecurity/inc/xsecxmlsecdllapi.h                 |  20 +
 35 files changed, 3470 insertions(+)
 create mode 100644 xmlsecurity/inc/UriBindingHelper.hxx
 create mode 100644 xmlsecurity/inc/biginteger.hxx
 create mode 100644 xmlsecurity/inc/bitmaps.hlst
 create mode 100644 xmlsecurity/inc/certificate.hxx
 create mode 100644 xmlsecurity/inc/certificatechooser.hxx
 create mode 100644 xmlsecurity/inc/certificateviewer.hxx
 create mode 100644 xmlsecurity/inc/digitalsignaturesdialog.hxx
 create mode 100644 xmlsecurity/inc/documentsignaturehelper.hxx
 create mode 100644 xmlsecurity/inc/documentsignaturemanager.hxx
 create mode 100644 xmlsecurity/inc/framework/saxeventkeeperimpl.hxx
 create mode 100644 xmlsecurity/inc/framework/securityengine.hxx
 create mode 100644 xmlsecurity/inc/framework/signaturecreatorimpl.hxx
 create mode 100644 xmlsecurity/inc/framework/signatureengine.hxx
 create mode 100644 xmlsecurity/inc/framework/signatureverifierimpl.hxx
 create mode 100644 xmlsecurity/inc/framework/xmlsignaturetemplateimpl.hxx
 create mode 100644 xmlsecurity/inc/gpg/SEInitializer.hxx
 create mode 100644 xmlsecurity/inc/gpg/xmlsignature_gpgimpl.hxx
 create mode 100644 xmlsecurity/inc/macrosecurity.hxx
 create mode 100644 xmlsecurity/inc/pch/precompiled_xmlsecurity.cxx
 create mode 100644 xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx
 create mode 100644 xmlsecurity/inc/pch/precompiled_xsec_xmlsec.cxx
 create mode 100644 xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx
 create mode 100644 xmlsecurity/inc/pdfsignaturehelper.hxx
 create mode 100644 xmlsecurity/inc/resourcemanager.hxx
 create mode 100644 xmlsecurity/inc/strings.hrc
 create mode 100644 xmlsecurity/inc/xmlsec-wrapper.h
 create mode 100644 xmlsecurity/inc/xmlsec/errorcallback.hxx
 create mode 100644 xmlsecurity/inc/xmlsec/saxhelper.hxx
 create mode 100644 xmlsecurity/inc/xmlsec/xmldocumentwrapper_xmlsecimpl.hxx
 create mode 100644 xmlsecurity/inc/xmlsec/xmlsec_init.hxx
 create mode 100644 xmlsecurity/inc/xmlsec/xmlstreamio.hxx
 create mode 100644 xmlsecurity/inc/xmlsecuritydllapi.h
 create mode 100644 xmlsecurity/inc/xmlsignaturehelper.hxx
 create mode 100644 xmlsecurity/inc/xsecctl.hxx
 create mode 100644 xmlsecurity/inc/xsecxmlsecdllapi.h

(limited to 'xmlsecurity/inc')

diff --git a/xmlsecurity/inc/UriBindingHelper.hxx b/xmlsecurity/inc/UriBindingHelper.hxx
new file mode 100644
index 0000000000..67c9ae69f8
--- /dev/null
+++ b/xmlsecurity/inc/UriBindingHelper.hxx
@@ -0,0 +1,51 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <rtl/ustring.hxx>
+
+#include <cppuhelper/implbase.hxx>
+
+#include <com/sun/star/xml/crypto/XUriBinding.hpp>
+
+namespace com::sun::star {
+    namespace io { class XInputStream; }
+    namespace embed { class XStorage; }
+}
+
+// XUriBinding
+
+class UriBindingHelper final : public cppu::WeakImplHelper< css::xml::crypto::XUriBinding >
+{
+private:
+    css::uno::Reference < css::embed::XStorage > mxStorage;
+
+public:
+    UriBindingHelper();
+    explicit UriBindingHelper( const css::uno::Reference < css::embed::XStorage >& rxStorage );
+
+    void SAL_CALL setUriBinding( const OUString& uri, const css::uno::Reference< css::io::XInputStream >& aInputStream ) override;
+
+    css::uno::Reference< css::io::XInputStream > SAL_CALL getUriBinding( const OUString& uri ) override;
+
+    static css::uno::Reference < css::io::XInputStream > OpenInputStream( const css::uno::Reference < css::embed::XStorage >& rxStore, const OUString& rURI );
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/biginteger.hxx b/xmlsecurity/inc/biginteger.hxx
new file mode 100644
index 0000000000..fc99320c7e
--- /dev/null
+++ b/xmlsecurity/inc/biginteger.hxx
@@ -0,0 +1,51 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <sal/config.h>
+
+#include <string_view>
+
+#include <rtl/ustring.hxx>
+
+#include <com/sun/star/uno/Sequence.h>
+
+#include "xsecxmlsecdllapi.h"
+
+namespace xmlsecurity
+{
+XSECXMLSEC_DLLPUBLIC OUString bigIntegerToNumericString(const css::uno::Sequence<sal_Int8>& serial);
+XSECXMLSEC_DLLPUBLIC css::uno::Sequence<sal_Int8>
+numericStringToBigInteger(std::u16string_view serialNumber);
+
+// DNs read as strings from XML files may need to be mangled for compatibility
+// as NSS and MS CryptoAPI have different string serialisations; if the DN is
+// from an XCertificate it's "native" already and doesn't need to be mangled.
+enum EqualMode
+{
+    NOCOMPAT,
+    COMPAT_2ND,
+    COMPAT_BOTH
+};
+XSECXMLSEC_DLLPUBLIC bool EqualDistinguishedNames(std::u16string_view rName1,
+                                                  std::u16string_view rName2, EqualMode eMode);
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/bitmaps.hlst b/xmlsecurity/inc/bitmaps.hlst
new file mode 100644
index 0000000000..4224881839
--- /dev/null
+++ b/xmlsecurity/inc/bitmaps.hlst
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+inline constexpr OUString BMP_STATE_NOT_VALIDATED = u"xmlecurity/res/notcertificate_40x56.png"_ustr;
+
+#define BMP_CERT_OK                     "xmlsecurity/res/certificate_16.png"
+#define BMP_CERT_NOT_OK                 "xmlsecurity/res/notcertificate_16.png"
+
+inline constexpr OUString BMP_SIG_VALID = u"xmlsecurity/res/signet_11x16.png"_ustr;
+inline constexpr OUString BMP_SIG_INVALID = u"svx/res/caution_11x16.png"_ustr;
+inline constexpr OUString BMP_SIG_NOT_VALIDATED = u"xmlsecurity/res/notcertificate_16.png"_ustr;
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
diff --git a/xmlsecurity/inc/certificate.hxx b/xmlsecurity/inc/certificate.hxx
new file mode 100644
index 0000000000..8357f50651
--- /dev/null
+++ b/xmlsecurity/inc/certificate.hxx
@@ -0,0 +1,43 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <sal/types.h>
+
+#include <com/sun/star/uno/Sequence.hxx>
+
+namespace svl
+{
+namespace crypto
+{
+enum class SignatureMethodAlgorithm;
+}
+}
+
+namespace xmlsecurity
+{
+/// Extension of css::security::XCertificate for module-internal purposes.
+class SAL_NO_VTABLE SAL_DLLPUBLIC_RTTI SAL_LOPLUGIN_ANNOTATE("crosscast") Certificate
+{
+public:
+    /// Returns the SHA-256 thumbprint.
+    ///
+    /// @throws css::uno::RuntimeException
+    virtual css::uno::Sequence<sal_Int8> getSHA256Thumbprint() = 0;
+
+    /// Same as getSubjectPublicKeyAlgorithm(), but returns an ID, not a string.
+    virtual svl::crypto::SignatureMethodAlgorithm getSignatureMethodAlgorithm() = 0;
+
+protected:
+    ~Certificate() noexcept = default;
+};
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/certificatechooser.hxx b/xmlsecurity/inc/certificatechooser.hxx
new file mode 100644
index 0000000000..12303fbf1c
--- /dev/null
+++ b/xmlsecurity/inc/certificatechooser.hxx
@@ -0,0 +1,117 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/uno/Sequence.hxx>
+#include <vcl/weld.hxx>
+#include <unotools/resmgr.hxx>
+#include <unotools/useroptions.hxx>
+#include <unordered_map>
+
+namespace com::sun::star {
+    namespace security { class XCertificate; }
+    namespace xml::crypto {
+        class XSecurityEnvironment;
+    }
+}
+
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+
+struct UserData
+{
+    css::uno::Reference<css::security::XCertificate> xCertificate;
+    css::uno::Reference<css::xml::crypto::XXMLSecurityContext> xSecurityContext;
+    css::uno::Reference<css::xml::crypto::XSecurityEnvironment> xSecurityEnvironment;
+};
+
+enum class UserAction
+{
+    Sign,
+    SelectSign, // Select signing certificate
+    Encrypt
+};
+
+class CertificateChooser final : public weld::GenericDialogController
+{
+private:
+    static inline CertificateChooser* mxInstance = nullptr;
+
+    std::vector< css::uno::Reference< css::xml::crypto::XXMLSecurityContext > > mxSecurityContexts;
+    std::vector<std::shared_ptr<UserData>> mvUserData;
+
+    bool                    mbInitialized;
+    UserAction const        meAction;
+    OUString                msPreferredKey;
+    css::uno::Reference<css::security::XCertificate> mxEncryptToSelf;
+
+    std::unique_ptr<weld::Label>    m_xFTSign;
+    std::unique_ptr<weld::Label>    m_xFTEncrypt;
+    std::unique_ptr<weld::TreeView> m_xCertLB;
+    std::unique_ptr<weld::Button>   m_xViewBtn;
+    std::unique_ptr<weld::Button>   m_xOKBtn;
+    std::unique_ptr<weld::Label>    m_xFTDescription;
+    std::unique_ptr<weld::Entry>    m_xDescriptionED;
+    std::unique_ptr<weld::Entry>    m_xSearchBox;
+    std::unique_ptr<weld::Button>   m_xReloadBtn;
+
+    std::unordered_map<css::uno::Reference< css::xml::crypto::XXMLSecurityContext>,
+        css::uno::Sequence< css::uno::Reference< css::security::XCertificate > > > xMemCerts;
+
+    DECL_LINK(ReloadButtonHdl, weld::Button&, void);
+    DECL_LINK(ViewButtonHdl, weld::Button&, void);
+    DECL_LINK(CertificateHighlightHdl, weld::TreeView&, void);
+    DECL_LINK(CertificateSelectHdl, weld::TreeView&, bool);
+    DECL_LINK(SearchModifyHdl, weld::Entry&, void);
+
+    void ImplShowCertificateDetails();
+    void ImplInitialize(bool mbSearch = false);
+    void ImplReloadCertificates();
+    static void HandleOneUsageBit(OUString& string, int& bits, int bit, TranslateId name);
+
+public:
+    CertificateChooser(weld::Window* pParent,
+                       std::vector< css::uno::Reference< css::xml::crypto::XXMLSecurityContext > > && rxSecurityContexts,
+                       UserAction eAction);
+    virtual ~CertificateChooser() override;
+
+    static CertificateChooser* getInstance(weld::Window* _pParent,
+                        std::vector< css::uno::Reference< css::xml::crypto::XXMLSecurityContext > > && rxSecurityContexts,
+                        UserAction eAction) {
+        if (!mxInstance)
+        {
+            mxInstance = new CertificateChooser(_pParent, std::move(rxSecurityContexts), eAction);
+        }
+        return mxInstance;
+    }
+
+    short run() override;
+
+    css::uno::Sequence<css::uno::Reference< css::security::XCertificate > > GetSelectedCertificates();
+    css::uno::Reference< css::xml::crypto::XXMLSecurityContext > GetSelectedSecurityContext() const;
+    /// Gets the description string provided when selecting the certificate.
+    OUString GetDescription() const;
+
+    /// Returns the usage string of the selected certificate, if any.
+    OUString GetUsageText();
+
+    static OUString UsageInClearText(int bits);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/certificateviewer.hxx b/xmlsecurity/inc/certificateviewer.hxx
new file mode 100644
index 0000000000..2db66ddba2
--- /dev/null
+++ b/xmlsecurity/inc/certificateviewer.hxx
@@ -0,0 +1,159 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <utility>
+#include <vcl/weld.hxx>
+
+namespace com::sun::star {
+    namespace security { class XCertificate; }
+    namespace xml::crypto { class XSecurityEnvironment; }
+}
+
+class CertificateViewerGeneralTP;
+class CertificateViewerDetailsTP;
+class CertificateViewerCertPathTP;
+class CertificateChooser;
+
+class CertificateViewer final : public weld::GenericDialogController
+{
+private:
+    friend class CertificateViewerGeneralTP;
+    friend class CertificateViewerDetailsTP;
+    friend class CertificateViewerCertPathTP;
+
+    bool const          mbCheckForPrivateKey;
+
+    css::uno::Reference< css::xml::crypto::XSecurityEnvironment > mxSecurityEnvironment;
+    css::uno::Reference< css::security::XCertificate > mxCert;
+
+    CertificateChooser* mpParentChooser;
+
+    std::unique_ptr<weld::Notebook> mxTabCtrl;
+
+    std::unique_ptr<CertificateViewerGeneralTP> mxGeneralPage;
+    std::unique_ptr<CertificateViewerDetailsTP> mxDetailsPage;
+    std::unique_ptr<CertificateViewerCertPathTP> mxPathId;
+
+    DECL_LINK(ActivatePageHdl, const OUString&, void);
+
+public:
+    CertificateViewer(weld::Window* pParent, const css::uno::Reference< css::xml::crypto::XSecurityEnvironment >& rxSecurityEnvironment, const css::uno::Reference< css::security::XCertificate >& rXCert, bool bCheckForPrivateKey, CertificateChooser* pParentChooser);
+    CertificateChooser* GetParentChooser() { return mpParentChooser; }
+};
+
+class CertificateViewerTP
+{
+protected:
+    std::unique_ptr<weld::Builder> mxBuilder;
+    std::unique_ptr<weld::Container> mxContainer;
+    CertificateViewer* mpDlg;
+
+public:
+    CertificateViewerTP(weld::Container* pParent, const OUString& rUIXMLDescription,
+                        const OUString& rID, CertificateViewer* pDlg);
+};
+
+class CertificateViewerGeneralTP : public CertificateViewerTP
+{
+private:
+    std::unique_ptr<weld::Image> m_xCertImg;
+    std::unique_ptr<weld::Label> m_xHintNotTrustedFT;
+    std::unique_ptr<weld::Label> m_xIssuedToLabelFT;
+    std::unique_ptr<weld::Label> m_xIssuedToFT;
+    std::unique_ptr<weld::Label> m_xIssuedByLabelFT;
+    std::unique_ptr<weld::Label> m_xIssuedByFT;
+    std::unique_ptr<weld::Label> m_xValidFromDateFT;
+    std::unique_ptr<weld::Label> m_xValidToDateFT;
+    std::unique_ptr<weld::Image> m_xKeyImg;
+    std::unique_ptr<weld::Label> m_xHintCorrespPrivKeyFT;
+
+public:
+    CertificateViewerGeneralTP(weld::Container* pParent, CertificateViewer* pDlg);
+};
+
+struct Details_UserDatat
+{
+    OUString const  maTxt;
+    bool const      mbFixedWidthFont;
+
+    Details_UserDatat(OUString aTxt, bool bFixedWidthFont)
+        : maTxt(std::move(aTxt))
+        , mbFixedWidthFont(bFixedWidthFont)
+    {
+    }
+};
+
+class CertificateViewerDetailsTP : public CertificateViewerTP
+{
+private:
+    std::vector<std::unique_ptr<Details_UserDatat>> m_aUserData;
+
+    std::unique_ptr<weld::TreeView> m_xElementsLB;
+    std::unique_ptr<weld::TextView> m_xValueDetails;
+
+    DECL_LINK(ElementSelectHdl, weld::TreeView&, void);
+    void                InsertElement(const OUString& rField, const OUString& rValue,
+                                      const OUString& rDetails, bool bFixedWidthFont = false);
+public:
+    CertificateViewerDetailsTP(weld::Container* pParent, CertificateViewer* pDlg);
+};
+
+struct CertPath_UserData
+{
+    css::uno::Reference< css::security::XCertificate > mxCert;
+    bool const mbValid;
+
+    CertPath_UserData(css::uno::Reference<css::security::XCertificate> xCert, bool bValid)
+        : mxCert(std::move(xCert))
+        , mbValid(bValid)
+    {
+    }
+};
+
+class CertificateViewerCertPathTP : public CertificateViewerTP
+{
+private:
+    CertificateViewer*  mpParent;
+    bool                mbFirstActivateDone;
+
+    std::vector<std::unique_ptr<CertPath_UserData>> maUserData;
+    std::shared_ptr<CertificateViewer> mxCertificateViewer;
+
+    std::unique_ptr<weld::TreeView> mxCertPathLB;
+    std::unique_ptr<weld::TreeIter> mxScratchIter;
+    std::unique_ptr<weld::Button> mxViewCertPB;
+    std::unique_ptr<weld::TextView> mxCertStatusML;
+    std::unique_ptr<weld::Label> mxCertOK;
+    std::unique_ptr<weld::Label> mxCertNotValidated;
+
+    DECL_LINK(ViewCertHdl, weld::Button&, void);
+    DECL_LINK(CertSelectHdl, weld::TreeView&, void);
+    void                InsertCert(const weld::TreeIter* pParent, const OUString& _rName,
+                                   const css::uno::Reference< css::security::XCertificate >& rxCert,
+                                   bool bValid);
+
+public:
+    CertificateViewerCertPathTP(weld::Container* pParent, CertificateViewer* pDlg);
+    ~CertificateViewerCertPathTP();
+    void ActivatePage();
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/digitalsignaturesdialog.hxx b/xmlsecurity/inc/digitalsignaturesdialog.hxx
new file mode 100644
index 0000000000..08db226fb8
--- /dev/null
+++ b/xmlsecurity/inc/digitalsignaturesdialog.hxx
@@ -0,0 +1,124 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <vcl/weld.hxx>
+#include <com/sun/star/beans/PropertyValue.hpp>
+
+#include "documentsignaturehelper.hxx"
+#include "xmlsignaturehelper.hxx"
+#include "documentsignaturemanager.hxx"
+
+#include <vector>
+
+namespace com::sun::star {
+    namespace lang { class XMultiServiceFactory; }
+    namespace io { class XStream; }
+    namespace embed { class XStorage; }
+    namespace xml::dom { class XDocumentBuilder; }
+}
+
+
+class HeaderBar;
+class CertificateViewer;
+
+class DigitalSignaturesDialog final : public weld::GenericDialogController
+{
+private:
+    DocumentSignatureManager maSignatureManager;
+    bool                    mbVerifySignatures;
+    bool                    mbSignaturesChanged;
+
+    OUString const m_sODFVersion;
+    //Signals if the document contains already a document signature. This is only
+    //important when we are signing macros and if the value is true.
+    bool const m_bHasDocumentSignature;
+    bool m_bWarningShowSignMacro;
+
+    bool m_bAdESCompliant = true;
+
+    std::unique_ptr<weld::Label>       m_xHintDocFT;
+    std::unique_ptr<weld::Label>       m_xHintBasicFT;
+    std::unique_ptr<weld::Label>       m_xHintPackageFT;
+    std::unique_ptr<weld::TreeView>    m_xSignaturesLB;
+    std::unique_ptr<weld::Image>       m_xSigsValidImg;
+    std::unique_ptr<weld::Label>       m_xSigsValidFI;
+    std::unique_ptr<weld::Image>       m_xSigsInvalidImg;
+    std::unique_ptr<weld::Label>       m_xSigsInvalidFI;
+    std::unique_ptr<weld::Image>       m_xSigsNotvalidatedImg;
+    std::unique_ptr<weld::Label>       m_xSigsNotvalidatedFI;
+    std::unique_ptr<weld::Image>       m_xSigsOldSignatureImg;
+    std::unique_ptr<weld::Label>       m_xSigsOldSignatureFI;
+    std::unique_ptr<weld::Button>      m_xViewBtn;
+    std::unique_ptr<weld::Button>      m_xAddBtn;
+    std::unique_ptr<weld::Button>      m_xRemoveBtn;
+    std::unique_ptr<weld::Button>      m_xStartCertMgrBtn;
+    std::unique_ptr<weld::Button>      m_xCloseBtn;
+
+    std::shared_ptr<CertificateViewer> m_xViewer;
+    std::shared_ptr<weld::MessageDialog> m_xInfoBox;
+
+    DECL_LINK(ViewButtonHdl, weld::Button&, void);
+    DECL_LINK(AddButtonHdl, weld::Button&, void);
+    DECL_LINK(RemoveButtonHdl, weld::Button&, void);
+    DECL_LINK(SignatureHighlightHdl, weld::TreeView&, void);
+    DECL_LINK(SignatureSelectHdl, weld::TreeView&, bool);
+    DECL_LINK(StartVerifySignatureHdl, LinkParamNone*, bool);
+    DECL_LINK(OKButtonHdl, weld::Button&, void);
+    DECL_LINK(CertMgrButtonHdl, weld::Button&, void);
+
+    void                ImplGetSignatureInformations(bool bUseTempStream, bool bCacheLastSignature);
+    void                ImplFillSignaturesBox();
+    void                ImplShowSignaturesDetails();
+
+    css::uno::Reference<css::security::XCertificate> getCertificate(const SignatureInformation& rInfo);
+    css::uno::Reference<css::xml::crypto::XSecurityEnvironment> getSecurityEnvironmentForCertificate(
+        const css::uno::Reference<css::security::XCertificate>& xCert);
+
+    //Checks if adding is allowed.
+    //See the spec at specs/www/appwide/security/Electronic_Signatures_and_Security.sxw
+    //(6.6.2)Behaviour with regard to ODF 1.2
+    bool canAdd();
+    bool canRemove();
+
+    bool canAddRemove();
+
+public:
+    DigitalSignaturesDialog(weld::Window* pParent, const css::uno::Reference<
+        css::uno::XComponentContext >& rxCtx, DocumentSignatureMode eMode,
+        bool bReadOnly, OUString sODFVersion, bool bHasDocumentSignature);
+    virtual ~DigitalSignaturesDialog() override;
+
+    // Initialize the dialog and the security environment, returns TRUE on success
+    bool    Init();
+
+            // Set the storage which should be signed or verified
+    void    SetStorage( const css::uno::Reference < css::embed::XStorage >& rxStore );
+    void    SetSignatureStream( const css::uno::Reference < css::io::XStream >& rxStream );
+
+    // Execute the dialog...
+    void    beforeRun();
+    short   run() override;
+
+                // Did signatures change?
+    bool    SignaturesChanged() const { return mbSignaturesChanged; }
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/documentsignaturehelper.hxx b/xmlsecurity/inc/documentsignaturehelper.hxx
new file mode 100644
index 0000000000..eb50b37614
--- /dev/null
+++ b/xmlsecurity/inc/documentsignaturehelper.hxx
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/uno/Reference.h>
+#include <rtl/ustring.hxx>
+#include <svl/sigstruct.hxx>
+
+#include <vector>
+
+namespace com::sun::star {
+    namespace io { class XStream; }
+    namespace embed { class XStorage; }
+}
+
+namespace com::sun::star::xml::sax { class XDocumentHandler; }
+
+enum class DocumentSignatureMode
+{
+    Content,
+    Macros,
+    Package
+};
+
+enum class DocumentSignatureAlgorithm
+{
+    OOo2,
+    OOo3_0,
+    OOo3_2
+};
+
+struct SignatureStreamHelper
+{
+    css::uno::Reference < css::embed::XStorage >    xSignatureStorage;
+    css::uno::Reference < css::io::XStream >        xSignatureStream;
+    /// If this is embed::StorageFormats::OFOPXML, then it's expected that xSignatureStream is an empty reference.
+    sal_Int32 nStorageFormat;
+
+    SignatureStreamHelper()
+        : nStorageFormat(0)
+    {
+    }
+};
+
+namespace DocumentSignatureHelper
+{
+    SignatureStreamHelper OpenSignatureStream(
+        const css::uno::Reference < css::embed::XStorage >& rxStore, sal_Int32 nOpenMode,
+        DocumentSignatureMode eDocSigMode );
+
+    std::vector< OUString > CreateElementList(
+        const css::uno::Reference < css::embed::XStorage >& rxStore,
+        DocumentSignatureMode eMode,
+        const DocumentSignatureAlgorithm mode);
+
+    bool isODFPre_1_2(std::u16string_view sODFVersion);
+    bool isOOo3_2_Signature(const SignatureInformation & sigInfo);
+
+    DocumentSignatureAlgorithm getDocumentAlgorithm(
+        std::u16string_view sODFVersion, const SignatureInformation & sigInfo);
+
+    bool CanSignWithGPG(const css::uno::Reference < css::embed::XStorage >& rxStore,
+                        std::u16string_view sOdfVersion);
+
+    bool checkIfAllFilesAreSigned( const ::std::vector< OUString > & sElementList,
+        const SignatureInformation & sigInfo, const DocumentSignatureAlgorithm alg);
+
+    bool equalsReferenceUriManifestPath(
+        std::u16string_view rUri, std::u16string_view rPath);
+
+    OUString GetDocumentContentSignatureDefaultStreamName();
+    OUString GetScriptingContentSignatureDefaultStreamName();
+    OUString GetPackageSignatureDefaultStreamName();
+
+    /// In case the storage is OOXML, prepend a leading '/' and append content type to the element URIs.
+    void AppendContentTypes(const css::uno::Reference<css::embed::XStorage>& xStorage, std::vector<OUString>& rElements);
+
+    void writeDigestMethod(
+        const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler);
+    void writeSignedProperties(
+        const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler,
+        const SignatureInformation& signatureInfo,
+        const OUString& sDate,
+        const bool bWriteSignatureLineData);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/documentsignaturemanager.hxx b/xmlsecurity/inc/documentsignaturemanager.hxx
new file mode 100644
index 0000000000..ab89e5b966
--- /dev/null
+++ b/xmlsecurity/inc/documentsignaturemanager.hxx
@@ -0,0 +1,136 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include "xmlsecuritydllapi.h"
+
+#include <memory>
+
+#include <svl/sigstruct.hxx>
+#include "xmlsignaturehelper.hxx"
+#include "documentsignaturehelper.hxx"
+
+#include <com/sun/star/xml/crypto/XSEInitializer.hpp>
+#include <unotools/tempfile.hxx>
+
+namespace com::sun::star
+{
+namespace beans
+{
+struct PropertyValue;
+}
+namespace embed
+{
+class XStorage;
+}
+namespace frame
+{
+class XModel;
+}
+namespace graphic
+{
+class XGraphic;
+}
+namespace uno
+{
+class XComponentContext;
+}
+}
+class PDFSignatureHelper;
+
+/// Manages signatures (addition, removal), used by DigitalSignaturesDialog.
+class XMLSECURITY_DLLPUBLIC DocumentSignatureManager
+{
+private:
+    css::uno::Reference<css::uno::XComponentContext> mxContext;
+    css::uno::Reference<css::embed::XStorage> mxStore;
+    XMLSignatureHelper maSignatureHelper;
+    std::unique_ptr<PDFSignatureHelper> mpPDFSignatureHelper;
+    SignatureInformations maCurrentSignatureInformations;
+    DocumentSignatureMode const meSignatureMode;
+    css::uno::Sequence<css::uno::Sequence<css::beans::PropertyValue>> m_manifest;
+    css::uno::Reference<css::io::XStream> mxSignatureStream;
+    css::uno::Reference<css::frame::XModel> mxModel;
+    rtl::Reference<utl::TempFileFastService> mxTempSignatureStream;
+    /// Storage containing all OOXML signatures, unused for ODF.
+    css::uno::Reference<css::embed::XStorage> mxTempSignatureStorage;
+    css::uno::Reference<css::xml::crypto::XSEInitializer> mxSEInitializer;
+    css::uno::Reference<css::xml::crypto::XXMLSecurityContext> mxSecurityContext;
+    css::uno::Reference<css::xml::crypto::XSEInitializer> mxGpgSEInitializer;
+    css::uno::Reference<css::xml::crypto::XXMLSecurityContext> mxGpgSecurityContext;
+
+public:
+    DocumentSignatureManager(const css::uno::Reference<css::uno::XComponentContext>& xContext,
+                             DocumentSignatureMode eMode);
+    ~DocumentSignatureManager();
+
+    /**
+     * Checks if a particular stream is a valid xml stream. Those are treated
+     * differently when they are signed (c14n transformation)
+     */
+    bool isXML(std::u16string_view rURI);
+    bool readManifest();
+
+    SignatureStreamHelper ImplOpenSignatureStream(sal_Int32 nStreamOpenMode, bool bTempStream);
+    /// Add a new signature, using xCert as a signing certificate, and rDescription as description.
+    bool add(const css::uno::Reference<css::security::XCertificate>& xCert,
+             const css::uno::Reference<css::xml::crypto::XXMLSecurityContext>& xSecurityContext,
+             const OUString& rDescription, sal_Int32& nSecurityId, bool bAdESCompliant,
+             const OUString& rSignatureLineId = OUString(),
+             const css::uno::Reference<css::graphic::XGraphic>& xValidGraphic
+             = css::uno::Reference<css::graphic::XGraphic>(),
+             const css::uno::Reference<css::graphic::XGraphic>& xInvalidGraphic
+             = css::uno::Reference<css::graphic::XGraphic>());
+    /// Remove signature at nPosition.
+    void remove(sal_uInt16 nPosition);
+    /// Read signatures from either a temp stream or the real storage.
+    void read(bool bUseTempStream, bool bCacheLastSignature = true);
+    /// Write signatures back to the persistent storage.
+    void write(bool bXAdESCompliantIfODF);
+    /// Lazy creation of PDF helper.
+    PDFSignatureHelper& getPDFSignatureHelper();
+#if 0
+    // Checks if the document is a kind where it is relevant to distinguish between using XAdES or not
+    bool IsXAdESRelevant();
+#endif
+    /// Attempts to initialize the platform-specific crypto.
+    bool init();
+    /// Get the security environment.
+    css::uno::Reference<css::xml::crypto::XSecurityEnvironment> getSecurityEnvironment();
+    css::uno::Reference<css::xml::crypto::XSecurityEnvironment> getGpgSecurityEnvironment();
+    css::uno::Reference<css::xml::crypto::XXMLSecurityContext> const& getSecurityContext() const;
+    css::uno::Reference<css::xml::crypto::XXMLSecurityContext> const& getGpgSecurityContext() const;
+    void setStore(const css::uno::Reference<css::embed::XStorage>& xStore) { mxStore = xStore; }
+    XMLSignatureHelper& getSignatureHelper() { return maSignatureHelper; }
+    bool hasPDFSignatureHelper() const { return bool(mpPDFSignatureHelper); }
+    void setSignatureStream(const css::uno::Reference<css::io::XStream>& xSignatureStream)
+    {
+        mxSignatureStream = xSignatureStream;
+    }
+    void setModel(const css::uno::Reference<css::frame::XModel>& xModel);
+    const css::uno::Reference<css::embed::XStorage>& getStore() const { return mxStore; }
+    DocumentSignatureMode getSignatureMode() const { return meSignatureMode; }
+    SignatureInformations& getCurrentSignatureInformations()
+    {
+        return maCurrentSignatureInformations;
+    }
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/saxeventkeeperimpl.hxx b/xmlsecurity/inc/framework/saxeventkeeperimpl.hxx
new file mode 100644
index 0000000000..161b9a9361
--- /dev/null
+++ b/xmlsecurity/inc/framework/saxeventkeeperimpl.hxx
@@ -0,0 +1,290 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/crypto/sax/XSecuritySAXEventKeeper.hpp>
+#include <com/sun/star/xml/crypto/sax/XReferenceResolvedBroadcaster.hpp>
+#include <com/sun/star/xml/crypto/sax/XSAXEventKeeperStatusChangeBroadcaster.hpp>
+#include <com/sun/star/xml/sax/XDocumentHandler.hpp>
+#include <com/sun/star/lang/XInitialization.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <xmlsecuritydllapi.h>
+#include <cppuhelper/implbase.hxx>
+#include <vector>
+#include <memory>
+
+class BufferNode;
+class ElementMark;
+class ElementCollector;
+namespace com::sun::star::xml::crypto::sax { class XSAXEventKeeperStatusChangeListener; }
+namespace com::sun::star::xml::csax { class XCompressedDocumentHandler; }
+namespace com::sun::star::xml::wrapper { class XXMLDocumentWrapper; }
+
+
+class SAXEventKeeperImpl final : public cppu::WeakImplHelper
+<
+    css::xml::crypto::sax::XSecuritySAXEventKeeper,
+    css::xml::crypto::sax::XReferenceResolvedBroadcaster,
+    css::xml::crypto::sax::XSAXEventKeeperStatusChangeBroadcaster,
+    css::xml::sax::XDocumentHandler,
+    css::lang::XInitialization,
+    css::lang::XServiceInfo
+>
+/****** SAXEventKeeperImpl.hxx/CLASS SAXEventKeeperImpl ***********************
+ *
+ *   NAME
+ *  SAXEventKeeperImpl -- SAX events buffer controller
+ *
+ *   FUNCTION
+ *  Controls SAX events to be buffered, and controls buffered SAX events
+ *  to be released.
+ ******************************************************************************/
+{
+private:
+    /*
+     * the XMLDocumentWrapper component which maintains all buffered SAX
+     * in DOM format.
+     */
+    css::uno::Reference< css::xml::wrapper::XXMLDocumentWrapper >
+        m_xXMLDocument;
+
+    /*
+     * the document handler provided by the XMLDocumentWrapper component.
+     */
+    css::uno::Reference< css::xml::sax::XDocumentHandler > m_xDocumentHandler;
+
+    /*
+     * the compressed document handler provided by the XMLDocumentWrapper
+     * component, the handler has more efficient method definition that the
+     * normal document handler.
+     */
+    css::uno::Reference< css::xml::csax::XCompressedDocumentHandler >
+        m_xCompressedDocumentHandler;
+
+    /*
+     * a listener which receives this SAXEventKeeper's status change
+     * notification.
+     * Based on the status changes, the listener can decide whether the
+     * SAXEventKeeper should chain on/chain off the SAX chain, or whether
+     * the SAXEventKeeper is useless any long.
+     */
+    css::uno::Reference< css::xml::crypto::sax::XSAXEventKeeperStatusChangeListener >
+        m_xSAXEventKeeperStatusChangeListener;
+
+    /*
+     * the root node of the BufferNode tree.
+     * the BufferNode tree is used to keep track of all buffered elements,
+     * it has the same structure with the document which maintains those
+     * elements physically.
+     */
+    std::unique_ptr<BufferNode>  m_pRootBufferNode;
+
+    /*
+     * the current active BufferNode.
+     * this is used to keep track the current location in the BufferNode tree,
+     * the next generated BufferNode will become a child BufferNode of it.
+     */
+    BufferNode*  m_pCurrentBufferNode;
+
+    /*
+     * the next Id for a coming ElementMark.
+     * the variable is increased by 1 when a new ElementMark is generated,
+     * in this way, we can promise the Id of any ElementMark is unique.
+     */
+    sal_Int32    m_nNextElementMarkId;
+
+    /*
+     * maintains a collection of all ElementMarks.
+     */
+    std::vector<std::unique_ptr<const ElementMark>> m_vElementMarkBuffers;
+
+    /*
+     * maintains a list of new ElementCollectors that will be created
+     * on the element represented by the next incoming startElement SAX
+     * event.
+     * The reason that such the m_vNewElementCollectors is necessary
+     * is: when an ElementCollector is asked to create, it can't be
+     * created completely at once, because the BufferNode it will be
+     * working on has not been created until the next startElement
+     * SAX event comes.
+     */
+    std::vector< const ElementCollector* > m_vNewElementCollectors;
+
+    /*
+     * maintains the new Blocker that will be created
+     * on the element represented by the next incoming startElement SAX
+     * event.
+     */
+    ElementMark* m_pNewBlocker;
+
+    /*
+     * the document handler to which all received SAX events will be
+     * forwarded.
+     */
+    css::uno::Reference< css::xml::sax::XDocumentHandler > m_xNextHandler;
+
+    /*
+     * the current BufferNode which prevents the SAX events to be
+     * forwarded to the m_xNextHandler.
+     */
+    BufferNode*  m_pCurrentBlockingBufferNode;
+
+    /*
+     * maintains a list of ElementMark that has been asked to release.
+     * Because during processing a request of releasing an ElementMark,
+     * another releasing ElementMark request can be invoked. To avoid
+     * reentering the same method, a such request only add that ElementMark
+     * into this ElementMark list, then all ElementMarks will be processed in
+     * order.
+     */
+    std::vector< sal_Int32 > m_vReleasedElementMarkBuffers;
+
+    /*
+     * a flag to indicate whether the ElementMark releasing process is running.
+     * When a releasing request comes, the assigned ElementMark is added to
+     * the m_vReleasedElementMarkBuffers first, then this flag is checked.
+     * If the ElementMark releasing process is not running, then call that
+     * method.
+     */
+    bool     m_bIsReleasing;
+
+    /*
+     * a flag to indicate whether it is the "Forwarding" mode now.
+     * A "Forwarding" mode means that all received SAX events are from the
+     * XMLDocumentWrapper component, instead of up-stream component in the
+     * SAX chain.
+     * The difference between "Forwarding" mode and normal mode is that:
+     * no SAX events need to be transferred to the XMLDocumentWrapper component
+     * again even if a buffer request happens.
+     */
+    bool     m_bIsForwarding;
+
+    void setCurrentBufferNode(BufferNode* pBufferNode);
+
+    BufferNode* addNewElementMarkBuffers();
+
+    ElementMark* findElementMarkBuffer(sal_Int32 nId) const;
+
+    void removeElementMarkBuffer(sal_Int32 nId);
+
+    OUString printBufferNode(
+        BufferNode const * pBufferNode, sal_Int32 nIndent) const;
+
+    static css::uno::Sequence< css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > >
+        collectChildWorkingElement(BufferNode const * pBufferNode);
+
+    void smashBufferNode(
+        BufferNode* pBufferNode, bool bClearRoot) const;
+
+    static BufferNode* findNextBlockingBufferNode(
+        BufferNode* pStartBufferNode);
+
+    static void diffuse(BufferNode* pBufferNode);
+
+    void releaseElementMarkBuffer();
+
+    void markElementMarkBuffer(sal_Int32 nId);
+
+    sal_Int32 createElementCollector(
+        css::xml::crypto::sax::ElementMarkPriority nPriority,
+        bool bModifyElement,
+        const css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener>& xReferenceResolvedListener);
+
+    sal_Int32 createBlocker();
+
+public:
+    SAXEventKeeperImpl();
+    virtual ~SAXEventKeeperImpl() override;
+
+    SAXEventKeeperImpl(const SAXEventKeeperImpl&) = delete;
+    SAXEventKeeperImpl& operator=(const SAXEventKeeperImpl&) = delete;
+
+    /* XSAXEventKeeper */
+    virtual sal_Int32 SAL_CALL addElementCollector(  ) override;
+    virtual void SAL_CALL removeElementCollector( sal_Int32 id ) override;
+    virtual sal_Int32 SAL_CALL addBlocker(  ) override;
+    virtual void SAL_CALL removeBlocker( sal_Int32 id ) override;
+    virtual sal_Bool SAL_CALL isBlocking(  ) override;
+    virtual css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > SAL_CALL
+        getElement( sal_Int32 id ) override;
+    virtual void SAL_CALL setElement(
+        sal_Int32 id,
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& aElement ) override;
+    virtual css::uno::Reference<
+        css::xml::sax::XDocumentHandler > SAL_CALL
+        setNextHandler( const css::uno::Reference<
+            css::xml::sax::XDocumentHandler >& xNewHandler ) override;
+    virtual OUString SAL_CALL printBufferNodeTree() override;
+    virtual css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > SAL_CALL
+        getCurrentBlockingNode() override;
+
+    /* XSecuritySAXEventKeeper */
+    virtual sal_Int32 SAL_CALL addSecurityElementCollector(
+        css::xml::crypto::sax::ElementMarkPriority priority,
+        sal_Bool modifyElement ) override;
+    virtual void SAL_CALL setSecurityId( sal_Int32 id, sal_Int32 securityId ) override;
+
+    /* XReferenceResolvedBroadcaster */
+    virtual void SAL_CALL addReferenceResolvedListener(
+        sal_Int32 referenceId,
+        const css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener >& listener ) override;
+    virtual void SAL_CALL removeReferenceResolvedListener(
+        sal_Int32 referenceId,
+        const css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener >& listener ) override;
+
+    /* XSAXEventKeeperStatusChangeBroadcaster */
+    virtual void SAL_CALL addSAXEventKeeperStatusChangeListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSAXEventKeeperStatusChangeListener >& listener ) override;
+    virtual void SAL_CALL removeSAXEventKeeperStatusChangeListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSAXEventKeeperStatusChangeListener >& listener ) override;
+
+    /* XDocumentHandler */
+    virtual void SAL_CALL startDocument(  ) override;
+    virtual void SAL_CALL endDocument(  ) override;
+    virtual void SAL_CALL startElement(
+        const OUString& aName,
+        const css::uno::Reference< css::xml::sax::XAttributeList >&
+        xAttribs ) override;
+    virtual void SAL_CALL endElement( const OUString& aName ) override;
+    virtual void SAL_CALL characters( const OUString& aChars ) override;
+    virtual void SAL_CALL ignorableWhitespace( const OUString& aWhitespaces ) override;
+    virtual void SAL_CALL processingInstruction(
+        const OUString& aTarget, const OUString& aData ) override;
+    virtual void SAL_CALL setDocumentLocator(
+        const css::uno::Reference< css::xml::sax::XLocator >& xLocator ) override;
+
+    /* XInitialization */
+    virtual void SAL_CALL initialize(
+        const css::uno::Sequence< css::uno::Any >& aArguments ) override;
+
+    /* XServiceInfo */
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+
+/// @throws css::uno::RuntimeException
+OUString SAXEventKeeperImpl_getImplementationName();
+
+/// @throws css::uno::RuntimeException
+css::uno::Sequence< OUString > SAXEventKeeperImpl_getSupportedServiceNames(  );
+
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/securityengine.hxx b/xmlsecurity/inc/framework/securityengine.hxx
new file mode 100644
index 0000000000..bebf07306b
--- /dev/null
+++ b/xmlsecurity/inc/framework/securityengine.hxx
@@ -0,0 +1,142 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/crypto/sax/XReferenceResolvedListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XReferenceResolvedBroadcaster.hpp>
+#include <com/sun/star/xml/crypto/sax/XKeyCollector.hpp>
+#include <com/sun/star/xml/crypto/sax/XMissionTaker.hpp>
+#include <com/sun/star/xml/crypto/sax/XSAXEventKeeper.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+
+#include <cppuhelper/implbase.hxx>
+
+#include <xmlsecuritydllapi.h>
+
+class SAL_DLLPUBLIC_RTTI SecurityEngine : public cppu::WeakImplHelper
+<
+    css::xml::crypto::sax::XReferenceResolvedListener,
+    css::xml::crypto::sax::XKeyCollector,
+    css::xml::crypto::sax::XMissionTaker
+>
+/****** securityengine.hxx/CLASS SecurityEngine *******************************
+ *
+ *   NAME
+ *  SecurityEngine -- Base class of SignatureEngine and EncryptionEngine
+ *
+ *   FUNCTION
+ *  Maintains common members and methods related with security engine
+ *  operation.
+ ******************************************************************************/
+{
+protected:
+
+    /*
+     * A SAXEventKeeper internally maintains all resources that a security
+     * operation needs. The m_xSAXEventKeeper member is used to release
+     * those resources when the security operation finishes.
+     */
+    css::uno::Reference< css::xml::crypto::sax::XSAXEventKeeper > m_xSAXEventKeeper;
+
+    /*
+     * the id of ElementCollector of the template element.
+     * For a signature, the template element is the Signature element,
+     * for an encryption, the EncryptedData/EncryptedKey element is.
+     */
+    sal_Int32 m_nIdOfTemplateEC;
+
+    /*
+     * remembers how many referenced elements have been buffered completely,
+     * including the key element, template element, and referenced element of
+     * signature.
+     */
+    sal_Int32 m_nNumOfResolvedReferences;
+
+    /*
+     * the id of ElementCollector of the key element.
+     * If a Signature element or EncryptedData/EncryptedKey element has
+     * an internal key sub-element, then this member should be -1
+     */
+    sal_Int32 m_nIdOfKeyEC;
+
+    /*
+     * remembers whether the current operation has finished.
+     */
+    bool      m_bMissionDone;
+
+    /*
+     * the Id of the security entity, a signature or encryption, which is used for
+     * the result listener to identify the entity.
+     */
+    sal_Int32 m_nSecurityId;
+
+    /*
+     * the status of the operation
+     */
+    css::xml::crypto::SecurityOperationStatus m_nStatus;
+
+    /*
+     * the result listener, which will receives the security operation result.
+     */
+    css::uno::Reference< css::uno::XInterface > m_xResultListener;
+
+protected:
+    explicit SecurityEngine();
+    virtual ~SecurityEngine() override {};
+
+    /*
+     * perform the security operation.
+     * Any derived class will implement this method respectively.
+     */
+    /// @throws css::uno::Exception
+    /// @throws css::uno::RuntimeException
+    virtual void tryToPerform( ){};
+
+    /*
+     * clear up all resources used by this operation.
+     * This method is called after the operation finishes, or a End-Your-Mission
+     * message is received.
+     * Any derived class will implement this method respectively.
+     */
+    virtual void clearUp( ) const {};
+
+        /*
+         * notifies any possible result listener.
+         * When verify a signature or conduct a decryption, the operation result will
+         * be transferred to a listener by this method.
+     * Any derived class will implement this method respectively.
+         */
+    /// @throws css::uno::Exception
+    /// @throws css::uno::RuntimeException
+    virtual void notifyResultListener() const
+        {};
+
+public:
+    /* XReferenceResolvedListener */
+    virtual void SAL_CALL referenceResolved( sal_Int32 referenceId ) override;
+
+    /* XKeyCollector */
+    virtual void SAL_CALL setKeyId( sal_Int32 id ) override;
+
+        /* XMissionTaker */
+        virtual sal_Bool SAL_CALL endMission(  ) override;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/signaturecreatorimpl.hxx b/xmlsecurity/inc/framework/signaturecreatorimpl.hxx
new file mode 100644
index 0000000000..d0fc1dc333
--- /dev/null
+++ b/xmlsecurity/inc/framework/signaturecreatorimpl.hxx
@@ -0,0 +1,96 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/crypto/sax/XBlockerMonitor.hpp>
+#include <com/sun/star/xml/crypto/sax/XSignatureCreationResultBroadcaster.hpp>
+#include <com/sun/star/lang/XInitialization.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <cppuhelper/implbase.hxx>
+
+#include <framework/signatureengine.hxx>
+
+namespace com::sun::star::xml::crypto { class XSecurityEnvironment; }
+namespace com::sun::star::xml::crypto::sax { class XSignatureCreationResultListener;}
+
+typedef cppu::ImplInheritanceHelper
+<
+    SignatureEngine,
+    css::xml::crypto::sax::XBlockerMonitor,
+    css::xml::crypto::sax::XSignatureCreationResultBroadcaster,
+    css::lang::XInitialization,
+    css::lang::XServiceInfo
+> SignatureCreatorImpl_Base;
+
+class SignatureCreatorImpl final : public SignatureCreatorImpl_Base
+/****** SignatureCreatorImpl.hxx/CLASS SignatureCreatorImpl *******************
+ *
+ *   NAME
+ *  SignatureCreatorImpl -- generates a signature
+ *
+ *   FUNCTION
+ *  Collects all resources for a signature generation, then generates the
+ *  signature by invoking a xmlsec-based signature bridge component.
+ ******************************************************************************/
+{
+private:
+    /*
+     * the Id of template blocker.
+     */
+    sal_Int32 m_nIdOfBlocker;
+
+    css::uno::Reference< css::xml::crypto::XSecurityEnvironment > m_xSecurityEnvironment;
+
+    virtual void notifyResultListener() const override;
+    virtual void clearUp( ) const override;
+    virtual void startEngine( const rtl::Reference<XMLSignatureTemplateImpl>& xSignatureTemplate) override;
+
+public:
+    explicit SignatureCreatorImpl();
+    virtual ~SignatureCreatorImpl() override;
+
+    /* XBlockerMonitor */
+    virtual void SAL_CALL setBlockerId( sal_Int32 id ) override;
+
+    /* XSignatureCreationResultBroadcaster */
+    void SAL_CALL addSignatureCreationResultListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSignatureCreationResultListener >& listener ) override;
+
+    void SAL_CALL removeSignatureCreationResultListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSignatureCreationResultListener >& listener ) override;
+
+    /* XInitialization */
+    virtual void SAL_CALL initialize(
+        const css::uno::Sequence< css::uno::Any >& aArguments ) override;
+
+    /* XServiceInfo */
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+
+/// @throws css::uno::RuntimeException
+OUString SignatureCreatorImpl_getImplementationName();
+
+/// @throws css::uno::RuntimeException
+css::uno::Sequence< OUString > SignatureCreatorImpl_getSupportedServiceNames(  );
+
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/signatureengine.hxx b/xmlsecurity/inc/framework/signatureengine.hxx
new file mode 100644
index 0000000000..6446c2f367
--- /dev/null
+++ b/xmlsecurity/inc/framework/signatureengine.hxx
@@ -0,0 +1,116 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/crypto/sax/XReferenceResolvedListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XReferenceCollector.hpp>
+#include <com/sun/star/xml/crypto/sax/XKeyCollector.hpp>
+#include <com/sun/star/xml/crypto/sax/XMissionTaker.hpp>
+#include <com/sun/star/xml/crypto/XUriBinding.hpp>
+
+#include <cppuhelper/implbase.hxx>
+
+#include <xmlsecuritydllapi.h>
+#include <framework/securityengine.hxx>
+
+#include <vector>
+
+namespace com::sun::star::io { class XInputStream; }
+namespace com::sun::star::xml::crypto { class XXMLSignature; }
+namespace rtl { template <class reference_type> class Reference; }
+
+class XMLSignatureTemplateImpl;
+
+class SignatureEngine : public cppu::ImplInheritanceHelper
+<
+    SecurityEngine,
+    css::xml::crypto::sax::XReferenceCollector,
+    css::xml::crypto::XUriBinding
+>
+/****** signatureengine.hxx/CLASS SignatureEngine *****************************
+ *
+ *   NAME
+ *  SignatureEngine -- Base class of SignatureCreator and SignatureVerifier
+ *
+ *   FUNCTION
+ *  Maintains common members and methods related with signature operation.
+ ******************************************************************************/
+{
+protected:
+
+    /*
+     * the Signature bridge component, which performs signature generation
+     * and verification based on xmlsec library.
+     */
+    css::uno::Reference< css::xml::crypto::XXMLSignature > m_xXMLSignature;
+
+    /*
+     * a collection of ElementCollector's ids. Each ElementCollector
+     * represents one element signed by this signature.
+     */
+    std::vector< sal_Int32 > m_vReferenceIds;
+
+    /*
+     * remembers how many references this signature has.
+     */
+    sal_Int32 m_nTotalReferenceNumber;
+
+    /*
+     * a collection of Uri binding.
+     *
+     * the m_vUris is used to hold the Uri strings, and the m_vXInputStreams is used
+     * to hold corresponding bound XInputStream interface.
+     */
+    std::vector< OUString > m_vUris;
+    std::vector< css::uno::Reference< css::io::XInputStream > > m_vXInputStreams;
+
+protected:
+    explicit SignatureEngine();
+    virtual ~SignatureEngine() override {};
+
+    virtual void tryToPerform( ) override;
+    virtual void clearUp( ) const override;
+    bool checkReady() const;
+
+    /*
+     * starts the main function. This method will be implemented by any sub-class.
+     * For a SignatureCreator, it performs signing operation;
+     * for a SignatureVerifier, verification operation is performed.
+     */
+    /// @throws css::uno::Exception
+    /// @throws css::uno::RuntimeException
+    virtual void startEngine( const rtl::Reference<XMLSignatureTemplateImpl>&)
+        {};
+
+public:
+    /* XReferenceCollector */
+    virtual void SAL_CALL setReferenceCount( sal_Int32 count ) override;
+
+    virtual void SAL_CALL setReferenceId( sal_Int32 id ) override;
+
+    /* XUriBinding */
+    virtual void SAL_CALL setUriBinding(
+        const OUString& uri,
+        const css::uno::Reference< css::io::XInputStream >& aInputStream ) override;
+    virtual css::uno::Reference< css::io::XInputStream >
+        SAL_CALL getUriBinding( const OUString& uri ) override;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/signatureverifierimpl.hxx b/xmlsecurity/inc/framework/signatureverifierimpl.hxx
new file mode 100644
index 0000000000..15c79643e0
--- /dev/null
+++ b/xmlsecurity/inc/framework/signatureverifierimpl.hxx
@@ -0,0 +1,88 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/crypto/sax/XSignatureVerifyResultBroadcaster.hpp>
+#include <com/sun/star/lang/XInitialization.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <cppuhelper/implbase.hxx>
+
+#include <xmlsecuritydllapi.h>
+#include <framework/signatureengine.hxx>
+
+namespace com::sun::star::xml::crypto::sax { class XSignatureVerifyResultListener; }
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+
+typedef cppu::ImplInheritanceHelper
+<
+    SignatureEngine,
+    css::xml::crypto::sax::XSignatureVerifyResultBroadcaster,
+    css::lang::XInitialization,
+    css::lang::XServiceInfo
+> SignatureVerifierImpl_Base;
+
+class SignatureVerifierImpl final : public SignatureVerifierImpl_Base
+/****** SignatureVerifier.hxx/CLASS SignatureVerifierImpl *********************
+ *
+ *   NAME
+ *  SignatureVerifierImpl -- verifies a signature
+ *
+ *   FUNCTION
+ *  Collects all resources for a signature verification, then verifies the
+ *  signature by invoking a xmlsec-based signature bridge component.
+ ******************************************************************************/
+{
+private:
+    css::uno::Reference< css::xml::crypto::XXMLSecurityContext > m_xXMLSecurityContext;
+
+    virtual void notifyResultListener() const override;
+    virtual void startEngine( const rtl::Reference<XMLSignatureTemplateImpl>& xSignatureTemplate) override;
+
+public:
+    explicit SignatureVerifierImpl();
+    virtual ~SignatureVerifierImpl() override;
+
+    /* XSignatureVerifyResultBroadcaster */
+    virtual void SAL_CALL addSignatureVerifyResultListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSignatureVerifyResultListener >& listener ) override;
+    virtual void SAL_CALL removeSignatureVerifyResultListener(
+        const css::uno::Reference< css::xml::crypto::sax::XSignatureVerifyResultListener >& listener ) override;
+
+    /* XInitialization */
+    virtual void SAL_CALL initialize(
+        const css::uno::Sequence< css::uno::Any >& aArguments ) override;
+
+    /* XServiceInfo */
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+
+    void updateSignature( const css::uno::Reference< css::xml::crypto::XXMLSignature >& xSignature,
+                          const css::uno::Reference< css::xml::crypto::XXMLSecurityContext >& xContext ) { m_xXMLSignature = xSignature; m_xXMLSecurityContext = xContext; }
+};
+
+/// @throws css::uno::RuntimeException
+OUString SignatureVerifierImpl_getImplementationName();
+
+/// @throws css::uno::RuntimeException
+css::uno::Sequence< OUString > SignatureVerifierImpl_getSupportedServiceNames(  );
+
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/framework/xmlsignaturetemplateimpl.hxx b/xmlsecurity/inc/framework/xmlsignaturetemplateimpl.hxx
new file mode 100644
index 0000000000..c0dee1173b
--- /dev/null
+++ b/xmlsecurity/inc/framework/xmlsignaturetemplateimpl.hxx
@@ -0,0 +1,95 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <sal/config.h>
+#include <rtl/ustring.hxx>
+#include <cppuhelper/implbase.hxx>
+
+#include <com/sun/star/uno/Reference.hxx>
+
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignatureTemplate.hpp>
+
+#include <vector>
+
+namespace com::sun::star::lang { class XMultiServiceFactory; }
+namespace com::sun::star::xml::wrapper { class XXMLElementWrapper; }
+
+class XMLSignatureTemplateImpl final : public ::cppu::WeakImplHelper<
+    css::xml::crypto::XXMLSignatureTemplate ,
+    css::lang::XServiceInfo >
+{
+    private:
+        css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > m_xTemplate ;
+        std::vector< css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > > targets;
+        css::uno::Reference< css::xml::crypto::XUriBinding > m_xUriBinding;
+        css::xml::crypto::SecurityOperationStatus m_nStatus;
+
+    public:
+        explicit XMLSignatureTemplateImpl();
+        virtual ~XMLSignatureTemplateImpl() override;
+
+        //Methods from XXMLSignatureTemplate
+        virtual void SAL_CALL setTemplate(
+            const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& aXmlElement
+            ) override;
+
+        virtual css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > SAL_CALL getTemplate(
+        ) override;
+
+        virtual void SAL_CALL setTarget(
+            const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& aXmlElement
+        ) override;
+
+        virtual css::uno::Sequence< css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > > SAL_CALL getTargets(
+        ) override;
+
+        virtual void SAL_CALL setBinding(
+            const css::uno::Reference< css::xml::crypto::XUriBinding >& aUriBinding ) override;
+        virtual css::uno::Reference< css::xml::crypto::XUriBinding >
+            SAL_CALL getBinding(  ) override;
+
+        virtual void SAL_CALL setStatus(
+            css::xml::crypto::SecurityOperationStatus status ) override;
+        virtual css::xml::crypto::SecurityOperationStatus
+            SAL_CALL getStatus(  ) override;
+
+        //Methods from XServiceInfo
+        virtual OUString SAL_CALL getImplementationName() override ;
+
+        virtual sal_Bool SAL_CALL supportsService(
+            const OUString& ServiceName
+        ) override ;
+
+        virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames() override ;
+
+        //Helper for XServiceInfo
+        static css::uno::Sequence< OUString > impl_getSupportedServiceNames() ;
+
+        /// @throws css::uno::RuntimeException
+        static OUString impl_getImplementationName() ;
+
+        //Helper for registry
+        /// @throws css::uno::RuntimeException
+        static css::uno::Reference< css::uno::XInterface > impl_createInstance( const css::uno::Reference< css::lang::XMultiServiceFactory >& aServiceManager ) ;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/gpg/SEInitializer.hxx b/xmlsecurity/inc/gpg/SEInitializer.hxx
new file mode 100644
index 0000000000..e4da22029c
--- /dev/null
+++ b/xmlsecurity/inc/gpg/SEInitializer.hxx
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <com/sun/star/uno/Reference.hxx>
+#include <com/sun/star/uno/Sequence.hxx>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/xml/crypto/XSEInitializer.hpp>
+
+#include <xsecxmlsecdllapi.h>
+#include <cppuhelper/implbase.hxx>
+
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+
+class XSECXMLSEC_DLLPUBLIC SEInitializerGpg final : public cppu::WeakImplHelper
+<
+    css::xml::crypto::XSEInitializer,
+    css::lang::XServiceInfo
+>
+{
+public:
+    SEInitializerGpg();
+    virtual ~SEInitializerGpg() override;
+
+    /* XSEInitializer */
+    virtual css::uno::Reference< css::xml::crypto::XXMLSecurityContext >
+        SAL_CALL createSecurityContext( const OUString& ) override;
+
+    virtual void SAL_CALL freeSecurityContext( const css::uno::Reference<
+        css::xml::crypto::XXMLSecurityContext >& securityContext ) override;
+
+    /* XServiceInfo */
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/gpg/xmlsignature_gpgimpl.hxx b/xmlsecurity/inc/gpg/xmlsignature_gpgimpl.hxx
new file mode 100644
index 0000000000..906a51d19c
--- /dev/null
+++ b/xmlsecurity/inc/gpg/xmlsignature_gpgimpl.hxx
@@ -0,0 +1,77 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <sal/config.h>
+#include <rtl/ustring.hxx>
+#include <xsecxmlsecdllapi.h>
+
+#include <cppuhelper/implbase.hxx>
+
+#include <com/sun/star/uno/Reference.hxx>
+
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+
+namespace com::sun::star::xml::crypto { class XXMLSignatureTemplate; }
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+namespace com::sun::star::lang { class XMultiServiceFactory; }
+
+
+class XSECXMLSEC_DLLPUBLIC XMLSignature_GpgImpl final : public ::cppu::WeakImplHelper<
+    css::xml::crypto::XXMLSignature ,
+    css::lang::XServiceInfo >
+{
+    public:
+        explicit XMLSignature_GpgImpl();
+        virtual ~XMLSignature_GpgImpl() override ;
+
+        //Methods from XXMLSignature
+        virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL generate(
+            const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
+            const css::uno::Reference< css::xml::crypto::XSecurityEnvironment >& aEnvironment
+        ) override ;
+
+        virtual css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate > SAL_CALL validate(
+            const css::uno::Reference< css::xml::crypto::XXMLSignatureTemplate >& aTemplate ,
+            const css::uno::Reference< css::xml::crypto::XXMLSecurityContext >& aContext
+        ) override;
+
+        //Methods from XServiceInfo
+        virtual OUString SAL_CALL getImplementationName() override ;
+
+        virtual sal_Bool SAL_CALL supportsService(
+            const OUString& ServiceName
+        ) override ;
+
+        virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames() override ;
+
+        //Helper for XServiceInfo
+        static css::uno::Sequence< OUString > impl_getSupportedServiceNames() ;
+
+        /// @throws css::uno::RuntimeException
+        static OUString impl_getImplementationName() ;
+
+        //Helper for registry
+        /// @throws css::uno::RuntimeException
+        static css::uno::Reference< css::uno::XInterface > impl_createInstance( const css::uno::Reference< css::lang::XMultiServiceFactory >& aServiceManager ) ;
+} ;
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/macrosecurity.hxx b/xmlsecurity/inc/macrosecurity.hxx
new file mode 100644
index 0000000000..5d9feb94c8
--- /dev/null
+++ b/xmlsecurity/inc/macrosecurity.hxx
@@ -0,0 +1,126 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <vcl/weld.hxx>
+#include <unotools/securityoptions.hxx>
+
+namespace com::sun::star::xml::crypto { class XSecurityEnvironment; }
+class MacroSecurityTP;
+
+class MacroSecurity final : public weld::GenericDialogController
+{
+private:
+    friend class MacroSecurityLevelTP;
+    friend class MacroSecurityTrustedSourcesTP;
+
+    css::uno::Reference<css::xml::crypto::XSecurityEnvironment> m_xSecurityEnvironment;
+
+    std::unique_ptr<weld::Notebook> m_xTabCtrl;
+    std::unique_ptr<weld::Button> m_xOkBtn;
+    std::unique_ptr<weld::Button> m_xResetBtn;
+
+    std::unique_ptr<MacroSecurityTP> m_xLevelTP;
+    std::unique_ptr<MacroSecurityTP> m_xTrustSrcTP;
+
+    DECL_LINK(ActivatePageHdl, const OUString&, void);
+    DECL_LINK(OkBtnHdl, weld::Button&, void);
+public:
+    MacroSecurity(weld::Window* pParent,
+        css::uno::Reference<css::xml::crypto::XSecurityEnvironment> xSecurityEnvironment);
+
+    void EnableReset(bool bEnable = true)
+    {
+        m_xResetBtn->set_sensitive(bEnable);
+    }
+};
+
+class MacroSecurityTP
+{
+protected:
+    std::unique_ptr<weld::Builder> m_xBuilder;
+    std::unique_ptr<weld::Container> m_xContainer;
+
+    MacroSecurity* m_pDlg;
+public:
+    MacroSecurityTP(weld::Container* pParent, const OUString& rUIXMLDescription,
+                    const OUString& rID, MacroSecurity* pDlg);
+    virtual ~MacroSecurityTP();
+
+    virtual void ActivatePage();
+    virtual void ClosePage() = 0;
+};
+
+class MacroSecurityLevelTP : public MacroSecurityTP
+{
+private:
+    sal_uInt16   mnCurLevel;
+
+    std::unique_ptr<weld::RadioButton> m_xVeryHighRB;
+    std::unique_ptr<weld::RadioButton> m_xHighRB;
+    std::unique_ptr<weld::RadioButton> m_xMediumRB;
+    std::unique_ptr<weld::RadioButton> m_xLowRB;
+    std::unique_ptr<weld::Widget> m_xVHighImg;
+    std::unique_ptr<weld::Widget> m_xHighImg;
+    std::unique_ptr<weld::Widget> m_xMedImg;
+    std::unique_ptr<weld::Widget> m_xLowImg;
+
+    DECL_LINK(RadioButtonHdl, weld::Toggleable&, void);
+public:
+    MacroSecurityLevelTP(weld::Container* pParent, MacroSecurity* pDlg);
+    virtual void ClosePage() override;
+};
+
+class MacroSecurityTrustedSourcesTP : public MacroSecurityTP
+{
+private:
+    std::vector< SvtSecurityOptions::Certificate > m_aTrustedAuthors;
+
+    bool          mbAuthorsReadonly;
+    bool          mbURLsReadonly;
+
+    std::unique_ptr<weld::Image> m_xTrustCertROFI;
+    std::unique_ptr<weld::TreeView> m_xTrustCertLB;
+    std::unique_ptr<weld::Button> m_xViewCertPB;
+    std::unique_ptr<weld::Button> m_xRemoveCertPB;
+    std::unique_ptr<weld::Image> m_xTrustFileROFI;
+    std::unique_ptr<weld::TreeView>  m_xTrustFileLocLB;
+    std::unique_ptr<weld::Button> m_xAddLocPB;
+    std::unique_ptr<weld::Button> m_xRemoveLocPB;
+
+    DECL_LINK(ViewCertPBHdl, weld::Button&, void);
+    DECL_LINK(RemoveCertPBHdl, weld::Button&, void);
+    DECL_LINK(AddLocPBHdl, weld::Button&, void);
+    DECL_LINK(RemoveLocPBHdl, weld::Button&, void);
+    DECL_LINK(TrustCertLBSelectHdl, weld::TreeView&, void);
+    DECL_LINK(TrustFileLocLBSelectHdl, weld::TreeView&, void);
+
+    void FillCertLB(const bool bShowWarnings = false);
+    void ImplCheckButtons();
+    void ShowBrokenCertificateError(std::u16string_view rData);
+
+public:
+    MacroSecurityTrustedSourcesTP(weld::Container* pParent, MacroSecurity* pDlg);
+
+    virtual void        ActivatePage() override;
+    virtual void        ClosePage() override;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/pch/precompiled_xmlsecurity.cxx b/xmlsecurity/inc/pch/precompiled_xmlsecurity.cxx
new file mode 100644
index 0000000000..16ace305fc
--- /dev/null
+++ b/xmlsecurity/inc/pch/precompiled_xmlsecurity.cxx
@@ -0,0 +1,12 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include "precompiled_xmlsecurity.hxx"
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx b/xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx
new file mode 100644
index 0000000000..bf9c9025a7
--- /dev/null
+++ b/xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx
@@ -0,0 +1,200 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ This file has been autogenerated by update_pch.sh. It is possible to edit it
+ manually (such as when an include file has been moved/renamed/removed). All such
+ manual changes will be rewritten by the next run of update_pch.sh (which presumably
+ also fixes all possible problems, so it's usually better to use it).
+
+ Generated on 2021-04-11 19:48:55 using:
+ ./bin/update_pch xmlsecurity xmlsecurity --cutoff=6 --exclude:system --include:module --include:local
+
+ If after updating build fails, use the following command to locate conflicting headers:
+ ./bin/update_pch_bisect ./xmlsecurity/inc/pch/precompiled_xmlsecurity.hxx "make xmlsecurity.build" --find-conflicts
+*/
+
+#include <sal/config.h>
+#if PCH_LEVEL >= 1
+#include <algorithm>
+#include <assert.h>
+#include <cassert>
+#include <chrono>
+#include <cmath>
+#include <cstddef>
+#include <cstdlib>
+#include <cstring>
+#include <float.h>
+#include <functional>
+#include <initializer_list>
+#include <iomanip>
+#include <limits.h>
+#include <limits>
+#include <math.h>
+#include <memory>
+#include <new>
+#include <ostream>
+#include <set>
+#include <stddef.h>
+#include <string.h>
+#include <string>
+#include <string_view>
+#include <type_traits>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+#endif // PCH_LEVEL >= 1
+#if PCH_LEVEL >= 2
+#include <osl/diagnose.h>
+#include <osl/doublecheckedlocking.h>
+#include <osl/endian.h>
+#include <osl/file.hxx>
+#include <osl/getglobalmutex.hxx>
+#include <osl/interlck.h>
+#include <osl/mutex.h>
+#include <osl/mutex.hxx>
+#include <osl/thread.h>
+#include <osl/time.h>
+#include <rtl/alloc.h>
+#include <rtl/instance.hxx>
+#include <rtl/locale.h>
+#include <rtl/math.h>
+#include <rtl/ref.hxx>
+#include <rtl/strbuf.hxx>
+#include <rtl/string.h>
+#include <rtl/string.hxx>
+#include <rtl/stringconcat.hxx>
+#include <rtl/stringutils.hxx>
+#include <rtl/textcvt.h>
+#include <rtl/textenc.h>
+#include <rtl/uri.hxx>
+#include <rtl/ustrbuf.hxx>
+#include <rtl/ustring.h>
+#include <rtl/ustring.hxx>
+#include <rtl/uuid.h>
+#include <sal/log.hxx>
+#include <sal/macros.h>
+#include <sal/saldllapi.h>
+#include <sal/types.h>
+#include <sal/typesizes.h>
+#include <vcl/BinaryDataContainer.hxx>
+#include <vcl/Scanline.hxx>
+#include <vcl/alpha.hxx>
+#include <vcl/bitmap.hxx>
+#include <vcl/bitmap/BitmapTypes.hxx>
+#include <vcl/bitmapex.hxx>
+#include <vcl/checksum.hxx>
+#include <vcl/dllapi.h>
+#include <comphelper/errcode.hxx>
+#include <vcl/fntstyle.hxx>
+#include <vcl/font.hxx>
+#include <vcl/mapmod.hxx>
+#include <vcl/region.hxx>
+#include <vcl/task.hxx>
+#include <vcl/uitest/factory.hxx>
+#include <vcl/vclenum.hxx>
+#include <vcl/vclptr.hxx>
+#endif // PCH_LEVEL >= 2
+#if PCH_LEVEL >= 3
+#include <basegfx/basegfxdllapi.h>
+#include <basegfx/color/bcolor.hxx>
+#include <basegfx/numeric/ftools.hxx>
+#include <basegfx/point/b2dpoint.hxx>
+#include <basegfx/point/b2ipoint.hxx>
+#include <basegfx/polygon/b2dpolygon.hxx>
+#include <basegfx/polygon/b2dpolypolygon.hxx>
+#include <basegfx/range/b2drange.hxx>
+#include <basegfx/range/b2irange.hxx>
+#include <basegfx/range/basicrange.hxx>
+#include <basegfx/tuple/b2dtuple.hxx>
+#include <basegfx/tuple/b2i64tuple.hxx>
+#include <basegfx/tuple/b2ituple.hxx>
+#include <basegfx/tuple/b3dtuple.hxx>
+#include <basegfx/utils/common.hxx>
+#include <basegfx/vector/b2dvector.hxx>
+#include <basegfx/vector/b2enums.hxx>
+#include <basegfx/vector/b2ivector.hxx>
+#include <com/sun/star/accessibility/XAccessible.hpp>
+#include <com/sun/star/accessibility/XAccessibleRelationSet.hpp>
+#include <com/sun/star/embed/ElementModes.hpp>
+#include <com/sun/star/embed/StorageFormats.hpp>
+#include <com/sun/star/embed/XStorage.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/lang/XTypeProvider.hpp>
+#include <com/sun/star/uno/Any.h>
+#include <com/sun/star/uno/Any.hxx>
+#include <com/sun/star/uno/Reference.h>
+#include <com/sun/star/uno/Reference.hxx>
+#include <com/sun/star/uno/RuntimeException.hpp>
+#include <com/sun/star/uno/Sequence.h>
+#include <com/sun/star/uno/Sequence.hxx>
+#include <com/sun/star/uno/Type.h>
+#include <com/sun/star/uno/Type.hxx>
+#include <com/sun/star/uno/TypeClass.hdl>
+#include <com/sun/star/uno/XInterface.hpp>
+#include <com/sun/star/uno/XWeak.hpp>
+#include <com/sun/star/uno/genfunc.h>
+#include <com/sun/star/uno/genfunc.hxx>
+#include <com/sun/star/util/Date.hpp>
+#include <com/sun/star/util/DateTime.hpp>
+#include <com/sun/star/util/XCloneable.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
+#include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+#include <com/sun/star/xml/crypto/sax/XReferenceResolvedBroadcaster.hpp>
+#include <com/sun/star/xml/sax/XFastAttributeList.hpp>
+#include <com/sun/star/xml/sax/XFastTokenHandler.hpp>
+#include <comphelper/comphelperdllapi.h>
+#include <cppu/cppudllapi.h>
+#include <cppu/unotype.hxx>
+#include <cppuhelper/cppuhelperdllapi.h>
+#include <cppuhelper/implbase.hxx>
+#include <cppuhelper/implbase_ex.hxx>
+#include <cppuhelper/implbase_ex_post.hxx>
+#include <cppuhelper/implbase_ex_pre.hxx>
+#include <cppuhelper/supportsservice.hxx>
+#include <cppuhelper/weak.hxx>
+#include <i18nlangtag/lang.h>
+#include <o3tl/cow_wrapper.hxx>
+#include <o3tl/strong_int.hxx>
+#include <o3tl/typed_flags_set.hxx>
+#include <o3tl/underlyingenumvalue.hxx>
+#include <salhelper/salhelperdllapi.h>
+#include <salhelper/simplereferenceobject.hxx>
+#include <sax/saxdllapi.h>
+#include <svl/sigstruct.hxx>
+#include <tools/color.hxx>
+#include <tools/date.hxx>
+#include <tools/degree.hxx>
+#include <tools/fldunit.hxx>
+#include <tools/fontenum.hxx>
+#include <tools/gen.hxx>
+#include <tools/link.hxx>
+#include <tools/long.hxx>
+#include <tools/mapunit.hxx>
+#include <tools/solar.h>
+#include <tools/toolsdllapi.h>
+#include <typelib/typeclass.h>
+#include <typelib/typedescription.h>
+#include <typelib/uik.h>
+#include <uno/any2.h>
+#include <uno/data.h>
+#include <uno/sequence2.h>
+#include <unotools/datetime.hxx>
+#include <unotools/options.hxx>
+#include <unotools/unotoolsdllapi.h>
+#include <xmloff/dllapi.h>
+#endif // PCH_LEVEL >= 3
+#if PCH_LEVEL >= 4
+#include <biginteger.hxx>
+#include <xmlsecuritydllapi.h>
+#include <xsecctl.hxx>
+#endif // PCH_LEVEL >= 4
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.cxx b/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.cxx
new file mode 100644
index 0000000000..74123c2f14
--- /dev/null
+++ b/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.cxx
@@ -0,0 +1,12 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include "precompiled_xsec_xmlsec.hxx"
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx b/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx
new file mode 100644
index 0000000000..d69f3120e0
--- /dev/null
+++ b/xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx
@@ -0,0 +1,149 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ This file has been autogenerated by update_pch.sh. It is possible to edit it
+ manually (such as when an include file has been moved/renamed/removed). All such
+ manual changes will be rewritten by the next run of update_pch.sh (which presumably
+ also fixes all possible problems, so it's usually better to use it).
+
+ Generated on 2021-04-08 13:57:49 using:
+ ./bin/update_pch xmlsecurity xsec_xmlsec --cutoff=2 --exclude:system --include:module --include:local
+
+ If after updating build fails, use the following command to locate conflicting headers:
+ ./bin/update_pch_bisect ./xmlsecurity/inc/pch/precompiled_xsec_xmlsec.hxx "make xmlsecurity.build" --find-conflicts
+*/
+
+#include <sal/config.h>
+#if PCH_LEVEL >= 1
+#include <algorithm>
+#include <cassert>
+#include <chrono>
+#include <cstddef>
+#include <cstdlib>
+#include <initializer_list>
+#include <iomanip>
+#include <limits>
+#include <memory>
+#include <new>
+#include <ostream>
+#ifdef XMLSEC_CRYPTO_NSS
+#include <pk11pub.h>
+#endif
+#include <stddef.h>
+#include <string.h>
+#include <string>
+#include <string_view>
+#include <type_traits>
+#include <utility>
+#include <vector>
+#endif // PCH_LEVEL >= 1
+#if PCH_LEVEL >= 2
+#include <osl/diagnose.h>
+#include <osl/doublecheckedlocking.h>
+#include <osl/file.h>
+#include <osl/file.hxx>
+#include <osl/getglobalmutex.hxx>
+#include <osl/interlck.h>
+#include <osl/mutex.h>
+#include <osl/mutex.hxx>
+#include <osl/thread.h>
+#include <osl/time.h>
+#include <rtl/alloc.h>
+#include <rtl/bootstrap.h>
+#include <rtl/bootstrap.hxx>
+#include <rtl/instance.hxx>
+#include <rtl/malformeduriexception.hxx>
+#include <rtl/random.h>
+#include <rtl/ref.hxx>
+#include <rtl/string.h>
+#include <rtl/string.hxx>
+#include <rtl/stringconcat.hxx>
+#include <rtl/stringutils.hxx>
+#include <rtl/textcvt.h>
+#include <rtl/textenc.h>
+#include <rtl/uri.h>
+#include <rtl/uri.hxx>
+#include <rtl/ustring.h>
+#include <rtl/ustring.hxx>
+#include <rtl/uuid.h>
+#include <sal/log.hxx>
+#include <sal/macros.h>
+#include <sal/saldllapi.h>
+#include <sal/types.h>
+#include <sal/typesizes.h>
+#include <vcl/dllapi.h>
+#include <comphelper/errcode.hxx>
+#endif // PCH_LEVEL >= 2
+#if PCH_LEVEL >= 3
+#include <com/sun/star/lang/DisposedException.hpp>
+#include <com/sun/star/lang/IllegalArgumentException.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <com/sun/star/lang/XTypeProvider.hpp>
+#include <com/sun/star/lang/XUnoTunnel.hpp>
+#include <com/sun/star/uno/Any.h>
+#include <com/sun/star/uno/Any.hxx>
+#include <com/sun/star/uno/Exception.hpp>
+#include <com/sun/star/uno/Reference.h>
+#include <com/sun/star/uno/RuntimeException.hpp>
+#include <com/sun/star/uno/Sequence.h>
+#include <com/sun/star/uno/Sequence.hxx>
+#include <com/sun/star/uno/Type.h>
+#include <com/sun/star/uno/Type.hxx>
+#include <com/sun/star/uno/TypeClass.hdl>
+#include <com/sun/star/uno/XComponentContext.hpp>
+#include <com/sun/star/uno/XInterface.hpp>
+#include <com/sun/star/uno/XWeak.hpp>
+#include <com/sun/star/uno/genfunc.h>
+#include <com/sun/star/uno/genfunc.hxx>
+#include <com/sun/star/util/XCloneable.hpp>
+#include <com/sun/star/xml/csax/XCompressedDocumentHandler.hpp>
+#include <com/sun/star/xml/sax/XAttributeList.hpp>
+#include <com/sun/star/xml/wrapper/XXMLDocumentWrapper.hpp>
+#include <comphelper/servicehelper.hxx>
+#include <cppu/cppudllapi.h>
+#include <cppu/unotype.hxx>
+#include <cppuhelper/cppuhelperdllapi.h>
+#include <cppuhelper/exc_hlp.hxx>
+#include <cppuhelper/implbase.hxx>
+#include <cppuhelper/implbase_ex.hxx>
+#include <cppuhelper/implbase_ex_post.hxx>
+#include <cppuhelper/implbase_ex_pre.hxx>
+#include <cppuhelper/supportsservice.hxx>
+#include <cppuhelper/weak.hxx>
+#include <libxml/tree.h>
+#include <o3tl/typed_flags_set.hxx>
+#include <o3tl/underlyingenumvalue.hxx>
+#include <salhelper/singletonref.hxx>
+#include <tools/lineend.hxx>
+#include <tools/long.hxx>
+#include <tools/ref.hxx>
+#include <tools/stream.hxx>
+#include <tools/toolsdllapi.h>
+#include <typelib/typeclass.h>
+#include <typelib/typedescription.h>
+#include <typelib/uik.h>
+#include <uno/any2.h>
+#include <uno/data.h>
+#include <uno/sequence2.h>
+#include <unotools/unotoolsdllapi.h>
+#include <xmloff/dllapi.h>
+#endif // PCH_LEVEL >= 3
+#if PCH_LEVEL >= 4
+#include <xmlsec-wrapper.h>
+#include <xsecxmlsecdllapi.h>
+#endif // PCH_LEVEL >= 4
+
+// Cleanup windows header macro pollution.
+#if defined(_WIN32) && defined(WINAPI)
+#include <postwin.h>
+#undef RGB
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/pdfsignaturehelper.hxx b/xmlsecurity/inc/pdfsignaturehelper.hxx
new file mode 100644
index 0000000000..ea24685d2a
--- /dev/null
+++ b/xmlsecurity/inc/pdfsignaturehelper.hxx
@@ -0,0 +1,73 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ */
+
+#pragma once
+
+#include "xmlsecuritydllapi.h"
+
+#include <svl/sigstruct.hxx>
+
+namespace com::sun::star
+{
+namespace frame
+{
+class XModel;
+}
+namespace io
+{
+class XInputStream;
+}
+namespace security
+{
+class XCertificate;
+}
+namespace security
+{
+struct DocumentSignatureInformation;
+}
+namespace xml::crypto
+{
+class XSecurityEnvironment;
+}
+}
+class SvStream;
+
+/// Handles signatures of a PDF file.
+class XMLSECURITY_DLLPUBLIC PDFSignatureHelper
+{
+    SignatureInformations m_aSignatureInfos;
+
+    css::uno::Reference<css::security::XCertificate> m_xCertificate;
+    OUString m_aDescription;
+
+public:
+    PDFSignatureHelper();
+    bool ReadAndVerifySignature(const css::uno::Reference<css::io::XInputStream>& xInputStream);
+    bool ReadAndVerifySignatureSvStream(SvStream& rStream);
+    css::uno::Sequence<css::security::DocumentSignatureInformation>
+    GetDocumentSignatureInformations(
+        const css::uno::Reference<css::xml::crypto::XSecurityEnvironment>& xSecEnv) const;
+    SignatureInformations const& GetSignatureInformations() const;
+
+    /// Return the ID of the next created signature.
+    sal_Int32 GetNewSecurityId() const;
+    /// Certificate to be used next time signing is performed.
+    void SetX509Certificate(const css::uno::Reference<css::security::XCertificate>& xCertificate);
+    /// Comment / reason to be used next time signing is performed.
+    void SetDescription(const OUString& rDescription);
+    /// Append a new signature at the end of xInputStream.
+    bool Sign(const css::uno::Reference<css::frame::XModel>& xModel,
+              const css::uno::Reference<css::io::XInputStream>& xInputStream, bool bAdES);
+    /// Remove the signature at nPosition (and all dependent signatures) from xInputStream.
+    static bool RemoveSignature(const css::uno::Reference<css::io::XInputStream>& xInputStream,
+                                sal_uInt16 nPosition);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/resourcemanager.hxx b/xmlsecurity/inc/resourcemanager.hxx
new file mode 100644
index 0000000000..1dc5b29874
--- /dev/null
+++ b/xmlsecurity/inc/resourcemanager.hxx
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <unotools/resmgr.hxx>
+
+inline OUString XsResId(TranslateId aId) { return Translate::get(aId, Translate::Create("xsc")); }
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/strings.hrc b/xmlsecurity/inc/strings.hrc
new file mode 100644
index 0000000000..7e99a58d52
--- /dev/null
+++ b/xmlsecurity/inc/strings.hrc
@@ -0,0 +1,68 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#define NC_(Context, String) TranslateId(Context, u8##String)
+
+#define STR_CERTIFICATE_NOT_VALIDATED               NC_("STR_CERTIFICATE_NOT_VALIDATED", "The certificate could not be validated.")
+#define STR_VERSION                                 NC_("STR_VERSION", "Version")
+#define STR_SERIALNUM                               NC_("STR_SERIALNUM", "Serial Number")
+#define STR_ISSUER                                  NC_("STR_ISSUER", "Issuer")
+#define STR_VALIDFROM                               NC_("STR_VALIDFROM", "Valid From")
+#define STR_VALIDTO                                 NC_("STR_VALIDTO", "Valid to")
+#define STR_SUBJECT                                 NC_("STR_SUBJECT", "Subject")
+#define STR_SUBJECT_PUBKEY_ALGO                     NC_("STR_SUBJECT_PUBKEY_ALGO", "Subject Algorithm")
+#define STR_SUBJECT_PUBKEY_VAL                      NC_("STR_SUBJECT_PUBKEY_VAL", "Public Key")
+#define STR_SIGNATURE_ALGO                          NC_("STR_SIGNATURE_ALGO", "Signature Algorithm")
+#define STR_USE                                     NC_("STR_USE", "Certificate Use")
+#define STR_THUMBPRINT_SHA1                         NC_("STR_THUMBPRINT_SHA1", "Thumbprint SHA1")
+#define STR_THUMBPRINT_MD5                          NC_("STR_THUMBPRINT_MD5", "Thumbprint MD5")
+
+#define STR_XMLSECDLG_OPENED_CRTMGR                 NC_("STR_XMLSECDLG_OPENED_CRTMGR", "You have opened the certificate manager at\n")
+#define STR_XMLSECDLG_OLD_ODF_FORMAT                NC_("STR_XMLSECDLG_OLD_ODF_FORMAT", "This document contains signatures in ODF 1.1 (OpenOffice.org 2.x) format. " \
+                                                       "Signing documents in %PRODUCTNAME %PRODUCTVERSION requires ODF 1.2 format version. " \
+                                                       "Thus no signatures can be added or removed to this document.\n\n" \
+                                                       "Save document in ODF 1.2 format and add all desired signatures again.")
+#define STR_XMLSECDLG_QUERY_REMOVEDOCSIGNBEFORESIGN NC_("STR_XMLSECDLG_QUERY_REMOVEDOCSIGNBEFORESIGN", "Adding or removing a macro signature will remove all document signatures.\n" \
+                                                       "Do you really want to continue?")
+#define STR_XMLSECDLG_QUERY_REALLYREMOVE            NC_("STR_XMLSECDLG_QUERY_REALLYREMOVE", "Document signature cannot be restored, once removed.\n" \
+                                                       "Do you really want to remove selected signature?")
+
+#define STR_XMLSECDLG_SIGNING_FAILED                NC_("STR_XMLSECDLG_SIGNING_FAILED", "An error occurred while adding the signature.")
+#define STR_XMLSECDLG_NO_CERT_MANAGER               NC_("STR_XMLSECDLG_NO_CERT_MANAGER", "Could not find any certificate manager.")
+#define STR_XMLSECDLG_NO_CERT_FOUND                 NC_("STR_XMLSECDLG_NO_CERT_FOUND", "Could not find the certificate.")
+
+#define RID_XMLSECWB_NO_MOZILLA_PROFILE             NC_("RID_XMLSECWB_NO_MOZILLA_PROFILE", "Digital signatures functionality could not be used, because no Mozilla user profile was found. Please check the Mozilla installation.")
+
+#define STR_DIGITAL_SIGNATURE                       NC_("selectcertificatedialog|STR_DIGITAL_SIGNATURE", "Digital signature")
+#define STR_NON_REPUDIATION                         NC_("selectcertificatedialog|STR_NON_REPUDIATION", "Non-repudiation")
+#define STR_KEY_ENCIPHERMENT                        NC_("selectcertificatedialog|STR_KEY_ENCIPHERMENT", "Key encipherment")
+#define STR_DATA_ENCIPHERMENT                       NC_("selectcertificatedialog|STR_DATA_ENCIPHERMENT", "Data encipherment")
+#define STR_KEY_AGREEMENT                           NC_("selectcertificatedialog|STR_KEY_AGREEMENT", "Key Agreement")
+#define STR_KEY_CERT_SIGN                           NC_("selectcertificatedialog|STR_KEY_CERT_SIGN", "Certificate signature verification")
+#define STR_CRL_SIGN                                NC_("selectcertificatedialog|STR_CRL_SIGN", "CRL signature verification")
+#define STR_ENCIPHER_ONLY                           NC_("selectcertificatedialog|STR_ENCIPHER_ONLY", "Only for encipherment")
+#define STR_SIGN                                    NC_("selectcertificatedialog|str_sign", "Sign")
+#define STR_SELECTSIGN                              NC_("selectcertificatedialog|str_selectsign", "Select")
+#define STR_ENCRYPT                                 NC_("selectcertificatedialog|str_encrypt", "Encrypt")
+
+#define STR_BROKEN_MACRO_CERTIFICATE_DATA           NC_("STR_BROKEN_MACRO_CERTIFICATE_DATA", "Macro security problem!\n\nBroken certificate data: %{data}")
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
new file mode 100644
index 0000000000..3ad705400c
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -0,0 +1,43 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <sal/config.h>
+
+#include <sal/types.h>
+
+#include <libxml/parser.h>
+#include <xmlsec/base64.h>
+#include <xmlsec/bn.h>
+#include <xmlsec/errors.h>
+#include <xmlsec/io.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/strings.h>
+#include <xmlsec/xmldsig.h>
+#include <xmlsec/xmlenc.h>
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#ifdef XMLSEC_CRYPTO_NSS
+#include <xmlsec/nss/app.h>
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/pkikeys.h>
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec/errorcallback.hxx b/xmlsecurity/inc/xmlsec/errorcallback.hxx
new file mode 100644
index 0000000000..80ba564e9b
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec/errorcallback.hxx
@@ -0,0 +1,30 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <xsecxmlsecdllapi.h>
+
+// Only used for logging
+void setErrorRecorder();
+//ToDo
+//void setErrorRecorder(const css::uno::Reference< css::xml::crypto::XXMLEncryptionTemplate >& xTemplate);
+void clearErrorRecorder();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec/saxhelper.hxx b/xmlsecurity/inc/xmlsec/saxhelper.hxx
new file mode 100644
index 0000000000..a5863ffd0e
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec/saxhelper.hxx
@@ -0,0 +1,86 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <sal/config.h>
+
+#include <string_view>
+
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+
+#include <rtl/ustring.hxx>
+
+namespace com::sun::star::xml::csax { struct XMLAttribute; }
+namespace com::sun::star::uno { template <typename > class Sequence; }
+
+/** This class represents a SAX handler which simply forwards to
+    the corresponding libxml API and translates parameter if necessary.
+*/
+class SAXHelper final
+{
+    private:
+        xmlParserCtxtPtr m_pParserCtxt ;
+        xmlSAXHandlerPtr m_pSaxHandler ;
+
+    public:
+        SAXHelper( ) ;
+        ~SAXHelper() ;
+
+        xmlNodePtr getCurrentNode() { return m_pParserCtxt->node;}
+        void setCurrentNode(const xmlNodePtr pNode);
+        xmlDocPtr getDocument() { return m_pParserCtxt->myDoc;}
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void startDocument() ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void endDocument() ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void startElement(
+            std::u16string_view aName ,
+            const css::uno::Sequence<
+                css::xml::csax::XMLAttribute >& aAttributes ) ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void endElement( std::u16string_view aName ) ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void characters( std::u16string_view aChars ) ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void ignorableWhitespace( std::u16string_view aWhitespaces ) ;
+
+        /// @throws css::xml::sax::SAXException
+        /// @throws css::uno::RuntimeException
+        void processingInstruction(
+            std::u16string_view aTarget ,
+            std::u16string_view aData ) ;
+
+} ;
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec/xmldocumentwrapper_xmlsecimpl.hxx b/xmlsecurity/inc/xmlsec/xmldocumentwrapper_xmlsecimpl.hxx
new file mode 100644
index 0000000000..8f5695d10d
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec/xmldocumentwrapper_xmlsecimpl.hxx
@@ -0,0 +1,208 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <com/sun/star/xml/wrapper/XXMLDocumentWrapper.hpp>
+#include <com/sun/star/xml/csax/XCompressedDocumentHandler.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+#include <cppuhelper/implbase.hxx>
+
+#include <xmlsec/saxhelper.hxx>
+#include <xsecxmlsecdllapi.h>
+
+#define NODEPOSITION_NORMAL        1
+#define NODEPOSITION_STARTELEMENT  2
+#define NODEPOSITION_ENDELEMENT    3
+
+#include <libxml/tree.h>
+
+class XSECXMLSEC_DLLPUBLIC XMLDocumentWrapper_XmlSecImpl final : public cppu::WeakImplHelper
+<
+    css::xml::wrapper::XXMLDocumentWrapper,
+    css::xml::sax::XDocumentHandler,
+    css::xml::csax::XCompressedDocumentHandler,
+    css::lang::XServiceInfo
+>
+/**
+ *   NAME
+ *  XMLDocumentWrapper_XmlSecImpl -- Class to manipulate a libxml2
+ *  document
+ *
+ *   FUNCTION
+ *  Converts SAX events into a libxml2 document, converts the document back
+ *  into SAX event stream, and manipulate nodes in the document.
+ ******************************************************************************/
+{
+private:
+    /* the sax helper */
+    SAXHelper saxHelper;
+
+    /* the document used to convert SAX events to */
+    xmlDocPtr m_pDocument;
+
+    /* the root element */
+    xmlNodePtr m_pRootElement;
+
+    /*
+     * the current active element. The next incoming SAX event will be
+     * appended to this element
+     */
+    xmlNodePtr m_pCurrentElement;
+
+    /*
+     * This variable is used when converting the document or part of it into
+     * SAX events. See getNextSAXEvent method.
+     */
+    sal_Int32 m_nCurrentPosition;
+
+    /*
+     * used for recursive deletion. See recursiveDelete method
+     */
+    xmlNodePtr m_pStopAtNode;
+    xmlNodePtr m_pCurrentReservedNode;
+    css::uno::Sequence< css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > > m_aReservedNodes;
+    sal_Int32 m_nReservedNodeIndex;
+
+private:
+    void getNextSAXEvent();
+
+    /// @throws css::xml::sax::SAXException
+    static void sendStartElement(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler,
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler2,
+        const xmlNodePtr pNode);
+
+    /// @throws css::xml::sax::SAXException
+    static void sendEndElement(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler,
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler2,
+        const xmlNodePtr pNode);
+
+    /// @throws css::xml::sax::SAXException
+    static void sendNode(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler,
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xHandler2,
+        const xmlNodePtr pNode);
+
+    static OString getNodeQName(const xmlNodePtr pNode);
+
+    sal_Int32 recursiveDelete( const xmlNodePtr pNode);
+
+    void getNextReservedNode();
+
+    void removeNode( const xmlNodePtr pNode) const;
+
+    static xmlNodePtr checkElement(
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& xXMLElement);
+
+    void buildIDAttr( xmlNodePtr pNode ) const;
+    void rebuildIDLink( xmlNodePtr pNode ) const;
+
+public:
+    XMLDocumentWrapper_XmlSecImpl();
+    virtual ~XMLDocumentWrapper_XmlSecImpl() override;
+
+    /* css::xml::wrapper::XXMLDocumentWrapper */
+    virtual css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > SAL_CALL getCurrentElement(  ) override;
+
+    virtual void SAL_CALL setCurrentElement( const css::uno::Reference<
+        css::xml::wrapper::XXMLElementWrapper >& element ) override;
+
+    virtual void SAL_CALL removeCurrentElement(  ) override;
+
+    virtual sal_Bool SAL_CALL isCurrent( const css::uno::Reference<
+        css::xml::wrapper::XXMLElementWrapper >& node ) override;
+
+    virtual sal_Bool SAL_CALL isCurrentElementEmpty(  ) override;
+
+    virtual OUString SAL_CALL getNodeName( const css::uno::Reference<
+        css::xml::wrapper::XXMLElementWrapper >& node ) override;
+
+    virtual void SAL_CALL clearUselessData(
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& node,
+        const css::uno::Sequence< css::uno::Reference< css::xml::wrapper::XXMLElementWrapper > >& reservedDescendants,
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& stopAtNode ) override;
+
+    virtual void SAL_CALL collapse( const css::uno::Reference<
+        css::xml::wrapper::XXMLElementWrapper >& node ) override;
+
+    virtual void SAL_CALL generateSAXEvents(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& handler,
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xEventKeeperHandler,
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& startNode,
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& endNode ) override;
+
+    virtual void SAL_CALL getTree(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& handler ) override;
+
+    virtual void SAL_CALL rebuildIDLink(
+        const css::uno::Reference< css::xml::wrapper::XXMLElementWrapper >& node ) override;
+
+    /* css::xml::sax::XDocumentHandler */
+    virtual void SAL_CALL startDocument(  ) override;
+
+    virtual void SAL_CALL endDocument(  ) override;
+
+    virtual void SAL_CALL startElement(
+        const OUString& aName,
+        const css::uno::Reference< css::xml::sax::XAttributeList >& xAttribs ) override;
+
+    virtual void SAL_CALL endElement( const OUString& aName ) override;
+
+    virtual void SAL_CALL characters( const OUString& aChars ) override;
+
+    virtual void SAL_CALL ignorableWhitespace( const OUString& aWhitespaces ) override;
+
+    virtual void SAL_CALL processingInstruction( const OUString& aTarget, const OUString& aData ) override;
+
+    virtual void SAL_CALL setDocumentLocator( const css::uno::Reference< css::xml::sax::XLocator >& xLocator ) override;
+
+    /* css::xml::csax::XCompressedDocumentHandler */
+    virtual void SAL_CALL compressedStartDocument(  ) override;
+
+    virtual void SAL_CALL compressedEndDocument(  ) override;
+
+    virtual void SAL_CALL compressedStartElement(
+        const OUString& aName,
+        const css::uno::Sequence< css::xml::csax::XMLAttribute >& aAttributes ) override;
+
+    virtual void SAL_CALL compressedEndElement( const OUString& aName ) override;
+
+    virtual void SAL_CALL compressedCharacters( const OUString& aChars ) override;
+
+    virtual void SAL_CALL compressedIgnorableWhitespace( const OUString& aWhitespaces ) override;
+
+    virtual void SAL_CALL compressedProcessingInstruction( const OUString& aTarget, const OUString& aData ) override;
+
+    virtual void SAL_CALL compressedSetDocumentLocator(
+        sal_Int32 columnNumber,
+        sal_Int32 lineNumber,
+        const OUString& publicId,
+        const OUString& systemId ) override;
+
+    /* css::lang::XServiceInfo */
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec/xmlsec_init.hxx b/xmlsecurity/inc/xmlsec/xmlsec_init.hxx
new file mode 100644
index 0000000000..417acd288b
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec/xmlsec_init.hxx
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <xsecxmlsecdllapi.h>
+
+XSECXMLSEC_DLLPUBLIC void initXmlSec();
+XSECXMLSEC_DLLPUBLIC void deInitXmlSec();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsec/xmlstreamio.hxx b/xmlsecurity/inc/xmlsec/xmlstreamio.hxx
new file mode 100644
index 0000000000..6e3d506a4d
--- /dev/null
+++ b/xmlsecurity/inc/xmlsec/xmlstreamio.hxx
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <xsecxmlsecdllapi.h>
+
+namespace com::sun::star::xml::crypto
+{
+class XUriBinding;
+}
+namespace com::sun::star::uno
+{
+template <typename> class Reference;
+}
+
+int xmlEnableStreamInputCallbacks();
+void xmlDisableStreamInputCallbacks();
+int xmlRegisterStreamInputCallbacks(
+    css::uno::Reference<css::xml::crypto::XUriBinding> const& aUriBinding);
+int xmlUnregisterStreamInputCallbacks();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsecuritydllapi.h b/xmlsecurity/inc/xmlsecuritydllapi.h
new file mode 100644
index 0000000000..7f31e6f8f4
--- /dev/null
+++ b/xmlsecurity/inc/xmlsecuritydllapi.h
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <sal/types.h>
+
+#if defined(XMLSECURITY_DLLIMPLEMENTATION)
+#define XMLSECURITY_DLLPUBLIC SAL_DLLPUBLIC_EXPORT
+#else
+#define XMLSECURITY_DLLPUBLIC SAL_DLLPUBLIC_IMPORT
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsignaturehelper.hxx
new file mode 100644
index 0000000000..d6e2b90eeb
--- /dev/null
+++ b/xmlsecurity/inc/xmlsignaturehelper.hxx
@@ -0,0 +1,176 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <tools/link.hxx>
+#include <rtl/ustring.hxx>
+#include <rtl/ref.hxx>
+#include <svl/sigstruct.hxx>
+#include "xmlsecuritydllapi.h"
+#include "xmlsignaturehelper.hxx"
+#include "xsecctl.hxx"
+
+#include <com/sun/star/security/XCertificate.hpp>
+#include <com/sun/star/xml/crypto/XSecurityEnvironment.hpp>
+
+class DateTime;
+class UriBindingHelper;
+
+namespace com::sun::star {
+    namespace io {
+        class XOutputStream;
+        class XInputStream;
+    }
+    namespace embed { class XStorage; }
+}
+
+namespace com::sun::star::graphic { class XGraphic; }
+namespace com::sun::star::uno { class XComponentContext; }
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+namespace com::sun::star::xml::sax { class XDocumentHandler; }
+namespace com::sun::star::xml::sax { class XWriter; }
+
+/**********************************************************
+ XMLSignatureHelper
+
+ Helper class for the XML Security framework
+
+ Functions:
+ 1. help to create a security context;
+ 2. help to listen signature creation result;
+ 3. help to listen signature verify result;
+ 4. help to indicate which signature to verify.
+
+ **********************************************************/
+
+class XMLSECURITY_DLLPUBLIC XMLSignatureHelper
+{
+private:
+    css::uno::Reference< css::uno::XComponentContext > mxCtx;
+    rtl::Reference<UriBindingHelper> mxUriBinding;
+
+    rtl::Reference<XSecController> mpXSecController;
+    bool                        mbError;
+    bool mbODFPre1_2;
+    Link<LinkParamNone*,bool>   maStartVerifySignatureHdl;
+
+private:
+    XMLSignatureHelper(const XMLSignatureHelper&) = delete;
+
+public:
+    XMLSignatureHelper(const css::uno::Reference< css::uno::XComponentContext >& mrCtx );
+    ~XMLSignatureHelper();
+
+    void StartVerifySignatureElement();
+
+    // Set the storage which should be used by the default UriBinding
+    // Must be set before StartMission().
+    //sODFVersion indicates  the ODF version
+    void        SetStorage( const css::uno::Reference < css::embed::XStorage >& rxStorage, std::u16string_view sODFVersion );
+
+                // Argument for the Link is a uno::Reference< xml::sax::XAttributeList >*
+                // Return 1 to verify, 0 to skip.
+                // Default handler will verify all.
+    void        SetStartVerifySignatureHdl( const Link<LinkParamNone*,bool>& rLink );
+
+                // After signing/verifying, get information about signatures
+    SignatureInformation  GetSignatureInformation( sal_Int32 nSecurityId ) const;
+    SignatureInformations GetSignatureInformations() const;
+    /// ImplVerifySignature calls this to figure out which X509Data is the
+    /// signing certificate and update the internal state with the result.
+    /// @return
+    ///    A sequence with the signing certificate at the back on success.
+    ///    An empty sequence on failure.
+    std::vector<css::uno::Reference<css::security::XCertificate>>
+    CheckAndUpdateSignatureInformation(
+        css::uno::Reference<css::xml::crypto::XSecurityEnvironment> const& xSecEnv,
+        SignatureInformation const& rInfo);
+
+                // See XSecController for documentation
+    void        StartMission(const css::uno::Reference<css::xml::crypto::XXMLSecurityContext>& xSecurityContext);
+    void        EndMission();
+    sal_Int32   GetNewSecurityId();
+    /** sets data that describes the certificate.
+
+        It is absolutely necessary that the parameter ouX509IssuerName is set. It contains
+        the base64 encoded certificate, which is DER encoded. The XMLSec needs it to find
+        the private key. Although issuer name and certificate should be sufficient to identify
+        the certificate the implementation in XMLSec is broken, both for Windows and mozilla.
+        The reason is that they use functions to find the certificate which take as parameter
+        the DER encoded ASN.1 issuer name. The issuer name is a DName, where most attributes
+        are of type DirectoryName, which is a choice of 5 string types. This information is
+        not contained in the issuer string and while it is converted to the ASN.1 name the
+        conversion function must assume a particular type, which is often wrong. For example,
+        the Windows function CertStrToName will use a T.61 string if the string does not contain
+        special characters. So if the certificate uses simple characters but encodes the
+        issuer attributes in Utf8, then CertStrToName will use T.61. The resulting DER encoded
+        ASN.1 name now contains different bytes which indicate the string type. The functions
+        for finding the certificate apparently use memcmp - hence they fail to find the
+        certificate.
+     */
+    void SetX509Certificate(sal_Int32 nSecurityId, const OUString& ouX509IssuerName,
+        const OUString& ouX509SerialNumber, const OUString& ouX509Cert, const OUString& ouX509CertDigest,
+        svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+
+    void AddEncapsulatedX509Certificate(const OUString& ouEncapsulatedX509Certificate);
+
+    void SetGpgCertificate(sal_Int32 nSecurityId, const OUString& ouGpgCertDigest,
+        const OUString& ouGpgCert, const OUString& ouGpgOwner);
+
+    void        SetDateTime( sal_Int32 nSecurityId, const DateTime& rDateTime );
+    void SetDescription(sal_Int32 nSecurityId, const OUString& rDescription);
+    void SetSignatureLineId(sal_Int32 nSecurityId, const OUString& rSignatureLineId);
+    void
+    SetSignatureLineValidGraphic(sal_Int32 nSecurityId,
+                                 const css::uno::Reference<css::graphic::XGraphic>& xValidGraphic);
+    void SetSignatureLineInvalidGraphic(
+        sal_Int32 nSecurityId, const css::uno::Reference<css::graphic::XGraphic>& xInvalidGraphic);
+
+    void        AddForSigning( sal_Int32 securityId, const OUString& uri, bool bBinary, bool bXAdESCompliantIfODF );
+    void        CreateAndWriteSignature( const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler, bool bXAdESCompliantIfODF );
+    bool        ReadAndVerifySignature( const css::uno::Reference< css::io::XInputStream >& xInputStream );
+
+    // MT: ??? I think only for adding/removing, not for new signatures...
+    // MM: Yes, but if you want to insert a new signature into an existing signature file, those function
+    //     will be very useful, see Mission 3 in the new "multisigdemo" program   :-)
+    css::uno::Reference< css::xml::sax::XWriter> CreateDocumentHandlerWithHeader( const css::uno::Reference< css::io::XOutputStream >& xOutputStream );
+    static void CloseDocumentHandler( const css::uno::Reference< css::xml::sax::XDocumentHandler>& xDocumentHandler );
+    static void ExportSignature(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
+        const SignatureInformation& signatureInfo,
+        bool bXAdESCompliantIfODF );
+
+    /// Read and verify OOXML signatures.
+    bool ReadAndVerifySignatureStorage(const css::uno::Reference<css::embed::XStorage>& xStorage, bool bCacheLastSignature = true);
+    /// Read and verify a single OOXML signature.
+    bool ReadAndVerifySignatureStorageStream(const css::uno::Reference<css::io::XInputStream>& xInputStream);
+    /// Adds or removes an OOXML digital signature relation to _rels/.rels if there wasn't any before.
+    void EnsureSignaturesRelation(const css::uno::Reference<css::embed::XStorage>& xStorage, bool bAdd);
+    /// Given that xStorage is an OOXML _xmlsignatures storage, create origin.sigs and its relations.
+    void ExportSignatureRelations(const css::uno::Reference<css::embed::XStorage>& xStorage, int nSignatureCount);
+    /// Given that xSignatureStorage is an OOXML _xmlsignatures storage, create and write a new signature.
+    void CreateAndWriteOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::embed::XStorage>& xSignatureStorage, int nSignatureIndex);
+    /// Similar to CreateAndWriteOOXMLSignature(), but used to write the signature to the persistent storage, not the temporary one.
+    void ExportOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::embed::XStorage>& xSignatureStorage, const SignatureInformation& rInformation, int nSignatureIndex);
+    /// Given that xStorage is an OOXML root storage, advertise signatures in its [Content_Types].xml stream.
+    void ExportSignatureContentTypes(const css::uno::Reference<css::embed::XStorage>& xStorage, int nSignatureCount);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
new file mode 100644
index 0000000000..558301a796
--- /dev/null
+++ b/xmlsecurity/inc/xsecctl.hxx
@@ -0,0 +1,408 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <svl/sigstruct.hxx>
+
+#include <com/sun/star/xml/crypto/sax/XSAXEventKeeperStatusChangeListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XSignatureCreationResultListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XSignatureVerifyResultListener.hpp>
+
+#include <rtl/ref.hxx>
+#include <cppuhelper/implbase.hxx>
+
+#include <vector>
+
+#include "UriBindingHelper.hxx"
+
+namespace com::sun::star::embed { class XStorage; }
+namespace com::sun::star::graphic { class XGraphic; }
+namespace com::sun::star::io { class XInputStream; }
+namespace com::sun::star::lang { class XInitialization; }
+namespace com::sun::star::uno { class XComponentContext; }
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+namespace com::sun::star::xml::crypto { class XXMLSignature; }
+namespace com::sun::star::xml::crypto:: sax { class XReferenceResolvedListener; }
+namespace com::sun::star::xml::sax { class XDocumentHandler; }
+
+inline constexpr OUString NS_XMLDSIG = u"http://www.w3.org/2000/09/xmldsig#"_ustr;
+inline constexpr OUString NS_DC = u"http://purl.org/dc/elements/1.1/"_ustr;
+inline constexpr OUString NS_XD = u"http://uri.etsi.org/01903/v1.3.2#"_ustr;
+inline constexpr OUString NS_MDSSI = u"http://schemas.openxmlformats.org/package/2006/digital-signature"_ustr;
+inline constexpr OUString NS_LOEXT = u"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0"_ustr;
+
+inline constexpr OUString ALGO_C14N = u"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"_ustr;
+inline constexpr OUString ALGO_RSASHA1 = u"http://www.w3.org/2000/09/xmldsig#rsa-sha1"_ustr;
+inline constexpr OUString ALGO_RSASHA256 = u"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"_ustr;
+inline constexpr OUString ALGO_RSASHA512 = u"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"_ustr;
+inline constexpr OUString ALGO_ECDSASHA1 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"_ustr;
+inline constexpr OUString ALGO_ECDSASHA256 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"_ustr;
+inline constexpr OUString ALGO_ECDSASHA512 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"_ustr;
+inline constexpr OUString ALGO_XMLDSIGSHA1 = u"http://www.w3.org/2000/09/xmldsig#sha1"_ustr;
+inline constexpr OUString ALGO_XMLDSIGSHA256 = u"http://www.w3.org/2001/04/xmlenc#sha256"_ustr;
+inline constexpr OUString ALGO_XMLDSIGSHA512 = u"http://www.w3.org/2001/04/xmlenc#sha512"_ustr;
+inline constexpr OUString ALGO_RELATIONSHIP = u"http://schemas.openxmlformats.org/package/2006/RelationshipTransform"_ustr;
+
+class XMLDocumentWrapper_XmlSecImpl;
+class SAXEventKeeperImpl;
+class XMLSignatureHelper;
+namespace svl::crypto { enum class SignatureMethodAlgorithm; }
+
+class InternalSignatureInformation
+{
+public:
+    SignatureInformation signatureInfor;
+
+    css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > xReferenceResolvedListener;
+
+    ::std::vector< sal_Int32 > vKeeperIds;
+
+    InternalSignatureInformation(
+        sal_Int32 nId,
+        css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > const & xListener)
+        :signatureInfor(nId)
+    {
+        xReferenceResolvedListener = xListener;
+    }
+
+    void addReference( SignatureReferenceType type, sal_Int32 digestID, const OUString& uri, sal_Int32 keeperId, const OUString& rType )
+    {
+        signatureInfor.vSignatureReferenceInfors.push_back(
+                SignatureReferenceInformation(type, digestID, uri, rType));
+        vKeeperIds.push_back( keeperId );
+    }
+};
+
+class XSecController final : public cppu::WeakImplHelper
+<
+    css::xml::crypto::sax::XSAXEventKeeperStatusChangeListener,
+    css::xml::crypto::sax::XSignatureCreationResultListener,
+    css::xml::crypto::sax::XSignatureVerifyResultListener
+>
+/****** XSecController.hxx/CLASS XSecController *******************************
+ *
+ *   NAME
+ *  XSecController -- the xml security framework controller
+ *
+ *   FUNCTION
+ *  Controls the whole xml security framework to create signatures or to
+ *  verify signatures.
+ *
+ ******************************************************************************/
+{
+    friend class XSecParser;
+    friend class OOXMLSecParser;
+
+private:
+    css::uno::Reference< css::uno::XComponentContext> mxCtx;
+
+    /*
+     * used to buffer SAX events
+     */
+    rtl::Reference<XMLDocumentWrapper_XmlSecImpl> m_xXMLDocumentWrapper;
+
+    /*
+     * the SAX events keeper
+     */
+    rtl::Reference<SAXEventKeeperImpl> m_xSAXEventKeeper;
+
+    /*
+     * the bridge component which creates/verifies signature
+     */
+    css::uno::Reference< css::xml::crypto::XXMLSignature > m_xXMLSignature;
+
+    /*
+     * the Security Context
+     */
+    css::uno::Reference< css::xml::crypto::XXMLSecurityContext > m_xSecurityContext;
+
+    /*
+     * the security id incrementer, in order to make any security id unique
+     * to the SAXEventKeeper.
+     * Because each XSecController has its own SAXEventKeeper, so this variable
+     * is not necessary to be static.
+     */
+    sal_Int32 m_nNextSecurityId;
+
+    /*
+     * Signature information
+     */
+    std::vector< InternalSignatureInformation > m_vInternalSignatureInformations;
+
+    /*
+     * the previous node on the SAX chain.
+     * The reason that use a Reference<XInterface> type variable
+     * is that the previous components are different when exporting
+     * and importing, and there is no other common interface they
+     * can provided.
+     */
+    css::uno::Reference< css::uno::XInterface > m_xPreviousNodeOnSAXChain;
+    /*
+     * whether the previous node can provide an XInitialize interface,
+     * use this variable in order to typecast the XInterface to the
+     * correct interface type.
+     */
+    bool m_bIsPreviousNodeInitializable;
+
+    /*
+     * a flag representing whether the SAXEventKeeper is now on the
+     * SAX chain.
+     */
+    bool m_bIsSAXEventKeeperConnected;
+
+    /*
+     * a flag representing whether it is collecting some element,
+     * which means that the SAXEventKeeper can't be chained off the
+     * SAX chain.
+     */
+    bool m_bIsCollectingElement;
+
+    /*
+     * a flag representing whether the SAX event stream is blocking,
+     * which also means that the SAXEventKeeper can't be chained off
+     * the SAX chain.
+     */
+    bool m_bIsBlocking;
+
+    /*
+     * a flag representing the current status of security related
+     * components.
+     */
+
+    /*
+     * status of security related components
+     */
+    enum class InitializationState { UNINITIALIZED, INITIALIZED, FAILTOINITIALIZED } m_eStatusOfSecurityComponents;
+
+    /*
+     * a flag representing whether the SAXEventKeeper need to be
+     * on the SAX chain all the time.
+     * This flag is used to the situation when creating signature.
+     */
+    bool m_bIsSAXEventKeeperSticky;
+
+    /*
+     * the XSecParser which is used to parse the signature stream
+     */
+    css::uno::Reference<css::xml::sax::XDocumentHandler> m_xSecParser;
+
+    /*
+     * the caller assigned signature id for the next signature in the
+     * signature stream
+     */
+    sal_Int32 m_nReservedSignatureId;
+
+    /*
+     * representing whether to verify the current signature
+     */
+    bool m_bVerifyCurrentSignature;
+
+    /*
+     * An xUriBinding is provided to map Uris to XInputStream interfaces.
+     */
+    rtl::Reference<UriBindingHelper> m_xUriBinding;
+
+private:
+
+    /*
+     * Common methods
+     */
+    void createXSecComponent( );
+    int findSignatureInfor( sal_Int32 nSecurityId ) const;
+    bool chainOn();
+    void chainOff();
+    void checkChainingStatus();
+    void initializeSAXChain();
+
+    css::uno::Reference< css::io::XInputStream > getObjectInputStream( const OUString& objectURL );
+
+        //sal_Int32 getFastPropertyIndex(sal_Int32 nHandle) const;
+
+    /*
+     * For signature generation
+     */
+    static OUString createId();
+    css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > prepareSignatureToWrite(
+        InternalSignatureInformation& signatureInfo,
+        sal_Int32 nStorageFormat,
+        bool bXAdESCompliantIfODF );
+
+    /*
+     * For signature verification
+     */
+    void addSignature();
+    /// Sets algorithm from <SignatureMethod Algorithm="...">.
+    void setSignatureMethod(svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+    void switchGpgSignature();
+    bool haveReferenceForId(std::u16string_view rId) const;
+    void addReference(
+        const OUString& ouUri,
+        sal_Int32 nDigestID,
+        const OUString& ouType );
+    void addStreamReference(
+        const OUString& ouUri,
+        bool isBinary,
+        sal_Int32 nDigestID );
+    void setReferenceCount() const;
+
+    void setX509Data(
+        std::vector<std::pair<OUString, OUString>> & rX509IssuerSerials,
+        std::vector<OUString> const& rX509Certificates);
+    void setX509CertDigest(
+        OUString const& rCertDigest, sal_Int32 const nReferenceDigestID,
+        std::u16string_view const& rX509IssuerName, std::u16string_view const& rX509SerialNumber);
+
+    void setSignatureValue( OUString const & ouSignatureValue );
+    void setDigestValue( sal_Int32 nDigestID, OUString const & ouDigestValue );
+    void setGpgKeyID( OUString const & ouKeyID );
+    void setGpgCertificate( OUString const & ouGpgCert );
+    void setGpgOwner( OUString const & ouGpgOwner );
+
+    void setDate(OUString const& rId, OUString const& ouDate);
+    void setDescription(OUString const& rId, OUString const& rDescription);
+    void setValidSignatureImage(std::u16string_view rValidSigImg);
+    void setInvalidSignatureImage(std::u16string_view rInvalidSigImg);
+    void setSignatureLineId(const OUString& rSignatureLineId);
+
+public:
+    void setSignatureBytes(const css::uno::Sequence<sal_Int8>& rBytes);
+
+private:
+    void setId( OUString const & ouId );
+
+    css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > prepareSignatureToRead(
+        sal_Int32 nSecurityId );
+
+public:
+    explicit XSecController(css::uno::Reference<css::uno::XComponentContext> xCtx);
+    virtual ~XSecController() override;
+
+    sal_Int32 getNewSecurityId(  );
+
+    void startMission(const rtl::Reference<UriBindingHelper>& xUriBinding, const css::uno::Reference<css::xml::crypto::XXMLSecurityContext>& xSecurityContext);
+
+    void setSAXChainConnector(const css::uno::Reference< css::lang::XInitialization >& xInitialization);
+
+    void clearSAXChainConnector();
+    void endMission();
+
+    SignatureInformation    getSignatureInformation( sal_Int32 nSecurityId ) const;
+    SignatureInformations   getSignatureInformations() const;
+    /// only verify can figure out which X509Data is the signing certificate
+    void UpdateSignatureInformation(sal_Int32 nSecurityId,
+            std::vector<SignatureInformation::X509Data> && rDatas);
+
+    static void exportSignature(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
+        const SignatureInformation& signatureInfo,
+        bool bXAdESCompliantIfODF );
+
+
+    /*
+     * For signature generation
+     */
+    void signAStream( sal_Int32 securityId, const OUString& uri, bool isBinary, bool bXAdESCompliantIfODF);
+
+
+    /** sets data that describes the certificate.
+
+        It is absolutely necessary that the parameter ouX509IssuerName is set. It contains
+        the base64 encoded certificate, which is DER encoded. The XMLSec needs it to find
+        the private key. Although issuer name and certificate should be sufficient to identify
+        the certificate the implementation in XMLSec is broken, both for Windows and mozilla.
+        The reason is that they use functions to find the certificate which take as parameter
+        the DER encoded ASN.1 issuer name. The issuer name is a DName, where most attributes
+        are of type DirectoryName, which is a choice of 5 string types. This information is
+        not contained in the issuer string and while it is converted to the ASN.1 name the
+        conversion function must assume a particular type, which is often wrong. For example,
+        the Windows function CertStrToName will use a T.61 string if the string does not contain
+        special characters. So if the certificate uses simple characters but encodes the
+        issuer attributes in Utf8, then CertStrToName will use T.61. The resulting DER encoded
+        ASN.1 name now contains different bytes which indicate the string type. The functions
+        for finding the certificate apparently use memcmp - hence they fail to find the
+        certificate.
+     */
+    void setX509Certificate(
+        sal_Int32 nSecurityId,
+        const OUString& ouX509IssuerName,
+        const OUString& ouX509SerialNumber,
+        const OUString& ouX509Cert,
+        const OUString& ouX509CertDigest,
+        svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+
+    void addEncapsulatedX509Certificate(const OUString& rEncapsulatedX509Certificate);
+
+    void setGpgCertificate(
+        sal_Int32 nSecurityId,
+        const OUString& ouCertDigest,
+        const OUString& ouCert,
+        const OUString& ouOwner);
+
+    void setDate(
+        sal_Int32 nSecurityId,
+        const css::util::DateTime& rDateTime );
+    void setDescription(sal_Int32 nSecurityId, const OUString& rDescription);
+    void setSignatureLineId(sal_Int32 nSecurityId, const OUString& rSignatureLineId);
+    void
+    setSignatureLineValidGraphic(sal_Int32 nSecurityId,
+                                 const css::uno::Reference<css::graphic::XGraphic>& xValidGraphic);
+    void setSignatureLineInvalidGraphic(
+        sal_Int32 nSecurityId, const css::uno::Reference<css::graphic::XGraphic>& xInvalidGraphic);
+
+    bool WriteSignature(
+        const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
+        bool bXAdESCompliantIfODF);
+
+    /*
+     * For signature verification
+     */
+    void collectToVerify( std::u16string_view referenceId );
+    void addSignature( sal_Int32 nSignatureId );
+    css::uno::Reference< css::xml::sax::XDocumentHandler > const & createSignatureReader(XMLSignatureHelper& rXMLSignatureHelper, sal_Int32 nType = 0);
+    void releaseSignatureReader();
+
+public:
+    /* Interface methods */
+
+    /*
+     * XSAXEventKeeperStatusChangeListener
+     */
+    virtual void SAL_CALL blockingStatusChanged( sal_Bool isBlocking ) override;
+    virtual void SAL_CALL collectionStatusChanged(
+        sal_Bool isInsideCollectedElement ) override;
+    virtual void SAL_CALL bufferStatusChanged( sal_Bool isBufferEmpty ) override;
+
+    /*
+     * XSignatureCreationResultListener
+     */
+    virtual void SAL_CALL signatureCreated( sal_Int32 securityId, css::xml::crypto::SecurityOperationStatus nResult ) override;
+
+    /*
+     * XSignatureVerifyResultListener
+     */
+    virtual void SAL_CALL signatureVerified( sal_Int32 securityId, css::xml::crypto::SecurityOperationStatus nResult ) override;
+
+    /// Writes XML elements inside a single OOXML signature's <Signature> element.
+    bool WriteOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler);
+    /// Exports an OOXML signature, called by WriteOOXMLSignature().
+    void exportOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler, const SignatureInformation& rInformation);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/xmlsecurity/inc/xsecxmlsecdllapi.h b/xmlsecurity/inc/xsecxmlsecdllapi.h
new file mode 100644
index 0000000000..36f8ad52ac
--- /dev/null
+++ b/xmlsecurity/inc/xsecxmlsecdllapi.h
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <sal/types.h>
+
+#if defined(XSECXMLSEC_DLLIMPLEMENTATION)
+#define XSECXMLSEC_DLLPUBLIC SAL_DLLPUBLIC_EXPORT
+#else
+#define XSECXMLSEC_DLLPUBLIC SAL_DLLPUBLIC_IMPORT
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
-- 
cgit v1.2.3