summaryrefslogtreecommitdiffstats
path: root/xmlsecurity/inc/xsecctl.hxx
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:06:44 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:06:44 +0000
commited5640d8b587fbcfed7dd7967f3de04b37a76f26 (patch)
tree7a5f7c6c9d02226d7471cb3cc8fbbf631b415303 /xmlsecurity/inc/xsecctl.hxx
parentInitial commit. (diff)
downloadlibreoffice-ed5640d8b587fbcfed7dd7967f3de04b37a76f26.tar.xz
libreoffice-ed5640d8b587fbcfed7dd7967f3de04b37a76f26.zip
Adding upstream version 4:7.4.7.upstream/4%7.4.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'xmlsecurity/inc/xsecctl.hxx')
-rw-r--r--xmlsecurity/inc/xsecctl.hxx408
1 files changed, 408 insertions, 0 deletions
diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
new file mode 100644
index 000000000..adfd251b1
--- /dev/null
+++ b/xmlsecurity/inc/xsecctl.hxx
@@ -0,0 +1,408 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed
+ * with this work for additional information regarding copyright
+ * ownership. The ASF licenses this file to you under the Apache
+ * License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#pragma once
+
+#include <svl/sigstruct.hxx>
+
+#include <com/sun/star/xml/crypto/sax/XSAXEventKeeperStatusChangeListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XSignatureCreationResultListener.hpp>
+#include <com/sun/star/xml/crypto/sax/XSignatureVerifyResultListener.hpp>
+
+#include <rtl/ref.hxx>
+#include <cppuhelper/implbase.hxx>
+
+#include <vector>
+
+#include "UriBindingHelper.hxx"
+
+namespace com::sun::star::embed { class XStorage; }
+namespace com::sun::star::graphic { class XGraphic; }
+namespace com::sun::star::io { class XInputStream; }
+namespace com::sun::star::lang { class XInitialization; }
+namespace com::sun::star::uno { class XComponentContext; }
+namespace com::sun::star::xml::crypto { class XXMLSecurityContext; }
+namespace com::sun::star::xml::crypto { class XXMLSignature; }
+namespace com::sun::star::xml::crypto:: sax { class XReferenceResolvedListener; }
+namespace com::sun::star::xml::sax { class XDocumentHandler; }
+
+inline constexpr OUStringLiteral NS_XMLDSIG = u"http://www.w3.org/2000/09/xmldsig#";
+inline constexpr OUStringLiteral NS_DC = u"http://purl.org/dc/elements/1.1/";
+inline constexpr OUStringLiteral NS_XD = u"http://uri.etsi.org/01903/v1.3.2#";
+inline constexpr OUStringLiteral NS_MDSSI = u"http://schemas.openxmlformats.org/package/2006/digital-signature";
+inline constexpr OUStringLiteral NS_LOEXT = u"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0";
+
+inline constexpr OUStringLiteral ALGO_C14N = u"http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
+inline constexpr OUStringLiteral ALGO_RSASHA1 = u"http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+inline constexpr OUStringLiteral ALGO_RSASHA256 = u"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+inline constexpr OUStringLiteral ALGO_RSASHA512 = u"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
+inline constexpr OUStringLiteral ALGO_ECDSASHA1 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
+inline constexpr OUStringLiteral ALGO_ECDSASHA256 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+inline constexpr OUStringLiteral ALGO_ECDSASHA512 = u"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";
+inline constexpr OUStringLiteral ALGO_XMLDSIGSHA1 = u"http://www.w3.org/2000/09/xmldsig#sha1";
+inline constexpr OUStringLiteral ALGO_XMLDSIGSHA256 = u"http://www.w3.org/2001/04/xmlenc#sha256";
+inline constexpr OUStringLiteral ALGO_XMLDSIGSHA512 = u"http://www.w3.org/2001/04/xmlenc#sha512";
+inline constexpr OUStringLiteral ALGO_RELATIONSHIP = u"http://schemas.openxmlformats.org/package/2006/RelationshipTransform";
+
+class XMLDocumentWrapper_XmlSecImpl;
+class SAXEventKeeperImpl;
+class XMLSignatureHelper;
+namespace svl::crypto { enum class SignatureMethodAlgorithm; }
+
+class InternalSignatureInformation
+{
+public:
+ SignatureInformation signatureInfor;
+
+ css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > xReferenceResolvedListener;
+
+ ::std::vector< sal_Int32 > vKeeperIds;
+
+ InternalSignatureInformation(
+ sal_Int32 nId,
+ css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > const & xListener)
+ :signatureInfor(nId)
+ {
+ xReferenceResolvedListener = xListener;
+ }
+
+ void addReference( SignatureReferenceType type, sal_Int32 digestID, const OUString& uri, sal_Int32 keeperId, const OUString& rType )
+ {
+ signatureInfor.vSignatureReferenceInfors.push_back(
+ SignatureReferenceInformation(type, digestID, uri, rType));
+ vKeeperIds.push_back( keeperId );
+ }
+};
+
+class XSecController final : public cppu::WeakImplHelper
+<
+ css::xml::crypto::sax::XSAXEventKeeperStatusChangeListener,
+ css::xml::crypto::sax::XSignatureCreationResultListener,
+ css::xml::crypto::sax::XSignatureVerifyResultListener
+>
+/****** XSecController.hxx/CLASS XSecController *******************************
+ *
+ * NAME
+ * XSecController -- the xml security framework controller
+ *
+ * FUNCTION
+ * Controls the whole xml security framework to create signatures or to
+ * verify signatures.
+ *
+ ******************************************************************************/
+{
+ friend class XSecParser;
+ friend class OOXMLSecParser;
+
+private:
+ css::uno::Reference< css::uno::XComponentContext> mxCtx;
+
+ /*
+ * used to buffer SAX events
+ */
+ rtl::Reference<XMLDocumentWrapper_XmlSecImpl> m_xXMLDocumentWrapper;
+
+ /*
+ * the SAX events keeper
+ */
+ rtl::Reference<SAXEventKeeperImpl> m_xSAXEventKeeper;
+
+ /*
+ * the bridge component which creates/verifies signature
+ */
+ css::uno::Reference< css::xml::crypto::XXMLSignature > m_xXMLSignature;
+
+ /*
+ * the Security Context
+ */
+ css::uno::Reference< css::xml::crypto::XXMLSecurityContext > m_xSecurityContext;
+
+ /*
+ * the security id incrementer, in order to make any security id unique
+ * to the SAXEventKeeper.
+ * Because each XSecController has its own SAXEventKeeper, so this variable
+ * is not necessary to be static.
+ */
+ sal_Int32 m_nNextSecurityId;
+
+ /*
+ * Signature information
+ */
+ std::vector< InternalSignatureInformation > m_vInternalSignatureInformations;
+
+ /*
+ * the previous node on the SAX chain.
+ * The reason that use a Reference<XInterface> type variable
+ * is that the previous components are different when exporting
+ * and importing, and there is no other common interface they
+ * can provided.
+ */
+ css::uno::Reference< css::uno::XInterface > m_xPreviousNodeOnSAXChain;
+ /*
+ * whether the previous node can provide an XInitialize interface,
+ * use this variable in order to typecast the XInterface to the
+ * correct interface type.
+ */
+ bool m_bIsPreviousNodeInitializable;
+
+ /*
+ * a flag representing whether the SAXEventKeeper is now on the
+ * SAX chain.
+ */
+ bool m_bIsSAXEventKeeperConnected;
+
+ /*
+ * a flag representing whether it is collecting some element,
+ * which means that the SAXEventKeeper can't be chained off the
+ * SAX chain.
+ */
+ bool m_bIsCollectingElement;
+
+ /*
+ * a flag representing whether the SAX event stream is blocking,
+ * which also means that the SAXEventKeeper can't be chained off
+ * the SAX chain.
+ */
+ bool m_bIsBlocking;
+
+ /*
+ * a flag representing the current status of security related
+ * components.
+ */
+
+ /*
+ * status of security related components
+ */
+ enum class InitializationState { UNINITIALIZED, INITIALIZED, FAILTOINITIALIZED } m_eStatusOfSecurityComponents;
+
+ /*
+ * a flag representing whether the SAXEventKeeper need to be
+ * on the SAX chain all the time.
+ * This flag is used to the situation when creating signature.
+ */
+ bool m_bIsSAXEventKeeperSticky;
+
+ /*
+ * the XSecParser which is used to parse the signature stream
+ */
+ css::uno::Reference<css::xml::sax::XDocumentHandler> m_xSecParser;
+
+ /*
+ * the caller assigned signature id for the next signature in the
+ * signature stream
+ */
+ sal_Int32 m_nReservedSignatureId;
+
+ /*
+ * representing whether to verify the current signature
+ */
+ bool m_bVerifyCurrentSignature;
+
+ /*
+ * An xUriBinding is provided to map Uris to XInputStream interfaces.
+ */
+ rtl::Reference<UriBindingHelper> m_xUriBinding;
+
+private:
+
+ /*
+ * Common methods
+ */
+ void createXSecComponent( );
+ int findSignatureInfor( sal_Int32 nSecurityId ) const;
+ bool chainOn();
+ void chainOff();
+ void checkChainingStatus();
+ void initializeSAXChain();
+
+ css::uno::Reference< css::io::XInputStream > getObjectInputStream( const OUString& objectURL );
+
+ //sal_Int32 getFastPropertyIndex(sal_Int32 nHandle) const;
+
+ /*
+ * For signature generation
+ */
+ static OUString createId();
+ css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > prepareSignatureToWrite(
+ InternalSignatureInformation& signatureInfo,
+ sal_Int32 nStorageFormat,
+ bool bXAdESCompliantIfODF );
+
+ /*
+ * For signature verification
+ */
+ void addSignature();
+ /// Sets algorithm from <SignatureMethod Algorithm="...">.
+ void setSignatureMethod(svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+ void switchGpgSignature();
+ bool haveReferenceForId(std::u16string_view rId) const;
+ void addReference(
+ const OUString& ouUri,
+ sal_Int32 nDigestID,
+ const OUString& ouType );
+ void addStreamReference(
+ const OUString& ouUri,
+ bool isBinary,
+ sal_Int32 nDigestID );
+ void setReferenceCount() const;
+
+ void setX509Data(
+ std::vector<std::pair<OUString, OUString>> & rX509IssuerSerials,
+ std::vector<OUString> const& rX509Certificates);
+ void setX509CertDigest(
+ OUString const& rCertDigest, sal_Int32 const nReferenceDigestID,
+ std::u16string_view const& rX509IssuerName, std::u16string_view const& rX509SerialNumber);
+
+ void setSignatureValue( OUString const & ouSignatureValue );
+ void setDigestValue( sal_Int32 nDigestID, OUString const & ouDigestValue );
+ void setGpgKeyID( OUString const & ouKeyID );
+ void setGpgCertificate( OUString const & ouGpgCert );
+ void setGpgOwner( OUString const & ouGpgOwner );
+
+ void setDate(OUString const& rId, OUString const& ouDate);
+ void setDescription(OUString const& rId, OUString const& rDescription);
+ void setValidSignatureImage(std::u16string_view rValidSigImg);
+ void setInvalidSignatureImage(std::u16string_view rInvalidSigImg);
+ void setSignatureLineId(const OUString& rSignatureLineId);
+
+public:
+ void setSignatureBytes(const css::uno::Sequence<sal_Int8>& rBytes);
+
+private:
+ void setId( OUString const & ouId );
+
+ css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > prepareSignatureToRead(
+ sal_Int32 nSecurityId );
+
+public:
+ explicit XSecController(const css::uno::Reference<css::uno::XComponentContext>& rxCtx);
+ virtual ~XSecController() override;
+
+ sal_Int32 getNewSecurityId( );
+
+ void startMission(const rtl::Reference<UriBindingHelper>& xUriBinding, const css::uno::Reference<css::xml::crypto::XXMLSecurityContext>& xSecurityContext);
+
+ void setSAXChainConnector(const css::uno::Reference< css::lang::XInitialization >& xInitialization);
+
+ void clearSAXChainConnector();
+ void endMission();
+
+ SignatureInformation getSignatureInformation( sal_Int32 nSecurityId ) const;
+ SignatureInformations getSignatureInformations() const;
+ /// only verify can figure out which X509Data is the signing certificate
+ void UpdateSignatureInformation(sal_Int32 nSecurityId,
+ std::vector<SignatureInformation::X509Data> && rDatas);
+
+ static void exportSignature(
+ const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
+ const SignatureInformation& signatureInfo,
+ bool bXAdESCompliantIfODF );
+
+
+ /*
+ * For signature generation
+ */
+ void signAStream( sal_Int32 securityId, const OUString& uri, bool isBinary, bool bXAdESCompliantIfODF);
+
+
+ /** sets data that describes the certificate.
+
+ It is absolutely necessary that the parameter ouX509IssuerName is set. It contains
+ the base64 encoded certificate, which is DER encoded. The XMLSec needs it to find
+ the private key. Although issuer name and certificate should be sufficient to identify
+ the certificate the implementation in XMLSec is broken, both for Windows and mozilla.
+ The reason is that they use functions to find the certificate which take as parameter
+ the DER encoded ASN.1 issuer name. The issuer name is a DName, where most attributes
+ are of type DirectoryName, which is a choice of 5 string types. This information is
+ not contained in the issuer string and while it is converted to the ASN.1 name the
+ conversion function must assume a particular type, which is often wrong. For example,
+ the Windows function CertStrToName will use a T.61 string if the string does not contain
+ special characters. So if the certificate uses simple characters but encodes the
+ issuer attributes in Utf8, then CertStrToName will use T.61. The resulting DER encoded
+ ASN.1 name now contains different bytes which indicate the string type. The functions
+ for finding the certificate apparently use memcmp - hence they fail to find the
+ certificate.
+ */
+ void setX509Certificate(
+ sal_Int32 nSecurityId,
+ const OUString& ouX509IssuerName,
+ const OUString& ouX509SerialNumber,
+ const OUString& ouX509Cert,
+ const OUString& ouX509CertDigest,
+ svl::crypto::SignatureMethodAlgorithm eAlgorithmID);
+
+ void addEncapsulatedX509Certificate(const OUString& rEncapsulatedX509Certificate);
+
+ void setGpgCertificate(
+ sal_Int32 nSecurityId,
+ const OUString& ouCertDigest,
+ const OUString& ouCert,
+ const OUString& ouOwner);
+
+ void setDate(
+ sal_Int32 nSecurityId,
+ const css::util::DateTime& rDateTime );
+ void setDescription(sal_Int32 nSecurityId, const OUString& rDescription);
+ void setSignatureLineId(sal_Int32 nSecurityId, const OUString& rSignatureLineId);
+ void
+ setSignatureLineValidGraphic(sal_Int32 nSecurityId,
+ const css::uno::Reference<css::graphic::XGraphic>& xValidGraphic);
+ void setSignatureLineInvalidGraphic(
+ sal_Int32 nSecurityId, const css::uno::Reference<css::graphic::XGraphic>& xInvalidGraphic);
+
+ bool WriteSignature(
+ const css::uno::Reference< css::xml::sax::XDocumentHandler >& xDocumentHandler,
+ bool bXAdESCompliantIfODF);
+
+ /*
+ * For signature verification
+ */
+ void collectToVerify( std::u16string_view referenceId );
+ void addSignature( sal_Int32 nSignatureId );
+ css::uno::Reference< css::xml::sax::XDocumentHandler > const & createSignatureReader(XMLSignatureHelper& rXMLSignatureHelper, sal_Int32 nType = 0);
+ void releaseSignatureReader();
+
+public:
+ /* Interface methods */
+
+ /*
+ * XSAXEventKeeperStatusChangeListener
+ */
+ virtual void SAL_CALL blockingStatusChanged( sal_Bool isBlocking ) override;
+ virtual void SAL_CALL collectionStatusChanged(
+ sal_Bool isInsideCollectedElement ) override;
+ virtual void SAL_CALL bufferStatusChanged( sal_Bool isBufferEmpty ) override;
+
+ /*
+ * XSignatureCreationResultListener
+ */
+ virtual void SAL_CALL signatureCreated( sal_Int32 securityId, css::xml::crypto::SecurityOperationStatus nResult ) override;
+
+ /*
+ * XSignatureVerifyResultListener
+ */
+ virtual void SAL_CALL signatureVerified( sal_Int32 securityId, css::xml::crypto::SecurityOperationStatus nResult ) override;
+
+ /// Writes XML elements inside a single OOXML signature's <Signature> element.
+ bool WriteOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler);
+ /// Exports an OOXML signature, called by WriteOOXMLSignature().
+ void exportOOXMLSignature(const css::uno::Reference<css::embed::XStorage>& xRootStorage, const css::uno::Reference<css::xml::sax::XDocumentHandler>& xDocumentHandler, const SignatureInformation& rInformation);
+};
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */