strepsirrhini/office-gobmx
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ucb: cmis: remove CertValidationHandler

Browse source 
Bothering users with a dialog for a problematic TLS certificate just
conditions them to click OK and compromise their security.

WebDAV UCP already doesn't show such a dialog since LO 7.3, now remove
the dialog from CMIS UCP too.

Users can add any self-signed CAs they want to use to the operating
system trusted CA store, for example with p11-kit's trust(1).

Change-Id: Iedb8518923f9ac75c33a3b0df6ff795a7810a18a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169338
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
This commit is contained in:
Michael Stahl 2024-06-21 16:23:24 +02:00
parent 62529d1eee
commit 9413f2b39c
5 changed files with 0 additions and 185 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ucb/Library_ucpcmis1.mk
View file

@ -50,7 +50,6 @@ endif
$(eval $(call gb_Library_add_exception_objects,ucpcmis1,\
ucb/source/ucp/cmis/auth_provider \
ucb/source/ucp/cmis/certvalidation_handler \
ucb/source/ucp/cmis/cmis_content \
ucb/source/ucp/cmis/cmis_repo_content \
ucb/source/ucp/cmis/cmis_datasupplier \

126
ucb/source/ucp/cmis/certvalidation_handler.cxx
View file

@ -1,126 +0,0 @@
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This file is part of the LibreOffice project.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* This file incorporates work covered by the following license notice:
*
*/
#include <com/sun/star/security/CertificateContainer.hpp>
#include <com/sun/star/security/XCertificate.hpp>
#include <com/sun/star/security/XCertificateContainer.hpp>
#include <com/sun/star/xml/crypto/SEInitializer.hpp>
#include <com/sun/star/xml/crypto/XSecurityEnvironment.hpp>
#include <rtl/ref.hxx>
#include <comphelper/sequence.hxx>
#include <ucbhelper/simplecertificatevalidationrequest.hxx>
#include "certvalidation_handler.hxx"
#define STD_TO_OUSTR( str ) OUString( str.c_str(), str.length( ), RTL_TEXTENCODING_UTF8 )
using namespace com::sun::star;
namespace cmis
{
bool CertValidationHandler::validateCertificate( std::vector< std::string > aCertificates )
{
bool bValidate = false;
if ( !aCertificates.empty() && m_xEnv.is() )
{
uno::Reference< xml::crypto::XSEInitializer > xSEInitializer;
try
{
xSEInitializer = xml::crypto::SEInitializer::create( m_xContext );
}
catch ( uno::Exception const & )
{
}
if ( xSEInitializer.is() )
{
uno::Reference< xml::crypto::XXMLSecurityContext > xSecurityContext(
xSEInitializer->createSecurityContext( OUString() ) );
uno::Reference< xml::crypto::XSecurityEnvironment > xSecurityEnv(
xSecurityContext->getSecurityEnvironment() );
std::vector< std::string >::iterator pIt = aCertificates.begin();
std::string sCert = *pIt;
// We need to get rid of the PEM header/footer lines
OUString sCleanCert = STD_TO_OUSTR( sCert );
sCleanCert = sCleanCert.replaceAll( "-----BEGIN CERTIFICATE-----", "" );
sCleanCert = sCleanCert.replaceAll( "-----END CERTIFICATE-----", "" );
uno::Reference< security::XCertificate > xCert(
xSecurityEnv->createCertificateFromAscii(
sCleanCert ) );
uno::Reference< security::XCertificateContainer > xCertificateContainer;
try
{
xCertificateContainer = security::CertificateContainer::create( m_xContext );
}
catch ( uno::Exception const & )
{
}
if ( xCertificateContainer.is( ) )
{
security::CertificateContainerStatus status(
xCertificateContainer->hasCertificate(
m_sHostname, xCert->getSubjectName() ) );
if ( status != security::CertificateContainerStatus_NOCERT )
return status == security::CertificateContainerStatus_TRUSTED;
}
// If we had no certificate, ask what to do
std::vector< uno::Reference< security::XCertificate > > vecCerts;
for ( ++pIt; pIt != aCertificates.end(); ++pIt )
{
sCert = *pIt;
uno::Reference< security::XCertificate> xImCert(
xSecurityEnv->createCertificateFromAscii(
STD_TO_OUSTR( sCert ) ) );
if ( xImCert.is() )
vecCerts.push_back( xImCert );
}
sal_Int64 certValidity = xSecurityEnv->verifyCertificate( xCert,
::comphelper::containerToSequence( vecCerts ) );
uno::Reference< task::XInteractionHandler > xIH(
m_xEnv->getInteractionHandler() );
if ( xIH.is() )
{
rtl::Reference< ucbhelper::SimpleCertificateValidationRequest >
xRequest( new ucbhelper::SimpleCertificateValidationRequest(
sal_Int32( certValidity ), xCert, m_sHostname ) );
xIH->handle( xRequest );
rtl::Reference< ucbhelper::InteractionContinuation > xSelection
= xRequest->getSelection();
if ( xSelection.is() )
{
uno::Reference< task::XInteractionApprove > xApprove(
xSelection.get(), uno::UNO_QUERY );
bValidate = xApprove.is();
// Store the decision in the container
xCertificateContainer->addCertificate(
m_sHostname, xCert->getSubjectName(), bValidate );
}
}
}
}
return bValidate;
}
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */

46
ucb/source/ucp/cmis/certvalidation_handler.hxx
View file

@ -1,46 +0,0 @@
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This file is part of the LibreOffice project.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* This file incorporates work covered by the following license notice:
*
*/
#pragma once
#if defined __GNUC__ && !defined __clang__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated"
#pragma GCC diagnostic ignored "-Wunused-but-set-parameter"
#endif
#include <libcmis/libcmis.hxx>
#if defined __GNUC__ && !defined __clang__
#pragma GCC diagnostic pop
#endif
#include <com/sun/star/ucb/XCommandEnvironment.hpp>
#include <utility>
namespace cmis
{
class CertValidationHandler : public libcmis::CertValidationHandler
{
const css::uno::Reference< css::ucb::XCommandEnvironment>& m_xEnv;
const css::uno::Reference< css::uno::XComponentContext >& m_xContext;
OUString m_sHostname;
public:
CertValidationHandler (
const css::uno::Reference< css::ucb::XCommandEnvironment>& xEnv,
const css::uno::Reference< css::uno::XComponentContext>& xContext,
OUString sHostname ):
m_xEnv( xEnv ), m_xContext( xContext ), m_sHostname(std::move( sHostname )) { }
bool validateCertificate( std::vector< std::string > certificates ) override;
};
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */

6
ucb/source/ucp/cmis/cmis_content.cxx
View file

@ -59,7 +59,6 @@
#include <utility>
#include "auth_provider.hxx"
#include "certvalidation_handler.hxx"
#include "cmis_content.hxx"
#include "cmis_provider.hxx"
#include "cmis_resultset.hxx"
@ -315,11 +314,6 @@ namespace cmis
if ( nullptr == m_pSession )
{
// Set the SSL Validation handler
libcmis::CertValidationHandlerPtr certHandler(
new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
libcmis::SessionFactory::setCertificateValidationHandler( certHandler );
// init libcurl callback
libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);

6
ucb/source/ucp/cmis/cmis_repo_content.cxx
View file

@ -33,7 +33,6 @@
#include <ucbhelper/macros.hxx>
#include "auth_provider.hxx"
#include "certvalidation_handler.hxx"
#include "cmis_content.hxx"
#include "cmis_provider.hxx"
#include "cmis_repo_content.hxx"
@ -128,11 +127,6 @@ namespace cmis
if ( !m_aRepositories.empty() )
return;
// Set the SSL Validation handler
libcmis::CertValidationHandlerPtr certHandler(
new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
libcmis::SessionFactory::setCertificateValidationHandler( certHandler );
// init libcurl callback
libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);