From 9413f2b39cb48417d75dfd3b5a28dac18541839e Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Fri, 21 Jun 2024 16:23:24 +0200 Subject: [PATCH] ucb: cmis: remove CertValidationHandler Bothering users with a dialog for a problematic TLS certificate just conditions them to click OK and compromise their security. WebDAV UCP already doesn't show such a dialog since LO 7.3, now remove the dialog from CMIS UCP too. Users can add any self-signed CAs they want to use to the operating system trusted CA store, for example with p11-kit's trust(1). Change-Id: Iedb8518923f9ac75c33a3b0df6ff795a7810a18a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169338 Tested-by: Jenkins Reviewed-by: Michael Stahl --- ucb/Library_ucpcmis1.mk | 1 - .../ucp/cmis/certvalidation_handler.cxx | 126 ------------------ .../ucp/cmis/certvalidation_handler.hxx | 46 ------- ucb/source/ucp/cmis/cmis_content.cxx | 6 - ucb/source/ucp/cmis/cmis_repo_content.cxx | 6 - 5 files changed, 185 deletions(-) delete mode 100644 ucb/source/ucp/cmis/certvalidation_handler.cxx delete mode 100644 ucb/source/ucp/cmis/certvalidation_handler.hxx diff --git a/ucb/Library_ucpcmis1.mk b/ucb/Library_ucpcmis1.mk index 707d9ff604a4..9392c86995ca 100644 --- a/ucb/Library_ucpcmis1.mk +++ b/ucb/Library_ucpcmis1.mk @@ -50,7 +50,6 @@ endif $(eval $(call gb_Library_add_exception_objects,ucpcmis1,\ ucb/source/ucp/cmis/auth_provider \ - ucb/source/ucp/cmis/certvalidation_handler \ ucb/source/ucp/cmis/cmis_content \ ucb/source/ucp/cmis/cmis_repo_content \ ucb/source/ucp/cmis/cmis_datasupplier \ diff --git a/ucb/source/ucp/cmis/certvalidation_handler.cxx b/ucb/source/ucp/cmis/certvalidation_handler.cxx deleted file mode 100644 index 0080df37a483..000000000000 --- a/ucb/source/ucp/cmis/certvalidation_handler.cxx +++ /dev/null 
@@ -1,126 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*
- * This file is part of the LibreOffice project.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * This file incorporates work covered by the following license notice:
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-#include "certvalidation_handler.hxx"
-
-#define STD_TO_OUSTR( str ) OUString( str.c_str(), str.length( ), RTL_TEXTENCODING_UTF8 )
-
-using namespace com::sun::star;
-
-namespace cmis
-{
- bool CertValidationHandler::validateCertificate( std::vector< std::string > aCertificates )
- {
- bool bValidate = false;
- if ( !aCertificates.empty() && m_xEnv.is() )
- {
- uno::Reference< xml::crypto::XSEInitializer > xSEInitializer;
- try
- {
- xSEInitializer = xml::crypto::SEInitializer::create( m_xContext );
- }
- catch ( uno::Exception const & )
- {
- }
-
- if ( xSEInitializer.is() )
- {
- uno::Reference< xml::crypto::XXMLSecurityContext > xSecurityContext(
- xSEInitializer->createSecurityContext( OUString() ) );
-
- uno::Reference< xml::crypto::XSecurityEnvironment > xSecurityEnv(
- xSecurityContext->getSecurityEnvironment() );
-
- std::vector< std::string >::iterator pIt = aCertificates.begin();
- std::string sCert = *pIt;
- // We need to get rid of the PEM header/footer lines
- OUString sCleanCert = STD_TO_OUSTR( sCert );
- sCleanCert = sCleanCert.replaceAll( "-----BEGIN CERTIFICATE-----", "" );
- sCleanCert = sCleanCert.replaceAll( "-----END CERTIFICATE-----", "" );
- uno::Reference< security::XCertificate > xCert(
- xSecurityEnv->createCertificateFromAscii(
- sCleanCert ) );
-
- uno::Reference< security::XCertificateContainer > xCertificateContainer;
- try
- {
- xCertificateContainer = security::CertificateContainer::create( m_xContext );
- }
- catch ( uno::Exception const & )
- {
- }
-
- if ( xCertificateContainer.is( ) )
- {
- security::CertificateContainerStatus status(
- xCertificateContainer->hasCertificate(
- m_sHostname, xCert->getSubjectName() ) );
-
- if ( status != security::CertificateContainerStatus_NOCERT )
- return status == security::CertificateContainerStatus_TRUSTED;
- }
-
- // If we had no certificate, ask what to do
- std::vector< uno::Reference< security::XCertificate > > vecCerts;
-
- for ( ++pIt; pIt != aCertificates.end(); ++pIt )
- {
- sCert = *pIt;
- uno::Reference< security::XCertificate> xImCert(
- xSecurityEnv->createCertificateFromAscii(
- STD_TO_OUSTR( sCert ) ) );
- if ( xImCert.is() )
- vecCerts.push_back( xImCert );
- }
-
- sal_Int64 certValidity = xSecurityEnv->verifyCertificate( xCert,
- ::comphelper::containerToSequence( vecCerts ) );
-
- uno::Reference< task::XInteractionHandler > xIH(
- m_xEnv->getInteractionHandler() );
- if ( xIH.is() )
- {
- rtl::Reference< ucbhelper::SimpleCertificateValidationRequest >
- xRequest( new ucbhelper::SimpleCertificateValidationRequest(
- sal_Int32( certValidity ), xCert, m_sHostname ) );
- xIH->handle( xRequest );
- rtl::Reference< ucbhelper::InteractionContinuation > xSelection
- = xRequest->getSelection();
-
- if ( xSelection.is() )
- {
- uno::Reference< task::XInteractionApprove > xApprove(
- xSelection.get(), uno::UNO_QUERY );
- bValidate = xApprove.is();
-
- // Store the decision in the container
- xCertificateContainer->addCertificate(
- m_sHostname, xCert->getSubjectName(), bValidate );
- }
- }
- }
- }
- return bValidate;
- }
-}
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/ucb/source/ucp/cmis/certvalidation_handler.hxx b/ucb/source/ucp/cmis/certvalidation_handler.hxx
deleted file mode 100644
index ae46c8397f3c..000000000000
--- a/ucb/source/ucp/cmis/certvalidation_handler.hxx
+++ /dev/null
@@ -1,46 +0,0 @@ -/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ -/* - * This file is part of the LibreOffice project. - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * This file incorporates work covered by the following license notice: - * - */ -#pragma once - -#if defined __GNUC__ && !defined __clang__ -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated" -#pragma GCC diagnostic ignored "-Wunused-but-set-parameter" -#endif -#include -#if defined __GNUC__ && !defined __clang__ -#pragma GCC diagnostic pop -#endif - -#include -#include - -namespace cmis -{ - class CertValidationHandler : public libcmis::CertValidationHandler - { - const css::uno::Reference< css::ucb::XCommandEnvironment>& m_xEnv; - const css::uno::Reference< css::uno::XComponentContext >& m_xContext; - OUString m_sHostname; - - public: - CertValidationHandler ( - const css::uno::Reference< css::ucb::XCommandEnvironment>& xEnv, - const css::uno::Reference< css::uno::XComponentContext>& xContext, - OUString sHostname ): - m_xEnv( xEnv ), m_xContext( xContext ), m_sHostname(std::move( sHostname )) { } - - bool validateCertificate( std::vector< std::string > certificates ) override; - }; -} - -/* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx index c1808f8bc492..6bd5146bb7bc 100644 --- a/ucb/source/ucp/cmis/cmis_content.cxx +++ b/ucb/source/ucp/cmis/cmis_content.cxx @@ -59,7 +59,6 @@ #include #include "auth_provider.hxx" -#include "certvalidation_handler.hxx" #include "cmis_content.hxx" #include "cmis_provider.hxx" #include "cmis_resultset.hxx" 
@@ -315,11 +314,6 @@ namespace cmis if ( nullptr == m_pSession ) { - // Set the SSL Validation handler - libcmis::CertValidationHandlerPtr certHandler( - new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) ); - libcmis::SessionFactory::setCertificateValidationHandler( certHandler ); - // init libcurl callback libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy); diff --git a/ucb/source/ucp/cmis/cmis_repo_content.cxx b/ucb/source/ucp/cmis/cmis_repo_content.cxx index 38c261cdf3b8..87742e14bf99 100644 --- a/ucb/source/ucp/cmis/cmis_repo_content.cxx +++ b/ucb/source/ucp/cmis/cmis_repo_content.cxx @@ -33,7 +33,6 @@ #include #include "auth_provider.hxx" -#include "certvalidation_handler.hxx" #include "cmis_content.hxx" #include "cmis_provider.hxx" #include "cmis_repo_content.hxx" @@ -128,11 +127,6 @@ namespace cmis if ( !m_aRepositories.empty() ) return; - // Set the SSL Validation handler - libcmis::CertValidationHandlerPtr certHandler( - new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) ); - libcmis::SessionFactory::setCertificateValidationHandler( certHandler ); - // init libcurl callback libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);