strepsirrhini/office-gobmx
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
office-gobmx/xmlsecurity
History
Miklos Vajna 12e5082537 cool#9992 lok doc sign, hash extract: initial getCommandValues('Signature') 
The trouble with signing via ca/cert/key PEM files is that usually the
CA is not trusted by the received of the signature. 3rd-party services
are available to do generate trusted signatures, but then you need to
share your document with them, which can be also problematic.

A middle-ground here is to sign the hash of the document by a 3rd-party,
something that's supported by e.g.
<https://docs.eideasy.com/electronic-signatures/api-flow-with-file-hashes-pdf.html>
(which itself aggregates a number of providers).

As a first step, add LOK API to get what would be the signature time
during signing -- but instead of actually signing, just return this
information. Once the same is done with the doc hash, this is supposed
to provide the same info than what the reference
<https://github.com/eideasy/eideasy-external-pades-digital-signatures>
app does.

This is only a start: incrementally replace XCertificate with
SignatureContext, which allows aborting the signing right before calling
into NSS, and also later it'll allow injecting the PKCS#7 object we get
from the 3rd-party.

Change-Id: I108564f047fdb4fb796240c7d18a584cd9044313
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176279
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2024-11-08 21:40:22 +01:00
..
doc
inc loplugin:passstuffbyref in ucb..xmlsecurity 2024-11-07 14:31:24 +01:00
qa cool#9992 lok doc sign, hash extract: initial getCommandValues('Signature') 2024-11-08 21:40:22 +01:00
source cool#9992 lok doc sign, hash extract: initial getCommandValues('Signature') 2024-11-08 21:40:22 +01:00
test_docs
uiconfig/ui
util
workben
AllLangMoTarget_xsc.mk
CppunitTest_qa_certext.mk
CppunitTest_xmlsecurity_dialogs_test.mk
CppunitTest_xmlsecurity_pdfsigning.mk
CppunitTest_xmlsecurity_signing.mk cool#9992 lok doc sign, hash extract: initial getCommandValues('Signature') 2024-11-08 21:40:22 +01:00
CppunitTest_xmlsecurity_signing2.mk
CppunitTest_xmlsecurity_xmlsec.mk
Executable_pdfverify.mk
IwyuFilter_xmlsecurity.yaml
Library_xmlsecurity.mk
Library_xsec_xmlsec.mk
Makefile
Module_xmlsecurity.mk
README.md
UIConfig_xmlsec.mk
UITest_xmlsecurity_gpg.mk

README.md

Document Signing

Introduction

This code provides dialogs, and infrastructure wrapping libxmlsec and gpgme that implements document signing.

For signing a document, a personal key pair is used, which consists of a private key and a public key, which is added to the document in addition to the digital signature of the document, when signing it.

The document signing can be done both for the source ODF/OOXML files and the exported PDF files. It is also possible to sign existing PDF files.

Module Contents

  • doc: OpenDocument workflow legacy information with some illustrations to have an idea of the workflow, for starters check doc/OpenDocumentSignatures-Workflow.odt.
  • inc: Headers to a subset of source files inside the module, parts like source/framework have headers inside the folder.
  • qa: Unit tests for signing and shell scripts for certificates creation for testing.
  • test_docs: Documents & certificates used for testing.
  • source: More on that below.
  • uiconfig: User interface configuration for different dialogs, it is recommended to navigate from relevant source file to the .ui file linked in the class which will be under uiconfig/ui.
  • util: UNO passive registration config for GPG/ NSS.

Source Primary Contents

  • component: Main implementation of DocumentDigitalSignatures where the interaction with security environment and certificates occur.
  • dialogs: Certificate & Signatures management dialogs.
    • certificatechooser: Dialog that allows you to find and choose certificates or signatures for encryption.
    • certificateviewer: More detailed information about each certificate.
    • digitalsignaturesdialog: Main window for signatures of the documents and the start point of signing document.
  • framework: Various elements for verifying signatures and running security engine.
  • gpg: The implementation of encrypting with GPG and security environment initialization.
  • helper: Some helper classes that include signatures manager and the helpers for PDF signing, UriBinding, and XML signatures. It also include helper tools for XSecurityEnvironment.
  • xmlsec: XML, NSS, MSCrypt encryption/ signing tools, more on the low-level side of actual implementation of algorithms.

PDF Testing

To test the signed PDFs, one can use the pdfverify in this way:

./bin/run pdfverify $PWD/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf

The file parameter should be an absolute path.

This is the output of pdfverify for 2good.pdf:

verifying signatures
found 2 signatures
signature #0: digest match? 1
signature #0: partial? 0
signature #1: digest match? 1
signature #1: partial? 0

References