office-gobmx/unotest
Michael Stahl 7d664ec788 xmlsecurity: fix new tests on WNT
Tests added in commit 40d70d427e don't
actually run on WNT, but that wasn't obvious because commit
149df1fec6 prevented running them in
Jenkins on master; they failed only in the libreoffice-7-1 backport.

  xmlsecurity/qa/unit/signing/signing.cxx(631) : error : Assertion
  Test name: testODFDoubleX509Certificate::TestBody
  assertion failed
  - Expression: (nActual == SignatureState::NOTVALIDATED || nActual == SignatureState::OK)
  - 2

This is an oddity where NSS claims the signature in the document is
valid but CryptoAPI claims it is invalid; the hashes passed into the
validation functions are the same.  Just allow BROKEN as an additional
result value on WNT.

  xmlsecurity/qa/unit/signing/signing.cxx(550) : error : Assertion
  Test name: testODFX509CertificateChain::TestBody
  equality assertion failed
  - Expected: 0
  - Actual  : 1

The problem here is that with NSS the tests use a custom NSS database
in test/signing-keys so we need to make these certificates available for
CryptoAPI too.

The following one-liner converts the NSS database to a PKCS#7 that can
be loaded by CryptoAPI:

> openssl crl2pkcs7 -nocrl -certfile <(certutil -d sql:test/signing-keys -L | awk '/^[^ ].*,[^ ]*,/ { printf "%s", $1; for (i = 2; i < NF; i++) { printf " %s", $i; } printf "\n"; }' | while read name; do certutil -L -d sql:test/signing-keys -a -n "${name}" ; done) > test/signing-keys/test.p7b

Then one might naively assume that something like this would allow these
certificates to be added temporarily as trusted CAs:

+                HCERTSTORE hRoot = CertOpenSystemStoreW( 0, L"Root" ) ;
+                HCERTSTORE const hExtra = CertOpenStore(
+                        CERT_STORE_PROV_FILENAME_A,
+                        PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
+                        NULL,
+                        CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG,
+                        path);
+                if (hExtra != NULL && hRoot != NULL)
+                {
+                    BOOL ret = CertAddStoreToCollection(
+                        hRoot,
+                        hExtra,
+                        CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
+                        0);
+                    SAL_DEBUG("XXX hExtra done " << ret);
+                }
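
Review bot: neither store handle opened in this fragment is ever released: hRoot from CertOpenSystemStoreW and hExtra from CertOpenStore both need a matching CertCloseStore, and the BOOL ret from CertAddStoreToCollection is only echoed through `SAL_DEBUG("XXX hExtra done " << ret);` rather than checked, so a FALSE return would be silent outside a debug build. Since the message records that this approach was dropped, the snippet serves as a what-not-to-do; if any of it is retained, check ret, close both handles, and drop the `XXX` debug line before it reaches a commit.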

There is no error from this, but it doesn't work.

Instead, check if CertGetCertificateChain() sets the
CERT_TRUST_IS_UNTRUSTED_ROOT flag and then look up the certificate
manually in the extra PKCS#7 store.

Change-Id: Ic9865e0b5783211c2128ce0327c4583b7784ff62
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123667
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2021-10-18 08:28:25 +02:00
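
The check the message settles on (build the certificate chain, treat CERT_TRUST_IS_UNTRUSTED_ROOT as the only tolerated chain error, then look the root up by hand in the PKCS#7 bundle converted from the NSS database) can be exercised from PowerShell on Windows, which reaches the same CryptoAPI chain engine through .NET's X509Chain. The following is an added example, not code from this commit or from LibreOffice: the function name Test-SignerTrust and both file paths are assumptions, and the mapping of X509ChainStatusFlags.UntrustedRoot onto CERT_TRUST_IS_UNTRUSTED_ROOT is .NET's documented wrapping of the native flag.

```powershell
# Added example (not LibreOffice code): reproduce the "root untrusted by Windows,
# but present in the extra PKCS#7 store" decision via the .NET wrappers around
# CryptoAPI. X509Chain.Build() calls CertGetCertificateChain() underneath, and
# X509ChainStatusFlags.UntrustedRoot corresponds to CERT_TRUST_IS_UNTRUSTED_ROOT.
using namespace System.Security.Cryptography.X509Certificates

function Test-SignerTrust {
    param(
        [Parameter(Mandatory)] [string] $SignerCertPath,   # signer certificate, DER or PEM (assumed path)
        [Parameter(Mandatory)] [string] $ExtraStorePath    # e.g. test/signing-keys/test.p7b (assumed path)
    )

    $signer = [X509Certificate2]::new($SignerCertPath)

    $chain = [X509Chain]::new()
    # Offline test keys publish no CRL/OCSP; do not turn revocation lookups into failures.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Let Build() finish even when the root is missing from the system store, so the
    # status flags can be inspected instead of only getting $false back.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority

    $null = $chain.Build($signer)

    # Collapse the per-element status list into one flag set.
    $flags = [X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

    # Any error other than UntrustedRoot (bad signature, expired, wrong key usage, ...)
    # is a real failure no matter which store the root happens to live in.
    $otherErrors = $flags -band (-bnot [X509ChainStatusFlags]::UntrustedRoot)
    if ($otherErrors -ne [X509ChainStatusFlags]::NoError) {
        return [pscustomobject]@{ Trusted = $false; Reason = "chain error: $otherErrors" }
    }

    if (($flags -band [X509ChainStatusFlags]::UntrustedRoot) -eq [X509ChainStatusFlags]::NoError) {
        return [pscustomobject]@{ Trusted = $true; Reason = 'root trusted by the system store' }
    }

    # Root is untrusted by Windows: look it up manually in the extra PKCS#7 bundle,
    # the same file the C++ side opens with CERT_STORE_PROV_FILENAME_A.
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $extra = [X509Certificate2Collection]::new()
    $extra.Import($ExtraStorePath)
    # Match the whole certificate by thumbprint, not merely the subject name.
    $hit = $extra.Find([X509FindType]::FindByThumbprint, $root.Thumbprint, $false)

    if ($hit.Count -gt 0) {
        return [pscustomobject]@{ Trusted = $true; Reason = "root '$($root.Subject)' found in extra store" }
    }
    return [pscustomobject]@{ Trusted = $false; Reason = "root '$($root.Subject)' in neither system nor extra store" }
}

# Usage (both paths are placeholders):
# Test-SignerTrust -SignerCertPath .\signer.cer -ExtraStorePath .\test\signing-keys\test.p7b
```

The function deliberately masks only UntrustedRoot before deciding: a chain that is broken for any other reason is rejected before the extra store is consulted, so loading the test bundle never widens trust beyond "this exact root certificate is one of ours". Matching by thumbprint rather than subject name is what makes that statement hold.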
IwyuFilter_unotest.yaml
Jar_test-tools.mk
Jar_test.mk
Library_unobootstrapprotector.mk
Library_unoexceptionprotector.mk
Library_unotest.mk
Makefile
Module_unotest.mk
README.md

Tests for UNO

Contains tests for UNO