xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx |    1 +
 1 file changed, 1 insertion(+)

New commits:
commit 723ecfa63f5218b2f06f0a807b56869b80a19fe2
Author:     Miklos Vajna <vmik...@collabora.com>
AuthorDate: Tue Jan 28 16:38:10 2025 +0100
Commit:     Xisco Fauli <xiscofa...@libreoffice.org>
CommitDate: Mon Feb 3 15:03:13 2025 +0100

    tdf#161872 xmlsecurity nss: don't require trusted signing certs
    
    Configure your signing cert in Firefox, (unusually) don't trust the CA
    that you would use to issue your signing cert, try to sign a document,
    error.
    
    This is reportedly wrong since commit
    bfd479abf0d1d8ce36c3b0dcc6c824216f88a95b (Update libxmlsec to 1.3.1,
    2023-06-09), for some reason our usage of libxmlsec-1.2 didn't trigger
    this problem.
    
    Given that we already disable libxmlsec-side cert verify while
    verifying a signature (and have our own logic there), it's consistent to
    do the same while creating the signature, and that fixes the bug, too.
    
    The Windows / MSCNG backend is not yet changed here.
    
    Change-Id: I8a7adf06b9a26731f1a180a4f6257317084e414a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/180844
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmik...@collabora.com>
    (cherry picked from commit 1817760f56b74e47120c1b4d7641fbaebcf378ad)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/180885
    Reviewed-by: Moritz Duge <moritz.d...@allotropia.de>
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>

diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx 
b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
index ce61942dda27..feb31594f5d4 100644
--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
@@ -150,6 +150,7 @@ SAL_CALL XMLSignature_NssImpl::generate(
     }
 
     //Sign the template
+    pDsigCtx->keyInfoReadCtx.flags |= 
XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
     if( xmlSecDSigCtxSign( pDsigCtx.get() , pNode ) == 0 )
     {
         if (pDsigCtx->status == xmlSecDSigStatusSucceeded)
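Review bot: The added line ahead of xmlSecDSigCtxSign() sets XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS under the existing "//Sign the template" comment with no explanation of its own, so a later reader of generate() sees libxmlsec-side certificate verification switched off on the signing path with nothing to say it is deliberate. Suggest a short comment above the line stating that this matches what is already done when verifying a signature, and referencing tdf#161872. The diffstat shows a single insertion in one file, so no test accompanies the change; a regression test that signs with a certificate whose issuing CA is not trusted would guard this against the next libxmlsec update. The commit message notes the MSCNG backend is not yet changed, so a follow-up reference would help track the difference in behaviour between the two backends.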
