AOO410/main/libxmlsec/xmlsec1-noverify.patch - openoffice - Git at Google

 --- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c	2009-06-25 22:53:18.000000000 +0200
 +++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c	2009-09-23 10:01:07.237316078 +0200
 @@ -567,9 +567,16 @@
              CertFreeCertificateContext(nextCert);
          }

 -        if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
 -            return(cert);
 -        }
 +        /* JL: OpenOffice.org implements its own certificate verification routine.
 +           The goal is to seperate validation of the signature
 +           and the certificate. For example, OOo could show that the document signature is valid,
 +           but the certificate could not be verified. If we do not prevent the verification of
 +           the certificate by libxmlsec and the verification fails, then the XML signature will not be
 +           verified. This would happen, for example, if the root certificate is not installed.
 +         */
 +/*      if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
 +        if (selected == 1)
 +            return cert;
      }

      return (NULL);
 --- misc/xmlsec1-1.2.14/src/nss/x509vfy.c	2009-09-23 10:06:52.989793254 +0200
 +++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c	2009-09-23 10:05:03.183042205 +0200
 @@ -191,13 +191,27 @@
  	    continue;
  	}

 -	status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
 -					cert, PR_FALSE,
 -					(SECCertificateUsage)0,
 -                			timeboundary , NULL, NULL, NULL);
 -	if (status == SECSuccess) {
 -	    break;
 -	}
 +
 +	/*
 +      JL: OpenOffice.org implements its own certificate verification routine.
 +      The goal is to seperate validation of the signature
 +      and the certificate. For example, OOo could show that the document signature is valid,
 +      but the certificate could not be verified. If we do not prevent the verification of
 +      the certificate by libxmlsec and the verification fails, then the XML signature may not be
 +      verified. This would happen, for example, if the root certificate is not installed.
 +
 +      status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
 +          cert, PR_FALSE,
 +          (SECCertificateUsage)0,
 +          timeboundary , NULL, NULL, NULL);
 +      if (status == SECSuccess) {
 +         break;
 +      }
 +
 +    */
 +	status = SECSuccess;
 +	break;
 +
      }

      if (status == SECSuccess) {
	--- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-06-25 22:53:18.000000000 +0200
	+++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-09-23 10:01:07.237316078 +0200
	@@ -567,9 +567,16 @@
	CertFreeCertificateContext(nextCert);
	}

	- if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
	- return(cert);
	- }
	+ /* JL: OpenOffice.org implements its own certificate verification routine.
	+ The goal is to seperate validation of the signature
	+ and the certificate. For example, OOo could show that the document signature is valid,
	+ but the certificate could not be verified. If we do not prevent the verification of
	+ the certificate by libxmlsec and the verification fails, then the XML signature will not be
	+ verified. This would happen, for example, if the root certificate is not installed.
	+ */
	+/* if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
	+ if (selected == 1)
	+ return cert;
	}

	return (NULL);
	--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:06:52.989793254 +0200
	+++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:05:03.183042205 +0200
	@@ -191,13 +191,27 @@
	continue;
	}

	- status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
	- cert, PR_FALSE,
	- (SECCertificateUsage)0,
	- timeboundary , NULL, NULL, NULL);
	- if (status == SECSuccess) {
	- break;
	- }
	+
	+ /*
	+ JL: OpenOffice.org implements its own certificate verification routine.
	+ The goal is to seperate validation of the signature
	+ and the certificate. For example, OOo could show that the document signature is valid,
	+ but the certificate could not be verified. If we do not prevent the verification of
	+ the certificate by libxmlsec and the verification fails, then the XML signature may not be
	+ verified. This would happen, for example, if the root certificate is not installed.
	+
	+ status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
	+ cert, PR_FALSE,
	+ (SECCertificateUsage)0,
	+ timeboundary , NULL, NULL, NULL);
	+ if (status == SECSuccess) {
	+ break;
	+ }
	+
	+ */
	+ status = SECSuccess;
	+ break;
	+
	}

	if (status == SECSuccess) {