Summary: | document signing should only make use of signing certificates | ||
---|---|---|---|
Product: | LibreOffice | Reporter: | Alexios Zavras (zvr) <zvr+freedesktop> |
Component: | framework | Assignee: | Not Assigned <libreoffice-bugs> |
Status: | NEEDINFO --- | QA Contact: | |
Severity: | major | ||
Priority: | medium | CC: | qubit |
Version: | 4.2.4.2 release | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
i915 platform: | i915 features: |
Description
Alexios Zavras (zvr)
2014-05-17 10:55:34 UTC
Only certificates with the nonRepudation key usage bit shall be used. Reference: http://tools.ietf.org/html/rfc5280#section-4.2.1.3 TESTING with LO 4.5 (In reply to Alexios Zavras (zvr) from comment #0) > When digitally signing a document, the user is presented with a list of > certificates to choose from. This list should not contain certificates that > have an express purpose of encryption (not signing). Sounds reasonable. Let's test. Repro Steps: - Make a certificate (valid for 2 days for example.com) Okay, gotta dig deep into the system for this one (why can't there just be a flag, openssl? *shakes head*) Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.bk (that'll make cleanup much easier) Now edit the original file. Find the entry for "keyUsage = " under the section "[ v3_req ]" and replace it with: keyUsage = nonRepudiation, digitalSignature, keyEncipherment Get out of /etc and into a test directory for the keys (I used /home/qubit/scratch/libreoffice/bugs/78820/) Generate the key that has signing capabilities: openssl req \ -x509 -nodes -days 2 \ -subj '/C=US/ST=Montana/L=Butte/CN=www.example-SIGN.com' \ -extensions v3_req \ -newkey rsa:2048 -keyout testcert_sign_fdo78820.pem \ -out testcert_sign_fdo78820.pem openssl pkcs12 -export -out testcert_sign_fdo78820.p12 \ -in testcert_sign_fdo78820.pem \ -name "Test Cert w/SIGNING fdo#78820" Generate the key that does NOT have signing capabilities: Edit /etc/ssl/openssl.cnf again and change the key usage line to: keyUsage = nonRepudiation, keyEncipherment Then back to the test directory: openssl req \ -x509 -nodes -days 2 \ -subj '/C=US/ST=Montana/L=Butte/CN=www.example-NOSIGN.com' \ -extensions v3_req \ -newkey rsa:2048 -keyout testcert_nosign_fdo78820.pem \ -out testcert_nosign_fdo78820.pem openssl pkcs12 -export -out testcert_nosign_fdo78820.p12 \ -in testcert_nosign_fdo78820.pem \ -name "Test Cert WITHOUT signing fdo#78820" Finally, restore the initial state of OpenSSL config by copying /etc/ssl/openssl.cnf.bk to /etc/ssl/openssl.cnf You can verify that the right values made it into the cert using something like this: openssl x509 -text -noout -in testcert_nosign_fdo78820.pem|grep -A1 'Key Usage' Some useful tips here as well: http://www.mytidbitz.com/?p=109 Okay, now we need to jam the certs into Firefox. - Use the GUI https://help.libreoffice.org/Common/Applying_Digital_Signatures#Managing_your_Certificates The instructions are a little out of date (bug 87313 is filed :-). I wasn't sure how to "edit the certificate. Enable the root certificate to be trusted at least for web and email access." Alexios: How did you get your certificates working? - I did find a command-line tool (not sure if that's applicable): pk12util -d /home/<username>/.mozilla/firefox/<some randomish-looking-chars>.default/ -i your-cert.p12 (In reply to Robinson Tryon (qubit) from comment #2) > > Alexios: How did you get your certificates working? Status -> NEEDINFO |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.