Bug 78820

Summary: document signing should only make use of signing certificates
Product: LibreOffice
Component: framework
Reporter: Alexios Zavras (zvr) <zvr+freedesktop>
Assignee: Not Assigned <libreoffice-bugs>
Status: NEEDINFO
Severity: major
Priority: medium
CC: qubit
Version: 4.2.4.2 release
Hardware: All
OS: All

Description Alexios Zavras (zvr) 2014-05-17 10:55:34 UTC
When digitally signing a document, the user is presented with a list of certificates to choose from. This list should not contain certificates that have an express purpose of encryption (not signing).

The bug seems to be in the function CertificateChooser::ImplInitialize() in xmlsecurity/source/dialogs/certificatechooser.cxx, which loops and inserts all the available certificates, without checking their purpose.

I apologize for not being familiar enough with the security::XCertificate framework to contribute a fix.

Comment 1 nuno.ponte 2014-09-23 09:18:40 UTC
Only certificates with the nonRepudiation key usage bit shall be used.

Reference: http://tools.ietf.org/html/rfc5280#section-4.2.1.3
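
Added example, not part of the bug thread and not LibreOffice code: a self-contained C++ sketch of the purpose check the report says the chooser lacks, decoding the RFC 5280 keyUsage BIT STRING and keeping only certificates that assert an accepted bit. `Cert`, `parseKeyUsage`, `signingCandidates` and `sampleStore` are hypothetical names, and the DER bytes are constructed to match the two keyUsage lines used in comment 2.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// KeyUsage bits (RFC 5280, 4.2.1.3). Bit 0 is the most significant bit of the
// first content octet of the DER BIT STRING, so it maps to 0x8000 here.
enum KeyUsage : uint16_t {
    digitalSignature = 0x8000, nonRepudiation = 0x4000, keyEncipherment = 0x2000,
    dataEncipherment = 0x1000, keyAgreement = 0x0800, keyCertSign = 0x0400,
    cRLSign = 0x0200, encipherOnly = 0x0100, decipherOnly = 0x0080
};

// Decode 03 <len> <unused-bit count> <1 or 2 octets>; false means malformed.
bool parseKeyUsage(const std::vector<uint8_t>& der, uint16_t& bits) {
    if (der.size() < 4 || der.size() > 5 || der[0] != 0x03) return false;
    if (der[1] + 2u != der.size() || der[2] > 7) return false;
    uint16_t value = static_cast<uint16_t>(der[3] << 8);
    if (der.size() == 5) value |= der[4];
    uint16_t unused = static_cast<uint16_t>((1u << der[2]) - 1);
    if (der.size() == 4) unused = static_cast<uint16_t>(unused << 8);
    if (value & unused) return false;  // DER: unused trailing bits must be zero
    bits = value;
    return true;
}

struct Cert {                          // hypothetical stand-in for a store entry
    std::string subject;
    bool hasKeyUsage;                  // false: certificate has no keyUsage extension
    std::vector<uint8_t> keyUsageDer;
};

// Subjects to offer in a signing dialog: certificates asserting at least one
// bit of `accepted`. Assumption: a certificate without the extension is kept.
std::vector<std::string> signingCandidates(const std::vector<Cert>& store, uint16_t accepted) {
    std::vector<std::string> out;
    for (const Cert& c : store) {
        uint16_t ku = 0;
        if (!c.hasKeyUsage || (parseKeyUsage(c.keyUsageDer, ku) && (ku & accepted)))
            out.push_back(c.subject);
    }
    return out;
}

std::vector<Cert> sampleStore() {      // constructed sample data
    return {{"www.example-SIGN.com",   true,  {0x03, 0x02, 0x05, 0xE0}},
            {"www.example-NOSIGN.com", true,  {0x03, 0x02, 0x05, 0x60}},
            {"encrypt-only.example",   true,  {0x03, 0x02, 0x05, 0x20}},
            {"no-keyusage.example",    false, {}}};
}
```

Passing `digitalSignature` as `accepted` drops the NOSIGN and encrypt-only entries, while passing `nonRepudiation` keeps both test certificates from comment 2, so the choice of accepted bits decides what the dialog shows.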

Comment 2 Robinson Tryon (qubit) 2014-12-15 03:34:50 UTC
TESTING with LO 4.5

(In reply to Alexios Zavras (zvr) from comment #0)
> When digitally signing a document, the user is presented with a list of
> certificates to choose from. This list should not contain certificates that
> have an express purpose of encryption (not signing).

Sounds reasonable. Let's test.

Repro Steps:
- Make a certificate (valid for 2 days for example.com)

Okay, gotta dig deep into the system for this one (why can't there just be a flag, openssl? *shakes head*)

Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.bk (that'll make cleanup much easier)

Now edit the original file. Find the entry for "keyUsage = " under the section "[ v3_req ]" and replace it with:
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Get out of /etc and into a test directory for the keys (I used /home/qubit/scratch/libreoffice/bugs/78820/)

Generate the key that has signing capabilities:

openssl req \
  -x509 -nodes -days 2 \
  -subj '/C=US/ST=Montana/L=Butte/CN=www.example-SIGN.com' \
  -extensions v3_req \
  -newkey rsa:2048 -keyout testcert_sign_fdo78820.pem \
  -out testcert_sign_fdo78820.pem

openssl pkcs12 -export -out testcert_sign_fdo78820.p12 \
  -in testcert_sign_fdo78820.pem \
  -name "Test Cert w/SIGNING fdo#78820"

Generate the key that does NOT have signing capabilities:

Edit /etc/ssl/openssl.cnf again and change the key usage line to:
  keyUsage = nonRepudiation, keyEncipherment

Then back to the test directory:
openssl req \
  -x509 -nodes -days 2 \
  -subj '/C=US/ST=Montana/L=Butte/CN=www.example-NOSIGN.com' \
  -extensions v3_req \
  -newkey rsa:2048 -keyout testcert_nosign_fdo78820.pem \
  -out testcert_nosign_fdo78820.pem

openssl pkcs12 -export -out testcert_nosign_fdo78820.p12 \
  -in testcert_nosign_fdo78820.pem \
  -name "Test Cert WITHOUT signing fdo#78820"

Finally, restore the initial state of OpenSSL config by copying /etc/ssl/openssl.cnf.bk to /etc/ssl/openssl.cnf

You can verify that the right values made it into the cert using something like this:
  openssl x509 -text -noout -in testcert_nosign_fdo78820.pem|grep -A1 'Key Usage'

Some useful tips here as well:
http://www.mytidbitz.com/?p=109

Okay, now we need to jam the certs into Firefox.

- Use the GUI
https://help.libreoffice.org/Common/Applying_Digital_Signatures#Managing_your_Certificates

The instructions are a little out of date (bug 87313 is filed :-).

I wasn't sure how to "edit the certificate. Enable the root certificate to be trusted at least for web and email access."

Alexios: How did you get your certificates working?

- I did find a command-line tool (not sure if that's applicable):

  pk12util -d /home/<username>/.mozilla/firefox/<some randomish-looking-chars>.default/ -i your-cert.p12

Comment 3 Robinson Tryon (qubit) 2014-12-29 05:36:08 UTC
(In reply to Robinson Tryon (qubit) from comment #2)
> 
> Alexios: How did you get your certificates working?

Status -> NEEDINFO
