xmlsec1-noverify.patch (cdf0e10c) | xmlsec1-noverify.patch (a893be29) |
---|---|
1--- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-06-25 22:53:18.000000000 +0200 2+++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-09-23 10:01:07.237316078 +0200 3@@ -567,9 +567,16 @@ 4 CertFreeCertificateContext(nextCert); 5 } 6 7- if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { 8- return(cert); 9- } 10+ /* JL: OpenOffice.org implements its own certificate verification routine. | 1--- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-06-25 22:53:18.000000000 +0200 2+++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-09-23 10:01:07.237316078 +0200 3@@ -567,9 +567,16 @@ 4 CertFreeCertificateContext(nextCert); 5 } 6 7- if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { 8- return(cert); 9- } 10+ /* JL: OpenOffice.org implements its own certificate verification routine. |
11+ The goal is to seperate validation of the signature | 11+ The goal is to separate validation of the signature |
12+ and the certificate. For example, OOo could show that the document signature is valid, 13+ but the certificate could not be verified. If we do not prevent the verification of 14+ the certificate by libxmlsec and the verification fails, then the XML signature will not be 15+ verified. This would happen, for example, if the root certificate is not installed. 16+ */ 17+/* if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */ 18+ if (selected == 1) 19+ return cert; --- 11 unchanged lines hidden (view full) --- 31- (SECCertificateUsage)0, 32- timeboundary , NULL, NULL, NULL); 33- if (status == SECSuccess) { 34- break; 35- } 36+ 37+ /* 38+ JL: OpenOffice.org implements its own certificate verification routine. | 12+ and the certificate. For example, OOo could show that the document signature is valid, 13+ but the certificate could not be verified. If we do not prevent the verification of 14+ the certificate by libxmlsec and the verification fails, then the XML signature will not be 15+ verified. This would happen, for example, if the root certificate is not installed. 16+ */ 17+/* if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */ 18+ if (selected == 1) 19+ return cert; --- 11 unchanged lines hidden (view full) --- 31- (SECCertificateUsage)0, 32- timeboundary , NULL, NULL, NULL); 33- if (status == SECSuccess) { 34- break; 35- } 36+ 37+ /* 38+ JL: OpenOffice.org implements its own certificate verification routine. |
39+ The goal is to seperate validation of the signature | 39+ The goal is to separate validation of the signature |
40+ and the certificate. For example, OOo could show that the document signature is valid, 41+ but the certificate could not be verified. If we do not prevent the verification of 42+ the certificate by libxmlsec and the verification fails, then the XML signature may not be 43+ verified. This would happen, for example, if the root certificate is not installed. 44+ 45+ status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 46+ cert, PR_FALSE, 47+ (SECCertificateUsage)0, --- 12 unchanged lines hidden --- | 40+ and the certificate. For example, OOo could show that the document signature is valid, 41+ but the certificate could not be verified. If we do not prevent the verification of 42+ the certificate by libxmlsec and the verification fails, then the XML signature may not be 43+ verified. This would happen, for example, if the root certificate is not installed. 44+ 45+ status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 46+ cert, PR_FALSE, 47+ (SECCertificateUsage)0, --- 12 unchanged lines hidden --- |
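Review bot: The comment repeated in both hunks explains why libxmlsec's certificate check is switched off, but it never states the resulting contract: a certificate returned by this store has not been chain-verified. In the mscrypto hunk the new `if (selected == 1) return cert;` no longer calls `xmlSecMSCryptoX509StoreConstructCertsChain`. In the NSS hunk the `CERT_VerifyCertificate` call appears to sit inside the comment opened at patch line 37; this is inferred, because the closing `*/` and the rest of both enclosing functions lie in the hidden lines. I would add a sentence to both comments such as `Callers MUST validate the certificate chain themselves; a successful signature check here says nothing about trust in the signer.` The two copies also disagree ("will not be verified" vs "may not be verified") and should use the same wording.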