You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@openoffice.apache.org by bu...@apache.org on 2014/04/17 15:13:54 UTC
[Issue 124701] New: signing of documents/macros are broken on non
windows platforms
https://issues.apache.org/ooo/show_bug.cgi?id=124701
Issue ID: 124701
Issue Type: DEFECT
Summary: signing of documents/macros are broken on non windows
platforms
Product: General
Version: 4.1.0-dev
Hardware: All
OS: All
Status: CONFIRMED
Severity: normal
Priority: P3
Component: code
Assignee: issues@openoffice.apache.org
Reporter: jsc@apache.org
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
Kay <ks...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kschenk@apache.org
--- Comment #12 from Kay <ks...@apache.org> ---
Are we using rev. AOO410m17(Build:9763) - Rev. 1586357
RC3 to test?
No joy for me yet with putting the Linux env variable in quotes or not. Still
can not find my cert.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
jsc@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #83214|0 |1
is obsolete| |
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
hdu@apache.org <hd...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hdu@apache.org
--- Comment #8 from hdu@apache.org <hd...@apache.org> ---
Setting the environment variable MOZILLA_CERTIFICATE_FOLDER to the currently
active Mozilla/Thunderbird/Firefox/etc. profile works around the problem.
E.g. on Linux setting the environment variable could look like
MOZILLA_CERTIFICATE_FOLDER=sql:/home/xxx/.mozilla/firefox/23d7j.default
and on Mac it could look like
MOZILLA_CERTIFICATE_FOLDER="sql:/Users/xxx/Library/Application
Support/Firefox/Profiles/23d7j.default"
Note the "sql:" before the directory name to indicate that the stores are in
database file formats.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
Andrea Pescetti <pe...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pescetti@apache.org
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #13 from Ariel Constenla-Haile <ar...@apache.org> ---
(In reply to hdu@apache.org from comment #9)
> From a code perspective a better fix could/should be in the
> getMozillaCurrentProfile()
> function in
> main/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
>
> If there is only one relevant profile from in the user's
> Thunderbird/Mozilla/Firefox/Iceweasel/Icedove/etc. home or application
> support directory then choosing that directory automatically would be the
> right thing to do. Of course the directory name would have to be prepended
> by "sql:" too.
IMO it would be better to bring mozbootstrap back (see attachment 83226) that
already has some logic to discover profiles; by the way, it is a UNO component
that implements publilshed API (with the mozilla removal the css.mozilla module
should have been marked as @deprecated and then be removed in the next major
version).
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #7 from jsc@apache.org ---
added 2 test document, one signed document and one signed macro. And a file
containing 2 self-signed test certificates usable for more detailed testing.
For signing you have to import the pk12 file in your Firefox/Mozilla cert
store. For verification or making the cert visible importing the cer file is
enough. On Windows in your cert management console. For validation copy it as
trusted root authority. Be careful and make this only of you know what are you
doing.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #3 from jsc@apache.org ---
Created attachment 83214
--> https://issues.apache.org/ooo/attachment.cgi?id=83214&action=edit
signed macro
simple sample document, containing a signed macro. Signed with a self-signed
root certificate
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
jsc@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #83213|0 |1
is obsolete| |
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #21 from Kay <ks...@apache.org> ---
sorry -- one slight change to my posting yesterday
correct variable definition should be:
export MOZILLA_CERTIFICATE_FOLDER=sql:$HOME/.pki/nssdb
instead of:
export MOZILLA_CERTIFICATE_FOLDER='sql:$HOME/.pki/nssdb'
no single quotes
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #6 from jsc@apache.org ---
Created attachment 83218
--> https://issues.apache.org/ooo/attachment.cgi?id=83218&action=edit
2 self-signed test certificates
2 self-signed test certificates
OpenOffice QA 1 pw: openofficeqa1
OpenOffice QA 2 pw: openofficeqa2
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #11 from Ariel Constenla-Haile <ar...@apache.org> ---
Created attachment 83226
--> https://issues.apache.org/ooo/attachment.cgi?id=83226&action=edit
Patch to bring back mozbootstrap in its minimal profile discovery version
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
jsc@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #17 from jsc@apache.org ---
patch for bringing moz bootstrap reviewed and integrated. We have now the same
behaviour as before, still not optimal because the dependency to mozilla
certificate stores.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #23 from Kay <ks...@apache.org> ---
Changes have now been made to:
https://wiki.openoffice.org/wiki/How_to_use_digital_Signatures
https://wiki.openoffice.org/wiki/Certificate_Detection
but, needs help with Macintosh areas. (will post to dev)
Also, inline help needs to be changed at some as well to reference these wiki
pages due to additional changes that may take place.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #1 from jsc@apache.org ---
we currently have an issue with digital signing on non Windows
platforms. The whole problem was introduced with the drop of some very
old Mozilla stuff that made always problems.
Feature description (simplified)
Digital signing of document and/or macros is a feature to increase the
integrity in a workflow where documents are exchanged and to build a
trusted environment.
1. document signatures
With a valid certificate it is possible to sign a document after it is
saved. It is comparable with a seal. Other users loading this document
will see a signature icon in the status bar that shows that this
document is signed. Double click on this icon opens a dialog where the
user can view the certificate. Two status are possible, the first one is
that the certificate can be validated and is marked as trusted. The
second (identified with the same icon + a yellow triangle warning sign)
is where the certificate can't be validated automatically.
2. macro signatures
Similar to documents the user can sign macros in the same way. When a
user load a document with signed macros a dialog is opened to enable
macros or not. In this dialog the user get also information that the
macro is signed and is able to view the certificate. It is also possible
to trust this certificate always and the next time the macro is accepted
automatically.
Problem
This functionality was tightly coupled to Mozilla and made use of the
Mozilla certificate store. At least on Linux and MacOS where as on
Windows system certificate store was used directly.
Current situation is that it still works on Windows but is partly broken
on Linux and MacOS. Signing of new document or macros is not possible at
all because no certificate store is available or better accessible.
Signed documents can be loaded but the cert can't be validated. Signed
macros can be loaded/enabled and executed. It is also possible to add an
exception to trust this cert always to prevent the macro dialog in the
future.
General
This feature heavily depends on the Mozilla certificate store which
seems to be not optimal. For example on Mac the user would have to
install Mozilla to make use of this feature. Standard browser for most
users is Safari.
A further observation is why I can't accept a cert for document
signatures but for macro signatures. For example if I know where it
comes from and know that it is a self signed cert why I can't trust this
cert.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #10 from Ariel Constenla-Haile <ar...@apache.org> ---
Signing documents has an erratic behaviour, with the same certifcate sometimes
it wors, but sometimes not, a non-pro build shows:
Error: libxml2 error:
func=xmlSecIORegisterCallbacks:file=io.c:line=239:obj=unknown:subj=xmlSecPtrListAdd:error=1:xmlsec
library function failed: ;last nss error=0 (0x00000000)
From File
/build/aoo/src/playground/trunk/main/unoxml/source/xpath/xpathapi.cxx at Line
312
4.0 does not display this erratic behaviour.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
jsc@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |regression
Target Milestone|--- |4.1.0
Flags| |4.1.0_release_blocker+
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #19 from Metztli <jo...@metztli-it.com> ---
Created attachment 83266
--> https://issues.apache.org/ooo/attachment.cgi?id=83266&action=edit
ApacheOO 4.1.0 RC3 sample .odt document digitally signed with valid certificate
Don't rock the boat...
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #16 from SVN Robot <sv...@dev.null.org> ---
"jsc" committed SVN revision 1589052 into branches/AOO410:
#124701# merge from trunk, bring moz bootstrap back to find profiles
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
Metztli <jo...@metztli-it.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jose.r.r@metztli-it.com
--- Comment #18 from Metztli <jo...@metztli-it.com> ---
Niltze!
I don't understand why people insist on the sql prefix and/or quotes, "Apache
OpenOffice Wiki: Certificate Detection" clearly explains that below statement
is what should be, either typed before executing ApacheOO from the shell, or
inserted in a file such as .bashrc at a user's home:
export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/<your_user_profile>
Attaching digitally signed ODT with a 'valid' certificate created under
ApacheOO 4.1.0 RC3: apacheOO-4.1.0_RC3_valid-crt.odt
-Jose
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #15 from SVN Robot <sv...@dev.null.org> ---
"jsc" committed SVN revision 1589050 into trunk:
#124701# bring back moz bootstrap to find profile
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
4.1.0_release_blocker granted: [Issue 124701] signing of
documents/macros are broken on non windows platforms
Posted by bu...@apache.org.
jsc@apache.org has granted 4.1.0_release_blocker:
Issue 124701: signing of documents/macros are broken on non windows platforms
https://issues.apache.org/ooo/show_bug.cgi?id=124701
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #2 from jsc@apache.org ---
Created attachment 83213
--> https://issues.apache.org/ooo/attachment.cgi?id=83213&action=edit
signed document
simple sample document, signed with self-signed root certificate
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #5 from jsc@apache.org ---
Created attachment 83217
--> https://issues.apache.org/ooo/attachment.cgi?id=83217&action=edit
signed macro with a test certificate
simple sample document, containing a macro. Signed with self-signed root
certificate "OpenOffice Qa1", see test-cert.zip
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #20 from Kay <ks...@apache.org> ---
Hello again -- New info and SUCCESS! from me.
It seems, at least according to this article from archlinux wiki --
https://wiki.archlinux.org/index.php/Network_Security_Services
that for Linux, Mozilla/nss cert info is now located in $HOME/.pki/nssdb, which
is true in my case with opensuse as well.
So, including the following in a .bashrc file (or whatever the typical
"profile" settings file is for your distro)--
export MOZILLA_CERTIFICATE_FOLDER='sql:$HOME/.pki/nssdb'
should work for all Linux users. It did for me. And yes, the 'sql' prefix is
needed.
When I removed this, I was back to AOO not finding my certificate.
I will be happy to add this tidbit to the Release Notes and/or wiki information
on the subject.
HTH!
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #9 from hdu@apache.org <hd...@apache.org> ---
>From a code perspective a better fix could/should be in the
getMozillaCurrentProfile()
function in
main/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
If there is only one relevant profile from in the user's
Thunderbird/Mozilla/Firefox/Iceweasel/Icedove/etc. home or application support
directory then choosing that directory automatically would be the right thing
to do. Of course the directory name would have to be prepended by "sql:" too.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #4 from jsc@apache.org ---
Created attachment 83216
--> https://issues.apache.org/ooo/attachment.cgi?id=83216&action=edit
signed doc with test cert
simple sample document, signed with a self-signed root certificate "OpenOffice
QA 1", see test-cert.zip
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #14 from Kay <ks...@apache.org> ---
OK, here's some more detailed information on what I've done.
1) obtained a 25 day trial certificate from Symantec (in truth it isn't
behaving all that well, but it is showing up in my Firefox and Thunderbird cert
stores)
2) Added --
export MOZILLA_CERTIFICATE_FOLDER='sql:<my home directory
path>/.mozilla/firefox/t207ahin.default'
to
.bashrc
.profile
.xinitrc
I used the single quote because this is what I saw in another file that uses
certs on my system
(I have had problems in the past with adding items to my .bashrc and my X
session doesn't pick them up so that's why I put it in there as well.)
Still no acknowledgment by OpenOffice that this certificate even exists.
I'm on openSUSE 12.3 w/ KDE 4.10
Before I got back into this today, I did some "googling" of this issue, and, it
seems it been around and a problem *for a while* -- as early as 2008 for Linux
folks along with various suggestions on what to do about it.
Then I came across this bit from LO's BZ --
https://bugs.freedesktop.org/show_bug.cgi?id=66158
in which the UI now allows for explictly setting the cert path. I have NO idea
how quick or easy this would be. I would have included it in the Paths options
myself, but, a matter for discussion.
Meanwhile, I have contacted Symantec about problems with the certificate
itself. Maybe this is causing the hang-up though Thunderbird lets me use it in
it's flawed state.
I'm sorry I don't have better news.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
[Issue 124701] signing of documents/macros are broken on non windows
platforms
Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=124701
--- Comment #22 from hdu@apache.org <hd...@apache.org> ---
(In reply to Kay from comment #20)
> It seems, at least according to this article from archlinux wiki --
> https://wiki.archlinux.org/index.php/Network_Security_Services
>
> that for Linux, Mozilla/nss cert info is now located in $HOME/.pki/nssdb,
> which is true in my case with opensuse as well.
Thanks for identifying the problem on these platforms!
> So, including the following in a .bashrc file (or whatever the typical
> "profile" settings file is for your distro)--
>
> export MOZILLA_CERTIFICATE_FOLDER='sql:$HOME/.pki/nssdb'
>
> should work for all Linux users. It did for me. And yes, the 'sql' prefix is
> needed.
It doesn't work for ALL Linux users yet (e.g. some RHEL, Debian, SuSE versions)
but according to [1] all Linux platforms will eventually converge to this.
[1] https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX
> I will be happy to add this tidbit to the Release Notes and/or wiki
> information on the subject.
Great! Please do so.
--
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.