Bug 116937 - Provide per-user certificate store
Summary: Provide per-user certificate store
Status: RESOLVED INSUFFICIENTDATA
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 6.0.3.1 rc
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium enhancement
Assignee: Not Assigned
Blocks: Digital-Signatures
Reported: 2018-04-11 10:53 UTC by mycae
Modified: 2019-01-11 15:26 UTC

Description mycae 2018-04-11 10:53:52 UTC
Description:
Currently, there is no clear way to provide a self-signed p12 file, with x509 certificate in libreoffice. 

The use case here is to be able to perform round-trip confirmation of documents. I wish to emit documents, and then in the case that the need arises (query over whether the document is genuine), I can manually verify a document that has been returned to me.

Network-based man-in-the-middle is not a concern, as this will be performed using USB keys to transfer files, and only to provide negative verification (document is not valid), rather than positive.

It should be possible for me to install, on whichever machines are needed, without the use of third-party software, a certificate in libreoffice that can be used to sign outgoing ODT/PDF documents. 

Currently my (non-working) workflow is to:
* Create a pem file pair.
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

* Rebind these back into a p12 file (to work around a bug in firefox/thunderbird)
https://security.stackexchange.com/questions/163199/firefox-certificate-can-t-be-installed

* Install this as a personal certificate

* ??

* Have the certificate appear in libreoffice's certificate selection.

The current method of needing to use third party software to manage which certificates are available is understandable from a central-certificate point of view, but not so from a user perspective.

If there is some way to allow the user to either manually provide a pem/p12 file from the filesystem, OR to have an import system within libreoffice to manage certificates only for libreoffice, that would be great.

PDF might be a bit tricky, as if the store is specific to libreoffice, then PDF viewers will not respect this.



Steps to Reproduce:
1. Attempt to digitally sign a document
2. See that you don't have any certificates available
3. Run internet searches to find a way to make it available
4. Give up after an hour or so.

Actual Results:  
Document cannot be signed, as no certificates are available

Expected Results:
1. Attempt to digitally sign a document
2. Be prompted for your signature file, or allowed to import it
3. Sign document


Reproducible: Always


User Profile Reset: No



Additional Info:
I've managed to import gpg files, but this cannot be used to sign a PDF. Selecting "sign" using a GPG RSA key pair allows you to select the GPG key for signing, but simply dumps you back to the PDF dialog with no actual signing or certificate details being provided (It seems to error out with no user feedback).


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0
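
The first two steps of the workflow in the description (PEM pair, then PKCS#12 bundle), as an added example that is not part of the original report; the subject name, passphrase and file names are constructed. It also records the certificate's SHA-256 fingerprint and checks that the bundle carries that same certificate, since with a self-signed certificate a later check of a returned document rests on comparing against that recorded value.

```shell
#!/bin/sh
# Added example. Subject name, passphrase and file names are constructed.
set -eu

# Steps 1 and 2 of the workflow: PEM pair, then a PKCS#12 bundle.
# $1 = output directory, $2 = subject CN, $3 = PKCS#12 passphrase
# Note: "pass:" puts the passphrase on the command line, visible in the
# process list; outside a demo use openssl's "file:" or "env:" sources.
make_signing_bundle() (
    umask 077    # key material readable by the owner only
    openssl req -x509 -newkey rsa:3072 -sha256 -days 365 -nodes \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -name "$2" \
        -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout "pass:$3" -out "$1/signer.p12"
)

# SHA-256 fingerprint of a PEM certificate read from stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate inside a PKCS#12 file.
# $1 = .p12 file, $2 = passphrase
bundle_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        cert_fingerprint
}

work=$(mktemp -d)
make_signing_bundle "$work" "Example Document Signer" "constructed-passphrase"
pinned=$(cert_fingerprint < "$work/cert.pem")
if [ "$pinned" = "$(bundle_fingerprint "$work/signer.p12" "constructed-passphrase")" ]; then
    echo "signer.p12 carries certificate $pinned"
else
    echo "bundle does not match cert.pem" >&2
fi
rm -rf "$work"
```
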
Comment 1 Xisco Faulí 2018-06-04 09:45:07 UTC
@Thorsten, do you have any opinion wrt this ticket?
Comment 2 Thorsten Behrens (allotropia) 2018-06-05 22:35:48 UTC
That should be doable on linux now out of the box, with gpg4libre / GPG keys. With Debian/Ubuntu, you'll very likely have everything you need for that installed already on a stock system.

As you state, that does not currently work for PDF. It is possible (though not implemented) to store X509 keys also in the gpg keystore.

Would that address your use case? Beyond that, duplicating elsewhere-available crypto UI inside LibreOffice appears neither useful nor sustainable to me.
Comment 4 QA Administrators 2019-01-11 15:26:50 UTC
Dear Bug Submitter,

Please read this message in its entirety before proceeding.

Your bug report is being closed as INSUFFICIENTDATA due to inactivity and
a lack of information which is needed in order to accurately
reproduce and confirm the problem. We encourage you to retest
your bug against the latest release. If the issue is still
present in the latest stable release, we need the following
information (please ignore any that you've already provided):

a) Provide details of your system including your operating
   system and the latest version of LibreOffice that you have
   confirmed the bug to be present

b) Provide easy to reproduce steps – the simpler the better

c) Provide any test case(s) which will help us confirm the problem

d) Provide screenshots of the problem if you think it might help

e) Read all comments and provide any requested information

Once all of this is done, please set the bug back to UNCONFIRMED
and we will attempt to reproduce the issue. Please do not:

a) respond via email 

b) update the version field in the bug or any of the other details
   on the top section of our bug tracker

Warm Regards,
QA Team

MassPing-NeedInfo-20190111