Bug 129311 - Don't ask to add a trusted macro signature, if trusted macro signatures are read-only
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC
Version (earliest affected): Inherited From OOo
Hardware: All
OS: All
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard: target:6.5.0 target:6.4.0.2
Keywords:
Depends on:
Blocks: Digital-Signatures Macro 119507
Reported: 2019-12-10 16:46 UTC by Jan-Marek Glogowski
Modified: 2019-12-19 18:56 UTC

See Also:
Crash report or crash signature:


Attachments
Macro locking extension with LO unit test cert (2.47 KB, application/zip)
2019-12-10 17:23 UTC, Jan-Marek Glogowski
Macro "trusted cert" list only locking extension with LO unit test cert (2.48 KB, application/zip)
2019-12-11 12:03 UTC, Jan-Marek Glogowski

Description Jan-Marek Glogowski 2019-12-10 16:46:57 UTC
Description:
An admin can lock the list of trusted authors / signatures by finalizing that configuration attribute like:

    <node oor:name="Security">
        <node oor:name="Scripting">
            <node oor:name="TrustedAuthors" oor:finalized="true">
                <node oor:name="a0" oor:op="replace">
                    <prop oor:name="RawData" oor:op="fuse"><value>[base64 encoded DER x509 cert]</value></prop>
                    <prop oor:name="SubjectName" oor:op="fuse"><value>test key - only signing &lt;libreoffice@lists.freedesktop.org&gt;</value></prop>
                    <prop oor:name="SerialNumber" oor:op="fuse"><value></value></prop>
                </node>
            </node>
            <prop oor:name="MacroSecurityLevel" oor:finalized="true"><value>2</value></prop>
        </node>
    </node>

This disables the modification of that list in the macro security dialog (Tools -> Options -> LibreOffice -> Security -> Macro security) and forces *High* macro security.

Still, at the macro security level *High*, the user is asked, when opening a document with an unknown signature, if the signature should be added to the list of trusted signatures. But since the signature list is locked, nothing will actually be added. The result is some kind of "temporarily trusted" certificate, until LO is restarted.

This seems at least inconsistent. From my POV it's a bug and not a feature, because an admin already locked the list of trusted signatures. Possibly that dialog would want a checkbox with a different text to explicitly allow a temporarily trusted signature, with an additional option to explicitly enable that feature, if someone really wants this in general.

Steps to Reproduce:
1. Install the attached sample config extension
2. Check that the Macro security settings are at level *High* (with a lock) and that the LO trusted signatures contain the LO unit test signature and aren't editable (the lock icon needs a fix here)
3. Open the attached document

Actual Results:
The user is asked to add the unknown signature to the trusted signature list.

Expected Results:
The document is opened without enabled macros. Possibly LO even displays some message box informing the user about the untrusted signature and the therefore disabled macros.


Reproducible: Always


User Profile Reset: No



Additional Info:
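An admin who deploys the lock above usually wants to confirm that the deployed xcu really finalizes both settings before trusting it. The following is an added example, not code from the bug report or from LibreOffice: it parses an xcu snippet with the standard library, checks that `oor:finalized="true"` is set on the `TrustedAuthors` set and on `MacroSecurityLevel`, that the level is High or above, and that every `RawData` value is base64 of a DER `SEQUENCE` (the outer tag of an X.509 certificate). The `oor:component-data` wrapper, the `Common` component name and the stand-in certificate bytes in the samples are constructed for this example.

```python
"""Audit an xcu configuration for a locked macro-signature trust list.

Added example, not code from the bug report or from LibreOffice. It checks
the two attributes the report relies on, oor:finalized="true" on the
TrustedAuthors set and on MacroSecurityLevel, and that every RawData value
is base64 of a DER SEQUENCE. The component-data wrapper and the certificate
bytes in the samples are constructed for this example.
"""
import base64
import xml.etree.ElementTree as ET

OOR = "http://openoffice.org/2001/registry"  # the oor: namespace used by .xcu files


def _attr(el, name):
    """Return an oor:-prefixed attribute (oor:name, oor:finalized, ...)."""
    return el.get(f"{{{OOR}}}{name}")


def _child(parent, tag, name):
    """Find the <tag oor:name="name"> child; node/prop elements carry no prefix."""
    for el in parent.findall(tag):
        if _attr(el, "name") == name:
            return el
    return None


def audit_macro_lock(xcu_text: str) -> list[str]:
    """Return a list of findings; an empty list means the lock is complete."""
    root = ET.fromstring(xcu_text)
    findings = []
    security = _child(root, "node", "Security")
    scripting = _child(security, "node", "Scripting") if security is not None else None
    if scripting is None:
        return ["Security/Scripting node missing: nothing is locked"]

    authors = _child(scripting, "node", "TrustedAuthors")
    if authors is None:
        findings.append("TrustedAuthors missing: users may add trusted signatures")
    else:
        if _attr(authors, "finalized") != "true":
            findings.append("TrustedAuthors not finalized: users can extend the list")
        for entry in authors.findall("node"):
            raw = _child(entry, "prop", "RawData")
            b64 = raw.findtext("value", "").strip() if raw is not None else ""
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError:
                der = b""
            # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
            if not der or der[0] != 0x30:
                findings.append(f"{_attr(entry, 'name')}: RawData is not base64 DER")

    level = _child(scripting, "prop", "MacroSecurityLevel")
    if level is None or _attr(level, "finalized") != "true":
        findings.append("MacroSecurityLevel not finalized: users can lower it")
    # 2 = High (as in the report), 3 = Very high; Medium prompts and Low runs silently.
    if level is not None and level.findtext("value", "").strip() not in ("2", "3"):
        findings.append("MacroSecurityLevel below High")
    return findings


# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 1 }.
_FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def _xcu(finalize_authors: str, finalize_level: str) -> str:
    """Build a sample xcu; the wrapper element and component name are assumptions."""
    return f"""<oor:component-data xmlns:oor="{OOR}" oor:name="Common" oor:package="org.openoffice.Office">
  <node oor:name="Security">
    <node oor:name="Scripting">
      <node oor:name="TrustedAuthors" {finalize_authors}>
        <node oor:name="a0" oor:op="replace">
          <prop oor:name="RawData" oor:op="fuse"><value>{_FAKE_CERT_B64}</value></prop>
          <prop oor:name="SubjectName" oor:op="fuse"><value>test key - only signing</value></prop>
          <prop oor:name="SerialNumber" oor:op="fuse"><value></value></prop>
        </node>
      </node>
      <prop oor:name="MacroSecurityLevel" {finalize_level}><value>2</value></prop>
    </node>
  </node>
</oor:component-data>
"""


LOCKED_XCU = _xcu('oor:finalized="true"', 'oor:finalized="true"')
UNLOCKED_XCU = _xcu("", "")  # same entries, but the user can still edit both settings

if __name__ == "__main__":
    print("locked:", audit_macro_lock(LOCKED_XCU) or "OK")
    print("unlocked:", audit_macro_lock(UNLOCKED_XCU))
```

Run against the locked sample the audit returns no findings; against the unlocked one it reports both missing `oor:finalized` attributes, which is exactly the state in which the "add to trusted sources" prompt still has an effect. The DER check only looks at the outer tag, so it catches pasted PEM text or a truncated base64 string, not a certificate with the wrong subject; verifying the subject would need a real X.509 parser.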
Comment 1 Jan-Marek Glogowski 2019-12-10 17:23:08 UTC
Created attachment 156461
Macro locking extension with LO unit test cert
Comment 2 Jan-Marek Glogowski 2019-12-10 17:39:08 UTC
As a failure test document, you can use the one attached to bug 42316: attachment 52829.
Comment 3 Jan-Marek Glogowski 2019-12-10 18:06:15 UTC
There is now https://gerrit.libreoffice.org/84887. It fixes a whole bunch of problems I stumbled over and mostly had to fix, while I actually just wanted to fix the locked "trusted authors" handling. I think I'll at least split the UI and certificate exception handling from the "hard" functional change later.
Comment 4 Jan-Marek Glogowski 2019-12-11 12:03:41 UTC
Created attachment 156482
Macro "trusted cert" list only locking extension with LO unit test cert

While working on the proposed patch, I just realized that the current patch will also prevent the user interaction at the macro security level (MSL) *Medium*, which is (obviously) wrong. Consequently this will need a change of the Macro warning dialog to hide the "Add to trusted sources" check box, if the list of trusted certificates is read-only.

To make testing easier, I updated the extension, so it won't lock or override the MSL anymore and just lock the list of trusted authors.
Comment 5 Commit Notification 2019-12-17 10:59:49 UTC
Jan-Marek Glogowski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/71c6f438cecc3ce5e8060efe1df840652885701c

tdf#129311 don't allow temporary trusted certs

It will be available in 6.5.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2019-12-18 11:15:28 UTC
Jan-Marek Glogowski committed a patch related to this issue.
It has been pushed to "libreoffice-6-4":

https://git.libreoffice.org/core/commit/9cdb97cd93e60a0faf0a531949d94cff79e1aab9

tdf#129311 don't allow temporary trusted certs

It will be available in 6.4.0.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 7 Oliver Brinzing 2019-12-19 18:56:41 UTC
(In reply to Commit Notification from comment #6)
> The document is opened without enabled macros. Eventually LO even displays 
> some message box informing the user about the untrusted signature and the 
> therefore disabled macros.
> Affected users are encouraged to test the fix and report feedback.

checked with:

Version: 6.5.0.0.alpha0+ (x64)
Build ID: 4b7b6993134a48c850608c758f7b7283bed27fec
CPU threads: 4; OS: Windows 10.0 Build 18363; UI render: default; VCL: win; 
Locale: de-DE (de_DE); UI-Language: en-US
Calc: threaded

I was not able to make it work with the attached *.oxt (the certificate did not appear in "Trusted Sources"), but using my own certificate worked for me:

1. With macro Security "High" and MacroSecurityLevel finalized="true"

a) Macros enabled:
   - opened signed document/template
     Document changes will not affect macro signing as long as the macro
     itself is not changed. The signature of a modified macro is lost
     when you save the document.

b) Macros disabled:
   - opened unsigned document
   - opened signed document (signed with an unknown certificate) *)

2. With macro Security "Medium"

a) Macros enabled:
   - opened signed document/template

b) User is able to enable/disable macros:
   - opened unsigned document
   - opened signed document (signed with an unknown certificate) *)

*) With MacroSecurityLevel finalized="false" user is able to add the 
   unknown certificate to the "Trusted Source" list.