136821 – Wrong "Signed By" Information on Digital Signature Information Dialog

Bug 136821 - Wrong "Signed By" Information on Digital Signature Information Dialog

Summary: Wrong "Signed By" Information on Digital Signature Information Dialog

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	LibreOffice (show other bugs)
Version: (earliest affected)	6.4.6.2 release
Hardware:	All All

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-09-16 22:13 UTC by Diego Garzón
Modified:	2021-07-26 15:26 UTC (History)
CC List:	1 user (show)

See Also:
Crash report or crash signature:

Attachments
Screenshots of Word and Libreoffice to compare (137.28 KB, application/vnd.oasis.opendocument.text) 2020-09-16 22:16 UTC, Diego Garzón	Details
Signed Example file (59.81 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document) 2020-09-16 22:17 UTC, Diego Garzón	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diego Garzón 2020-09-16 22:13:44 UTC

Description:
When I add a new digital signature to a docx file using an external tool and  then add another digital certificate to the signature xml file (apart from the signer's certificate) Libreoffice apparently shows the last certificate's owner information in the signed by field instead of the actual signer's information. Please check screenshots attached.

Steps to Reproduce:
1. Add a digital signature to an existing docx file.
2. Open the file with an archive file manager (in my case winrar)
3. Modify the sig1.xml file located on _xmlsignatures folder by adding a new <X509Certificate> tag with any base64 encoded digital certificate
4. Open the edited file on Libreoffice
5. Open the signature details dialog


Actual Results:
You will see the signed by column populated with the information from the last certificate added manually. This shouldn't happen or else anyone can impersonate a valid user .

Expected Results:
You should see the signed by column populated with the information from the actual signer.The software should search for the signer certificate and when found populate this information on the signed by column


Reproducible: Always


User Profile Reset: No



Additional Info:
Versión: 6.4.6.2 (x64)
Id. de compilación: 0ce51a4fd21bff07a5c061082cc82c5ed232f115
Subprocs. CPU: 12; SO: Windows 10.0 Build 17763; Repres. IU: predet.; VCL: win; 
Configuración regional: es-CO (es_CO); Idioma de IU: es-ES
Calc: threaded

Comment 1 Diego Garzón 2020-09-16 22:16:38 UTC

Created attachment 165586 [details]
Screenshots of Word and Libreoffice to compare

Screenshots of Word and Libreoffice to compare

Comment 2 Diego Garzón 2020-09-16 22:17:22 UTC

Created attachment 165587 [details]
Signed Example file

Signed Example file

Comment 3 Buovjaga 2021-07-26 12:11:44 UTC

For me, the signed by and issued by fields are shown blank

NixOS
Version: 7.3.0.0.alpha0+ / LibreOffice Community
Build ID: 67e47070a7580a17804adce812cc2f98bfe7b51f
CPU threads: 16; OS: Linux 5.13; UI render: default; VCL: x11
Locale: fi-FI (fi_FI.UTF-8); UI: en-US
Calc: threaded

Comment 4 Buovjaga 2021-07-26 12:36:11 UTC

I got a comment in the dev chat that my result is the correct and intended one. Diego: can you re-test with 7.1.5 or newer?

Comment 5 Diego Garzón 2021-07-26 15:16:24 UTC

Hi Buovjaga:

I just tested it with 7.1.5 and now for me also the fields are shown blank. However I think it should show the correct signer information instead of blank. What do you think?

Comment 6 Buovjaga 2021-07-26 15:26:21 UTC

(In reply to Diego Garzón from comment #5)
> Hi Buovjaga:
> 
> I just tested it with 7.1.5 and now for me also the fields are shown blank.
> However I think it should show the correct signer information instead of
> blank. What do you think?

The change was intentional, so I trust the developers.