When digitally signing a document, the user is presented with a list of certificates to choose from. This list should not contain certificates that have an express purpose of encryption (not signing). The bug seems to be in the function CertificateChooser::ImplInitialize() in xmlsecurity/source/dialogs/certificatechooser.cxx, which loops and inserts all the available certificates, without checking their purpose. I apologize for not being familiar enough with the security::XCertificate framework to contribute a fix.
Only certificates with the nonRepudation key usage bit shall be used. Reference: http://tools.ietf.org/html/rfc5280#section-4.2.1.3
TESTING with LO 4.5 (In reply to Alexios Zavras (zvr) from comment #0) > When digitally signing a document, the user is presented with a list of > certificates to choose from. This list should not contain certificates that > have an express purpose of encryption (not signing). Sounds reasonable. Let's test. Repro Steps: - Make a certificate (valid for 2 days for example.com) Okay, gotta dig deep into the system for this one (why can't there just be a flag, openssl? *shakes head*) Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.bk (that'll make cleanup much easier) Now edit the original file. Find the entry for "keyUsage = " under the section "[ v3_req ]" and replace it with: keyUsage = nonRepudiation, digitalSignature, keyEncipherment Get out of /etc and into a test directory for the keys (I used /home/qubit/scratch/libreoffice/bugs/78820/) Generate the key that has signing capabilities: openssl req \ -x509 -nodes -days 2 \ -subj '/C=US/ST=Montana/L=Butte/CN=www.example-SIGN.com' \ -extensions v3_req \ -newkey rsa:2048 -keyout testcert_sign_fdo78820.pem \ -out testcert_sign_fdo78820.pem openssl pkcs12 -export -out testcert_sign_fdo78820.p12 \ -in testcert_sign_fdo78820.pem \ -name "Test Cert w/SIGNING fdo#78820" Generate the key that does NOT have signing capabilities: Edit /etc/ssl/openssl.cnf again and change the key usage line to: keyUsage = nonRepudiation, keyEncipherment Then back to the test directory: openssl req \ -x509 -nodes -days 2 \ -subj '/C=US/ST=Montana/L=Butte/CN=www.example-NOSIGN.com' \ -extensions v3_req \ -newkey rsa:2048 -keyout testcert_nosign_fdo78820.pem \ -out testcert_nosign_fdo78820.pem openssl pkcs12 -export -out testcert_nosign_fdo78820.p12 \ -in testcert_nosign_fdo78820.pem \ -name "Test Cert WITHOUT signing fdo#78820" Finally, restore the initial state of OpenSSL config by copying /etc/ssl/openssl.cnf.bk to /etc/ssl/openssl.cnf You can verify that the right values made it into the cert using something like this: openssl x509 -text -noout -in testcert_nosign_fdo78820.pem|grep -A1 'Key Usage' Some useful tips here as well: http://www.mytidbitz.com/?p=109 Okay, now we need to jam the certs into Firefox. - Use the GUI https://help.libreoffice.org/Common/Applying_Digital_Signatures#Managing_your_Certificates The instructions are a little out of date (bug 87313 is filed :-). I wasn't sure how to "edit the certificate. Enable the root certificate to be trusted at least for web and email access." Alexios: How did you get your certificates working? - I did find a command-line tool (not sure if that's applicable): pk12util -d /home/<username>/.mozilla/firefox/<some randomish-looking-chars>.default/ -i your-cert.p12
(In reply to Robinson Tryon (qubit) from comment #2) > > Alexios: How did you get your certificates working? Status -> NEEDINFO
Dear Bug Submitter, This bug has been in NEEDINFO status with no change for at least 6 months. Please provide the requested information as soon as possible and mark the bug as UNCONFIRMED. Due to regular bug tracker maintenance, if the bug is still in NEEDINFO status with no change in 30 days the QA team will close the bug as INVALID due to lack of needed information. For more information about our NEEDINFO policy please read the wiki located here: https://wiki.documentfoundation.org/QA/FDO/NEEDINFO If you have already provided the requested information, please mark the bug as UNCONFIRMED so that the QA team knows that the bug is ready to be confirmed. Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team This NEEDINFO message was generated on: 2015-07-18
Dear Bug Submitter, Please read this message in its entirety before proceeding. Your bug report is being closed as INVALID due to inactivity and a lack of information which is needed in order to accurately reproduce and confirm the problem. We encourage you to retest your bug against the latest release. If the issue is still present in the latest stable release, we need the following information (please ignore any that you've already provided): a) Provide details of your system including your operating system and the latest version of LibreOffice that you have confirmed the bug to be present b) Provide easy to reproduce steps – the simpler the better c) Provide any test case(s) which will help us confirm the problem d) Provide screenshots of the problem if you think it might help e) Read all comments and provide any requested information Once all of this is done, please set the bug back to UNCONFIRMED and we will attempt to reproduce the issue. Please do not: a) respond via email b) update the version field in the bug or any of the other details on the top section of FDO Message generated on: 2015-09-03