Bug 78820 - document signing should only make use of signing certificates
Summary: document signing should only make use of signing certificates
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: framework (show other bugs)
(earliest affected) release
Hardware: All All
: medium major
Assignee: Not Assigned
Depends on:
Reported: 2014-05-17 10:55 UTC by Alexios Zavras (zvr)
Modified: 2015-09-04 03:00 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:


Note You need to log in before you can comment on or make changes to this bug.
Description Alexios Zavras (zvr) 2014-05-17 10:55:34 UTC
When digitally signing a document, the user is presented with a list of certificates to choose from. This list should not contain certificates that have an express purpose of encryption (not signing).

The bug seems to be in the function CertificateChooser::ImplInitialize() in xmlsecurity/source/dialogs/certificatechooser.cxx, which loops and inserts all the available certificates, without checking their purpose.

I apologize for not being familiar enough with the security::XCertificate framework to contribute a fix.
Comment 1 nuno.ponte 2014-09-23 09:18:40 UTC
Only certificates with the nonRepudation key usage bit shall be used.

Reference: http://tools.ietf.org/html/rfc5280#section-
Comment 2 Robinson Tryon (qubit) 2014-12-15 03:34:50 UTC
TESTING with LO 4.5

(In reply to Alexios Zavras (zvr) from comment #0)
> When digitally signing a document, the user is presented with a list of
> certificates to choose from. This list should not contain certificates that
> have an express purpose of encryption (not signing).

Sounds reasonable. Let's test.

Repro Steps:
- Make a certificate (valid for 2 days for example.com)

Okay, gotta dig deep into the system for this one (why can't there just be a flag, openssl? *shakes head*)

Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.bk (that'll make cleanup much easier)

Now edit the original file. Find the entry for "keyUsage = " under the section "[ v3_req ]" and replace it with:
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Get out of /etc and into a test directory for the keys (I used /home/qubit/scratch/libreoffice/bugs/78820/)

Generate the key that has signing capabilities:

openssl req \
  -x509 -nodes -days 2 \
  -subj '/C=US/ST=Montana/L=Butte/CN=www.example-SIGN.com' \
  -extensions v3_req \
  -newkey rsa:2048 -keyout testcert_sign_fdo78820.pem \
  -out testcert_sign_fdo78820.pem

openssl pkcs12 -export -out testcert_sign_fdo78820.p12 \
  -in testcert_sign_fdo78820.pem \
  -name "Test Cert w/SIGNING fdo#78820"

Generate the key that does NOT have signing capabilities:

Edit /etc/ssl/openssl.cnf again and change the key usage line to:
  keyUsage = nonRepudiation, keyEncipherment

Then back to the test directory:
openssl req \
  -x509 -nodes -days 2 \
  -subj '/C=US/ST=Montana/L=Butte/CN=www.example-NOSIGN.com' \
  -extensions v3_req \
  -newkey rsa:2048 -keyout testcert_nosign_fdo78820.pem \
  -out testcert_nosign_fdo78820.pem

openssl pkcs12 -export -out testcert_nosign_fdo78820.p12 \
  -in testcert_nosign_fdo78820.pem \
  -name "Test Cert WITHOUT signing fdo#78820"

Finally, restore the initial state of OpenSSL config by copying /etc/ssl/openssl.cnf.bk to /etc/ssl/openssl.cnf

You can verify that the right values made it into the cert using something like this:
  openssl x509 -text -noout -in testcert_nosign_fdo78820.pem|grep -A1 'Key Usage'

Some useful tips here as well:

Okay, now we need to jam the certs into Firefox.

- Use the GUI

The instructions are a little out of date (bug 87313 is filed :-).

I wasn't sure how to "edit the certificate. Enable the root certificate to be trusted at least for web and email access."

Alexios: How did you get your certificates working?

- I did find a command-line tool (not sure if that's applicable):

  pk12util -d /home/<username>/.mozilla/firefox/<some randomish-looking-chars>.default/ -i your-cert.p12
Comment 3 Robinson Tryon (qubit) 2014-12-29 05:36:08 UTC
(In reply to Robinson Tryon (qubit) from comment #2)
> Alexios: How did you get your certificates working?

Status -> NEEDINFO
Comment 4 QA Administrators 2015-07-18 17:35:15 UTC
Dear Bug Submitter,

This bug has been in NEEDINFO status with no change for at least 6 months. Please provide the requested information as soon as possible and mark the bug as UNCONFIRMED. Due to regular bug tracker maintenance, if the bug is still in NEEDINFO status with no change in 30 days the QA team will close the bug as INVALID due to lack of needed information.

For more information about our NEEDINFO policy please read the wiki located here: 

If you have already provided the requested information, please mark the bug as UNCONFIRMED so that the QA team knows that the bug is ready to be confirmed.

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

This NEEDINFO message was generated on: 2015-07-18
Comment 5 QA Administrators 2015-09-04 03:00:32 UTC
Dear Bug Submitter,

Please read this message in its entirety before proceeding.

Your bug report is being closed as INVALID due to inactivity and a lack of information which is needed in order to accurately reproduce and confirm the problem. We encourage you to retest your bug against the latest release. If the issue is still present in the latest stable release, we need the following information (please ignore any that you've already provided):

a) Provide details of your system including your operating system and the latest version of LibreOffice that you have confirmed the bug to be present

b) Provide easy to reproduce steps – the simpler the better

c) Provide any test case(s) which will help us confirm the problem

d) Provide screenshots of the problem if you think it might help

e) Read all comments and provide any requested information

Once all of this is done, please set the bug back to UNCONFIRMED and we will attempt to reproduce the issue. 
Please do not:
a) respond via email 
b) update the version field in the bug or any of the other details on the top section of FDO
Message generated on: 2015-09-03