Commenting just on document signing ...

> -----Original Message-----
> From: Pedro Giffuni [mailto:p...@apache.org]
> Sent: Monday, March 28, 2016 13:48
> To: OOo Apache <dev@openoffice.apache.org>
> Subject: Re: Release Manager for 4.2.0?
[ ... ]
>
> [ ... ] I am unsure about what in OpenOffice
> uses the new cyphers. I think OpenSSL is used for signing documents:
> when we update OpenSSL will AOO automatically accept more signing
> options? I would expect browsers will bring their own SSL
> implementations.

[orcmid]

The document signature support in Apache OpenOffice is based on XML Digital Signatures Second Edition, <http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/>. This has nothing to do with communications via secure sockets of course. Granted that OpenSSL provides library functions for more than that, there is still very limited use for signing documents.

X.509 digital certificates are employed. XAdES extensions may be used (impacting metadata information mainly and only implemented by Microsoft in ODF as far as I know). Depending on the platform the operating-system secure store for the signing key will usually be employed, so there is operating-system integration. (This is definitely true for Windows.)

Basically, SHA-1 digests of each part within the ODF package (a Zip) are incorporated in the signature file in a <SignedInfo> element. That element is effectively what is signed using method RSA-SHA1. The <SignatureValue> element provides the encrypted details by which the <SignedInfo> can be verified. This information can be decrypted and checked using the public key certificate of the signer that is included in the signature file. (These certificates have their own cryptographic verification.) There are no other methods for the signature data and its signing.

PS. The encryption of ODF files is very different and independent of the signature mechanism. It is password-based and it uses Blowfish 8-bit CFB mode by default, encrypting each part of the ODF package separately. Signing of encrypted files is done after encryption. There is an optional AES-256 usage as well. That is not produced by Apache OpenOffice.

>
> TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
> further because the newer versions have more code but also more
> vulnerabilities, therefore the expected maintenance cost would be
> higher. The FreeBSD 9.x updates are only a temporary workaround.
> Now that upstream is not maintaining the older 0.9.8 version
> it probably makes sense to reconsider upgrading.
>
> Pedro.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
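
Added example (not part of the original message and not Apache OpenOffice code): a Python check for the <SignedInfo> structure described above. It reports each signature's SignatureMethod and every Reference's DigestMethod, and recomputes the digest of parts referenced without transforms; it does not verify the <SignatureValue> or the certificate. Assumptions: the signature file path META-INF/documentsignatures.xml comes from the ODF package specification rather than the message, and build_sample() and its part contents are constructed for the example.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{" + NS + "}"
SIG_FILE = "META-INF/documentsignatures.xml"
DIGESTS = {NS + "sha1": "sha1", "http://www.w3.org/2001/04/xmlenc#sha256": "sha256"}

def audit_package(data):
    """Yield (signature method, [(part URI, digest method, status), ...]) per signature."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        root = ET.fromstring(pkg.read(SIG_FILE))
        for sig in root.iter(DS + "Signature"):
            info = sig.find(DS + "SignedInfo")
            method = info.find(DS + "SignatureMethod").get("Algorithm")
            refs = []
            for ref in info.findall(DS + "Reference"):
                uri = unquote(ref.get("URI", ""))
                alg = ref.find(DS + "DigestMethod").get("Algorithm")
                if not uri or uri.startswith("#"):
                    status = "same-document"    # points inside the signature file
                elif ref.find(DS + "Transforms") is not None:
                    status = "needs-transform"  # canonicalization is not done here
                elif uri not in names:
                    status = "missing-part"
                elif alg not in DIGESTS:
                    status = "unknown-digest"
                else:
                    want = base64.b64decode(ref.find(DS + "DigestValue").text)
                    got = hashlib.new(DIGESTS[alg], pkg.read(uri)).digest()
                    status = "match" if got == want else "mismatch"
                refs.append((uri, alg.rsplit("#", 1)[-1], status))
            yield method.rsplit("#", 1)[-1], refs

def build_sample(tamper=False):  # constructed package: one binary part, no transforms
    part = b"constructed thumbnail bytes"
    digest = base64.b64encode(hashlib.sha1(part).digest()).decode()
    xml = ('<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
           f'<Signature xmlns="{NS}"><SignedInfo><SignatureMethod Algorithm="{NS}rsa-sha1"/>'
           f'<Reference URI="Thumbnails/thumbnail.png"><DigestMethod Algorithm="{NS}sha1"/>'
           f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>'
           '<SignatureValue>Y29uc3RydWN0ZWQ=</SignatureValue></Signature></document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Thumbnails/thumbnail.png", part + (b"!" if tamper else b""))
        z.writestr(SIG_FILE, xml)
    return buf.getvalue()
```

A "match" here only says the part still hashes to the value listed in <SignedInfo>; whether <SignedInfo> itself is authentic depends on the RSA-SHA1 signature and certificate checks that this example leaves out.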