On 28 Mar, Dennis E. Hamilton wrote: > Commenting just on document signing ... > >> -----Original Message----- >> From: Pedro Giffuni [mailto:p...@apache.org] >> Sent: Monday, March 28, 2016 13:48 >> To: OOo Apache <dev@openoffice.apache.org> >> Subject: Re: Release Manager for 4.2.0? > [ ... ] >> >> [ ... ] I am unsure about what in OpenOffice >> uses the new cyphers. I think OpenSSL is used for signing documents: >> when we update OpenSSL will AOO automatically accept more signing >> options? I would expect browsers will bring their own SSL >> implementations. > [orcmid] > > The document signature support in Apache OpenOffice is based on XML > Digital Signatures Second Edition, > <http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/>. This has > nothing to do with communications via secure sockets of course. > Granted that OpenSSL provides library functions for more than that, > there is still very limited use for signing documents. > > X.509 digital certificates are employed. XadES extensions may be used > (impacting metadata information mainly and only implemented by > Microsoft in ODF as far as I know). Depending on the platform the > operating-system secure store for the signing key will usually be > employed, so there is operating-system integration. (This is > definitely true for Windows.)
OpenSSL also provides libcrypto which contains functions for creating, validating, and using certificates. It uses some of this functionality to verify that a secure socket connection is actually connected to the desired remote endpoint. I've used to the openssl command line tool to produce a certificate that was used to authenticate a connection from a local application to a remote service. There seems to be a standard place to store certificates under a user's home directory in the *nix world. A while back I signed up for a service that requires updates from me to be signed with a certificate that they created for me and that my browser downloaded and stashed away somewhere. When I tried signing a document with OpenOffice, it found this certificate and offered it as a choice for signing. Since OpenOffice also uses curl, which is used for downloading files, and curl uses OpenSSL, it looks like OpenOffice depends on OpenSSL for secure downloads. I don't know if it downloads anything other than extensions and updates. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
