[Libreoffice-bugs] [Bug 83939] New: LibreOffice creates invalid signature when creating digitally signed PDF

Tue, 16 Sep 2014 10:02:33 -0700 

https://bugs.freedesktop.org/show_bug.cgi?id=83939

          Priority: medium
            Bug ID: 83939
          Assignee: [email protected]
           Summary: LibreOffice creates invalid signature when creating
                    digitally signed PDF
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: [email protected]
          Hardware: Other
            Status: UNCONFIRMED
           Version: 4.4.0.0.alpha0+ Master
         Component: Printing and PDF export
           Product: LibreOffice

This report is a follow up to bug 66701. See there for the steps that lead
here.

When creating digitally signed PDFs, LO sometimes creates PDF with invalid
signatures. The conditions under which this happens are unclear.

This was originally reported in bug 66701. The PDF that was attached there
(attachment 82188) shows that instead of the digital signature LO had embedded
a long row (16394) of zeroes (line 198).

The same also happened in bug 83937, where LO was run unter valgrind when
producing the signed PDF (as it would crash otherwise). The resulting PDF from
that case is in attachment 106382), Same amount of zeroes, line 290.

It is unknown what caused the error in the first bug. But in the second one,
the sequence that lead to the corrupt signature seems to have been the
following (without having looked at the code)

...0) LO selects the key in the token from NSS list
1) LO asks for storage location
2) LO sends data to sign to the token via NSS function 
3) PKCS# library (libcvP11) gets called from NSS
4) PKCS# library starts external helper program to ask user for PIN
5) External helper program crashes (segfault)
6) Somehow that does not create an error condition that LO detects
7) Signature (all zeroes) is written into PDF

It may be worth noting that the ODF file itself can be successfully signed (see
attachment 106381) with the very same key/certificate from the very same token
(also in the same session) via File->Digital Signatures (if not run under
valgrind)

-- 
You are receiving this mail because:
You are the assignee for the bug.

_______________________________________________
Libreoffice-bugs mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs

Reply via email to