[Libreoffice-bugs] [Bug 99327] Wrong hash algorithm informed on signed PDF/A export

Wed, 03 Aug 2016 14:02:53 -0700 

https://bugs.documentfoundation.org/show_bug.cgi?id=99327

--- Comment #10 from Daniel Miranda <daniel_a_mira...@yahoo.com.br> ---
Hi, I am seeing the same problem here and the culprit seems to be this line in
LibreOffice's source code:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7188


The following line:
 aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_RSA_SHA1RSA);
Should probably read:
 aSignerInfo.HashAlgorithm.pszObjId = const_cast<LPSTR>(szOID_OIWSEC_sha1);


I have traced that path from the pdfexport.cxx code, which creates an aContext
structure and creates a pPDFWriter object at:

https://cgit.freedesktop.org/libreoffice/core/tree/filter/source/pdf/pdfexport.cxx#n787

The implementation of the code that does the actual signing is in
pdfwriter_impl.cxx and creates the aSignerInfo structure of type
CMSG_SIGNER_ENCODE_INFO, documented in

https://msdn.microsoft.com/pt-br/library/aa925156.aspx

The specific field that is set is aSignerInfo.HashAlgorithm.pszObjId, which is
documented at:

https://msdn.microsoft.com/pt-br/library/office/aa381133.aspx.

The value currently in the code is:
 szOID_RSA_SHA1RSA
 "1.2.840.113549.1.1.5"
 which is NOT a digest algorithm, but an encryption and signing algorithn.

The likely value for that should be:
 szOID_OIWSEC_sha1
 "1.3.14.3.2.26"

Or, while we are at that, upgrade the algorithm to a more modern one not
relying on sha1. It should have minor performance impact:
 szOID_NIST_sha256
 "2.16.840.1.101.3.4.2.1"
 or
 szOID_NIST_sha512
 "2.16.840.1.101.3.4.2.3" 


Other parts of the file should also be updated:

https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/gdi/pdfwriter_impl.cxx#n7159
 (although it seems the aPara structure is not actually being used anywhere
else)

CAVEAT:
  1. I am not familiar with LibreOffice's codebase, please check if these two
lines are really all it takes.
  2. The digest algorithm upgrade seems to be a bit more complex than a fix for
this bug, it requires changes in other parts of the file. Nonetheless, I think
this is a wonderful time to do it, since sha1 is showing it's age. Bruce
Scheiner blogged in 2005 - 11 years ago - that it was no longer safe even then.
See https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
Libreoffice-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs

Reply via email to