https://bugs.documentfoundation.org/show_bug.cgi?id=146685
Bug ID: 146685
Summary: LibreOffice manages to use signing certificate without
knowing the certificate password.
Product: LibreOffice
Version: 7.1.8.1 release
Hardware: x86-64 (AMD64)
OS: Windows (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Writer
Assignee: [email protected]
Reporter: [email protected]
Description:
Seems LibreOffice can make a magical use of "protected" signing X.509
certificates in Windows certificate store. It can sign PDF documents without
knowing the actually necessary signing password.
I'm not even sure if this is a LO bug. Probably it is a Windows bug.
Steps to Reproduce:
1. Create a Writer document
2. Export the document to PDF with applying a digital signature (X.509)
3. Let the certificate password field be empty.
4. Export the PDF and enjoy a signed document.
Actual Results:
The document is signed without asking for a permission to use the X.509
certificate, although the certificate was imported into the Windows certificate
store as "ask for permission with a password".
Expected Results:
LibreOffice should not be able to sign the document until the certificate
password is filled in the field.
Reproducible: Always
User Profile Reset: No
Additional Info:
Version: 7.1.8.1 (x86) / LibreOffice Community
Build ID: e1f30c802c3269a1d052614453f260e49458c82c
CPU threads: 2; OS: Windows 10.0 Build 19043; UI render: Skia/Raster; VCL: win
Locale: de-DE (de_DE); UI: de-DE
Calc: CL
A previous version, LibreOffice 6.3.6.2 (x64) shows the same behaviour.
Respectively ability. :D
The PDF viewer says the signature is valid.
As said, I cannot understand why Windows allows the use of the certificate
without a password in this case. Other software must know a password to sign
with this certificate.
--
You are receiving this mail because:
You are the assignee for the bug.
