[Libreoffice-commits] core.git: Branch 'feature/cib_contract57d' - 20 commits - drawinglayer/source hwpfilter/source lotuswordpro/source RepositoryExternal.mk sc/source shell/source sw/qa sw/source vcl/source writerfilter/source xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk xmlsecurity/CppunitTest_xmlsecurity_signing.mk xmlsecurity/inc xmlsecurity/qa xmlsecurity/source

[Caolán McNamara (via logerrit)]

 RepositoryExternal.mk                                                          
   |   26 
 dev/null                                                                       
   |binary
 drawinglayer/source/tools/emfphelperdata.cxx                                   
   |   31 
 hwpfilter/source/hwpfile.cxx                                                   
   |    2 
 hwpfilter/source/hwpfile.h                                                     
   |    4 
 lotuswordpro/source/filter/lwpdrawobj.cxx                                      
   |   79 --
 sc/source/filter/lotus/op.cxx                                                  
   |   11 
 shell/source/win32/SysShExec.cxx                                               
   |    2 
 sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf                              
   |  347 ++++++++++
 sw/qa/extras/layout/layout.cxx                                                 
   |    3 
 sw/source/core/layout/tabfrm.cxx                                               
   |    1 
 sw/source/filter/ww8/wrtw8sty.cxx                                              
   |   28 
 sw/source/filter/ww8/wrtww8.hxx                                                
   |    4 
 vcl/source/fontsubset/sft.cxx                                                  
   |    2 
 vcl/source/gdi/svmconverter.cxx                                                
   |   20 
 writerfilter/source/dmapper/DomainMapperTableManager.cxx                       
   |    2 
 xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk                              
   |    8 
 xmlsecurity/CppunitTest_xmlsecurity_signing.mk                                 
   |    9 
 xmlsecurity/inc/biginteger.hxx                                                 
   |   11 
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx                                  
   |   32 
 
xmlsecurity/qa/unit/signing/data/02_doc_macros_signed_by_attacker_manipulated.odt
 |binary
 xmlsecurity/qa/unit/signing/data/02_doc_signed_by_attacker_manipulated.odt     
   |binary
 xmlsecurity/qa/unit/signing/data/02_doc_signed_by_attacker_manipulated2.odt    
   |binary
 
xmlsecurity/qa/unit/signing/data/02_doc_signed_by_attacker_manipulated_triple.odt
 |binary
 
xmlsecurity/qa/unit/signing/data/02_doc_signed_by_trusted_person_manipulated.odt
  |binary
 xmlsecurity/qa/unit/signing/data/cert9.db                                      
   |binary
 xmlsecurity/qa/unit/signing/data/key4.db                                       
   |binary
 xmlsecurity/qa/unit/signing/data/pkcs11.txt                                    
   |    5 
 xmlsecurity/qa/unit/signing/data/signed_with_x509certificate_chain.odt         
   |binary
 xmlsecurity/qa/unit/signing/data/test.p7b                                      
   |  249 +++++++
 xmlsecurity/qa/unit/signing/signing.cxx                                        
   |  170 ++++
 xmlsecurity/source/component/documentdigitalsignatures.cxx                     
   |   15 
 xmlsecurity/source/helper/xmlsignaturehelper.cxx                               
   |    5 
 xmlsecurity/source/helper/xsecverify.cxx                                       
   |    6 
 xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx          
   |   63 +
 xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx              
   |   92 ++
 xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx                      
   |   95 ++
 37 files changed, 1202 insertions(+), 120 deletions(-)

New commits:
commit daa2b51b1ba58148f7c2a72a5e7272bac6067423
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Fri Mar 4 10:38:50 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:51:13 2022 +0200

    clamp and add some logging like SvmReader
    
    LIBREOFFICE-OWMTGGWJ
    
    Change-Id: I8f744e1ab2684a0f0995abcc3e753a684a3b970a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130982
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 19add15932e579c931480eed42eeea52d0551897)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131369
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 8727f47611af8dfb5ac186cc47e7b38741ccfb76)

diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index 71c7c5c7b26f..6721ceb9df8a 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -239,6 +239,23 @@ namespace
             nFollowingActionCount = remainingActions;
         return std::min(remainingActions, nFollowingActionCount);
     }
+
+    void ClampRange(const OUString& rStr, sal_Int32& rIndex, sal_Int32& 
rLength)
+    {
+        const sal_Int32 nStrLength = rStr.getLength();
+
+        if (rIndex < 0 || rIndex > nStrLength)
+        {
+            SAL_WARN("vcl.gdi", "inconsistent offset");
+            rIndex = nStrLength;
+        }
+
+        if (rLength < 0 || rLength > nStrLength - rIndex)
+        {
+            SAL_WARN("vcl.gdi", "inconsistent len");
+            rLength = nStrLength - rIndex;
+        }
+    }
 }
 
 #define LF_FACESIZE 32
@@ -680,6 +697,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, 
GDIMetaFile& rMtf )
                     OUString aStr(OStringToOUString(aByteStr, eActualCharSet));
                     if ( nUnicodeCommentActionNumber == i )
                         ImplReadUnicodeComment( nUnicodeCommentStreamPos, 
rIStm, aStr );
+                    ClampRange(aStr, nIndex, nLen);
                     rMtf.AddAction( new MetaTextAction( aPt, aStr, nIndex, 
nLen ) );
                 }
 
@@ -770,6 +788,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, 
GDIMetaFile& rMtf )
                     }
                     if ( nUnicodeCommentActionNumber == i )
                         ImplReadUnicodeComment( nUnicodeCommentStreamPos, 
rIStm, aStr );
+                    ClampRange(aStr, nIndex, nLen);
                     rMtf.AddAction( new MetaTextArrayAction( aPt, aStr, 
pDXAry.get(), nIndex, nLen ) );
                 }
 
@@ -795,6 +814,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, 
GDIMetaFile& rMtf )
                     OUString aStr(OStringToOUString(aByteStr, eActualCharSet));
                     if ( nUnicodeCommentActionNumber == i )
                         ImplReadUnicodeComment( nUnicodeCommentStreamPos, 
rIStm, aStr );
+                    ClampRange(aStr, nIndex, nLen);
                     rMtf.AddAction( new MetaStretchTextAction( aPt, nWidth, 
aStr, nIndex, nLen ) );
                 }
 
commit 33bdd829823c68715edbefc6acb6d3e6d833e4bb
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Mar 1 11:45:23 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:51:01 2022 +0200

    protect frame from triggering deleting itself
    
    LIBREOFFICE-N4LA0OHZ
    
    Change-Id: I0d24277665a317f047b286fe0f0878b3814ded65
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130766
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit ee2a192923bf709d05c174848e7054cd411b205a)
    (cherry picked from commit 3d3c6462eeef581af2b936071c3ef432858b04a5)
    (cherry picked from commit 503d84cabb68233a12a3a9602253f4345be86ad7)

diff --git a/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf 
b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf
new file mode 100755
index 000000000000..47d284aa5753
--- /dev/null
+++ b/sw/qa/extras/layout/data/LIBREOFFICE-N4LA0OHZ.rtf
@@ -0,0 +1,347 @@
+{\rtf1\ansi\ansicpg1252\deff0
+{\fontttbl
+\f0\froman\fcharset0 Times;
+\f1\fswiss\fcharset0 Helvetica;
+\f2\fmodern\fcharset0 Courier;
+\f3\ftech\fcharset2 S�mbol;
+}
+{]colortbl
+;
+\red127\green255\blue212;
+\red0\green0\blue0;
+\red0\green0\blue255;
+\red25\green0\blue255;
+\red190\green190\blue190;
+\red0\green255\blue0;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red50\green205\blue50;
+\red176\green48\blue96;
+\red0\green0\blue128;
+\red85\green107\blue47;
+\red160\green32\blue240;
+\red255\green0\blue0;
+\red192\green-1733928082104\blue192;
+\red0\green128\blue128;
+\red255\green255\blue255;
+\red255\green255\blue0;
+}
+{\info
+{\*\userprops
+{\propname creator}\proptype30
+{\staticval XMLmind FO Converter}
+}
+}
+\facingp\masgmirror\fet0\ftnbj
+\sectd
+\pghsxn15840\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440J\margmirsxn
+\headery720
+\footery720
+\titlepg
+\pgnrestart\pgnstarts1|pgndec
+{\headerr
+\trowd\trleft0
+clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf18446744073709551614\cellx279
+\pard\intbl
+\cell
+\tard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerl
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\�ellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerf
+}
+{\footerr
+\trowd\trleft0
+\clvertalb
+\clbrdrT\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10Lbrdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdvs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{footerl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brd2cf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\row
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+}
+{\*\bkmkstart id2754642}
+{\*\bkmkend i`2754642}
+\pard\qect
+\sectd
+\pghsxn1\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440
+\margmirsxn
+\headery720\footery720
+\titlepg
+\pgncont\pgnlcrm
+{\headerr
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+^clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerl
+\trowd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\headerf
+\trkwd\trleft0
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\b�drcf8\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerr
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\cdrertal�VQbdqomA
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf3\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20|cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+{\*\bkmkstart toc_2e__2e__2e_id2754642}
+\pard\sb518\qj
+{\plain\f000000000000000000000000000000000000000000000000000000128\fs35\b\cf2
+Table of %nntentsmpUMjkI
+}
+\par
+{\*\bkmkend toc_2e__2e__2e_id2754642}
+\pard\sb291\li960\ri480\tldot\tx4920
+{\field{\*|fldinst HYPERLINK \\l id2884528}{\fldrslt
+{\plai~\f0\fs20cf2
+1. 
+}
+}}
+{\plain\f0\fs20\cf2
+ 
+}
+{\plain\f0\fs20\cf2
+\tab
+}
+{\plain\f0\fs20\cf2
+ 
+}
+{\field{\*\fldinst HYPERLINK \\n id2884528}{\fldrslt
+{\plain\f0\fs20\cf2
+{\field{\*\fldinst PAGEREF id2884528}{\fldrslt 0}}
+}
+}}
+\par
+\pard\sect
+\sectd
+\pghsxn15840\pgwsxn12240
+\margtsxn1440\margbsxn1440\marglsxn1440\margrsxn1440
+\margmirsxn
+\headery720
+\footery720
+\titlepg
+\pgnrestart\pgnstarts1\pgndec
+{\headerr
+\trowd\trleft0
+\clvertalt
+\clbrdrb�brdrs\brdrw10\brdrcf2\cellx93
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalt
+\clbrdrb\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\pard\intbl
+\cell
+\rou
+}
+{\footarl
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+mkend toc_2e__2e__2e_id2754642}
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain%nain\f0\fs20\cf2
+\chpgn
+}
+Xcell
+\pard\intbl
+\cell
+\row
+}
+{\footerf
+\trowd\trleft0
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx93
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx186
+\clvertalb
+\clbrdrt\brdrs\brdrw10\brdrcf2\cellx279
+\pard\intbl
+\cell
+\pard\intbl\qc
+{\plain\f0\fs20\cf2
+\chpgn
+}
+\cell
+\pard\intbl
+\cell
+\row
+}
+\󠁰par}
+\󠁰par}
+\row
+kbkmkend id2884--1888⁦84712918700}
+\󠁰par}
\ No newline at end of file
diff --git a/sw/qa/extras/layout/layout.cxx b/sw/qa/extras/layout/layout.cxx
index d7b936aa89e8..de540b8e4834 100644
--- a/sw/qa/extras/layout/layout.cxx
+++ b/sw/qa/extras/layout/layout.cxx
@@ -2923,6 +2923,9 @@ CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint75)
 //just care it doesn't crash/assert
 CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testForcepoint76) { 
createDoc("forcepoint76-1.rtf"); }
 
+//just care it doesn't crash/assert
+CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testN4LA0OHZ) { 
createDoc("LIBREOFFICE-N4LA0OHZ.rtf"); }
+
 CPPUNIT_TEST_FIXTURE(SwLayoutWriter, testTdf118058)
 {
     SwDoc* pDoc = createDoc("tdf118058.fodt");
diff --git a/sw/source/core/layout/tabfrm.cxx b/sw/source/core/layout/tabfrm.cxx
index 4f2c504cc8e5..f2314a12ac2f 100644
--- a/sw/source/core/layout/tabfrm.cxx
+++ b/sw/source/core/layout/tabfrm.cxx
@@ -2112,6 +2112,7 @@ void SwTabFrame::MakeAll(vcl::RenderContext* 
pRenderContext)
             }
             SwFootnoteBossFrame *pOldBoss = bFootnotesInDoc ? 
FindFootnoteBossFrame( true ) : nullptr;
             bool bReformat;
+            SwFrameDeleteGuard g(this);
             if ( MoveBwd( bReformat ) )
             {
                 aRectFnSet.Refresh(this);
commit 5802bd03c9aca495aacc25cf3da32d3a051d5237
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Fri Feb 25 12:33:13 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:50:54 2022 +0200

    lastPoint might be 0xFFFF
    
    LIBREOFFICE-KYYAZMB9
    
    Change-Id: Ic0d95bd39a01dc1e5e0fec83dcc2c40b3f23b747
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130462
    Tested-by: Jenkins
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
    (cherry picked from commit 21ea1eacd214dbaac8d0ce7f437580d535871415)
    (cherry picked from commit 1f3e7bc9e47b83f009b8085effa61467101aa102)

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 979783a5021a..8cd986bdd55c 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -412,7 +412,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, 
sal_uInt32 glyphID, Contr
     const sal_uInt8* p = ptr + nOffset;
 
     const sal_uInt32 nBytesRemaining = nTableSize - nOffset;
-    const sal_uInt16 palen = lastPoint+1;
+    const sal_uInt32 palen = lastPoint+1;
 
     //at a minimum its one byte per entry
     if (palen > nBytesRemaining || lastPoint > nBytesRemaining-1)
commit 0d212697a3145b9a08205346a2709414089673ef
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Mar 1 10:39:34 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:50:46 2022 +0200

    fail more gracefully if m_aTmpPosition is empty
    
    LIBREOFFICE-N4LA0OHZ
    
    Change-Id: I7f863151f753ad5605c4f1f280cfd79aa4c6bce4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130772
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 02837024ea8d3d52c92420858327b309f2e96487)
    (cherry picked from commit 9fc1be2594ceac46e9a769d7ee2a2004869603ac)

diff --git a/writerfilter/source/dmapper/DomainMapperTableManager.cxx 
b/writerfilter/source/dmapper/DomainMapperTableManager.cxx
index ea26eca7b973..9cbe527cfb9a 100644
--- a/writerfilter/source/dmapper/DomainMapperTableManager.cxx
+++ b/writerfilter/source/dmapper/DomainMapperTableManager.cxx
@@ -519,6 +519,8 @@ void DomainMapperTableManager::endOfRowAction()
     // Compare the table position with the previous ones. We may need to split
     // into two tables if those are different. We surely don't want to do 
anything
     // if we don't have any row yet.
+    if (m_aTmpPosition.empty())
+        throw std::out_of_range("row without a position");
     TablePositionHandlerPtr pTmpPosition = m_aTmpPosition.back();
     TablePropertyMapPtr pTablePropMap = m_aTmpTableProperties.back( );
     TablePositionHandlerPtr pCurrentPosition = m_aTablePositions.back();
commit 517bbdf2d692e308dae409bc6e1cd8056f4aad23
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Feb 28 09:45:55 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:50:38 2022 +0200

    check if cast is to the right type
    
    LIBREOFFICE-311XVJ95
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130670
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit b44bd9ef8e2efdb66558917200e1f179b9db1c58)
    
    Change-Id: I159f516daafad3e4088677fe2c8c6f5423b3e264
    (cherry picked from commit f9350f9a8404fd9eb5b6963022f0069e89ddd061)

diff --git a/drawinglayer/source/tools/emfphelperdata.cxx 
b/drawinglayer/source/tools/emfphelperdata.cxx
index a9ac0e9f8e30..ffd7f73beb12 100644
--- a/drawinglayer/source/tools/emfphelperdata.cxx
+++ b/drawinglayer/source/tools/emfphelperdata.cxx
@@ -346,7 +346,7 @@ namespace emfplushelper
         }
         else // we use a pen
         {
-            const EMFPPen* pen = 
static_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get());
+            const EMFPPen* pen = 
dynamic_cast<EMFPPen*>(maEMFPObjects[brushIndexOrColor & 0xff].get());
             if (pen)
             {
                 color = pen->GetColor();
@@ -615,7 +615,7 @@ namespace emfplushelper
         }
         else // use Brush
         {
-            EMFPBrush* brush = static_cast<EMFPBrush*>( 
maEMFPObjects[brushIndexOrColor & 0xff].get() );
+            EMFPBrush* brush = dynamic_cast<EMFPBrush*>( 
maEMFPObjects[brushIndexOrColor & 0xff].get() );
             SAL_INFO("drawinglayer", "EMF+\t Fill polygon, brush slot: " << 
brushIndexOrColor << " (brush type: " << (brush ? brush->GetType() : -1) << 
")");
 
             // give up in case something wrong happened
@@ -1110,7 +1110,11 @@ namespace emfplushelper
                         rMS.ReadUInt32(brushIndexOrColor);
                         SAL_INFO("drawinglayer", "EMF+ FillRegion slot: " << 
index);
 
-                        
EMFPPlusFillPolygon(static_cast<EMFPRegion*>(maEMFPObjects[flags & 
0xff].get())->regionPolyPolygon, flags & 0x8000, brushIndexOrColor);
+                        EMFPRegion* region = 
dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
+                        if (region)
+                            EMFPPlusFillPolygon(region->regionPolyPolygon, 
flags & 0x8000, brushIndexOrColor);
+                        else
+                            SAL_WARN("drawinglayer.emf", 
"EMF+\tEmfPlusRecordTypeFillRegion missing region");
                     }
                     break;
                     case EmfPlusRecordTypeDrawEllipse:
@@ -1285,9 +1289,10 @@ namespace emfplushelper
                         SAL_INFO("drawinglayer", "EMF+\tTODO: use image 
attributes");
 
                         // For DrawImage and DrawImagePoints, source unit of 
measurement type must be 1 pixel
-                        if (sourceUnit == UnitTypePixel && maEMFPObjects[flags 
& 0xff].get())
+                        if (EMFPImage* image = sourceUnit == UnitTypePixel ?
+                                dynamic_cast<EMFPImage*>(maEMFPObjects[flags & 
0xff].get()) :
+                                nullptr)
                         {
-                            EMFPImage& image = *static_cast<EMFPImage 
*>(maEMFPObjects[flags & 0xff].get());
                             float sx, sy, sw, sh;
                             ReadRectangle(rMS, sx, sy, sw, sh);
                             ::tools::Rectangle aSource(Point(sx, sy), Size(sw, 
sh));
@@ -1342,9 +1347,9 @@ namespace emfplushelper
                                         /* Row 1, Column 1 */ aDstSize.getY(),
                                         /* Row 1, Column 2 */ 
aDstPoint.getY());
 
-                            if (image.type == ImageDataTypeBitmap)
+                            if (image->type == ImageDataTypeBitmap)
                             {
-                                BitmapEx aBmp(image.graphic.GetBitmapEx());
+                                BitmapEx aBmp(image->graphic.GetBitmapEx());
                                 aBmp.Crop(aSource);
                                 Size aSize(aBmp.GetSizePixel());
                                 SAL_INFO("drawinglayer", "EMF+\t bitmap size: 
" << aSize.Width() << "x" << aSize.Height());
@@ -1359,9 +1364,9 @@ namespace emfplushelper
                                     break;
                                 }
                             }
-                            else if (image.type == ImageDataTypeMetafile)
+                            else if (image->type == ImageDataTypeMetafile)
                             {
-                                GDIMetaFile 
aGDI(image.graphic.GetGDIMetaFile());
+                                GDIMetaFile 
aGDI(image->graphic.GetGDIMetaFile());
                                 aGDI.Clip(aSource);
                                 mrTargetHolders.Current().append(
                                         
std::make_unique<drawinglayer::primitive2d::MetafilePrimitive2D>(aTransformMatrix,
 aGDI));
@@ -1395,7 +1400,7 @@ namespace emfplushelper
                             // get the stringFormat from the Object table ( 
this is OPTIONAL and may be nullptr )
                             const EMFPStringFormat *stringFormat = 
dynamic_cast<EMFPStringFormat*>(maEMFPObjects[formatId & 0xff].get());
                             // get the font from the flags
-                            const EMFPFont *font = static_cast< EMFPFont* >( 
maEMFPObjects[flags & 0xff].get() );
+                        const EMFPFont *font = 
dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get());
                             if (!font)
                             {
                                 break;
@@ -1760,7 +1765,7 @@ namespace emfplushelper
                         SAL_INFO("drawinglayer", "EMF+ SetClipPath combine 
mode: " << combineMode);
                         SAL_INFO("drawinglayer", "EMF+\tpath in slot: " << 
(flags & 0xff));
 
-                        EMFPPath *path = 
static_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get());
+                        EMFPPath *path = 
dynamic_cast<EMFPPath*>(maEMFPObjects[flags & 0xff].get());
                         if (!path)
                         {
                             SAL_WARN("drawinglayer", "EMF+\t TODO Unable to 
find path in slot: " << (flags & 0xff));
@@ -1777,7 +1782,7 @@ namespace emfplushelper
                         int combineMode = (flags >> 8) & 0xf;
                         SAL_INFO("drawinglayer", "EMF+ SetClipRegion");
                         SAL_INFO("drawinglayer", "EMF+\tregion in slot: " << 
(flags & 0xff) << " combine mode: " << combineMode);
-                        EMFPRegion *region = 
static_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
+                        EMFPRegion *region = 
dynamic_cast<EMFPRegion*>(maEMFPObjects[flags & 0xff].get());
                         if (!region)
                         {
                             SAL_WARN("drawinglayer", "EMF+\t TODO Unable to 
find region in slot: " << (flags & 0xff));
@@ -1846,7 +1851,7 @@ namespace emfplushelper
                             }
 
                             // get the font from the flags
-                            EMFPFont *font = static_cast< EMFPFont* >( 
maEMFPObjects[flags & 0xff].get() );
+                            EMFPFont *font = 
dynamic_cast<EMFPFont*>(maEMFPObjects[flags & 0xff].get());
                             if (!font)
                             {
                                 break;
commit 3abe0470b747868589dbe04e1ed03739ce502e74
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Feb 28 09:15:10 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:50:31 2022 +0200

    ensure null terminator
    
    LIBREOFFICE-WB8DT2Q9
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130668
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    Tested-by: Jenkins
    (cherry picked from commit 4b6956ca146f25b746f63c176b377d3c15d204ff)
    
    Change-Id: I98529325bbd3ff475ba84b4991eb17240440df4b
    (cherry picked from commit 918c4a49fa841f0d234b18234d946684fe6378af)

diff --git a/sc/source/filter/lotus/op.cxx b/sc/source/filter/lotus/op.cxx
index 7033f6da0550..40f01ab37556 100644
--- a/sc/source/filter/lotus/op.cxx
+++ b/sc/source/filter/lotus/op.cxx
@@ -583,14 +583,9 @@ void OP_SheetName123(LotusContext& rContext, SvStream& 
rStream, sal_uInt16 nLeng
     SCTAB nSheetNum = static_cast<SCTAB>(nDummy);
     rContext.pDoc->MakeTable(nSheetNum);
 
-    ::std::vector<sal_Char> sSheetName;
-    sSheetName.reserve(nLength-4);
-    for (sal_uInt16 i = 4; i < nLength; ++i)
-    {
-        sal_Char c;
-        rStream.ReadChar( c );
-        sSheetName.push_back(c);
-    }
+    const size_t nStrLen = nLength - 4;
+    std::vector<sal_Char> sSheetName(nStrLen + 1);
+    sSheetName[rStream.ReadBytes(sSheetName.data(), nStrLen)] = 0;
 
     if (!sSheetName.empty())
     {
commit 55e9e1132da7e7c636925ff7a0d18a415ca0249c
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Feb 22 16:09:53 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:50:19 2022 +0200

    keep paragraph's that failed to load until import is complete
    
    LIBREOFFICE-509JU93T
    
    Change-Id: I526edb182fed4fa023cce58e78a650a7c2046ed3
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130326
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 32e8d3e45698a3cc09f66460b460db1d10ac50b5)
    (cherry picked from commit 0635bbb035940dcedb17713a958f81265d69e67e)

diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx
index 8f221c743a43..3656da012c18 100644
--- a/hwpfilter/source/hwpfile.cxx
+++ b/hwpfilter/source/hwpfile.cxx
@@ -241,6 +241,7 @@ void HWPFile::ReadParaList(std::vector < HWPPara* > &aplist)
         aplist.push_back(spNode.release());
         spNode.reset( new HWPPara );
     }
+    pfailedlist.push_back(std::move(spNode));
 }
 
 void HWPFile::ReadParaList(std::vector< std::unique_ptr<HWPPara> > &aplist, 
unsigned char flag)
@@ -274,6 +275,7 @@ void HWPFile::ReadParaList(std::vector< 
std::unique_ptr<HWPPara> > &aplist, unsi
         aplist.push_back(std::move(spNode));
         spNode.reset( new HWPPara );
     }
+    pfailedlist.push_back(std::move(spNode));
 }
 
 void HWPFile::TagsRead()
diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h
index 88e2151a5c9a..539c1b401c45 100644
--- a/hwpfilter/source/hwpfile.h
+++ b/hwpfilter/source/hwpfile.h
@@ -284,6 +284,10 @@ class DLLEXPORT HWPFile
         std::vector<std::unique_ptr<ColumnInfo>> columnlist;
         // paragraph list
         std::vector<std::unique_ptr<HWPPara>> plist;
+        // keep paragraph's that failed to load until
+        // import is complete to avoid dangling references
+        // elsewhere
+        std::vector<std::unique_ptr<HWPPara>> pfailedlist;
         // floating box list
         std::vector<FBox*> blist;
         // embedded picture list(tag datas)
commit f6ecedf1b0f9038403ffad6ef65d27939593172a
Author:     Renwa Hiwa <renwa...@gmail.com>
AuthorDate: Tue Feb 22 09:36:29 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:47:04 2022 +0200

    Better handling of msi
    
    LIBREOFFICE-SK4E5D8N
    
    Change-Id: I44f25a47ab6ffeb9d2b679874c8c96af1319eb2c
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130317
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit ccaabe8e8100a3a0600456c5a65221ca2b263c95)
    (cherry picked from commit aa993b7667136ff858a7c8d6f3d1bac8f255151a)

diff --git a/shell/source/win32/SysShExec.cxx b/shell/source/win32/SysShExec.cxx
index 4d9ba43a6cc3..dc0f48a8fa9a 100644
--- a/shell/source/win32/SysShExec.cxx
+++ b/shell/source/win32/SysShExec.cxx
@@ -426,7 +426,7 @@ void SAL_CALL CSysShExec::execute( const OUString& 
aCommand, const OUString& aPa
                     if (!(checkExtension(ext, env)
                           && checkExtension(
                               ext,
-                              
".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.CLASS;"
+                              
".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.MSI;.PY;.CLASS;"
                                   ".JAR;.APPLICATION;.LNK;.SCR")))
                     {
                         throw css::lang::IllegalArgumentException(
commit 7c1db85c3d0c887c4356561848725756e846d27f
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Feb 10 10:53:27 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:46:36 2022 +0200

    limit style export to words max style count
    
    and
    
    use std::vector
    
    LIBREOFFICE-U78X8I5G
    
    Change-Id: I436b4c13a4ce07f5e9e5d374163bc4de55cd2cde
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129766
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 8e94ec9d93fe3e1057fb1aaa2f0419114c4ea11c)
    (cherry picked from commit 0361cc74c7e0619f8b25a5584accb56d0c45f97a)

diff --git a/sw/source/filter/ww8/wrtw8sty.cxx 
b/sw/source/filter/ww8/wrtw8sty.cxx
index 3747b59dc0fd..03b7ace7caa8 100644
--- a/sw/source/filter/ww8/wrtw8sty.cxx
+++ b/sw/source/filter/ww8/wrtw8sty.cxx
@@ -150,13 +150,13 @@ MSWordStyles::MSWordStyles( MSWordExportBase& rExport, 
bool bListStyles )
         m_rExport.m_pDoc->GetFootnoteInfo().GetAnchorCharFormat( 
*m_rExport.m_pDoc );
         m_rExport.m_pDoc->GetFootnoteInfo().GetCharFormat( *m_rExport.m_pDoc );
     }
-    sal_uInt16 nAlloc = WW8_RESERVED_SLOTS + 
m_rExport.m_pDoc->GetCharFormats()->size() - 1 +
+    sal_uInt32 nAlloc = WW8_RESERVED_SLOTS + 
m_rExport.m_pDoc->GetCharFormats()->size() - 1 +
                                          
m_rExport.m_pDoc->GetTextFormatColls()->size() - 1 +
                                          (bListStyles ? 
m_rExport.m_pDoc->GetNumRuleTable().size() - 1 : 0);
+    nAlloc = std::min<sal_uInt32>(nAlloc, MSWORD_MAX_STYLES_LIMIT);
 
     // somewhat generous ( free for up to 15 )
-    m_pFormatA.reset( new SwFormat*[ nAlloc ] );
-    memset( m_pFormatA.get(), 0, nAlloc * sizeof( SwFormat* ) );
+    m_aFormatA.resize(nAlloc, nullptr);
     memset( m_aHeadingParagraphStyles, -1 , MAXLEVEL * sizeof( sal_uInt16));
 
     BuildStylesTable();
@@ -172,7 +172,7 @@ sal_uInt16 MSWordStyles::GetSlot( const SwFormat* pFormat ) 
const
 {
     sal_uInt16 n;
     for ( n = 0; n < m_nUsedSlots; n++ )
-        if ( m_pFormatA[n] == pFormat )
+        if ( m_aFormatA[n] == pFormat )
             return n;
     return 0xfff;                   // 0xfff: WW: zero
 }
@@ -281,19 +281,19 @@ void MSWordStyles::BuildStylesTable()
 
     const SwCharFormats& rArr = *m_rExport.m_pDoc->GetCharFormats();       // 
first CharFormat
     // the default character style ( 0 ) will not be outputted !
-    for( size_t n = 1; n < rArr.size(); n++ )
+    for( size_t n = 1; n < rArr.size() && m_nUsedSlots < 
MSWORD_MAX_STYLES_LIMIT; n++ )
     {
         SwCharFormat* pFormat = rArr[n];
-        m_pFormatA[ BuildGetSlot( *pFormat ) ] = pFormat;
+        m_aFormatA[ BuildGetSlot( *pFormat ) ] = pFormat;
     }
 
     const SwTextFormatColls& rArr2 = *m_rExport.m_pDoc->GetTextFormatColls();  
 // then TextFormatColls
     // the default character style ( 0 ) will not be outputted !
-    for( size_t n = 1; n < rArr2.size(); n++ )
+    for( size_t n = 1; n < rArr2.size() && m_nUsedSlots < 
MSWORD_MAX_STYLES_LIMIT; n++ )
     {
         SwTextFormatColl* pFormat = rArr2[n];
         sal_uInt16 nId = BuildGetSlot( *pFormat ) ;
-        m_pFormatA[ nId ] = pFormat;
+        m_aFormatA[ nId ] = pFormat;
         if ( pFormat->IsAssignedToListLevelOfOutlineStyle() )
         {
             int nLvl = pFormat->GetAssignedOutlineStyleLevel() ;
@@ -306,7 +306,7 @@ void MSWordStyles::BuildStylesTable()
         return;
 
     const SwNumRuleTable& rNumRuleTable = m_rExport.m_pDoc->GetNumRuleTable();
-    for (size_t i = 0; i < rNumRuleTable.size(); ++i)
+    for (size_t i = 0; i < rNumRuleTable.size() && m_nUsedSlots < 
MSWORD_MAX_STYLES_LIMIT; ++i)
     {
         const SwNumRule* pNumRule = rNumRuleTable[i];
         if (pNumRule->IsAutoRule() || pNumRule->GetName().startsWith("WWNum"))
@@ -326,8 +326,8 @@ void MSWordStyles::BuildStyleIds()
     for (sal_uInt16 n = 1; n < m_nUsedSlots; ++n)
     {
         OUString aName;
-        if(m_pFormatA[n])
-            aName = m_pFormatA[n]->GetName();
+        if (m_aFormatA[n])
+            aName = m_aFormatA[n]->GetName();
         else if (m_aNumRules.find(n) != m_aNumRules.end())
             aName = m_aNumRules[n]->GetName();
         OStringBuffer aStyleIdBuf(aName.getLength());
@@ -606,8 +606,8 @@ void MSWordStyles::OutputStyle( SwFormat* pFormat, 
sal_uInt16 nPos )
             for ( int nSuffix = 0; ; ++nSuffix ) {
                 bool clash=false;
                 for ( sal_uInt16 n = 1; n < m_nUsedSlots; ++n )
-                    if ( m_pFormatA[n] &&
-                         m_pFormatA[n]->GetName().equalsIgnoreAsciiCase(aName) 
)
+                    if ( m_aFormatA[n] &&
+                         m_aFormatA[n]->GetName().equalsIgnoreAsciiCase(aName) 
)
                     {
                         clash = true;
                         break;
@@ -688,7 +688,7 @@ void MSWordStyles::OutputStylesTable()
         if (m_aNumRules.find(n) != m_aNumRules.end())
             OutputStyle(m_aNumRules[n], n);
         else
-            OutputStyle( m_pFormatA[n], n );
+            OutputStyle(m_aFormatA[n], n);
     }
 
     m_rExport.AttrOutput().EndStyles( m_nUsedSlots );
diff --git a/sw/source/filter/ww8/wrtww8.hxx b/sw/source/filter/ww8/wrtww8.hxx
index f72302f88538..a8c81bf07d6c 100644
--- a/sw/source/filter/ww8/wrtww8.hxx
+++ b/sw/source/filter/ww8/wrtww8.hxx
@@ -1539,7 +1539,7 @@ class MSWordStyles
 {
     MSWordExportBase& m_rExport;
     sal_uInt16 m_aHeadingParagraphStyles[MAXLEVEL];
-    std::unique_ptr<SwFormat*[]> m_pFormatA; ///< Slot <-> Character and 
paragraph style array (0 for list styles).
+    std::vector<SwFormat*> m_aFormatA; ///< Slot <-> Character and paragraph 
style array (0 for list styles).
     sal_uInt16 m_nUsedSlots;
     bool const m_bListStyles; ///< If list styles are requested to be exported 
as well.
     std::map<sal_uInt16, const SwNumRule*> m_aNumRules; ///< Slot <-> List 
style map.
@@ -1587,7 +1587,7 @@ public:
     /// Get styleId of the nId-th style (nId is its position in pFormatA).
     OString const & GetStyleId(sal_uInt16 nId) const;
 
-    const SwFormat* GetSwFormat(sal_uInt16 nId) const { return 
m_pFormatA[nId]; }
+    const SwFormat* GetSwFormat(sal_uInt16 nId) const { return 
m_aFormatA[nId]; }
     /// Get numbering rule of the nId-th style
     const SwNumRule* GetSwNumRule(sal_uInt16 nId) const;
     sal_uInt16 GetHeadingParagraphStyleId(sal_uInt16 nLevel) const { return 
m_aHeadingParagraphStyles[ nLevel ]; }
commit 22ad2eb9bb4f08a188616d2710aae07039397131
Author:     zhutyra <zhutyra>
AuthorDate: Tue Feb 1 13:54:55 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:45:59 2022 +0200

    read of width/height uses wrong record size
    
    this initially went wrong at:
    
    commit b4fb7a437bb0ce987702b12008737756623618ac
    Date:   Mon May 23 21:38:40 2011 +0100
    
        fix up some more endian
    
    LIBREOFFICE-SBQ5TJRS
    
    Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc)
    (cherry picked from commit aaad67afccf1c59bf7d8fe7ab5207ff903f1c515)

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index c09c0304bedd..a0d5ef65d360 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1371,8 +1371,12 @@ void LwpDrawBitmap::Read()
 
     if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
     {
-        m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-        m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+        sal_uInt16 nTmp;
+
+        m_pStream->ReadUInt16( nTmp );
+        aInfoHeader2.nWidth = nTmp;
+        m_pStream->ReadUInt16( nTmp );
+        aInfoHeader2.nHeight = nTmp;
         m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
         m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
commit a4b90fcb28670c2adecb32cd77765313f27b824b
Author:     zhutyra <zhutyra>
AuthorDate: Tue Feb 1 14:07:26 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:45:42 2022 +0200

    ensure bounds checking
    
    LIBREOFFICE-SBQ5TJRS
    
    Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e)
    (cherry picked from commit b268215d10f7da6d01c223b260970198c00cb610)

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 7bcfcf155e89..c09c0304bedd 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1352,21 +1352,20 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+    // 20 == length of draw-specific fields.
     if (m_aObjHeader.nRecLen < 20)
         throw BadRead();
 
-    // 20 == length of draw-specific fields.
-    // 14 == length of bmp file header.
-    m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+    sal_uInt64 nBmpPos = m_pStream->Tell();
+    sal_uInt64 nBmpLen =
+        std::min<sal_uInt64>(m_aObjHeader.nRecLen - 20, 
m_pStream->remainingSize());
 
     BmpInfoHeader2 aInfoHeader2;
     m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
-    if (!m_pStream->good())
+    if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
         throw BadRead();
 
-    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
     sal_uInt32 N;
     sal_uInt32 rgbTableSize;
 
@@ -1387,7 +1386,7 @@ void LwpDrawBitmap::Read()
             rgbTableSize = 3 * (1 << N);
         }
     }
-    else
+    else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
     {
         m_pStream->ReadUInt32( aInfoHeader2.nWidth );
         m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1402,8 +1401,14 @@ void LwpDrawBitmap::Read()
         {
             rgbTableSize = 4 * (1 << N);
         }
-
     }
+    else
+    {
+        throw BadRead();
+    }
+
+    m_aBmpRec.nFileSize = static_cast<sal_uInt32>(nBmpLen + 14);
+    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
 
     sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
     m_pImageData[0] = 'B';
@@ -1421,50 +1426,10 @@ void LwpDrawBitmap::Read()
     m_pImageData[12] = static_cast<sal_uInt8>(nOffBits >> 16);
     m_pImageData[13] = static_cast<sal_uInt8>(nOffBits >> 24);
 
-    sal_uInt32 nDIBRemaining;
     sal_uInt8* pPicData = m_pImageData.get();
-    if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 26;
-        pPicData += 26*sizeof(sal_uInt8);
-    }
-    else
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 16);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 24);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 16);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 24);
-        m_pImageData[26] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[27] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[28] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[29] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 30;
-        pPicData += 30*sizeof(sal_uInt8);
-    }
 
-    if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+    m_pStream->Seek(nBmpPos);
+    if (nBmpLen != m_pStream->ReadBytes(pPicData + 14, nBmpLen))
         throw BadRead();
 }
 
commit c3790ca7a6a29c1433a411b578512691546697b3
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Jan 13 16:57:48 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:45:37 2022 +0200

    ofz#43577 valid reclen must be >= 20
    
    Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 444477a07bcaf59181dbbc719b913566091deadc)
    
    ofz: Use-of-uninitialized-value
    
    Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66)
    
    ofz: Undefined-Shift
    
    Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 7c8b41bc322720dc9434fbef1f10a6740913165e)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129416
    Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    (cherry picked from commit 7664ec93edc190ae0bc18b5793763fde5cec8d62)

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 7240a57d13b9..7bcfcf155e89 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1352,14 +1352,21 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+    if (m_aObjHeader.nRecLen < 20)
+        throw BadRead();
+
     // 20 == length of draw-specific fields.
     // 14 == length of bmp file header.
     m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
-    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
 
     BmpInfoHeader2 aInfoHeader2;
     m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
+    if (!m_pStream->good())
+        throw BadRead();
+
+    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
     sal_uInt32 N;
     sal_uInt32 rgbTableSize;
 
@@ -1371,7 +1378,7 @@ void LwpDrawBitmap::Read()
         m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
@@ -1387,7 +1394,7 @@ void LwpDrawBitmap::Read()
         m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
         m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
commit 5dcd4d06483f6a545f2c42d0719775de7ee33f35
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Jan 17 10:48:12 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:41:01 2022 +0200

    ofz: Use-of-uninitialized-value
    
    Change-Id: Ic5f41e4f1f6b20a8cd8887807296f33adb48b728
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128439
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit bb03203848ef1c30786ad084440b5d317a466127)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129415
    Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    (cherry picked from commit b3288c52844bec9e33a7ae725332f95c84384ac7)

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 45637de0c32c..7240a57d13b9 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1457,7 +1457,8 @@ void LwpDrawBitmap::Read()
         pPicData += 30*sizeof(sal_uInt8);
     }
 
-    m_pStream->ReadBytes(pPicData, nDIBRemaining);
+    if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+        throw BadRead();
 }
 
 OUString LwpDrawBitmap::RegisterStyle()
commit 28c3411ea8d81f1b75ca6f1a5f06ff784ed88b9d
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Mar 3 14:22:37 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:06:44 2022 +0200

    compare authors using Thumbprint
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmik...@collabora.com>
    (cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8)
    
    Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131368
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 0ce93b38af84453aba8002c098ac168b0fadfc97)

diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx 
b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index 4852af7c1ad6..7143a1d82c0c 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -637,9 +637,18 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
     Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = 
SvtSecurityOptions().GetTrustedAuthors();
 
     return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(),
-        [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& 
rAuthor) {
-            return xmlsecurity::EqualDistinguishedNames(rAuthor[0], 
xAuthor->getIssuerName(), xmlsecurity::NOCOMPAT)
-                && ( rAuthor[1] == sSerialNum );
+        [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& 
rAuthor) {
+            if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], 
xAuthor->getIssuerName(), xmlsecurity::NOCOMPAT))
+                return false;
+            if (rAuthor[1] != sSerialNum)
+                return false;
+
+            DocumentSignatureManager aSignatureManager(mxCtx, {});
+            if (!aSignatureManager.init())
+                return false;
+            uno::Reference<css::security::XCertificate> xCert =
+                
aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]);
+            return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint();
         });
 }
 
commit 6d6e45864006dfa62febf2809fc884dca28a6117
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Oct 27 15:28:11 2021 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:02:47 2022 +0200

    xmlsecurity: some Distinguished Names are less equal than others
    
    It turns out that the 2 backends NSS and MS CryptoAPI generate different
    string representations of the same Distinguished Name in at least one
    corner case, when a value contains a quote " U+0022.
    
    The CryptoAPI function to generate the strings is:
    CertNameToStr(..., CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, ...)
    
    This is documented on MSDN:
    
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#CERT_X500_NAME_STR
    
    NSS appears to implement RFC 1485, at least that's what the internal
    function is named after, or perhaps one of its several successor RFCs
    (not clear currently if there's a relevant difference).
    
    This is now causing trouble if a certificate with such a DN is used in a
    signature, created on WNT but then verified on another platform, because
    commit 5af5ea893bcb8a8eb472ac11133da10e5a604e66
    introduced consistency checks that compare the DNs that occur as strings
    in META-INF/documentsignatures.xml:
    
    xmlsecurity/source/helper/xmlsignaturehelper.cxx:672: X509Data cannot be 
parsed
    
    The reason is that in XSecController::setX509Data() the value read from
    the X509IssuerSerial element (a string generated by CryptoAPI) doesn't
    match the value generated by NSS from the certificate parsed from the
    X509Certificate element, so these are erroneously interpreted as 2
    distinct certificates.
    
    Try to make the EqualDistinguishedNames() more flexible so that it can
    try also a converted variant of the DN.
    
    (libxmlsec's NSS backend also complains that it cannot parse the DN:
     x509vfy.c:607: xmlSecNssX509NameRead() '' '' 12 'invalid data for 'char': 
actual=34 and expected comma ',''
     but it manages to validate the signature despite this.)
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124287
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit e63611fabd38c757809b510fbb71c077880b1081)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124196
    Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
    (cherry picked from commit 3dfe381032fc61ea31106f103dee9db8277d4d25)
    
    Change-Id: I4f72900738d1f5313146bbda7320a8f44319ebc8
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124420
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit ee48ce9886d884730a91c695b5d0668c6d90c740)

diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 7ed85aed76f5..3cd293ce1a39 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -27,6 +27,7 @@ $(eval $(call 
gb_CppunitTest_use_libraries,xmlsecurity_signing, \
        unotest \
        utl \
        xmlsecurity \
+       xsec_xmlsec \
 ))
 
 $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
diff --git a/xmlsecurity/inc/biginteger.hxx b/xmlsecurity/inc/biginteger.hxx
index 8b4d8a9143b5..1e6b3f4a876e 100644
--- a/xmlsecurity/inc/biginteger.hxx
+++ b/xmlsecurity/inc/biginteger.hxx
@@ -32,8 +32,17 @@ namespace xmlsecurity
 XSECXMLSEC_DLLPUBLIC OUString bigIntegerToNumericString( const 
css::uno::Sequence< sal_Int8 >& serial );
 XSECXMLSEC_DLLPUBLIC css::uno::Sequence< sal_Int8 > numericStringToBigInteger 
( const OUString& serialNumber );
 
+// DNs read as strings from XML files may need to be mangled for compatibility
+// as NSS and MS CryptoAPI have different string serialisations; if the DN is
+// from an XCertificate it's "native" already and doesn't need to be mangled.
+enum EqualMode
+{
+    NOCOMPAT,
+    COMPAT_2ND,
+    COMPAT_BOTH
+};
 XSECXMLSEC_DLLPUBLIC bool EqualDistinguishedNames(OUString const& rName1,
-                                                  OUString const& rName2);
+                                                  OUString const& rName2, 
EqualMode eMode);
 }
 
 #endif
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index e7835324072f..6ef0a817d31f 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -51,6 +51,7 @@
 #include <documentsignaturehelper.hxx>
 #include <xmlsignaturehelper.hxx>
 #include <documentsignaturemanager.hxx>
+#include <biginteger.hxx>
 #include <certificate.hxx>
 #include <xsecctl.hxx>
 #include <sfx2/docfile.hxx>
@@ -707,6 +708,21 @@ CPPUNIT_TEST_FIXTURE(SigningTest, 
testODFDoubleX509Certificate)
     CPPUNIT_ASSERT(!infos[0].Signer.is());
 }
 
+CPPUNIT_TEST_FIXTURE(SigningTest, testDNCompatibility)
+{
+    OUString const msDN("CN=\"\"\"ABC\"\".\", O=\"Enterprise \"\"ABC\"\"\"");
+    OUString const nssDN("CN=\\\"ABC\\\".,O=Enterprise \\\"ABC\\\"");
+    // this is just the status quo, possibly either NSS or CryptoAPI might 
change
+    CPPUNIT_ASSERT(!xmlsecurity::EqualDistinguishedNames(msDN, nssDN, 
xmlsecurity::NOCOMPAT));
+    CPPUNIT_ASSERT(!xmlsecurity::EqualDistinguishedNames(nssDN, msDN, 
xmlsecurity::NOCOMPAT));
+    // with compat flag it should work, with the string one 2nd and the native 
one 1st
+#ifdef _WIN32
+    CPPUNIT_ASSERT(xmlsecurity::EqualDistinguishedNames(msDN, nssDN, 
xmlsecurity::COMPAT_2ND));
+#else
+    CPPUNIT_ASSERT(xmlsecurity::EqualDistinguishedNames(nssDN, msDN, 
xmlsecurity::COMPAT_2ND));
+#endif
+}
+
 /// Test a typical OOXML where a number of (but not all) streams are signed.
 CPPUNIT_TEST_FIXTURE(SigningTest, testOOXMLPartial)
 {
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx 
b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index ede79ffc4900..4852af7c1ad6 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -638,7 +638,7 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
 
     return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(),
         [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& 
rAuthor) {
-            return xmlsecurity::EqualDistinguishedNames(rAuthor[0], 
xAuthor->getIssuerName())
+            return xmlsecurity::EqualDistinguishedNames(rAuthor[0], 
xAuthor->getIssuerName(), xmlsecurity::NOCOMPAT)
                 && ( rAuthor[1] == sSerialNum );
         });
 }
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx 
b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 6bc4748b097f..8b1281130aff 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -44,6 +44,7 @@
 #include <comphelper/ofopxmlhelper.hxx>
 #include <comphelper/sequence.hxx>
 #include <tools/diagnose_ex.h>
+#include <rtl/ustrbuf.hxx>
 #include <sal/log.hxx>
 
 #include <boost/optional.hpp>
@@ -608,7 +609,7 @@ static auto CheckX509Data(
                 start = i; // issuer isn't in the list
                 break;
             }
-            if 
(xmlsecurity::EqualDistinguishedNames(certs[i]->getIssuerName(), 
certs[j]->getSubjectName()))
+            if 
(xmlsecurity::EqualDistinguishedNames(certs[i]->getIssuerName(), 
certs[j]->getSubjectName(), xmlsecurity::NOCOMPAT))
             {
                 if (i == j) // self signed
                 {
@@ -641,7 +642,7 @@ static auto CheckX509Data(
             if (chain[i] != j)
             {
                 if (xmlsecurity::EqualDistinguishedNames(
-                        certs[chain[i]]->getSubjectName(), 
certs[j]->getIssuerName()))
+                        certs[chain[i]]->getSubjectName(), 
certs[j]->getIssuerName(), xmlsecurity::NOCOMPAT))
                 {
                     if (chain.size() != i + 1) // already found issuee?
                     {
diff --git a/xmlsecurity/source/helper/xsecverify.cxx 
b/xmlsecurity/source/helper/xsecverify.cxx
index 89141ed1dfd4..1b34afef6c2a 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -271,7 +271,7 @@ void XSecController::setX509Data(
             OUString const 
serialNumber(xmlsecurity::bigIntegerToNumericString(xCert->getSerialNumber()));
             auto const iter = std::find_if(rX509IssuerSerials.begin(), 
rX509IssuerSerials.end(),
                 [&](auto const& rX509IssuerSerial) {
-                    return xmlsecurity::EqualDistinguishedNames(issuerName, 
rX509IssuerSerial.first)
+                    return xmlsecurity::EqualDistinguishedNames(issuerName, 
rX509IssuerSerial.first, xmlsecurity::COMPAT_2ND)
                         && serialNumber == rX509IssuerSerial.second;
                 });
             if (iter != rX509IssuerSerials.end())
@@ -418,7 +418,7 @@ void XSecController::setX509CertDigest(
     {
         for (auto & it : rData)
         {
-            if (xmlsecurity::EqualDistinguishedNames(it.X509IssuerName, 
rX509IssuerName)
+            if (xmlsecurity::EqualDistinguishedNames(it.X509IssuerName, 
rX509IssuerName, xmlsecurity::COMPAT_BOTH)
                 && it.X509SerialNumber == rX509SerialNumber)
             {
                 it.CertDigest = rCertDigest;
@@ -441,7 +441,7 @@ void XSecController::setX509CertDigest(
                     {
                         SAL_INFO("xmlsecurity.helper", "cannot parse 
X509Certificate");
                     }
-                    else if 
(xmlsecurity::EqualDistinguishedNames(xCert->getIssuerName(),rX509IssuerName)
+                    else if 
(xmlsecurity::EqualDistinguishedNames(xCert->getIssuerName(), rX509IssuerName, 
xmlsecurity::COMPAT_2ND)
                         && 
xmlsecurity::bigIntegerToNumericString(xCert->getSerialNumber()) == 
rX509SerialNumber)
                     {
                         it.CertDigest = rCertDigest;
diff --git a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx 
b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
index a705f3844030..c1e6573cf716 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
@@ -32,6 +32,7 @@
 #include "oid.hxx"
 
 #include <rtl/locale.h>
+#include <rtl/ustrbuf.hxx>
 #include <osl/nlsupport.h>
 #include <osl/process.h>
 #include <o3tl/char16_t2wchar_t.hxx>
@@ -677,6 +678,67 @@ Sequence<OUString> SAL_CALL 
X509Certificate_MSCryptImpl::getSupportedServiceName
 
 namespace xmlsecurity {
 
+// based on some guesswork and:
+// https://datatracker.ietf.org/doc/html/rfc1485
+// 
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#CERT_X500_NAME_STR
+// the main problem appears to be that in values NSS uses \ escapes but 
CryptoAPI requires " quotes around value
+static OUString CompatDNNSS(OUString const& rDN)
+{
+    OUStringBuffer buf(rDN.getLength());
+    enum { DEFAULT, INVALUE, INQUOTE } state(DEFAULT);
+    for (sal_Int32 i = 0; i < rDN.getLength(); ++i)
+    {
+        if (state == DEFAULT)
+        {
+            buf.append(rDN[i]);
+            if (rDN[i] == '=')
+            {
+                if (rDN.getLength() == i+1)
+                {
+                    break; // invalid?
+                }
+                else
+                {
+                    buf.append('"');
+                    state = INVALUE;
+                }
+            }
+        }
+        else if (state == INVALUE)
+        {
+            if (rDN[i] == '+' || rDN[i] == ',' || rDN[i] == ';')
+            {
+                buf.append('"');
+                buf.append(rDN[i]);
+                state = DEFAULT;
+            }
+            else if (rDN[i] == '\\')
+            {
+                if (rDN.getLength() == i+1)
+                {
+                    break; // invalid?
+                }
+                if (rDN[i+1] == '"')
+                {
+                    buf.append('"');
+                }
+                buf.append(rDN[i+1]);
+                ++i;
+            }
+            else
+            {
+                buf.append(rDN[i]);
+            }
+            if (i+1 == rDN.getLength())
+            {
+                buf.append('"');
+                state = DEFAULT;
+            }
+        }
+    }
+    return buf.makeStringAndClear();
+}
+
 static bool EncodeDistinguishedName(OUString const& rName, CERT_NAME_BLOB & 
rBlob)
 {
     LPCWSTR pszError;
@@ -699,22 +761,38 @@ static bool EncodeDistinguishedName(OUString const& 
rName, CERT_NAME_BLOB & rBlo
 }
 
 bool EqualDistinguishedNames(
-        OUString const& rName1, OUString const& rName2)
+        OUString const& rName1, OUString const& rName2,
+        EqualMode const eMode)
 {
+    if (eMode == COMPAT_BOTH && !rName1.isEmpty() && rName1 == rName2)
+    {   // handle case where both need to be converted
+        return true;
+    }
     CERT_NAME_BLOB blob1;
     if (!EncodeDistinguishedName(rName1, blob1))
     {
         return false;
     }
     CERT_NAME_BLOB blob2;
-    if (!EncodeDistinguishedName(rName2, blob2))
+    bool ret(false);
+    if (!!EncodeDistinguishedName(rName2, blob2))
     {
-        delete[] blob1.pbData;
-        return false;
+        ret = CertCompareCertificateName(X509_ASN_ENCODING,
+            &blob1, &blob2) == TRUE;
+        delete[] blob2.pbData;
+    }
+    if (!ret && eMode == COMPAT_2ND)
+    {
+        CERT_NAME_BLOB blob2compat;
+        if (!EncodeDistinguishedName(CompatDNNSS(rName2), blob2compat))
+        {
+            delete[] blob1.pbData;
+            return false;
+        }
+        ret = CertCompareCertificateName(X509_ASN_ENCODING,
+            &blob1, &blob2compat) == TRUE;
+        delete[] blob2compat.pbData;
     }
-    bool const ret(CertCompareCertificateName(X509_ASN_ENCODING,
-            &blob1, &blob2) == TRUE);
-    delete[] blob2.pbData;
     delete[] blob1.pbData;
     return ret;
 }
diff --git a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx 
b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
index 8ef3bb2d3492..bd51325a6ef0 100644
--- a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx
@@ -29,6 +29,8 @@
 #include <comphelper/servicehelper.hxx>
 #include <cppuhelper/supportsservice.hxx>
 #include <rtl/ref.hxx>
+#include <rtl/ustrbuf.hxx>
+#include <sal/log.hxx>
 #include "x509certificate_nssimpl.hxx"
 
 #include <biginteger.hxx>
@@ -536,22 +538,103 @@ Sequence<OUString> SAL_CALL 
X509Certificate_NssImpl::getSupportedServiceNames()
 
 namespace xmlsecurity {
 
+// based on some guesswork and:
+// https://datatracker.ietf.org/doc/html/rfc1485
+// 
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#CERT_X500_NAME_STR
+// the main problem appears to be that in values " is escaped as "" vs. \"
+static OUString CompatDNCryptoAPI(OUString const& rDN)
+{
+    OUStringBuffer buf(rDN.getLength());
+    enum { DEFAULT, INVALUE, INQUOTE } state(DEFAULT);
+    for (sal_Int32 i = 0; i < rDN.getLength(); ++i)
+    {
+        if (state == DEFAULT)
+        {
+            buf.append(rDN[i]);
+            if (rDN[i] == '=')
+            {
+                if (rDN.getLength() == i+1)
+                {
+                    break; // invalid?
+                }
+                else if (rDN[i+1] == '"')
+                {
+                    buf.append(rDN[i+1]);
+                    ++i;
+                    state = INQUOTE;
+                }
+                else
+                {
+                    state = INVALUE;
+                }
+            }
+        }
+        else if (state == INVALUE)
+        {
+            if (rDN[i] == '+' || rDN[i] == ',' || rDN[i] == ';')
+            {
+                state = DEFAULT;
+            }
+            buf.append(rDN[i]);
+        }
+        else
+        {
+            assert(state == INQUOTE);
+            if (rDN[i] == '"')
+            {
+                if (rDN.getLength() != i+1 && rDN[i+1] == '"')
+                {
+                    buf.append('\\');
+                    buf.append(rDN[i+1]);
+                    ++i;
+                }
+                else
+                {
+                    buf.append(rDN[i]);
+                    state = DEFAULT;
+                }
+            }
+            else
+            {
+                buf.append(rDN[i]);
+            }
+        }
+    }
+    return buf.makeStringAndClear();
+}
+
 bool EqualDistinguishedNames(
-        OUString const& rName1, OUString const& rName2)
+        OUString const& rName1, OUString const& rName2,
+        EqualMode const eMode)
 {
+    if (eMode == COMPAT_BOTH && !rName1.isEmpty() && rName1 == rName2)
+    {   // handle case where both need to be converted
+        return true;
+    }
     CERTName *const pName1(CERT_AsciiToName(OUStringToOString(rName1, 
RTL_TEXTENCODING_UTF8).getStr()));
     if (pName1 == nullptr)
     {
         return false;
     }
     CERTName *const pName2(CERT_AsciiToName(OUStringToOString(rName2, 
RTL_TEXTENCODING_UTF8).getStr()));
-    if (pName2 == nullptr)
+    bool ret(false);
+    if (pName2)
     {
-        CERT_DestroyName(pName1);
-        return false;
+        ret = (CERT_CompareName(pName1, pName2) == SECEqual);
+        CERT_DestroyName(pName2);
+    }
+    if (!ret && eMode == COMPAT_2ND)
+    {
+        CERTName *const pName2Compat(CERT_AsciiToName(OUStringToOString(
+            CompatDNCryptoAPI(rName2), RTL_TEXTENCODING_UTF8).getStr()));
+        if (pName2Compat == nullptr)
+        {
+            CERT_DestroyName(pName1);
+            return false;
+        }
+        ret = CERT_CompareName(pName1, pName2Compat) == SECEqual;
+        CERT_DestroyName(pName2Compat);
     }
-    bool const ret(CERT_CompareName(pName1, pName2) == SECEqual);
-    CERT_DestroyName(pName2);
     CERT_DestroyName(pName1);
     return ret;
 }
commit 3ecd4bf57f9688a0346f5cd83451985bc00a0d8a
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Oct 15 20:52:47 2021 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:02:39 2022 +0200

    xmlsecurity: fix test failing because NSS policy forbids SHA1
    
    With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
    8 tests including testODFGood in CppunitTest/xmlsecurity_signing
    fail because the crypto policy disallows SHA1 for signatures.
    
    Apparently this particular policy bit was added in NSS 3.59:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
    
    For signatures, maybe it's not a good idea to override system policy
    for product builds, so do it locally in the tests, at least for now.
    
    If similar problems turn up for encrypted documents in the future,
    that should be fixed in product builds too of course, as encrypted
    documents must always be decryptable.
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123768
    Tested-by: Jenkins
    Tested-by: Caolán McNamara <caol...@redhat.com>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 51e82016e8783a452fe5f7921d12c1bf20bfd6b5)
    
    xmlsecurity: fix --without-system-nss usage of NSS_SetAlgorithmPolicy
    
    The problem with commit ff572d9222ec16ffd679ae907a0bf4a8900265e1
    is that it's using the wrong library; NSS_SetAlgorithmPolicy is actually
    in libnssutil3.so.
    
    This causes a linking problem when upgrading the internal NSS to a
    version that has NSS_USE_ALG_IN_ANY_SIGNATURE.
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123819
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 395c0c0bbaceadf909e0189af99c6358487c7978)
    
    Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123838
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 0f3431026dbff0251efeb0b92be335841a08cc5d)

diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index 717b70efa0dc..82da26bfe624 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -3399,6 +3399,11 @@ $(call gb_LinkTarget_add_libs,$(1),\
 
 endef
 
+define gb_LinkTarget__use_nssutil3
+$(call gb_LinkTarget__use_nss3,$(1))
+
+endef
+
 define gb_LinkTarget__use_plc4
 $(call gb_LinkTarget__use_nss3,$(1))
 
@@ -3468,6 +3473,27 @@ endif
 
 endef
 
+define gb_LinkTarget__use_nssutil3
+$(call gb_LinkTarget_use_package,$(1),nss)
+$(call gb_LinkTarget_set_include,$(1),\
+       $$(INCLUDE) \
+       -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss \
+       -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include \
+)
+
+ifeq ($(COM),MSC)
+$(call gb_LinkTarget_add_libs,$(1),\
+       $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/nssutil3.lib \
+)
+else
+$(call gb_LinkTarget_add_libs,$(1),\
+       -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib \
+       -lnssutil3 \
+)
+endif
+
+endef
+
 define gb_ExternalProject__use_nss3
 $(call gb_ExternalProject_use_package,$(1),nss)
 
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
index f2500b5d3100..f6a74a9eabd7 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk
@@ -34,6 +34,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
     boost_headers \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\
+    nssutil3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk 
b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
index 84e7a76c043b..7ed85aed76f5 100644
--- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
+++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk
@@ -34,6 +34,14 @@ $(eval $(call 
gb_CppunitTest_use_externals,xmlsecurity_signing,\
     libxml2 \
 ))
 
+ifneq ($(OS),WNT)
+ifneq (,$(ENABLE_NSS))
+$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\
+    nssutil3 \
+))
+endif
+endif
+
 $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\
        -I$(SRCDIR)/xmlsecurity/inc \
        $$(INCLUDE) \
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 2894b4a2fa2d..6dd7a86cac5c 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -7,6 +7,10 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
 #include <com/sun/star/xml/crypto/SEInitializer.hpp>
 #include <com/sun/star/security/DocumentSignatureInformation.hpp>
 
@@ -84,6 +88,18 @@ void PDFSigningTest::setUp()
     osl::File::copy(aSourceDir + "key4.db", aTargetDir + "/key4.db");
     osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "/pkcs11.txt");
     setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1);
+#endif
+
+    uno::Reference<xml::crypto::XSEInitializer> xSEInitializer
+        = xml::crypto::SEInitializer::create(mxComponentContext);
+    uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext
+        = xSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
 #endif
 }
 
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index fb1cdb86eee0..e7835324072f 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -14,6 +14,10 @@
 
 #include <cstdlib>
 
+#ifndef _WIN32
+#include <secoid.h>
+#endif
+
 #include <test/bootstrapfixture.hxx>
 #include <unotest/macros_test.hxx>
 #include <test/xmltesttools.hxx>
@@ -152,6 +156,13 @@ void SigningTest::setUp()
     mxDesktop.set(frame::Desktop::create(mxComponentContext));
     mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext);
     mxSecurityContext = mxSEInitializer->createSecurityContext(OUString());
+#ifndef _WIN32
+#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE
+    // policy may disallow using SHA1 for signatures but unit test documents
+    // have such existing signatures (call this after createSecurityContext!)
+    NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
+#endif
+#endif
 }
 
 void SigningTest::tearDown()
commit d2131df258d63c090500fc72e1a7886ec5c96f1d
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Thu Oct 14 13:44:14 2021 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:02:30 2022 +0200

    test: upgrade test NSS database from dbm: to sql:
    
    Fedora nss-3.69.0-1.fc34.x86_64 and Debian libnss3:amd64 2:3.70-1 no
    longer support the old BerekelyDB databases, so convert them to the new
    SQLite format for the benefit of --with-system-nss builds.
    
    This worked to do the upgrade:
    
    > certutil -N -d sql:test/new --empty-password
    > LD_LIBRARY_PATH=instdir/program 
workdir/UnpackedTarball/nss/dist/out/bin/certutil --merge -d sql:test/new 
--source-dir dbm:test/signing-keys
    
    Builds would fail running tests added in commit
    40d70d427edddb589eda64fafc2e56536953d274
    
      signing.cxx:551:Assertion
      Test name: testODFX509CertificateChain::TestBody
      equality assertion failed
      - Expected: 0
      - Actual  : 1
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123586
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 907784ccce7bd8b5121888cff7f5723a55d35358)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123643
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    (cherry picked from commit 7b4b03b9cf21ecd11bc82da5f29c4ff91ad242c9)
    
    Change-Id: I00aa20703e117ebf583c3331b84e966c2cfc78cd
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123837
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 755155498b13c8724831276808c930adba891f5c)

diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 1d45d5bef16b..2894b4a2fa2d 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -79,9 +79,10 @@ void PDFSigningTest::setUp()
     OUString caVar("LIBO_TEST_CRYPTOAPI_PKCS7");
     osl_setEnvironment(caVar.pData, aTargetPath.pData);
 #else
-    // Set up cert8.db and key3.db in workdir/CppunitTest/
-    osl::File::copy(aSourceDir + "cert8.db", aTargetDir + "cert8.db");
-    osl::File::copy(aSourceDir + "key3.db", aTargetDir + "key3.db");
+    // Set up NSS database in workdir/CppunitTest/
+    osl::File::copy(aSourceDir + "cert9.db", aTargetDir + "/cert9.db");
+    osl::File::copy(aSourceDir + "key4.db", aTargetDir + "/key4.db");
+    osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "/pkcs11.txt");
     setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1);
 #endif
 }
diff --git a/xmlsecurity/qa/unit/signing/data/cert8.db 
b/xmlsecurity/qa/unit/signing/data/cert9.db
similarity index 50%
rename from xmlsecurity/qa/unit/signing/data/cert8.db
rename to xmlsecurity/qa/unit/signing/data/cert9.db
index 95e58ffe5b92..c4064e419f42 100644
Binary files a/xmlsecurity/qa/unit/signing/data/cert8.db and 
b/xmlsecurity/qa/unit/signing/data/cert9.db differ
diff --git a/xmlsecurity/qa/unit/signing/data/key3.db 
b/xmlsecurity/qa/unit/signing/data/key3.db
deleted file mode 100644
index f449e60a667f..000000000000
Binary files a/xmlsecurity/qa/unit/signing/data/key3.db and /dev/null differ
diff --git a/xmlsecurity/qa/unit/signing/data/key4.db 
b/xmlsecurity/qa/unit/signing/data/key4.db
new file mode 100644
index 000000000000..34a7fa28aa32
Binary files /dev/null and b/xmlsecurity/qa/unit/signing/data/key4.db differ
diff --git a/xmlsecurity/qa/unit/signing/data/pkcs11.txt 
b/xmlsecurity/qa/unit/signing/data/pkcs11.txt
new file mode 100644
index 000000000000..22c8f8519efd
--- /dev/null
+++ b/xmlsecurity/qa/unit/signing/data/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:test/new' certPrefix='' keyPrefix='' 
secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' 
updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 
slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})
+
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index e1853d4ad235..fb1cdb86eee0 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -101,9 +101,10 @@ void SigningTest::setUp()
     OUString aTargetDir
         = 
m_directories.getURLFromWorkdir("CppunitTest/xmlsecurity_signing.test.user");
 
-    // Set up cert8.db in workdir/CppunitTest/
-    osl::File::copy(aSourceDir + "cert8.db", aTargetDir + "/cert8.db");
-    osl::File::copy(aSourceDir + "key3.db", aTargetDir + "/key3.db");
+    // Set up NSS database in workdir/CppunitTest/
+    osl::File::copy(aSourceDir + "cert9.db", aTargetDir + "/cert9.db");
+    osl::File::copy(aSourceDir + "key4.db", aTargetDir + "/key4.db");
+    osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "/pkcs11.txt");
 
     // Make gpg use our own defined setup & keys
     osl::File::copy(aSourceDir + "pubring.gpg", aTargetDir + "/pubring.gpg");
commit 216fdb664bbe12cb843aaf4f4b93ea7cb6578131
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Oct 15 16:58:07 2021 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Apr 1 14:02:21 2022 +0200

    xmlsecurity: fix new tests on WNT
    
    Tests added in commit 40d70d427edddb589eda64fafc2e56536953d274 don't
    actually run on WNT but that wasn't obvious because commit
    149df1fec6472e30582162e17e04c75aee91d26a prevented running them in
    Jenkins on master, they failed only in the libreoffice-7-1 backport.
    
      xmlsecurity/qa/unit/signing/signing.cxx(631) : error : Assertion
      Test name: testODFDoubleX509Certificate::TestBody
      assertion failed
      - Expression: (nActual == SignatureState::NOTVALIDATED || nActual == 
SignatureState::OK)
      - 2
    
    This is an oddity where NSS claims the signature in the document is
    valid but CryptoAPI claims it is invalid; the hashes passed into the
    validation functions are the same.  Just allow BROKEN as an additional
    result value on WNT.
    
      xmlsecurity/qa/unit/signing/signing.cxx(550) : error : Assertion
      Test name: testODFX509CertificateChain::TestBody
      equality assertion failed
      - Expected: 0
      - Actual  : 1
    
    The problem here is that with NSS the tests use a custom NSS database
    in test/signing-keys so we need to make these certificates available for
    CryptoAPI too.
    
    The following one-liner converts the NSS database to a PKCS#7 that can
    be loaded by CrytpAPI:
    
    > openssl crl2pkcs7 -nocrl -certfile <(certutil -d sql:test/signing-keys -L 
| awk '/^[^ ].*,[^ ]*,/ { printf "%s", $1; for (i = 2; i < NF; i++) { printf " 
%s", $i; } printf "\n"; }' | while read name; do certutil -L -d 
sql:test/signing-keys -a -n "${name}" ; done) > test/signing-keys/test.p7b
    
    Then one might naively assume that something like this would allow these
    certificates to be added temporarily as trusted CAs:
    
    +                HCERTSTORE hRoot = CertOpenSystemStoreW( 0, L"Root" ) ;
    +                HCERTSTORE const hExtra = CertOpenStore(
    +                        CERT_STORE_PROV_FILENAME_A,
    +                        PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
    +                        NULL,
    +                        CERT_STORE_OPEN_EXISTING_FLAG | 
CERT_STORE_READONLY_FLAG,
    +                        path);
    +                if (hExtra != NULL && hRoot != NULL)
    +                {
    +                    BOOL ret = CertAddStoreToCollection(
    +                        hRoot,
    +                        hExtra,
    +                        CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
    +                        0);
    +                    SAL_DEBUG("XXX hExtra done " << ret);
    +                }
    
    There is no error from this, but it doesn't work.
    
    Instead, check if CertGetCertificateChain() sets the
    CERT_TRUST_IS_UNTRUSTED_ROOT flag and then look up the certificate
    manually in the extra PKCS#7 store.
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123667
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmik...@collabora.com>
    (cherry picked from commit 7d664ec788acdc378506a7ff8b1120cea24a6770)
    
    Change-Id: Ic9865e0b5783211c2128ce0327c4583b7784ff62
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123836
    Tested-by: Michael Stahl <michael.st...@allotropia.de>
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 7c622c58cda433964dd73544d56a81a7c88e3f5d)

diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 20241f016d52..1d45d5bef16b 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -12,6 +12,7 @@
 
 #include <comphelper/processfactory.hxx>
 #include <osl/file.hxx>
+#include <osl/process.h>
 #include <sal/log.hxx>
 #include <test/bootstrapfixture.hxx>
 #include <tools/datetime.hxx>
@@ -66,15 +67,21 @@ void PDFSigningTest::setUp()
 
     
mxComponentContext.set(comphelper::getComponentContext(getMultiServiceFactory()));
 
-#ifndef _WIN32
-    // Set up cert8.db and key3.db in workdir/CppunitTest/
     OUString aSourceDir = m_directories.getURLFromSrc(DATA_DIRECTORY);
     OUString aTargetDir
         = 
m_directories.getURLFromWorkdir("/CppunitTest/xmlsecurity_pdfsigning.test.user/");
-    osl::File::copy(aSourceDir + "cert8.db", aTargetDir + "cert8.db");
-    osl::File::copy(aSourceDir + "key3.db", aTargetDir + "key3.db");
     OUString aTargetPath;
     osl::FileBase::getSystemPathFromFileURL(aTargetDir, aTargetPath);
+
+#ifdef _WIN32
+    // CryptoAPI test certificates
+    osl::File::copy(aSourceDir + "test.p7b", aTargetDir + "/test.p7b");
+    OUString caVar("LIBO_TEST_CRYPTOAPI_PKCS7");
+    osl_setEnvironment(caVar.pData, aTargetPath.pData);
+#else
+    // Set up cert8.db and key3.db in workdir/CppunitTest/
+    osl::File::copy(aSourceDir + "cert8.db", aTargetDir + "cert8.db");
+    osl::File::copy(aSourceDir + "key3.db", aTargetDir + "key3.db");
     setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1);
 #endif
 }
diff --git a/xmlsecurity/qa/unit/signing/data/test.p7b 
b/xmlsecurity/qa/unit/signing/data/test.p7b
new file mode 100644
index 000000000000..44723697a2bf
--- /dev/null
+++ b/xmlsecurity/qa/unit/signing/data/test.p7b
@@ -0,0 +1,249 @@
+-----BEGIN PKCS7-----
+MIIuNgYJKoZIhvcNAQcCoIIuJzCCLiMCAQExADALBgkqhkiG9w0BBwGggi4LMIIF
+sjCCA5qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVUsxEDAO
+BgNVBAgMB0VuZ2xhbmQxHTAbBgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSUw
+IwYDVQQDDBxYbWxzZWN1cml0eSBSU0EgVGVzdCBSb290IENBMCAXDTE4MDYwNjE1
+MjAwNloYDzIxMTgwNTEzMTUyMDA2WjBpMQswCQYDVQQGEwJVSzEQMA4GA1UECAwH
+RW5nbGFuZDEdMBsGA1UECgwUWG1sc2VjdXJpdHkgUlNBIFRlc3QxKTAnBgNVBAMM
+IFhtbHNlY3VyaXR5IEludGVybWVkaWF0ZSBSb290IENBMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEA+uBkXt39Yc0aOe2UkBWlVIqQcvlSwLheXlcGeDDI
+PSwSRaDcuGdGQXs+WFM65xDak8eZJwyyQSWtoDRV0lXEP63OJk/ktWLjFywLP69g
+Br2E4vsjOdr9DR94AAQY2WTW2/UXxcI92nB+sq6ZhVF5I9rfzDHPGYEiWTQqtnTM
+JDGpO5eo9JBjQtaB/sHG7ZnxF1FOl6V85F/dfGG3MBGp9glg5qE6QDjA11DsTuki
+V5OeP8vZsmoYkyNmViA7L+xuOM6iVUGY+b4XDCeI1Kgr5ZhF9xL7ByVTxtZrdMXz
+cPu+Dgcr9VF7QqhAYg/W/0s4WzoyXV/f1fjC5+uKXWSuttrRHNt16DMOh5T1lS4q
+HLfMoDYZ+AK8L0JrjQMXCzCp4WTmqplBg6bYWFpHvyzp0uccYJdUXv5o6PFhpIV6
+VpdVtT6fVfh9V5C5jDKBv+n14rZ9hPYzvIxVAnF6SYtXRTbrSzSDi5QqCiWwU56u
+SAWyyrwdED1zETgTDmGOFv5j2tIEcAbQ6TT8n/Mit5NuL98M5XxPnKduCQ39ssKD
+wO146lAe5kREJRv4Va/o47tards6tdkaV5267rXZA7ndvnov0TmZFNwDMQz9tRZJ
+ov07V7kriLS47xD/eDH7IyEOWYsgoU3N1J1GZKCYSRxZ3Wh6AiZy211PYwuJpP3x
+ugUCAwEAAaNmMGQwHQYDVR0OBBYEFDXB8g347TUPMvCNXTBSRQpVRvroMB8GA1Ud
+IwQYMBaAFOOqggO/I6PkIyJZqJ16mbDbtiXxMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+DgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAiyaCtGnPZRsfGD69y
+jkPptc6cwa8icyF9iiJwdngjvdMTCOJHhUAtzGTOuUITJEh0OJYzabB+EUgHmZWe
+6hwrWCzhJQysDktdsARQOB91Vi19VyDrcHPxnn43zObnbkLpFvZXg3Q3/S+eiTn/
+UWMg7f2tQjaCdj6xx1DGTiJmZBRI/CG24EWzYy+H7/MBNFuW3+1CdoDuPR3lkbWm
+YFJbvkOaWR8+faL6o5u7IagKCSmMaNDjRQA8/LKwJ8waD61Hw4S4H465I16UVCT4
+d226anZIfz7N3/NbVw0B8emJP1ZtVty1vDPEx/6A7+sXfgAYgjfMeiHhGHs17i2d
+7EvdwxlyvKq/iQkLMzkyAkA5kpUbZ/kpOQh8sR9JHxv3QEz0clRvRIwlJU5W+Pa1
+e3dNYTDR9x0fBaLwPUIc5RnnSZ5Aws2qxnp7yYrQzxTtLd3IoDU4BuuyBE+/Pauk
+bbfJUnr+e9Pwt+OXqrECnhxz+f0FDAMlX0CEe7Vlx8p37roBiT4sf3anXrNyrUZM
+QWQFLs9H3+yooEJJWTgs7QjFZ0l5LIQyTv1I4UmGBgEWlW8UNIJhvAeq1ykY+WZw
+At9JDlNwiAbFbFoMqGkVZDko1foTE8KUJfgth63ZmdWw1yzX8H9+zDlhpHCehJsJ
+68Rk7INjBNZr6IxpVViGLsW1qTCCBbgwggOgoAMCAQICAhAAMA0GCSqGSIb3DQEB
+CwUAMGkxCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdFbmdsYW5kMR8wHQYDVQQKDBZY
+bWxzZWN1cml0eSBFQ0RTQSBUZXN0MScwJQYDVQQDDB5YbWxzZWN1cml0eSBFQ0RT
+QSBUZXN0IFJvb3QgQ0EwIBcNMTgwNjA2MTUyMDIxWhgPMjExODA1MTMxNTIwMjFa
+MGsxCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdFbmdsYW5kMR8wHQYDVQQKDBZYbWxz
+ZWN1cml0eSBFQ0RTQSBUZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1l
+ZGlhdGUgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKlB
+Wij1qE0sYqzYZ8p9FAejgwuf0npT2uplFdq2VZGJaMRS+dbbxnjAh7N78q8aSkag
+kYOQcWtp/XmBCAsGC7D5MA+H6eyPAfZdnb+CycwGkvTH3CfJHCS9QVHRk4HGmAgO
+DEQtLzA5z65wrfZDD5utBtItWd5brhjDQTROmfjbm7t4V/+2uTr94WrMvykj5Cye
+vo2VeAz/zjJIgN+eNQwGnCZWWpITwzq6II4oUIz+/oHSHox4Q8s0XdjXpkfvZfN4
+lVOXlqnUC3pZEPSn4siJEkw26s5fwt9oeoyGDWoKPZmy9jlkxIOiaBz8RAGYPsSS
+sfZ28w0XCxG70WIzOBbLe5IuCGzpv7jzygAWjSVxeyVuGFs1ev8t77Ij/9wPXg0c
+tDclq/nGqIWBNsXFezUpmf0Pjp/owUOmdE+eX7IiPHCqiqyZAzk8NmQTz81UfzA5
+gemdXY1PwXj1ubIM80oLynGmgyWGP4QQJKk2X0o6iLKIkjJzf0VG7kz6pd/MryJC
+esPAdHJ5XkGsOcNDTGxJrVcHii91puRkllIUB/Pa99R6/tDdNpwfsQHbVydhknLt
+lPzQaL04Jx8qglFxS6UGVXThGe809s9KOjCI8jw9+k9u1Aj1XeEtrqXe1bkUbtgP
+UPb0OS9pZbzEEH8ayKQ9mZX/AxCGBSKnkeYn1ywvAgMBAAGjZjBkMB0GA1UdDgQW
+BBTQTJbg+FLm6ZFV0dKdvzzzxEgyRzAfBgNVHSMEGDAWgBQgN6w+MdwLFedzVTyQ
+o/oFcYBa1TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkq
+hkiG9w0BAQsFAAOCAgEAQArGH6CD7ouqF8lg3apFkGl2jnutJdRLtCfGt2iwAxZo
+DArpQyYw5OGvbr8J9DTf4jdGFsjDTK4Ir82B6nUWCJuOnf7leuG1CsPLFL9QYhK/
+JJCO3hgqDPJqxsF1wtNMCowTTo71wdOLIUnIiKVULEJ55YHGvUjv9ufDUMhtViEj
+lA0TLjLMk1NQDi8wArZ0uR71yoqsjkQcwqXanmmE/iQU/wJSEtTtlHgXNeHR35Sr
+mSqBinCfIIxab6zGsq8TrnkDlpxCZ+5I70Ly65WAvrmGn4a9mm96F0UpXlllCtg9
+AAC/cIydTZlwLxsM+wgMAVuEPHC6njnubregPvhiVs0Bx2o+IIdZT6vqlheD4GdA
+DB7m9yOV9sS2VSjD7yuH76FtfybJZvm5MEdIatgxqnWSQH+uSjbjiXujagkuaI9L
+Jlsf5hwO9D6VCTl8rgIUecSLDRS9qBAjZBZZ5HHld3c6W8D+mXnIfJuJBh9/1J/w
+/meA58hVGVrJPEfjLADE9FF/PeHj0mRI8E98JZGdQs8WXHjkWe+yPectC+clkvLm
+fH8lINEj7A+2Ji6uduIxBrAXbhpKcdanL6epqNHXY1tw4TqjjYtvggBkjsRJ8QEV
+aeDthXGh/Z8NxXp/SKh1DeKtt0VH0Uy+ouAcZSDPH00wqTZqyX2mS+LaGAZsYGww
+ggS2MIIDnqADAgECAhAMealEsIwRlSCSYV/iax2DMA0GCSqGSIb3DQEBCwUAMGwx
+CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3
+dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJhbmNl
+IEVWIFJvb3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjB1MQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVkIFZh
+bGlkYXRpb24gU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA11OkBFH4maYWSEtnJ6qTSdA57QywsACH8WcohoWMjmPavLFAOOLT9eylBRi4
+PT7FmRcy7BiM+vEMpmQhhcsHEDSwUogrH2ib0rGPErCz0ueIHx/vOHdUU1+AeT8u
+GqqoHksrDau3Y7k1t30UvFlL31FK0qHiDOKQgodqrurXZNaYVej9rxpQbFS8EfL9
+SvKdu38O9NW+jhaJElXYwHE07vbcLezEhyWGjdgh5LBNDIncOSYX3fbXlIXYBCFw
+nW9v/1y6GeFFy1ZXKH4cDUFXqre4J7ux5Poq7yEjdRqtLZuGNYycd7VzrdiULeTz
+DJ3uwU5ifhfAcZ4s3vH5ECgZMwIDAQABo4IBSTCCAUUwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
+aWNlcnQuY29tMEsGA1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
+LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwPQYDVR0gBDYw
+NDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
+bS9DUFMwHQYDVR0OBBYEFD3TUKXWoK3u80pgCmXTIdT4+NYPMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBCwUAA4IBAQCdttCQhuGG
+Au3FoPA0HHTBjXbMhgqo8EqKQtY/yKlNrXwIrea2ULiiGk2IB7EpIdzn2sY8IeDj
+EUlwrHodAaTKETpXq31XKkB0/dMdhRhQ31dHdaF9VSAuRzdQcox/ghvSYo8tA1ra
+w8ihzixSogBj63O6cchJJyOXZIWeOA6tY2g8ulKBWHmjLAzf3m3rMfK6oHxs8SzU
+4b13hDcDzjK1yJqBGkqSTjtGmoX+g6L5noyjzA1esz3PBHiPFBR7MpzHAKZcxLWh
+VY1aVmikInCqPIFx2Z2oRTv05faiUd3He2Lobwx067ja+L+HDXlQkZCbGDuRWSfx
+NSgTqyZ+1fd6MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG
+9w0BAQsFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkw
+FwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9i
+YWwgUm9vdCBDQTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJ
+BgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lD
+ZXJ0IFNIQTIgU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAK
+c24RmDYXZK83nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yr
+BvSqXUu3R0bdKpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TX
+vi/TC2rSsd9f/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdI
+kARFdRrdNzGXkujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+gu
+qw9ypzAO+sf0/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB
+/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1
+oDOGMWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwN6A1oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEds
+b2JhbFJvb3RDQS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEW
+HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHV
+LyjnjUY4tCzhxtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0G
+CSqGSIb3DQEBCwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHg
+l4+mUwnNqipl5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZg
+THbO7Djc1lGA8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB
+40f/1LkAtDdC2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8Z
+DOo0rwAhaPitc+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4
+d60tbvVS3bR0j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLzMIIEXDCCA0SgAwIBAgIN
+AeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQLExdHbG9iYWxT
+aWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMK
+R2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEyMTUwMDAwNDJaMFQxCzAJ
+BgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3QgU2VydmljZXMxJTAjBgNV
+BAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVWXQ5IWi01CXZaz6TIHLGp
+/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK71G4nzKMfHCGUksW/mon
+a+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9RUk2T0HNouB2VzxoMXlk
+yW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1zouAqYGVQMc/7sy+/EYhA
+LrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWTkaIeoYvy/sGIJEmjR0vF
+EwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAzAgMBAAGjggEzMIIBLzAO
+BgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIG
+A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCaZ3Z2sS3ChtCDoH6mfrpL
+MB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkw
+JzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8E
+KzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYD
+VR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29v
+Zy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAHLeJluRT7bvs26gyAZ8s
+o81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2eux9LSD+PAj2LIYRFHW31
+/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPqwnb8Oa2I/maSJukcxDjN
+SfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbuFIwsIONGl1p3A8CgxkqI
+/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy7a8IVk6wuy6pm+T7HT4L
+Y8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZVc7o835DLAFshEWfC7TIe
+3jCCBFMwggI7oAMCAQICAhAAMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNVBAYTAlVL
+MRAwDgYDVQQIDAdFbmdsYW5kMR8wHQYDVQQKDBZYbWxzZWN1cml0eSBFQ0RTQSBU
+ZXN0MSkwJwYDVQQDDCBYbWxzZWN1cml0eSBJbnRlcm1lZGlhdGUgUm9vdCBDQTAg
+Fw0xODA2MDYxNTIwMjFaGA8yMTE4MDUxMzE1MjAyMVowbzELMAkGA1UEBhMCVUsx
+EDAOBgNVBAgMB0VuZ2xhbmQxHzAdBgNVBAoMFlhtbHNlY3VyaXR5IEVDRFNBIFRl
+c3QxLTArBgNVBAMMJFhtbHNlY3VyaXR5IEVDRFNBIFRlc3QgZXhhbXBsZSBBbGlj
+ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABARLFn7pnI5fqVyPKZsn+1aFSgoF
+NxwX30u97S9Ti3v0LkMhzCvJgCMRTRFE5Utzrg1tmNvAO1gl5Cn3VeRv/qWjgcUw
+gcIwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJYIZIAYb4QgENBCYW
+JE9wZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+6iBLx5qDOXkoKU2kRXYBsRuOKEQwHwYDVR0jBBgwFoAU0EyW4PhS5umRVdHSnb88
+88RIMkcwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDBDANBgkqhkiG9w0BAQsFAAOCAgEACu+ViKlFl5euwbhuysQro10mplQXhocM
+EpLyN4ZwSkplKbyfQIDahoCU1GSVUr6r5/3oOOjeqHNqeRYpd2hGQbmLaDydTbLO
+7Eb/i9u4VIYKrSKQCz4Q5Z7Hc/8hD+YFuwN8xQdzQRE5tMqHQ2PmEYwYkt0ABbqA
+El0Ae5nII98ejz5b1S7a4wPSr4CLVhSUDBTUSglJxaT5ZTa/rhmUjgOg4cFgE+Qm
+OQuaD2VEy65eCWcjUY7r7ZNP6+JbHVBW8DxiWvBd2YZwh4A4TwxUwRwcOgDMh8Z8
+B2D+xz+We4KQF+hhlA1CyKDcLcJR5OujQX4C2/zhzzmKOA1ilmH8HrJ0iTAf4mOo
+7l2vpRhDR3W3q4l7WsthCJhno/UGKz9F/v8E7fXQC7WnmffXgGzBDdOF+nojZLFn
+JMe62Zd38vydfcl7QPnJS4G+g7XZIg1pn5YlrygCcyCkOIJZ2qdigPm5tDWwweP9
+fDANlfmyVRDPJ1hfQkpgP9tIdgyoYx1AR6SBGXgXNNb1fl3t+sBYt8n4Vb2O/7sN
+9Cvr8zxrxflJ3qK8asp7XSy3cQCUfGyTLsH43u+uv5l9Q/iX1KfXo3KYR4fzv8dZ
+uNjrFunhQIb7HTbtgIDp+jerBSCIWBAhqGvwMEKEcWNj7uig9BHvKG7npeZyzaB5
+/gsM/nofo5UwggUYMIIDAKADAgECAgIQADANBgkqhkiG9w0BAQsFADBpMQswCQYD
+VQQGEwJVSzEQMA4GA1UECAwHRW5nbGFuZDEdMBsGA1UECgwUWG1sc2VjdXJpdHkg
+UlNBIFRlc3QxKTAnBgNVBAMMIFhtbHNlY3VyaXR5IEludGVybWVkaWF0ZSBSb290
+IENBMCAXDTE4MDYwNjE1MjAwNloYDzIxMTgwNTEzMTUyMDA2WjBrMQswCQYDVQQG
+EwJVSzEQMA4GA1UECAwHRW5nbGFuZDEdMBsGA1UECgwUWG1sc2VjdXJpdHkgUlNB
+IFRlc3QxKzApBgNVBAMMIlhtbHNlY3VyaXR5IFJTQSBUZXN0IGV4YW1wbGUgQWxp
+Y2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/jNbYTvv/epCVWXDp
+cJJ2vicKBt4GkzmOXTVBKRRJE0KodEldWdsCySMvT1aCfcZAf8l+CGCNyim7f4Fl
+L1IJ7j+N0Rhsi105mkFAZ1EkU2mfHdx3j9c7+ybbc1219cfMEAzgwjnGNGqpD9ZR
+dTWgipeFCOwSt1hcWV+bvuP5DnKJFQtoEObkXUE/Ehb3a8FfXnH+2sBTEkKmjL5J
+Bg46NRv1cA7gTTbh9JrYAEmGRnt4fjkV3Njc2phzPryoOYZudb9CWE6HUIyhw7BI
+oc/OlvFypoykuz4ciTviVh7bAKS/OMugbX9fz4CRljilDw3LIIKMtFR5ohWRPBcr
+rfo7AgMBAAGjgcUwgcIwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJ
+YIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0
+ZTAdBgNVHQ4EFgQUoMyXNKeDde/7MDve+sSR2rKd10QwHwYDVR0jBBgwFoAUNcHy
+DfjtNQ8y8I1dMFJFClVG+ugwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsG
+AQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAIxT1eA8eDG44lGUp
+OroRAqFAzhrX11s5OlAJPdXtjE4OrSQ4105eNbsARsrgEuEdvTR+KGzsRO90iHYd
+3DXUVr1QrcDb0lExbQk5fXMqaKdyXta+DUMdbEl1F7j8kKwr73y7zthziKnY8Ehd
+DOmUUjGf7AbYyZIaizgqWBjHMOgDhaq9t+vW15SJfNF9P5h+xNFZO1xqkad6ATvd
+vQ6NjHKjps6kU08AUpRk2L+Tx4sRu03zCMFdgqMhjdvDSDjDl38FCvNwCTCik1U5
+NhqIwjsXBhmkm9NZ/5UDXBLnTiPiWCFzF4+bWzeahLN1ky1roiFX9AOwP2z1Px2G
+V7VhC//f2nDvKPHNswcGLHoXsyg0hYJyGA+Hnvl2g8StD3Lk2DZzbjbC99BDPMKL
+g2s4w7Hpz7fLjKe8k6w6GrSOoyCDCK4oBL3ZY0g/rMR+ZybhW0K0bo+h3y9s6292
+Btsk24EacgGNx8XPZe5BEmX1n8rELCpcYxLvzo4yNMIptL9dlofC87Cskej2KC9D
+nTYM/7YbDOdmqAAhyHG1ZnEzMgjfpA9Wl2dO6Mb+QJTBSq+61Xee6ylyKhaeL3L5
+61M3frsI2irETwU0HSZTgl5zGFQs/VTMMwE+5wLyoo+JgIQo38J9fp3gpmNlqoVs
+w1sPLs4AeXm5/0jhMUx3ZMCdE8YwggWyMIIDmqADAgECAgkAlxa9qhMuSpowDQYJ
+KoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxHTAb
+BgNVBAoMFFhtbHNlY3VyaXR5IFJTQSBUZXN0MSUwIwYDVQQDDBxYbWxzZWN1cml0
+eSBSU0EgVGVzdCBSb290IENBMCAXDTE4MDYwNjE1MjAwNFoYDzIxMTgwNTEzMTUy
+MDA0WjBlMQswCQYDVQQGEwJVSzEQMA4GA1UECAwHRW5nbGFuZDEdMBsGA1UECgwU
+WG1sc2VjdXJpdHkgUlNBIFRlc3QxJTAjBgNVBAMMHFhtbHNlY3VyaXR5IFJTQSBU
+ZXN0IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+iaaD
+NjD39bYz7vlqzWlXpRnxav6GmJyLROygf8odZgtaZL2LwgDVh/oFjchIC4q8N+pN
+aDKgMV4nJNXM01QeVh/piashiAbQNvauehyKFwwwW5WddETBtCCKBZj3eII2LYqm
+gY5YHrdm6nJ8xN7KPsW69i3gCW0ntDSj5EhEbHrVp4/aCgaLH2jWOSME3pOffBDd
+4mChrQJI+R9p5j7BU755QSVgTfkXCY9ZHrwCcXuGD9JLVEQ1JDhmpUDUYrZ8pqRf
+p7vOSokJvpm5DadfkY0lYUVKUFclatWqkFm94osx8ZBqRlSzDPcVE9c3SpQrjS8p
+duURK43fk8depV9IA8RDqIYolTtULe5M90LIHO3AlsgCz5Gr13FvrJm/rxcKEaF5
+7dVbT9p78amuQcSd48GTyluRKpLTnZn3Lfo2eNHBlFWdGZCPDpdLWHZzpx1GxX3H
+YXCaWUBCHPpXatm7851L2IIbcITjmcOeBiDhWcPDin2OcJ5roxhU8G09T1/Y2Oci
+cjFQZGJ1fY3arXL1SI85TzuaWiXJABJX5K3HAeSbslrrD4xF/CBTb+g4uVzcykzL
+jityxECWFsngJZdHATD7EmgdvdbSX6LLjvoy18xofBpET/Gw+b4xeBcyP55sTn1x
+4LoYlLo4DmfnkpHrnOmZCwziffLMmtT2EzEMowIDAQABo2MwYTAdBgNVHQ4EFgQU
+46qCA78jo+QjIlmonXqZsNu2JfEwHwYDVR0jBBgwFoAU46qCA78jo+QjIlmonXqZ
+sNu2JfEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
+AQELBQADggIBACRuAgJickA2ogZ+3/RyGDW5Kbp5kyuXSR8AJkoWkvwo6GPsLrpw
+h6yR/tZwlsdA5bcICDQ5mmRL2eG8/E7KxBuVL6xDCj11aI3s0BOiRPHJJgYV2sQ1
+dJR0Yj0wwWyLODyo3TsS1vKept0nAU0NqiYnPSZRdiXG0JHiBMaitaYvwTMkg33w
+te4wObmCiZ3lFMKCpzWEFP4OrQTdZqmdRWUwWvUpLx7H9Ep9UFDmAlEnXRkhqxpV
+2kKXeAYV3wwAzKqplc7KW07VFFNNdjO3nQbVSYAR3ZIMfoAOqPxPTgjRSKumxDtv
+gZqwmiZZAG4K/2NjrmsA593uZYfhEOZWfY/hcJVnr76gKavYIwRF+hGxUi3fGDHk
+665Xgx0BxUHDosyRDPolGn3aQQY8wT3HXCcNFyeSznzOcK+ixlETAtj+y1arZ4ts
+4pnl0ImqILjEZxrmXTAkRO51TlYt0iA8NQVDa1Ne64Fy2N3OHz4XJzo3aoynf5Ta
+bakQCsh3/prFpCGMYkQMkxXonTdaJnyX/0aMiVfYdAZupG8cAvuRQSQ/i1k5SLAY
+ai1qQW8kmJVYPKdWmEvyBNqZHWVpNiG3SZka1nklMxzCkTfv7Z2Ix8DL+GqM5cNz
+I0DDfG0sOVfqLlcraumu7wZpY+KRGSBN9EF1ZZ9GOX7SwTn57U3yYd0xMIIFujCC
+A6KgAwIBAgIJAMtBg6xEFRDTMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAlVL
+MRAwDgYDVQQIDAdFbmdsYW5kMR8wHQYDVQQKDBZYbWxzZWN1cml0eSBFQ0RTQSBU
+ZXN0MScwJQYDVQQDDB5YbWxzZWN1cml0eSBFQ0RTQSBUZXN0IFJvb3QgQ0EwIBcN
+MTgwNjA2MTUyMDIxWhgPMjExODA1MTMxNTIwMjFaMGkxCzAJBgNVBAYTAlVLMRAw
+DgYDVQQIDAdFbmdsYW5kMR8wHQYDVQQKDBZYbWxzZWN1cml0eSBFQ0RTQSBUZXN0
+MScwJQYDVQQDDB5YbWxzZWN1cml0eSBFQ0RTQSBUZXN0IFJvb3QgQ0EwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCjKXY/LOLDioXDCWBi3GLP29BMDoYx
+J0tkL9Pdir7mBACxRshI9K/eHfzzBURDWycUfW9jU9xPtt2NfJFB3TfUjet4uHkr
+f2K9oZW9QxloVvBSAMPR5393o/cSrcijJ1BA77hilZJQ75t8xOgqBu5uxLfR3yS2
+GHnZAqckavR9y7oQEbmf/b1b+Fa1WWz21RuT82E02M0Ew2/NpvrP7dpkgovyvLPz
+J/pDrdTWOzzYmvNxuKRnHsaDdBSPvgsGmokbZr5GevK5CUYhSumpcD+orZVelFxI
+Fv+KAMAZGlIyyW6Ipv5fs4fGORLJy0h1z2SYzNz41bqnWZsDCruZmEI4RCZkCfq2
+7gEoPQVRjP+RsgpZmnuI2Deyw33Uh/pLtUYf3bjOPnKRThRqzDl7JC27sRhgdUDM
+2KLOPC7IVMG+u94ejOvzSJ5zVdujNvki5OEscN4xPWUDYj/y3QOnDp8MarCd7al4
+P+Dk3niNnkFMLFSl+gbbLjDNcrabtVqCnd/dmgjwiU9k80oNa0jKx7pdKPqPvxKM
+e5xffmkDp9XFdKl7qeDprk5KQ9PtCO00JTVQGhyxapmMuUsJgezpGQSqF5wAKrNm
+dcdHWtFeZDq1IoLMQUS9uMCzzHV5tAfFDX/GnAz2xnPq88RW7nt9LFjzWA8ZsTYf
+/LPjaO+tYim8wQIDAQABo2MwYTAdBgNVHQ4EFgQUIDesPjHcCxXnc1U8kKP6BXGA
+WtUwHwYDVR0jBBgwFoAUIDesPjHcCxXnc1U8kKP6BXGAWtUwDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAByhIRpqnRqr
+z/NrI2+LsQawI5PYFyyA8QDxHJveId8DX7OIJDqoXxdl0pqhPSli+2f1ZaLzfTfY
+av1BT2+ALcVY1DDz4RHSUg1YLk6n+1IPeq4hSAf7JVa13tA8tyK7ghjZMCIzX08Z
+Ux9Wz5FlnGSC/jFg2qRjjlZyHQB4N9mLtPp83OEuQBuFJ2LMd6dHcDDpERjrRGpH
+tLFxYnLKgT745h0A/k/HjZLKs46xJBO1y8ZruOoNKklsTkiysGImhRW4KnLJ5iSS
+/V6vzfaCGcDxSSYlbIT1twEN1lRcCuPlPmm7LgV/X12lACg+UR12/dcJnCe94x4E
+QaydT0wsAzT5WSNh69UOrRp0sDJrKtehhQ+7oGeIqTYQNpnmvA3L3MssRvcyw9wB
+ZUdAAw0Jr3jsgy0wZuYIFSbEUWzTlyhkL2Rhp9zzq4f0AW61m+yDb8QXkPnWJPln
+NrKqKYGTfzQNcMSIkcLiDnAmsBeZOze+iXpnuzZSWqlkPQfGhlFRkJ4jm63H15cX
+Hz2OE7zr/HoMJCxXXUbFVIyHDL2i9GbShHr+DVIM9OgBJ6UEPNEN2RZo4vncNCnQ
+zRZe4H1bvaGnh0SUKoLiE2Jy93LBUKrSygHLOtweerXL2dtHad2qi+SQjWXjYBUr
+Y3U3LDo+kQfo7hfVZ/HdrhK7ldhXbz7nMQA=
+-----END PKCS7-----
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx 
b/xmlsecurity/qa/unit/signing/signing.cxx
index 59be265bcb4b..e1853d4ad235 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx

... etc. - the rest is truncated