fdo#72277: Use NSS CACERT in cmis ucp with internal curl

This fix contains two parts: * initialize NSS in the CMIS UCP right before sending an HTTP request in case internal curl is used. This makes internal curl find the NSS CACERT database from the user mozilla profile. * add nsspem to allow curl to use CACERTs from libnssckbi. Without libnsspem curl is unable to read the certificates from the NSS database. The nss-pem code has been extracted from the fedora-hosted repository: https://git.fedorahosted.org/cgit/nss-pem.git Change-Id: Ie8dedf020480cca01bf9761382886566a1150778

fdo#72277: Use NSS CACERT in cmis ucp with internal curl
This fix contains two parts: * initialize NSS in the CMIS UCP right before sending an HTTP request in case internal curl is used. This makes internal curl find the NSS CACERT database from the user mozilla profile. * add nsspem to allow curl to use CACERTs from libnssckbi. Without libnsspem curl is unable to read the certificates from the NSS database. The nss-pem code has been extracted from the fedora-hosted repository: https://git.fedorahosted.org/cgit/nss-pem.git Change-Id: Ie8dedf020480cca01bf9761382886566a1150778
165075e0 · Cédric Bosdonnat · 1a6e47e3 · 165075e0 · 165075e0 · 165075e0
Kaydet (Commit) 165075e0 authored Tem 15, 2014 tarafından Cédric Bosdonnat
5 changed files
--- a/external/nss/ExternalPackage_nss.mk
+++ b/external/nss/ExternalPackage_nss.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
 		dist/out/lib/libnss3.dylib \
 		dist/out/lib/libnssckbi.dylib \
 		dist/out/lib/libnssdbm3.dylib \
+		dist/out/lib/libnsspem.dylib \
 		dist/out/lib/libnssutil3.dylib \
 		dist/out/lib/libplc4.dylib \
 		dist/out/lib/libplds4.dylib \
@@ -33,6 +34,7 @@ $(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
 		dist/out/lib/nss3.dll \
 		dist/out/lib/nssckbi.dll \
 		dist/out/lib/nssdbm3.dll \
+		dist/out/lib/nsspem.dll \
 		dist/out/lib/nssutil3.dll \
 		dist/out/lib/plc4.dll \
 		dist/out/lib/plds4.dll \
@@ -48,6 +50,7 @@ $(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
 		dist/out/lib/libnss3.so \
 		dist/out/lib/libnssckbi.so \
 		dist/out/lib/libnssdbm3.so \
+		dist/out/lib/libnsspem.so \
 		dist/out/lib/libnssutil3.so \
 		dist/out/lib/libplc4.so \
 		dist/out/lib/libplds4.so \

--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
 	external/nss/nss_macosx.patch \
 	external/nss/nss-linux-x86.patch.0 \
 	external/nss/nss-win32-make.patch.1 \
+	external/nss/nss-pem.patch \
 	$(if $(filter WNTMSC,$(OS)$(COM)),external/nss/nss.windows.patch) \
 	$(if $(filter WNTGCC,$(OS)$(COM)),external/nss/nspr-4.9-build.patch.3 \
 		external/nss/nss-3.13.3-build.patch.3 \

--- a/external/nss/nss-pem.patch
+++ b/external/nss/nss-pem.patch
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -32,6 +32,10 @@
 #include <com/sun/star/ucb/UnsupportedOpenModeException.hpp>
 #include <com/sun/star/ucb/XCommandInfo.hpp>
 #include <com/sun/star/ucb/XDynamicResultSet.hpp>
+#include <com/sun/star/xml/crypto/XDigestContext.hpp>
+#include <com/sun/star/xml/crypto/XDigestContextSupplier.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>

 #include <comphelper/processfactory.hxx>
 #include <config_oauth2.h>
@@ -272,6 +276,16 @@ namespace cmis

        if ( NULL == m_pSession )
        {
+            // Initialize NSS library to make sure libcmis (and curl) can access CACERTs using NSS
+            // when using internal libcurl.
+            uno::Reference< com::sun::star::xml::crypto::XNSSInitializer >
+                xNSSInitializer = com::sun::star::xml::crypto::NSSInitializer::create( m_xContext );
+
+            uno::Reference< com::sun::star::xml::crypto::XDigestContext > xDigestContext(
+                    xNSSInitializer->getDigestContext( com::sun::star::xml::crypto::DigestID::SHA256,
+                                                              uno::Sequence< beans::NamedValue >() ),
+                                                              uno::UNO_SET_THROW );
+
            // Set the SSL Validation handler
            libcmis::CertValidationHandlerPtr certHandler(
                    new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );

--- a/ucb/source/ucp/cmis/cmis_repo_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_repo_content.cxx
@@ -15,6 +15,10 @@
 #include <com/sun/star/ucb/XCommandInfo.hpp>
 #include <com/sun/star/ucb/XDynamicResultSet.hpp>
 #include <com/sun/star/ucb/XProgressHandler.hpp>
+#include <com/sun/star/xml/crypto/XDigestContext.hpp>
+#include <com/sun/star/xml/crypto/XDigestContextSupplier.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>

 #include <comphelper/processfactory.hxx>
 #include <config_oauth2.h>
@@ -120,6 +124,16 @@ namespace cmis

    void RepoContent::getRepositories( const uno::Reference< ucb::XCommandEnvironment > & xEnv )
    {
+        // Initialize NSS library to make sure libcmis (and curl) can access CACERTs using NSS
+        // when using internal libcurl.
+        uno::Reference< com::sun::star::xml::crypto::XNSSInitializer >
+            xNSSInitializer = com::sun::star::xml::crypto::NSSInitializer::create( m_xContext );
+
+        uno::Reference< com::sun::star::xml::crypto::XDigestContext > xDigestContext(
+                xNSSInitializer->getDigestContext( com::sun::star::xml::crypto::DigestID::SHA256,
+                                                          uno::Sequence< beans::NamedValue >() ),
+                                                          uno::UNO_SET_THROW );
+
        // Set the proxy if needed. We are doing that all times as the proxy data shouldn't be cached.
        ucbhelper::InternetProxyDecider aProxyDecider( m_xContext );
        INetURLObject aBindingUrl( m_aURL.getBindingUrl( ) );