PDF signing: don't fail unittest on invalid certificates

Without this, expired/not yet valid certificates, as well as certificates without private key, make test needlessly fail. Change-Id: Ic8ff85db54f1f1b1fb49fde82424f597f1555c96 Reviewed-on: https://gerrit.libreoffice.org/42434Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>

PDF signing: don't fail unittest on invalid certificates
Without this, expired/not yet valid certificates, as well as certificates without private key, make test needlessly fail. Change-Id: Ic8ff85db54f1f1b1fb49fde82424f597f1555c96 Reviewed-on: https://gerrit.libreoffice.org/42434Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
2caf3904 · Mike Kaganski · Miklos Vajna · 07fef83b · 2caf3904 · 2caf3904
Kaydet (Commit) 2caf3904 authored Eyl 18, 2017 tarafından Mike Kaganski Kaydeden (comit) Miklos Vajna Eyl 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 8 deletions

log-areas.dox include/sal/log-areas.dox +1 -0

pdfsigning.cxx xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +40 -8

No files found.
--- a/include/sal/log-areas.dox
+++ b/include/sal/log-areas.dox
@@ -533,6 +533,7 @@ certain functionality.
 @li @c xmlsecurity.helper
 @li @c xmlsecurity.ooxml - OOXML signature support
 @li @c xmlsecurity.pdfio - signing of existing PDF
+@li @c xmlsecurity.pdfio.test
 @li @c xmlsecurity.xmlsec - xmlsec wrapper
 @li @c xmlsecurity.xmlsec.gpg - gpg xmlsec component


--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -19,6 +19,11 @@
 #include <documentsignaturemanager.hxx>
 #include <pdfio/pdfdocument.hxx>

+#ifdef _WIN32
+ #define WIN32_LEAN_AND_MEAN
+ #include <windows.h>
+#endif
+
 using namespace com::sun::star;

 namespace
@@ -162,24 +167,51 @@ bool PDFSigningTest::sign(const OUString& rInURL, const OUString& rOutURL, size_
        CPPUNIT_ASSERT_EQUAL(nOriginalSignatureCount, aSignatures.size());
    }

+    bool bSignSuccessful = false;
    // Sign it and write out the result.
    {
        uno::Reference<xml::crypto::XSecurityEnvironment> xSecurityEnvironment = xSecurityContext->getSecurityEnvironment();
        uno::Sequence<uno::Reference<security::XCertificate>> aCertificates = xSecurityEnvironment->getPersonalCertificates();
-        if (!aCertificates.hasElements())
+        DateTime now(DateTime::SYSTEM);
+        for (auto& cert : aCertificates)
        {
-            // NSS failed to parse it's own profile or Windows has no certificates installed.
-            return false;
+            css::util::DateTime aNotValidAfter = cert->getNotValidAfter();
+            css::util::DateTime aNotValidBefore = cert->getNotValidBefore();
+
+            // Only try certificates that are already active and not expired
+            if ((now > aNotValidAfter) || (now < aNotValidBefore))
+            {
+                SAL_WARN("xmlsecurity.pdfio.test", "Skipping a certificate that is not yet valid or already not valid");
+            }
+            else
+            {
+                bool bSignResult = aDocument.Sign(cert, "test", /*bAdES=*/true);
+#ifdef _WIN32
+                if (!bSignResult)
+                {
+                    DWORD dwErr = GetLastError();
+                    if (dwErr == CRYPT_E_NO_KEY_PROPERTY)
+                    {
+                        SAL_WARN("xmlsecurity.pdfio.test", "Skipping a certificate without a private key");
+                        continue; // The certificate does not have a private key - not a valid certificate
+                    }
+                }
+#endif
+                CPPUNIT_ASSERT(bSignResult);
+                SvFileStream aOutStream(rOutURL, StreamMode::WRITE | StreamMode::TRUNC);
+                CPPUNIT_ASSERT(aDocument.Write(aOutStream));
+                bSignSuccessful = true;
+                break;
+            }
        }
-        CPPUNIT_ASSERT(aDocument.Sign(aCertificates[0], "test", /*bAdES=*/true));
-        SvFileStream aOutStream(rOutURL, StreamMode::WRITE | StreamMode::TRUNC);
-        CPPUNIT_ASSERT(aDocument.Write(aOutStream));
    }

    // This was nOriginalSignatureCount when PDFDocument::Sign() silently returned success, without doing anything.
-    verify(rOutURL, nOriginalSignatureCount + 1, /*rExpectedSubFilter=*/OString());
+    if (bSignSuccessful)
+        verify(rOutURL, nOriginalSignatureCount + 1, /*rExpectedSubFilter=*/OString());

-    return true;
+    // May return false if NSS failed to parse it's own profile or Windows has no valid certificates installed.
+    return bSignSuccessful;
 }

 void PDFSigningTest::testPDFAdd()