xref: /AOO42X/main/libxmlsec/xmlsec1-noverify.patch (revision a893be29343ee97512d484e6e8fefa91df2b44cb)
1cdf0e10cSrcweir--- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c  2009-06-25 22:53:18.000000000 +0200
2cdf0e10cSrcweir+++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c    2009-09-23 10:01:07.237316078 +0200
3cdf0e10cSrcweir@@ -567,9 +567,16 @@
4cdf0e10cSrcweir             CertFreeCertificateContext(nextCert);
5cdf0e10cSrcweir         }
6cdf0e10cSrcweir
7cdf0e10cSrcweir-        if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
8cdf0e10cSrcweir-            return(cert);
9cdf0e10cSrcweir-        }
10cdf0e10cSrcweir+        /* JL: OpenOffice.org implements its own certificate verification routine.
11*a893be29SPedro Giffuni+           The goal is to separate validation of the signature
12cdf0e10cSrcweir+           and the certificate. For example, OOo could show that the document signature is valid,
13cdf0e10cSrcweir+           but the certificate could not be verified. If we do not prevent the verification of
14cdf0e10cSrcweir+           the certificate by libxmlsec and the verification fails, then the XML signature will not be
15cdf0e10cSrcweir+           verified. This would happen, for example, if the root certificate is not installed.
16cdf0e10cSrcweir+         */
17cdf0e10cSrcweir+/*      if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
18cdf0e10cSrcweir+        if (selected == 1)
19cdf0e10cSrcweir+            return cert;
20cdf0e10cSrcweir     }
21cdf0e10cSrcweir
22cdf0e10cSrcweir     return (NULL);
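Review bot: With the chain-construction call commented out, the `selected == 1` branch returns whichever certificate from the candidate list matched, skipping whatever chain, validity or revocation checks that call performed, so a "valid signature" result downstream only proves integrity under a key that may have come from the document itself. The nss hunk makes the same unconditional opt-out with `status = SECSuccess; break;`. The comment explains the UI motive but not the resulting contract; I would add `/* SECURITY: cert is returned UNVERIFIED; the caller must validate the chain before treating the signer as trusted. */` and drop the commented-out `if` line. If the bundled xmlsec honours `XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS` on this path (not visible here), setting it from the caller would keep the opt-out per-context instead of compiled in for every user of the library. The enclosing function starts outside the hunk.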
23cdf0e10cSrcweir--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c   2009-09-23 10:06:52.989793254 +0200
24cdf0e10cSrcweir+++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:05:03.183042205 +0200
25cdf0e10cSrcweir@@ -191,13 +191,27 @@
26cdf0e10cSrcweir        continue;
27cdf0e10cSrcweir    }
28cdf0e10cSrcweir
29cdf0e10cSrcweir-   status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
30cdf0e10cSrcweir-                   cert, PR_FALSE,
31cdf0e10cSrcweir-                   (SECCertificateUsage)0,
32cdf0e10cSrcweir-                           timeboundary , NULL, NULL, NULL);
33cdf0e10cSrcweir-   if (status == SECSuccess) {
34cdf0e10cSrcweir-       break;
35cdf0e10cSrcweir-   }
36cdf0e10cSrcweir+
37cdf0e10cSrcweir+   /*
38cdf0e10cSrcweir+      JL: OpenOffice.org implements its own certificate verification routine.
39*a893be29SPedro Giffuni+      The goal is to separate validation of the signature
40cdf0e10cSrcweir+      and the certificate. For example, OOo could show that the document signature is valid,
41cdf0e10cSrcweir+      but the certificate could not be verified. If we do not prevent the verification of
42cdf0e10cSrcweir+      the certificate by libxmlsec and the verification fails, then the XML signature may not be
43cdf0e10cSrcweir+      verified. This would happen, for example, if the root certificate is not installed.
44cdf0e10cSrcweir+
45cdf0e10cSrcweir+      status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
46cdf0e10cSrcweir+          cert, PR_FALSE,
47cdf0e10cSrcweir+          (SECCertificateUsage)0,
48cdf0e10cSrcweir+          timeboundary , NULL, NULL, NULL);
49cdf0e10cSrcweir+      if (status == SECSuccess) {
50cdf0e10cSrcweir+         break;
51cdf0e10cSrcweir+      }
52cdf0e10cSrcweir+
53cdf0e10cSrcweir+    */
54cdf0e10cSrcweir+   status = SECSuccess;
55cdf0e10cSrcweir+   break;
56cdf0e10cSrcweir+
57cdf0e10cSrcweir     }
58cdf0e10cSrcweir
59cdf0e10cSrcweir     if (status == SECSuccess) {
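Review bot: Setting `status = SECSuccess` and breaking unconditionally stops the loop at the first certificate that survives the `continue` above, so whatever failure handling follows `if (status == SECSuccess)` after the loop can presumably no longer be reached from this path. The disabled `CERT_VerifyCertificate` call is the only use of `timeboundary` visible here, so the verification time is no longer applied and an expired certificate is accepted like any other; the variable may now draw an unused warning. I would state that in the comment, e.g. `/* SECURITY: no chain or validity-time check here; the caller must verify cert before trusting it. */`, and delete the dead call instead of nesting it inside the explanatory comment. The loop and the function begin outside the hunk.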