From: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Date: Tue, 6 Aug 2019 18:20:01 +0000 (+0100)
Subject: show-partial-signatures-even-if-cert-validation-fails
X-Git-Tag: archive/raspbian/1%5.2.7-1+rpi1+deb9u10^2~9
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=078cde758bb09ee2692ffeca55cc4e2a3cec6156;p=libreoffice.git

show-partial-signatures-even-if-cert-validation-fails


Gbp-Pq: Name show-partial-signatures-even-if-cert-validation-fails.diff
---

diff --git a/include/sfx2/signaturestate.hxx b/include/sfx2/signaturestate.hxx
index b2bccf3469c..cd23d029845 100644
--- a/include/sfx2/signaturestate.hxx
+++ b/include/sfx2/signaturestate.hxx
@@ -33,7 +33,9 @@ enum class SignatureState
     NOTVALIDATED  = 4,
     //signatur and certificate are ok,but not al files are signed, as was the case in
     //OOo 2.x - OOo 3.1.1. This state is only used  together with document signatures.
-    PARTIAL_OK    = 5
+    PARTIAL_OK    = 5,
+    /// Certificate could not be validated and the document is only partially signed.
+    NOTVALIDATED_PARTIAL_OK = 6
 };
 
 #endif // INCLUDED_SFX2_SIGNATURESTATE_HXX
diff --git a/sfx2/source/doc/objserv.cxx b/sfx2/source/doc/objserv.cxx
index a2360a2e7fc..1549c9834d8 100644
--- a/sfx2/source/doc/objserv.cxx
+++ b/sfx2/source/doc/objserv.cxx
@@ -1293,7 +1293,9 @@ SignatureState SfxObjectShell::ImplCheckSignaturesInformation( const uno::Sequen
         }
     }
 
-    if ( nResult == SignatureState::OK && !bCertValid )
+    if ( nResult == SignatureState::OK && !bCertValid && !bCompleteSignature )
+        nResult = SignatureState::NOTVALIDATED_PARTIAL_OK;
+    else if (nResult == SignatureState::OK && !bCertValid)
         nResult = SignatureState::NOTVALIDATED;
     else if ( nResult == SignatureState::OK && bCertValid && !bCompleteSignature)
         nResult = SignatureState::PARTIAL_OK;
diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx
index d2a9f1741f3..7f20c8ed6c4 100644
--- a/xmlsecurity/qa/unit/signing/signing.cxx
+++ b/xmlsecurity/qa/unit/signing/signing.cxx
@@ -358,13 +358,14 @@ void SigningTest::testOOXMLPartial()
     SfxObjectShell* pObjectShell = pBaseModel->GetObjectShell();
     CPPUNIT_ASSERT(pObjectShell);
     // This was SignatureState::BROKEN due to missing RelationshipTransform and SHA-256 support.
-    // We expect NOTVALIDATED in case the root CA is not imported on the system, and PARTIAL_OK otherwise, so accept both.
+    // We expect NOTVALIDATED_PARTIAL_OK in case the root CA is not imported on the system, and PARTIAL_OK otherwise, so accept both.
+    // But reject NOTVALIDATED, hiding incompleteness is not OK.
     SignatureState nActual = pObjectShell->GetDocumentSignatureState();
     CPPUNIT_ASSERT_MESSAGE(
         (OString::number(
              static_cast<std::underlying_type<SignatureState>::type>(nActual))
          .getStr()),
-        (nActual == SignatureState::NOTVALIDATED
+        (nActual == SignatureState::NOTVALIDATED_PARTIAL_OK
          || nActual == SignatureState::PARTIAL_OK));
 }