libxmlsec/xmlsec1-noverify.patch

   1 --- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c  2009-06-25 22:53:18.000000000 +0200
   2 +++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c    2009-09-23 10:01:07.237316078 +0200
   3 @@ -567,9 +567,16 @@
   4              CertFreeCertificateContext(nextCert);
   5          }
   6
   7 -        if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
   8 -            return(cert);
   9 -        }
  10 +        /* JL: OpenOffice.org implements its own certificate verification routine.
  11 +           The goal is to seperate validation of the signature
  12 +           and the certificate. For example, OOo could show that the document signature is valid,
  13 +           but the certificate could not be verified. If we do not prevent the verification of
  14 +           the certificate by libxmlsec and the verification fails, then the XML signature will not be
  15 +           verified. This would happen, for example, if the root certificate is not installed.
  16 +         */
  17 +/*      if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */
  18 +        if (selected == 1)
  19 +            return cert;
  20      }
  21
  22      return (NULL);
  23 --- misc/xmlsec1-1.2.14/src/nss/x509vfy.c       2009-09-23 10:06:52.989793254 +0200
  24 +++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:05:03.183042205 +0200
  25 @@ -191,13 +191,27 @@
  26             continue;
  27         }
  28
  29 -       status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
  30 -                                       cert, PR_FALSE,
  31 -                                       (SECCertificateUsage)0,
  32 -                                       timeboundary , NULL, NULL, NULL);
  33 -       if (status == SECSuccess) {
  34 -           break;
  35 -       }
  36 +
  37 +       /*
  38 +      JL: OpenOffice.org implements its own certificate verification routine.
  39 +      The goal is to seperate validation of the signature
  40 +      and the certificate. For example, OOo could show that the document signature is valid,
  41 +      but the certificate could not be verified. If we do not prevent the verification of
  42 +      the certificate by libxmlsec and the verification fails, then the XML signature may not be
  43 +      verified. This would happen, for example, if the root certificate is not installed.
  44 +
  45 +      status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
  46 +          cert, PR_FALSE,
  47 +          (SECCertificateUsage)0,
  48 +          timeboundary , NULL, NULL, NULL);
  49 +      if (status == SECSuccess) {
  50 +         break;
  51 +      }
  52 +
  53 +    */
  54 +       status = SECSuccess;
  55 +       break;
  56 +
  57      }
  58
  59      if (status == SECSuccess) {