Apache OpenOffice (AOO) Bugzilla – Issue 39382
OOo won't access certificate stored in token or SmartCard
Last modified: 2006-10-21 12:43:36 UTC
Once a certificate is stored in Mozilla's Software Security Device, I am able to sign documents using it. However, certificates stored in hardware devices, such as a USB Token, are not accessed even though they are correctly configured in Mozilla and can be used by it to sign e-mails. Since these certificates stored in hardware are usable in Evolution through libnss, I assume that OOo has still to implement the interface to access these devices. Is this currently a restriction or are there plans to implement access to hardware devices through libnss?
Environment: SuSE Linux 9.2, Java 1.5.0, OOo 2.0 (1.9 m65), eAladdin eToken Pro
framework issue.
reassigned to requirements...
This issue is duplicate to issue 39448... *** This issue has been marked as a duplicate of 39448 ***
reopened for fixing an Issue with USB Sticks bound to Mozilla's security device
Hi Malte, please have a look at this Issue. Frank
Have a look at the latest comment from rfsalomon in Issue 39448 also. Frank
set to NEW
Any progress on this issue? If needed, I can provide the required modules for the USB token I'm using.
Please see comments on issue 46283
JL...
keyword security
retargeted due to workload
With 2.0.0 out the door, are we ready to start work on this issue? I would like to remind that digital signatures are an important issue for government users here in Brazil.
I understand the workload issue but fixing this and issue 46283 would make OpenOffice.org a must for Brazilian Public Service. Is there any documentation regarding how OOo accesses Mozilla's NSS libraries?
Unfortunately there is no documentation available.
So this is one of those cases where the code is the only available documentation? Surely someone must have some kind of doc available on the implementation of digital signatures in OOo. I don't mean the user spec available, but some real info on how the OOo/libnss was made...
Downloaded and tested 2.0.1 RC1. Despite the mention on the changelog of work having been done in xmlsecurity to address smartcard access the problem continues on Linux.
Due to limited resources and time release the fix will not make it into 2.0.2, sorry. Retargeting to OOo 2.0.3
retarget to 2.0.4
Please verify. re-open issue and reassign to fst@openoffice.org
reassign to fst@openoffice.org
reset resolution to FIXED
*** Issue 65771 has been marked as a duplicate of this issue. ***
found fixed on cws jl34
Found integrated on master m181
Hello OpenOffice Developers, I want to help you to integrate smartcards directly into openoffice using PKCS#11 implementation without the need of external Mozilla dependency. I have implemented PKCS#11 support into OpenVPN, OpenSSH, GnuPG, QCA, and I think I can help you to do it for OpenOffice as well, using OpenSSL or GnuTLS for your choice. The problem is that I am not a GUI programmer, I can lay the infrastructure for you if you point me to the right interface. More info is at: http://alon.barlev.googlepages.com/ Best Regards, Alon Bar-Lev.
OOo currently uses the Mozilla certificate store and certificate verification function. Moreover it uses the libxmlsec (external project) which uses itself Mozilla functionality. The libxmlsec could be configured to use another PKI framework, such as OpenSSL. However, Mozilla already brings a GUI for certificate management. Direct support of PKCS#11 is certainly interesting but does not seem to solve the problem of the dependency to Mozilla. Currently we do not intend to implement a certificate store on our own. Frankly, this should be part of the operating system. Was your idea to completely get rid of the dependency or only decouple the PKCS#11 functionality?
Hello,

Let's divide the subject into two:

1. Signing document, this process requires user private credential and X.509 certificate. Here there should be a simple implementation to use PKCS#12 files or PKCS#11 tokens in order to actually perform the signature, using libxmlsec and OpenSSL. If using PKCS#12 based storage, GUI should prompt the user for a file and passphrase. If using PKCS#11 based token, GUI should prompt the user with a list of certificates and allow the user to select one. Also a GUI should be available to allow user to specify which providers to load. This should be simple enough, and can be integrated directly into Open Office.

2. Verifying document, this process requires validating a certificate chain. This feature is more complex only because it involves more GUI... Since it really doesn't access any user private credentials. But actually it is quite simple... Since the verification using libxmlsec and OpenSSL should be simple. Displaying the certificate chain using text dump is also simple enough. The problem is verifying the certificate chain, downloading CRLs, using OCSP etc...

> OOo currently uses the mozilla certificate store and certificate verification
> function.

True... But it is not built in... I don't think I am simple user, but I was unable to activate it... The external dependency makes it very hard. One option is integrating NSS into your build, but I find OpenSSL better API.

> Moreover it uses the libxmlsec (external project) which uses itself
> mozilla functionality. The libxmlsec could be configured to use another PKI
> framework, such as OpenSSL. However, Mozilla already brings a GUI for
> certificate management.

True... But I think the GUI should be Open Office built-in... To be user friendly, many people have already national id cards, and wish to sign... But in KDE/Open Office environment, external dependency of Mozilla is not intuitive.

> Direct support of PKCS#11 is certainly interesting but does not seem to solve
> the problem of the dependency to Mozilla. Currently we do not intend to
> implement a certificate store on our own. Frankly, this should be part of the
> operating system.

Well... I don't agree... Operating system should handle resource allocation... and be as small as it can... (Unlike Windows...). Operating system should not pop up dialogs (Unlike Windows, again). Maybe you refer to a common library that can be used by multiple applications... But again, I don't think this common library should provide user interface, but allow you to perform your requirements using a simple API. NSS is one API.... But you should implement a UI to integrate correctly, OpenSSL is another, the same effort of integrating UI, with simpler API. KDE has its own certificate store, I am sure Gnome has one also...

> Was your idea to completely get rid of the dependency or only decouple the
> PKCS#11 functionality?

I think PKI functionality should be integrated into Open Office. So first stage is to integrate this functionality, then what most projects find hard to accomplish is to integrate smart card functionality. Here I usually come to help... :) But reading your response, I think I can help you also with integrating PKI functionality... I prefer OpenSSL, this does require some UI additions. And we can do the chain checking in steps, first one is to require CRLs already downloaded, second stage is to use OCSP, third is to download CRL automatically.

In short... I think it is very important to integrate X.509 into Open Office, thus allowing out of the box solution for users, this solution should support smartcards using PKCS#11 interface, to be used in Windows and *inux environments.

Best Regards,
Alon Bar-Lev.
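Added example, not part of the thread and not OpenOffice.org or libxmlsec code: the first chain-checking stage proposed in the comment above (CRLs already downloaded, no OCSP, no automatic fetch), shown with the OpenSSL command-line tool. The CA, signer certificate, CRL, file names and the function name `offline_crl_check` are all constructed for the illustration.

```shell
#!/bin/sh
# Added example: constructed CA, signer and CRL; not OpenOffice.org code.
# Prints the verify result before and after the signer is revoked.
offline_crl_check() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Constructed Demo CA" -keyout ca.key -out ca.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed Signer" -keyout signer.key -out signer.csr &&
    openssl ca -batch -config ca.cnf -in signer.csr -out signer.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem
  } >/dev/null 2>&1 || exit 1
  check() {  # stage 1: the CRL is a local file, nothing is fetched
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem signer.pem 2>&1)
    case $out in *"certificate revoked"*) echo REVOKED ;; *": OK"*) echo OK ;; *) echo ERROR ;; esac
  }
  before=$(check)
  { openssl ca -config ca.cnf -revoke signer.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem; } >/dev/null 2>&1 || exit 1
  echo "$before $(check)"
)
offline_crl_check
```

The same signer certificate verifies against the first CRL and is rejected against the CRL issued after revocation, so in this stage the answer depends on how recent the local CRL file is.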
> True... But it is not built in... I don't think I am simple user, but I was unable to
> activate it... The external dependency makes it very hard.

This has certainly to do with the right Mozilla/Firefox profile that has not been found. Selecting the proper profile should be improved in OOo. However, this idea was postponed because of lack of resources.

Integrating PKI into OOo is interesting but I would still rely on external libraries for signature and certificate validation. Since this is a sensible area it needs a great deal of time to maintain this particular code in terms of security and compliance to specifications, such as RFC3280, ISIS-MTT.

I do not want to put you off but currently there is no one available (who I know of) who could spend time on this. Nevertheless, you could start a discussion on dev@openoffice.org with regard to integrating PKI in OOo. This may be the place to find other developers who are willing to contribute. But do not underestimate the effort for creating a feature specification and GUI.

If you are interested in helping with the current implementation, there come two things to mind:

1. Help for selecting the right Mozilla profile (Unix). For example, when the user wants to sign a document or receives a signed document for the first time, he could be asked by a dialog to select the proper profile. The profile should also be selectable in the options.

2. We are using an older version of libxmlsec which contains a lot of bugfixes. To migrate to using the latest version, it is necessary to
- evaluate every fix made
- confer with the owner of libxmlsec if the fix can be integrated there
- if not apply the fix in the latest version.
I assume that this alone could cost a couple of weeks.

What do you think?
> Integrating PKI into OOo is interesting but I would still rely on external
> libraries for signature and certificate validation. Since this is a sensible
> area it needs a great deal of time to maintain this particular code in terms of
> security and compliance to specifications, such as RFC3280, ISIS-MTT.

This is why you have OpenSSL library... This is the only major external dependency you have to integrate, dropping much more problematic dependency of Mozilla and NSS.

> I do not want to put you off but currently there is no one available (who I know
> of) who could spend time on this.

Well.. I hope you add the removal of Mozilla dependency into your roadmap, and remember me when you reach to the point when you start implementing that.

> But do not underestimate
> the effort for creating a feature specification and GUI.

I don't! Because of this I did not send a patch... :)

> 1. Help for selecting the right Mozilla profile (Unix). For example, when the

I won't do that, since I think it is wrong approach. I will be able to help dropping this dependency when you have resources for this.

> 2. We are using an older version of libxmlsec which contains a lot of bugfixes.

I can help with this one. But I rather see you have roadmap to dropping Mozilla first, so I will be able to provide you a full solution based on libxmlsec and OpenSSL. I will do this in stages (of course), first integrating new version into current codebase, then continue to the second stage. It is just entering a new project, especially as large as Open Office, requires vast resource investment, even before the first line of code... So I need to know we are going to a direction I like... :)

Thank you for your offerings!