Apache OpenOffice (AOO) Bugzilla – Issue 76124
Smart card handle is not user friendly
Last modified: 2013-08-07 15:31:14 UTC
I found some problems in OO with certificate handling:
1) It is possible to sign a document with an encipherment certificate. Correct way: It should not be possible. A signing certificate should have the Non Repudiation bit set. Reproduction: Create a certificate with the Key Encipherment bit and try to sign; it will work.
2) On the Windows platform, if you have installed multiple certificates on secure devices (smart card, token), OO asks for them to be put in, or you have to click Cancel. As a tester, I have a lot of them installed, so I have to click Cancel a few times before I get the certificate list. Correct way: acquire the certificate list from Windows, then access the certificate storage and/or crypto device if the certificate on the crypto device is selected.
@ fst: Please have a look.
Hi vargav, please only one problem in a single Issue. @JL Hi Joachim, please have a look at this one. Frank
You are right. Can somebody cut the second half of this ticket and paste it into another? Or should I create a new entry for the second half, and somebody removes the second half of this ticket? b.r. Viktor
For now leave it as it is. But for future Issues keep it in mind. Thanks Frank
Frank can you confirm this (at least the second part)? As for the KeyUsage bits in the certificate, I am not sure if this is processed. However, I do not have a certificate at hand to check this.
https://www.netlock.hu/index.cgi?lang=EN&tem=ANONYMOUS/online/online_indul.tem You can request test certificates here; they are valid for 1 month. The signing certificate includes only the DigSig bit, which is not the best nowadays, but the Encryption certificate has only the Key Encipherment feature. Requesting multiple certificates for signing and importing them into some kind of crypto hardware makes it possible to reproduce the 2nd part of the problem. Requesting an encryption certificate makes it possible to try the first part of the ticket, that you can sign a document with an encryption certificate. Don't forget to import the CA root certificate. (A link you get by mail is usable only, for multiple certificates, you need to get a new mail for each.)
.
If I have more than one secure device connected to the computer at a given time, it must ask for access granting for each and every device. Otherwise this behavior has to be called a security hole, as it would allow access to different keystores with a single entering of a password for different devices. Or did I miss the point? Frank
>If I have more than one secure device connected to the computer at a given time,
>it must ask for access granting for each and every device.
It's OK when you have them connected at the time of signing. As a tester I have a lot of security devices installed, and when I want to test one of them, only one device is connected to the computer. In this case OO still asks for the PINs, passphrases for installed devices, but those are not present at that time, only the certificates registered from them. Maybe it is not a good behavior.
If I connect two storages for Certs to my computer and try to sign a document, I get two questions for Passwords, one for each device. If I try this with only one device connected, I get only one question to enter a password. Those are my findings. Frank
fst: Which type of token did you use? Does it have a cert remove feature on removal? Because I have tried with some tokens and cards too (Micardo card, Oberthur card, Aladdin eToken, iKey 2032, GemSAFE card are installed on my computer). When OO reads the certificate list, it asks for the card and I have to click Cancel a few times until I see the actual token I am currently using. (So this comes up when the usable certificate list is generated.) Of course, OO asks for a password only for the selected card. But the other part of this bug report is more important than this. Please concentrate on it.
I'm using an Omnikey cardman 3121 and a USB Token from Giesecke & Devrient. And yes I can erase the Cert from both stores using the software delivered with the Token and Reader.
Some of the smart card drivers have the feature that, on removal of the SC or token, the certificate isn't removed from the store. This is then the cause of why OO asks for the token or SC. But if you want a list of certificates registered on the computer, you don't need to ask all the tokens; it's enough to ask for it when you are signing with one of these.
Retargeting to 3.0
I have tested the RFC compatibility again on OO3. There is no filtering on the Key Usage bits, and a certificate without the Non Repudiation bit is allowed to be used for signing. Maybe a retargeting to OO4? :) (I have tested the smart card problem too, and I am starting another issue with the included info.)
Oops, I have found that I previously reported the RFC part as bug 60175. So the RFC-compatible handling is already in another bug. Maybe we should close this bug, and the smart card problem, without certificate auto-remove, should be posted into another bug as new? Or is it possible to edit out the bug 60175 info from this bug? The smart card problem is still in OO 3.
You certainly mean issue 90875. You can just edit the summary of this issue to refer to the smart card issue only.
I have edited the subject of this problem. In summary: this ticket now concentrates on the smart card usage problem, copied here: On the Windows platform, if you have installed multiple certificates on secure devices (smart card, token), OO asks for them to be put in, or you have to click Cancel. As a tester, I have a lot of them installed, so I have to click Cancel a few times before I get the certificate list. Correct way: acquire the certificate list from Windows, then access the certificate storage and/or crypto device if the certificate on the crypto device is selected. Still present in OpenOffice 3.00. How are certificates handled by OpenOffice? (Issue 90875 does not connect to it; it is a Nepali dictionary.)
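The Key Usage filtering asked for in the first comment, and reported as still missing in the OO3 retest, shown as an added example that is not part of the issue thread or of OpenOffice's code. It decodes the DER-encoded KeyUsage BIT STRING (RFC 5280) and filters the signing candidates; the names `may_sign_documents`, `signing_candidates` and `SAMPLE_CERTS`, the constructed sample values, and the treatment of a certificate without the extension are assumptions.

```python
# Added example: decode the X.509 KeyUsage BIT STRING (RFC 5280, 4.2.1.3)
# and use it to filter which certificates are offered for document signing.
KEY_USAGE_NAMES = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> frozenset:
    """Return the usage names asserted in a DER-encoded KeyUsage value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(body) * 8 - unused
    return frozenset(
        name for i, name in enumerate(KEY_USAGE_NAMES)
        # Bit 0 is the most significant bit of the first content octet.
        if i < total_bits and body[i // 8] & (0x80 >> (i % 8))
    )

def may_sign_documents(key_usage_der, require_non_repudiation=True):
    """Policy check. None means the certificate carries no KeyUsage extension."""
    if key_usage_der is None:
        # Assumed policy: only the lenient mode accepts an unrestricted key.
        return not require_non_repudiation
    usages = decode_key_usage(key_usage_der)
    if "nonRepudiation" in usages:
        return True
    return not require_non_repudiation and "digitalSignature" in usages

# Constructed sample values: certificate label -> DER KeyUsage extension value.
SAMPLE_CERTS = {
    "qualified-signing": bytes.fromhex("030206c0"),  # digitalSignature + nonRepudiation
    "test-signing": bytes.fromhex("03020780"),       # digitalSignature only
    "encryption": bytes.fromhex("03020520"),         # keyEncipherment only
}

def signing_candidates(certs, require_non_repudiation=True):
    """Labels of the certificates a signing dialog should list."""
    return sorted(name for name, ku in certs.items()
                  if may_sign_documents(ku, require_non_repudiation))

if __name__ == "__main__":
    print("strict :", signing_candidates(SAMPLE_CERTS))
    print("lenient:", signing_candidates(SAMPLE_CERTS, False))
```

In both modes the keyEncipherment-only certificate is never listed, which is the behavior the first comment asks for.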