shameless self-promoting website
»Rejourn root
»LibreOffice Community Blogs
Posted Thursday, 05 July 2018 by Miklos Vajna
Tags: en libreoffice xmlsec

I wrote about ECDSA handling in LibreOffice last year, back then the target was to be able to verify signatures using the ECDSA algorithm on Linux.

Lots of things happened since then, this post is meant to summarize those improvements. My personal motivation is that Hungarian eID cards come with a gov-trusted ECDSA (x509) cert, so handling those in LibreOffice would be nice. My goals were:

  • platforms: handling Windows as well, not only Linux/macOS

  • operations: handling signing as well, not only verification

  • formats: cover all of ODF, OOXML and PDF

Let’s see what has happened:

  • Linux, ODF, sign: we had hardcoded RSA algorithm when generating a signature, now we infer the sign algorithm from the signing cert algorithm (commit)

  • Linux, OOXML, sign: same problem with hardcoded RSA (commit)

  • Windows, PDF, sign: the certificate chooser had to be ported to from CryptoAPI to CNG (commit)

  • Windows, ODF, verify / sign: this was the largest problem, this required a whole new libxmlsec backend (interface, implementation, all in C90) and also required conditionally using that new backend in LibreOffice (commit)

  • Windows, OOXML, sign: this was almost functional, except that the UI recently regressed, now fixed (commit)

  • Finally now that everything is ported on Windows to use CNG, I could enable it by default yesterday.

I could test hardware-based signing after this, which was fine out of the box on both platforms. Some screenshots:

  • Linux:

  • Windows:


(There is no reason why this would not work on macOS, but I did not test that.)

Thanks Gabor Kelemen who helped me to get a sane card reader that has reasonable driver support on Linux.

All this is available in master (towards LibreOffice 6.2), or you can grab a daily build and try it out right now. :-)