Bug 158839 (OpenPGP)

Summary: [META] OpenPGP bugs and enhancements
Product: LibreOffice
Reporter: steve <lo>
Component: LibreOffice
Assignee: Not Assigned <libreoffice-bugs>
Status: NEW
Severity: normal
CC: lo
Priority: medium
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Crash report or crash signature:
Regression By:
Bug Depends on: 108828, 115884, 133941, 156979, 157724, 159040, 159586, 159587, 160701, 152524, 155125, 156344, 156352, 159307, 160184
Bug Blocks:

Description steve 2023-12-23 15:27:11 UTC
Description:
Meta bug for known issues and open feature requests around OpenPGP usage in LibreOffice.

Steps to Reproduce:
meta bug

Actual Results:
meta bug

Expected Results:
still a meta bug


Reproducible: Always


User Profile Reset: No

Additional Info:
meta bug
Comment 1 kolAflash 2024-05-27 13:12:12 UTC
I found some problems with GPG and related NSS (X.509) problems, for which no bug report seems to exist yet. So I list them here to keep track of them. Please feel free to formulate separate tickets for them.


By the way, this is how I understand the terminology.
OpenPGP: open technical standard
PGP: initial proprietary software from which OpenPGP originated
GnuPG (short GPG): Open Source implementation by GNU
So LibreOffice encrypts and signs by the OpenPGP standard, using GnuPG as keyring.


Save dialog -> Password and GPG encryption:
https://git.libreoffice.org/core/+/ca5c9591ba38ad83415a2d4ced98bfc74d30b032/sfx2/source/dialog/filedlghelper.cxx#1420
`mbPwdCheckBoxState` becomes also set to true if the file is OpenPGP encrypted. (not with a password)
https://git.libreoffice.org/core/+/ca5c9591ba38ad83415a2d4ced98bfc74d30b032/sfx2/source/dialog/filedlghelper.cxx#1538
LO also asks for a password if `CHECKBOX_GPGENCRYPTION` && `CHECKBOX_PASSWORD` are checked. But only encrypts using GPG and discards the password.


GPG "Certificate Manager" for OpenPGP:
Make clear that the term "Certificate Manager" refers to the GPG keyring for OpenPGP keys.
(GPG can also handle X.509, but LibreOffice doesn't use that feature)
The GPG "Certificate Manager" is NOT for X.509. Instead, LibreOffice uses Mozilla (Firefox, Thunderbird, SeaMonkey) to manage X.509 certificates.
The term "Certificate Manager" is found here:
- File -> Digital Signatures -> Digital Signatures...
  -> Certificate Chooser -> Start Certificate Manager
- Options -> LibreOffice -> Security -> Certificate Manager
It runs one of these programs as GUI for managing GPG.
https://git.libreoffice.org/core/+/ca5c9591ba38ad83415a2d4ced98bfc74d30b032/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx#74
Here's a bug report, which is a mess up resulting from this obscurity:
https://bugs.documentfoundation.org/show_bug.cgi?id=133941#c6
"Start Certificate Manager in Windows should start certificates system store"
FUTURE TODO:
Think about loading OpenPGP keys and X.509 certificates from a common source. Either Thunderbird (Firefox has no OpenPGP) or GnuPG/GPG. Both can manage OpenPGP and X.509.
(Thunderbird >= 78 introduced its own OpenPGP store in 2020)


CertificateChooser dialog:
Give a hint that the X.509 keys are from Mozilla (Firefox / Thunderbird / SeaMonkey), but the GPG keys are from GnuPG and NOT from Mozilla. (Thunderbird >= 78 introduced an internal GPG keyring in 2020)
More problems in this dialog:
- Table has column headers for `Issued to`, `Issued by` and `Expiration date`.
  But the column only contains `Issued to` stretched to full width.
  - REGRESSION (working in LO-7.4)
  - Outdated X.509 certificates can't be identified.
- Filtering doesn't work for X.509 (only for GPG).
- X.509 and PGP entries for the same identity (email / name) can't be easily distinguished.
  - Workaround: misuse the broken filtering *(see below)* to tell GPG and X.509 apart 🤪


Encrypt ODF:
CertificateChooser lists GPG keys for ENCRYPTION which are marked for SIGNING ONLY.
Error message when encrypting: "OpenPGP key not trusted, damaged, or encryption failure. Please try again."
GNUPGHOME=libreoffice.git/test/signing-keys has a sign-only and an encrypt-only PUBLIC key.
TODO: Add private test keys with sign-only and encrypt-only to test the other way around when signing.


Broken window resize rules:
View Certificate  # can't read long lines in "Details" tab, resize blocked
Options -> LibreOffice -> Security -> Certificate Path / Certificate


X.509: ODF signing: X.509 signing doesn't work
REGRESSION
Worked for outdated and for valid certificates in LO-7.4.
Broken in: LO-24.8.0.0.alpha1+ (Build ID: 71f3be3bee2e8a07f85594c02a9b44627b219e95)
Valid certificate - stderr:
warn:xmlsecurity.xmlsec:3979175:3979175:xmlsecurity/source/xmlsec/errorcallback.cxx:54: x509vfy.c:480: xmlSecNssX509StoreVerifyCert() '' '' 71 'subject="E=EMAIL@EXAMPLE.ORG,CN=FIRSTNAME LASTNAME"; reason=-8179'
Outdated certificate - stderr:
warn:xmlsecurity.xmlsec:3976088:3976088:xmlsecurity/source/xmlsec/errorcallback.cxx:54: x509vfy.c:470: xmlSecNssX509StoreVerifyCert() '' '' 76 'subject="E=EMAIL@EXAMPLE.ORG,CN=FIRSTNAME LASTNAME"; reason=expired'


X.509 & GPG: PDF signing:
Linked bug 115884 because it's a problem for X.509 caused by the introduction of GPG.
https://bugs.documentfoundation.org/show_bug.cgi?id=115884#c18
"PDF signing should mention it only works with x509 certificates"


X.509: NSS Password dialog:
Make clear that a Mozilla profile password is requested and for which Mozilla profile.
The dialog currently only states:
"Enter password to open file: NSS Certificate DB"
(normal users won't even know what's "NSS")


X.509: CertificateChooser:
Make clear from which Mozilla profile the X.509 keys are loaded. Else the user might look for a key from another profile. It's NOT enough to show this hint in the NSS Password dialog, because the Mozilla profile might not have a password.
Additionally the dialog only shows one X.509 certificate per email and it's unclear which one (probably the one imported into Thunderbird first). That's a problem when outdated certificates are not deleted from Thunderbird, which is common practice to continue reading old mails.
Related:
https://bugs.documentfoundation.org/show_bug.cgi?id=119811
"LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents"
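The capability problem described in the comment above (sign-only keys being offered for encryption, and chooser entries that do not say whether a key can sign, encrypt, or has expired) can be checked against GnuPG's machine-readable key listing. The script below is an added example written for this page; it is not LibreOffice code and not part of the bug report. It assumes the colon-record layout of `gpg --list-keys --with-colons` in GnuPG 2.x (field 12 of a `pub` record carries the capability letters, lowercase for the primary key alone and uppercase for the key as a whole; field 2 is the validity letter; field 7 the expiry as epoch seconds), and it runs on a constructed listing with made-up key IDs, fingerprints and user IDs instead of a real keyring.

```python
"""Filter OpenPGP keys by capability from `gpg --list-keys --with-colons` output.

Added example (not LibreOffice code). Assumption: GnuPG 2.x colon records,
where a `pub` record's field 12 lists capability letters (e/s/c/a lowercase
for the primary key, E/S/C/A uppercase for primary plus subkeys).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample listing (made-up key IDs, fingerprints and user IDs):
# a normal sign+encrypt key, a sign-only key, an encrypt-only key
# (certify-only primary with an encryption subkey) and an expired key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:1111111111111111:1700000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::AAAA::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:2222222222222222:1700000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:255:22:3333333333333333:1700000000:::u:::scSC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1700000000::BBBB::Sign Only <signer@example.org>::::::::::0:
pub:u:255:22:4444444444444444:1700000000:::u:::cE::::::23::0:
fpr:::::::::4444444444444444444444444444444444444444:
uid:u::::1700000000::CCCC::Encrypt Only <encrypt@example.org>::::::::::0:
sub:u:255:18:5555555555555555:1700000000::::::e::::::23:
fpr:::::::::5555555555555555555555555555555555555555:
pub:e:255:22:6666666666666666:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::6666666666666666666666666666666666666666:
uid:e::::1500000000::DDDD::Expired Key <old@example.org>::::::::::0:
sub:e:255:18:7777777777777777:1500000000:1600000000:::::e::::::23:
"""

# gpg validity letters that make a key unusable: expired, revoked, invalid.
UNUSABLE_VALIDITY = set("eri")


@dataclass
class PgpKey:
    keyid: str
    validity: str = ""       # field 2 of the pub record
    expires: str = ""        # field 7, epoch seconds or "" for never
    capabilities: str = ""   # field 12, e.g. "scESC"
    fingerprint: str = ""    # from the fpr record following pub
    uids: list = field(default_factory=list)

    @property
    def effective_caps(self) -> set:
        """Uppercase letters = what the key as a whole (primary + subkeys) can do."""
        return {c for c in self.capabilities if c.isupper()}


def parse_colon_listing(text: str) -> list:
    """Group pub/fpr/uid records into PgpKey objects; other records are ignored."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = PgpKey(keyid=f[4], validity=f[1], expires=f[6],
                             capabilities=f[11] if len(f) > 11 else "")
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]      # first fpr after pub is the primary key
        elif f[0] == "uid" and current is not None:
            current.uids.append(f[9])       # field 10 holds the user ID
    return keys


def keys_usable_for(keys: list, purpose: str) -> list:
    """Keep only keys that can actually encrypt (E) or sign (S) and are still valid."""
    need = {"encrypt": "E", "sign": "S"}[purpose]
    return [k for k in keys
            if need in k.effective_caps and k.validity not in UNUSABLE_VALIDITY]


def label(key: PgpKey) -> str:
    """Chooser-style label that states key type, capabilities and expiry explicitly."""
    caps = "+".join(name for letter, name in (("S", "sign"), ("E", "encrypt"))
                    if letter in key.effective_caps) or "certify-only"
    exp = ("never" if not key.expires else
           datetime.fromtimestamp(int(key.expires), tz=timezone.utc).date().isoformat())
    uid = key.uids[0] if key.uids else key.keyid
    return f"{uid} [OpenPGP, {caps}, expires {exp}]"


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for purpose in ("encrypt", "sign"):
        print(f"Usable for {purpose}:")
        for k in keys_usable_for(keys, purpose):
            print("  " + label(k))
```

Run against a real keyring, the same parser takes the output of `gpg --list-keys --with-colons` on stdin; the point of `keys_usable_for` is that an encryption chooser should test for the uppercase `E` capability and the validity letter rather than listing every `pub` record, which is exactly the gap the "OpenPGP key not trusted, damaged, or encryption failure" message papers over.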
Comment 2 Commit Notification 2024-05-27 20:18:41 UTC
Moritz Duge committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/55e74a33c757ffa40ce2ea50d986c60b9c84732b

Related tdf#158839: pw and GPG encryption, add comments and TODOs

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 3 steve 2024-06-02 15:57:30 UTC
Can you please file individual bugs, ideally one problem per bug. This here is a meta bug. You can then connect your bugs with this meta bug here.