Posted to dev@poi.apache.org by bu...@apache.org on 2018/03/05 23:59:42 UTC
[Bug 62159] New: Support XML signature over windows certificate store
https://bz.apache.org/bugzilla/show_bug.cgi?id=62159
Bug ID: 62159
Summary: Support XML signature over windows certificate store
Product: POI
Version: 4.0-dev
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: OPC
Assignee: dev@poi.apache.org
Reporter: kiwiwings@apache.org
Target Milestone: ---
Up till now it was not possible to use a windows certificate store entry to sign
an OPC package, because the code expected the encoded format of the key.
Furthermore there were some SHA2 workarounds in place for an IBM JDK6, which are
now obsolete as we've upgraded to JDK8.

Using the windows keys is not straightforward, as the SunMSCAPI has some
surprises [1] - especially using the private key with the cipher API actually
results in signing it with the public key ... therefore the existing code
using the cipher API only works with keys derived from PKCS12 / JKS keystores.

I've refactored a few of the internals, but kept the documented convenience API
[2] as-is.

Another flaw I've discovered by testing the various hashes was that XmlSec is
adding line breaks to the digests when the base64-encoded hash/digest is longer
than the base64 default line length of 76 chars. This affects hashes with 64
bytes like SHA512, and Office marks the signature as invalid.

To work around this, you need to set the following JVM property [3]:

-Dorg.apache.xml.security.ignoreLineBreaks=true

I haven't hardcoded that setting as I think this is a bad approach, i.e.
setting it in POI (+ security manager handling) is as bad as relying on a JVM
property to be set instead of providing an API for it ...

[1] https://stackoverflow.com/questions/39196145
[2] http://poi.apache.org/encryption.html#Signing+an+office+document
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=42061
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
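
The line-break problem described in the report above can be checked for in a generated signature part; the following is an added example, not code from POI, XmlSec or the reporter. It assumes that the 76-character wrapping of `java.util.Base64.getMimeEncoder()` is a fair stand-in for the wrapping the report describes, and the class name `DigestLineBreakCheck` and the sample input are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class DigestLineBreakCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Counts DigestValue elements whose text contains a line break.
    static int countWrappedDigests(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The signature part is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagNameNS(DSIG_NS, "DigestValue");
        int wrapped = 0;
        for (int i = 0; i < nodes.getLength(); i++) {
            String text = nodes.item(i).getTextContent();
            if (text.indexOf('\n') >= 0 || text.indexOf('\r') >= 0) {
                wrapped++;
            }
        }
        return wrapped;
    }

    // Builds a constructed Reference fragment for one digest algorithm.
    static String reference(String algorithm, Base64.Encoder enc) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest("constructed sample part".getBytes(StandardCharsets.UTF_8));
        return "<Reference xmlns=\"" + DSIG_NS + "\"><DigestValue>"
                + enc.encodeToString(digest) + "</DigestValue></Reference>";
    }

    public static void main(String[] args) throws Exception {
        // Digest sizes: SHA-1 20, SHA-256 32, SHA-384 48, SHA-512 64 bytes.
        for (String alg : new String[] {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}) {
            int mime = countWrappedDigests(reference(alg, Base64.getMimeEncoder()));
            int plain = countWrappedDigests(reference(alg, Base64.getEncoder()));
            System.out.printf("%-7s wrapped at 76 chars: %d, unwrapped: %d%n", alg, mime, plain);
        }
    }
}
```

Only the 64-byte SHA-512 digest encodes to more than 76 base64 characters (88), so it is the only one of the four that the wrapping encoder splits across lines.
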
[Bug 62159] Support XML signature over windows certificate store
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62159
Andreas Beeker <ki...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #1 from Andreas Beeker <ki...@apache.org> ---
applied via r1825948
inspired by https://stackoverflow.com/questions/48616473