Posted to dev@poi.apache.org by bu...@apache.org on 2018/03/05 23:59:42 UTC

[Bug 62159] New: Support XML signature over windows certificate store

https://bz.apache.org/bugzilla/show_bug.cgi?id=62159

            Bug ID: 62159
           Summary: Support XML signature over windows certificate store
           Product: POI
           Version: 4.0-dev
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: OPC
          Assignee: dev@poi.apache.org
          Reporter: kiwiwings@apache.org
  Target Milestone: ---

Up till now it was not possible to use a windows certificate store entry to sign
an OPC package, because the code expected the encoded format of the key.
Furthermore there were some SHA2 workarounds in place for an IBM JDK6, which are
now obsolete as we've upgraded to JDK8.

Using the windows keys is not straightforward, as the SunMSCAPI has some
surprises [1] - especially using the private key with the cipher api actually
results in signing with the public key ... therefore the existing code
using the cipher api only works with keys derived from PKCS12 / JKS keystores.

I've refactored a few of the internals, but kept the documented convenience API
[2] as-is.

Another flaw I've discovered by testing the various hashes was that XmlSec is
adding line-breaks to the digests when the base64 encoded hash/digest is longer
than the base64 default line-length of 76 chars. This affects hashes with 64
bytes like SHA512, and Office marks the signature as invalid.
To work around it you need to set the following JVM property [3]:
-Dorg.apache.xml.security.ignoreLineBreaks=true

I haven't hardcoded that setting as I think this is a bad approach, i.e.
setting it in POI (+ security manager handling) is as bad as relying on a JVM
property to be set instead of providing an API for it ...


[1] https://stackoverflow.com/questions/39196145
[2] http://poi.apache.org/encryption.html#Signing+an+office+document
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=42061

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
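An added example (not POI's code and not part of the bug report) that illustrates the two points from the report above: signing with a Windows-MY key through the java.security.Signature API instead of wrapping the private key in Cipher, and why a 64-byte SHA-512 digest crosses the 76-char MIME base64 line limit. The certificate alias is a placeholder; the example assumes a Windows JVM with SunMSCAPI and a signing certificate in the current user's store.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class MscapiSignCheck {
    // Sign with the Signature API: SunMSCAPI keys are handled by the provider
    // itself, so no encoded key material is needed (unlike the Cipher route).
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    // A 64-byte digest encodes to 88 base64 chars; a MIME-style encoder
    // (76-char lines) inserts a line break, which is what the report describes.
    static boolean mimeBase64HasLineBreak(byte[] digest) {
        return Base64.getMimeEncoder().encodeToString(digest).contains("\r\n");
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "PLACEHOLDER-ALIAS"; // hypothetical
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] signature = sign(key, data);
        System.out.println("signature verifies: " + verify(cert.getPublicKey(), data, signature));
        // Code that needs the encoded key form cannot work with a store-backed key.
        System.out.println("encoded key available: " + (key.getEncoded() != null));

        byte[] sha512 = MessageDigest.getInstance("SHA-512").digest(data);
        System.out.println("SHA-512 MIME base64 has line break: " + mimeBase64HasLineBreak(sha512));
    }
}
```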


[Bug 62159] Support XML signature over windows certificate store

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62159

Andreas Beeker <ki...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Andreas Beeker <ki...@apache.org> ---
applied via r1825948

inspired by https://stackoverflow.com/questions/48616473
