Posted to commits@poi.apache.org by ki...@apache.org on 2020/03/18 21:11:57 UTC
svn commit: r1875393 - in /poi/site/publish: changes.html
components/index.html encryption.html
Author: kiwiwings
Date: Wed Mar 18 21:11:57 2020
New Revision: 1875393
URL: http://svn.apache.org/viewvc?rev=1875393&view=rev
Log:
Updated to XMLSec 2.1.5 and updated the signature debugging section
Modified:
poi/site/publish/changes.html
poi/site/publish/components/index.html
poi/site/publish/encryption.html
Modified: poi/site/publish/changes.html
URL: http://svn.apache.org/viewvc/poi/site/publish/changes.html?rev=1875393&r1=1875392&r2=1875393&view=diff
==============================================================================
--- poi/site/publish/changes.html (original)
+++ poi/site/publish/changes.html Wed Mar 18 21:11:57 2020
@@ -217,6 +217,13 @@ document.write("Last Published: " + docu
4.1.3 (2020-05-??)
</h2>
<div class="section">
+<a name="Summary"></a>
+<h3 class="boxed">Summary</h3>
+<ul>
+
+<li>Upgrade to XMLSec 2.1.5</li>
+
+</ul>
<a name="Changes"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
@@ -234,6 +241,10 @@ document.write("Last Published: " + docu
<tbody>
<tr class="action">
+<td><img class="icon" alt="add" src="images/add.png"></td><td><a href="https://github.com/apache/poi/pull/167">github-167</a></td><td>HSMF</td><td>HSMF enhancements - NamedIdChunk, MultiValueChunks, ByteChunkDeferred</td>
+</tr>
+
+<tr class="action">
<td><img class="icon" alt="fix" src="images/fix.png"></td><td></td><td>SS_Common</td><td>Fix incorrect handling of format which should not produce any digit for zero</td>
</tr>
@@ -244,6 +255,14 @@ document.write("Last Published: " + docu
<tr class="action">
<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=64186">64186</a></td><td>OPC</td><td>Decrease usage of ThreadLocals in XML Signature API</td>
</tr>
+
+<tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=64213">64213</a></td><td>SS_Common</td><td>Picture.resize(double scale) scales width wrong for small pictures and when dx1 is set</td>
+</tr>
+
+<tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=63712">63712</a></td><td>OPC</td><td>upgrading xmlsec causes junit tests to fail</td>
+</tr>
</tbody>
</table>
@@ -255,7 +274,7 @@ document.write("Last Published: " + docu
4.1.2 (2020-02-17)
</h2>
<div class="section">
-<a name="Summary"></a>
+<a name="Summary-N100A7"></a>
<h3 class="boxed">Summary</h3>
<ul>
@@ -268,7 +287,7 @@ document.write("Last Published: " + docu
<li>XSLF - OOM fixes when parsing arbitrary shape ids + a new dependency to SparseBitSet 1.2</li>
</ul>
-<a name="Changes-N10080"></a>
+<a name="Changes-N100BA"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
<colgroup>
@@ -402,7 +421,7 @@ document.write("Last Published: " + docu
4.1.1 (2019-10-20)
</h2>
<div class="section">
-<a name="Summary-N1024B"></a>
+<a name="Summary-N10285"></a>
<h3 class="boxed">Summary</h3>
<ul>
@@ -421,7 +440,7 @@ document.write("Last Published: " + docu
<li>CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI</li>
</ul>
-<a name="Changes-N10267"></a>
+<a name="Changes-N102A1"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
<colgroup>
@@ -571,7 +590,7 @@ document.write("Last Published: " + docu
4.1.0 (2019-04-09)
</h2>
<div class="section">
-<a name="Summary-N1046F"></a>
+<a name="Summary-N104A9"></a>
<h3 class="boxed">Summary</h3>
<ul>
@@ -596,7 +615,7 @@ document.write("Last Published: " + docu
<li>Upgrade to XMLSec 2.1.2</li>
</ul>
-<a name="Changes-N10494"></a>
+<a name="Changes-N104CE"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
<colgroup>
@@ -770,7 +789,7 @@ document.write("Last Published: " + docu
4.0.1 (2018-12-03)
</h2>
<div class="section">
-<a name="Summary-N10705"></a>
+<a name="Summary-N1073F"></a>
<h3 class="boxed">Summary</h3>
<ul>
@@ -781,7 +800,7 @@ document.write("Last Published: " + docu
<li>Upgrade to XMLBeans 3.0.2</li>
</ul>
-<a name="Changes-N10715"></a>
+<a name="Changes-N1074F"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
<colgroup>
@@ -939,7 +958,7 @@ document.write("Last Published: " + docu
4.0.0 (2018-09-07)
</h2>
<div class="section">
-<a name="Summary-N10946"></a>
+<a name="Summary-N10980"></a>
<h3 class="boxed">Summary</h3>
<ul>
@@ -948,7 +967,7 @@ document.write("Last Published: " + docu
<li>New OOXML schema (1.4) necessary, because of incompatible XMLBeans loading not anymore through POIXMLTypeLoader</li>
</ul>
-<a name="Changes-N10953"></a>
+<a name="Changes-N1098D"></a>
<h3 class="boxed">Changes</h3>
<table class="POITable">
<colgroup>
Modified: poi/site/publish/components/index.html
URL: http://svn.apache.org/viewvc/poi/site/publish/components/index.html?rev=1875393&r1=1875392&r2=1875393&view=diff
==============================================================================
--- poi/site/publish/components/index.html (original)
+++ poi/site/publish/components/index.html Wed Mar 18 21:11:57 2020
@@ -681,7 +681,7 @@ document.write("Last Published: " + docu
For signing:
<a href="https://search.maven.org/#artifactdetails|org.bouncycastle|bcpkix-jdk15on|1.64|jar">bcpkix-jdk15on</a>,
<a href="https://search.maven.org/#artifactdetails|org.bouncycastle|bcprov-jdk15on|1.64|jar">bcprov-jdk15on</a>,
- <a href="https://search.maven.org/#artifactdetails|org.apache.santuario|xmlsec|2.1.2|bundle">xmlsec</a>,
+ <a href="https://search.maven.org/#artifactdetails|org.apache.santuario|xmlsec|2.1.5|bundle">xmlsec</a>,
<a href="https://search.maven.org/#artifactdetails|org.slf4j|slf4j-api|1.7.30|jar">slf4j-api</a>
</td>
<td colspan="1" rowspan="1"><a href="https://search.maven.org/#artifactdetails|org.apache.poi|ooxml-security|1.1|jar">ooxml-security-1.1.jar</a></td>
Modified: poi/site/publish/encryption.html
URL: http://svn.apache.org/viewvc/poi/site/publish/encryption.html?rev=1875393&r1=1875392&r2=1875393&view=diff
==============================================================================
--- poi/site/publish/encryption.html (original)
+++ poi/site/publish/encryption.html Wed Mar 18 21:11:57 2020
@@ -178,32 +178,32 @@ document.write("Last Published: " + docu
<div class="section">
<p>Apache POI contains support for reading few variants of encrypted office files: </p>
<ul>
-
+
<li>Binary formats (.xls, .ppt, .doc, ...)<br>
- encryption is format-dependent and needs to be implemented per format differently.<br>
- Use <a href="apidocs/dev/org/apache/poi/hssf/record/crypto/Biff8EncryptionKey.html">
- Biff8EncryptionKey</a>.<a href="apidocs/dev/org/apache/poi/hssf/record/crypto/Biff8EncryptionKey.html#setCurrentUserPassword(java.lang.String)">setCurrentUserPassword</a>(String password)
- to specify the decryption password before opening the file or (where applicable) before saving.
- Setting a null password before saving removes the password protection.<br>
- The password is set in a thread local variable. Do not forget to reset it to null after text extraction.
- </li>
-
+ encryption is format-dependent and needs to be implemented per format differently.<br>
+ Use <a href="apidocs/dev/org/apache/poi/hssf/record/crypto/Biff8EncryptionKey.html">
+ Biff8EncryptionKey</a>.<a href="apidocs/dev/org/apache/poi/hssf/record/crypto/Biff8EncryptionKey.html#setCurrentUserPassword(java.lang.String)">setCurrentUserPassword</a>(String password)
+ to specify the decryption password before opening the file or (where applicable) before saving.
+ Setting a null password before saving removes the password protection.<br>
+ The password is set in a thread local variable. Do not forget to reset it to null after text extraction.
+ </li>
+
<li>XML-based formats (.xlsx, .pptx, .docx, ...)<br>
- use the same encryption logic over all formats. When encrypted, the zipped files will be
- stored within an OLE file in the EncryptedPackage stream.<br>
- If you plan to use POI to actually generate encrypted documents, be aware not to use anything less than
- agile encryption, because <a href="https://eprint.iacr.org/2005/007.pdf">RC4 is not really secure</a> and
- <a href="https://blog.cryptographyengineering.com/2011/12/01/how-not-to-use-symmetric-encryption/">ECB chaining is problematic too</a>.
- Of course you'll need to make sure, that your clients can read the documents,
- i.e. the various free Excel, Powerpoint, Word viewers have limitations in the cipher or hashing parameters.<br>
- If you want to use high encryption parameters, you need to install the "Java Cryptography Extension (JCE) Unlimited
- Strength Jurisdiction Policy Files" for your JRE version
- (Oracle <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html">JDK6</a>,
- <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html">JDK7</a>,
- <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">JDK8</a>,
- IBM <a href="https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/sdkpolicyfiles.html">JDK8</a>).
- </li>
-
+ use the same encryption logic over all formats. When encrypted, the zipped files will be
+ stored within an OLE file in the EncryptedPackage stream.<br>
+ If you plan to use POI to actually generate encrypted documents, be aware not to use anything less than
+ agile encryption, because <a href="https://eprint.iacr.org/2005/007.pdf">RC4 is not really secure</a> and
+ <a href="https://blog.cryptographyengineering.com/2011/12/01/how-not-to-use-symmetric-encryption/">ECB chaining is problematic too</a>.
+ Of course you'll need to make sure, that your clients can read the documents,
+ i.e. the various free Excel, Powerpoint, Word viewers have limitations in the cipher or hashing parameters.<br>
+ If you want to use high encryption parameters, you need to install the "Java Cryptography Extension (JCE) Unlimited
+ Strength Jurisdiction Policy Files" for your JRE version
+ (Oracle <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html">JDK6</a>,
+ <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html">JDK7</a>,
+ <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">JDK8</a>,
+ IBM <a href="https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/sdkpolicyfiles.html">JDK8</a>).
+ </li>
+
</ul>
<p>Some "write-protected" files are encrypted with the built-in password "VelvetSweatshop", POI can read that files too.</p>
</div>
@@ -213,95 +213,95 @@ document.write("Last Published: " + docu
<h2 class="boxed">Supported feature matrix</h2>
<div class="section">
<table class="autosize POITable">
-
-<tr>
+<tr>
+
<th colspan="1" rowspan="1">Encryption</th>
- <th colspan="1" rowspan="1">HSSF</th>
- <th colspan="1" rowspan="1">HSLF</th>
- <th colspan="1" rowspan="1">HWPF</th>
-
+ <th colspan="1" rowspan="1">HSSF</th>
+ <th colspan="1" rowspan="1">HSLF</th>
+ <th colspan="1" rowspan="1">HWPF</th>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd949802(v=office.12).aspx">XOR obfuscation *)</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes (Writing since 3.16)</td>
- <td class="feature-na" colspan="1" rowspan="1">N/A</td>
- <td class="feature-no" colspan="1" rowspan="1">No</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes (Writing since 3.16)</td>
+ <td class="feature-na" colspan="1" rowspan="1">N/A</td>
+ <td class="feature-no" colspan="1" rowspan="1">No</td>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd909583(v=office.12).aspx">40-bit RC4 encryption</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes (Writing since 3.16)</td>
- <td class="feature-na" colspan="1" rowspan="1">N/A</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes (since 3.17)</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes (Writing since 3.16)</td>
+ <td class="feature-na" colspan="1" rowspan="1">N/A</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes (since 3.17)</td>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd910113(v=office.12).aspx">Office Binary Document RC4 CryptoAPI Encryption</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes (Since 3.16)</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes (since 3.17)</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes (Since 3.16)</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes (since 3.17)</td>
+
</tr>
-
-<tr>
+<tr>
+
<th colspan="1" rowspan="1"></th>
- <th colspan="1" rowspan="1">XSSF</th>
- <th colspan="1" rowspan="1">XSLF</th>
- <th colspan="1" rowspan="1">XWPF</th>
-
+ <th colspan="1" rowspan="1">XSSF</th>
+ <th colspan="1" rowspan="1">XSLF</th>
+ <th colspan="1" rowspan="1">XWPF</th>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd907466(v=office.12).aspx">Office Binary Document RC4 Encryption **)</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd906131(v=office.12).aspx">ECMA-376 Standard Encryption</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/dd906131(v=office.12).aspx">ECMA-376 Agile Encryption</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+
</tr>
-
-<tr>
+<tr>
+
<td colspan="1" rowspan="1"><a href="https://msdn.microsoft.com/en-us/library/ms757845(v=vs.85).aspx">ECMA-376 XML Signature</a></td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
- <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
-
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+ <td class="feature-yes" colspan="1" rowspan="1">Yes</td>
+
</tr>
-
+
</table>
<p>*) the xor encryption is flawed and works only for very small files - see <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=59857">#59857</a>.
- </p>
+ </p>
<p>**) the <a href="https://msdn.microsoft.com/en-us/library/cc313071(v=office.12).aspx">MS-OFFCRYPTO</a>
- documentation only mentions the RC4 (without CryptoAPI) encryption as a "in place" encryption, but
- apparently there's also a container based method with that key generation logic.
- </p>
+ documentation only mentions the RC4 (without CryptoAPI) encryption as a "in place" encryption, but
+ apparently there's also a container based method with that key generation logic.
+ </p>
</div>
@@ -408,7 +408,7 @@ document.write("Last Published: " + docu
<h2 class="boxed">XML-based formats - Decryption</h2>
<div class="section">
<p>XML-based formats are stored in OLE-package stream "EncryptedPackage". Use org.apache.poi.poifs.crypt.Decryptor
- to decode file:</p>
+ to decode file:</p>
<div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
@@ -459,21 +459,21 @@ document.write("Last Published: " + docu
<span class="lineno"></span><span class="codebody">}</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
</div>
<p>If you want to read file encrypted with build-in password, use Decryptor.DEFAULT_PASSWORD.</p>
</div>
-
+
<a name="XML-based+formats+-+Encryption"></a>
<h2 class="boxed">XML-based formats - Encryption</h2>
<div class="section">
<p>Encrypting a file is similar to the above decryption process. Basically you'll need to choose between
- <a href="apidocs/dev/org/apache/poi/poifs/crypt/EncryptionMode.html">binaryRC4, standard and agile encryption</a>,
- the cryptoAPI mode is used internally and it's direct use would result in an incomplete file.
- Apart of the CipherMode, the EncryptionInfo class provides further parameters to specify the cipher and
- hashing algorithm to be used.</p>
+ <a href="apidocs/dev/org/apache/poi/poifs/crypt/EncryptionMode.html">binaryRC4, standard and agile encryption</a>,
+ the cryptoAPI mode is used internally and it's direct use would result in an incomplete file.
+ Apart of the CipherMode, the EncryptionInfo class provides further parameters to specify the cipher and
+ hashing algorithm to be used.</p>
<div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
@@ -482,110 +482,110 @@ document.write("Last Published: " + docu
<span class="lineno"></span><span class="codebody">try (POIFSFileSystem fs = new POIFSFileSystem()) {</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> EncryptionInfo info = new EncryptionInfo(EncryptionMode.agile);</span>
+<span class="lineno"></span><span class="codebody"> EncryptionInfo info = new EncryptionInfo(EncryptionMode.agile);</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> // EncryptionInfo info = new EncryptionInfo(EncryptionMode.agile, CipherAlgorithm.aes192, HashAlgorithm.sha384, -1, -1, null);</span>
+<span class="lineno"></span><span class="codebody"> // EncryptionInfo info = new EncryptionInfo(EncryptionMode.agile, CipherAlgorithm.aes192, HashAlgorithm.sha384, -1, -1, null);</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> Encryptor enc = info.getEncryptor();</span>
+<span class="lineno"></span><span class="codebody"> Encryptor enc = info.getEncryptor();</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> enc.confirmPassword("foobaa");</span>
+<span class="lineno"></span><span class="codebody"> enc.confirmPassword("foobaa");</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> // Read in an existing OOXML file and write to encrypted output stream</span>
+<span class="lineno"></span><span class="codebody"> // Read in an existing OOXML file and write to encrypted output stream</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> // don't forget to close the output stream otherwise the padding bytes aren't added</span>
+<span class="lineno"></span><span class="codebody"> // don't forget to close the output stream otherwise the padding bytes aren't added</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> try (OPCPackage opc = OPCPackage.open(new File("..."), PackageAccess.READ_WRITE);</span>
+<span class="lineno"></span><span class="codebody"> try (OPCPackage opc = OPCPackage.open(new File("..."), PackageAccess.READ_WRITE);</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> OutputStream os = enc.getDataStream(fs)) {</span>
+<span class="lineno"></span><span class="codebody"> OutputStream os = enc.getDataStream(fs)) {</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> opc.save(os);</span>
+<span class="lineno"></span><span class="codebody"> opc.save(os);</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> }</span>
+<span class="lineno"></span><span class="codebody"> }</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> // Write out the encrypted version</span>
+<span class="lineno"></span><span class="codebody"> // Write out the encrypted version</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> try (FileOutputStream fos = new FileOutputStream("...")) {</span>
+<span class="lineno"></span><span class="codebody"> try (FileOutputStream fos = new FileOutputStream("...")) {</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> fs.writeFilesystem(fos);</span>
+<span class="lineno"></span><span class="codebody"> fs.writeFilesystem(fos);</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> }</span>
+<span class="lineno"></span><span class="codebody"> }</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody">}</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
</div>
</div>
-
+
<a name="XML-based+formats+-+Signing+%28XML+Signature%29"></a>
<h2 class="boxed">XML-based formats - Signing (XML Signature)</h2>
<div class="section">
<div class="note">
<div class="label">Note</div>
<div class="content">As of <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=64186">#64186</a> the configuration of the
- OPCPackage has changed, the examples below have been adopted and reflect the POI 4.1.3 API</div>
+ OPCPackage has changed, the examples below have been adopted and reflect the POI 4.1.3 API</div>
</div>
<p>An Office document can be digital signed by a <a href="https://en.wikipedia.org/wiki/XML_Signature">XML Signature</a>
- to protect it from unauthorized modifications, i.e. modifications without having the original certificate.
- The current implementation is based on the <!--<a href="http://eid-applet.googlecode.com">eID Applet</a>-->
- <a href="https://github.com/e-Contract/eid-applet">eID Applet</a> which
- is dual-licensed to <!--<a href="https://code.google.com/p/eid-applet/source/browse/trunk/README.txt">ASF/POI</a>-->
- <a href="https://github.com/e-Contract/eid-applet/blob/master/README.md#7-license">Apache License 2.0 and LGPL v3.0</a>.
- Instead of using the internal <a href="http://www.jsourcecode.com/class.php?proj=jdk%5Copenjdk&jar=openjdk-6-b14&class=org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory">JDK API</a>
- this version is based on <a href="https://santuario.apache.org">Apache Santuario</a>.</p>
+ to protect it from unauthorized modifications, i.e. modifications without having the original certificate.
+ The current implementation is based on the <!--<a href="http://eid-applet.googlecode.com">eID Applet</a>-->
+ <a href="https://github.com/e-Contract/eid-applet">eID Applet</a> which
+ is dual-licensed to <!--<a href="https://code.google.com/p/eid-applet/source/browse/trunk/README.txt">ASF/POI</a>-->
+ <a href="https://github.com/e-Contract/eid-applet/blob/master/README.md#7-license">Apache License 2.0 and LGPL v3.0</a>.
+ Instead of using the internal <a href="http://www.jsourcecode.com/class.php?proj=jdk%5Copenjdk&jar=openjdk-6-b14&class=org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory">JDK API</a>
+ this version is based on <a href="https://santuario.apache.org">Apache Santuario</a>.</p>
<p>The classes have been tested against the following libraries, which need to be included additionally to the
- <a href="components/">default dependencies</a>:</p>
+ <a href="components/">default dependencies</a>:</p>
<ul>
-
+
<li>BouncyCastle bcpkix and bcprov (tested against 1.64)</li>
-
-<li>Apache Santuario "xmlsec" (tested against 2.1.2)</li>
-
+
+<li>Apache Santuario "xmlsec" (tested against 2.1.5)</li>
+
<li>and slf4j-api (tested against 1.7.30)</li>
-
+
</ul>
<p>Depending on the <a href="apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureConfig.html">configuration</a>
- and the activated <a href="apidocs/dev/org/apache/poi/poifs/crypt/dsig/facets/package-summary.html">facets</a>
- various <a href="https://en.wikipedia.org/wiki/XAdES">XAdES levels</a> are supported - the support for higher levels (XAdES-T+)
- depend on supporting services and although the code is adopted, the integration is not well tested ... please support us on
- integration (testing) with timestamp and revocation (OCSP) services.
- </p>
+ and the activated <a href="apidocs/dev/org/apache/poi/poifs/crypt/dsig/facets/package-summary.html">facets</a>
+ various <a href="https://en.wikipedia.org/wiki/XAdES">XAdES levels</a> are supported - the support for higher levels (XAdES-T+)
+ depend on supporting services and although the code is adopted, the integration is not well tested ... please support us on
+ integration (testing) with timestamp and revocation (OCSP) services.
+ </p>
<p>Further test examples can be found in the corresponding <a href="https://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java?view=markup">test class</a>.</p>
<p>If you want to use a hash algorithm with 64 bytes (currently only applies to SHA512),
- <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=42061">a base64 "feature"</a> in xmlsec
- leads to line breaks in the digest values, which won't be accepted by Office. To workaround this, you
- need to set the following system property:<br>
-
+ <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=42061">a base64 "feature"</a> in xmlsec
+ leads to line breaks in the digest values, which won't be accepted by Office. To workaround this, you
+ need to set the following system property:<br>
+
<strong>-Dorg.apache.xml.security.ignoreLineBreaks=true</strong>
</p>
</div>
-
+
<a name="Validating+a+signed+office+document"></a>
<h2 class="boxed">Validating a signed office document</h2>
<div class="section">
@@ -615,12 +615,12 @@ document.write("Last Published: " + docu
<span class="lineno"></span><span class="codebody">...</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
</div>
</div>
-
+
<a name="Signing+an+office+document"></a>
<h2 class="boxed">Signing an office document</h2>
<div class="section">
@@ -724,14 +724,14 @@ document.write("Last Published: " + docu
<span class="lineno"></span><span class="codebody">pkg.close();</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
</div>
<a name="Signing+a+stream+-+in-memory"></a>
<h3 class="boxed">Signing a stream - in-memory</h3>
<p>When saving a OOXML document, POI creates missing relations on the fly. Therefore calling the signing method before
- would result in an invalid signature. Instead of trying to fix all save invocations, the user is asked to save the stream
- before in a intermediate byte array (stream) and process this stream instead.</p>
+ would result in an invalid signature. Instead of trying to fix all save invocations, the user is asked to save the stream
+ before in a intermediate byte array (stream) and process this stream instead.</p>
<div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
@@ -803,81 +803,124 @@ document.write("Last Published: " + docu
<span class="lineno"></span><span class="codebody">// bos now contains the signed ooxml document</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
</div>
</div>
-
+
<a name="Encrypting+temporary+files+created+when+unzipping+an+OOXML+document"></a>
<h2 class="boxed">Encrypting temporary files created when unzipping an OOXML document</h2>
<div class="section">
<p>For security-conscious environments where data at rest must be stored encrypted,
- the creation of plaintext temporary files is a grey area.</p>
+ the creation of plaintext temporary files is a grey area.</p>
<p>The code example, written by PJ Fanning, modifies the behavior of SXSSFWorkbook
- to extract an OOXML spreadsheet zipped container and write the contents to disk using AES
- encryption.</p>
+ to extract an OOXML spreadsheet zipped container and write the contents to disk using AES
+ encryption.</p>
<p>See <a href="https://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/temp/SXSSFWorkbookWithCustomZipEntrySource.java?view=markup">SXSSFWorkbookWithCustomZipEntrySource.java</a>
- and other <a href="https://svn.apache.org/viewvc?view=revision&revision=1768744">files</a>
- that are needed for this example.</p>
+ and other <a href="https://svn.apache.org/viewvc?view=revision&revision=1768744">files</a>
+ that are needed for this example.</p>
</div>
-
+
<a name="Debugging+XML+signature+issues"></a>
<h2 class="boxed">Debugging XML signature issues</h2>
<div class="section">
<p>Finding the source of a XML signature problem can be sometimes a pain in the ... neck, because
- the hashing of the canonicalized form is more or less intransparent done in the background.</p>
+ the hashing of the canonicalized form is more or less intransparent done in the background.</p>
<p>One of the tripping hazards are <a href="https://stackoverflow.com/questions/36063375">different
- linebreaks in Windows/Unix</a>, therefore use the non-indent form of the xmls.</p>
+ linebreaks in Windows/Unix</a>, therefore use the non-indent form of the xmls. Furthermore the
+ elements/anchestors containing namespace definitions and the used prefix might also differ.</p>
<p>The next thing is to compare successful signed documents from Office vs. POIs generated signature,
- i.e. unzip both files and look for differences. Usually the package relations (*.rels) will be different,
- and the sig1.xml, core.xml and [Content_Types].xml due to different order of the references.</p>
+ i.e. unzip both files and look for differences. Usually the package relations (*.rels) will be different,
+ and the sig1.xml, core.xml and [Content_Types].xml due to different order of the references.</p>
<p>The package relationsships (*.rels) will be specially handled, i.e. they will be filtered and only
- a subset will be processed - see <a href="https://www.ecma-international.org/activities/Office%20Open%20XML%20Formats/Draft%20ECMA-376%203rd%20edition,%20March%202011/Office%20Open%20XML%20Part%202%20-%20Open%20Packaging%20Conventions.pdf">13.2.4.24 Relationships Transform Algorithm</a>.</p>
-<p>To check the processed files in the canonicalized form, the below UnsyncBufferedOutputStream class needs
- to be injected/replaced. Put the .class file in separate directory and add the following JVM parameters:</p>
-<div class="code">
+ a subset will be processed - see <a href="https://www.ecma-international.org/activities/Office%20Open%20XML%20Formats/Draft%20ECMA-376%203rd%20edition,%20March%202011/Office%20Open%20XML%20Part%202%20-%20Open%20Packaging%20Conventions.pdf">13.2.4.24 Relationships Transform Algorithm</a>.</p>
+<p>POI can use <a href="https://commons.apache.org/proper/commons-logging/">commons logging</a>
+ and Santuario (XmlSec) uses <a href="http://www.slf4j.org/">SLF4J</a> for logging.
+ To get logging information and debug output ...:</p>
+<ul>
+
+<li>
+ add the following JVM parameters:
+ <div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody">-Djava.io.tmpdir=</span>
+<span class="lineno"></span><span class="codebody">-Djava.io.tmpdir=<custom temp directory></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"><custom temp directory></span>
+<span class="lineno"></span><span class="codebody">-Xbootclasspath/p:<preload dir, which contains /org/apache/xml/security/utils/UnsyncBufferedOutputStream.class></span>
+</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">-Dorg.apache.poi.util.POILogger=org.apache.poi.util.CommonsLogger</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
+</div>
+
+</li>
+
+<li>
+ replace commons-logging.jar with <a href="https://search.maven.org/artifact/org.slf4j/jcl-over-slf4j/1.7.30/jar">jcl-over-slf4j.jar</a>
+
+</li>
+
+<li>
+ beside log4j.jar, add <a href="https://search.maven.org/artifact/org.slf4j/slf4j-log4j12/1.7.30/jar">slf4j-log4j12.jar</a>
+
+</li>
+
+<li>
+ add a log4j.properties into the path with the following content:
+ <div class="code">
<div class="codeline">
-<span class="lineno"></span><span class="codebody">-Xbootclasspath/p:</span>
+<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"><preload dir, which contains /org/apache/xml/security/utils/UnsyncBufferedOutputStream.class></span>
+<span class="lineno"></span><span class="codebody">log4j.rootLogger=ALL,FILE</span>
</div>
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody">-Dorg.apache.poi.util.POILogger=org.apache.poi.util.CommonsLogger</span>
+<span class="lineno"></span><span class="codebody"># Define the file appender</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody">-Djava.util.logging.config.file=</span>
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE=org.apache.log4j.FileAppender</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"><a dir containing ...></span>
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.File=debug.log</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody">/logging.properties</span>
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.ImmediateFlush=true</span>
</div>
<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.Threshold=debug</span>
</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.Append=false</span>
</div>
-<a name="UnsyncBufferedOutputStream%3A"></a>
-<h3 class="boxed">UnsyncBufferedOutputStream:</h3>
-<div class="code">
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.layout=org.apache.log4j.PatternLayout</span>
+</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">log4j.appender.FILE.layout.conversionPattern=%-5p %c %x - %m%n</span>
+</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody"></span>
+</div>
+</div>
+
+</li>
+
+<li>
+ To check the processed files in the canonicalized form, the below UnsyncBufferedOutputStream class needs
+ to be injected/replaced. Put the .class file in separate directory and add it to the JVM parameters (see above):
+
+ <div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
@@ -1136,28 +1179,16 @@ document.write("Last Published: " + docu
<div class="codeline">
<span class="lineno"></span><span class="codebody">}</span>
</div>
-</div>
-<a name="logging.properties"></a>
-<h3 class="boxed">logging.properties</h3>
-<div class="code">
<div class="codeline">
<span class="lineno"></span><span class="codebody"></span>
</div>
-<div class="codeline">
-<span class="lineno"></span><span class="codebody">handlers = org.slf4j.bridge.SLF4JBridgeHandler</span>
-</div>
-<div class="codeline">
-<span class="lineno"></span><span class="codebody">.level=ALL</span>
-</div>
-<div class="codeline">
-<span class="lineno"></span><span class="codebody">org.slf4j.bridge.SLF4JBridgeHandler.level=ALL</span>
-</div>
-<div class="codeline">
-<span class="lineno"></span><span class="codebody"> </span>
-</div>
</div>
+
+</li>
+
+</ul>
</div>
-
+
<p align="right">
<font size="-2">by Maxim Valyanskiy, Andreas Beeker</font>
</p>