You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@poi.apache.org by ki...@apache.org on 2021/11/03 00:00:22 UTC
svn commit: r1894701 - in /poi: site/src/documentation/content/xdocs/
trunk/poi-integration/ trunk/poi-ooxml/
trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/
trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/
Author: kiwiwings
Date: Wed Nov 3 00:00:21 2021
New Revision: 1894701
URL: http://svn.apache.org/viewvc?rev=1894701&view=rev
Log:
#65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable
Modified:
poi/site/src/documentation/content/xdocs/changes.xml
poi/trunk/poi-integration/build.gradle
poi/trunk/poi-ooxml/build.gradle
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
poi/trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java
Modified: poi/site/src/documentation/content/xdocs/changes.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/changes.xml?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/changes.xml (original)
+++ poi/site/src/documentation/content/xdocs/changes.xml Wed Nov 3 00:00:21 2021
@@ -70,6 +70,12 @@
</p>
</section>
+ <release version="5.2.0" date="2022-03-??">
+ <actions>
+ <action type="add" fixes-bug="65668" context="OOXML">upgrade to xmlsec 2.3.0 - make secure validation configurable</action>
+ </actions>
+ </release>
+
<release version="5.1.0" date="2021-11-01">
<summary>
<summary-item>XDDF - bug fixes</summary-item>
Modified: poi/trunk/poi-integration/build.gradle
URL: http://svn.apache.org/viewvc/poi/trunk/poi-integration/build.gradle?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/trunk/poi-integration/build.gradle (original)
+++ poi/trunk/poi-integration/build.gradle Wed Nov 3 00:00:21 2021
@@ -184,3 +184,4 @@ javadocJar.onlyIf { false }
sourcesJar.onlyIf { false }
generateMetadataFileForPOIPublication.enabled = false
+publishPOIPublicationToMavenLocal.enabled = false
Modified: poi/trunk/poi-ooxml/build.gradle
URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/build.gradle?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/trunk/poi-ooxml/build.gradle (original)
+++ poi/trunk/poi-ooxml/build.gradle Wed Nov 3 00:00:21 2021
@@ -74,11 +74,11 @@ dependencies {
api "org.apache.logging.log4j:log4j-api:${log4jVersion}"
api 'org.apache.commons:commons-collections4:4.4'
- signingImplementation 'org.apache.santuario:xmlsec:2.2.3'
+ signingImplementation 'org.apache.santuario:xmlsec:2.3.0'
signingImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
signingImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
- rendersignImplementation 'org.apache.santuario:xmlsec:2.2.3'
+ rendersignImplementation 'org.apache.santuario:xmlsec:2.3.0'
rendersignImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
rendersignImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
Modified: poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java (original)
+++ poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java Wed Nov 3 00:00:21 2021
@@ -212,6 +212,14 @@ public class SignatureConfig {
*/
private boolean allowMultipleSignatures = false;
+ /**
+ * Switch to enable/disable secure validation - see setter for more information
+ *
+ * @since POI 5.2.0
+ */
+ private boolean secureValidation = true;
+
+
public SignatureConfig() {
// OOo doesn't like ds namespaces so per default prefixing is off.
// namespacePrefixes.put(XML_DIGSIG_NS, "");
@@ -1074,4 +1082,39 @@ public class SignatureConfig {
public void setAllowMultipleSignatures(boolean allowMultipleSignatures) {
this.allowMultipleSignatures = allowMultipleSignatures;
}
+
+ /**
+ * @return is secure validation enabled?
+ *
+ * @since POI 5.2.0
+ */
+ public boolean isSecureValidation() {
+ return secureValidation;
+ }
+
+ /**
+ * Enable or disable secure validation - default is enabled.
+ * <p>
+ * Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail,
+ * because a maximum of 30 references were hard-coded allowed for secure validation to succeed.
+ * <p>
+ * Secure validation has the following features:
+ * <ul>
+ * <li>Limits the number of Transforms per Reference to a maximum of 5.
+ * <li>Does not allow XSLT transforms.
+ * <li>Does not allow a RetrievalMethod to reference another RetrievalMethod.
+ * <li>Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
+ * <li>Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
+ * <li>MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
+ * <li>Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
+ * <li>Does not allow DTDs
+ * </ul>
+ *
+ * @see <a href="https://santuario.apache.org/faq.html#faq-4.SecureValidation">XmlSec SecureValidation</a>
+ *
+ * @since POI 5.2.0
+ */
+ public void setSecureValidation(boolean secureValidation) {
+ this.secureValidation = secureValidation;
+ }
}
\ No newline at end of file
Modified: poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java (original)
+++ poi/trunk/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java Wed Nov 3 00:00:21 2021
@@ -56,6 +56,7 @@ import org.xml.sax.SAXException;
public class SignaturePart {
private static final Logger LOG = LogManager.getLogger(SignaturePart.class);
private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
+ private static final String XMLSEC_VALIDATE_SECURE = "org.apache.jcp.xml.dsig.secureValidation";
private final PackagePart signaturePart;
@@ -121,6 +122,7 @@ public class SignaturePart {
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
+ domValidateContext.setProperty(XMLSEC_VALIDATE_SECURE, signatureInfo.getSignatureConfig().isSecureValidation());
URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer();
domValidateContext.setURIDereferencer(uriDereferencer);
Modified: poi/trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java?rev=1894701&r1=1894700&r2=1894701&view=diff
==============================================================================
--- poi/trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java (original)
+++ poi/trunk/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java Wed Nov 3 00:00:21 2021
@@ -170,6 +170,7 @@ import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
import org.junit.jupiter.params.provider.ValueSource;
import org.w3.x2000.x09.xmldsig.ObjectType;
import org.w3.x2000.x09.xmldsig.ReferenceType;
@@ -344,21 +345,22 @@ class TestSignatureInfo {
}
@ParameterizedTest
- @ValueSource(strings = {
- "hyperlink-example-signed.docx",
- "hello-world-signed.docx",
- "hello-world-signed.pptx",
- "hello-world-signed.xlsx",
- "hello-world-office-2010-technical-preview.docx",
- "ms-office-2010-signed.docx",
- "ms-office-2010-signed.pptx",
- "ms-office-2010-signed.xlsx",
- "Office2010-SP1-XAdES-X-L.docx",
- "signed.docx"
+ @CsvSource(value = {
+ "hyperlink-example-signed.docx, true",
+ "hello-world-signed.docx, true",
+ "hello-world-signed.pptx, false",
+ "hello-world-signed.xlsx, true",
+ "hello-world-office-2010-technical-preview.docx, true",
+ "ms-office-2010-signed.docx, true",
+ "ms-office-2010-signed.pptx, false",
+ "ms-office-2010-signed.xlsx, true",
+ "Office2010-SP1-XAdES-X-L.docx, true",
+ "signed.docx, true"
})
- void getSigner(String testFile) throws Exception {
+ void getSigner(String testFile, boolean secureValidation) throws Exception {
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
SignatureConfig sic = new SignatureConfig();
+ sic.setSecureValidation(secureValidation);
SignatureInfo si = new SignatureInfo();
si.setOpcPackage(pkg);
si.setSignatureConfig(sic);
@@ -909,6 +911,10 @@ class TestSignatureInfo {
@Test
void testRetrieveCertificate() throws InvalidFormatException, IOException {
SignatureConfig sic = new SignatureConfig();
+ // starting with xmlsec 2.3.0 disabling secure validation was necessary because of limitations
+ // on the amount of processed internal references (max. 30)
+ sic.setSecureValidation(false);
+
final File file = testdata.getFile("PPT2016withComment.pptx");
try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {
sic.setUpdateConfigOnValidate(true);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org