You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@poi.apache.org by bu...@apache.org on 2021/03/31 15:08:12 UTC

[Bug 65214] New: Document signed by POI reported as 'partially' signed

https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

            Bug ID: 65214
           Summary: Document signed by POI reported as 'partially' signed
           Product: POI
           Version: 4.1.2-FINAL
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: OPC
          Assignee: dev@poi.apache.org
          Reporter: eggenberger@keyon.ch
  Target Milestone: ---

Created attachment 37795
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37795&action=edit
Sample documents and code

I sign a Word document containing a hyperlink with POI/OPC
SignatureInfo.confirmSignature().

SignatureInfo.verifySignature() returns true/successfully verified.

However, when the signed document is opened with MS Word, Word reports the
signature status as 'Partial signatures'.

If the document is signed with MS Word (MSO Version 2102), Word reports the
status as 'Valid signatures'.


Comparing the sig.xml generated by POI with the sig.xml generated by Word shows
that Word includes a RelationshipReference to the Hyperlink, whereas POI skips
it.

<Reference
URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
  <Transforms>
    <Transform
Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
      ...
      <mdssi:RelationshipReference
xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature"
SourceId="rId6"/>
      ...


In OOXMLSignatureFacet.java is the following comment and code, so it seems to
be a glitch in MS Word:

/*
 * ECMA-376 Part 2 - 3rd edition
 * 13.2.4.16 Manifest Element
 * "The producer shall not create a Manifest element that references any data
outside of the package."
 */
if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
        continue;
}


However, as users get suspicious when Word reports 'Partial signatures' I
wonder if an additional OfficeSignatureFacet would make sense, which adds the
RelationshipReference to Hyperlinks to the signature.

Attached are the input and signed documents and sample code to create the
signed document with POI/OPC.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org

[Bug 65214] Document signed by POI reported as 'partially' signed

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

Dominik Stadler <do...@gmx.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org

[Bug 65214] Document signed by POI reported as 'partially' signed

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

Andreas Beeker <ki...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Andreas Beeker <ki...@apache.org> ---
Fixed via r1889427

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org

[Bug 65214] Document signed by POI reported as 'partially' signed

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

--- Comment #1 from Andreas Beeker <ki...@apache.org> ---
Thank you for bringing this up and (un-)intentionally describing how to fix it.
Fixed it locally, but need to polish and test it a bit more :)

Opposed to the comment in the code, the reference doesn't need to be digested,
i.e. there are no bytes to be provided by the OOXMLURIDereferencer.

Instead it's enough to just call/add
parameterSpec.addRelationshipReference(relationship.getId());

in context of OOXMLSignatureFacet:
> if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
>    parameterSpec.addRelationshipReference(relationship.getId());
>    continue;
> }

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org

[Bug 65214] Document signed by POI reported as 'partially' signed

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

--- Comment #3 from Roger Eggenberger <eg...@keyon.ch> ---
Cool, thanks for looking into this!

I'll try to downbranch the patch for now and start to update my project from
POI 4 to 5.x soon.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org