From 45995b4a2485eb141aa8cf95afacdfebc367c8e2 Mon Sep 17 00:00:00 2001 From: Andreas Beeker Date: Sun, 2 May 2021 21:48:02 +0000 Subject: [PATCH] #65214 - Document signed by POI reported as 'partially' signed git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1889427 13f79535-47bb-0310-9956-ffa450edef68 --- .../dsig/facets/EnvelopedSignatureFacet.java | 2 +- .../dsig/facets/OOXMLSignatureFacet.java | 20 +++++---- .../dsig/facets/SignatureFacetHelper.java | 8 +--- .../dsig/facets/XAdESSignatureFacet.java | 2 +- .../poifs/crypt/dsig/TestSignatureInfo.java | 41 ++++++++++++++++++ poi/src/main/java9/module-info.class | Bin 3388 -> 3387 bytes poi/src/test/java9/module-info.class | Bin 4135 -> 4134 bytes 7 files changed, 57 insertions(+), 16 deletions(-) diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/EnvelopedSignatureFacet.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/EnvelopedSignatureFacet.java index 87a4a7c86c..a7dfb8dd3a 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/EnvelopedSignatureFacet.java +++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/EnvelopedSignatureFacet.java @@ -56,7 +56,7 @@ public class EnvelopedSignatureFacet implements SignatureFacet { Transform exclusiveTransform = newTransform(signatureInfo, CanonicalizationMethod.EXCLUSIVE); transforms.add(exclusiveTransform); - Reference reference = newReference(signatureInfo, "", transforms, null, null, null); + Reference reference = newReference(signatureInfo, "", transforms, null); references.add(reference); } } diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java index 6f5061aac9..b9063e30fc 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java 
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java @@ -37,6 +37,8 @@ import java.util.Comparator; import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.stream.Collectors; +import java.util.stream.Stream; import javax.xml.XMLConstants; import javax.xml.crypto.URIReference; @@ -118,7 +120,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { XMLObject xo = sigFac.newXMLObject(objectContent, ID_PACKAGE_OBJECT, null, null); objects.add(xo); - Reference reference = newReference(signatureInfo, "#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object", null, null); + Reference reference = newReference(signatureInfo, "#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object"); references.add(reference); } @@ -150,6 +152,8 @@ public class OOXMLSignatureFacet implements SignatureFacet { * "The producer shall not create a Manifest element that references any data outside of the package." */ if (TargetMode.EXTERNAL == relationship.getTargetMode()) { + // only add the relationship but not the reference/data + parameterSpec.addRelationshipReference(relationship.getId()); continue; } @@ -183,7 +187,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { } String uri = partName + "?ContentType=" + contentType; - Reference reference = newReference(signatureInfo, uri, null, null, null, null); + Reference reference = newReference(signatureInfo, uri, null, null); manifestReferences.add(reference); } @@ -193,7 +197,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { transforms.add(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE)); String uri = normalizePartName(pp.getPartName().getURI(), baseUri) + "?ContentType=application/vnd.openxmlformats-package.relationships+xml"; - Reference reference = newReference(signatureInfo, uri, transforms, null, null, null); + Reference reference = newReference(signatureInfo, uri, transforms, null); manifestReferences.add(reference); } } 
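Review bot: The comment added at the `TargetMode.EXTERNAL` branch (`// only add the relationship but not the reference/data`) records what is skipped but not what the signature now covers, which is the security-relevant part of this fix. I would expand it to something like `// external target: cover the relationship entry itself through the relationship transform, but create no manifest reference, because the target data is outside the package`. It is also worth stating there that the signature then vouches only for the link stored in the package, presumably including its target URI, and never for the content that URI serves. The loop body continues outside this hunk, so any relationship-type filtering further down no longer applies to external relationships; if that is intended, the comment should say so.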
@@ -292,7 +296,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { String objectId = "idOfficeObject"; objects.add(sigFac.newXMLObject(objectContent, objectId, null, null)); - Reference reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null); + Reference reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object"); references.add(reference); Base64.Encoder enc = Base64.getEncoder(); @@ -302,7 +306,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { DOMStructure tn = new DOMStructure(document.createTextNode(enc.encodeToString(imageValid))); objects.add(sigFac.newXMLObject(Collections.singletonList(tn), objectId, null, null)); - reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null); + reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object"); references.add(reference); } @@ -312,7 +316,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { DOMStructure tn = new DOMStructure(document.createTextNode(enc.encodeToString(imageInvalid))); objects.add(sigFac.newXMLObject(Collections.singletonList(tn), objectId, null, null)); - reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null); + reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object"); references.add(reference); } } 
@@ -336,7 +340,7 @@ public class OOXMLSignatureFacet implements SignatureFacet { /** * Office 2010 list of signed types (extensions). */ - private static final Set signed = Collections.unmodifiableSet(new HashSet<>(Arrays.asList( + private static final Set signed = Stream.of( "activeXControlBinary", "aFChunk", "attachedTemplate", "attachedToolbars", "audio", "calcChain", "chart", "chartColorStyle", "chartLayout", "chartsheet", "chartStyle", "chartUserShapes", "commentAuthors", "comments", "connections", "connectorXml", "control", "ctrlProp", "customData", "customData", "customProperty", "customXml", "diagram", "diagramColors", @@ -357,5 +361,5 @@ public class OOXMLSignatureFacet implements SignatureFacet { "volatileDependencies", "webSettings", "wordVbaData", "worksheet", "wsSortMap", "xlBinaryIndex", "xlExternalLinkPath/xlAlternateStartup", "xlExternalLinkPath/xlLibrary", "xlExternalLinkPath/xlPathMissing", "xlExternalLinkPath/xlStartup", "xlIntlMacrosheet", "xlMacrosheet", "xmlMaps" - ))); + ).collect(Collectors.toSet()); } \ No newline at end of file diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacetHelper.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacetHelper.java index e60771f563..ebdd5bcaed 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacetHelper.java +++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacetHelper.java @@ -52,9 +52,7 @@ final class SignatureFacetHelper { SignatureInfo signatureInfo , String uri , List transforms - , String type - , String id - , byte[] digestValue) + , String type) throws XMLSignatureException { // the references appear in the package signature or the package object // so we can use the default digest algorithm 
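Review bot: Replacing `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)))` with `Stream.of(...).collect(Collectors.toSet())` in the `signed` field drops the read-only wrapper, and `Collectors.toSet()` makes no guarantee about the mutability of the set it returns. According to its Javadoc this field is the list of signed types, so it should stay immutable: close the expression (second hunk, `@@ -357,5 +361,5 @@`) with `).collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));`. `Set.of(...)` is not a drop-in alternative here, because the list contains `"customData"` twice and `Set.of` rejects duplicate elements.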
@@ -68,8 +66,6 @@ final class SignatureFacetHelper { throw new XMLSignatureException("unknown digest method uri: "+digestMethodUri, e); } - return (digestValue == null) - ? sigFac.newReference(uri, digestMethod, transforms, type, id) - : sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue); + return sigFac.newReference(uri, digestMethod, transforms, type, null); } } diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java index eafb2cb387..d20912a519 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java +++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java @@ -242,7 +242,7 @@ public class XAdESSignatureFacet implements SignatureFacet { private Reference addXadesReference(SignatureInfo signatureInfo) throws XMLSignatureException { SignatureConfig signatureConfig = signatureInfo.getSignatureConfig(); List transforms = singletonList(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE)); - return newReference(signatureInfo, "#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null); + return newReference(signatureInfo, "#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE); } /** diff --git a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java index 83b79e1cb2..52516d0c68 100644 --- a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java +++ b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java 
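Review bot: The bare trailing `null` in `sigFac.newReference(uri, digestMethod, transforms, type, null)` is unexplained, and nothing records why the `digestValue` overload was removed. A short comment such as `// no reference Id; the digest is always calculated by the signature factory, never supplied by the caller` would document that `newReference` no longer accepts a pre-calculated digest, so that path is not reintroduced later by accident. If the method's Javadoc, which is outside both hunks of this file, still lists `id` and `digestValue`, it needs the same update.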
@@ -110,7 +110,9 @@ import org.apache.poi.xssf.usermodel.XSSFClientAnchor;
 import org.apache.poi.xssf.usermodel.XSSFSheet;
 import org.apache.poi.xssf.usermodel.XSSFSignatureLine;
 import org.apache.poi.xssf.usermodel.XSSFWorkbook;
+import org.apache.poi.xwpf.usermodel.UnderlinePatterns;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
+import org.apache.poi.xwpf.usermodel.XWPFHyperlinkRun;
 import org.apache.poi.xwpf.usermodel.XWPFSignatureLine;
 import org.apache.xmlbeans.SystemProperties;
 import org.apache.xmlbeans.XmlException;
@@ -745,6 +747,45 @@ class TestSignatureInfo { } } + // Test signing of external references / hyperlinks + @Test + void bug65214() throws Exception { + initKeyPair(); + + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + try (XWPFDocument doc = new XWPFDocument()) { + XWPFHyperlinkRun r = doc.createParagraph().createHyperlinkRun("http://poi.apache.org"); + r.setText("Hyperlink"); + r.setUnderline(UnderlinePatterns.SINGLE); + r.setUnderlineColor("0000FF"); + doc.write(bos); + } + + SignatureConfig signatureConfig = new SignatureConfig(); + signatureConfig.setKey(keyPair.getPrivate()); + signatureConfig.setSigningCertificateChain(Collections.singletonList(x509)); + signatureConfig.setDigestAlgo(HashAlgorithm.sha256); + try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) { + SignatureInfo si = new SignatureInfo(); + si.setOpcPackage(pkg); + si.setSignatureConfig(signatureConfig); + si.confirmSignature(); + bos.reset(); + pkg.save(bos); + } catch (EncryptedDocumentException e) { + assumeTrue(e.getMessage().startsWith("Export Restrictions")); + } + + try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) { + SignatureInfo si = new SignatureInfo(); + si.setOpcPackage(pkg); + si.setSignatureConfig(signatureConfig); + si.verifySignature(); + } catch (EncryptedDocumentException e) { + assumeTrue(e.getMessage().startsWith("Export Restrictions")); + } + } + @Test void bug58630() throws Exception { // test deletion of sheet 0 and signing 
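Review bot: The result of `si.verifySignature()` in the last try block is discarded, so `bug65214` passes even when the signature over the document with the external hyperlink does not validate. Assert it, `assertTrue(si.verifySignature());`, assuming `verifySignature()` returns the validation result as a boolean, which this hunk does not show. The test would pin the fix more tightly if it also checked that the hyperlink relationship is part of what was signed, for example by verifying that a copy of the package with a changed link target no longer validates. Note also that when the signing block catches an "Export Restrictions" `EncryptedDocumentException`, `assumeTrue` is satisfied and the second block still runs against a `bos` that holds no signed package, so the assertion needs a guard for that case.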
diff --git a/poi/src/main/java9/module-info.class b/poi/src/main/java9/module-info.class index 86d7379bf9e5272942ed0321816af5e1e07b7203..65a7086587a0de967df019c649f7d2b63c78f1ad 100644 GIT binary patch literal 3387 zcmai$_nzBC5XXNTAje&Lyy?ABLe9!17kUYS90?EzF%UZJNo!kYSrU?LpJ_RI?;S$# zJOY3406Yax!iUkwMQ6#*eLnZKt(}>jvNNlH{`>2107vlW7?ubut9w?%(UZ1Y_5>zM zUL!E|jO}QF)v2Z8oN6k8rKecBfH8r!UQj72Uzt^1^gTQNFJN3?JQgj^s*p@9otiEl zEFLOgxxkK;yy?~Jo*NcT&vCRF+4Oz7fRzFpbA>Ez7O+}iMOUw`qUzxS)(R{y`6>wY zF*_>hr~tXxgyU5zwp%IE=ky%8bEp_QRKNyOWH&nk1#Id*v2<9AJimY~0;}e%TCw4V z4d3^INLv!y1XhxZMiRF{F-z8C23FFv#hejeh1D>&*wUW20Cj@-7~aQW3h;_Ylhq)c|@D3R}u4AqY+ z67P=`X~ehbhq>iQmGR?Te|iG_5%p=#SqzP2Kz*KVC<-cGGfcW%Tgs_Pe3`vl6Ya0F zKDPY+3&R+`5!gR))OyF*INp6ZI30LR+tR@pz7sewARoKaeN8dWQq5*Puh!T2L11!F z!%1nB9I{-hdab_7PuX$P?Z1<83!Tv}ITO3{OV)Vb{Zq&J-YVWAn5fu`CEdE=*tpZj7#Y8zgWtT$8qTbFo9+K zYXx%^a}BdVT!;0<32bC;W*)^>`UJK!cQSV~_cAYIUcubYJish64>AuirAg`xBHbkydI^CX32>0aK8*0#>FBqZ6+(Gq&^z4!VE z{J{h86g&wZM&qViE0_Cx?kj6&c6N4Vc2@uV_t)P54&l!d9yGAH61HMTO?tjEu(BDt zEnn^Tf@)~a*lpXu!YLUl1Hy-dj|d+VJ|TQc z_>Ay5;S0i-gs%u+6TTsQOZblPJ>dt!k0tz6!p|lAQo^q#{8qy6CH!GvNiISLR)=xT zv?JT8D>Dkc?BBqmEO6$uop3<6wA1=Q z14}EB9VhCDmsV6dccvfKYFb0+q>+Y^ffX}u!)ygfD~iH6Rjz^M z?1a_bhb4PhGk3u1deYrbPO&#`wGtI`V3coQPvOj=hE)xNH0g#eZ^?D5-7Vz@)tNN5 zoivOMlr_8cDB%fP3P!EmtU`H5`FvsveE5f}EaWN96cac|*x;lB(ut z6?84+HHyR9w4FFC$VYd6;Bjf_DesD+IOI&Gvj#R7#vtJiWY@T2)@tI!x7^t7jOMu~ zuxcvg4e9Q(Gx+;ivE6l+QA$UYtNT_u~&0?Xmst7H3((aWp2<#eLq zvIh2QRtI%x9qr$>C*rW}xr&eSK23Sf4o-7Ero*r?RNt?w`@@y3iqAGH^{_M4*V{q= z&>YXI|C9>Yhs+Dz?9k;Y+Y1J6Ps)b^pW$)Mjcz;cf1y~%DwWB;?}IsdSo*H;w^q}R z<~Vc?F!=kq`?mlK_{RcVgo}CjUtA)?i?HwVW(g~VD}{%# zil4x0VOdDRHNv&Rb;9++4Z@AWO~TE>EyAtBZNlxs9m1W$UBcbMJ;KX`mkX~DUMbuw zyh^xFxL;@rE#a7OTzEiuP&gqxB)nR9jqqCGb;9d~HwbSO-Xy$Pc#H6`@K)gw;cdd( zg-3;x!aIb=gvW(<3hxr$Eu0eGBfM95LI}>|Nt{9j_i;{7a;ER+HvvHyX&}amHY}kS4DLZlX?|}-<7qq<8$WeBM77Ciz9@nsv`tAxX7BsgS zT2ZX_xk*(e6_S%(ctNe^`ZYuIz=#fKmw|vPv`i1=Ff)S+t!RI7R6LplVTD!+S}@{_ 
z8cjcLhG7sT%Bj#A9fYqEW2lv=p{C=sDzr|}5=1@H^xZ^b=q4)CiE#zZ*kkN9`YW_C zi)ylo4%}+Qk~RyPuN|0aE=`?BN#~_bbKlH#?UK$tVYDttsg+b7Kd3n2amW z8});6U(!V-?qj&WSkSU=_qxM$)R?481+6XXRAb6dvdmmAXk$;CTn4WcWSrg3befGu zD^hk4Ig+j}Sr~%Lt$m-M6=iO-=&lvCvaGv3!(dU@I%Y`wO{-RmRLx41*7Z=2U@}u% zC-XW%>wC{;+I1^RB;6or!&FwhmnGd;tjm08wyriwN6+FbYK2K4>DbiE4BfFHNvt7H zNxG%SGILVi*27!J#H=eXRFO{F?Zu+!MKlvv@2Wcmt?J5z-mSxNXK&tJlrJ;D!X({W zOn9ze%cl=sN%srdTs{rFm_x2_MXkslkTf*4rOoNoN0B5)(55MT#);)S7HW97xQFr~ zp1|g>7qgVw@GjH`ZF%^-4Ttp-<5rxgh9s|8GO3@uk>4xn4a<%Kty$PB8sF8W6cy_u zog<6_t$EUtln7c~nwwZ3byiI)GA3wgmqqNEPGpTsI#G-->oaRA(5rl~)F5{zJX}1} zvLH6P6}Go9h=U|6D8x~{7Lj=F>P_IFNH{7u9BWEo>N(G)3YQ!Q_Si_ zw`nDzr00qUZO%j=2dFtc(+kCd%h{*pN-qk1rmZj6 zamyQ(^hxn_|{WG9J)e)p$;)94)iV;W7T8AQ_;(@g$6m(D#& zG@IsdYaZhQ#zl-3jZ0{$#@V!-aV6twjYMnp|9aZMxQ{mB6K!GK%6I|eg^W8GO~!u4 z-Hdw}_cC6>cp2jrj8`#U!?>UE0OLW%!;IH69$~zR@n*&<_z2@;jE^&(Vtk76G~=_3&ojQr_%h?GjIT4k z$@n(oyNvHMe#rPS3))Zy3~j(r2i*1qozR9-U}yz~ zT43k}hGJl728L>2=my@OF|!E z40XZK7i?z?jnS@U44u)2(qL!}hT3504Tj=iXby(zVCW8p@?dBWhWcRW4?dMKY5?ui z8KVx+MkRnz3t&_O81(=~MSxKgU{nPdbpb|YfKeM@R0kOK0iI50=sWs>e$r>b8U5uK M-4gVhZVUS3e<1;2VgLXD literal 4135 zcmai0XLsC06uk-|O9>%lA2pb@Q~nP z!Ct{5f=3092_6?bA$U^ol;CN>GlFLY&k3FvydZc{@RHzV!7GAS1+NKS7rY^OQ}CAH zZNWQ&cLnbW-WPlz_)zeX;A6ojf=>mX2|gEmA^1}8mEdc^H-c{k-wD1K{7}V@f}bk* zxq@FR__c!HD)_yEKPvds!Qr{sIan4Y&6*c`^>M!zM*;sG9LkW^M!i%+y((u=kJ{}h zOl$S1)$;3EpudM599L@5@aqna=+9_-+4$KG7LUYUlKNYMY{bv@o!N?-%^+;nl!qtO z(p>0u_L~hqoy?-x!I2Y<$yz5&J8>K(ncvVag??5Woyq*sPNOm7;AlEE(Fuc0F%B|6 z(Ov4+%-MbW)g`Z;I#{Ap+-@jb3j^24b-3NlbVD-O?{-o@(b)Pe2kT2`&RMu)QJCo` z8U6f9jfQ3@UCej-d$PoODjlEpTdm13nhr}=O}Xl^#Z|S} zZTM3TR+f$UQ+}BBw!e122Dup34s7H$I_>sM;@6`@B_7xY9m;L<__76i9-UA&)?c`& z);JgL4!T~mnfOgF^Hr@<2YPmOjo9k_f5feidx>WJn)yuZbPc9g-krMU%>hlFsU9hfvb z4ea!kJ7ULYOgEIyq?z9y%!2L;d5iL}w!L~1mFUr(9|oElMajEEaT2MLnbyt|OJk5~ z1@fAjF~<~!)0W#vyy-!mdjoFMk90#tcXc#(c#G9WM}xL~u4LY9`Z+kN=!|ZCU`Cq% zQc;>T)oPsR1?8YvL3%@-mOdzoL7N+My-cs9V$I8q>!D@p=m&~7P=iPXR*HuZhbNZC{FgrR|JO)xKb-Sg5uaEp) 
zsLpY~t?TVI?X~pXR=g6+OU`sWcli$L%xl!u=T4wc7M7#l!y#^Y8B;^wJNE7wEJp)H z)xqfnk7sk--P*s$cO=nN(D1cPoLMmD_WG{~cb95C8by0Q2Ag|`h+UbYt1HC9NJLmFtF9>Jd-e!*wtq(&5H@c;M*6*uEMz-~RpPf?-OWzfJ z3bws?ABXk=jz0Xme+#fce=NX3SO_d!hJ&qpF&6CwDmcVihZ-Jcc(~zW#Urppv4SHF zml__W2rSe8D#UOLj%F8*F+A4rIK$%&PcU3=c%tD7!{a;c14a8=hf!rr`#|nxSjB(QwG{EW@)6hYdFwo@2P#@La?549_>b!0huGGuB)raI*QO4NyMDn+JNWU578-D4`oHZ>ztH8OQ0Q#mrV zBU3#x^&?Y3GBqSqMRI>9)RS#0N~We{s!FD=WGYLhwq&YHroLn|529TKpWM%=Gc|c|+keLf)W&@e|KxRge tnG64sAKOQ`-*i`XBl!KGy&M -- 2.39.5