From 4f2692f87071bc60480e1475246acdb68da02928 Mon Sep 17 00:00:00 2001
From: Andreas Beeker
Date: Fri, 20 Nov 2015 22:38:27 +0000
Subject: [PATCH] #58630 - Signing failed after deletion of first sheet
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1715438 13f79535-47bb-0310-9956-ffa450edef68
---
 .../dsig/facets/OOXMLSignatureFacet.java | 7 ++--
 .../poi/poifs/crypt/TestSignatureInfo.java | 32 ++++++++++++++++++
 test-data/xmldsign/bug58630.xlsx | Bin 0 -> 8563 bytes
 3 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 test-data/xmldsign/bug58630.xlsx
diff --git a/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java b/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java
index 8ba8bf2395..9e094a6415 100644
--- a/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java
+++ b/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java
@@ -33,7 +33,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
-import java.util.TimeZone;
 import javax.xml.XMLConstants;
 import javax.xml.crypto.XMLStructure;
@@ -113,6 +112,7 @@ public class OOXMLSignatureFacet extends SignatureFacet {
 references.add(reference);
 }
+ @SuppressWarnings("resource")
 protected void addManifestReferences(List manifestReferences) throws XMLSignatureException {
@@ -149,7 +149,10 @@ public class OOXMLSignatureFacet extends SignatureFacet {
 parameterSpec.addRelationshipReference(relationship.getId());
 // TODO: find a better way ...
- String partName = baseUri + relationship.getTargetURI().toString();
+ String partName = relationship.getTargetURI().toString();
+ if (!partName.startsWith(baseUri)) {
+ partName = baseUri + partName;
+ }
 try {
 partName = new URI(partName).normalize().getPath().replace('\\', '/');
 LOG.log(POILogger.DEBUG, "part name: " + partName);
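Review bot: The `@SuppressWarnings("resource")` added in the `@@ -113,6 +112,7 @@` hunk covers all of `addManifestReferences`, so it would also hide a leak from any closeable introduced in that method later. A one-line comment above the annotation naming the object that is deliberately left open and who owns it would keep the suppression reviewable. The method body lies outside the hunk, so which resource triggers the warning cannot be confirmed from here.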
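Review bot: In the `@@ -149,7 +149,10 @@` hunk the new guard `partName.startsWith(baseUri)` is a plain string-prefix test, so an absolute relationship target that lies outside `baseUri` still gets the base prepended and resolves to a name that is not the intended part. Checking whether the target is already absolute handles both forms: `if (!partName.startsWith("/")) { partName = baseUri + partName; }`. This method appears to build the manifest references for the signature, so a wrongly resolved name decides whether a part ends up covered by it. What happens to a name that matches no part is outside the hunk; it is worth confirming that this fails the signing instead of skipping the part. `baseUri` is computed above the hunk, and the remaining `// TODO: find a better way ...` would be more useful as a comment stating which target forms (relative, absolute) are expected here.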
diff --git a/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java b/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java
index 6f43fdd1f1..d2fead012d 100644
--- a/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java
+++ b/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java
@@ -28,6 +28,8 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -68,11 +70,13 @@ import org.apache.poi.poifs.crypt.dsig.services.RevocationData;
 import org.apache.poi.poifs.crypt.dsig.services.RevocationDataService;
 import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;
 import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;
+import org.apache.poi.ss.usermodel.WorkbookFactory;
 import org.apache.poi.util.DocumentHelper;
 import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LocaleUtil;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
+import org.apache.poi.xssf.streaming.SXSSFWorkbook;
 import org.apache.poi.xssf.usermodel.XSSFWorkbook;
 import org.apache.xmlbeans.XmlObject;
 import org.bouncycastle.asn1.x509.KeyUsage;
@@ -240,6 +244,7 @@ public class TestSignatureInfo {
 public void testManipulation() throws Exception {
 // sign & validate
 String testFile = "hello-world-unsigned.xlsx";
+ @SuppressWarnings("resource")
 OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
 sign(pkg, "Test", "CN=Test", 1);
@@ -379,6 +384,7 @@ public class TestSignatureInfo {
 try {
 si.confirmSignature();
 } catch (RuntimeException e) {
+ pkg.close();
 // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
 if(e.getCause() == null) {
 throw e;
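Review bot: In the `@@ -379,6 +384,7 @@` hunk `pkg.close()` runs as the first statement of `catch (RuntimeException e)`, so an exception thrown by `close()` itself would replace `e` and hide the real signing failure. Closing the package in a `finally` block, or guarding the call and recording a close failure with `e.addSuppressed(...)`, keeps the original cause visible. The try/catch continues past the end of the hunk, so whether the package is also closed on the success path cannot be seen here.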
@@ -546,6 +552,32 @@ public class TestSignatureInfo {
 }
 }
 }
+
+ @Test
+ public void bug58630() throws Exception {
+ // test deletion of sheet 0 and signing
+ File tpl = copy(testdata.getFile("bug58630.xlsx"));
+ SXSSFWorkbook wb1 = new SXSSFWorkbook((XSSFWorkbook)WorkbookFactory.create(tpl), 10);
+ wb1.setCompressTempFiles(true);
+ wb1.removeSheetAt(0);
+ ByteArrayOutputStream os = new ByteArrayOutputStream();
+ wb1.write(os);
+ wb1.close();
+ OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()));
+
+ initKeyPair("Test", "CN=Test");
+ SignatureConfig signatureConfig = new SignatureConfig();
+ signatureConfig.setKey(keyPair.getPrivate());
+ signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
+ signatureConfig.setOpcPackage(pkg);
+
+ SignatureInfo si = new SignatureInfo();
+ si.setSignatureConfig(signatureConfig);
+ si.confirmSignature();
+ assertTrue("invalid signature", si.verifySignature());
+
+ pkg.close();
+ }
 private void sign(OPCPackage pkgCopy, String alias, String signerDn, int signerCount) throws Exception {
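Review bot: `bug58630()` asserts only that `si.verifySignature()` returns true, which presumably would also pass if the remaining sheet's part were left out of the signed manifest and not resolved correctly. Since the fix changes how part names are built for signing, the test should also assert that the surviving worksheet part is among the references the signature covers. Separately, `pkg.close()` is reached only when every step before it succeeds; wrapping the signing steps in `try { ... } finally { pkg.close(); }` releases the package on a failed assertion too.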
diff --git a/test-data/xmldsign/bug58630.xlsx b/test-data/xmldsign/bug58630.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..cf7b1cc4f5bdb17225a3dc4de6f10c17464cc845 GIT binary patch literal 8563 zcmeHMbyQS+w;sA1q+#gpkQh3pq$L#?x`vWQkd|)ga_DYpkPeYfL8JtcQl#UKzTfxx zzP#Rb|Gn$p_slxytXb>q=ge>Rv-f^}d#fuWAQA$Q0jK}~fCk`v#*#hZZ zXuVc{p_pSj)E>uHgD6fKUHRHgFfiJtTwvb*LKZGiH;!F4JT{+}xBty z*#X1uAQSB%I)zr#rK9F^nBC_HX=Qb_O17`VWHpfnA-A^S&Q<^v!#o@yVG5vzSD&rL zqa#SVTvcViNj5ixs%zD`!tc#!ajgxt@?OnAUXHOuq6e`qWUN9>wV*IjM|#O`zmg$$ zha>RYpv`O$f@HMOb0x6{(&1#-qb+SVaJwrRJhYIZdF7v88@Dvhp*QAwYqJjzcPj|l{006hQ2mtlJ#9o6AH{Ev_ zp;Ta@g#j3Yd*WhY@5;sb;|k0l{wL=C&%|0(!aG=)VfG&=w#jT^wIK){S!}UQij>wWpQm}Bw0(+6`dJB;6wJ6DK0?`roO&Lp!l6OnR>Cz() zf{4ClPT>t*(t;7P85fNn9^WCh^#|QOATD-h5QyE6O7k!3BmSU1?Aia{ zM_b}M+n=NfY7d(5b53xyND^s}lBzO11u$x?jrR(soG?Ko5@lK>hdA?ygXpjPB*u%b zKNcPI5+mDY>BKRxpw<_Z87wiM3AKxZf`GG)lUa4eCX#_N&i+mQJ!-C3vW4I2^CK9L zLKhC8&`Faj7H2Al%xTW!bTBE|&Qq^htYMI96YtebfLS3+Omd)8xgbz2D0b}DuC>Kc z+1Gi~DmJA`ZxBK}W{xWy@p&A`mTEvhFvR$x7g*J^aX)nErAaM$kGV4Ul7Q*pcEF5i zSgLeOx$W%ZKraKL&@j%>XXu#G-xIFa(@!WKqH*nmSq3~7!!no6jxc`5plva~58g0V zWWll}4vZQw2K|{kQJP|qH{7_(Y~LmHR+OcIgf#fj(u!eC9`#gJUz&R{lndB2w;fh= z)~rvrH!=^FFNLg{Tc#5-yY=#P+^9JZ`?snnN^=U^>PqufCzbXRh)-Kypv7!*V%X(9?JvqfYEgUSkeqMQgg!vbJ zRS3BpNeA5#wY(1m%+yG(@U--->^UPt#Bx5>!0yrhbe(8fnzQBybst%2X~JHl7vw02 z+O`awn{$W}xr)~qZG3gDD=+5gZRl{-sqqiK@Ex4aMOA(9#N~054Tgdoy=KaYaN_4b zfyq!f4#ukeEv95NKYB)y#y%LyAlO-+e|DO+>!}<G z9Y?aF`Z~NiPyw$z8c7_v1<%m1N}J3MudpV}i~?>!jJ-JNOzEW}S?`Lwe8)h5LOJyD zVH%0`TJJKrYu!diX2ZxmRZ=0f0c0YuH6Zg<(ktAwWL0jYEH$>N(a#SHQjn2qP}5Xh z1rguraO?4GarBHZN#d(Gv3qN`oY?`#-4M0=-8<{CK#>(-{!~hbO*!7OqEp|&iXQ`b z`83VFNV96%$oKh8f5PZn_f}&_VXa<1vU%rh%3(&byo1$pH+fv&+{?p;6Sbl#r$c1( zqi6=-TZ1|c*CS*?Ub2TT#~1UipDBrjsR%7`gh1eZ>k{4&Glz$Q+V~^UVrPa;A`ksI zF9OCDLy4l})0xZz{lYh}W8?$P-oiofj6A_FeVgl{X*4?+>BT9h&jM-K?j1iCyWOAp zR?{BBUz>& z0nhn;#^5}c&GR8_;NcJ$ii^pVG_YSRz&o>eT*&u&vF7cK@$^=?$}Xp{OMDz|YBH(> 
z{V316Do9I+l}@-9kB!V1r>t6Ku-oWN&gdcQp_?R$LOaj%eqGu=6!>Efq3e60fjXa0 z`~+i-pz3Z0@~$|pk7eD@>j~DFS$eRoDel!A46y_=%cB@2cb_(A&|HvS1*|9UcPPJD z-><{yrX&-h<$#y%Oha>!E1p)nj<&vf)R(GJ+&_B(iF6)WdOoY2g5O%CbjbR?v-;5e zh+Q0ryE_v7$zj>g(4+m=W8ei42)*uW-L7%wQ&oZTNq{0bEYRj@2@duOKfEsTYGWSPaSRA6m zq>LBpOpSBM?4{!L_P*5^uZ)i@d;~Iqz12)&a!Frdsjjw-3RV`#O6|>=>dr`KWf;zc zTiRyza6BT-d|gh)zBL=ngV=otuj|+)Y+M)GgJx-7zUL_Fv~_PiWW+5V^C%T6KIzSM zS!|n`)ECi=6EM$m6feG$W!eDWRLFRV{C;d5O53`K?w)qK(yOeG$khfVIMo)ZeVv-g zExDB z$r6b}EospU733c+<44ph7uG+Y+clXT(d?4Huv4t5LF+z@eE{d~W~|IeuvV5|hrzb! ze!|01;9D3@61)!PH{){-@4gn%mdfEtb`mpX4SW_b!tdblZJ1-sW|F9?8gr}?oDwX= z(Ig^Qr_$(@IM9r_RRW~i)@5zg*k3D6P3olAi7>sA(2_ePc+E9WVuy3)l*Pt9dA|7d zwK`20Yf|v^0Y)l?%3gr=a}0e?EGeXy!&{v|g^SL&!pc2R0gB6M8mze7@mOtURN;VH z^ZWx$vzdAi{RDOfbJ|j1rAqlcor~->WlAa{sAR=N@X7TnSfoVDOfCX$fG`4<#K_*H)X5_BM`M9t~3q!QA z(T+_OD_blpznXtYjklj?tEgfP^3d0fnqoOb^oCSx5|QAlnw~o<8zB)T?keTgLd!K1 ztRnqgoK`g;83n_n#S56UAo(RNT&*oE++4YS-gti$t|-kVr5;IKKjNz}ixmg_3SH#{ z+ItfyQf=ap#0Rzf3;OOw6&K&t@Jj=cPKHeP3;y%*4qd}*@?Ll;SVoI><+~wv%DXhug*We!%Y*WOG|XFR+ril z6ZoxoB(K=+)w+;)q=*B16sqejHD)QR)@nk8YFLT_Zfu3+M{2Tl_zfEy`dJ((NSD-z z5qEQE{G@M{^UAaASp?BU3(or#(q2E?W42T8)U}neWNc5ly)u?&yk^-7e71I*^XKmO ztv`qM`CQCEO7uUK6lEoR#MhYId0c9qjrum<16`OwKy1$;8#Y-&21?@^eB$)}swXZMj|_8R&Ma zI4va8Wiij6pSl)-SHO$zD^97^>R{bmsFc9kEfB3<*(y|4pF^;($vBRW89z$epF`sY z?RTClCc}y=gL&@lfA2ZIKRl-jS>ncQ$JzGBb$eoO(Mt)gb2v*ALp>;g!9pv%$wAn{O_f<`u|GJYmM2|lxb>~&tegg>aQGm$pIC98Hj zH{KsOe0lQO*ze6Di2?vWYSoNRfwq$~qF5nS+b9=hAdRXA8ota;IDw*W?3iv}!#=WP zrrAG4YD#&7f^fNFJ)bYGvTBWtWj z@b-vmsmmodeqI)~6{#xhl#cZszEo5Cm=z<-6;@3L%0qfRAQg{y@(Yr#eIAX&0 ziMkSvBP~L_?OQoMV?m?9$5@9tA>FT;*^l3Aaq4OYr|~TXiz^)H&RIOIYq=5fZ_@k{ zk6PqUukcK7Rb#jhg~eM|M3i0GY#ENS?QmFTK8?78ZiOu9Bhx6?oMPz z^SCOSo9fTx#w|`GwHOFd;zV*V-+P!vjh`37#LMp}&NrH`q->u@OzL6ax&%HpD!?mY zf0^{^W#Dix8#UAYt~cmam!_~=d*8jAoT}R}=Tfj*kP5Q~ZTL3mxfJGo9hOY| zR<*pfA72-apHxrfHs(WluI%iSDEFmeWxqjQ9v|1WL%}{LBz)$vC@FErj3iS7jvB3l z44oNyy*3YnFx%|NW{}e)fU9;9L05Li 
zerCSjYrJK|g{s+8Vl*>mJ@W#bh!%gZ@A0g>Wp?zhy7@2b^C3Hi-m(X%%yi^9llX*1 zQE1~&SsnHSRkvF^CdFqlMVg$?3SHFd)KrC}S_Tmn+MN@Rxn|_|{6}iReiaWRh#RX^ z-filqdyF;p_+Uo7qb>guC5JGVAcLT&L-|fsuaGpCeP^%mWb|n>^-Rle-*Ju6I z25DnrZ#8nZR-NMp&q+Ir^ed=Bg$K@2Sf2fspB#(S1phVK zaH%(>5g}Pj7`L3cBV@yoP0&U$fBB}}rga88H1;$*@gUphL8C~q$OYVPsr;w#ezXY5 zNO@iFm#>;!q7O7SKywLm(V-NS-FZ5&goM^33;x(Ah+JOPCHEXkNx-P!bAUzH`$CL) ze{FSK>b;<@GqqAHU1%g%2SNhl5T(Xy^G0?ecKBOGStckU-K6hQ3yPvtE;7=hs5DsV zrj4rHf?MjV_Wn3oZ%t_v6 ztH`8+9jp6a*ZhdBt&68t{a?5}XX&%ioD|MLS#yyFA%wnvnUi}4o2mUh`$y7s$Cto( z=LF0CxPRuIsgu(`wEIE0KaR}AZbz783q3$M!4BPzeqYZVDygdhW%Hh|1~~gznTz1D zDhKwGIp0V52^5-btOdmYVr{6z~9x}kx5H+mc)gR-nAJ$oP#5mCuH}(VT z(^nIbSk;(N%DZ!QKEo?p1tCw8)R~)tyWM4=QLx#{mWW_RVE>6^9cg zr^p;fUfCa<-xDmNm$CWto4;DmFSr$`$ozc1X18#T$S${os!~Fp)Vx|G3-W~2!z;DE zlxRTbY)P*@@ClJWEMdm~PB!B+KK-3)O1qqh#Hf&Zm`p{s`ytX%)HwAPx?8wreZ93t zJcj->^^VXd_9e+)syY)6M648i#}9&xGWNbuAoUw$fxhVTZyBgTt0i{Yp-wF(WV?o5 zeEiVWwwn7SHVIB+`nJ3z{xfW-Zg7{D5n|j?<8;`~_Cfj~$Y^COTX<(!6Hf@qwmG@P zz}K=(ZqX=91*#OUs24l>h@Z4506{97ZOpTxsCorbRL5FUprYr9QyJ_YCQW*j-Zw-S zqQ@fQKrgYJ%^mW}u{_4Josz*$n4kWjHyk_%Oq~6Gr2KDp{`>x$0kgXDUjhC)7yGy2 zkGn4{X8trKyKDH@A;X^ytzjL>|9<3f7w2xP`4>_tY-)a|@qE|#ZUgj}u?G5Y+o5*> z?(Rl^0U+W1=k0&no8CpayEFQQ(ux0Dl%M;gyC`?%_b-%Om>U0`7{7~fSM2^ma3lHy z;Xl&%uIXKE^~+R}__s^=skH8*{I$;i!Te@)kaHg|z_xc_7RujH++ Uj09sE0D$@910$;j)sJug1-{dGb^rhX literal 0 HcmV?d00001 -- 2.39.5