From f2f4ea44b6a5406704fb69c04911e6c7e34b854a Mon Sep 17 00:00:00 2001 From: Andreas Beeker Date: Wed, 3 Nov 2021 00:00:21 +0000 Subject: [PATCH] #65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1894701 13f79535-47bb-0310-9956-ffa450edef68 --- poi-integration/build.gradle | 1 + poi-ooxml/build.gradle | 4 +- .../poi/poifs/crypt/dsig/SignatureConfig.java | 43 +++++++++++++++++++ .../poi/poifs/crypt/dsig/SignaturePart.java | 2 + .../poifs/crypt/dsig/TestSignatureInfo.java | 30 +++++++------ 5 files changed, 66 insertions(+), 14 deletions(-) diff --git a/poi-integration/build.gradle b/poi-integration/build.gradle index b6f73982f4..e6eafcbb8f 100644 --- a/poi-integration/build.gradle +++ b/poi-integration/build.gradle @@ -184,3 +184,4 @@ javadocJar.onlyIf { false } sourcesJar.onlyIf { false } generateMetadataFileForPOIPublication.enabled = false +publishPOIPublicationToMavenLocal.enabled = false diff --git a/poi-ooxml/build.gradle b/poi-ooxml/build.gradle index d0fd2cae63..412880b609 100644 --- a/poi-ooxml/build.gradle +++ b/poi-ooxml/build.gradle @@ -74,11 +74,11 @@ dependencies { api "org.apache.logging.log4j:log4j-api:${log4jVersion}" api 'org.apache.commons:commons-collections4:4.4' - signingImplementation 'org.apache.santuario:xmlsec:2.2.3' + signingImplementation 'org.apache.santuario:xmlsec:2.3.0' signingImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}" signingImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}" - rendersignImplementation 'org.apache.santuario:xmlsec:2.2.3' + rendersignImplementation 'org.apache.santuario:xmlsec:2.3.0' rendersignImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}" rendersignImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}" diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java index ccbdd517ac..1a6006c0f9 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java +++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java @@ -212,6 +212,14 @@ public class SignatureConfig { */ private boolean allowMultipleSignatures = false; + /** + * Switch to enable/disable secure validation - see setter for more information + * + * @since POI 5.2.0 + */ + private boolean secureValidation = true; + + public SignatureConfig() { // OOo doesn't like ds namespaces so per default prefixing is off. // namespacePrefixes.put(XML_DIGSIG_NS, ""); @@ -1074,4 +1082,39 @@ public class SignatureConfig { public void setAllowMultipleSignatures(boolean allowMultipleSignatures) { this.allowMultipleSignatures = allowMultipleSignatures; } + + /** + * @return is secure validation enabled? + * + * @since POI 5.2.0 + */ + public boolean isSecureValidation() { + return secureValidation; + } + + /** + * Enable or disable secure validation - default is enabled. + *

+ * Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail, + * because a maximum of 30 references were hard-coded allowed for secure validation to succeed. + *

+ * Secure validation has the following features: + *

+ * + * @see XmlSec SecureValidation + * + * @since POI 5.2.0 + */ + public void setSecureValidation(boolean secureValidation) { + this.secureValidation = secureValidation; + } } \ No newline at end of file diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java index 1fd4151eb7..19440d0938 100644 --- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java +++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java @@ -56,6 +56,7 @@ import org.xml.sax.SAXException; public class SignaturePart { private static final Logger LOG = LogManager.getLogger(SignaturePart.class); private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests"; + private static final String XMLSEC_VALIDATE_SECURE = "org.apache.jcp.xml.dsig.secureValidation"; private final PackagePart signaturePart; @@ -121,6 +122,7 @@ public class SignaturePart { DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc); domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE); + domValidateContext.setProperty(XMLSEC_VALIDATE_SECURE, signatureInfo.getSignatureConfig().isSecureValidation()); URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer(); domValidateContext.setURIDereferencer(uriDereferencer); diff --git a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java index fa6054bb92..ec21a8d982 100644 --- a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java +++ b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java @@ -170,6 +170,7 @@ import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Tag; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; import org.junit.jupiter.params.provider.ValueSource; import org.w3.x2000.x09.xmldsig.ObjectType; import org.w3.x2000.x09.xmldsig.ReferenceType; @@ -344,21 +345,22 @@ class TestSignatureInfo { } @ParameterizedTest - @ValueSource(strings = { - "hyperlink-example-signed.docx", - "hello-world-signed.docx", - "hello-world-signed.pptx", - "hello-world-signed.xlsx", - "hello-world-office-2010-technical-preview.docx", - "ms-office-2010-signed.docx", - "ms-office-2010-signed.pptx", - "ms-office-2010-signed.xlsx", - "Office2010-SP1-XAdES-X-L.docx", - "signed.docx" + @CsvSource(value = { + "hyperlink-example-signed.docx, true", + "hello-world-signed.docx, true", + "hello-world-signed.pptx, false", + "hello-world-signed.xlsx, true", + "hello-world-office-2010-technical-preview.docx, true", + "ms-office-2010-signed.docx, true", + "ms-office-2010-signed.pptx, false", + "ms-office-2010-signed.xlsx, true", + "Office2010-SP1-XAdES-X-L.docx, true", + "signed.docx, true" }) - void getSigner(String testFile) throws Exception { + void getSigner(String testFile, boolean secureValidation) throws Exception { try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) { SignatureConfig sic = new SignatureConfig(); + sic.setSecureValidation(secureValidation); SignatureInfo si = new SignatureInfo(); si.setOpcPackage(pkg); si.setSignatureConfig(sic); @@ -909,6 +911,10 @@ class TestSignatureInfo { @Test void testRetrieveCertificate() throws InvalidFormatException, IOException { SignatureConfig sic = new SignatureConfig(); + // starting with xmlsec 2.3.0 disabling secure validation was necessary because of limitations + // on the amount of processed internal references (max. 30) + sic.setSecureValidation(false); + final File file = testdata.getFile("PPT2016withComment.pptx"); try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) { sic.setUpdateConfigOnValidate(true); -- 2.39.5