#65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1894701 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 45 insertions, 0 deletions

diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
index ccbdd517ac..1a6006c0f9 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
@@ -212,6 +212,14 @@ public class SignatureConfig {
      */
     private boolean allowMultipleSignatures = false;
 
+    /**
+     * Switch to enable/disable secure validation - see setter for more information
+     *
+     * @since POI 5.2.0
+     */
+    private boolean secureValidation = true;
+
+
     public SignatureConfig() {
         // OOo doesn't like ds namespaces so per default prefixing is off.
         // namespacePrefixes.put(XML_DIGSIG_NS, "");
@@ -1074,4 +1082,39 @@ public class SignatureConfig {
     public void setAllowMultipleSignatures(boolean allowMultipleSignatures) {
         this.allowMultipleSignatures = allowMultipleSignatures;
     }
+
+    /**
+     * @return is secure validation enabled?
+     *
+     * @since POI 5.2.0
+     */
+    public boolean isSecureValidation() {
+        return secureValidation;
+    }
+
+    /**
+     * Enable or disable secure validation - default is enabled.
+     * <p>
+     * Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail,
+     * because a maximum of 30 references were hard-coded allowed for secure validation to succeed.
+     * <p>
+     * Secure validation has the following features:
+     * <ul>
+     * <li>Limits the number of Transforms per Reference to a maximum of 5.
+     * <li>Does not allow XSLT transforms.
+     * <li>Does not allow a RetrievalMethod to reference another RetrievalMethod.
+     * <li>Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
+     * <li>Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
+     * <li>MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
+     * <li>Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
+     * <li>Does not allow DTDs
+     * </ul>
+     *
+     * @see <a href="https://santuario.apache.org/faq.html#faq-4.SecureValidation">XmlSec SecureValidation</a>
+     *
+     * @since POI 5.2.0
+     */
+    public void setSecureValidation(boolean secureValidation) {
+        this.secureValidation = secureValidation;
+    }
 }
\ No newline at end of file
diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
index 1fd4151eb7..19440d0938 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
@@ -56,6 +56,7 @@ import org.xml.sax.SAXException;
 public class SignaturePart {
     private static final Logger LOG = LogManager.getLogger(SignaturePart.class);
     private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
+    private static final String XMLSEC_VALIDATE_SECURE = "org.apache.jcp.xml.dsig.secureValidation";
 
 
     private final PackagePart signaturePart;
@@ -121,6 +122,7 @@ public class SignaturePart {
 
             DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
             domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
+            domValidateContext.setProperty(XMLSEC_VALIDATE_SECURE, signatureInfo.getSignatureConfig().isSecureValidation());
 
             URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer();
             domValidateContext.setURIDereferencer(uriDereferencer);