#65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1894701 13f79535-47bb-0310-9956-ffa450edef68

4 files changed, 65 insertions, 14 deletions

diff --git a/poi-ooxml/build.gradle b/poi-ooxml/build.gradle
index d0fd2cae63..412880b609 100644
--- a/poi-ooxml/build.gradle
+++ b/poi-ooxml/build.gradle
@@ -74,11 +74,11 @@ dependencies {
     api "org.apache.logging.log4j:log4j-api:${log4jVersion}"
     api 'org.apache.commons:commons-collections4:4.4'
 
-    signingImplementation 'org.apache.santuario:xmlsec:2.2.3'
+    signingImplementation 'org.apache.santuario:xmlsec:2.3.0'
     signingImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
     signingImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
 
-    rendersignImplementation 'org.apache.santuario:xmlsec:2.2.3'
+    rendersignImplementation 'org.apache.santuario:xmlsec:2.3.0'
     rendersignImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
     rendersignImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
 
diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
index ccbdd517ac..1a6006c0f9 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java
@@ -212,6 +212,14 @@ public class SignatureConfig {
      */
     private boolean allowMultipleSignatures = false;
 
+    /**
+     * Switch to enable/disable secure validation - see setter for more information
+     *
+     * @since POI 5.2.0
+     */
+    private boolean secureValidation = true;
+
+
     public SignatureConfig() {
         // OOo doesn't like ds namespaces so per default prefixing is off.
         // namespacePrefixes.put(XML_DIGSIG_NS, "");
@@ -1074,4 +1082,39 @@ public class SignatureConfig {
     public void setAllowMultipleSignatures(boolean allowMultipleSignatures) {
         this.allowMultipleSignatures = allowMultipleSignatures;
     }
+
+    /**
+     * @return is secure validation enabled?
+     *
+     * @since POI 5.2.0
+     */
+    public boolean isSecureValidation() {
+        return secureValidation;
+    }
+
+    /**
+     * Enable or disable secure validation - default is enabled.
+     * <p>
+     * Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail,
+     * because a maximum of 30 references were hard-coded allowed for secure validation to succeed.
+     * <p>
+     * Secure validation has the following features:
+     * <ul>
+     * <li>Limits the number of Transforms per Reference to a maximum of 5.
+     * <li>Does not allow XSLT transforms.
+     * <li>Does not allow a RetrievalMethod to reference another RetrievalMethod.
+     * <li>Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
+     * <li>Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
+     * <li>MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
+     * <li>Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
+     * <li>Does not allow DTDs
+     * </ul>
+     *
+     * @see <a href="https://santuario.apache.org/faq.html#faq-4.SecureValidation">XmlSec SecureValidation</a>
+     *
+     * @since POI 5.2.0
+     */
+    public void setSecureValidation(boolean secureValidation) {
+        this.secureValidation = secureValidation;
+    }
 }
\ No newline at end of file
diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
index 1fd4151eb7..19440d0938 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java
@@ -56,6 +56,7 @@ import org.xml.sax.SAXException;
 public class SignaturePart {
     private static final Logger LOG = LogManager.getLogger(SignaturePart.class);
     private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
+    private static final String XMLSEC_VALIDATE_SECURE = "org.apache.jcp.xml.dsig.secureValidation";
 
 
     private final PackagePart signaturePart;
@@ -121,6 +122,7 @@ public class SignaturePart {
 
             DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
             domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
+            domValidateContext.setProperty(XMLSEC_VALIDATE_SECURE, signatureInfo.getSignatureConfig().isSecureValidation());
 
             URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer();
             domValidateContext.setURIDereferencer(uriDereferencer);
diff --git a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java
index fa6054bb92..ec21a8d982 100644
--- a/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java
+++ b/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java
@@ -170,6 +170,7 @@ import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.w3.x2000.x09.xmldsig.ObjectType;
 import org.w3.x2000.x09.xmldsig.ReferenceType;
@@ -344,21 +345,22 @@ class TestSignatureInfo {
     }
 
     @ParameterizedTest
-    @ValueSource(strings = {
-        "hyperlink-example-signed.docx",
-        "hello-world-signed.docx",
-        "hello-world-signed.pptx",
-        "hello-world-signed.xlsx",
-        "hello-world-office-2010-technical-preview.docx",
-        "ms-office-2010-signed.docx",
-        "ms-office-2010-signed.pptx",
-        "ms-office-2010-signed.xlsx",
-        "Office2010-SP1-XAdES-X-L.docx",
-        "signed.docx"
+    @CsvSource(value = {
+        "hyperlink-example-signed.docx, true",
+        "hello-world-signed.docx, true",
+        "hello-world-signed.pptx, false",
+        "hello-world-signed.xlsx, true",
+        "hello-world-office-2010-technical-preview.docx, true",
+        "ms-office-2010-signed.docx, true",
+        "ms-office-2010-signed.pptx, false",
+        "ms-office-2010-signed.xlsx, true",
+        "Office2010-SP1-XAdES-X-L.docx, true",
+        "signed.docx, true"
     })
-    void getSigner(String testFile) throws Exception {
+    void getSigner(String testFile, boolean secureValidation) throws Exception {
         try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
             SignatureConfig sic = new SignatureConfig();
+            sic.setSecureValidation(secureValidation);
             SignatureInfo si = new SignatureInfo();
             si.setOpcPackage(pkg);
             si.setSignatureConfig(sic);
@@ -909,6 +911,10 @@ class TestSignatureInfo {
     @Test
     void testRetrieveCertificate() throws InvalidFormatException, IOException {
         SignatureConfig sic = new SignatureConfig();
+        // starting with xmlsec 2.3.0 disabling secure validation was necessary because of limitations
+        // on the amount of processed internal references (max. 30)
+        sic.setSecureValidation(false);
+
         final File file = testdata.getFile("PPT2016withComment.pptx");
         try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {
             sic.setUpdateConfigOnValidate(true);