[Bug 65214] New: Document signed by POI reported as 'partially' signed

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=65214

            Bug ID: 65214
           Summary: Document signed by POI reported as 'partially' signed
           Product: POI
           Version: 4.1.2-FINAL
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: OPC
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 37795
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37795&action=edit
Sample documents and code

I sign a Word document containing a hyperlink with POI/OPC
SignatureInfo.confirmSignature().

SignatureInfo.verifySignature() returns true/successfully verified.

However, when the signed document is opened with MS Word, Word reports the
signature status as 'Partial signatures'.

If the document is signed with MS Word (MSO Version 2102), Word reports the
status as 'Valid signatures'.


Comparing the sig.xml generated by POI with the sig.xml generated by Word shows
that Word includes a RelationshipReference to the Hyperlink, whereas POI skips
it.

<Reference URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
  <Transforms>
    <Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
      ...
      <mdssi:RelationshipReference xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId6"/>
      ...


In OOXMLSignatureFacet.java is the following comment and code, so it seems to
be a glitch in MS Word:

/*
 * ECMA-376 Part 2 - 3rd edition
 * 13.2.4.16 Manifest Element
 * "The producer shall not create a Manifest element that references any data
 * outside of the package."
 */
if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
    continue;
}


However, as users get suspicious when Word reports 'Partial signatures', I
wonder if an additional OfficeSignatureFacet would make sense, which adds the
RelationshipReference to Hyperlinks to the signature.

Attached are the input and signed documents and sample code to create the
signed document with POI/OPC.

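Added example, not part of the original report or of POI's code: a Python check that lists which relationships of a .rels part are not covered by a sig.xml, which is the difference the report describes between the POI and Word signatures. It goes slightly beyond the report by also honouring RelationshipsGroupReference (SourceType) entries and references without a RelationshipTransform. The sample XML, the function names and the example.com target are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PKG = "http://schemas.openxmlformats.org/package/2006/"
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdssi": PKG + "digital-signature", "rel": PKG + "relationships"}
REL_TRANSFORM = PKG + "RelationshipTransform"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def unsigned_relationships(sig_xml, rels_part, rels_xml):
    """Return (Id, TargetMode) of each relationship in rels_part not covered by sig_xml."""
    rels = ET.fromstring(rels_xml).findall("rel:Relationship", NS)
    describe = lambda r: (r.get("Id"), r.get("TargetMode", "Internal"))
    # Reference URIs carry a "?ContentType=..." suffix; compare the part name only.
    ref = next((r for r in ET.fromstring(sig_xml).iter("{%s}Reference" % NS["ds"])
                if r.get("URI", "").split("?", 1)[0] == rels_part), None)
    if ref is None:
        return [describe(r) for r in rels]   # part is not referenced at all
    xform = next((t for t in ref.iterfind("ds:Transforms/ds:Transform", NS)
                  if t.get("Algorithm") == REL_TRANSFORM), None)
    if xform is None:
        return []                            # assumption: whole part digested as-is
    ids = {e.get("SourceId") for e in xform.findall("mdssi:RelationshipReference", NS)}
    types = {e.get("SourceType")
             for e in xform.findall("mdssi:RelationshipsGroupReference", NS)}
    return [describe(r) for r in rels
            if r.get("Id") not in ids and r.get("Type") not in types]

# Constructed sample data (not taken from the attachment).
RELS_PART = "/word/_rels/document.xml.rels"
RELS_XML = (
    '<Relationships xmlns="%srelationships">'
    '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
    '<Relationship Id="rId6" Type="%shyperlink" Target="https://example.com/"'
    ' TargetMode="External"/></Relationships>' % (PKG, OFFICE_REL, OFFICE_REL))

def sample_sig(source_ids):
    """Build a minimal constructed sig.xml that references the given SourceIds."""
    refs = "".join('<mdssi:RelationshipReference SourceId="%s"/>' % i for i in source_ids)
    return ('<Signature xmlns="%s" xmlns:mdssi="%s"><Object><Manifest>'
            '<Reference URI="%s?ContentType=application/'
            'vnd.openxmlformats-package.relationships+xml"><Transforms>'
            '<Transform Algorithm="%s">%s</Transform></Transforms></Reference>'
            '</Manifest></Object></Signature>'
            % (NS["ds"], NS["mdssi"], RELS_PART, REL_TRANSFORM, refs))

if __name__ == "__main__":
    # Signature that skips the external hyperlink vs. one that references it.
    print("skips rId6:   ", unsigned_relationships(sample_sig(["rId1"]), RELS_PART, RELS_XML))
    print("includes rId6:", unsigned_relationships(sample_sig(["rId1", "rId6"]), RELS_PART, RELS_XML))
```

To run it against a real signed document, read the .rels part and the sig.xml part out of the package with the zipfile module and pass their contents in.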