Bug 60320

Summary: issue opening password protected xlsx
Product: POI Reporter: PJ Fanning <fanningpj>
Component: POIFSAssignee: POI Developers List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 3.15-FINAL   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: password protected xlsx
preliminary patch for decrypting

Description PJ Fanning 2016-10-28 22:04:51 UTC
Created attachment 34408 [details]
password protected xlsx

I will attach TestThisEncryption.xlsx. The password is: Test001!!
This opens ok in Excel but Poi fails to decrypt it using the password.
It seems to happen if the xlsx is created in one Excel version and then later password protected with a recent version of Excel on Windows.
If anyone has any insight into why this workbook won't decrypt in Poi 3.15 that would be appreciated.

This is the decryptor check that fails for me:

  def checkPassword(fileName: String, password: String) {
    val fs = new POIFSFileSystem(new FileInputStream(fileName))
    val info = new EncryptionInfo(fs)
    val decryptor = Decryptor.getInstance(info)
    println(s"$fileName password works? ${decryptor.verifyPassword(password)}")
  }
Comment 1 Andreas Beeker 2016-10-28 22:15:30 UTC
the file also can't be opened via Libre Office 5 ... is the password wrong?
Comment 2 PJ Fanning 2016-10-28 22:21:48 UTC
Thanks Andreas for checking. The xlsx opens for in Excel 2016 on Mac. The xlsx itself was created by a colleague using a Windows install of Excel.
Comment 3 Andreas Beeker 2016-10-28 22:27:56 UTC
hm .. the cipher of the header (aes128) doesn't match the cipher of the verifier (aes256) ...
Comment 4 Javen O'Neal 2016-10-29 00:11:49 UTC
I am able to open the workbook with "Test001!!" in Excel 2013 on Windows 7.
Comment 5 Andreas Beeker 2016-10-29 08:15:25 UTC
Up till now the implementation used the cipher and hashes of the header and verifier interchangeably, as they were always the same in the test files.
So I guess, now we need to use the verifier data (keydata element) for validating the key, and the header data for en-/decryption.
I'll play around with it ...
(and it looks like Libre Office made the same mistake ...)
Comment 6 Andreas Beeker 2016-10-29 21:28:12 UTC
Created attachment 34410 [details]
preliminary patch for decrypting

This is a preliminary patch for decrypting. Currently encryption doesn't work. When both work, I'll add another customized encryption test, to produce a similar file as the original failing one ...
Comment 7 Andreas Beeker 2016-11-01 01:34:37 UTC
Thank you for providing the test file - patch applied via r1767399

I guess this won't be the last issue around encryption, as the agile encryption leaves a few more possibilities open on what to go wrong next :|