Bug 62159

Summary: Support XML signature over windows certificate store
Product: POI
Reporter: Andreas Beeker <kiwiwings>
Component: OPC
Assignee: POI Developers List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 4.0.x-dev
Target Milestone: ---
Hardware: All
OS: All

Description Andreas Beeker 2018-03-05 23:59:42 UTC
Up till now it was not possible to use a windows certificate store entry to sign an OPC package, because the code expected the encoded format of the key. Furthermore there were some SHA2 workarounds in place for an IBM JDK6, which is now obsolete as we've upgraded to JDK8.

Using the windows keys is not straightforward, as the SunMSCAPI has some surprises [1] - especially using the private key with the cipher api actually results in signing it with the public key ... therefore the existing code using the cipher api only works with keys derived from PKCS12 / JKS keystores.

I've refactored a few of the internals, but kept the documented convenience API [2] as-is.

Another flaw I've discovered by testing the various hashes was that XmlSec is adding line-breaks to the digests when the base64-encoded hash/digest is longer than the base64 default line-length of 76 chars. This affects hashes with 64 bytes like SHA512, and Office marks the signature as invalid.
To workaround you need to set the following JVM property [3]:
-Dorg.apache.xml.security.ignoreLineBreaks=true

I haven't hardcoded that setting as I think this is a bad approach, i.e. setting it in POI (+ security manager handling) is as bad as relying on a JVM property to be set instead of providing an API for it ...


[1] https://stackoverflow.com/questions/39196145
[2] http://poi.apache.org/encryption.html#Signing+an+office+document
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=42061
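The two points of the report, signing with a non-exportable Windows store key through the Signature API instead of the Cipher API, and the 76-column Base64 wrapping that bites 64-byte digests, as an added stand-alone example. This is not POI's code or the committed change; it is written here for illustration. It assumes a Windows JDK with the SunMSCAPI provider, an RSA signing certificate whose friendly name is passed as the first argument (the default alias "my-signing-cert" is a placeholder), and it uses java.util.Base64's MIME encoder, whose 76-column default mirrors the XmlSec line length the report describes, as a stand-in for XmlSec's own encoder.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class WindowsStoreSignDemo {

    /** Loads the private key entry for ALIAS from the Windows "MY" store (SunMSCAPI). */
    static KeyStore.PrivateKeyEntry loadFromWindowsStore(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY"); // keystore type provided by SunMSCAPI
        ks.load(null, null);                              // no file and no password: backed by CryptoAPI
        KeyStore.Entry e = ks.getEntry(alias, null);
        if (!(e instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalArgumentException("no private key entry for alias " + alias);
        }
        return (KeyStore.PrivateKeyEntry) e;
    }

    /**
     * Signs DATA via the Signature API. This path works for MSCAPI keys, which are not
     * exportable (getEncoded() returns null), unlike the Cipher-based approach the report
     * describes, which only works for keys loaded from PKCS12 / JKS files.
     */
    static byte[] sign(PrivateKey key, byte[] data, String algorithm) throws Exception {
        Signature sig = Signature.getInstance(algorithm);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies SIGNATURE over DATA with the certificate's public key. */
    static boolean verify(X509Certificate cert, byte[] data, byte[] signature, String algorithm)
            throws Exception {
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    /**
     * Returns true when an encoder that wraps Base64 at 76 columns would insert a line break
     * into the digest of DATA. A 32-byte SHA-256 digest encodes to 44 characters and fits;
     * a 64-byte SHA-512 digest encodes to 88 characters and gets a CRLF inserted, which is
     * the condition under which Office rejects the signature per the report.
     */
    static boolean digestWouldWrap(String hashAlgorithm, byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(data);
        String wrapped = Base64.getMimeEncoder().encodeToString(digest); // 76-column default
        return wrapped.contains("\r\n");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload; in real use this would be the canonicalised XML to sign.
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        System.out.println("SHA-256 digest wraps: " + digestWouldWrap("SHA-256", data));
        System.out.println("SHA-512 digest wraps: " + digestWouldWrap("SHA-512", data));

        // The report's workaround. Setting it programmatically is only equivalent to the
        // -Dorg.apache.xml.security.ignoreLineBreaks=true command-line form if it happens
        // before XmlSec's classes are initialised, so do it first thing in the process.
        System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");

        String alias = args.length > 0 ? args[0] : "my-signing-cert"; // placeholder alias
        KeyStore.PrivateKeyEntry entry = loadFromWindowsStore(alias);
        X509Certificate cert = (X509Certificate) entry.getCertificate();
        PrivateKey key = entry.getPrivateKey();
        System.out.println("exportable encoded key: " + (key.getEncoded() != null));

        String algorithm = "SHA256withRSA"; // assumes an RSA certificate in the store
        byte[] signature = sign(key, data, algorithm);
        System.out.println("signature verifies: " + verify(cert, data, signature, algorithm));
    }
}
```

Running this on a machine without SunMSCAPI fails at KeyStore.getInstance("Windows-MY") with a KeyStoreException, which is the expected behaviour rather than a defect; the digest-wrapping check above it is platform independent and can be exercised on any JDK.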
Comment 1 Andreas Beeker 2018-03-06 00:11:02 UTC
applied via r1825948

inspired by https://stackoverflow.com/questions/48616473