Bug 63712

Summary: upgrading xmlsec causes junit tests to fail
Product: POI
Reporter: PJ Fanning <fanningpj>
Component: POI Overall
Assignee: POI Developers List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 4.0.x-dev   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description PJ Fanning 2019-08-31 13:33:24 UTC
XMLSEC 2.1.4 fixes a CVE issue. https://santuario.apache.org/javareleasenotes.html

But upgrading causes issues. Similar issues discussed here:

https://stackoverflow.com/questions/17331187/xml-dig-sig-error-after-upgrade-to-java7u25


<testcase classname="org.apache.poi.poifs.crypt.TestSignatureInfo" name="bug58630" time="1.826">
    <error message="javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties" type="javax.xml.crypto.dsig.XMLSignatureException">javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:418)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
	at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
	at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
	at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
	at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
	at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
	at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
</error>
Comment 1 PJ Fanning 2019-08-31 15:37:21 UTC
The issue seems to happen with xmlsec 2.1.3 and 2.1.4.

I tried a few things with trying to set the xsd:ID type but it didn't help.
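
Added example, not POI or Santuario code and not the change made in r1875392: a stand-alone Java sketch of the DOM behaviour behind "Cannot resolve element with ID idSignedProperties" and the xsd:ID typing mentioned in the comment above. It assumes the fragment resolver looks the ID up through Document.getElementById; the class and method names are hypothetical, and the element layout is a constructed sample.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdResolutionDemo {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";

    // Constructed sample: a cut-down signature skeleton built through DOM calls.
    static Document build() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element sig = doc.createElementNS(DSIG_NS, "Signature");
        Element obj = doc.createElementNS(DSIG_NS, "Object");
        Element props = doc.createElementNS(XADES_NS, "xd:SignedProperties");
        props.setAttribute("Id", "idSignedProperties"); // plain attribute, not yet a DOM ID
        doc.appendChild(sig);
        sig.appendChild(obj);
        obj.appendChild(props);
        return doc;
    }

    // Count elements carrying Id="value"; more than one makes a "#value"
    // reference ambiguous, so the caller refuses to register it.
    static int countId(Document doc, String value) {
        int n = 0;
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            if (value.equals(((Element) all.item(i)).getAttribute("Id"))) n++;
        }
        return n;
    }

    // Mark the Id attribute as a DOM ID on one known element only.
    static void registerId(Document doc, Element e) {
        String v = e.getAttribute("Id");
        if (countId(doc, v) != 1) throw new IllegalStateException("ambiguous Id: " + v);
        e.setIdAttribute("Id", true);
    }

    public static void main(String[] args) throws Exception {
        Document doc = build();
        // Without ID typing the lookup finds nothing, which is the state the resolver reports.
        System.out.println("before: " + doc.getElementById("idSignedProperties"));
        Element props = (Element) doc.getElementsByTagNameNS(XADES_NS, "SignedProperties").item(0);
        registerId(doc, props);
        System.out.println("after:  " + doc.getElementById("idSignedProperties"));
    }
}
```

Registering the ID on the one element the signing code created, rather than on every attribute named Id in the document, keeps a same-document reference bound to the element that was meant to be signed.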
Comment 2 Andreas Beeker 2020-03-16 21:13:45 UTC
Just a short follow-up:

The error happens with the following Santuario commit in xmlsec 2.1.3:
r1853805 | coheigea | 2019-02-18 16:10:04 +0100 (Mo, 18 Feb 2019) | 3 lines
Revert "[SANTUARIO-349] - Update JCP dsig code to simplify serialization"
This reverts commit 18b0fde1f8a5c7de811bc8ec3a886890d31276b9.


The symptom is that SignatureMarshalDefaultListener is only presented DigestValues instead of Signature elements.

Investigating further ...
Comment 3 Andreas Beeker 2020-03-18 21:08:50 UTC
Patched via r1875392 and updated to XMLSec 2.1.5

I've validated a signed workbook in Excel ... I hope that the other signing options still work too ...