Bug 59857 - Password protected files with "Microsoft Enhanced Cryptographic Provider v1.0"
Summary: Password protected files with "Microsoft Enhanced Cryptographic Provider v1.0"
Alias: None
Product: POI
Classification: Unclassified
Component: HSSF (show other bugs)
Version: 3.14-FINAL
Hardware: PC All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2016-07-14 14:32 UTC by Nikoloz Gochiashvili
Modified: 2016-10-09 17:57 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Nikoloz Gochiashvili 2016-07-14 14:32:43 UTC
I have problem XLS file reading with POI:

org.apache.poi.EncryptedDocumentException: HSSF does not currently support CryptoAPI encryption
	at org.apache.poi.hssf.record.FilePassRecord$Rc4KeyData.read(FilePassRecord.java:66)
	at org.apache.poi.hssf.record.FilePassRecord.<init>(FilePassRecord.java:215)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.apache.poi.hssf.record.RecordFactory$ReflectionConstructorRecordCreator.create(RecordFactory.java:84)
	at org.apache.poi.hssf.record.RecordFactory.createSingleRecord(RecordFactory.java:334)
	at org.apache.poi.hssf.record.RecordFactoryInputStream$StreamEncryptionInfo.<init>(RecordFactoryInputStream.java:70)
	at org.apache.poi.hssf.record.RecordFactoryInputStream.<init>(RecordFactoryInputStream.java:203)
	at org.apache.poi.hssf.record.RecordFactory.createRecords(RecordFactory.java:475)
	at org.apache.poi.hssf.usermodel.HSSFWorkbook.<init>(HSSFWorkbook.java:337)
	at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:95)
	at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:178)
	at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:140)

File has workbook protection with Microsoft Enhanced Cryptographic Provider v1.0.

I have found on bugzilla  issue https://bz.apache.org/bugzilla/show_bug.cgi?format=multiple&id=35897 

Problem with Word doc was resolved.  but how about EXCEL ?  was it resolved for Excel?
Comment 1 Andreas Beeker 2016-07-14 14:57:24 UTC
As the exception says: cryptoapi is not yet supported / implemented ...
See also: http://poi.apache.org/encryption.html

it's on my todo-list, therefore I leave this bug entry open.
But as usual, I won't have the implementation in the near future ... maybe someone else give it a try ...
Comment 2 FINA 2016-07-20 07:49:11 UTC
Dear Andreas, 

Many thanks for your response.  We (small open source fun club from Georgia) appreciate your time and will be very thankful if that bug will be resolved.  I am sure it will also help to many devs who are using POI for Excel files. 
Kakha  & Nick

P.S.  By the way – very interesting question is how  and when that cryptographic method occurs?  With normal way of work non of the Excel s (2003, 2007,  2010, 2013, 2016) never have such kind of problem .
Comment 3 Andreas Beeker 2016-07-23 19:26:01 UTC
Just for the record ... there's already a crypto api XLS in our corpus:
spreadsheet/35897-type4.xls - password "freedom"

It actually doesn't look that complicated - I hope I can mix something of the HSLF encrypted document stream handling with the existing XLS RC4 encryption
Comment 4 Andreas Beeker 2016-08-08 00:16:07 UTC
The hssf_cryptoapi branch [1] contains an implementation.
I try to provide encryption support too, before I merge it back to the trunk.
The tests which covers Xor, RC4 and CryptoAPI is in [2]

[1] https://svn.apache.org/repos/asf/poi/branches/hssf_cryptoapi/
[2] org.apache.poi.hssf.usermodel.TestCryptoAPI
Comment 5 FINA 2016-08-10 13:51:43 UTC
Many thanks Andreas. Nick is on vacation but I will inform him about your message.
Comment 6 Andreas Beeker 2016-08-19 21:24:02 UTC
Added encryption support for XOR/RC4/CryptoAPI via r1756964

Unfortunately I've realized, that the existing and modified XOR obfuscation is flawed.
It works for very small files, but for files > ~4kb, the office file validation complaints and it doesn't get opened anymore ...

Of course I've tried to generate un-/encrypted files via Office and check when the de-/encryption goes wrong. Interestingly the first encrypted records (even long ones) get de-/encrypted correctly, but starting with the FontRecords (with the xor-encryption-abc.xls) only one of the bytes differ.
This also happens even when the whole record processing is bypassed and the plain/encrypted stream of the POIFS is processed.

My guess is, that similar to RC4/CryptoAPI there's a block key somewhere, although libre office [1] hasn't got something like this.
... but probably, it's something completely different and I was just focusing to much on the wrong spots ...

[1] http://docs.libreoffice.org/oox/html/binarycodec_8cxx_source.html
Comment 7 Andreas Beeker 2016-09-28 23:40:39 UTC
Patch for applied with r1762726

this also contains the mentioned encrpytion routines.
Up till now I couldn't fix the xor obfuscation bug.

Apart of the encryption routines, I needed to tweak the little endian stream classes to be real In-/OutputStreams, but that change effect only the closed resources warning, which were ignored in the original version
Comment 8 PJ Fanning 2016-10-09 17:57:59 UTC
I have come across a possible regression related to this patch. https://bz.apache.org/bugzilla/show_bug.cgi?id=60230