Bug 60320 - issue opening password protected xlsx
Summary: issue opening password protected xlsx
Alias: None
Product: POI
Classification: Unclassified
Component: POIFS (show other bugs)
Version: 3.15-FINAL
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2016-10-28 22:04 UTC by PJ Fanning
Modified: 2016-11-01 01:35 UTC (History)
0 users

password protected xlsx (15.50 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
2016-10-28 22:04 UTC, PJ Fanning
preliminary patch for decrypting (14.57 KB, patch)
2016-10-29 21:28 UTC, Andreas Beeker
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description PJ Fanning 2016-10-28 22:04:51 UTC
Created attachment 34408 [details]
password protected xlsx

I will attach TestThisEncryption.xlsx. The password is: Test001!!
This opens ok in Excel but Poi fails to decrypt it using the password.
It seems to happen if the xlsx is created in one Excel version and then later password protected with a recent version of Excel on Windows.
If anyone has any insight into why this workbook won't decrypt in Poi 3.15 that would be appreciated.

This is the decryptor check that fails for me:

  def checkPassword(fileName: String, password: String) {
    val fs = new POIFSFileSystem(new FileInputStream(fileName))
    val info = new EncryptionInfo(fs)
    val decryptor = Decryptor.getInstance(info)
    println(s"$fileName password works? ${decryptor.verifyPassword(password)}")
Comment 1 Andreas Beeker 2016-10-28 22:15:30 UTC
the file also can't be opened via Libre Office 5 ... is the password wrong?
Comment 2 PJ Fanning 2016-10-28 22:21:48 UTC
Thanks Andreas for checking. The xlsx opens for in Excel 2016 on Mac. The xlsx itself was created by a colleague using a Windows install of Excel.
Comment 3 Andreas Beeker 2016-10-28 22:27:56 UTC
hm .. the cipher of the header (aes128) doesn't match the cipher of the verifier (aes256) ...
Comment 4 Javen O'Neal 2016-10-29 00:11:49 UTC
I am able to open the workbook with "Test001!!" in Excel 2013 on Windows 7.
Comment 5 Andreas Beeker 2016-10-29 08:15:25 UTC
Up till now the implementation used the cipher and hashes of the header and verifier interchangeably, as they were always the same in the test files.
So I guess, now we need to use the verifier data (keydata element) for validating the key, and the header data for en-/decryption.
I'll play around with it ...
(and it looks like Libre Office made the same mistake ...)
Comment 6 Andreas Beeker 2016-10-29 21:28:12 UTC
Created attachment 34410 [details]
preliminary patch for decrypting

This is a preliminary patch for decrypting. Currently encryption doesn't work. When both work, I'll add another customized encryption test, to produce a similar file as the original failing one ...
Comment 7 Andreas Beeker 2016-11-01 01:34:37 UTC
Thank you for providing the test file - patch applied via r1767399

I guess this won't be the last issue around encryption, as the agile encryption leaves a few more possibilities open on what to go wrong next :|