from here: https://stackoverflow.com/questions/44499457/apache-poi-creates-invalid-signature-for-stream-xslx-file I am trying to create and add a valid regular cryptographic signature to a xlsx file i am creating. In addition, i am trying to do it in-memory. This seems to cause problems for me. This code creates the file but in windows excel states that the signature is invalid. note that i am sending an input stream containing the xlsx (in-memory - not in file system) file, and i am writing the pkg object to the output stream. private ByteArrayOutputStream signFile(PrivateKey key, X509Certificate x509Certificate, InputStream input) { //change to approve signed SignatureConfig signatureConfig = new SignatureConfig(); ByteArrayOutputStream stream = new ByteArrayOutputStream(); signatureConfig.setKey(key); signatureConfig.setExecutionTime(new Date()); ArrayList<X509Certificate> x509Certificates = new ArrayList<>(Collections.singletonList(x509Certificate)); x509Certificates.add(x509Certificate); signatureConfig.setSigningCertificateChain(x509Certificates); OPCPackage pkg = null; try { if (input instanceof ByteArrayInputStream) pkg = OPCPackage.open(input); } catch (Exception ex) { logger.error("failed to open package for file, exception:",ex); } signatureConfig.setOpcPackage(pkg); // adding the signature document to the package SignatureInfo si = new SignatureInfo(); si.setSignatureConfig(signatureConfig); try { si.confirmSignature(); } catch (Exception ex) { logger.error("failed to confirm signature",ex); } // optionally verify the generated signature boolean b = si.verifySignature(); if (b==false){ logger.error("signature verified result:" + b); } try { pkg.flush(); pkg.save(stream); pkg.close(); } catch (Exception ex) { logger.error("failed to close package",ex); } return stream; } in addition i have this test code which creates a file and uses OPCPackage.open(...) which works!! excel identifies the signature. SignatureConfig signatureConfig = new SignatureConfig(); signatureConfig.setKey(aPrivate); ArrayList<X509Certificate> x509Certificates = new ArrayList<>(); x509Certificates.add(x509Certificate); signatureConfig.setSigningCertificateChain(x509Certificates);//Collections.singletonList(x509)); OPCPackage pkg = OPCPackage.open(filePath, PackageAccess.READ_WRITE); signatureConfig.setOpcPackage(pkg); // adding the signature document to the package SignatureInfo si = new SignatureInfo(); si.setSignatureConfig(signatureConfig); si.confirmSignature(); // optionally verify the generated signature boolean b = si.verifySignature(); assertTrue(b); // write the changes back to disc pkg.close();
Created attachment 35075 [details] Patch for XML Signatures / Unix linebreaks I'll apply the patch after the 3.17-beta1 is out. Originally I've adapted/developed the XML signature code under a Win7 box, but now couldn't sign any documents anymore in an Ubuntu environment. The reason was the indenting setting in StreamHelper. For the actual bug entry, look at TestSignatureInfo on how to add a signature in-memory. I haven't changed the OPC code, which adds relations on the fly when saving, but rather ask the user to save the unsigned file first to a byte buffer before using OPCPackage to reload/sign/save it.
applied via r1800207
Testcase: bug61182 took 0.187 sec FAILED expected:<[HDdvgXblLMiE6gZSoRSQUof6+aedrhK9i51we1n+4Q/ioqrQCeh5UkfQ8lD63nV4ZDbM4/pIVFi6VpMpN/HMnAUHeVdVUCVTgpn3Iz21Ymcd9/aerNov2BjHLhS8X3oUE+XTu2TbJLNmms0I9G4lfg6HWP9t7ZCXBXy6vyCMArc]=> but was:<[jVW6EPMywZ8jr4+I4alDosXzqrVuDG4wTdrr+la8QVbXfLm6HOh9AUFlo5yUZuWo/1gXrrkc34UTYNzuslyrOxKqadPOIRKUssJzdCh/hKeTxs/YtyWkpGHggrUjrF/vUUIeIXRHo+1DCAh6ptoicviH/I/Dtoa5NgkEHVuOHk8]=> junit.framework.AssertionFailedError: expected:<[HDdvgXblLMiE6gZSoRSQUof6+aedrhK9i51we1n+4Q/ioqrQCeh5UkfQ8lD63nV4ZDbM4/pIVFi6VpMpN/HMnAUHeVdVUCVTgpn3Iz21Ymcd9/aerNov2BjHLhS8X3oUE+XTu2TbJLNmms0I9G4lfg6HWP9t7ZCXBXy6vyCMArc]=> but was:<[jVW6EPMywZ8jr4+I4alDosXzqrVuDG4wTdrr+la8QVbXfLm6HOh9AUFlo5yUZuWo/1gXrrkc34UTYNzuslyrOxKqadPOIRKUssJzdCh/hKeTxs/YtyWkpGHggrUjrF/vUUIeIXRHo+1DCAh6ptoicviH/I/Dtoa5NgkEHVuOHk8]=> at org.apache.poi.poifs.crypt.TestSignatureInfo.bug61182(TestSignatureInfo.java:191) Hi Andi, Is this user error on my part? Something odd about my dev environment? Windows 10, Java 8 131
I guess this is again a line ending problem - as I need to setup my windows environment first - could you write the ByteArrayOutputStream to a file, which is filled after pkg1.close()?
Created attachment 35140 [details] requested binary dump pkg1.save(bos); pkg1.close(); OutputStream tmp = new FileOutputStream(new File("C:/data/testsig.bin")); IOUtils.copy(new ByteArrayInputStream(bos.toByteArray()), tmp); tmp.flush(); tmp.close(); Thank you, Andi!
The windows/linux files differ in their line-endings, due to org.apache.xmlbeans.impl.store.Saver._newLine being system dependent. As the xml canonicalization handles the newlines as-is, this leads to different hashes. Currently I think about 3 options: a) change the _newLine static final via reflection b) normalize the xmls to unix linebreaks on signing c) add a switch in the junit test to check for windows/mac/linux hashes As the files signed by a linux system worked in Libre/MS Office, I probably just go with c)
add hashes for other linebreaks via r1803011
This is fixed as far as I see.