Bug 62159 - Support XML signature over windows certificate store
Summary: Support XML signature over windows certificate store
Alias: None
Product: POI
Classification: Unclassified
Component: OPC
Version: 4.0-dev
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2018-03-05 23:59 UTC by Andreas Beeker
Modified: 2018-03-06 00:11 UTC

Description Andreas Beeker 2018-03-05 23:59:42 UTC
Up till now it was not possible to use a Windows certificate store entry to sign an OPC package, because the code expected the encoded format of the key. Furthermore there were some SHA2 workarounds in place for an IBM JDK6, which are now obsolete as we've upgraded to JDK8.

Using the Windows keys is not straightforward, as SunMSCAPI has some surprises [1] - especially using the private key with the Cipher API actually results in signing it with the public key ... therefore the existing code using the Cipher API only works with keys derived from PKCS12 / JKS keystores.

I've refactored a few of the internals, but kept the documented convenience API [2] as-is.

Another flaw I discovered by testing the various hashes was that XmlSec is adding line breaks to the digests when the base64 encoded hash/digest is longer than the base64 default line length of 76 chars. This affects hashes with 64 bytes like SHA512, and Office marks the signature as invalid.
To work around this you need to set the following JVM property [3]:

I haven't hardcoded that setting as I think this is a bad approach, i.e. setting it in POI (+ security manager handling) is as bad as relying on a JVM property to be set instead of providing an API for it ...

[1] https://stackoverflow.com/questions/39196145
[2] http://poi.apache.org/encryption.html#Signing+an+office+document
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=42061
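As an added example (my own code, not POI's and not part of the bug report), the signing path the description recommends: take the key from the Windows-MY store and sign with java.security.Signature instead of the Cipher API, plus a check showing why a 64-byte SHA-512 digest gets wrapped at the 76-character base64 line. Class and method names are mine; picking the first key entry and assuming it holds an RSA key are simplifications, and on a JVM without SunMSCAPI the code falls back to a generated key so it still runs.

```java
import java.security.*;
import java.util.Base64;
import java.util.Collections;

public class SignWithStoreKey {
    // Take a signing key from the Windows-MY store when the SunMSCAPI provider is present;
    // elsewhere fall back to a throwaway RSA pair. Assumption: first key entry, RSA key.
    static KeyPair loadKeyPair() throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("Windows-MY");
            ks.load(null, null);
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(alias)) {
                    PrivateKey pk = (PrivateKey) ks.getKey(alias, null);
                    return new KeyPair(ks.getCertificate(alias).getPublicKey(), pk);
                }
            }
        } catch (KeyStoreException noMsCapi) { /* not a Windows JVM, use a generated key */ }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }
    // Sign through the Signature API instead of handing the private key to Cipher: Signature
    // never needs the key's encoded form, which an MSCAPI-backed key does not export.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA512withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA512withRSA");
        sig.initVerify(key);
        sig.update(data);
        return sig.verify(signature);
    }
    // A 64-byte SHA-512 digest is 88 base64 chars, longer than the 76-char MIME line, so a
    // line-wrapping encoder inserts CRLF into it; a 32-byte SHA-256 digest (44 chars) is not cut.
    static boolean digestGetsWrapped(byte[] digest) {
        return Base64.getMimeEncoder().encodeToString(digest).contains("\r\n");
    }
    public static void main(String[] args) throws Exception {
        byte[] data = "constructed sample content".getBytes("UTF-8"); // constructed input
        KeyPair kp = loadKeyPair();
        byte[] signature = sign(kp.getPrivate(), data);
        System.out.println("signature verifies: " + verify(kp.getPublic(), data, signature));
        byte[] sha512 = MessageDigest.getInstance("SHA-512").digest(data);
        System.out.println("SHA-512 digest gets wrapped: " + digestGetsWrapped(sha512));
    }
}
```

The wrap check uses the JDK MIME encoder only to reproduce the 76-character wrapping the report describes; it does not call XmlSec itself.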
Comment 1 Andreas Beeker 2018-03-06 00:11:02 UTC
Applied via r1825948

Inspired by https://stackoverflow.com/questions/48616473