Bug 63712 - upgrading xmlsec causes junit tests to fail
Summary: upgrading xmlsec causes junit tests to fail
Status: NEW
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall (show other bugs)
Version: 4.0.x-dev
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-31 13:33 UTC by PJ Fanning
Modified: 2019-08-31 15:37 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description PJ Fanning 2019-08-31 13:33:24 UTC
XMLSEC 2.1.4 fixes a CVE issue. https://santuario.apache.org/javareleasenotes.html

But upgrading causes issues. Similar issues discussed here:

https://stackoverflow.com/questions/17331187/xml-dig-sig-error-after-upgrade-to-java7u25


<testcase classname="org.apache.poi.poifs.crypt.TestSignatureInfo" name="bug58630" time="1.826">
    <error message="javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties" type="javax.xml.crypto.dsig.XMLSignatureException">javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:418)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
	at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
	at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
	at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
	at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
	at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
	at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
	at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
	at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
	at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
	at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
</error>
Comment 1 PJ Fanning 2019-08-31 15:37:21 UTC
The issue seems to happen with xmlsec 2.1.3 and 2.1.4.

I tried a few things with trying to set the xsd:ID type but it didn't help.