XMLSEC 2.1.4 fixes a CVE issue. https://santuario.apache.org/javareleasenotes.html

But upgrading causes issues. Similar issues discussed here: https://stackoverflow.com/questions/17331187/xml-dig-sig-error-after-upgrade-to-java7u25

<testcase classname="org.apache.poi.poifs.crypt.TestSignatureInfo" name="bug58630" time="1.826">
<error message="javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties" type="javax.xml.crypto.dsig.XMLSignatureException">javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:418)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
    at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
    at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
    at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
    at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
    at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
    at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
    at org.apache.poi.poifs.crypt.dsig.OOXMLURIDereferencer.dereference(OOXMLURIDereferencer.java:85)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:414)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:352)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:486)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:371)
    at org.apache.poi.poifs.crypt.dsig.SignatureInfo.preSign(SignatureInfo.java:427)
    at org.apache.poi.poifs.crypt.dsig.SignatureInfo.confirmSignature(SignatureInfo.java:210)
    at org.apache.poi.poifs.crypt.TestSignatureInfo.bug58630(TestSignatureInfo.java:775)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID idSignedProperties
    at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:78)
    at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:278)
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:110)
</error>
The issue seems to happen with xmlsec 2.1.3 and 2.1.4. I tried a few things with trying to set the xsd:ID type but it didn't help.
Just a short follow-up: The error happens with the following Santuario commit in xmlsec 2.1.3:

r1853805 | coheigea | 2019-02-18 16:10:04 +0100 (Mo, 18 Feb 2019) | 3 lines

Revert "[SANTUARIO-349] - Update JCP dsig code to simplify serialization"

This reverts commit 18b0fde1f8a5c7de811bc8ec3a886890d31276b9.

The symptom is that SignatureMarshalDefaultListener is only presented DigestValues instead of Signature elements. Investigating further ...
Patched via r1875392 and updated to XMLSec 2.1.5.

I've validated a signed workbook in Excel ... I hope that the other signing options still work too ...