Bug 65214 - Document signed by POI reported as 'partially' signed
Alias: None
Product: POI
Classification: Unclassified
Component: OPC
Version: 4.1.2-FINAL
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2021-03-31 15:08 UTC by Roger Eggenberger
Modified: 2021-05-20 15:17 UTC

Sample documents and code (54.50 KB, application/x-zip-compressed)
2021-03-31 15:08 UTC, Roger Eggenberger

Description Roger Eggenberger 2021-03-31 15:08:12 UTC
Created attachment 37795
Sample documents and code

I sign a Word document containing a hyperlink with POI/OPC SignatureInfo.confirmSignature().
SignatureInfo.verifySignature() returns true/successfully verified.

However, when the signed document is opened with MS Word, Word reports the signature status as 'Partial signatures'.

If the document is signed with MS Word (MSO Version 2102), Word reports the status as 'Valid signatures'.

Comparing the sig.xml generated by POI with the sig.xml generated by Word shows that Word includes a RelationshipReference to the Hyperlink, whereas POI skips it.

<Reference URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
    <Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
      <mdssi:RelationshipReference xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId6"/>

In OOXMLSignatureFacet.java is the following comment and code, so it seems to be a glitch in MS Word:

 * ECMA-376 Part 2 - 3rd edition
 * Manifest Element
 * "The producer shall not create a Manifest element that references any data outside of the package."
if (TargetMode.EXTERNAL == relationship.getTargetMode()) {

However, as users get suspicious when Word reports 'Partial signatures', I wonder if an additional OfficeSignatureFacet would make sense, which adds the RelationshipReference to Hyperlinks to the signature.

Attached are the input and signed documents and sample code to create the signed document with POI/OPC.
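
The sig.xml comparison described in this report can be automated. As an added example (not part of the bug report and not POI code), this Python check lists the relationships in word/_rels/document.xml.rels that no mdssi:RelationshipReference names by SourceId. It assumes signature parts sit under _xmlsignatures/; sample_package and its relationship types are constructed test data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MDSSI = "{http://schemas.openxmlformats.org/package/2006/digital-signature}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def unsigned_relationships(package, rels_part="word/_rels/document.xml.rels"):
    """Return {relationship Id: TargetMode} for entries of rels_part that no
    mdssi:RelationshipReference in any signature part names by SourceId."""
    with zipfile.ZipFile(package) as z:
        rels = {r.get("Id"): r.get("TargetMode", "Internal")
                for r in ET.fromstring(z.read(rels_part)).iter(REL + "Relationship")}
        signed = set()
        # Assumption: signature parts live under _xmlsignatures/ (sig1.xml, ...).
        for name in z.namelist():
            if not (name.startswith("_xmlsignatures/") and name.endswith(".xml")):
                continue
            for ref in ET.fromstring(z.read(name)).iter(DS + "Reference"):
                # Reference URI is "/<part>?ContentType=..."; match on the part.
                if ref.get("URI", "").split("?")[0].lstrip("/") != rels_part:
                    continue
                # By SourceId only; mdssi:RelationshipsGroupReference is not handled.
                signed |= {e.get("SourceId") for e in ref.iter(MDSSI + "RelationshipReference")}
    return {rid: mode for rid, mode in rels.items() if rid not in signed}


def sample_package(signed_ids):
    """Constructed minimal package: one internal and one hyperlink relationship."""
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="urn:example:styles" Target="styles.xml"/>'
            '<Relationship Id="rId6" Type="urn:example:hyperlink" '
            'Target="https://example.org/" TargetMode="External"/>'
            '</Relationships>') % REL[1:-1]
    refs = "".join('<mdssi:RelationshipReference SourceId="%s"/>' % i for i in signed_ids)
    sig = ('<Signature xmlns="%s" xmlns:mdssi="%s"><Object><Manifest>'
           '<Reference URI="/word/_rels/document.xml.rels?ContentType='
           'application/vnd.openxmlformats-package.relationships+xml"><Transforms>'
           '<Transform Algorithm="http://schemas.openxmlformats.org/package/2006/'
           'RelationshipTransform">%s</Transform></Transforms></Reference>'
           '</Manifest></Object></Signature>') % (DS[1:-1], MDSSI[1:-1], refs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("_xmlsignatures/sig1.xml", sig)
    return buf
```

Calling unsigned_relationships("signed.docx") on a real file returns the IDs to look at, with External entries being the hyperlink case from this report. For packages from untrusted sources, swap ElementTree for a hardened parser such as defusedxml.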
Comment 1 Andreas Beeker 2021-05-01 23:06:23 UTC
Thank you for bringing this up and (un-)intentionally describing how to fix it.
Fixed it locally, but need to polish and test it a bit more :)

Opposed to the comment in the code, the reference doesn't need to be digested, i.e. there are no bytes to be provided by the OOXMLURIDereferencer.

Instead it's enough to just call/add parameterSpec.addRelationshipReference(relationship.getId());

in context of OOXMLSignatureFacet:
> if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
>    parameterSpec.addRelationshipReference(relationship.getId());
>    continue;
> }
Comment 2 Andreas Beeker 2021-05-02 21:48:40 UTC
Fixed via r1889427
Comment 3 Roger Eggenberger 2021-05-20 15:17:16 UTC
Cool, thanks for looking into this!

I'll try to downbranch the patch for now and start to update my project from POI 4 to 5.x soon.