Bug 65214 - Document signed by POI reported as 'partially' signed
Status: NEW
Alias: None
Product: POI
Classification: Unclassified
Component: OPC
Version: 4.1.2-FINAL
Hardware: PC
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2021-03-31 15:08 UTC by Roger Eggenberger
Modified: 2021-03-31 15:08 UTC



Attachments
Sample documents and code (54.50 KB, application/x-zip-compressed)
2021-03-31 15:08 UTC, Roger Eggenberger
Description Roger Eggenberger 2021-03-31 15:08:12 UTC
Created attachment 37795
Sample documents and code

I sign a Word document containing a hyperlink with POI/OPC SignatureInfo.confirmSignature().
 
SignatureInfo.verifySignature() returns true/successfully verified.

However, when the signed document is opened with MS Word, Word reports the signature status as 'Partial signatures'.

If the document is signed with MS Word (MSO Version 2102), Word reports the status as 'Valid signatures'.


Comparing the sig.xml generated by POI with the sig.xml generated by Word shows that Word includes a RelationshipReference to the Hyperlink, whereas POI skips it.

<Reference URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
  <Transforms>
    <Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
      ...
      <mdssi:RelationshipReference xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId6"/>
      ...


OOXMLSignatureFacet.java contains the following comment and code, so it seems to be a glitch in MS Word:

/*
 * ECMA-376 Part 2 - 3rd edition
 * 13.2.4.16 Manifest Element
 * "The producer shall not create a Manifest element that references any data outside of the package."
 */
if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
	continue;
}


However, as users get suspicious when Word reports 'Partial signatures', I wonder if an additional OfficeSignatureFacet would make sense, which adds the RelationshipReference to Hyperlinks to the signature.

Attached are the input and signed documents and sample code to create the signed document with POI/OPC.
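
A check for the difference described in this report, as an added example (not part of the bug report or of POI's code): it lists the relationships of a .rels part that the signature's RelationshipTransform does not reference. The function name and the sample XML are constructed for illustration, with rId6 standing in for the hyperlink relationship; handling RelationshipsGroupReference goes beyond the single case shown in the report.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MDSSI = "{http://schemas.openxmlformats.org/package/2006/digital-signature}"
PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
PART = "/word/_rels/document.xml.rels"

def uncovered_relationships(rels_xml, sig_xml, rels_part=PART):
    """Return (Id, TargetMode, Target) for every relationship in rels_part
    that the signature does not reference by SourceId or by SourceType."""
    ids, types = set(), set()
    for ref in ET.fromstring(sig_xml).iter(DS + "Reference"):
        # The Reference URI is the part name followed by ?ContentType=...
        if ref.get("URI", "").split("?", 1)[0] != rels_part:
            continue
        ids |= {r.get("SourceId") for r in ref.iter(MDSSI + "RelationshipReference")}
        types |= {r.get("SourceType")
                  for r in ref.iter(MDSSI + "RelationshipsGroupReference")}
    missing = []
    for rel in ET.fromstring(rels_xml).iter(PKG + "Relationship"):
        if rel.get("Id") not in ids and rel.get("Type") not in types:
            # TargetMode defaults to Internal when the attribute is absent.
            missing.append((rel.get("Id"), rel.get("TargetMode", "Internal"),
                            rel.get("Target")))
    return missing

# Constructed sample: one internal relationship and one external hyperlink.
SAMPLE_RELS = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed sample: a trimmed sig.xml that references rId1 only.
SAMPLE_SIG = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Object><Manifest>
<Reference URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
<Transforms><Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
<mdssi:RelationshipReference xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId1"/>
</Transform></Transforms></Reference></Manifest></Object></Signature>"""

if __name__ == "__main__":
    for rid, mode, target in uncovered_relationships(SAMPLE_RELS, SAMPLE_SIG):
        print(f"not covered by signature: {rid} ({mode}) -> {target}")
```

To run it against a real document, read `word/_rels/document.xml.rels` and the signature part (such as `_xmlsignatures/sig1.xml`) from the .docx with `zipfile` and pass their contents in.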