Bug 65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable
Alias: None
Product: POI
Classification: Unclassified
Component: XSSF
Version: 5.0.x-dev
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2021-11-02 17:18 UTC by PJ Fanning
Modified: 2021-11-03 00:01 UTC
Description PJ Fanning 2021-11-02 17:18:37 UTC
causes some test issues

3 tests in TestSignatureInfo fail

Caused by: javax.xml.crypto.MarshalException: A maxiumum of 30 references per Manifest are allowed with secure validation
	at org.apache.jcp.xml.dsig.internal.dom.DOMManifest.<init>(DOMManifest.java:105)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLObject.<init>(DOMXMLObject.java:111)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:165)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:189)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:144)
	at org.apache.poi.poifs.crypt.dsig.SignaturePart.validate(SignaturePart.java:129)
Comment 1 Andreas Beeker 2021-11-03 00:01:01 UTC
Starting with xmlsec 2.3.0, a limit introduced in xmlsec 1.5.0 was affecting POI's signature verification, especially for PPTX.

In r1894701, I've introduced a config option to disable secure validation and commented about the gained/lost features if enabled/disabled.

[1] https://santuario.apache.org/faq.html#faq-4.SecureValidation
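
The limit in the stack trace can be reproduced without POI. The following is an added example, not code from POI or from r1894701: it unmarshals a constructed signature whose Manifest holds 30 or 31 references, with secure validation switched on and off. It assumes the JDK's built-in XML Signature provider, whose property name is `org.jcp.xml.dsig.secureValidation`, in place of the xmlsec provider shown in the trace; the class name, part URIs and digest values are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ManifestLimitDemo {
    // JDK property name (assumption: JDK provider). The xmlsec provider in the
    // trace above reads "org.apache.jcp.xml.dsig.secureValidation" instead.
    static final String SECURE_VALIDATION = "org.jcp.xml.dsig.secureValidation";

    static String ref(String uri) {
        return "<Reference URI=\"" + uri + "\">"
             + "<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>"
             + "<DigestValue>AAAA</DigestValue></Reference>";
    }
    // Constructed sample: a structurally complete ds:Signature whose Manifest
    // lists `parts` package parts, as a PPTX with many slides would.
    static Document sample(int parts) throws Exception {
        StringBuilder sb = new StringBuilder("<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo>")
            .append("<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>")
            .append("<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>")
            .append(ref("#pkg")).append("</SignedInfo><SignatureValue>AAAA</SignatureValue>")
            .append("<Object Id=\"pkg\"><Manifest>");
        for (int i = 1; i <= parts; i++) sb.append(ref("/ppt/slides/slide" + i + ".xml"));
        sb.append("</Manifest></Object></Signature>");
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the DOM provider requires namespace-aware nodes
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
    }
    // Only unmarshals: the reference-count check runs while the Manifest is
    // parsed, before any key is used, so a dummy key is enough here.
    static String unmarshal(int parts, boolean secure) throws Exception {
        KeySelector ks = KeySelector.singletonKeySelector(new SecretKeySpec(new byte[32], "HmacSHA256"));
        DOMValidateContext ctx = new DOMValidateContext(ks, sample(parts).getDocumentElement());
        ctx.setProperty(SECURE_VALIDATION, secure);
        try {
            XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
            return "parsed";
        } catch (MarshalException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        for (int parts : new int[] {30, 31})
            for (boolean secure : new boolean[] {true, false})
                System.out.println(parts + " refs, secure=" + secure + " -> " + unmarshal(parts, secure));
    }
}
```

Only the 31-reference Manifest with secure validation enabled should be rejected. The flag also turns off the other checks listed in the FAQ at [1], so it is best disabled only for documents that legitimately exceed the limit.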