65668 – upgrade to xmlsec 2.3.0 - make secure validation configurable

Bug 65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable

Summary: upgrade to xmlsec 2.3.0 - make secure validation configurable

Status:	RESOLVED FIXED

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	XSSF (show other bugs)
Version:	5.0.x-dev
Hardware:	All All

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-11-02 17:18 UTC by PJ Fanning
Modified:	2021-11-03 00:01 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description PJ Fanning 2021-11-02 17:18:37 UTC

causes some test issues

3 tests in TestSignatureInfo fail

Caused by: javax.xml.crypto.MarshalException: A maxiumum of 30 references per Manifest are allowed with secure validation
	at org.apache.jcp.xml.dsig.internal.dom.DOMManifest.<init>(DOMManifest.java:105)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLObject.<init>(DOMXMLObject.java:111)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:165)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:189)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:144)
	at org.apache.poi.poifs.crypt.dsig.SignaturePart.validate(SignaturePart.java:129)

Comment 1 Andreas Beeker 2021-11-03 00:01:01 UTC

Starting with xmlsec 2.3.0 a limit introduced in xmlsec 1.5.0 was affecting POIs signature verification especially for PPTX.

In r1894701 , I've introduced a config option to disable secure validation and commented about the gained/lost features if enabled/disabled.


[1] https://santuario.apache.org/faq.html#faq-4.SecureValidation