Bug 68379 - POI generates invalid signature when Excel contains classification labels
Status: NEW
Alias: None
Product: POI
Classification: Unclassified
Component: POIFS
Version: unspecified
Hardware: All All
Importance: P2 critical
Target Milestone: ---
Assignee: POI Developers List
Reported: 2023-12-20 17:21 UTC by rubgape
Modified: 2024-01-15 17:49 UTC

Adding classification label to signed supported types (43.66 KB, image/png)
2023-12-20 17:21 UTC, rubgape

Description rubgape 2023-12-20 17:21:01 UTC
Created attachment 39479
Adding classification label to signed supported types


Just found a bug / unsupported feature in the signing process. It affects all versions of POI released so far when trying to sign an Excel file containing a classification label.

If you try to sign that kind of file (again, any Excel .XLSX containing a classification label, that is, a part named docMetadata/LabelInfo.xml) it will generate an invalid signature since that's not recognised inside the SignatureInfo facets while signing.

The signing process finishes OK, but when opening the file the signature will be reported as invalid due to POI not including this part in the signing.

Digging down into the process, the class OOXMLSignatureFacet doesn't support the signed type classificationlabels, so when method isSignedRelationship is called for that relationship it will refuse to include it.

This was included in Office in 2020 (http://schemas.microsoft.com/office/2020/02/relationships/classificationlabels) but the supported signed types seem to be from 2010.

The FIX is really simple: Just change OOXMLSignatureFacet to add the new type to the default collection "signed", since this property can't be overridden.

WORKAROUND: Created a custom facet that includes it and override default facet list definition.

Thanks for fixing this! As of today, it's impossible to properly sign an Excel that includes classification label/s and that kind of feature is becoming more common across companies.
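
A check for the condition described in the report above, added here as an example (it is not code from the reporter or from Apache POI): it looks for the classificationlabels relationship in an .xlsx package and reports whether the signature XML references that relationship and its target part. It goes a step beyond the report by reading the signature itself; the `_xmlsignatures/` location, the function names and the sample package are assumptions constructed for illustration.

```python
import io, posixpath, zipfile
import xml.etree.ElementTree as ET

# Relationship type quoted in the bug report.
LABEL_REL = "http://schemas.microsoft.com/office/2020/02/relationships/classificationlabels"
PKG = "http://schemas.openxmlformats.org/package/2006/"
REL, REF = "{%srelationships}Relationship" % PKG, "{%sdigital-signature}RelationshipReference" % PKG
DS_REF = "{http://www.w3.org/2000/09/xmldsig#}Reference"

def label_relationships(zf):
    """(Id, target part name) of each label relationship in the package-level _rels/.rels."""
    for rel in ET.fromstring(zf.read("_rels/.rels")).iter(REL):
        if rel.get("Type") == LABEL_REL:
            yield rel.get("Id"), posixpath.join("/", rel.get("Target"))

def signed_items(zf):
    """Relationship Ids of /_rels/.rels and part names referenced by the signature parts."""
    ids, parts = set(), set()
    for name in zf.namelist():
        if name.startswith("_xmlsignatures/") and name.endswith(".xml"):  # assumed location
            for ref in ET.fromstring(zf.read(name)).iter(DS_REF):
                uri = ref.get("URI", "").split("?")[0]
                parts.add(uri)
                if uri == "/_rels/.rels":  # Ids are only unique within one .rels part
                    ids |= {r.get("SourceId") for r in ref.iter(REF)}
    return ids, parts

def unsigned_labels(data):
    """Label relationships whose Id or target part the signature does not reference."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ids, parts = signed_items(zf)
        return [(i, p) for i, p in label_relationships(zf) if i not in ids or p not in parts]

def build_sample(label_signed):
    """Constructed, flattened package skeleton; not a real workbook or a valid signature."""
    rels = ('<Relationships xmlns="%srelationships">'
            '<Relationship Id="rId1" Type="urn:constructed:officeDocument" Target="xl/workbook.xml"/>'
            '<Relationship Id="rId2" Type="%s" Target="docMetadata/LabelInfo.xml"/>'
            '</Relationships>') % (PKG, LABEL_REL)
    rel_ref = '<m:RelationshipReference SourceId="rId2"/>' if label_signed else ""
    part_ref = '<Reference URI="/docMetadata/LabelInfo.xml?ContentType=application/xml"/>' if label_signed else ""
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:m="%sdigital-signature">'
           '<Reference URI="/_rels/.rels?ContentType=application/xml">'
           '<m:RelationshipReference SourceId="rId1"/>%s</Reference>'
           '<Reference URI="/xl/workbook.xml?ContentType=application/xml"/>%s</Signature>') % (PKG, rel_ref, part_ref)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", rels)
        zf.writestr("_xmlsignatures/sig1.xml", sig)
    return buf.getvalue()
```

Calling `unsigned_labels(open(path, "rb").read())` on a signed file and getting a non-empty list means the signature leaves out the label relationship or its part, which is the situation the report describes. The standard-library XML parser is used for brevity, so run this only on files from a trusted source.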

Comment 1 PJ Fanning 2023-12-20 17:38:39 UTC
Apache POI does not have a very active community. I am not aware of any active volunteers who have a major interest or experience with the signing feature.

Sometimes you need to find the right tool. Couldn't you do some scripting and get Excel to sign your files? Google Docs and some other non-MS tools may also support it.

Microsoft created these proprietary formats. There is not much incentive for volunteers to support 100% of what Microsoft support.

Comment 2 PJ Fanning 2023-12-20 18:02:10 UTC
I added r1914808. If someone has a test xlsx file that could be used to test this, that would be appreciated.

Comment 3 Nguyen Dat 2024-01-15 17:49:42 UTC
Have you signed with a p12 file, USB token or HSM?