Author: kiwiwings
Date: Sun Aug 10 18:25:10 2014
New Revision: 1617141

URL: http://svn.apache.org/r1617141
Log:
Xml signature support - version 1

Added:
    poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/CertificateSecurityException.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ExpiredCertificateSecurityException.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxies.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxy.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/KeyInfoKeySelector.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/OOXMLURIDereferencer.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/RevokedCertificateSecurityException.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/TrustCertificateSecurityException.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/KeyInfoSignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/Office2010SignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignaturePolicyService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLSignatureFacet.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/RelationshipTransformService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/RevocationData.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/RevocationDataService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/SignatureService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TimeStampService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TimeStampServiceValidator.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/XmlSignatureService.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/spi/
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/spi/AddressDTO.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/spi/Constants.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/spi/DigestInfo.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/spi/IdentityDTO.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/util/MethodUtils.java
    poi/branches/xml_signature/src/ooxml/java/org/apache/poi/util/XmlSort.java
    
poi/branches/xml_signature/src/ooxml/resources/org/apache/poi/poifs/crypt/XAdES.xsd
    
poi/branches/xml_signature/src/ooxml/resources/org/apache/poi/poifs/crypt/XAdESv141.xsd
    
poi/branches/xml_signature/src/ooxml/resources/org/apache/poi/poifs/crypt/signatureInfo.xsd
    
poi/branches/xml_signature/src/ooxml/testcases/org/apache/poi/poifs/crypt/PkiTestUtils.java
    
poi/branches/xml_signature/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java
    poi/branches/xml_signature/test-data/xmldsign/
    poi/branches/xml_signature/test-data/xmldsign/Office2010-SP1-XAdES-X-L.docx 
  (with props)
    poi/branches/xml_signature/test-data/xmldsign/bcprov-ext-jdk15on-1.49.jar   
(with props)
    
poi/branches/xml_signature/test-data/xmldsign/hello-world-office-2010-technical-preview-unsigned.docx
   (with props)
    
poi/branches/xml_signature/test-data/xmldsign/hello-world-office-2010-technical-preview.docx
   (with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-signed-twice.docx 
  (with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-signed.docx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-signed.pptx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-signed.xlsx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-unsigned.docx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-unsigned.pptx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hello-world-unsigned.xlsx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/hyperlink-example-signed.docx 
  (with props)
    poi/branches/xml_signature/test-data/xmldsign/ms-office-2010-signed.docx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/ms-office-2010-signed.pptx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/ms-office-2010-signed.xlsx   
(with props)
    poi/branches/xml_signature/test-data/xmldsign/signed.docx   (with props)
Modified:
    poi/branches/xml_signature/.classpath
    poi/branches/xml_signature/build.xml
    
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CipherAlgorithm.java
    
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
    
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/HashAlgorithm.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationship.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java
    
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java
    poi/branches/xml_signature/src/ooxml/java/org/apache/poi/util/SAXHelper.java
    poi/branches/xml_signature/src/testcases/org/apache/poi/POIDataSamples.java

Modified: poi/branches/xml_signature/.classpath
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/.classpath?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- poi/branches/xml_signature/.classpath (original)
+++ poi/branches/xml_signature/.classpath Sun Aug 10 18:25:10 2014
@@ -24,7 +24,7 @@
        <classpathentry kind="lib" path="lib/hamcrest-core-1.3.jar"/>
        <classpathentry kind="lib" path="lib/junit-4.11.jar"/>
        <classpathentry kind="lib" path="ooxml-lib/ooxml-schemas-1.1.jar" 
sourcepath="ooxml-lib/ooxml-schemas-src-1.1.jar"/>
-       <classpathentry kind="lib" path="ooxml-lib/ooxml-encryption-1.1.jar" 
sourcepath="ooxml-lib/ooxml-encryption-src-1.1.jar"/>
+       <classpathentry kind="lib" path="ooxml-lib/ooxml-encryption-1.2.jar" 
sourcepath="ooxml-lib/ooxml-encryption-src-1.2.jar"/>
        <classpathentry kind="con" 
path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
        <classpathentry kind="output" path="build/eclipse"/>
 </classpath>

Modified: poi/branches/xml_signature/build.xml
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/build.xml?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- poi/branches/xml_signature/build.xml (original)
+++ poi/branches/xml_signature/build.xml Sun Aug 10 18:25:10 2014
@@ -118,7 +118,6 @@ under the License.
     <property name="ooxml.output.test.dir" 
location="build/ooxml-test-classes"/>
     <property name="ooxml.testokfile" location="build/ooxml-testokfile.txt"/>
     <property name="ooxml.lite.output.dir" 
location="build/ooxml-lite-classes"/>
-    <property name="ooxml.encryption.xsd.dir" 
location="src/ooxml/resources/org/apache/poi/poifs/crypt"/>
 
     <!-- Excelant: -->
     <property name="excelant.resource.dir" value="src/excelant/resources"/>
@@ -169,17 +168,28 @@ under the License.
 
     <!-- See 
http://www.ecma-international.org/publications/standards/Ecma-376.htm -->
     <!-- "Copy these file(s), free of charge" -->
-    <property name="ooxml.xsds.ozip" 
location="${ooxml.lib}/OfficeOpenXML-Part4.zip"/>
-    <property name="ooxml.xsds.izip" 
location="${ooxml.lib}/OfficeOpenXML-XMLSchema.zip"/>
-    <property name="ooxml.xsds.url"
+    <property name="ooxml.xsds.ozip.1" value="OfficeOpenXML-Part4.zip"/>
+    <property name="ooxml.xsds.izip.1" value="OfficeOpenXML-XMLSchema.zip"/>
+    <property name="ooxml.xsds.url.1"
               
value="http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%204%20(PDF).zip"/>
     <property name="ooxml.xsds.src.dir" location="build/ooxml-xsds-src"/>
     <property name="ooxml.xsds.src.jar" 
location="${ooxml.lib}/ooxml-schemas-src-1.1.jar"/>
     <property name="ooxml.xsds.jar" 
location="${ooxml.lib}/ooxml-schemas-1.1.jar"/>
 
+       <!-- additional schemas are packed into the poi schemas jar, -->
+       <!-- so we don't have to care about a seperate versioning of the 
original ooxml schemas -->
+       <property name="ooxml.xsds.dc.1" 
value="http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd"/>
+       <property name="ooxml.xsds.dc.2" 
value="http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd"/>
+       <property name="ooxml.xsds.dc.3" 
value="http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcmitype.xsd"/>
+       <property name="ooxml.xsds.dsig" 
value="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+    <property name="ooxml.xsds.ozip.2" value="OfficeOpenXML-Part2.zip"/>
+    <property name="ooxml.xsds.izip.2" 
value="OpenPackagingConventions-XMLSchema.zip"/>
+    <property name="ooxml.xsds.url.2"
+              
value="http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%202%20(PDF).zip"/>
     <property name="ooxml.encryption.src.dir" 
location="build/ooxml-encryption-src"/>
-    <property name="ooxml.encryption.src.jar" 
location="${ooxml.lib}/ooxml-encryption-src-1.1.jar"/>
-    <property name="ooxml.encryption.jar" 
location="${ooxml.lib}/ooxml-encryption-1.1.jar"/>
+    <property name="ooxml.encryption.src.jar" 
location="${ooxml.lib}/ooxml-encryption-src-1.2.jar"/>
+    <property name="ooxml.encryption.jar" 
location="${ooxml.lib}/ooxml-encryption-1.2.jar"/>
+    <property name="ooxml.encryption.xsd.dir" 
location="src/ooxml/resources/org/apache/poi/poifs/crypt"/>
 
     <property name="maven.ooxml.xsds.version.id" value="1.0"/>
     <property name="maven.ooxml.xsds.jar" 
value="ooxml-schemas-${maven.ooxml.xsds.version.id}.jar"/>
@@ -356,7 +366,7 @@ under the License.
                        </fileset>
                </delete>
 
-               <condition property="jars.present">
+        <condition property="jars.present">
             <or>
                 <and>
                     <available file="${main.commons-logging.jar}"/>
@@ -458,19 +468,35 @@ under the License.
         <condition property="ooxml-xsds.present">
             <or>
                 <and>
-                    <available file="${ooxml.xsds.izip}"/>
+                    <available file="${ooxml.lib}/${ooxml.xsds.izip.1}"/>
                 </and>
                 <isset property="disconnected"/>
             </or>
         </condition>
     </target>
     <target name="fetch-ooxml-xsds" unless="ooxml-xsds.present"
-            depends="check-ooxml-xsds"
+        depends="check-ooxml-xsds"
             description="Fetches needed OOXML xsd files from the Internet">
-        <get src="${ooxml.xsds.url}" dest="${ooxml.xsds.ozip}"/>
-        <unzip src="${ooxml.xsds.ozip}" dest="${ooxml.lib}">
+        <get dest="${ooxml.lib}" skipexisting="true">
+               <url url="${ooxml.xsds.url.1}"/>
+               <url url="${ooxml.xsds.url.2}"/>
+               <url url="${ooxml.xsds.dc.1}"/>
+               <url url="${ooxml.xsds.dc.2}"/>
+               <url url="${ooxml.xsds.dc.3}"/>
+               <url url="${ooxml.xsds.dsig}"/>
+               <chainedmapper>
+                       <flattenmapper/>
+                       <firstmatchmapper>
+                               <globmapper 
from="Office%20Open%20XML%201st%20edition%20Part%20*%20(PDF).zip" 
to="OfficeOpenXML-Part*.zip"/>
+                               <identitymapper/>
+                       </firstmatchmapper>
+               </chainedmapper>
+       </get>
+        <unzip src="${ooxml.lib}/${ooxml.xsds.ozip.1}" dest="${ooxml.lib}">
+               <fileset dir="${ooxml.lib}" includes="OfficeOpenXML-Part*.zip"/>
             <patternset>
-                <include name="OfficeOpenXML-XMLSchema.zip"/>
+                <include name="${ooxml.xsds.izip.1}"/>
+               <include name="${ooxml.xsds.izip.2}"/>
             </patternset>
         </unzip>
     </target>
@@ -481,19 +507,10 @@ under the License.
                 <isset property="disconnected"/>
             </or>
         </condition>
-        <condition property="ooxml-compiled-encryption-xsds.present">
-            <or>
-                <available file="${ooxml.encryption.jar}"/>
-                <isset property="disconnected"/>
-            </or>
-        </condition>
     </target>
     <target name="compile-ooxml-xsds" unless="ooxml-compiled-xsds.present"
-            depends="check-jars,fetch-jars,check-compiled-ooxml-xsds"
-            description="Unpacks the OOXML xsd files, and compiles them into 
XmlBeans">
-        <property name="ooxml.xsds.tmp.dir" location="build/ooxml-xsds"/>
-        <mkdir dir="${ooxml.xsds.tmp.dir}"/>
-
+        depends="check-jars,fetch-jars,check-compiled-ooxml-xsds"
+        description="Unpacks the OOXML xsd files, and compiles them into 
XmlBeans">
         <taskdef name="xmlbean"
                  classname="org.apache.xmlbeans.impl.tool.XMLBean"
                  classpath="${ooxml.xmlbeans23.jar}"/>
@@ -505,11 +522,9 @@ under the License.
            <equals arg1="${sun.arch.data.model}" arg2="64" />
         </condition>
 
-        <unzip src="${ooxml.xsds.izip}" dest="${ooxml.xsds.tmp.dir}"/>
-        <!--
-              schema="build/ooxml-xsds/"
-              schema="build/ooxml-xsds/sml-workbook.xsd"
-          -->
+       <property name="ooxml.xsds.tmp.dir" location="build/ooxml-xsds"/>
+        <mkdir dir="${ooxml.xsds.tmp.dir}"/>
+        <unzip src="${ooxml.lib}/${ooxml.xsds.izip.1}" 
dest="${ooxml.xsds.tmp.dir}"/>
         <xmlbean
                 schema="${ooxml.xsds.tmp.dir}"
                 srcgendir="${ooxml.xsds.src.dir}"
@@ -523,41 +538,40 @@ under the License.
             <classpath refid="ooxml.classpath"/>
         </xmlbean>
 
-        <!-- Now make a jar of the schema sources -->
-        <jar
+       <!-- Now make a jar of the schema sources -->
+       <jar
                 basedir="${ooxml.xsds.src.dir}"
                 destfile="${ooxml.xsds.src.jar}"
                 />
-    </target>
-
-    <target name="compile-ooxml-encryption-xsds" 
unless="ooxml-compiled-encryption-xsds.present"
-            depends="check-jars,fetch-jars,check-compiled-ooxml-xsds"
-            description="Compiles the OOXML encryption xsd files into 
XmlBeans">
-        <taskdef name="xmlbean"
-                 classname="org.apache.xmlbeans.impl.tool.XMLBean"
-                 classpath="${ooxml.xmlbeans23.jar}"/>
-
-        <!-- We need a fair amount of memory to compile the xml schema, -->
-        <!--  but limit it in case it goes wrong! -->
-        <!-- Pick the right amount based on 32 vs 64 bit jvm -->
-        <condition property="ooxml.memory" value="768m" else="512m">
-           <equals arg1="${sun.arch.data.model}" arg2="64" />
-        </condition>
 
+               <!-- Now do the same for the encryption and supporting schemas 
-->
+       <property name="ooxml.enc.xsds.tmp.dir" 
location="build/ooxml-encryption-xsds"/>
+        <mkdir dir="${ooxml.enc.xsds.tmp.dir}"/>
+        <unzip src="${ooxml.lib}/${ooxml.xsds.izip.2}" 
dest="${ooxml.enc.xsds.tmp.dir}"/>
+       
+       <copy todir="${ooxml.enc.xsds.tmp.dir}">
+               <fileset dir="${ooxml.lib}" includes="dc*.xsd,xmldsig*.xsd"/>
+               <fileset dir="${ooxml.encryption.xsd.dir}"/>
+       </copy>
+
+       <!-- noupa/nopvr is set because of the dublincore schemas -->
+       <!-- https://issues.apache.org/jira/browse/XMLBEANS-340 -->
+       <!-- javasource > 1.5 will not generate all array accessor -->
         <xmlbean
-                schema="${ooxml.encryption.xsd.dir}"
+                schema="${ooxml.enc.xsds.tmp.dir}"
                 srcgendir="${ooxml.encryption.src.dir}"
                 optimize="yes"
                 destfile="${ooxml.encryption.jar}"
-                javasource="1.5"
+                javasource="1.5" 
                 failonerror="true"
                 fork="true"
                 memoryMaximumSize="${ooxml.memory}"
+                       noupa="true"
+                       nopvr="true"
                 >
             <classpath refid="ooxml.classpath"/>
         </xmlbean>
 
-        <!-- Now make a jar of the schema sources -->
         <jar
                 basedir="${ooxml.encryption.src.dir}"
                 destfile="${ooxml.encryption.src.jar}"
@@ -650,7 +664,7 @@ under the License.
         </copy>
     </target>
 
-    <target name="compile-ooxml" 
depends="compile-main,compile-scratchpad,compile-ooxml-xsds,compile-ooxml-encryption-xsds">
+    <target name="compile-ooxml" 
depends="compile-main,compile-scratchpad,compile-ooxml-xsds">
         <javac target="${jdk.version.class}"
                source="${jdk.version.source}"
                destdir="${ooxml.output.dir}"
@@ -1351,7 +1365,7 @@ under the License.
 
     <target name="gump" depends="compile-all, test-all, jar"/>
     <target name="jenkins" depends="compile-all, test-all, jar, javadocs, 
assemble, findbugs, release-notes, rat-check"/>
-       
+
     <available property="maven.ant.tasks.present" 
classname="org.apache.maven.artifact.ant.Pom"/>
     <target name="maven.ant.tasks-check">
       <fail unless="maven.ant.tasks.present">
@@ -1447,7 +1461,7 @@ under the License.
                                <exclude 
name="poi-*${version.id}-sources-*.jar"/>
                        </fileset>
                        <auxClasspath path="ooxml-lib/ooxml-schemas-1.1.jar" />
-                       <auxClasspath path="ooxml-lib/ooxml-encryption-1.1.jar" 
/>
+                       <auxClasspath path="ooxml-lib/ooxml-encryption-1.2.jar" 
/>
                        <auxClasspath path="ooxml-lib/xmlbeans-2.6.0.jar" />
                        <auxClasspath path="ooxml-lib/dom4j-1.6.1.jar" />
                        <auxClasspath path="lib/commons-codec-1.9.jar" />

Modified: 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CipherAlgorithm.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CipherAlgorithm.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CipherAlgorithm.java
 (original)
+++ 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CipherAlgorithm.java
 Sun Aug 10 18:25:10 2014
@@ -34,6 +34,8 @@ public enum CipherAlgorithm {
     // need bouncycastle provider for this one ...
     // see 
http://stackoverflow.com/questions/4436397/3des-des-encryption-using-the-jce-generating-an-acceptable-key
     des3_112(null, "DESede", -1, 128, new int[]{128}, 8, 32, "3DES_112", true),
+    // only for digital signatures
+    rsa(null, "RSA", -1, 1024, new int[]{1024, 2048, 3072, 4096}, -1, -1, "", 
false);
     ;
     
     public final CipherProvider provider;

Modified: 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
 (original)
+++ 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
 Sun Aug 10 18:25:10 2014
@@ -19,6 +19,7 @@ package org.apache.poi.poifs.crypt;
 import java.nio.charset.Charset;
 import java.security.DigestException;
 import java.security.GeneralSecurityException;
+import java.security.Key;
 import java.security.MessageDigest;
 import java.security.Provider;
 import java.security.Security;
@@ -189,7 +190,7 @@ public class CryptoFunctions {
      * @return the requested cipher
      * @throws GeneralSecurityException
      */
-    public static Cipher getCipher(SecretKey key, CipherAlgorithm 
cipherAlgorithm, ChainingMode chain, byte[] vec, int cipherMode, String 
padding) {
+    public static Cipher getCipher(Key key, CipherAlgorithm cipherAlgorithm, 
ChainingMode chain, byte[] vec, int cipherMode, String padding) {
         int keySizeInBytes = key.getEncoded().length;
         if (padding == null) padding = "NoPadding";
         
@@ -274,7 +275,7 @@ public class CryptoFunctions {
     }
 
     @SuppressWarnings("unchecked")
-    private static void registerBouncyCastle() {
+    public static void registerBouncyCastle() {
         if (Security.getProvider("BC") != null) return;
         try {
             Class<Provider> clazz = 
(Class<Provider>)Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");

Modified: 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/HashAlgorithm.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/HashAlgorithm.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/HashAlgorithm.java
 (original)
+++ 
poi/branches/xml_signature/src/java/org/apache/poi/poifs/crypt/HashAlgorithm.java
 Sun Aug 10 18:25:10 2014
@@ -17,22 +17,24 @@
 
 package org.apache.poi.poifs.crypt;
 
+import javax.xml.crypto.dsig.DigestMethod;
+
 import org.apache.poi.EncryptedDocumentException;
 
 public enum HashAlgorithm {
-    none     (         "", 0x0000,           "",  0,               "", false),
-    sha1     (    "SHA-1", 0x8004,       "SHA1", 20,       "HmacSHA1", false),
-    sha256   (  "SHA-256", 0x800C,     "SHA256", 32,     "HmacSHA256", false),
-    sha384   (  "SHA-384", 0x800D,     "SHA384", 48,     "HmacSHA384", false),
-    sha512   (  "SHA-512", 0x800E,     "SHA512", 64,     "HmacSHA512", false),
+    none     (         "", 0x0000,           "",  0,               "", null, 
false),
+    sha1     (    "SHA-1", 0x8004,       "SHA1", 20,       "HmacSHA1", 
DigestMethod.SHA1, false),
+    sha256   (  "SHA-256", 0x800C,     "SHA256", 32,     "HmacSHA256", 
DigestMethod.SHA256, false),
+    sha384   (  "SHA-384", 0x800D,     "SHA384", 48,     "HmacSHA384", null, 
false),
+    sha512   (  "SHA-512", 0x800E,     "SHA512", 64,     "HmacSHA512", 
DigestMethod.SHA512, false),
     /* only for agile encryption */
-    md5      (      "MD5",     -1,        "MD5", 16,        "HmacMD5", false),
+    md5      (      "MD5",     -1,        "MD5", 16,        "HmacMD5", null, 
false),
     // although sunjc2 supports md2, hmac-md2 is only supported by bouncycastle
-    md2      (      "MD2",     -1,        "MD2", 16,       "Hmac-MD2", true),
-    md4      (      "MD4",     -1,        "MD4", 16,       "Hmac-MD4", true),
-    ripemd128("RipeMD128",     -1, "RIPEMD-128", 16, "HMac-RipeMD128", true),
-    ripemd160("RipeMD160",     -1, "RIPEMD-160", 20, "HMac-RipeMD160", true),
-    whirlpool("Whirlpool",     -1,  "WHIRLPOOL", 64, "HMac-Whirlpool", true),
+    md2      (      "MD2",     -1,        "MD2", 16,       "Hmac-MD2", null, 
true),
+    md4      (      "MD4",     -1,        "MD4", 16,       "Hmac-MD4", null, 
true),
+    ripemd128("RipeMD128",     -1, "RIPEMD-128", 16, "HMac-RipeMD128", null, 
true),
+    ripemd160("RipeMD160",     -1, "RIPEMD-160", 20, "HMac-RipeMD160", 
DigestMethod.RIPEMD160, true),
+    whirlpool("Whirlpool",     -1,  "WHIRLPOOL", 64, "HMac-Whirlpool", null, 
true),
     ;
 
     public final String jceId;
@@ -40,14 +42,16 @@ public enum HashAlgorithm {
     public final String ecmaString;
     public final int hashSize;
     public final String jceHmacId;
+    public final String xmlSignUri;
     public final boolean needsBouncyCastle;
     
-    HashAlgorithm(String jceId, int ecmaId, String ecmaString, int hashSize, 
String jceHmacId, boolean needsBouncyCastle) {
+    HashAlgorithm(String jceId, int ecmaId, String ecmaString, int hashSize, 
String jceHmacId, String xmlSignUri, boolean needsBouncyCastle) {
         this.jceId = jceId;
         this.ecmaId = ecmaId;
         this.ecmaString = ecmaString;
         this.hashSize = hashSize;
         this.jceHmacId = jceHmacId;
+        this.xmlSignUri = xmlSignUri;
         this.needsBouncyCastle = needsBouncyCastle;
     }
     

Modified: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationship.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationship.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationship.java
 (original)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationship.java
 Sun Aug 10 18:25:10 2014
@@ -182,8 +182,6 @@ public final class PackageRelationship {
        }
 
        /**
-        * public URI getSourceUri(){ }
-        *
         * @return the targetMode
         */
        public TargetMode getTargetMode() {

Modified: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java
 (original)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/PackageRelationshipCollection.java
 Sun Aug 10 18:25:10 2014
@@ -306,7 +306,7 @@ public final class PackageRelationshipCo
      * @throws InvalidFormatException
      *             Throws if the relationship part is invalid.
      */
-    private void parseRelationshipsPart(PackagePart relPart)
+    public void parseRelationshipsPart(PackagePart relPart)
             throws InvalidFormatException {
         try {
             logger.log(POILogger.DEBUG, "Parsing relationship: " + 
relPart.getPartName());

Modified: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java?rev=1617141&r1=1617140&r2=1617141&view=diff
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java
 (original)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/openxml4j/opc/internal/ContentTypeManager.java
 Sun Aug 10 18:25:10 2014
@@ -148,11 +148,10 @@ public abstract class ContentTypeManager
         * </p>
         */
        public void addContentType(PackagePartName partName, String 
contentType) {
-               boolean defaultCTExists = false;
+               boolean defaultCTExists = 
this.defaultContentType.containsValue(contentType);
                String extension = partName.getExtension().toLowerCase();
                if ((extension.length() == 0)
-                               || 
(this.defaultContentType.containsKey(extension) && !(defaultCTExists = 
this.defaultContentType
-                                               .containsValue(contentType))))
+                               || 
(this.defaultContentType.containsKey(extension) && !defaultCTExists))
                        this.addOverrideContentType(partName, contentType);
                else if (!defaultCTExists)
                        this.addDefaultContentType(extension, contentType);
@@ -461,7 +460,7 @@ public abstract class ContentTypeManager
        }
 
        /**
-        * Use to append default types XML elements, use by the save() metid.
+        * Use to append default types XML elements, use by the save() method.
         *
         * @param root
         *            XML parent element use to append this default type 
element.

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/CertificateSecurityException.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/CertificateSecurityException.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/CertificateSecurityException.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/CertificateSecurityException.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,38 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+/**
+ * Exception thrown in case there is something wrong with the incoming eID
+ * certificate.
+ * 
+ * @author Frank Cornelis
+ * 
+ */
+public class CertificateSecurityException extends SecurityException {
+
+    private static final long serialVersionUID = 1L;
+
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ExpiredCertificateSecurityException.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ExpiredCertificateSecurityException.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ExpiredCertificateSecurityException.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ExpiredCertificateSecurityException.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,38 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+/**
+ * Exception thrown in case the incoming eID certificate is expired.
+ * 
+ * @author Frank Cornelis
+ * 
+ */
+public class ExpiredCertificateSecurityException extends
+        CertificateSecurityException {
+
+    private static final long serialVersionUID = 1L;
+
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxies.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxies.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxies.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxies.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,375 @@
+package org.apache.poi.poifs.crypt.dsig;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Date;
+
+import javax.security.auth.x500.X500Principal;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.XMLCryptoContext;
+import javax.xml.crypto.dom.DOMCryptoContext;
+import javax.xml.crypto.dsig.XMLSignContext;
+import javax.xml.crypto.dsig.XMLSignatureException;
+
+import org.apache.poi.poifs.crypt.dsig.HorribleProxy.ProxyIf;
+import org.w3c.dom.Node;
+
+public interface HorribleProxies {
+    public static final String xmlSecBase = "org.jcp.xml.dsig.internal.dom";
+    // public static final String xmlSecBase = 
"org.apache.jcp.xml.dsig.internal.dom";
+    
+    public interface ASN1InputStreamIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.ASN1InputStream";
+        
+        ASN1OctetStringIf readObject$ASNString() throws IOException;
+        DEROctetStringIf readObject$DERString() throws IOException;
+        DERIntegerIf readObject$Integer() throws IOException;
+        ASN1SequenceIf readObject$Sequence() throws IOException;
+        Object readObject$Object() throws IOException;
+    }
+
+    public interface ASN1ObjectIdentifierIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.ASN1ObjectIdentifier";
+    }
+    
+    public interface ASN1OctetStringIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.ASN1OctetString";
+        byte[] getOctets();
+    }
+    
+    public interface ASN1SequenceIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.ASN1Sequence";
+    }
+    
+    public interface AuthorityInformationAccessIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.AuthorityInformationAccess";
+    }
+    
+    public interface AuthorityKeyIdentifierIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.AuthorityKeyIdentifier";
+        byte[] getKeyIdentifier();
+    }
+    
+    public interface BasicConstraintsIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.BasicConstraints";
+    }
+    
+    public interface BasicOCSPRespIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.BasicOCSPResp";
+        Date getProducedAt();
+        RespIDIf getResponderId();
+    }
+    
+    public interface BcDigestCalculatorProviderIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.operator.bc.BcDigestCalculatorProvider";
+    }
+
+    public interface BcRSASignerInfoVerifierBuilderIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder";
+        SignerInformationVerifierIf build(X509CertificateHolderIf holder); 
+    }
+    
+    public interface CanonicalizerIf extends ProxyIf {
+        String delegateClass = 
"com.sun.org.apache.xml.internal.security.c14n.Canonicalizer";
+        byte[] canonicalizeSubtree(Node node) throws Exception;
+    }
+    
+    public interface CRLNumberIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.CRLNumber";
+    }
+    
+    public interface DefaultDigestAlgorithmIdentifierFinderIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder";
+    }
+    
+    public interface DistributionPointNameIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.DistributionPointName";
+    }
+    
+    public interface DistributionPointIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.DistributionPoint";
+    }
+    
+    public interface DERIA5StringIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.DERIA5String";
+    }
+    
+    public interface DERIntegerIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.DERInteger";
+        BigInteger getPositiveValue();
+    }
+    
+    public interface DEROctetStringIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.DEROctetString";
+        byte[] getOctets();
+    }
+    
+    public interface DERTaggedObjectIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.DERTaggedObject";
+        int getTagNo();
+        ASN1OctetStringIf getObject$String();
+        Object getObject$Object();
+    }
+
+    public interface DERSequenceIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.DERSequence";
+    }
+    
+    public interface DOMKeyInfoIf extends ProxyIf {
+        String delegateClass = xmlSecBase+".DOMKeyInfo";
+        void marshal(Node parent, Node nextSibling, String dsPrefix, 
DOMCryptoContext context) throws MarshalException;
+    }
+    
+    public interface DOMReferenceIf extends ProxyIf {
+        String delegateClass = xmlSecBase+".DOMReference";
+        void digest(XMLSignContext paramXMLSignContext) throws 
XMLSignatureException;
+        byte[] getDigestValue();
+    }
+    
+    public interface DOMSignedInfoIf extends ProxyIf {
+        String delegateClass = xmlSecBase+".DOMSignedInfo";
+        void canonicalize(XMLCryptoContext paramXMLCryptoContext, 
ByteArrayOutputStream paramByteArrayOutputStream);
+    }
+    
+    public interface XMLSignatureIf extends ProxyIf {
+        String delegateClass = 
"com.sun.org.apache.xml.internal.security.signature.XMLSignature";
+        String ALGO_ID_SIGNATURE_RSA_SHA1();
+        String ALGO_ID_SIGNATURE_RSA_SHA256();
+        String ALGO_ID_SIGNATURE_RSA_SHA384();
+        String ALGO_ID_SIGNATURE_RSA_SHA512();
+        String ALGO_ID_MAC_HMAC_RIPEMD160();
+    }
+    
+    public interface DOMXMLSignatureIf extends ProxyIf {
+        String delegateClass = xmlSecBase+".DOMXMLSignature";
+        void marshal(Node node, String prefix, DOMCryptoContext context) 
throws MarshalException;
+    }
+    
+    public interface GeneralNameIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.GeneralName";
+        
+        int uniformResourceIdentifier();
+        
+    }
+    
+    public interface GeneralNamesIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.GeneralNames";
+    }
+    
+    public interface InitIf extends ProxyIf {
+        String delegateClass = "com.sun.org.apache.xml.internal.security.Init";
+        void init();
+    }
+
+    public interface KeyUsageIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.KeyUsage";
+        int digitalSignature();
+    }
+    
+    public interface OCSPRespIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.OCSPResp";
+        BasicOCSPRespIf getResponseObject();
+    }
+    
+    public interface PKIFailureInfoIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.cmp.PKIFailureInfo";
+        int intValue();
+    }
+
+    public interface RespIDIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.RespID";
+        ResponderIDIf toASN1Object();
+    }
+    
+    public interface ResponderIDIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.ocsp.ResponderID";
+        DERTaggedObjectIf toASN1Object();
+    }
+
+    public interface SignerIdIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cms.SignerId";
+        BigInteger getSerialNumber();
+        X500Principal getIssuer();
+    }
+
+    public interface SignerInformationVerifierIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.cms.SignerInformationVerifier";
+    }
+    
+    public interface StoreIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.util.Store";
+        Collection<Certificate> getMatches(Object selector) throws Exception;
+    }
+    
+    public interface SubjectKeyIdentifierIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.SubjectKeyIdentifier";
+        byte[] getKeyIdentifier();
+    }
+    
+    public interface SubjectPublicKeyInfoIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.SubjectPublicKeyInfo";
+    }
+    
+    public interface TimeStampRequestGeneratorIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.tsp.TimeStampRequestGenerator";
+        void setCertReq(boolean certReq);
+        void setReqPolicy(String reqPolicy);
+        TimeStampRequestIf generate(String igestAlgorithmOID, byte[] digest, 
BigInteger nonce);
+    }
+    
+    public interface TimeStampRequestIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.tsp.TimeStampRequest";
+        byte[] getEncoded() throws IOException;
+    }
+    
+    public interface TimeStampResponseIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.tsp.TimeStampResponse";
+        void validate(TimeStampRequestIf request) throws Exception;
+        int getStatus();
+        String getStatusString();
+        PKIFailureInfoIf getFailInfo();
+        TimeStampTokenIf getTimeStampToken();
+    }
+    
+    public interface TimeStampTokenIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.tsp.TimeStampToken";
+        SignerIdIf getSID();
+        StoreIf getCertificates();
+        StoreIf getCRLs();
+        TimeStampTokenInfoIf getTimeStampInfo();
+        byte[] getEncoded() throws IOException;
+        void validate(SignerInformationVerifierIf verifier) throws Exception;
+    }
+    
+    public interface TimeStampTokenInfoIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.tsp.TimeStampTokenInfo";
+        Date getGenTime();
+    }
+    
+    public interface X509CertificateHolderIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.X509CertificateHolder";
+    }
+
+    public interface X509NameIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.X509Name";
+        String toString$delegate();
+    }
+
+    public interface X509PrincipalIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.jce.X509Principal";
+        String getName();
+    }
+    
+    public interface X509V3CertificateGeneratorIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.x509.X509V3CertificateGenerator";
+        
+        void reset();
+        void setPublicKey(PublicKey key);
+        void setSignatureAlgorithm(String signatureAlgorithm);
+        void setNotBefore(Date date);
+        void setNotAfter(Date date);
+        void setIssuerDN(X509PrincipalIf issuerDN);
+        void setSubjectDN(X509PrincipalIf issuerDN);
+        void setSerialNumber(BigInteger serialNumber);
+        
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
SubjectKeyIdentifierIf value);
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
AuthorityKeyIdentifierIf value);
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
BasicConstraintsIf value);
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
DERSequenceIf value);
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
AuthorityInformationAccessIf value);
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
KeyUsageIf value);
+        
+        X509Certificate generate(PrivateKey issuerPrivateKey);
+    }
+
+    public interface OCSPReqIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.OCSPReq";
+
+        ReqIf[] getRequestList();
+    }
+    
+    public interface OCSPReqGeneratorIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.ocsp.OCSPReqGenerator";
+        
+        void addRequest(CertificateIDIf certId);
+        OCSPReqIf generate();
+    }
+
+    public interface BasicOCSPRespGeneratorIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.ocsp.BasicOCSPRespGenerator";
+
+        void addResponse(CertificateIDIf certificateID, CertificateStatusIf 
certificateStatus);
+        BasicOCSPRespIf generate(String signatureAlgorithm, PrivateKey 
ocspResponderPrivateKey,
+                X509Certificate chain[], Date date, String provider);
+    }
+    
+    public interface CertificateIDIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.CertificateID";
+        
+        String HASH_SHA1();
+    }
+    
+    public interface X509ExtensionsIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.X509Extensions";
+        
+        ASN1ObjectIdentifierIf AuthorityKeyIdentifier();
+        ASN1ObjectIdentifierIf SubjectKeyIdentifier();
+        ASN1ObjectIdentifierIf BasicConstraints();
+        ASN1ObjectIdentifierIf CRLDistributionPoints();
+        ASN1ObjectIdentifierIf AuthorityInfoAccess();
+        ASN1ObjectIdentifierIf KeyUsage();
+        ASN1ObjectIdentifierIf CRLNumber();
+    }
+    
+    public interface X509ObjectIdentifiersIf extends ProxyIf {
+        String delegateClass = 
"org.bouncycastle.asn1.x509.X509ObjectIdentifiers";
+        
+        ASN1ObjectIdentifierIf ocspAccessMethod();
+    }
+    
+    public interface X509V2CRLGeneratorIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.X509V2CRLGenerator";
+        
+        void setIssuerDN(X500Principal issuerDN);
+        void setThisUpdate(Date date);
+        void setNextUpdate(Date date);
+        void setSignatureAlgorithm(String algorithm);
+        
+        void addExtension(ASN1ObjectIdentifierIf oid, boolean critical, 
CRLNumberIf value);
+        X509CRL generate(PrivateKey privateKey);
+    }
+    
+    public interface ReqIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.Req";
+        
+        CertificateIDIf getCertID();
+    }
+    
+    public interface CertificateStatusIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.CertificateStatus";
+        
+        CertificateStatusIf GOOD();
+    }
+    
+    public interface RevokedStatusIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.cert.ocsp.RevokedStatus";
+    }
+    
+    public interface CRLReasonIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.asn1.x509.CRLReason";
+        int unspecified();
+    }
+
+    public interface OCSPRespGeneratorIf extends ProxyIf {
+        String delegateClass = "org.bouncycastle.ocsp.OCSPRespGenerator";
+        int SUCCESSFUL();
+        OCSPRespIf generate(int status, BasicOCSPRespIf basicOCSPResp);
+    }
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxy.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxy.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxy.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/HorribleProxy.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,249 @@
+package org.apache.poi.poifs.crypt.dsig;
+
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
+import java.lang.reflect.Proxy;
+
+import org.apache.poi.util.MethodUtils;
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
+
+public class HorribleProxy implements InvocationHandler {
+    
+    private static final POILogger LOG = 
POILogFactory.getLogger(HorribleProxy.class);
+    
+       protected static interface ProxyIf {
+           Object getDelegate();
+           void setInitDeferred(boolean initDeferred);
+       };
+       
+    private final Class<?> delegateClass;
+       private Object delegateRef;
+       private boolean initDeferred = true;
+
+       protected HorribleProxy(Class<?> delegateClass, Object delegateRef) {
+        this.delegateClass = delegateClass;
+           // delegateRef can be null, then we have to deal with deferred 
initialisation
+           this.delegateRef = delegateRef;
+       }
+       
+       /**
+        * Create new instance by constructor
+        *
+        * @param proxyClass
+        * @param initargs
+        * @return
+        * @throws InvocationTargetException
+        * @throws IllegalAccessException
+        * @throws InstantiationException
+        * @throws NoSuchMethodException
+        * @throws ClassNotFoundException
+        */
+    @SuppressWarnings("unchecked")
+    public static <T extends ProxyIf> T newProxy(Class<T> proxyClass, Object 
... initargs)
+       throws InvocationTargetException, IllegalAccessException, 
InstantiationException
+       , NoSuchMethodException, ClassNotFoundException, NoSuchFieldException {
+               ClassLoader cl = Thread.currentThread().getContextClassLoader();
+               
+               Class<?> delegateClass = getDelegateClass(proxyClass);
+               Object delegateRef;
+               if (initargs.length == 0) {
+                   delegateRef = null;
+               } else if (initargs.length == 1 && 
delegateClass.isAssignableFrom(initargs[0].getClass())) {
+                       delegateRef = initargs[0];
+               } else {
+            Class<?> paramTypes[] = updateMethodArgs(null, initargs);
+            Constructor<?> cons = null;
+            try {
+                cons = delegateClass.getConstructor(paramTypes);
+            } catch (Exception e) {
+                // fallback - find constructor with same amount of parameters
+                // horrible et al. ...
+                cons = 
MethodUtils.getMatchingAccessibleConstructor(delegateClass, paramTypes);
+                
+                if (cons == null) {
+                    throw new RuntimeException("There's no constructor for the 
given arguments.");
+                }
+            }
+            
+                       delegateRef = cons.newInstance(initargs);
+               }
+
+               HorribleProxy hp = new HorribleProxy(delegateClass, 
delegateRef);
+               return (T)Proxy.newProxyInstance(cl, new 
Class<?>[]{proxyClass}, hp);
+       }
+       
+       /**
+        * Create new instance by factory method 
+        *
+        * @param proxyClass
+        * @param factoryMethod
+        * @param initargs
+        * @return
+        * @throws InvocationTargetException
+        * @throws IllegalAccessException
+        * @throws InstantiationException
+        * @throws NoSuchMethodException
+        * @throws ClassNotFoundException
+        */
+    @SuppressWarnings("unchecked")
+       public static <T extends ProxyIf> T createProxy(Class<T> proxyClass, 
String factoryMethod, Object ... initargs)
+    throws InvocationTargetException, IllegalAccessException, 
InstantiationException
+    , NoSuchMethodException, ClassNotFoundException, NoSuchFieldException {
+        ClassLoader cl = Thread.currentThread().getContextClassLoader();
+
+        Class<?> delegateClass = getDelegateClass(proxyClass);
+        Class<?> paramTypes[] = updateMethodArgs(null, initargs);
+        Method facMethod = delegateClass.getMethod(factoryMethod, paramTypes);
+        Object delegateRef = facMethod.invoke(null, initargs);
+
+        if (delegateRef == null) {
+            return null;
+        }
+
+        HorribleProxy hp = new HorribleProxy(delegateClass, delegateRef);
+        return (T)Proxy.newProxyInstance(cl, new Class<?>[]{proxyClass}, hp);
+    }
+
+       @SuppressWarnings("unchecked")
+    @Override
+       public Object invoke(Object proxy, Method method, Object[] args)
+                       throws Exception {
+        String methodName = method.getName().replaceFirst("\\$.*", "");
+               if (Object.class == method.getDeclaringClass()) {
+               if ("equals".equals(methodName)) {
+                               return proxy == args[0];
+                       } else if ("hashCode".equals(methodName)) {
+                               return System.identityHashCode(proxy);
+                       } else if ("toString".equals(methodName)) {
+                               return proxy.getClass().getName() + "@"
+                                               + 
Integer.toHexString(System.identityHashCode(proxy))
+                                               + ", with InvocationHandler " + 
this;
+                       } else {
+                               throw new 
IllegalStateException(String.valueOf(method));
+                       }
+               }
+
+        if ("getDelegate".equals(methodName)) {
+            initDeferred();
+            return delegateRef;
+        } else if ("setInitDeferred".equals(methodName)) {
+            initDeferred = (Boolean)args[0];
+            return null;
+        }              
+               
+               Class<?> methodParams[] = 
updateMethodArgs(method.getParameterTypes(), args);
+
+               Object ret = null;
+               boolean isStaticField = false;
+               if (methodParams.length == 0) {
+                   // check for static fields first
+                   try {
+                       Field f = delegateClass.getDeclaredField(methodName);
+                       ret = f.get(delegateRef);
+                       isStaticField = true;
+                   } catch (NoSuchFieldException e) {
+                       LOG.log(POILogger.DEBUG, "No static field 
'"+methodName+"' in class '"+delegateClass.getCanonicalName()+"' - trying 
method now.");
+                   }
+               }
+               
+               if (!isStaticField) {
+               Method methodImpl = null;
+               try {
+                   methodImpl = delegateClass.getMethod(methodName, 
methodParams);
+               } catch (Exception e) {
+                   // fallback - if methodName is distinct, try to use it
+                   // in case we can't provide method declaration in the Proxy 
interface
+                   // ... and of course, this is horrible ...
+                methodImpl = 
MethodUtils.getMatchingAccessibleMethod(delegateClass, methodName, 
methodParams);
+
+                   if (methodImpl == null) {
+                       throw new RuntimeException("There's no method 
'"+methodName+"' for the given arguments.");
+                   }
+               }
+    
+               if (!Modifier.isStatic(methodImpl.getModifiers())) {
+                   initDeferred();
+               }
+               ret = methodImpl.invoke(delegateRef, args);
+               }
+               
+               Class<?> retType = method.getReturnType();
+               if (retType.isArray()) {
+                   if 
(ProxyIf.class.isAssignableFrom(retType.getComponentType())) {
+                       Class<? extends ProxyIf> cType = (Class<? extends 
ProxyIf>)retType.getComponentType();
+                       ProxyIf paRet[] = (ProxyIf[])Array.newInstance(cType, 
((Object[])ret).length);
+                       for (int i=0; i<((Object[])ret).length; i++) {
+                           paRet[i] = newProxy(cType, ((Object[])ret)[i]);
+                           paRet[i].setInitDeferred(false);
+                       }
+                       ret = paRet;
+                   }
+               } else if (ProxyIf.class.isAssignableFrom(retType)) {
+                   ProxyIf pRet = newProxy((Class<? extends ProxyIf>)retType, 
ret);
+            pRet.setInitDeferred(false);
+                   ret = pRet; 
+               }
+               
+               return ret;
+       }
+       
+    @SuppressWarnings("unchecked")
+    private static Class<?>[] updateMethodArgs(Class<?> types[], Object args[])
+    throws NoSuchFieldException, IllegalAccessException, 
ClassNotFoundException {
+        if (args == null) return new Class<?>[0];
+        if (types == null) types = new Class<?>[args.length];
+        if (types.length != args.length) {
+            throw new IllegalArgumentException();
+        }
+        
+        for (int i=0; i<types.length; i++) {
+            if (types[i] == null) {
+                if (args[i] == null) {
+                    throw new IllegalArgumentException();
+                }
+                types[i] = args[i].getClass();
+            }
+            
+            if (ProxyIf.class.isAssignableFrom(types[i])) {
+                types[i] = getDelegateClass((Class<? extends 
ProxyIf>)types[i]);
+                if (args[i] != null) {
+                    args[i] = ((ProxyIf)args[i]).getDelegate();
+                }
+            }
+        }
+        return types;
+    }
+
+    private void initDeferred() throws Exception {
+        if (delegateRef != null || !initDeferred) return;
+        // currently works only for empty constructor
+        delegateRef = delegateClass.getConstructor().newInstance();
+    }
+    
+       private static Class<?> getDelegateClass(Class<? extends ProxyIf> 
proxyClass)
+       throws NoSuchFieldException, IllegalAccessException, 
ClassNotFoundException {
+           Field delegateField;
+           try {
+           delegateField = proxyClass.getDeclaredField("delegateClass");
+           } catch (NoSuchFieldException e) {
+               // sometimes a proxy interface is returned as proxyClass
+               // this has to be asked for the real ProxyIf interface
+               Class<?> ifs[] = proxyClass.getInterfaces();
+               if (ifs == null || ifs.length != 1) {
+                   throw new IllegalArgumentException();
+               }
+               delegateField = ifs[0].getDeclaredField("delegateClass");
+           }
+
+           String delegateClassName = (String)delegateField.get(null);
+        ClassLoader cl = Thread.currentThread().getContextClassLoader();
+        Class<?> delegateClass = Class.forName(delegateClassName, true, cl);
+           return delegateClass;
+       }
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/KeyInfoKeySelector.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/KeyInfoKeySelector.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/KeyInfoKeySelector.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/KeyInfoKeySelector.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,101 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+import java.security.Key;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.crypto.AlgorithmMethod;
+import javax.xml.crypto.KeySelector;
+import javax.xml.crypto.KeySelectorException;
+import javax.xml.crypto.KeySelectorResult;
+import javax.xml.crypto.XMLCryptoContext;
+import javax.xml.crypto.XMLStructure;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
+
+/**
+ * JSR105 key selector implementation using the ds:KeyInfo data of the 
signature
+ * itself.
+ */
+public class KeyInfoKeySelector extends KeySelector implements 
KeySelectorResult {
+
+    private static final POILogger LOG = 
POILogFactory.getLogger(KeyInfoKeySelector.class);
+
+    private X509Certificate certificate;
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, 
AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
+        LOG.log(POILogger.DEBUG, "select key");
+        if (null == keyInfo) {
+            throw new KeySelectorException("no ds:KeyInfo present");
+        }
+        List<XMLStructure> keyInfoContent = keyInfo.getContent();
+        this.certificate = null;
+        for (XMLStructure keyInfoStructure : keyInfoContent) {
+            if (false == (keyInfoStructure instanceof X509Data)) {
+                continue;
+            }
+            X509Data x509Data = (X509Data) keyInfoStructure;
+            List<Object> x509DataList = x509Data.getContent();
+            for (Object x509DataObject : x509DataList) {
+                if (false == (x509DataObject instanceof X509Certificate)) {
+                    continue;
+                }
+                X509Certificate certificate = (X509Certificate) x509DataObject;
+                LOG.log(POILogger.DEBUG, "certificate", 
certificate.getSubjectX500Principal());
+                if (null == this.certificate) {
+                    /*
+                     * The first certificate is presumably the signer.
+                     */
+                    this.certificate = certificate;
+                }
+            }
+            if (null != this.certificate) {
+                return this;
+            }
+        }
+        throw new KeySelectorException("No key found!");
+    }
+
+    public Key getKey() {
+        return this.certificate.getPublicKey();
+    }
+
+    /**
+     * Gives back the X509 certificate used during the last signature
+     * verification operation.
+     * 
+     * @return
+     */
+    public X509Certificate getCertificate() {
+        return this.certificate;
+    }
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/OOXMLURIDereferencer.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/OOXMLURIDereferencer.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/OOXMLURIDereferencer.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/OOXMLURIDereferencer.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,114 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import javax.xml.crypto.Data;
+import javax.xml.crypto.OctetStreamData;
+import javax.xml.crypto.URIDereferencer;
+import javax.xml.crypto.URIReference;
+import javax.xml.crypto.URIReferenceException;
+import javax.xml.crypto.XMLCryptoContext;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+
+import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
+import org.apache.poi.openxml4j.opc.OPCPackage;
+import org.apache.poi.openxml4j.opc.PackagePart;
+import org.apache.poi.openxml4j.opc.PackagePartName;
+import org.apache.poi.openxml4j.opc.PackagingURIHelper;
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
+
+/**
+ * JSR105 URI dereferencer for Office Open XML documents.
+ */
+public class OOXMLURIDereferencer implements URIDereferencer {
+
+    private static final POILogger LOG = 
POILogFactory.getLogger(OOXMLURIDereferencer.class);
+
+    private final OPCPackage pkg;
+
+    private final URIDereferencer baseUriDereferencer;
+
+    public OOXMLURIDereferencer(OPCPackage pkg) {
+        if (null == pkg) {
+            throw new IllegalArgumentException("OPCPackage is null");
+        }
+        this.pkg = pkg;
+        XMLSignatureFactory xmlSignatureFactory = 
SignatureInfo.getSignatureFactory();
+        this.baseUriDereferencer = xmlSignatureFactory.getURIDereferencer();
+    }
+
+    public Data dereference(URIReference uriReference, XMLCryptoContext 
context) throws URIReferenceException {
+        if (null == uriReference) {
+            throw new NullPointerException("URIReference cannot be null");
+        }
+        if (null == context) {
+            throw new NullPointerException("XMLCrytoContext cannot be null");
+        }
+
+        URI uri;
+        try {
+            uri = new URI(uriReference.getURI());
+        } catch (URISyntaxException e) {
+            throw new URIReferenceException("could not URL decode the uri: 
"+uriReference.getURI(), e);
+        }
+
+        PackagePart part = findPart(uri);
+        if (part == null) {
+            LOG.log(POILogger.DEBUG, "cannot resolve, delegating to base DOM 
URI dereferencer", uri);
+            return this.baseUriDereferencer.dereference(uriReference, context);
+        }
+        
+        try {
+            return new OctetStreamData(part.getInputStream(), uri.toString(), 
null);
+        } catch (IOException e) {
+            throw new URIReferenceException("I/O error: " + e.getMessage(), e);
+        }
+    }
+
+    private PackagePart findPart(URI uri) {
+        LOG.log(POILogger.DEBUG, "dereference", uri);
+
+        String path = uri.getPath();
+        if (path == null || "".equals(path)) {
+            LOG.log(POILogger.DEBUG, "illegal part name (expected)", uri);
+            return null;
+        }
+        
+        PackagePartName ppn;
+        try {
+            ppn = PackagingURIHelper.createPartName(path);
+        } catch (InvalidFormatException e) {
+            LOG.log(POILogger.WARN, "illegal part name (not expected)", uri);
+            return null;
+        }
+        
+        return pkg.getPart(ppn);
+    }
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/RevokedCertificateSecurityException.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/RevokedCertificateSecurityException.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/RevokedCertificateSecurityException.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/RevokedCertificateSecurityException.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,38 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+/**
+ * Exception thrown in case the incoming eID certificate has been revoked.
+ * 
+ * @author Frank Cornelis
+ * 
+ */
+public class RevokedCertificateSecurityException extends
+        CertificateSecurityException {
+
+    private static final long serialVersionUID = 1L;
+
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,283 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Date;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.crypto.Cipher;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMValidateContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+
+import org.apache.poi.EncryptedDocumentException;
+import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
+import org.apache.poi.openxml4j.opc.OPCPackage;
+import org.apache.poi.openxml4j.opc.PackagePart;
+import org.apache.poi.openxml4j.opc.PackageRelationship;
+import org.apache.poi.openxml4j.opc.PackageRelationshipCollection;
+import org.apache.poi.openxml4j.opc.PackageRelationshipTypes;
+import org.apache.poi.poifs.crypt.ChainingMode;
+import org.apache.poi.poifs.crypt.CipherAlgorithm;
+import org.apache.poi.poifs.crypt.CryptoFunctions;
+import org.apache.poi.poifs.crypt.HashAlgorithm;
+import org.apache.poi.poifs.crypt.dsig.HorribleProxies.InitIf;
+import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService;
+import org.apache.poi.poifs.crypt.dsig.services.XmlSignatureService;
+import org.apache.poi.poifs.crypt.dsig.spi.DigestInfo;
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
+import org.apache.poi.util.SAXHelper;
+import org.apache.xmlbeans.XmlCursor;
+import org.apache.xmlbeans.XmlObject;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public class SignatureInfo {
+    
+    public static final byte[] SHA1_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 
0x04, 0x14 };
+
+    public static final byte[] SHA224_DIGEST_INFO_PREFIX = new byte[] 
+        { 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, (byte) 0x86
+        , 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x04, 0x1c };
+
+    public static final byte[] SHA256_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, (byte) 0x86
+        , 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20 };
+
+    public static final byte[] SHA384_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, (byte) 0x86
+        , 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x04, 0x30 };
+
+    public static final byte[] SHA512_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, (byte) 0x86
+        , 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x04, 0x40 };
+
+    public static final byte[] RIPEMD128_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x1b, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x02, 
0x04, 0x10 };
+
+    public static final byte[] RIPEMD160_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x01, 
0x04, 0x14 };
+
+    public static final byte[] RIPEMD256_DIGEST_INFO_PREFIX = new byte[]
+        { 0x30, 0x2b, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x03, 
0x04, 0x20 };
+    
+    
+    private static final POILogger LOG = 
POILogFactory.getLogger(SignatureInfo.class);
+    private static boolean isInitialized = false;
+    
+    private final OPCPackage pkg;
+    
+    public SignatureInfo(OPCPackage pkg) {
+        this.pkg = pkg;
+    }
+    
+    public boolean verifySignature() {
+        initXmlProvider();
+        // 
http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html
+        List<X509Certificate> signers = new LinkedList<X509Certificate>();
+        return getSignersAndValidate(signers, true);
+    }
+
+    public void confirmSignature(Key key, X509Certificate x509)
+    throws NoSuchAlgorithmException, IOException {
+        confirmSignature(key, x509, HashAlgorithm.sha1);
+    }
+    
+    public void confirmSignature(Key key, X509Certificate x509, HashAlgorithm 
hashAlgo)
+    throws NoSuchAlgorithmException, IOException {
+        XmlSignatureService signatureService = 
createSignatureService(hashAlgo, pkg);
+        
+        // operate
+        List<X509Certificate> x509Chain = Collections.singletonList(x509);
+        DigestInfo digestInfo = signatureService.preSign(null, x509Chain, 
null, null, null);
+
+        // setup: key material, signature value
+
+        Cipher cipher = CryptoFunctions.getCipher(key, CipherAlgorithm.rsa
+            , ChainingMode.ecb, null, Cipher.ENCRYPT_MODE, "PKCS1Padding");
+        
+        byte[] signatureValue;
+        try {
+            ByteArrayOutputStream digestInfoValueBuf = new 
ByteArrayOutputStream();
+            digestInfoValueBuf.write(SHA1_DIGEST_INFO_PREFIX);
+            digestInfoValueBuf.write(digestInfo.digestValue);
+            byte[] digestInfoValue = digestInfoValueBuf.toByteArray();
+            signatureValue = cipher.doFinal(digestInfoValue);
+        } catch (Exception e) {
+            throw new EncryptedDocumentException(e);
+        }
+
+        
+        // operate: postSign
+        signatureService.postSign(signatureValue, 
Collections.singletonList(x509));
+    }
+
+    public XmlSignatureService createSignatureService(HashAlgorithm hashAlgo, 
OPCPackage pkg) {
+        XmlSignatureService signatureService = new 
XmlSignatureService(hashAlgo, pkg);
+        signatureService.initFacets(new Date());
+        return signatureService;
+    }
+    
+    public List<X509Certificate> getSigners() {
+        initXmlProvider();
+        List<X509Certificate> signers = new LinkedList<X509Certificate>();
+        getSignersAndValidate(signers, false);
+        return signers;
+    }
+    
+    protected boolean getSignersAndValidate(List<X509Certificate> signers, 
boolean onlyFirst) {
+        boolean allValid = true;
+        List<PackagePart> signatureParts = getSignatureParts(onlyFirst);
+        if (signatureParts.isEmpty()) {
+            LOG.log(POILogger.DEBUG, "no signature resources");
+            allValid = false;
+        }
+        
+        for (PackagePart signaturePart : signatureParts) {
+            KeyInfoKeySelector keySelector = new KeyInfoKeySelector();
+
+            try {
+                Document doc = 
SAXHelper.readSAXDocumentW3C(signaturePart.getInputStream());
+                // dummy call to createSignatureService to tweak document 
afterwards
+                createSignatureService(HashAlgorithm.sha1, 
pkg).registerIds(doc);
+                
+                DOMValidateContext domValidateContext = new 
DOMValidateContext(keySelector, doc);
+                
domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", 
Boolean.TRUE);
+                OOXMLURIDereferencer dereferencer = new 
OOXMLURIDereferencer(pkg);
+                domValidateContext.setURIDereferencer(dereferencer);
+    
+                XMLSignatureFactory xmlSignatureFactory = 
getSignatureFactory();
+                XMLSignature xmlSignature = 
xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
+                boolean validity = xmlSignature.validate(domValidateContext);
+                allValid &= validity;
+                if (!validity) continue;
+                // TODO: check what has been signed.
+            } catch (Exception e) {
+                LOG.log(POILogger.ERROR, "error in marshalling and validating 
the signature", e);
+                continue;
+            }
+
+            X509Certificate signer = keySelector.getCertificate();
+            signers.add(signer);
+        }
+        
+        return allValid;
+    }
+
+    protected List<PackagePart> getSignatureParts(boolean onlyFirst) {
+        List<PackagePart> packageParts = new LinkedList<PackagePart>();
+        
+        PackageRelationshipCollection sigOrigRels = 
pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN);
+        for (PackageRelationship rel : sigOrigRels) {
+            PackagePart sigPart = pkg.getPart(rel);
+            LOG.log(POILogger.DEBUG, "Digital Signature Origin part", sigPart);
+
+            try {
+                PackageRelationshipCollection sigRels = 
sigPart.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE);
+                for (PackageRelationship sigRel : sigRels) {
+                    PackagePart sigRelPart = sigPart.getRelatedPart(sigRel); 
+                    LOG.log(POILogger.DEBUG, "XML Signature part", sigRelPart);
+                    packageParts.add(sigRelPart);
+                    if (onlyFirst) break;
+                }
+            } catch (InvalidFormatException e) {
+                LOG.log(POILogger.WARN, "Reference to signature is invalid.", 
e);
+            }
+            
+            if (onlyFirst && !packageParts.isEmpty()) break;
+        }
+
+        return packageParts;
+    }
+    
+    public static XMLSignatureFactory getSignatureFactory() {
+        Provider p = Security.getProvider("XMLDSig");
+        assert(p != null);
+        return XMLSignatureFactory.getInstance("DOM", p);
+    }
+
+    public static KeyInfoFactory getKeyInfoFactory() {
+        Provider p = Security.getProvider("XMLDSig");
+        assert(p != null);
+        return KeyInfoFactory.getInstance("DOM", p);
+    }
+
+    public static void insertXChild(XmlObject root, XmlObject child) {
+        XmlCursor rootCursor = root.newCursor();
+        insertXChild(rootCursor, child);
+        rootCursor.dispose();
+    }
+
+    public static void insertXChild(XmlCursor rootCursor, XmlObject child) {
+        rootCursor.toEndToken();
+        XmlCursor childCursor = child.newCursor();
+        childCursor.toNextToken();
+        childCursor.moveXml(rootCursor);
+        childCursor.dispose();
+    }
+
+    public static void setPrefix(XmlObject xobj, String ns, String prefix) {
+        for (XmlCursor cur = xobj.newCursor(); cur.hasNextToken(); 
cur.toNextToken()) {
+            if (cur.isStart()) {
+                Element el = (Element)cur.getDomNode();
+                if (ns.equals(el.getNamespaceURI())) el.setPrefix(prefix);
+            }
+        }
+    }
+    
+    public static synchronized void initXmlProvider() {
+        if (isInitialized) return;
+        isInitialized = true;
+        
+        try {
+            InitIf init = HorribleProxy.newProxy(InitIf.class);
+            init.init();
+
+            RelationshipTransformService.registerDsigProvider();
+            
+            Provider bcProv = Security.getProvider("BC");
+            if (bcProv == null) {
+                ClassLoader cl = 
Thread.currentThread().getContextClassLoader();
+                Class<?> c = 
cl.loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
+                bcProv = (Provider)c.newInstance();
+                Security.addProvider(bcProv);
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Xml & BouncyCastle-Provider 
initialization failed", e);
+        }
+    }
+}

Added: 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/TrustCertificateSecurityException.java
URL: 
http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/TrustCertificateSecurityException.java?rev=1617141&view=auto
==============================================================================
--- 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/TrustCertificateSecurityException.java
 (added)
+++ 
poi/branches/xml_signature/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/TrustCertificateSecurityException.java
 Sun Aug 10 18:25:10 2014
@@ -0,0 +1,38 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+/* ====================================================================
+   This product contains an ASLv2 licensed version of the OOXML signer
+   package from the eID Applet project
+   http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  
+   Copyright (C) 2008-2014 FedICT.
+   ================================================================= */ 
+
+package org.apache.poi.poifs.crypt.dsig;
+
+/**
+ * Exception thrown in case the incoming eID certificate is not trusted.
+ * 
+ * @author Frank Cornelis
+ * 
+ */
+public class TrustCertificateSecurityException extends
+        CertificateSecurityException {
+
+    private static final long serialVersionUID = 1L;
+
+}



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to