Author: kiwiwings
Date: Thu Oct 16 23:30:42 2014
New Revision: 1632447

URL: http://svn.apache.org/r1632447
Log:
Bug 56836 - XML signature support

Modified:
    poi/site/src/documentation/content/xdocs/encryption.xml
    poi/site/src/documentation/content/xdocs/status.xml
    poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java

Modified: poi/site/src/documentation/content/xdocs/encryption.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/encryption.xml?rev=1632447&r1=1632446&r2=1632447&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/encryption.xml (original)
+++ poi/site/src/documentation/content/xdocs/encryption.xml Thu Oct 16 23:30:42 
2014
@@ -95,6 +95,80 @@ fs.writeFilesystem(fos);
 fos.close();     
      </source>
      </section>
+     
+     <section><title>XML-based formats - Signing (XML Signature)</title>
+     <p>An Office document can be digital signed by a <link 
href="http://en.wikipedia.org/wiki/XML_Signature";>XML Signature</link>
+     to protect it from unauthorized modifications, i.e. modifications without 
having the original certificate.
+     The current implementation is based on the <link 
href="http://eid-applet.googlecode.com";>eID Applet</link> which
+     is dual-licensed to <link 
href="https://code.google.com/p/eid-applet/source/browse/trunk/README.txt";>ASF/POI</link>.
+     Instead of using the internal <link 
href="http://www.jsourcecode.com/class.php?proj=jdk%5Copenjdk&amp;jar=openjdk-6-b14&amp;class=org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory";>JDK
 API</link>
+     this version is based on <link href="http://santuario.apache.org";>Apache 
Santuario</link>.</p>
+     <p>The classes have been tested against the following libraries, which 
need to be included additionally to the default
+     dependencies:</p>
+     <ul>
+     <li>BouncyCastle bcpkix and bcprov (tested against 1.51)</li>
+     <li>Apache Santuario "xmlsec" (tested against 2.0.1)</li>
+     <li>and slf4j-api (tested against 1.7.7)</li>     
+     </ul>
+     <p>Depending on the <link 
href="http://poi.apache.org/apidocs/org/apache/poi/poifs/crypt/dsig/SignatureConfig.html";>configuration</link>
+     and the activated <link 
href="http://poi.apache.org/apidocs/org/apache/poi/poifs/crypt/dsig/facets/package-summary.html";>facets</link>
+     various <link href="http://en.wikipedia.org/wiki/XAdES";>XAdES 
levels</link> are supported - the support for higher levels (XAdES-T+)
+     depend on supporting services and although the code is adopted, the 
integration is not well tested ... please support us on
+     integration (testing) with timestamp and revocation (OCSP) services. 
+     </p>
+     <p>Further test examples can be found in the corresponding <link 
href="http://svn.apache.org/viewvc/poi/branches/xml_signature/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java?view=markup";>test
 class</link>.</p>
+     </section>
+     
+     <section><title>Validating a signed office document</title>
+
+     <source>
+OPCPackage pkg = OPCPackage.open(..., PackageAccess.READ);
+SignatureConfig sic = new SignatureConfig();
+sic.setOpcPackage(pkg);
+SignatureInfo si = new SignatureInfo();
+si.setSignatureConfig(sic);
+boolean isValid = si.validate();
+...
+     </source>
+     </section>
+     
+     <section><title>Signing an office document</title>
+     
+     <source>
+// loading the keystore - pkcs12 is used here, but of course jks &amp; co are 
also valid
+// the keystore needs to contain a private key and it's certificate having a
+// 'digitalSignature' key usage
+char password[] = "test".toCharArray();
+File file = new File("test.pfx");
+KeyStore keystore = KeyStore.getInstance("PKCS12");
+FileInputStream fis = new FileInputStream(file);
+keystore.load(fis, password);
+fis.close();
+
+// extracting private key and certificate
+String alias = "xyz"; // alias of the keystore entry
+Key key = keystore.getKey(alias, password);
+X509Certificate x509 = (X509Certificate)keystore.getCertificate(alias);
+
+// filling the SignatureConfig entries (minimum fields, more options are 
available ...)
+SignatureConfig signatureConfig = new SignatureConfig();
+signatureConfig.setKey(keyPair.getPrivate());
+signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
+OPCPackage pkg = OPCPackage.open(..., PackageAccess.READ_WRITE);
+signatureConfig.setOpcPackage(pkg);
+
+// adding the signature document to the package
+SignatureInfo si = new SignatureInfo();
+si.setSignatureConfig(signatureConfig);
+si.confirmSignature();
+// optionally verify the generated signature
+boolean b = si.verifySignature();
+assert (b);
+// write the changes back to disc
+pkg.close();
+     </source>
+     </section>
+     
   </body>
 
   <footer>
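
Review bot: In the "Signing an office document" sample, `signatureConfig.setKey(keyPair.getPrivate());` references `keyPair`, which is never declared in the snippet; the private key was loaded just above as `Key key = keystore.getKey(alias, password);`. Pass that value (cast to `PrivateKey` if `setKey` requires it) or declare `keyPair`, so the sample compiles as pasted. The two samples also name the check differently, `si.validate()` in the validation sample and `si.verifySignature()` after signing; use one name or confirm that both methods exist. In the introductory paragraph, "modifications without having the original certificate" should refer to the private key, since the certificate is public and signing requires the key. The validation sample shows only the boolean result, so a sentence on what a `true` result covers (signature integrity versus who the signer is) would help readers avoid treating it as a trust decision. Wording nits: "digital signed" should be "digitally signed" and "it's certificate" should be "its certificate".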

Modified: poi/site/src/documentation/content/xdocs/status.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/status.xml?rev=1632447&r1=1632446&r2=1632447&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/status.xml (original)
+++ poi/site/src/documentation/content/xdocs/status.xml Thu Oct 16 23:30:42 2014
@@ -38,6 +38,7 @@
     </devs>
 
     <release version="3.11-beta3" date="2014-??-??">
+        <action dev="PD" type="add" fixes-bug="56836">XML signature 
support</action>
         <action dev="PD" type="fix" 
fixes-bug="57080">IndexOutOfBoundsException in poi decryptor</action>
         <action dev="PD" type="add">The minimum Apache Ant version required to 
build has been increased to 1.8.x or later</action>
         <action dev="PD" type="add" fixes-bug="56956">Add a NPOIFSFileSystem 
constructor with a FileChannel and the read-only option</action>

Modified: poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java?rev=1632447&r1=1632446&r2=1632447&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java 
(original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java 
Thu Oct 16 23:30:42 2014
@@ -112,7 +112,7 @@ import org.w3c.dom.events.EventTarget;
  * ...
  * </pre>
  * 
- * <p><b>Signing a office document</b></p>
+ * <p><b>Signing an office document</b></p>
  * 
  * <pre>
  * // loading the keystore - pkcs12 is used here, but of course jks &amp; co 
are also valid
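
Review bot: The Javadoc sample under this heading duplicates the "Signing an office document" sample added to encryption.xml in this same commit (it opens with the same "loading the keystore" comment line), so the two copies can drift apart. If the Javadoc copy also contains the `keyPair.getPrivate()` call, fix it together with the site page, and consider having the Javadoc link to the site documentation instead of carrying its own copy of the code.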


