https://issues.apache.org/bugzilla/show_bug.cgi?id=56836
Bug ID: 56836
Summary: XML signature support
Product: POI
Version: 3.11-dev
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: POIFS
Assignee: [email protected]
Reporter: [email protected]
Created attachment 31892
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31892&action=edit
XML signature support version 1
This patch adds XML signature support. [1]
My aim was to work around the limitation of the first implementation try [2], so basically, to compile it, there's no further library necessary (-> see HorribleProxy); at runtime the Bouncy Castle jar needs to be in the context class loader.
The bc provider is not included in the patch and the (e.g.) bcprov-ext-jdk15on-1.49.jar needs to be placed in test-data/xmldsign.
The work on this patch hasn't been finished yet, as the following issues still exist:
- the license issues with the eid applet project for non-aslv2-licensed files need to be clarified
- not all tests (e.g. timestamp service and XAdESXL facets haven't been tested at all ...) have been migrated
- I'd like to have feedback on whether the HorribleProxy approach is ok
- it uses code of #56814, which hasn't been committed yet
- documentation left for later ...
Implementation notes:
- Originally I thought I could use the SignatureDocument xmlbean as a backing store, which works with JDK 6 ... but in the end it didn't with JDK 7, as it calls the unsupported DOM3 setIdAttribute method.
- The HorribleProxy references classes in the Bouncy Castle and Sun/Oracle JDK namespace. I haven't tested it with JDKs other than Oracle JDK 6/7. The clean way would be the usage of Apache Santuario or similar.
- I haven't yet understood the canonization process fully. Basically you need to make sure that the input for the digesting is binary equal to what you write to the sig1.xml with the xmlbean. To check the input/output, my solution was to provide my own implementation of UnsyncBufferedOutputStream and preload it via the -Xbootclasspath/p JVM option.
- The logging of the JDK classes is of course JUL-based, so you might want to include the usual suspects, i.e. the logback-classic/slf4j/jul-to-slf4j/jcl-over-slf4j jars, for debugging and use the JVM options
  -Dorg.apache.poi.util.POILogger=org.apache.poi.util.CommonsLogger
  -Djava.util.logging.config.file=<path>/logging.properties
[1] http://apache-poi.1045710.n5.nabble.com/Digital-signature-on-MS-Office-documents-td5715238.html
[2] http://apache-poi.1045710.n5.nabble.com/Recent-additions-to-POI-quot-Added-implementation-of-Digital-Signature-support-quot-td2339353.html
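
The requirement in the implementation notes that the digest input be binary equal to what is written out, as an added example (not part of the patch or of POI): two constructed serializations of the same SignedInfo element hash differently as raw bytes and identically once canonicalized. It assumes Python's built-in C14N 2.0 (xml.etree.ElementTree.canonicalize) as a stand-in; a real signature uses whatever its CanonicalizationMethod declares.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the element as handed to the digest step.
AS_DIGESTED = (
    f'<SignedInfo xmlns="{DSIG}">'
    f'<Reference Type="{DSIG}Object" URI="#idPackageObject">'
    f'<DigestMethod Algorithm="{DSIG}sha1"></DigestMethod>'
    '</Reference></SignedInfo>'
)
# Constructed sample: the same element as a different serializer might write it
# (attribute order, quote style and empty-element syntax changed).
AS_WRITTEN = (
    f"<SignedInfo xmlns='{DSIG}'>"
    f"<Reference URI='#idPackageObject' Type='{DSIG}Object'>"
    f"<DigestMethod Algorithm='{DSIG}sha1' />"
    "</Reference></SignedInfo>"
)

def raw_digest(xml_text):
    """SHA-256 over the bytes exactly as serialized."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def canonical_digest(xml_text):
    """SHA-256 over the C14N 2.0 form of the document."""
    canonical = canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def first_difference(a, b):
    """Offset of the first differing byte, or -1 if the inputs are equal."""
    a, b = a.encode("utf-8"), b.encode("utf-8")
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))

if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(AS_DIGESTED) == raw_digest(AS_WRITTEN))
    print("canonical digests equal:", canonical_digest(AS_DIGESTED) == canonical_digest(AS_WRITTEN))
    print("first differing byte:   ", first_difference(AS_DIGESTED, AS_WRITTEN))
```

A signature verifier digests the canonical form, so a writer that re-serializes the signed element after digesting only stays valid if the change is one that canonicalization removes.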