https://bugs.kde.org/show_bug.cgi?id=390338

            Bug ID: 390338
           Summary: implementation of 19.697 table:protection-key doesn't
                    conform to ODF 1.2
           Product: calligrasheets
           Version: 3.0.0
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: opendocument
          Assignee: calligra-sheets-bugs-n...@kde.org
          Reporter: mst...@redhat.com
  Target Milestone: ---

tested version: calligra-sheets-3.0.1-16.fc27.x86_64

ODF 1.1 allowed these attributes to set passwords to "protect" spreadsheet
documents and sheets, and did not specify in any way what their string value
means.

ODF 1.2 part 1 says about them:

19.851 text:protection-key-digest-algorithm

... The password shall be provided as a sequence of bytes in UTF-8 encoding.

... Consumers shall support http://www.w3.org/2000/09/xmldsig#sha1, which is
the default, and http://www.w3.org/2000/09/xmldsig#sha256.

bugs vs. ODF 1.2:

1. apparently the implementation uses UTF-16 little-endian encoding for the
password, at least LibreOffice 5.4 can verify the password and it only uses
UTF-16

2. only SHA1 is supported, not the mandatory SHA256

verifying the above variants in addition to the currently implemented one would
be nice i guess.

see LO bug https://bugs.documentfoundation.org/show_bug.cgi?id=115483
and LO fix
http://cgit.freedesktop.org/libreoffice/core/commit/?id=398275ba9f4d65bebcc78864e70eee6212a84397
for inspiration, particularly SvPasswordHelper::CompareHashPassword which does
all verification in one place.

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to