Thanks for the reminder, Andy ;) attach sample file content directly: <document-signatures><Signature Id="ID_00e7007f0099001d00e000d1004d00a4009500d200da00d400ae0069007c0002"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="Configurations2/accelerator/current.xml"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue></Reference><Reference URI="content.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>dvxqjF0isF +EFvrjHfOhhFtaXzk=</DigestValue></Reference><Reference URI="styles.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>xd4MpTt +uK4LOtBGWAs296/TPTo=</DigestValue></Reference><Reference URI="meta.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>Lf9fOFqgy1rJpz4K9IKPx9MGiB0=</DigestValue></Reference><Reference URI="Thumbnails/thumbnail.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>EIUjzTBZOktfBJxSUuYwHyVeMiY=</DigestValue></Reference><Reference URI="settings.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>DtNgz +zhzijTqslMJ0X5WoBX3aY=</DigestValue></Reference><Reference URI="#ID_003a00a40036005c0099001b004900a400960062003000c500f900e300af00f7"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>nMVzRVAhTViD0vzYJ1tOJxaNUTU=</DigestValue></Reference></SignedInfo><SignatureValue>bcVNzaeX3G61irh3Gm/Sdn +zuVMDvyfYeh8+HPov1kDxrHPGYrEUi0aZhBGek6pI 9u6ACR482+dY8S1v4Q1H8WfTYjF8exPAlhUdth1wxx04HgMYXiKf+UarLVGpnMS/ sSzEwNLQZ452kgUD4y+Qz8imPdKnPahlLtm6uXeBoKSzaJQM9frFx0IM/evNoXa+ dYV5IF4nPx3PYw5KBRNKrlk6Ic3DmkwYUwVywcfBxQ9NTbMOtRBBCQyaxCUkgKzW HFpp0lpYaV1WUGov9xJR0ZH7EnYsjjQjDAlY/oji/duRpKLoml7nlh6LUAD2D1tL dh4Py +REbwH2BcdmFab8/w==</SignatureValue><KeyInfo><X509Data><X509IssuerSerial><X509IssuerName>[email protected],CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA</X509IssuerName><X509SerialNumber>676584</X509SerialNumber></X509IssuerSerial><X509Certificate>MIIFMDCCAxigAwIBAgIDClLoMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTExMDYwOTA3MTk0OVoXDTExMTIwNjA3MTk0OVowPDEYMBYGA1UEAxMPQ0FjZXJ0IFdvVCBVc2VyMSAwHgYJKoZIhvcNAQkBFhFvcGVuZ3RkQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMETB1ARQtO0OoRHZAMiDmXHRcCwQJRwJlLMHttCIqhmaEJD6FzS5DbJy7/XxhSgZdi5C7kR3X3KGeHzJF0rkPh58slGwJQ2Uwp3 +JN41pSkMWBgt6YJ/t1RlgnyrHkAYCEG405LWSSqjSDKERFGUcvBJu2eK28g3Zl0zP1vP2tZrF9HR +Hr4PWBr//KFmg5qvWiIXXxrmwuYfsMoWybnB/Zr1/qDJOtwM4f0akhLsz2H6Gj/avxtIKeKSqQm7iBhjaymbfyLr3Gs +h89lJpifV +Du7O8kyErbzHZ8qBlcWCDnhEEBf4GJCwlPCw9AAffxDHtYSOAadAcvoeepZnsx8CAwEAAaOB/TCB +jAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG +EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzBABgNVHSUEOTA3BggrBgEFBQcDBAYIKwYBBQUHAwIGCisGAQQBgjcKAwQGCisGAQQBgjcKAwMGCWCGSAGG +EIEATAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2VydC5vcmcwHAYDVR0RBBUwE4ERb3Blbmd0ZEBnbWFpbC5jb20wDQYJKoZIhvcNAQEFBQADggIBAF5zJH/CBt9ZSYvg4LVywwid3YPj7wshHktkMfKe7mcUQ7GOzW5jb3ZU4FnU2hFypiYF89xT9JJhKXPcS1xRYvDwEw3J6geNXLz9SeHyznOSfIF4965hXp05njwzxNAhIyl/TptBn1gwJMW9pwB0ytXWya8oUWmEXYtuXOUO40xxq9qPZVUHyYzIZ4wZAz1ibmiekY9CKkIoD0vNOe7JBRAsGWMPppVMk/ggqoDrEMVU +j/Zpa6xgIXwlN4CS1+aKzcSTS5w5Gyusuz4fDuAmWaZ9Dlxyz3BZFxN+sba4VdaaOxWZzOY +BYV5LaghF71CtcdBpuTJ7L8z3KHKfq53PYSLrCGeHqFHqsh9t7YvBG6KuGfGphV/DtH10 +kAfWTUJK/6f9gFnxkiNPHGiHdW +cs3QWhXy0y/w77SjOmlBnfWXheZ0l18HHOPaHIxntFdKLpYHuKrMoZJ3Z/nTHqnxkhllqcfBQh8CSmO4IJXC0x4GQaU7vxaAqiM4LWf3GF/aEmoR4/7Jj3c0P9atDn7wltee5ClHtA/+tUGLyH2KxWvICzk014mPCED +NjijOm6gRQ5IizH/FbtY4ng+jjPpCHqGnwCux4OVzzmY2Pb7ojgCo2g5XrGn8AMHQoQ +UmonaubJh53hgjL73nPJH6FMDcaLWoK/d12CkOLV44OBlv</X509Certificate><X509Certificate>MIIFMDCCAxigAwIBAgIDClLoMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTExMDYwOTA3MTk0OVoXDTExMTIwNjA3MTk0OVowPDEY MBYGA1UEAxMPQ0FjZXJ0IFdvVCBVc2VyMSAwHgYJKoZIhvcNAQkBFhFvcGVuZ3Rk QGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMETB1AR QtO0OoRHZAMiDmXHRcCwQJRwJlLMHttCIqhmaEJD6FzS5DbJy7/XxhSgZdi5C7kR 3X3KGeHzJF0rkPh58slGwJQ2Uwp3+JN41pSkMWBgt6YJ/t1RlgnyrHkAYCEG405L WSSqjSDKERFGUcvBJu2eK28g3Zl0zP1vP2tZrF9HR+Hr4PWBr//KFmg5qvWiIXXx rmwuYfsMoWybnB/Zr1/qDJOtwM4f0akhLsz2H6Gj/avxtIKeKSqQm7iBhjaymbfy Lr3Gs+h89lJpifV+Du7O8kyErbzHZ8qBlcWCDnhEEBf4GJCwlPCw9AAffxDHtYSO AadAcvoeepZnsx8CAwEAAaOB/TCB+jAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIB DQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBv dmVyIHRvIGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzBABgNVHSUEOTA3BggrBgEFBQcD BAYIKwYBBQUHAwIGCisGAQQBgjcKAwQGCisGAQQBgjcKAwMGCWCGSAGG+EIEATAy BggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2VydC5v cmcwHAYDVR0RBBUwE4ERb3Blbmd0ZEBnbWFpbC5jb20wDQYJKoZIhvcNAQEFBQAD ggIBAF5zJH/CBt9ZSYvg4LVywwid3YPj7wshHktkMfKe7mcUQ7GOzW5jb3ZU4FnU 2hFypiYF89xT9JJhKXPcS1xRYvDwEw3J6geNXLz9SeHyznOSfIF4965hXp05njwz xNAhIyl/TptBn1gwJMW9pwB0ytXWya8oUWmEXYtuXOUO40xxq9qPZVUHyYzIZ4wZ Az1ibmiekY9CKkIoD0vNOe7JBRAsGWMPppVMk/ggqoDrEMVU+j/Zpa6xgIXwlN4C S1+aKzcSTS5w5Gyusuz4fDuAmWaZ9Dlxyz3BZFxN+sba4VdaaOxWZzOY+BYV5Lag hF71CtcdBpuTJ7L8z3KHKfq53PYSLrCGeHqFHqsh9t7YvBG6KuGfGphV/DtH10+k AfWTUJK/6f9gFnxkiNPHGiHdW+cs3QWhXy0y/w77SjOmlBnfWXheZ0l18HHOPaHI xntFdKLpYHuKrMoZJ3Z/nTHqnxkhllqcfBQh8CSmO4IJXC0x4GQaU7vxaAqiM4LW f3GF/aEmoR4/7Jj3c0P9atDn7wltee5ClHtA/+tUGLyH2KxWvICzk014mPCED+Nj ijOm6gRQ5IizH/FbtY4ng+jjPpCHqGnwCux4OVzzmY2Pb7ojgCo2g5XrGn8AMHQo Q +UmonaubJh53hgjL73nPJH6FMDcaLWoK/d12CkOLV44OBlv</X509Certificate><X509Certificate>MIIFMDCCAxigAwIBAgIDClLoMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTExMDYwOTA3MTk0OVoXDTExMTIwNjA3MTk0OVowPDEY MBYGA1UEAxMPQ0FjZXJ0IFdvVCBVc2VyMSAwHgYJKoZIhvcNAQkBFhFvcGVuZ3Rk QGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMETB1AR QtO0OoRHZAMiDmXHRcCwQJRwJlLMHttCIqhmaEJD6FzS5DbJy7/XxhSgZdi5C7kR 3X3KGeHzJF0rkPh58slGwJQ2Uwp3+JN41pSkMWBgt6YJ/t1RlgnyrHkAYCEG405L WSSqjSDKERFGUcvBJu2eK28g3Zl0zP1vP2tZrF9HR+Hr4PWBr//KFmg5qvWiIXXx rmwuYfsMoWybnB/Zr1/qDJOtwM4f0akhLsz2H6Gj/avxtIKeKSqQm7iBhjaymbfy Lr3Gs+h89lJpifV+Du7O8kyErbzHZ8qBlcWCDnhEEBf4GJCwlPCw9AAffxDHtYSO AadAcvoeepZnsx8CAwEAAaOB/TCB+jAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIB DQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBv dmVyIHRvIGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzBABgNVHSUEOTA3BggrBgEFBQcD BAYIKwYBBQUHAwIGCisGAQQBgjcKAwQGCisGAQQBgjcKAwMGCWCGSAGG+EIEATAy BggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2VydC5v cmcwHAYDVR0RBBUwE4ERb3Blbmd0ZEBnbWFpbC5jb20wDQYJKoZIhvcNAQEFBQAD ggIBAF5zJH/CBt9ZSYvg4LVywwid3YPj7wshHktkMfKe7mcUQ7GOzW5jb3ZU4FnU 2hFypiYF89xT9JJhKXPcS1xRYvDwEw3J6geNXLz9SeHyznOSfIF4965hXp05njwz xNAhIyl/TptBn1gwJMW9pwB0ytXWya8oUWmEXYtuXOUO40xxq9qPZVUHyYzIZ4wZ Az1ibmiekY9CKkIoD0vNOe7JBRAsGWMPppVMk/ggqoDrEMVU+j/Zpa6xgIXwlN4C S1+aKzcSTS5w5Gyusuz4fDuAmWaZ9Dlxyz3BZFxN+sba4VdaaOxWZzOY+BYV5Lag hF71CtcdBpuTJ7L8z3KHKfq53PYSLrCGeHqFHqsh9t7YvBG6KuGfGphV/DtH10+k AfWTUJK/6f9gFnxkiNPHGiHdW+cs3QWhXy0y/w77SjOmlBnfWXheZ0l18HHOPaHI xntFdKLpYHuKrMoZJ3Z/nTHqnxkhllqcfBQh8CSmO4IJXC0x4GQaU7vxaAqiM4LW f3GF/aEmoR4/7Jj3c0P9atDn7wltee5ClHtA/+tUGLyH2KxWvICzk014mPCED+Nj ijOm6gRQ5IizH/FbtY4ng+jjPpCHqGnwCux4OVzzmY2Pb7ojgCo2g5XrGn8AMHQo Q +UmonaubJh53hgjL73nPJH6FMDcaLWoK/d12CkOLV44OBlv</X509Certificate></X509Data></KeyInfo><Object><SignatureProperties><SignatureProperty Id="ID_003a00a40036005c0099001b004900a400960062003000c500f900e300af00f7" Target="#ID_00e7007f0099001d00e000d1004d00a4009500d200da00d400ae0069007c0002"><dc:date>2011-07-06T16:20:12,07</dc:date></SignatureProperty></SignatureProperties></Object></Signature></document-signatures> Biao Han/China/IBM@IBMCN wrote on 2011-08-17 11:48:16:
> From: Biao Han/China/IBM@IBMCN > To: [email protected] > Date: 2011-08-17 11:51 > Subject: Re: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011 > > "Dennis E. Hamilton" <[email protected]> wrote on 2011-08-16 01:59:01: > > > From: "Dennis E. Hamilton" <[email protected]> > > To: "odf-dev ODF Toolkit Incubator" <[email protected]> > > Date: 2011-08-16 01:58 > > Subject: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011 > > > > Now that the list exists, ... > > > > -----Original Message----- > > From: Dennis E. Hamilton [mailto:[email protected]] > > Sent: Wednesday, August 10, 2011 08:42 > > To: 'Biao Han' > > Subject: RE: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011 > > > > Nicely done. Thanks for being so visible. > > > > Another thing you can do is set up an ODFtoolkit blog at Apache. > > Ideally, the mailing lists will appear soon. > > > > Two Questions: > > > > 1. My impression is that the signatures from OO.o are correct. > > They do specify namespaces, but use default namespace declarations > > instead of prefixes. > > In what way is the signature document incorrect? > > The signature document always work. The question is the realization > detail. Duplicate X.509 certificate info and without namespace prefix. > > > Also, what versions of OpenOffice.org/LibreOffice are you checking > > signatures against? > > I have signatures from LibreOffice 3.4 that do not appear to > > duplicate X.509 certificates and that seem to use namespaces > > correctly, although dsig namespace is > > declared with default xmlns declaration. > > I attach a sample file. I am sure there are duplicate X.509 > certificate info in it. > You can also reference http://openoffice.org/bugzilla/show_bug.cgi?id=66276 > , they face the same issue. > > > 2. Does ODFDOM fail because of namespace being declared as > > default or because of something to do with canonicalization? If the > > XML Digital Signature specification requires default namespace, it > > may be that ODF specification is incorrect. > > Have you found expert appraisal of what XML Digital Signature requires? > ODFDOM fails, because the signature file without namespace prefix. > This maybe considered as a bug of ODFDOM. > But all of the other xml files, content.xml, styles.xml. meta.xml, > settings.xml and manifest.xml have namespace prefix. Even the schema > of documentsingature.xml has namespace prefix. But the OpenOffice > generated file doesn't have. I suggest OpenOffice should follow this. > > <define name="dsig-document-signatures"> > <element name="dsig:document-signatures"> > <ref name="dsig-document-signatures-attlist"/> > <oneOrMore> > <ref name="ds-signature"/> > </oneOrMore> > </element> > </define> > <define name="dsig-document-signatures-attlist"> > <attribute name="dsig:version"> > <value>1.2</value> > </attribute> > </define> > <define name="ds-signature"> > <element name="ds:Signature"> > <!-- The permitted content of this element is the permitted --> > <!-- content of the Signature element defined by W3C XML --> > <!-- Signature Syntax and Processing (Second Edition). --> > <!-- See OpenDocument v1.2 part 3, section 4.3. --> > <ref name="dsMarkup"/> > </element> > </define> > > > > - Dennis > > > > -----Original Message----- > > From: Biao Han [mailto:[email protected]] > > Sent: Wednesday, August 10, 2011 08:14 > > To: [email protected]; [email protected]; > > [email protected] > > Cc: [email protected] > > Subject: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011 > > > > [ ... ] > > > > ODFDOM > > 1. Working on data signature. There are two issues caused by OpenOffice > > block the process. > > (1) OpenOffice.org generate a Namespace unaware signature document. > > ODFDOM loads it fails. > > (2) OpenOffice.org creates multiple X509Certificates instead of the > > correct certification chain under ds:KeyInfo. > > see also: > > https://bugs.freedesktop.org/show_bug.cgi?id=39657 (ds namespace > > in LibreOffice) > > http://openoffice.org/bugzilla/show_bug.cgi?id=107864 (ds > > namespace in OOo) > > http://openoffice.org/bugzilla/show_bug.cgi?id=66276 (multiple > > X509Certificate in OOo) > > http://openoffice.org/bugzilla/show_bug.cgi?id=108286 > > We have to supply two modes to fix it. One follows ODF > > specification, the other follows Open Office. The question is which is > > the default? > > [ ... ] > > > > Regards > > > > Biao Han (Devin) > > SOA Standards Growth, Emerging Technology Institute(ETI), IBM China > > Software Development Laboratory > > Tel:(86-10)82450541 > > Email: [email protected] > > Address: 3/F Ring Building, No.28 Building, Zhong Guan Cun Software Park, > > No. 8 Dong Bei Wang West Road, ShangDi, Haidian District, Beijing, > > P.R.C.100193 > > > (See attached file: documentsignatures-openoffice.xml)
