https://issues.apache.org/ooo/show_bug.cgi?id=119214
Bug #: 119214
Issue Type: DEFECT
Summary: Saving in ODF 1.1/1.2 Default Encryptions should omit
optional items defined by default
Classification: Code
Product: security
Version: AOO340-dev
Platform: PC
OS/Version: All
Status: CONFIRMED
Severity: normal
Priority: P3
Component: www
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
Apache OpenOffice 3.4.0 r1309668 will produce the ODF 1.1/1.2 default Blowfish
encryption with SHA1 digests. (It is the default in accordance with the
resolution of issue #119090.) However, elements and attributes are used which
are not defined for ODF 1.1 documents and are not recognized by OpenOffice.org
releases that precede the establishment of these optional elements in the ODF
1.2 specification.
RECOMMENDATION
Whenever the SHA1 digests and Blowfish encryption are used and the parameters
are those understood by default for ODF 1.2 (and as exclusive cases for ODF
1.1), the explicit setting of those parameters should not be performed.
Specifically:
The <manifest:start-key-generation> element should not be produced when the
digest is the default "SHA1" and the key-size is the default 20. This is an
optional element in ODF 1.2. It does not exist in ODF 1.0/1.1. In ODF 1.0/1.1
the ODF 1.2 default parameters are tacit.
The <manifest:key-derivation> manifest:key-size should be omitted when the
default value of 16 is expected. This is an optional attribute in ODF 1.2. It
does not exist in ODF 1.0/1.1. In ODF 1.0/1.1, the size of 16 is understood.
EXAMPLE
When the fully-explicit case is of this form:
  <manifest:file-entry manifest:media-type="text/xml"
      manifest:full-path="content.xml" manifest:size="3587">
    <manifest:encryption-data manifest:checksum-type="SHA1/1K"
        manifest:checksum="x6qqlWMYrhuzxAqPcO8niNZOWIc=">
      <manifest:algorithm manifest:algorithm-name="Blowfish CFB"
          manifest:initialisation-vector="1u3Zg9iEHQQ=" />
      <manifest:key-derivation manifest:key-derivation-name="PBKDF2"
          manifest:key-size="16" manifest:iteration-count="1024"
          manifest:salt="O4elKYLGe3qqLjIXEO3NXQ==" />
      <manifest:start-key-generation
          manifest:start-key-generation-name="SHA1"
          manifest:key-size="20" />
    </manifest:encryption-data>
  </manifest:file-entry>
It should be abbreviated to this form, providing the maximum safe downward
compatibility by achieving the same effect using the default definitions:
  <manifest:file-entry manifest:media-type="text/xml"
      manifest:full-path="content.xml" manifest:size="5427">
    <manifest:encryption-data manifest:checksum-type="SHA1/1K"
        manifest:checksum="c3hAKVVsQkDjjumyfU8/pECHfZA=">
      <manifest:algorithm manifest:algorithm-name="Blowfish CFB"
          manifest:initialisation-vector="4QYt5d5RrQ4="/>
      <manifest:key-derivation manifest:key-derivation-name="PBKDF2"
          manifest:iteration-count="1024"
          manifest:salt="ieDfP45urTGFmp6rb4gIAw=="/>
    </manifest:encryption-data>
  </manifest:file-entry>
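ADDED EXAMPLE (not part of the original report and not Apache OpenOffice code)
A Python sketch of the recommended rule applied to an existing manifest.xml: the two ODF 1.2-only items are dropped only when every parameter of the entry equals the default, so an entry using any other algorithm or size is left untouched. The function name is hypothetical, and the second sample entry is constructed.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ET.register_namespace("manifest", NS)

def q(name):
    return "{%s}%s" % (NS, name)  # namespace-qualified name for ElementTree

def strip_default_encryption_params(manifest_xml):
    """Drop the ODF 1.2-only items that merely restate the defaults."""
    root = ET.fromstring(manifest_xml)
    for enc in root.iter(q("encryption-data")):
        alg = enc.find(q("algorithm"))
        kd = enc.find(q("key-derivation"))
        skg = enc.find(q("start-key-generation"))
        if alg is None or kd is None:
            continue
        legacy = (enc.get(q("checksum-type")) == "SHA1/1K"
                  and alg.get(q("algorithm-name")) == "Blowfish CFB"
                  and kd.get(q("key-derivation-name")) == "PBKDF2"
                  and kd.get(q("key-size"), "16") == "16")
        if skg is not None:
            legacy = (legacy
                      and skg.get(q("start-key-generation-name")) == "SHA1"
                      and skg.get(q("key-size"), "20") == "20")
        if not legacy:
            continue  # any non-default value: leave the entry as written
        kd.attrib.pop(q("key-size"), None)
        if skg is not None:
            enc.remove(skg)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the explicit entry from this report inside a root element,
# plus a constructed AES/SHA256 entry (placeholder values) that must not change.
SAMPLE = """<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="3587">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="x6qqlWMYrhuzxAqPcO8niNZOWIc=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="1u3Zg9iEHQQ="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="O4elKYLGe3qqLjIXEO3NXQ=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data></manifest:file-entry>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="styles.xml" manifest:size="100">
<manifest:encryption-data manifest:checksum-type="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k" manifest:checksum="AAAA">
<manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc" manifest:initialisation-vector="AAAA"/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="32" manifest:iteration-count="1024" manifest:salt="AAAA"/>
<manifest:start-key-generation manifest:start-key-generation-name="http://www.w3.org/2000/09/xmldsig#sha256" manifest:key-size="32"/>
</manifest:encryption-data></manifest:file-entry>
</manifest:manifest>"""
if __name__ == "__main__":
    print(strip_default_encryption_params(SAMPLE))
```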