[Bug 68379] New: POI generates invalid signature when Excel contains classification labels

Wed, 20 Dec 2023 09:21:06 -0800 

https://bz.apache.org/bugzilla/show_bug.cgi?id=68379

            Bug ID: 68379
           Summary: POI generates invalid signature when Excel contains
                    classification labels
           Product: POI
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: POIFS
          Assignee: dev@poi.apache.org
          Reporter: rubg...@gmail.com
  Target Milestone: ---

Created attachment 39479
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=39479&action=edit
Adding classification label to signed supported types

Hi!

Just found a bug / not supported feature on signing process. It affects all
versions of POI released so far when trying to sign an Excel file containing a
classification label.

If you try to sign that kind of file (again, any Excel .XLSX containing a
classification label, that is, a part name docMetadata/LabelInfo.xml) it will
generate an invalid signature since that's not recognised inside the
SignatureInfo facets while signing.

The signing process finishes ok, but when opening the file the signature will
be reported as invalid due to POI not including this part in the signing.

Digging down into the process, the class OOXMLSignatureFacet doesn't support
the signed type classificationlabels, so when method isSignedRelationship is
called for that relationship it will reject to include it.

This was included in Office in 2020
(http://schemas.microsoft.com/office/2020/02/relationships/classificationlabels)
but signed types supported seems to be from 2010.

The FIX is really simple: Just change OOXMLSignatureFacet to add the new type
to the default collection "signed", since this property can't be overriden.

WORKAROUND: Created a custom facet that includes it and override default facet
list definition.

Thanks for fixing this! as of today, it's impossible to properly sign an Excel
that includes classification label/s and that kind of feature is becoming more
common accoss companies.

Best!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

Reply via email to