another signature ubuntu jdk6 bug fix ... and offline/online handling

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1637283 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Andreas Beeker 2014-11-07 01:16:21 +00:00
parent 70177caa04
commit 69dc33caf2
3 changed files with 186 additions and 160 deletions

View File

@ -57,6 +57,7 @@ import javax.xml.crypto.dsig.XMLSignContext;
import javax.xml.crypto.dsig.XMLSignature; import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException; import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory; import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.XMLValidateContext;
import javax.xml.crypto.dsig.dom.DOMSignContext; import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext; import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
@ -230,9 +231,25 @@ public class SignatureInfo implements SignatureConfigurable {
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc); DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE); domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);
domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer()); domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer());
brokenJvmWorkaround(domValidateContext);
XMLSignatureFactory xmlSignatureFactory = signatureConfig.getSignatureFactory(); XMLSignatureFactory xmlSignatureFactory = signatureConfig.getSignatureFactory();
XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext); XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
// TODO: replace with property when xml-sec patch is applied
for (Reference ref : (List<Reference>)xmlSignature.getSignedInfo().getReferences()) {
SignatureFacet.brokenJvmWorkaround(ref);
}
for (XMLObject xo : (List<XMLObject>)xmlSignature.getObjects()) {
for (XMLStructure xs : (List<XMLStructure>)xo.getContent()) {
if (xs instanceof Manifest) {
for (Reference ref : (List<Reference>)((Manifest)xs).getReferences()) {
SignatureFacet.brokenJvmWorkaround(ref);
}
}
}
}
boolean valid = xmlSignature.validate(domValidateContext); boolean valid = xmlSignature.validate(domValidateContext);
if (valid) { if (valid) {
@ -241,8 +258,6 @@ public class SignatureInfo implements SignatureConfigurable {
} }
return valid; return valid;
} catch (ArrayIndexOutOfBoundsException e) {
throw new JvmBrokenException(e);
} catch (Exception e) { } catch (Exception e) {
LOG.log(POILogger.ERROR, "error in marshalling and validating the signature", e); LOG.log(POILogger.ERROR, "error in marshalling and validating the signature", e);
return false; return false;
@ -399,7 +414,6 @@ public class SignatureInfo implements SignatureConfigurable {
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public DigestInfo preSign(Document document, List<DigestInfo> digestInfos) public DigestInfo preSign(Document document, List<DigestInfo> digestInfos)
throws XMLSignatureException, MarshalException { throws XMLSignatureException, MarshalException {
try {
signatureConfig.init(false); signatureConfig.init(false);
// it's necessary to explicitly set the mdssi namespace, but the sign() method has no // it's necessary to explicitly set the mdssi namespace, but the sign() method has no
@ -428,11 +442,7 @@ public class SignatureInfo implements SignatureConfigurable {
xmlSignContext.setDefaultNamespacePrefix(""); xmlSignContext.setDefaultNamespacePrefix("");
// signatureConfig.getNamespacePrefixes().get(XML_DIGSIG_NS)); // signatureConfig.getNamespacePrefixes().get(XML_DIGSIG_NS));
// workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012 brokenJvmWorkaround(xmlSignContext);
Provider bcProv = Security.getProvider("BC");
if (bcProv != null) {
xmlSignContext.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", bcProv);
}
XMLSignatureFactory signatureFactory = signatureConfig.getSignatureFactory(); XMLSignatureFactory signatureFactory = signatureConfig.getSignatureFactory();
@ -539,9 +549,6 @@ public class SignatureInfo implements SignatureConfigurable {
String description = signatureConfig.getSignatureDescription(); String description = signatureConfig.getSignatureDescription();
return new DigestInfo(digestValue, signatureConfig.getDigestAlgo(), description); return new DigestInfo(digestValue, signatureConfig.getDigestAlgo(), description);
} catch (ArrayIndexOutOfBoundsException e) {
throw new JvmBrokenException(e);
}
} }
/** /**
@ -652,9 +659,19 @@ public class SignatureInfo implements SignatureConfigurable {
return other == null ? Collections.EMPTY_LIST : other; return other == null ? Collections.EMPTY_LIST : other;
} }
private static class JvmBrokenException extends EncryptedDocumentException { private void brokenJvmWorkaround(XMLSignContext context) {
public JvmBrokenException(Throwable cause) { // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
super("\"your JVM is just too broken\" - check https://bugzilla.redhat.com/show_bug.cgi?id=1155012 if this applies to the stacktrace ...", cause); Provider bcProv = Security.getProvider("BC");
if (bcProv != null) {
context.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", bcProv);
}
}
private void brokenJvmWorkaround(XMLValidateContext context) {
// workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
Provider bcProv = Security.getProvider("BC");
if (bcProv != null) {
context.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", bcProv);
} }
} }
} }

View File

@ -150,6 +150,16 @@ public abstract class SignatureFacet implements SignatureConfigurable {
reference = sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue); reference = sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue);
} }
brokenJvmWorkaround(reference);
return reference;
}
// helper method ... will be removed soon
public static void brokenJvmWorkaround(Reference reference) {
DigestMethod digestMethod = reference.getDigestMethod();
String digestMethodUri = digestMethod.getAlgorithm();
// workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012 // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
// overwrite standard message digest, if a digest <> SHA1 is used // overwrite standard message digest, if a digest <> SHA1 is used
Provider bcProv = Security.getProvider("BC"); Provider bcProv = Security.getProvider("BC");
@ -166,7 +176,5 @@ public abstract class SignatureFacet implements SignatureConfigurable {
LOG.log(POILogger.WARN, "Can't overwrite message digest (workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012)", e); LOG.log(POILogger.WARN, "Can't overwrite message digest (workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012)", e);
} }
} }
return reference;
} }
} }

View File

@ -50,7 +50,6 @@ import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.TimeZone; import java.util.TimeZone;
import org.apache.poi.EncryptedDocumentException;
import org.apache.poi.POIDataSamples; import org.apache.poi.POIDataSamples;
import org.apache.poi.openxml4j.opc.OPCPackage; import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess; import org.apache.poi.openxml4j.opc.PackageAccess;
@ -299,7 +298,9 @@ public class TestSignatureInfo {
signatureConfig.addSignatureFacet(new XAdESSignatureFacet()); signatureConfig.addSignatureFacet(new XAdESSignatureFacet());
signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet()); signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());
boolean mockTsp = false; // check for internet
Process p1 = Runtime.getRuntime().exec("ping www.google.com");
boolean mockTsp = (p1.waitFor() == 1);
// http://timestamping.edelweb.fr/service/tsp // http://timestamping.edelweb.fr/service/tsp
// http://tsa.belgium.be/connect // http://tsa.belgium.be/connect
// http://timestamp.comodoca.com/authenticode // http://timestamp.comodoca.com/authenticode
@ -471,14 +472,14 @@ public class TestSignatureInfo {
si.confirmSignature(); si.confirmSignature();
boolean b = si.verifySignature(); boolean b = si.verifySignature();
assertTrue("Signature not correctly calculated for " + ha, b); assertTrue("Signature not correctly calculated for " + ha, b);
} catch (EncryptedDocumentException e) { // } catch (EncryptedDocumentException e) {
// see http://apache-poi.1045710.n5.nabble.com/org-apache-poi-poifs-crypt-TestSignatureInfo-failing-on-trunk-on-Java-6-tp5717032.html // // see http://apache-poi.1045710.n5.nabble.com/org-apache-poi-poifs-crypt-TestSignatureInfo-failing-on-trunk-on-Java-6-tp5717032.html
Throwable cause = e.getCause(); // Throwable cause = e.getCause();
if (cause instanceof ArrayIndexOutOfBoundsException) { // if (cause instanceof ArrayIndexOutOfBoundsException) {
LOG.log(POILogger.ERROR, "ignoring AIOOBE - hopefully a SHA2 bug ...", e); // LOG.log(POILogger.ERROR, "ignoring AIOOBE - hopefully a SHA2 bug ...", e);
} else { // } else {
throw e; // throw e;
} // }
} finally { } finally {
if (pkg != null) pkg.close(); if (pkg != null) pkg.close();
} }