#65214 - Document signed by POI reported as 'partially' signed

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1889427 13f79535-47bb-0310-9956-ffa450edef68

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/EnvelopedSignatureFacet.java

@@ -56,7 +56,7 @@ public class EnvelopedSignatureFacet implements SignatureFacet {
         Transform exclusiveTransform = newTransform(signatureInfo, CanonicalizationMethod.EXCLUSIVE);
         transforms.add(exclusiveTransform);
 
-        Reference reference = newReference(signatureInfo, "", transforms, null, null, null);
+        Reference reference = newReference(signatureInfo, "", transforms, null);
         references.add(reference);
     }
 }

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/OOXMLSignatureFacet.java

@@ -37,6 +37,8 @@ import java.util.Comparator;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import javax.xml.XMLConstants;
 import javax.xml.crypto.URIReference;
@@ -118,7 +120,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
         XMLObject xo = sigFac.newXMLObject(objectContent, ID_PACKAGE_OBJECT, null, null);
         objects.add(xo);
 
-        Reference reference = newReference(signatureInfo, "#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object", null, null);
+        Reference reference = newReference(signatureInfo, "#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object");
         references.add(reference);
     }
 
@@ -150,6 +152,8 @@ public class OOXMLSignatureFacet implements SignatureFacet {
                  * "The producer shall not create a Manifest element that references any data outside of the package."
                  */
                 if (TargetMode.EXTERNAL == relationship.getTargetMode()) {
+                    // only add the relationship but not the reference/data
+                    parameterSpec.addRelationshipReference(relationship.getId());
                     continue;
                 }
 
@@ -183,7 +187,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
                 }
 
                 String uri = partName + "?ContentType=" + contentType;
-                Reference reference = newReference(signatureInfo, uri, null, null, null, null);
+                Reference reference = newReference(signatureInfo, uri, null, null);
                 manifestReferences.add(reference);
             }
 
@@ -193,7 +197,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
                 transforms.add(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE));
                 String uri = normalizePartName(pp.getPartName().getURI(), baseUri)
                     + "?ContentType=application/vnd.openxmlformats-package.relationships+xml";
-                Reference reference = newReference(signatureInfo, uri, transforms, null, null, null);
+                Reference reference = newReference(signatureInfo, uri, transforms, null);
                 manifestReferences.add(reference);
             }
         }
@@ -292,7 +296,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
         String objectId = "idOfficeObject";
         objects.add(sigFac.newXMLObject(objectContent, objectId, null, null));
 
-        Reference reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null);
+        Reference reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object");
         references.add(reference);
 
         Base64.Encoder enc = Base64.getEncoder();
@@ -302,7 +306,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
             DOMStructure tn = new DOMStructure(document.createTextNode(enc.encodeToString(imageValid)));
             objects.add(sigFac.newXMLObject(Collections.singletonList(tn), objectId, null, null));
 
-            reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null);
+            reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object");
             references.add(reference);
         }
 
@@ -312,7 +316,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
             DOMStructure tn = new DOMStructure(document.createTextNode(enc.encodeToString(imageInvalid)));
             objects.add(sigFac.newXMLObject(Collections.singletonList(tn), objectId, null, null));
 
-            reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null);
+            reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object");
             references.add(reference);
         }
     }
@@ -336,7 +340,7 @@ public class OOXMLSignatureFacet implements SignatureFacet {
     /**
      * Office 2010 list of signed types (extensions).
      */
-    private static final Set<String> signed = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+    private static final Set<String> signed = Stream.of(
             "activeXControlBinary", "aFChunk", "attachedTemplate", "attachedToolbars", "audio", "calcChain", "chart", "chartColorStyle",
             "chartLayout", "chartsheet", "chartStyle", "chartUserShapes", "commentAuthors", "comments", "connections", "connectorXml",
             "control", "ctrlProp", "customData", "customData", "customProperty", "customXml", "diagram", "diagramColors",
@@ -357,5 +361,5 @@ public class OOXMLSignatureFacet implements SignatureFacet {
             "volatileDependencies", "webSettings", "wordVbaData", "worksheet", "wsSortMap", "xlBinaryIndex",
             "xlExternalLinkPath/xlAlternateStartup", "xlExternalLinkPath/xlLibrary", "xlExternalLinkPath/xlPathMissing",
             "xlExternalLinkPath/xlStartup", "xlIntlMacrosheet", "xlMacrosheet", "xmlMaps"
-    )));
+    ).collect(Collectors.toSet());
 }

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacetHelper.java

@@ -52,9 +52,7 @@ final class SignatureFacetHelper {
             SignatureInfo signatureInfo
             , String uri
             , List<Transform> transforms
-            , String type
+            , String type)
-            , String id
-            , byte[] digestValue)
             throws XMLSignatureException {
         // the references appear in the package signature or the package object
         // so we can use the default digest algorithm
@@ -68,8 +66,6 @@ final class SignatureFacetHelper {
             throw new XMLSignatureException("unknown digest method uri: "+digestMethodUri, e);
         }
 
-        return (digestValue == null)
+        return sigFac.newReference(uri, digestMethod, transforms, type, null);
-                ? sigFac.newReference(uri, digestMethod, transforms, type, id)
-                : sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue);
     }
 }

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESSignatureFacet.java

@@ -242,7 +242,7 @@ public class XAdESSignatureFacet implements SignatureFacet {
     private Reference addXadesReference(SignatureInfo signatureInfo) throws XMLSignatureException {
         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
         List<Transform> transforms = singletonList(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE));
-        return newReference(signatureInfo, "#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null);
+        return newReference(signatureInfo, "#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE);
     }
 
     /**

poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java

@@ -110,7 +110,9 @@ import org.apache.poi.xssf.usermodel.XSSFClientAnchor;
 import org.apache.poi.xssf.usermodel.XSSFSheet;
 import org.apache.poi.xssf.usermodel.XSSFSignatureLine;
 import org.apache.poi.xssf.usermodel.XSSFWorkbook;
+import org.apache.poi.xwpf.usermodel.UnderlinePatterns;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
+import org.apache.poi.xwpf.usermodel.XWPFHyperlinkRun;
 import org.apache.poi.xwpf.usermodel.XWPFSignatureLine;
 import org.apache.xmlbeans.SystemProperties;
 import org.apache.xmlbeans.XmlException;
@@ -745,6 +747,45 @@ class TestSignatureInfo {
         }
     }
 
+    // Test signing of external references / hyperlinks
+    @Test
+    void bug65214() throws Exception {
+        initKeyPair();
+
+	    ByteArrayOutputStream bos = new ByteArrayOutputStream();
+	    try (XWPFDocument doc = new XWPFDocument()) {
+            XWPFHyperlinkRun r = doc.createParagraph().createHyperlinkRun("http://poi.apache.org");
+	        r.setText("Hyperlink");
+	        r.setUnderline(UnderlinePatterns.SINGLE);
+	        r.setUnderlineColor("0000FF");
+	        doc.write(bos);
+        }
+
+        SignatureConfig signatureConfig = new SignatureConfig();
+        signatureConfig.setKey(keyPair.getPrivate());
+        signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
+        signatureConfig.setDigestAlgo(HashAlgorithm.sha256);
+        try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {
+            SignatureInfo si = new SignatureInfo();
+            si.setOpcPackage(pkg);
+            si.setSignatureConfig(signatureConfig);
+            si.confirmSignature();
+            bos.reset();
+            pkg.save(bos);
+        } catch (EncryptedDocumentException e) {
+            assumeTrue(e.getMessage().startsWith("Export Restrictions"));
+        }
+
+        try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {
+            SignatureInfo si = new SignatureInfo();
+            si.setOpcPackage(pkg);
+            si.setSignatureConfig(signatureConfig);
+            si.verifySignature();
+        } catch (EncryptedDocumentException e) {
+            assumeTrue(e.getMessage().startsWith("Export Restrictions"));
+        }
+    }
+
     @Test
     void bug58630() throws Exception {
         // test deletion of sheet 0 and signing