#65668 - upgrade to xmlsec 2.3.0 - make secure validation configurable

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1894701 13f79535-47bb-0310-9956-ffa450edef68

poi-integration/build.gradle

@@ -184,3 +184,4 @@ javadocJar.onlyIf { false }
 sourcesJar.onlyIf { false }
 
 generateMetadataFileForPOIPublication.enabled = false
+publishPOIPublicationToMavenLocal.enabled = false

poi-ooxml/build.gradle

@@ -74,11 +74,11 @@ dependencies {
     api "org.apache.logging.log4j:log4j-api:${log4jVersion}"
     api 'org.apache.commons:commons-collections4:4.4'
 
-    signingImplementation 'org.apache.santuario:xmlsec:2.2.3'
+    signingImplementation 'org.apache.santuario:xmlsec:2.3.0'
     signingImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
     signingImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
 
-    rendersignImplementation 'org.apache.santuario:xmlsec:2.2.3'
+    rendersignImplementation 'org.apache.santuario:xmlsec:2.3.0'
     rendersignImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
     rendersignImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
 

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureConfig.java

@@ -212,6 +212,14 @@ public class SignatureConfig {
      */
     private boolean allowMultipleSignatures = false;
 
+    /**
+     * Switch to enable/disable secure validation - see setter for more information
+     *
+     * @since POI 5.2.0
+     */
+    private boolean secureValidation = true;
+
+
     public SignatureConfig() {
         // OOo doesn't like ds namespaces so per default prefixing is off.
         // namespacePrefixes.put(XML_DIGSIG_NS, "");
@@ -1074,4 +1082,39 @@ public class SignatureConfig {
     public void setAllowMultipleSignatures(boolean allowMultipleSignatures) {
         this.allowMultipleSignatures = allowMultipleSignatures;
     }
+
+    /**
+     * @return is secure validation enabled?
+     *
+     * @since POI 5.2.0
+     */
+    public boolean isSecureValidation() {
+        return secureValidation;
+    }
+
+    /**
+     * Enable or disable secure validation - default is enabled.
+     * <p>
+     * Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail,
+     * because a maximum of 30 references were hard-coded allowed for secure validation to succeed.
+     * <p>
+     * Secure validation has the following features:
+     * <ul>
+     * <li>Limits the number of Transforms per Reference to a maximum of 5.
+     * <li>Does not allow XSLT transforms.
+     * <li>Does not allow a RetrievalMethod to reference another RetrievalMethod.
+     * <li>Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
+     * <li>Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
+     * <li>MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
+     * <li>Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
+     * <li>Does not allow DTDs
+     * </ul>
+     *
+     * @see <a href="https://santuario.apache.org/faq.html#faq-4.SecureValidation">XmlSec SecureValidation</a>
+     *
+     * @since POI 5.2.0
+     */
+    public void setSecureValidation(boolean secureValidation) {
+        this.secureValidation = secureValidation;
+    }
 }

poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java

@@ -56,6 +56,7 @@ import org.xml.sax.SAXException;
 public class SignaturePart {
     private static final Logger LOG = LogManager.getLogger(SignaturePart.class);
     private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
+    private static final String XMLSEC_VALIDATE_SECURE = "org.apache.jcp.xml.dsig.secureValidation";
 
 
     private final PackagePart signaturePart;
@@ -121,6 +122,7 @@ public class SignaturePart {
 
             DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
             domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
+            domValidateContext.setProperty(XMLSEC_VALIDATE_SECURE, signatureInfo.getSignatureConfig().isSecureValidation());
 
             URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer();
             domValidateContext.setURIDereferencer(uriDereferencer);

poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java

@@ -170,6 +170,7 @@ import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.w3.x2000.x09.xmldsig.ObjectType;
 import org.w3.x2000.x09.xmldsig.ReferenceType;
@@ -344,21 +345,22 @@ class TestSignatureInfo {
     }
 
     @ParameterizedTest
-    @ValueSource(strings = {
+    @CsvSource(value = {
-        "hyperlink-example-signed.docx",
+        "hyperlink-example-signed.docx, true",
-        "hello-world-signed.docx",
+        "hello-world-signed.docx, true",
-        "hello-world-signed.pptx",
+        "hello-world-signed.pptx, false",
-        "hello-world-signed.xlsx",
+        "hello-world-signed.xlsx, true",
-        "hello-world-office-2010-technical-preview.docx",
+        "hello-world-office-2010-technical-preview.docx, true",
-        "ms-office-2010-signed.docx",
+        "ms-office-2010-signed.docx, true",
-        "ms-office-2010-signed.pptx",
+        "ms-office-2010-signed.pptx, false",
-        "ms-office-2010-signed.xlsx",
+        "ms-office-2010-signed.xlsx, true",
-        "Office2010-SP1-XAdES-X-L.docx",
+        "Office2010-SP1-XAdES-X-L.docx, true",
-        "signed.docx"
+        "signed.docx, true"
     })
-    void getSigner(String testFile) throws Exception {
+    void getSigner(String testFile, boolean secureValidation) throws Exception {
         try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
             SignatureConfig sic = new SignatureConfig();
+            sic.setSecureValidation(secureValidation);
             SignatureInfo si = new SignatureInfo();
             si.setOpcPackage(pkg);
             si.setSignatureConfig(sic);
@@ -909,6 +911,10 @@ class TestSignatureInfo {
     @Test
     void testRetrieveCertificate() throws InvalidFormatException, IOException {
         SignatureConfig sic = new SignatureConfig();
+        // starting with xmlsec 2.3.0 disabling secure validation was necessary because of limitations
+        // on the amount of processed internal references (max. 30)
+        sic.setSecureValidation(false);
+
         final File file = testdata.getFile("PPT2016withComment.pptx");
         try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {
             sic.setUpdateConfigOnValidate(true);