Bug 105856 - XAdES signature created via LibreOffice is not compliant (SignedProperties reference is missing Type attribute).
Summary: XAdES signature created via LibreOffice is not compliant (SignedProperties re...
Status: RESOLVED DUPLICATE of bug 119309
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.3.0.3 release
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
: 124768 (view as bug list)
Depends on:
Blocks: Digital-Signatures
  Show dependency treegraph
 
Reported: 2017-02-08 12:30 UTC by T. H.
Modified: 2021-10-29 18:29 UTC (History)
4 users (show)

See Also:
Crash report or crash signature:
Regression By:


Attachments
Signed OpenDocument with eSignature DSS library (28.71 KB, application/pdf)
2020-07-16 00:52 UTC, Francisco de la Peña
Details
Signed OpenDocument with eSignature DSS library (fixed) (24.64 KB, application/vnd.oasis.opendocument.text)
2020-07-16 00:55 UTC, Francisco de la Peña
Details
Example file signed with 6.2 (22.24 KB, application/vnd.oasis.opendocument.text)
2021-10-29 15:05 UTC, Gabor Kelemen (allotropia)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description T. H. 2017-02-08 12:30:35 UTC
XAdES signature created via LibreOffice does not confirm to specifications.
A reference to SignedProperties (Reference with URI="#idSignedProperties") is missing a Type attribute (shall be Type="http://uri.etsi.org/01903#SignedProperties").

Check specification ETSI EN 319 132-1 V1.1.1 (2016-04), section 4.4.2, which mentions exactly that. Link to specs: http://www.etsi.org/deliver/etsi_en/319100_319199/31913201/01.01.01_60/en_31913201v010101p.pdf

Validation of such documents (signatures) might be difficult, because its not immediately clear which reference is which.
Comment 1 Cor Nouws 2017-02-08 13:36:19 UTC
thanks for filing hlavnicka.
@miklos: can you please have a look?
Comment 2 QA Administrators 2018-02-19 03:34:34 UTC Comment hidden (obsolete)
Comment 3 T. H. 2018-03-29 13:37:40 UTC
Bug is still present, application incorrectly gives user a choice to select "AdES-compliant" signature that in fact is not compliant (conflict with specification ETSI EN 319 132-1 V1.1.1 (2016-04), section 4.4.2)

Tested again in version:

Version: 6.0.2.1 (x64)
Build ID: f7f06a8f319e4b62f9bc5095aa112a65d2f3ac89
CPU threads: 4; OS: Windows 6.1; UI render: default; 
Locale: cs-CZ (cs_CZ); Calc: CL
Comment 4 QA Administrators 2019-03-30 06:12:53 UTC Comment hidden (obsolete)
Comment 5 Olivia Reed 2020-05-17 10:08:09 UTC Comment hidden (spam)
Comment 6 Francisco de la Peña 2020-07-16 00:52:43 UTC
Created attachment 163087 [details]
Signed OpenDocument with eSignature DSS library

The attached document is signed with a XAdES signature, but not detected by LibreOffice because it does not support the XML namespaces. Tested with latest Libreoffice 6.4.5.2 and 7.0.0.1
Comment 7 Francisco de la Peña 2020-07-16 00:55:50 UTC
Created attachment 163088 [details]
Signed OpenDocument with eSignature DSS library (fixed)

Apologies for the previous attachment, it was the wrong file.
Comment 8 Timur 2020-09-18 07:08:58 UTC
*** Bug 124768 has been marked as a duplicate of this bug. ***
Comment 9 Gabor Kelemen (allotropia) 2021-10-29 14:09:42 UTC
(In reply to Francisco de la Peña from comment #7)
> Created attachment 163088 [details]
> Signed OpenDocument with eSignature DSS library (fixed)
> 
> Apologies for the previous attachment, it was the wrong file.

LibreOffice started to detect the presence of this signature in 7.1 after:

https://git.libreoffice.org/core/+/d92235df75829a8cf2ee8cc7b0b76063093b6cc2

author	Michael Stahl <michael.stahl@allotropia.de>	Fri Feb 12 16:42:51 2021 +0100
committer	Caolán McNamara <caolanm@redhat.com>	Thu Mar 04 12:50:18 2021 +0100

xmlsecurity: replace XSecParser implementation

So this part is already solved.
Comment 10 Gabor Kelemen (allotropia) 2021-10-29 15:05:38 UTC
Created attachment 176003 [details]
Example file signed with 6.2

Looks like the missing Type="http://uri.etsi.org/01903#SignedProperties attribute is added at least since 6.2 - but it was not added in 6.1
Comment 11 Gabor Kelemen (allotropia) 2021-10-29 18:29:55 UTC
(In reply to Gabor Kelemen (allotropia) from comment #10)
> Created attachment 176003 [details]
> Example file signed with 6.2
> 
> Looks like the missing Type="http://uri.etsi.org/01903#SignedProperties
> attribute is added at least since 6.2 - but it was not added in 6.1

Since:

https://git.libreoffice.org/core/+/ea3a5036d23081b6e8eb38a399ff8ef5acd8adc7

author	Miklos Vajna <vmiklos@collabora.co.uk>	Mon Aug 27 09:15:16 2018 +0200
committer	Miklos Vajna <vmiklos@collabora.co.uk>	Mon Aug 27 19:15:55 2018 +0200

tdf#119309 xmlsecurity xades: missing XML attribute on idSignedProperties ref

*** This bug has been marked as a duplicate of bug 119309 ***