Description: EU has developed the opensource tool https://github.com/esig/dss to verify different Digital Signatures including ASiC-E type = ODT container. But while trying to use LibreOffice to created signed AdES document, DSS tool can't verify ODT signature. Details - https://ec.europa.eu/cefdigital/tracker/browse/DSS-1473 Way to reproduce 1 Sign odt with libreoffice 2 Use online tool https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation to validate odt object (simply upload under Signed file) According to recommendations, we must add type="http://uri.etsi.org/01903#SignedProperties" to ds:Reffernce object Steps to Reproduce: 1 Sign odt with libreoffice 2 Use online tool https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation to validate odt object (simply upload under Signed file) Actual Results: invalid XAdES signature Expected Results: XAdES signature according ETSI EN 319 132-1 V1.1.1 (2016-04) + packed as ASiC ETSI EN 319 162-1 V1.1.1 (2016-04) Reproducible: Always User Profile Reset: Yes OpenGL enabled: Yes Additional Info:
Miklos/Samuel: thought you might be interested in this one since it concerns ODT signature.
FYI online app is not correct yet, according to DSS app comment (https://ec.europa.eu/cefdigital/tracker/browse/DSS-1473 ) " I'll need to adapt DSS to fix the "signatures cover the mimetype file and manifest file(s). I'm not sure that these files require to be covered. I'll need to contact experts to confirm." (I sent an email and I'm waiting for their reply). For now, DSS will always conclude with INDETERMINATE / SIGNED_DATA_NOT_FOUND."
FWIW our implementation covers both and there is a good reason for that: if that's not the case then you only sign part of the document, which is quite misleading. Needinfo till there are known problems with the validation tool.
Hello, I'll keep you informed about the files covering. IMO, if we refer to ETSI EN 319 162-1 ch 4.4.3.3, the META-INF/manifest.xml could be covered but the mimetype file is not in the scope of the signature. Anyway, there's another issue with the XAdES building. The reference which points to the SignedProperties shall have this specific type : http://uri.etsi.org/01903#SignedProperties. (rf : ETSI EN 319 132-1 ch 4.4.2). This point was also specified in the previous standard ETSI TS 101 903 ch 6.3.1. Regards, Pierrick
Hi, No problem if you don't warn on that, my worry is if you reject a signature because it covers the mimetype file. That would be unfortunate, as reducing the data we sign is not great, but otherwise the signatures we generate won't pass your validation. Regards, Miklos
Hi, The second point is much more important (missing type attribute). If DSS (and probably other tools) doesn't validate your files, that will be the main cause. I invite you to test the conformance of your XAdES files with the ETSI conformance checker (http://signatures-conformance-checker.etsi.org). Regards, Pierrick
Oh, I'm just stupid. We already do what you say for OOXML signatures, we should do the same for ODF. I'll take care of this.
Miklos Vajna committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=ea3a5036d23081b6e8eb38a399ff8ef5acd8adc7 tdf#119309 xmlsecurity xades: missing XML attribute on idSignedProperties ref It will be available in 6.2.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
^ this improves the DSS validator output, so that "Qualification Signature" section is no longer just a red "N/A" but an orange "Indeterminate QESig" for me. Please open follow-up bugs if anything else is still needed (i.e. not something that should be fixed in the validator). Thanks!
Hello, I have tested the version 6.2 from daily builds. The type attribute is well present. Which is the followed specifications to select covered files ? ODF 1.2 ch 3.16 specifies all files except META-INF/documentsignatures.xml and external-data/. Regards, Pierrick
Hi Pierrick, It's correct to expect we follow what's in ODF 1.2. When we append META-INF/documentsignatures.xml to a previously unsigned document, we sign all the existing streams, which in practice matches what you write. If some of the streams (except the signature stream itself) is not signed, then we don't consider the signature valid. Regards, Miklos
Hi Miklos, Thanks for your reply. In the signed ODT that I generated, the files in the Configurations2 folder are not covered. Does it the expected behavior ? Regards, Pierrick
As long as you only have empty subfolders in the Configurations2 folder, yes. The signatures stream is supposed to sign files only, not folders.
Ok, thanks for the clarification. You are right, this folder only has empty sub-folders.
*** Bug 105856 has been marked as a duplicate of this bug. ***