Description: When you apply multiple (two or more) XAdES signatures to the odt document, they don't comply with the XAdES standard (my assumption) and validation with https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation fails.

Steps to Reproduce:
1. Import pfx file into MS Windows certmgr.msc tool
2. Save odt document
3. Apply the first signature
4. Apply the second signature
5. Open https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation
6. Upload signed document
7. Validation fails

Actual Results: Validation failed
Expected Results: Two signatures pass validation and are marked valid
Reproducible: Always
User Profile Reset: No
Additional Info: Validate XAdES signatures
Created attachment 164102 [details] Sample odt that fails validation
Created attachment 164103 [details] Sample p12 from DSS lib to sign ODT; p12 password: password
Created attachment 164104 [details] DSS Report with failed XAdES signatures
I made a request to the DSS lib tech team to figure out the issue - https://ec.europa.eu/cefdigital/tracker/browse/DSS-2183
My assumption was proven by the DSS team; their comment:

The problem is that both signatures in your file contain references to SignedProperties with the same Id "idSignedProperties". Conversely, the element with the Id "idSignedProperties" itself is present in the file two times. This is not a valid XML structure and an identifier cannot be duplicated in a file. Because of this the DSS validation correctly fails with the result SIGNED_DATA_NOT_FOUND (unable to determine the referenced object). By default DSS creates a unique deterministic identifier for each signed element, including SignedProperties. This allows avoiding conflicts between references. In the attachment you can find an example of a valid double-signed ODT document created with DSS. I hope this clarifies. Best regards, Aleksandr.
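As an added illustration of the failure mode the DSS team describes above (this is example code written for this page, not LibreOffice or DSS code), the following Python checker audits the signature part of an ODT for the two conditions that make a same-document Reference unresolvable: an `Id` that appears more than once (ambiguous, the case in this bug) and an `Id` that appears nowhere (dangling). It assumes the ODF layout in which every signature lives in `META-INF/documentsignatures.xml`; the XML and the in-memory zip it inspects are constructed samples, not the attached files.

```python
"""Audit same-document References in multi-signature ODF signature parts.

Added example for this bug thread; not LibreOffice or DSS code.
Assumptions: signatures are stored in META-INF/documentsignatures.xml and
the Id attribute on ds:/xades: elements is un-namespaced ("Id"), as in
XMLDSig/XAdES. All sample data below is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
ODF_DSIG = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
NS = {"ds": DS, "xades": XADES}
SIG_PART = "META-INF/documentsignatures.xml"

# (signature Id, SignedProperties Id) pairs: the buggy case reuses one Id.
BAD_PAIRS = [("sig-1", "idSignedProperties"), ("sig-2", "idSignedProperties")]
GOOD_PAIRS = [("sig-1", "idSignedProperties-1"), ("sig-2", "idSignedProperties-2")]


def _signature_xml(sig_id, props_id):
    # Minimal XAdES-shaped signature: one file reference plus the
    # same-document reference to its own SignedProperties element.
    return f"""
  <ds:Signature Id="{sig_id}">
    <ds:SignedInfo>
      <ds:Reference URI="content.xml"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      <ds:Reference URI="#{props_id}" Type="http://uri.etsi.org/01903#SignedProperties">
        <ds:DigestValue>BBBB</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Q0NDQw==</ds:SignatureValue>
    <ds:Object>
      <xades:QualifyingProperties Target="#{sig_id}">
        <xades:SignedProperties Id="{props_id}"/>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>"""


def build_document_signatures(pairs):
    """Constructed documentsignatures.xml holding one signature per pair."""
    body = "".join(_signature_xml(s, p) for s, p in pairs)
    return (f'<document-signatures xmlns="{ODF_DSIG}" xmlns:ds="{DS}" '
            f'xmlns:xades="{XADES}">{body}\n</document-signatures>')


def audit_signatures(xml_text):
    """Return [(signature Id, URI, reason)] for every unresolvable
    same-document Reference. An empty list means all '#id' URIs resolve
    to exactly one element, which is what a validator needs."""
    root = ET.fromstring(xml_text)
    # XML requires Id values to be unique across the whole document, so
    # count them over the whole part, not per signature.
    id_counts = {}
    for el in root.iter():
        value = el.get("Id")
        if value is not None:
            id_counts[value] = id_counts.get(value, 0) + 1
    findings = []
    for sig in root.iterfind("ds:Signature", NS):
        sig_id = sig.get("Id", "?")
        for ref in sig.iterfind(".//ds:Reference", NS):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                continue  # package-file reference, resolved against the zip
            n = id_counts.get(uri[1:], 0)
            if n == 0:
                findings.append((sig_id, uri, "dangling"))
            elif n > 1:
                findings.append((sig_id, uri, f"ambiguous ({n} elements share this Id)"))
    return findings


def make_sample_odt(pairs):
    """Constructed minimal zip standing in for an ODT package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", "<content/>")
        z.writestr(SIG_PART, build_document_signatures(pairs))
    return buf.getvalue()


def audit_odt_bytes(data):
    """Open a package from bytes and audit its signature part, if any."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if SIG_PART not in z.namelist():
            return []  # unsigned document: nothing to check
        return audit_signatures(z.read(SIG_PART).decode("utf-8"))


if __name__ == "__main__":
    for label, pairs in (("bad", BAD_PAIRS), ("good", GOOD_PAIRS)):
        print(label, audit_odt_bytes(make_sample_odt(pairs)))
```

Run against a real file, `audit_odt_bytes(open("doc.odt", "rb").read())` reports both signatures in the buggy layout as "ambiguous", which is exactly why a validator cannot tell which SignedProperties element each digest covers; a file produced with per-signature Ids (the DSS default) returns an empty list. The checker looks only at reference resolvability, not at digests or certificate chains, so an empty result is necessary but not sufficient for a valid signature.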
Can I help with comments?
FYI There is a possible issue with ECDSA in the Microsoft Crypto libs; it's a theory now. More details - https://ec.europa.eu/cefdigital/tracker/browse/DSS-2191?focusedCommentId=95743&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-95743
UP Is there a way to fund resolution of this bug?
I'm not an expert with digital signatures, but bug 105856 might be related to the bug you reported. Might be worth having a look at it.
Up
Created attachment 175990 [details] Example file with text and no signature
Created attachment 175991 [details] The previous document signed twice with two different X.509 certificates
Created attachment 175992 [details] DSS report on the signed file

Seems to work fine with current master:

Version: 7.3.0.0.alpha0+ / LibreOffice Community
Build ID: 5b0ae3b59cd2cccfb72d991657366eb2a69bff49
CPU threads: 8; OS: Linux 5.4; UI render: default; VCL: gtk3
Locale: hu-HU (hu_HU.UTF-8); UI: en-US
Calc: threaded
(In reply to Gabor Kelemen (allotropia) from comment #13)
> Created attachment 175992 [details]
> DSS report on the signed file
>
> Seems to work fine with current master:
>
> Version: 7.3.0.0.alpha0+ / LibreOffice Community
> Build ID: 5b0ae3b59cd2cccfb72d991657366eb2a69bff49
> CPU threads: 8; OS: Linux 5.4; UI render: default; VCL: gtk3
> Locale: hu-HU (hu_HU.UTF-8); UI: en-US
> Calc: threaded

Thank you! I'll test it and let you know the result with a valid EU DSS signature, I mean a signature certificate issued by a QTSP.
Created attachment 175993 [details] The example file with 3 bad signatures

This seems to have been fixed by:
https://git.libreoffice.org/core/+/fd5463343ab7f784070f1ab87a345eed20803d07%5E%21

author Tomaž Vajngerl <tomaz.vajngerl@collabora.co.uk> Wed Oct 27 14:15:17 2021 +0200
committer Tomaž Vajngerl <quikee@gmail.com> Thu Oct 28 08:49:57 2021 +0200

xmlsec: signing the document fails the 3rd time (invalid signature)

The commit right before this produced the attached file, which completely fails the DSS check.
Created attachment 175994 [details] DSS report on the bad signed file
Thanks Tomaž for fixing this!
It's fixed. Thx Tomaž