Signature process in LibreOffice 6.3

Kaleun

Signature process in LibreOffice 6.3

Hello,

my name is Steve Martin and I am an enrolled student at the Ruhr
University Bochum. I have a question regarding the implementation of the
signature process in LibreOffice.

I use a self-created X.509 certificate for signing my ODT documents.

As soon as I sign my ODT document, the file "documentsignatures.xml" is
created in the META-INF folder in the OpenDocument package. Before I
signed my ODT document, I had decompressed the ODT document and added an
additional file entry in META-INF/manifest.xml:

<manifest:file-entry manifest:full-path="Thumbnails/meta.xml"
manifest:media-type="text/xml"/>

Then I saved the manifest.xml file and compressed all the files back
into a ZIP package. I can now open this file with LibreOffice and sign
it with my X.509 certificate.

After I signed the document, I decompressed it again and copied the
meta.xml file into the Thumbnails directory. Thanks to the previously
added file entry in the manifest.xml file, I can now compress all the
partial files back into a ZIP archive and open the document with
LibreOffice as normal, without being shown the message that the file is
corrupted.

However, I don't understand why I now get the message that the
signature is not valid. I decompressed the ODT document with the invalid
signature and compared the documentsignatures.xml file contained in the
META-INF folder with the documentsignatures.xml file that was created
immediately after the signature was created. Both files are exactly the
same and neither contain the value "Thumbnails/meta.xml" in the URI
attribute in the <Reference> elements.

Since none of the files that are listed in the documentsignatures.xml
were manipulated, shouldn't the signature be valid? Or is there another
signature somewhere besides the XML signature about the file structure
of the ODT document?

Many thanks for your help

Steve
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Mike Kaganski

Re: Signature process in LibreOffice 6.3

Hi,

On 2020-02-07 18:46, Steve Martin wrote:

> After I signed the document, I decompressed it again and copied the
> meta.xml file into the Thumbnails directory. Thanks to the previously
> added file entry in the manifest.xml file, I can now compress all the
> partial files back into a ZIP archive and open the document with
> LibreOffice as normal, without being shown the message that the file is
> corrupted.
>
> However, I don't understand why do I get now the message that the
> signature is not valid? I decompressed the ODT document with the invalid
> signature and compared the documentsignatures.xml file contained in the
> META-INF folder with the documentsignatures.xml file that was created
> immediately after the signature was created. Both files are exactly the
> same and neither contain the value "Thumbnails/meta.xml" in the URI
> attribute in the <Reference> elements.
>
> Since none of the files that are listed in the documentsignatures.xml
> were manipulated, the signature should be valid? Or is there another
> signature somewhere besides the XML signature about the file structure
> of the ODT document?

OASIS OpenDocument version 1.2 sect. 3.16 Document Signatures [1] :

> Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 3.5 of the OpenDocument specification part 3. Document signatures shall contain a <ds:Reference> element for each file within the package, with the exception that <ds:Reference> elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted.

Note that "Document signatures shall contain a <ds:Reference> element
*for each file within the package*", and the contents of Thumbnails is
not listed among the exceptions.

[1]
http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415062_253892949

--
Best regards,
Mike Kaganski
Oliver Brinzing

Re: Signature process in LibreOffice 6.3

In reply to this post by Kaleun
Hi Steve,

You added a new file into the zip package *after* signing the document.

I *guess* (did not check the source code) LO checks all files inside the zip package during opening
and if it finds a changed file or a file which is not listed in "documentsignatures.xml" it will
invalidate the signature.

Regards
Oliver
Kaleun

Re: Signature process in LibreOffice 6.3

In reply to this post by Mike Kaganski
Hi Mike,

Thanks for your fast reply.

> Note that "Document signatures shall contain a <ds:Reference> element
> *for each file within the package*", and the contents of Thumbnails is
> not listed among the exceptions.

Understood. The file documentsignatures.xml needs a <ds:Reference>
element for my "Thumbnails/meta.xml" file. Therefore the signature fails
because the corresponding entry in the documentsignatures.xml file is
missing.

> Document signatures shall be stored in a file called
> META-INF/documentsignatures.xml in the package as described in section
> 3.5 of the OpenDocument specification part 3. Document signatures shall
> contain a <ds:Reference> element for each file within the package, with
> the exception that <ds:Reference> elements for the
> META-INF/documentsignatures.xml file containing the signature, and any
> files contained in the package whose relative path starts with
> "external-data/" should be omitted.

I understand it this way: If I create a directory with the name
"external-data" and put files into that directory, these files remain
unaffected by the signature check (unlike my file
"Thumbnails/meta.xml"). Is this correct? Or are these files just not a
part of the signature while generating the signature value?*

I repeated my test scenario and adjusted the manifest.xml file
accordingly:

<manifest:file-entry manifest:full-path="external-data/meta.xml"
manifest:media-type="text/xml"/>

If I now copy the meta.xml file into the "external-data" folder after
creating the signature, I still get the message that the signature is
invalid. None of the URI attributes of the <Reference> elements contain
the value "external-data/meta.xml".


*(By the way: If I create the folder "external-data" and create an empty
file "test.xml" in this directory, with the corresponding adjustment of
the manifest.xml file:

<manifest:file-entry manifest:full-path="external-data/test.xml"
manifest:media-type="text/xml"/>

then after compressing the package I no longer have the option to sign
my ODT document (nothing happens when I click the "Sign document"
button; the window in which I can select the certificates with which I
can sign my document simply closes).)

Thanks in advance for your help

Steve
Kaleun

Re: Signature process in LibreOffice 6.3

In reply to this post by Oliver Brinzing
Hi Oliver,


Oliver Brinzing wrote
> you added a new file into the zip package *after* signing the document.

Yeah, that's correct.


Oliver Brinzing wrote
> [...] LO checks all files inside the zip package during opening
> and if it finds a changed file or a file which is not listed in
> "documentsignatures.xml" it will
> invalidate the signature.

Perhaps. So LibreOffice does not only use the XML signatures but also
checks additional things. Is that correct?

Regards

Steve

Michael Stahl

Re: Signature process in LibreOffice 6.3

In reply to this post by Kaleun
On 07.02.20 20:13, Steve Martin wrote:
>
>> Document signatures shall be stored in a file called
>> META-INF/documentsignatures.xml in the package as described in section
>> 3.5 of the OpenDocument specification part 3. Document signatures
>> shall contain a <ds:Reference> element for each file within the
>> package, with the exception that <ds:Reference> elements for the
>> META-INF/documentsignatures.xml file containing the signature, and any
>> files contained in the package whose relative path starts with
>> "external-data/" should be omitted.

Interesting, I hadn't noticed that... apparently it was added with
https://issues.oasis-open.org/browse/OFFICE-3028

> I understand it in that way: If I create a directory with the name
> "external-data" and put files into that directory, these files remain
> unaffected by the signature check (unlike my file
> "Thumbnails/meta.xml"). Is this correct? Or are these files just not a
> part of the signature while generating the signature value?*
>
> I repeated my test scenario and adjusted the manifest.xml file accordingly:
>
> <manifest:file-entry manifest:full-path="external-data/meta.xml"
> manifest:media-type="text/xml"/>
>
> If I now copy the meta.xml file into the "external-data" folder after
> creating the signature, I still get the message that the signature is
> invalid. None of the URI attributes of the <Reference> elements contain
> the value "external-data/meta.xml".

git grep "external-data" indicates that this feature remains
unimplemented in LO.
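The coverage rule Mike quotes from the spec, and the check Oliver guesses LibreOffice performs, can be reproduced outside LibreOffice. The script below is an added example and is not code from this thread or from LibreOffice: it builds a small ODT-shaped zip with a constructed, stripped-down META-INF/documentsignatures.xml (only the ds:Reference URIs a real file would carry; digests, SignatureValue and KeyInfo are omitted), then lists every package entry that no ds:Reference covers. The signature file itself is always exempt, as the spec says; the "external-data/" exemption is an option that is off by default, since Michael Stahl notes it is not implemented in LO. The entry names, the sample contents and the signature XML are all constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_PATH = "META-INF/documentsignatures.xml"
EXTERNAL_DATA_PREFIX = "external-data/"

# Constructed sample of META-INF/documentsignatures.xml, reduced to what the
# coverage check reads. A real file also carries DigestMethod/DigestValue per
# Reference, a SignatureValue and KeyInfo. The "#ID_..." reference points at
# the SignatureProperties inside the signature itself, not at a package entry.
SAMPLE_SIGNATURES = """<?xml version="1.0" encoding="UTF-8"?>
<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID_sample">
  <ds:SignedInfo>
   <ds:Reference URI="content.xml"/>
   <ds:Reference URI="styles.xml"/>
   <ds:Reference URI="META-INF/manifest.xml"/>
   <ds:Reference URI="mimetype"/>
   <ds:Reference URI="Thumbnails/thumbnail.png"/>
   <ds:Reference URI="#ID_sample_props"/>
  </ds:SignedInfo>
 </ds:Signature>
</document-signatures>
"""

# Constructed package entries that the sample signature covers.
SIGNED_CONTENT = {
    "mimetype": b"application/vnd.oasis.opendocument.text",
    "content.xml": b"<office:document-content/>",
    "styles.xml": b"<office:document-styles/>",
    "META-INF/manifest.xml": b"<manifest:manifest/>",
    "Thumbnails/thumbnail.png": b"\x89PNG\r\n\x1a\n",
}


def signed_uris(signatures_xml: bytes) -> set:
    """Package paths named by ds:Reference/@URI in a documentsignatures.xml."""
    root = ET.fromstring(signatures_xml)
    uris = set()
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        if uri and not uri.startswith("#"):  # same-document refs are not entries
            uris.add(uri)
    return uris


def build_package(extra_files: dict) -> bytes:
    """Minimal ODT-shaped zip: the signed entries plus files added after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires "mimetype" to be the first entry and stored uncompressed.
        zf.writestr("mimetype", SIGNED_CONTENT["mimetype"], compress_type=zipfile.ZIP_STORED)
        for name, data in SIGNED_CONTENT.items():
            if name != "mimetype":
                zf.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr(SIG_PATH, SAMPLE_SIGNATURES.encode("utf-8"), compress_type=zipfile.ZIP_DEFLATED)
        for name, data in extra_files.items():  # the post-signing additions
            zf.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def unreferenced_entries(package: bytes, honour_external_data: bool = False) -> list:
    """Sorted package entries that no ds:Reference covers.

    META-INF/documentsignatures.xml is always exempt (spec). Entries under
    external-data/ are exempt only when honour_external_data is set, because
    LibreOffice 6.3 does not implement that exemption.
    """
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
        if SIG_PATH not in entries:
            raise ValueError("package is not signed: no " + SIG_PATH)
        covered = signed_uris(zf.read(SIG_PATH))
    missing = []
    for name in entries:
        if name == SIG_PATH:
            continue
        if honour_external_data and name.startswith(EXTERNAL_DATA_PREFIX):
            continue
        if name not in covered:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    for added in ({}, {"Thumbnails/meta.xml": b"<meta/>"}, {"external-data/meta.xml": b"<meta/>"}):
        pkg = build_package(added)
        print(sorted(added), "->", unreferenced_entries(pkg),
              "| with external-data exemption:", unreferenced_entries(pkg, honour_external_data=True))
```

Run against the three packages, the untouched one reports nothing, the one with "Thumbnails/meta.xml" reports that entry, and the one with "external-data/meta.xml" reports it unless the exemption is switched on, which matches what Steve observed in both of his tests. The check is only the coverage half of verification: a real verifier also recomputes every Reference's DigestValue (with canonicalization for XML streams) and checks SignatureValue against the certificate, so an unreferenced entry is one of several reasons a package can fail.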