kiwiwings

POI - Intermediate patch for Windows Cert Store

Feb 18th, 2018
  1. Index: src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
  2. ===================================================================
  3. --- src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java    (revision 1823895)
  4. +++ src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java    (working copy)
  5. @@ -222,7 +222,8 @@
  6.       *   which depends on a missing bouncy castle provider
  7.       */
  8.      public static Cipher getCipher(Key key, CipherAlgorithm cipherAlgorithm, ChainingMode chain, byte[] vec, int cipherMode, String padding) {
  9. -        int keySizeInBytes = key.getEncoded().length;
  10. +        // SunMSCAPI provider returns null on getEncoded()
  11. +        final int keySizeInBytes = key.getEncoded() == null ? -1 : key.getEncoded().length;
  12.          if (padding == null) padding = "NoPadding";
  13.          
  14.          try {
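Review bot: The new line calls `key.getEncoded()` twice; for ordinary software keys each call typically returns a fresh copy of the key material, so it should be fetched once: `final byte[] encoded = key.getEncoded();` followed by `final int keySizeInBytes = encoded == null ? -1 : encoded.length;`. The hunk does not show where keySizeInBytes is consumed, so the -1 sentinel for non-extractable (SunMSCAPI) keys has to be accepted by whatever key-length check follows, otherwise every Windows-store key is rejected there; a comment such as `// -1: provider-managed key, length not available` at the declaration would make the sentinel's meaning explicit. getCipher continues past the end of the hunk.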
  15. Index: src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
  16. ===================================================================
  17. --- src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java   (revision 1823895)
  18. +++ src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java   (working copy)
  19. @@ -27,6 +27,21 @@
  20.  import static org.apache.poi.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;
  21.  import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.XML_DIGSIG_NS;
  22.  
  23. +import java.io.ByteArrayOutputStream;
  24. +import java.io.File;
  25. +import java.io.IOException;
  26. +import java.io.OutputStream;
  27. +import java.security.GeneralSecurityException;
  28. +import java.security.MessageDigest;
  29. +import java.security.cert.X509Certificate;
  30. +import java.util.ArrayList;
  31. +import java.util.Collections;
  32. +import java.util.HashMap;
  33. +import java.util.Iterator;
  34. +import java.util.List;
  35. +import java.util.Map;
  36. +import java.util.NoSuchElementException;
  37. +
  38.  import javax.crypto.Cipher;
  39.  import javax.xml.crypto.MarshalException;
  40.  import javax.xml.crypto.URIDereferencer;
  41. @@ -41,7 +56,6 @@
  42.  import javax.xml.crypto.dsig.XMLSignature;
  43.  import javax.xml.crypto.dsig.XMLSignatureException;
  44.  import javax.xml.crypto.dsig.XMLSignatureFactory;
  45. -import javax.xml.crypto.dsig.XMLValidateContext;
  46.  import javax.xml.crypto.dsig.dom.DOMSignContext;
  47.  import javax.xml.crypto.dsig.dom.DOMValidateContext;
  48.  import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
  49. @@ -49,22 +63,6 @@
  50.  import javax.xml.xpath.XPathConstants;
  51.  import javax.xml.xpath.XPathExpressionException;
  52.  import javax.xml.xpath.XPathFactory;
  53. -import java.io.ByteArrayOutputStream;
  54. -import java.io.File;
  55. -import java.io.IOException;
  56. -import java.io.OutputStream;
  57. -import java.security.GeneralSecurityException;
  58. -import java.security.MessageDigest;
  59. -import java.security.Provider;
  60. -import java.security.Security;
  61. -import java.security.cert.X509Certificate;
  62. -import java.util.ArrayList;
  63. -import java.util.Collections;
  64. -import java.util.HashMap;
  65. -import java.util.Iterator;
  66. -import java.util.List;
  67. -import java.util.Map;
  68. -import java.util.NoSuchElementException;
  69.  
  70.  import org.apache.jcp.xml.dsig.internal.dom.DOMReference;
  71.  import org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo;
  72. @@ -237,26 +235,10 @@
  73.                  DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
  74.                  domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);
  75.                  domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer());
  76. -                brokenJvmWorkaround(domValidateContext);
  77.      
  78.                  XMLSignatureFactory xmlSignatureFactory = signatureConfig.getSignatureFactory();
  79.                  XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
  80.                  
  81. -                // TODO: replace with property when xml-sec patch is applied
  82. -                // workaround added in r1637283 2014-11-07
  83. -                for (Reference ref : (List<Reference>)xmlSignature.getSignedInfo().getReferences()) {
  84. -                    SignatureFacet.brokenJvmWorkaround(ref);
  85. -                }
  86. -                for (XMLObject xo : (List<XMLObject>)xmlSignature.getObjects()) {
  87. -                    for (XMLStructure xs : (List<XMLStructure>)xo.getContent()) {
  88. -                        if (xs instanceof Manifest) {
  89. -                           for (Reference ref : (List<Reference>)((Manifest)xs).getReferences()) {
  90. -                               SignatureFacet.brokenJvmWorkaround(ref);
  91. -                           }
  92. -                        }
  93. -                    }
  94. -                }
  95. -                
  96.                  boolean valid = xmlSignature.validate(domValidateContext);
  97.  
  98.                  if (valid) {
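Review bot: Nothing in the hunk records why the BC provider override on the validate context can now be dropped; the removed code existed specifically for non-SHA1 digest methods on JVMs affected by Red Hat bug 1155012. On a JVM that is still affected, validation of such signatures presumably now surfaces as an exception or `valid == false` rather than a false positive, which is the safe direction, but a one-line comment above the `DOMValidateContext` construction stating the JDK/xmlsec baseline that makes the workaround unnecessary would keep the next reader from re-adding it, e.g. `// no provider override here: relies on the JDK's XMLDSig digest handling (see removed workaround for RH bug 1155012)`. The `org.jcp.xml.dsig.validateManifests` property is still set, so manifest references remain part of the check. The enclosing method starts and ends outside the hunk.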
  99. @@ -465,8 +447,6 @@
  100.          xmlSignContext.setDefaultNamespacePrefix("");
  101.          // signatureConfig.getNamespacePrefixes().get(XML_DIGSIG_NS));
  102.          
  103. -        brokenJvmWorkaround(xmlSignContext);
  104. -        
  105.          XMLSignatureFactory signatureFactory = signatureConfig.getSignatureFactory();
  106.  
  107.          /*
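Review bot: With `brokenJvmWorkaround(xmlSignContext)` gone, the signing context no longer pins the `org.jcp.xml.dsig.internal.dom.SignatureProvider` property, so the JDK selects the provider for the private key; that is what a non-extractable SunMSCAPI key needs, but callers that depended on BC being forced here lose that path without any notice. If `SignatureConfig` does not already carry a provider, consider exposing one and applying it only when set, e.g. `Provider p = signatureConfig.getSignatureProvider(); if (p != null) xmlSignContext.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", p);` — SignatureConfig is not visible in the hunk, so this is an assumption to confirm. The enclosing method continues outside the hunk.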
  108. @@ -681,20 +661,4 @@
  109.          List<T> emptyList = Collections.emptyList();
  110.          return other == null ? emptyList : other;
  111.      }
  112. -
  113. -    private void brokenJvmWorkaround(XMLSignContext context) {
  114. -        // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
  115. -        Provider bcProv = Security.getProvider("BC");
  116. -        if (bcProv != null) {
  117. -            context.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", bcProv);
  118. -        }        
  119. -    }
  120. -
  121. -    private void brokenJvmWorkaround(XMLValidateContext context) {
  122. -        // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
  123. -        Provider bcProv = Security.getProvider("BC");
  124. -        if (bcProv != null) {
  125. -            context.setProperty("org.jcp.xml.dsig.internal.dom.SignatureProvider", bcProv);
  126. -        }        
  127. -    }
  128.  }
  129. Index: src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacet.java
  130. ===================================================================
  131. --- src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacet.java   (revision 1823895)
  132. +++ src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacet.java   (working copy)
  133. @@ -24,14 +24,7 @@
  134.  
  135.  package org.apache.poi.poifs.crypt.dsig.facets;
  136.  
  137. -import java.lang.reflect.Field;
  138. -import java.lang.reflect.Method;
  139. -import java.security.AccessController;
  140.  import java.security.GeneralSecurityException;
  141. -import java.security.MessageDigest;
  142. -import java.security.PrivilegedAction;
  143. -import java.security.Provider;
  144. -import java.security.Security;
  145.  import java.util.List;
  146.  
  147.  import javax.xml.XMLConstants;
  148. @@ -45,14 +38,11 @@
  149.  import javax.xml.crypto.dsig.XMLSignatureFactory;
  150.  import javax.xml.crypto.dsig.spec.TransformParameterSpec;
  151.  
  152. -import org.apache.jcp.xml.dsig.internal.dom.DOMDigestMethod;
  153. -import org.apache.jcp.xml.dsig.internal.dom.DOMReference;
  154.  import org.apache.poi.openxml4j.opc.PackageNamespaces;
  155.  import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
  156.  import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
  157.  import org.apache.poi.util.POILogFactory;
  158.  import org.apache.poi.util.POILogger;
  159. -import org.apache.poi.util.SuppressForbidden;
  160.  import org.w3c.dom.Document;
  161.  
  162.  /**
  163. @@ -153,38 +143,7 @@
  164.              reference = sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue);
  165.          }
  166.          
  167. -        brokenJvmWorkaround(reference);
  168.  
  169.          return reference;
  170.      }
  171. -    
  172. -    // helper method ... will be removed soon
  173. -    public static void brokenJvmWorkaround(final Reference reference) {
  174. -        final DigestMethod digestMethod = reference.getDigestMethod();
  175. -        final String digestMethodUri = digestMethod.getAlgorithm();
  176. -        
  177. -        final Provider bcProv = Security.getProvider("BC");
  178. -        if (bcProv != null && !DigestMethod.SHA1.equals(digestMethodUri)) {
  179. -            // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
  180. -            // overwrite standard message digest, if a digest <> SHA1 is used
  181. -            AccessController.doPrivileged(new PrivilegedAction<Void>() {
  182. -                @Override
  183. -                @SuppressForbidden("Workaround for a bug, needs access to private JDK members (may fail in Java 9): https://bugzilla.redhat.com/show_bug.cgi?id=1155012")
  184. -                public Void run() {
  185. -                    try {
  186. -                        Method m = DOMDigestMethod.class.getDeclaredMethod("getMessageDigestAlgorithm");
  187. -                        m.setAccessible(true);
  188. -                        String mdAlgo = (String)m.invoke(digestMethod);
  189. -                        MessageDigest md = MessageDigest.getInstance(mdAlgo, bcProv);
  190. -                        Field f = DOMReference.class.getDeclaredField("md");
  191. -                        f.setAccessible(true);
  192. -                        f.set(reference, md);
  193. -                    } catch (Exception e) {
  194. -                        LOG.log(POILogger.WARN, "Can't overwrite message digest (workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012)", e);
  195. -                    }
  196. -                    return null; // Void
  197. -                }
  198. -            });
  199. -        }
  200. -    }
  201.  }
  202. \ No newline at end of file