OASIS Open Document Format for Office Applications (OpenDocument) TC

 View Only
  • 1.  XAdES support in ODF

    Posted 09-24-2010 17:12
    Hi,
    
    
    at Fedict, Frank is working very hard on all the eID goodies, including signing XML-documents
    like ODF with the eID.
    
    I signed an ODF document (in attachment) with my Belgian eID card. While the signature file
    might not be 100% in line with the latest 1.2 draft, it does contain XAdES 1.4.1 elements that are
    worth looking at.
    
    Feedback is welcome of course, and hopefully it is useful for nailing down the signature support
    in ODF.
    
    
    Best regards
    
    Bart
    


  • 2.  RE: XAdES support in ODF

    Posted 09-24-2010 19:26
    Interesting - several comments, in no particular order:
    
    You didn't sign everything in the file, especially in Configurations2/* - why not?
    
    The Reference URIs have to have some way of knowing which are package files and which are internal references and which are external references. In my proposal, I'd suggested basing this off the Type attribute. Alternately, you can make another Object element with a Manifest that plays by different rules, since an Object element is implementation dependent. I don't think that what you have here is legal XmlDSig as a result. Though this is easily enough fixed.
    
    I don't think an Id attribute is needed on SignatureValue - we know what it is signing.
    
    I'd also suggest making your Reference for the time SignatureProperty element just cover SignatureProperties instead. I'd also suggest putting an Id on the Object element so that we know how to parse it. You can end up with several Object elements, and this is one that's required for compatibility with existing signatures, so we need to be able to find it.
    
    Also a good idea to put an Id on the XAdES Object, though this one can be identified by looking for a Reference with a specific Type attribute, and then finding it from there.
    
    I think your namespace declaration is incorrect, in that you only need to use the 1.4.1 namespace on 1.4.1-specific elements. We should double-check the XAdES standard to be sure.
    
    You don't have any CertValues in your TimestampValidationData elements - why? (If the timestamp cert is self-signed, that would be one reason.)
    
    Because Id attributes have to be unique in a document, you've nicely made the Id random and unique to each Signature. I don't think I have creating these covered in my proposal. It might be a good idea to specify how these should be created.
    
    The canonicalization method used for the time stamp is different than for the rest of the Reference elements. Why is this different?
    
    
    


  • 3.  RE: XAdES support in ODF

    Posted 09-24-2010 23:56
    Thanks David, very useful remarks.
    
    A few questions though, to check if I fully understand them.
    
    
    > You didn't sign everything in the file, especially in Configurations2/* - why not?
    
    You mean empty things like Configuration/menubar ? The latest ODF draft spec says:
    "Document signatures shall contain a 


  • 4.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 00:54
    Bart,
    
    There are no Zip entries for empty directory structures or directory
    structures of any kind.  I think you mean 


  • 5.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 04:13
    I was looking at the directory structure in the zip file. Current spec says that everything has to be signed, and if it is of zero length, then something that made it not zero length would possibly change the content or appearance, and should then break the signature.
    
    If there are things that do not change the content or appearance, then perhaps they shouldn't be signed, and the constraint that everything should be signed (other than documentsignature.xml) is too broad. In OOXML documents, we don't sign everything, and have some areas meant for things that can change without breaking the signature.
    
    ________________________________________
    From: Dennis E. Hamilton [dennis.hamilton@acm.org]
    Sent: Friday, September 24, 2010 5:53 PM
    To: 'Hanssens Bart'; David LeBlanc; office@lists.oasis-open.org
    Cc: 'Cornelis Frank'
    Subject: RE: [office] RE: XAdES support in ODF
    
    Bart,
    
    There are no Zip entries for empty directory structures or directory
    structures of any kind.  I think you mean 


  • 6.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 05:07
    You're right, the Configurations2\accelerator\current.xml should have been
    signed, and it was.  Oddly, they used the default transformation, but I
    guess that is tolerable considering it is a 0-length file.  
    
    So I don't think they missed any that they weren't supposed to.  They even
    signed the mimetype, Thumbnails/thumbnail.png, manifest.rdf and
    META-INF/manifest.xml.  It looks like everything was signed that could be.  
    
     - Dennis
    
    
    


  • 7.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 09:11
    Hi,
    
    > You're right, the Configurations2\accelerator\current.xml should have been
    > signed, and it was.  Oddly, they used the default transformation, but I
    > guess that is tolerable considering it is a 0-length file.
    
    The ...current.xml is indeed signed, using the default transformation because
    another transformation will throw an exception (Java 6)
    
    (Is a 0-length xml file valid XML by the way ?)
    
    
    Bart
    
    


  • 8.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 16:35
    Good point.  No, a 0-length file is not a valid XML document.  It is not
    even well-formed.  The syntax rule for document requires that there be a
    root element.  (See [XML1.0] section 2.1 and the rule for element in section
    3.)
    
    So it seems appropriate that canonicalization will fail and treating the
    file as a 0-length raw binary is an useful fall-back in a signature
    application, since we don't want the signing to fail over such a thing.
    
    On the other hand, this looks like something an ODF validator should catch.
    
     - Dennis
    
    


  • 9.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 17:53
    Oh ... just noticed:
    
    It seems we have no right to assume that the 0-length
    Configurations2/accelerator/current.xml is an XML file.  Note that it has no
    recognizable media-type (and that is another validator-catchable problem,
    though):
    
       


  • 10.  RE: [office] RE: XAdES support in ODF

    Posted 09-25-2010 18:28
    Several more detailed answers when my wife isn't waiting on me - 
    
    Why would you even write a 0-length file into the archive? Seems an odd thing to do. 
    
    I'll get back to the rest of it later.
    
    ________________________________________
    From: Dennis E. Hamilton [dennis.hamilton@acm.org]
    Sent: Saturday, September 25, 2010 10:53 AM
    To: 'Hanssens Bart'; office@lists.oasis-open.org
    Cc: 'Cornelis Frank'
    Subject: RE: [office] RE: XAdES support in ODF
    
    Oh ... just noticed:
    
    It seems we have no right to assume that the 0-length
    Configurations2/accelerator/current.xml is an XML file.  Note that it has no
    recognizable media-type (and that is another validator-catchable problem,
    though):