"Dennis E. Hamilton" <dennis.hamilton@acm.org> wrote on 2011-08-16 01:59:01:

> From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
> To: "odf-dev ODF Toolkit Incubator" <odf-dev@incubator.apache.org>
> Date: 2011-08-16 01:58
> Subject: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
>
> Now that the list exists, ...
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Wednesday, August 10, 2011 08:42
> To: 'Biao Han'
> Subject: RE: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
>
> Nicely done.  Thanks for being so visible.
>
> Another thing you can do is set up an ODFtoolkit blog at Apache.  
> Ideally, the mailing lists will appear soon.
>
> Two Questions:
>
>  1.   My impression is that the signatures from OO.o are correct.  
> They do specify namespaces, but use default namespace declarations
> instead of prefixes.
>   In what way is the signature document incorrect?


The signature document always works. The question is the realization detail: duplicate X.509 certificate info and no namespace prefix.

>   Also, what versions of OpenOffice.org/LibreOffice are you checking
> signatures against?
>   I have signatures from LibreOffice 3.4 that do not appear to
> duplicate X.509 certificates and that seem to use namespaces
> correctly, although dsig namespace is
> declared with default xmlns declaration.


I attach a sample file. I am sure there is duplicate X.509 certificate info in it.

You can also reference http://openoffice.org/bugzilla/show_bug.cgi?id=66276; they face the same issue.

>  2.   Does ODFDOM fail because of namespace being declared as
> default or because of something to do with canonicalization?  If the
> XML Digital Signature specification requires default namespace, it
> may be that ODF specification is incorrect.
>   Have you found expert appraisal of what XML Digital Signature requires?

ODFDOM fails because the signature file is without a namespace prefix. This may be considered a bug in ODFDOM.

But all of the other XML files (content.xml, styles.xml, meta.xml, settings.xml and manifest.xml) have a namespace prefix. Even the schema of documentsignatures.xml has a namespace prefix, but the OpenOffice-generated file doesn't. I suggest OpenOffice should follow this.

<define name="dsig-document-signatures">
  <element name="dsig:document-signatures">
    <ref name="dsig-document-signatures-attlist"/>
    <oneOrMore>
      <ref name="ds-signature"/>
    </oneOrMore>
  </element>
</define>
<define name="dsig-document-signatures-attlist">
  <attribute name="dsig:version">
    <value>1.2</value>
  </attribute>
</define>
<define name="ds-signature">
  <element name="ds:Signature">
    <!-- The permitted content of this element is the permitted -->
    <!-- content of the Signature element defined by W3C XML -->
    <!-- Signature Syntax and Processing (Second Edition). -->
    <!-- See OpenDocument v1.2 part 3, section 4.3. -->
    <ref name="dsMarkup"/>
  </element>
</define>


>  - Dennis
>
> -----Original Message-----
> From: Biao Han [mailto:hanbiao@cn.ibm.com]
> Sent: Wednesday, August 10, 2011 08:14
> To: dev@simple.odftoolkit.org; dev@odfdom.odftoolkit.org;
> dev@odftoolkit.odftoolkit.org
> Cc: general@incubator.apache.org
> Subject: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
>
> [ ... ]
>
>    ODFDOM
>    1. Working on data signature. There are two issues caused by OpenOffice
>    that block the process.
>        (1) OpenOffice.org generates a namespace-unaware signature document.
>    ODFDOM fails to load it.
>        (2) OpenOffice.org creates multiple X509Certificates instead of the
>    correct certification chain under ds:KeyInfo.
>        see also:
>          https://bugs.freedesktop.org/show_bug.cgi?id=39657 (ds namespace
>          in LibreOffice)
>          http://openoffice.org/bugzilla/show_bug.cgi?id=107864 (ds
>          namespace in OOo)
>          http://openoffice.org/bugzilla/show_bug.cgi?id=66276 (multiple
>          X509Certificate  in OOo)
>          http://openoffice.org/bugzilla/show_bug.cgi?id=108286
>        We have to supply two modes to fix it. One follows ODF
>    specification, the other follows Open Office. The question is which is
>    the default?
> [ ... ]
>
> Regards
>
> Biao Han (Devin)
> SOA Standards Growth, Emerging Technology Institute(ETI), IBM China
> Software Development Laboratory
> Tel:(86-10)82450541
> Email: hanbiao@cn.ibm.com
> Address: 3/F Ring Building, No.28 Building, Zhong Guan Cun Software Park,
> No. 8 Dong Bei Wang West Road, ShangDi, Haidian District, Beijing,
> P.R.C.100193
>
(See attached file: documentsignatures-openoffice.xml)
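
Added example, not part of the original message and not ODFDOM code: a namespace-aware check of the two points discussed in this thread, showing that a default xmlns declaration and a dsig:/ds: prefix resolve to the same element names, and counting repeated X509Certificate values per ds:Signature. The namespace URIs come from W3C XML Signature and ODF 1.2; the function name and the trimmed sample documents (with placeholder certificate values) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

DS = "http://www.w3.org/2000/09/xmldsig#"  # W3C XML Signature
DSIG = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"  # ODF 1.2

def audit_signatures(xml_text):
    """Return (root_in_dsig_ns, [duplicate-cert count per ds:Signature])."""
    root = ET.fromstring(xml_text)
    # ElementTree expands names to {uri}local, so a default xmlns
    # declaration and a dsig:/ds: prefix yield identical tags.
    root_ok = root.tag == f"{{{DSIG}}}document-signatures"
    dupes = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        certs = Counter(
            "".join((c.text or "").split())  # ignore base64 line wrapping
            for c in sig.iter(f"{{{DS}}}X509Certificate")
        )
        dupes.append(sum(n - 1 for n in certs.values()))
    return root_ok, dupes

# Constructed samples; certificate values are placeholders, not real DER.
DEFAULT_NS = f"""<document-signatures xmlns="{DSIG}">
  <Signature xmlns="{DS}" Id="sig1"><KeyInfo><X509Data>
    <X509Certificate>QUFBQQ==</X509Certificate>
    <X509Certificate>QUFB
QQ==</X509Certificate>
  </X509Data></KeyInfo></Signature>
</document-signatures>"""

PREFIXED = f"""<dsig:document-signatures xmlns:dsig="{DSIG}" xmlns:ds="{DS}">
  <ds:Signature Id="sig1"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>QUFBQQ==</ds:X509Certificate>
    <ds:X509Certificate>QkJCQg==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</dsig:document-signatures>"""

# No namespace declared at all: the elements are not dsig/ds elements.
NO_NS = "<document-signatures><Signature/></document-signatures>"

if __name__ == "__main__":
    for name, doc in [("default xmlns", DEFAULT_NS),
                      ("prefixed", PREFIXED),
                      ("no namespace", NO_NS)]:
        print(name, audit_signatures(doc))
```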