incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 119214] New: Saving in ODF 1.1/1.2 Default Encryptions should omit optional items defined by default
Date Wed, 11 Apr 2012 01:40:23 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=119214

             Bug #: 119214
        Issue Type: DEFECT
           Summary: Saving in ODF 1.1/1.2 Default Encryptions should omit
                    optional items defined by default
    Classification: Code
           Product: security
           Version: AOO340-dev
          Platform: PC
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: www
        AssignedTo: issues@security.openoffice.org
        ReportedBy: orcmid@apache.org
                CC: ooo-issues@incubator.apache.org


Apache OpenOffice 3.4.0 r1309668 will produce the ODF 1.1/1.2 default Blowfish
encryption with SHA1 digests.  (It is the default in accordance with the
resolution of issue #119090.)  However, elements and attributes are used which
are not defined for ODF 1.1 documents and are not recognized by OpenOffice.org
releases that precede the establishment of these optional elements in the ODF
1.2 specification.

RECOMMENDATION

Whenever the SHA1 digests and Blowfish encryption are used and the parameters
are those understood by default for ODF 1.2 (and as exclusive cases for ODF
1.1), the explicit setting of those parameters should not be performed.

Specifically:

The <manifest:start-key-generation> element should not be produced when the
digest is the default "SHA1" and the key-size is the default 20.  This is an
optional element in ODF 1.2. It does not exist in ODF 1.0/1.1.  In ODF 1.0/1.1
the ODF 1.2 default parameters are tacit.

The <manifest:key-derivation> manifest:key-size should be omitted when the
default value of 16 is expected.  This is an optional attribute in ODF 1.2.  It
does not exist in ODF 1.0/1.1.  In ODF 1.0/1.1, the size of 16 is understood.

EXAMPLE

When the fully-explicit case is of this form:

    <manifest:file-entry manifest:media-type="text/xml"
             manifest:full-path="content.xml" manifest:size="3587">
        <manifest:encryption-data manifest:checksum-type="SHA1/1K"
                manifest:checksum="x6qqlWMYrhuzxAqPcO8niNZOWIc=">
            <manifest:algorithm manifest:algorithm-name="Blowfish CFB"
                    manifest:initialisation-vector="1u3Zg9iEHQQ="  />
            <manifest:key-derivation manifest:key-derivation-name="PBKDF2"
                    manifest:key-size="16" manifest:iteration-count="1024"
                    manifest:salt="O4elKYLGe3qqLjIXEO3NXQ=="  />
            <manifest:start-key-generation
                    manifest:start-key-generation-name="SHA1"
                    manifest:key-size="20"    />
        </manifest:encryption-data>
    </manifest:file-entry>

It should be abbreviated to this form, providing the maximum safe downward
compatibility by achieving the same effect using the default definitions:

    <manifest:file-entry manifest:media-type="text/xml"
            manifest:full-path="content.xml" manifest:size="5427">
        <manifest:encryption-data manifest:checksum-type="SHA1/1K"
                manifest:checksum="c3hAKVVsQkDjjumyfU8/pECHfZA=">
            <manifest:algorithm manifest:algorithm-name="Blowfish CFB"
                    manifest:initialisation-vector="4QYt5d5RrQ4="/>
            <manifest:key-derivation manifest:key-derivation-name="PBKDF2"
                    manifest:iteration-count="1024"
                    manifest:salt="ieDfP45urTGFmp6rb4gIAw=="/>
        </manifest:encryption-data>
    </manifest:file-entry>

-- 
Configure bugmail: https://issues.apache.org/ooo/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
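
The abbreviation recommended in the report above, as an added Python example (not code from the report or from Apache OpenOffice). The function name `abbreviate_defaults` is hypothetical, the namespace URI is the standard ODF manifest namespace (the report's fragments omit the declaration), and the second `styles.xml` entry is constructed with non-default values to show it is left alone.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ET.register_namespace("manifest", NS)
q = lambda name: f"{{{NS}}}{name}"  # qualified-name helper

def abbreviate_defaults(manifest_xml):
    """Drop the optional ODF 1.2 items whose values equal the defaults."""
    root = ET.fromstring(manifest_xml)
    changes = []
    for entry in root.iter(q("file-entry")):
        path = entry.get(q("full-path"))
        for enc in entry.findall(q("encryption-data")):
            alg = enc.find(q("algorithm"))
            if alg is None or alg.get(q("algorithm-name")) != "Blowfish CFB":
                continue  # only the default Blowfish case is abbreviated
            skg = enc.find(q("start-key-generation"))
            if (skg is not None and skg.get(q("key-size")) == "20"
                    and skg.get(q("start-key-generation-name")) == "SHA1"):
                enc.remove(skg)  # SHA1 with key-size 20 is the tacit default
                changes.append((path, "start-key-generation"))
            kd = enc.find(q("key-derivation"))
            if kd is not None and kd.get(q("key-size")) == "16":
                del kd.attrib[q("key-size")]  # 16 is understood when absent
                changes.append((path, "key-derivation/@key-size"))
    return ET.tostring(root, encoding="unicode"), changes

# Constructed sample: the first entry is the report's fully-explicit form; the
# second has made-up non-default values and must come through unchanged.
SAMPLE = f"""<manifest:manifest xmlns:manifest="{NS}">
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="3587">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="x6qqlWMYrhuzxAqPcO8niNZOWIc=">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="1u3Zg9iEHQQ="/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="O4elKYLGe3qqLjIXEO3NXQ=="/>
   <manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
  </manifest:encryption-data>
 </manifest:file-entry>
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="styles.xml" manifest:size="100">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="AAAA">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="AAAA"/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="32" manifest:iteration-count="1024" manifest:salt="AAAA"/>
   <manifest:start-key-generation manifest:start-key-generation-name="SHA256" manifest:key-size="32"/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>"""

if __name__ == "__main__":
    xml_out, changes = abbreviate_defaults(SAMPLE)
    print(changes)
    print(xml_out)
```

Running the function a second time on its own output reports no changes, so it is safe to apply to manifests that are already abbreviated.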