Open-XML-SDK icon indicating copy to clipboard operation
Open-XML-SDK copied to clipboard

Published 20 hours ago verified publisher icon dotnet

Cloning a package breaks digital signatures.

Open petarpetrovt opened this issue 2 years ago • 1 comments

Describe the bug Cloning a package via OpenXmlPackage Clone(Stream stream) method breaks digital signatures.

Screenshots documentrels rels

To Reproduce

using var document = WordprocessingDocument.Open("valid.docx", isEditable: false);
using var clonedStream = File.Open("invalid.docx", FileMode.Create, FileAccess.ReadWrite);
using var clone = document.Clone(clonedStream);

Steps to reproduce the behavior:

  1. Create .docx file using Microsoft Word and add digital signature or signature line and sign it.
  2. Open via WordprocessingDocument and Clone into new file.

Observed behavior Some XML parts gets reordered, / added to Target attribute in Relationship URIs, standalone XML declaration is added some parts.

Expected behavior No changes should happen in part that are used in signature digests.

Desktop (please complete the following information):

  • OS: Windows
  • .NET Target: net6.0
  • DocumentFormat.OpenXml Version: 2.19.0

petarpetrovt avatar Mar 20 '23 12:03 petarpetrovt

I'm not sure how much we can do with this as this is how System.IO.Packaging writes it out. I've recently inserted an abstraction between the main SDK and System.IO.Packaging, but we still rely on this behavior.

For background, the cloning is done by loading things and writing out to a new package. They are semantically cloned, but as you see, they do not have the same exact structure so signatures would not work. If that is necessary, I'd suggest clone them at the stream/file level first.

twsouthwick avatar Mar 22 '23 01:03 twsouthwick