Security/Digital Signatures

From Apache OpenOffice Wiki
Revision as of 15:56, 24 June 2009

Digital Signature Specification for ODF 1.2

Digital Signatures have already been specified in an ODF 1.2 draft from 2007 (OpenDocument-v1.2-draft6.odt).

However, after studying the Black Hat 2009 OOo Security Briefing, we feel that the final ODF 1.2 specification needs to be improved, so that the manifest.xml will also be part of a document signature.

It is not clear whether the document signature file itself should always be signed as well, because that depends on the use case, so we want to leave this optional.

This is the latest draft of the proposal that we will send to the OASIS OpenDocument TC:

Document and Macro Signatures

An OpenDocument document that is stored in a package may have one or more digital signatures applied to the package. A document signature is a digital signature that is applied to all files contained in a package, regardless of whether they are defined by this specification or are application-specific extensions. This also includes files which carry meta information used by the package itself, such as manifest.xml and additional signature files, but might exclude the signature file itself. Because the signature is applied to every file, applications can detect if additional files were added after the document had been signed. This also applies to additional signature files contained in META-INF, such as macrosignatures.xml. If files were added after the document signature had been created, then applications must inform the user, for example by indicating that the signature is broken.

Document signatures are stored in a file called META-INF/documentsignatures.xml in the package, as described in section 2.4 of the OpenDocument specification part 3. A document signature shall be considered to be valid only if the XML Digital Signature contained in documentsignatures.xml is valid itself, if it is applied to all files of the package, which may include the signature file itself, and if no files were added after the signature was created.

A macro signature is a digital signature that is applied to macro code and other executable code that may be contained in a package. Macro signatures are stored in a file called META-INF/macrosignatures.xml in the package, as described in section 2.4 of the OpenDocument specification part 3. Since macro code and executable code is application specific, this specification does not define to which files a macro signature applies. However, an application shall consider a macro signature as invalid if a package contains files to which the macro signature is not applied, and which contain macro or executable code that the application is able to execute.

Since a document signature is applied to all files, it includes the files to which a macro signature is applied. A document may have document and macro signatures applied simultaneously, and may have further application-specific signatures applied to its package.

2.4 Digital Signatures

Document files and package files, that is, the files which carry meta information for the package, such as manifest.xml, may have a digital signature applied. Digital signatures are stored in one or more files within the META-INF folder. The names of these files shall contain the term "signatures". Each of these files contains a <dsig:document-signatures> root element that serves as a container for an arbitrary number of <Signature> elements as defined by the [xml-dsig] specification. If the <dsig:document-signatures> element contains multiple <Signature> elements, then there should be a relation between the digital signatures they define; for instance, they may all apply to the same set of files.

Applications may require that a digital signature includes a certain set of files. That is, they may consider a digital signature to be valid if, and only if,
the digital signature itself is valid, and
the <Reference> child elements of the <Signature> element reference a certain set of files.
In particular, applications may require that a digital signature references all files contained in a package.
The schema for digital signatures is: ...

Digital Signature Implementation in OOo 3.2

The implementation of the digital signatures needs to be changed to match the updated Digital Signature Specification for ODF 1.2.

Additionally, OOo should also warn when the document contains macros which are not part of the document signature. The warning is also shown for documents created with OOo 3.0 or later, but unfortunately not for documents created with older versions (for compatibility reasons: macros were not part of the document signature before).
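The coverage rule in the draft above (a document signature is valid only if its <Reference> elements cover every file in the package, the signature file itself optionally excepted) and the macro warning wanted for OOo 3.2 can both be expressed as one check over the package. The following is an added example written for this page, not OpenOffice.org code: it builds a constructed minimal ODF package in memory, with placeholder digest and signature values rather than a real XML-DSig, and reports which files are not referenced from META-INF/documentsignatures.xml and which of those look like macro code. The Basic/ and Scripts/ prefixes used to recognise macro content and the dsig namespace URI in the sample are assumptions; the cryptographic check of the signature itself (digests, SignatureValue, certificate chain) is a separate step this example does not perform.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DOCSIG_PATH = "META-INF/documentsignatures.xml"
# Assumption about the OOo package layout: Basic/ holds StarBasic libraries and
# Scripts/ holds Python/Java/BeanShell scripts, i.e. the executable content.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def referenced_uris(sig_xml):
    """URIs of every <Reference> under every <Signature> in the signature file.
    Same-document references ('#...') point into the signature itself, not at a
    package file, so they do not count as coverage."""
    root = ET.fromstring(sig_xml)
    uris = set()
    for ref in root.iter("{%s}Reference" % XMLDSIG_NS):
        uri = ref.get("URI", "")
        if uri and not uri.startswith("#"):
            uris.add(uri)
    return uris


def check_document_signature(package):
    """Apply the draft's coverage rule to an ODF package (ZIP bytes). Returns status
    'unsigned' | 'complete' | 'incomplete', the uncovered files, which of them hold
    executable content, and referenced URIs with no file behind them. Cryptographic
    validity of the XML-DSig itself (digests, SignatureValue, certificate) is NOT checked."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        files = {n for n in zf.namelist() if not n.endswith("/")}
        if DOCSIG_PATH not in files:
            return {"status": "unsigned", "uncovered": sorted(files),
                    "unsigned_macros": [], "dangling": []}
        refs = referenced_uris(zf.read(DOCSIG_PATH))
    # The draft allows the signature file to be left out of its own references.
    uncovered = sorted(files - {DOCSIG_PATH} - refs)
    dangling = sorted(refs - files)
    macros = [n for n in uncovered if n.startswith(MACRO_PREFIXES)]
    status = "complete" if not uncovered and not dangling else "incomplete"
    return {"status": status, "uncovered": uncovered,
            "unsigned_macros": macros, "dangling": dangling}


def user_message(result):
    """Wording in the spirit of the draft: the user must learn that files were added."""
    if result["status"] == "unsigned":
        return "Document is not signed."
    if result["status"] == "complete":
        return "Document signature covers every file in the package."
    msg = "Signature is broken: %d file(s) not covered." % len(result["uncovered"])
    if result["unsigned_macros"]:
        msg += " The document contains macros that are not part of the signature."
    return msg


# Constructed sample data below; no real signing takes place.
def build_signature_xml(uris):
    """documentsignatures.xml with the layout the draft describes and placeholder
    digest/signature values. The dsig namespace URI is an assumption for this sample."""
    ref = ('<Reference URI="%s"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
           '<DigestValue>AAAA</DigestValue></Reference>')
    body = "".join(ref % u for u in uris) + ref % "#idPackageObject"
    return ('<dsig:document-signatures xmlns:dsig="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
            '<Signature xmlns="%s" Id="ID_1"><SignedInfo>%s</SignedInfo>'
            '<SignatureValue>AAAA</SignatureValue></Signature></dsig:document-signatures>'
            % (XMLDSIG_NS, body)).encode()


def build_package(files):
    """Minimal ODF package: 'mimetype' first and uncompressed, as ODF requires."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", b"application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


BASE_FILES = {"META-INF/manifest.xml": b"<manifest:manifest/>",
              "content.xml": b"<office:document-content/>",
              "styles.xml": b"<office:document-styles/>"}
SIGNED_URIS = ["mimetype", "META-INF/manifest.xml", "content.xml", "styles.xml"]


def signed_package():
    """Package as it left the signer: every file, manifest.xml included, is referenced."""
    files = dict(BASE_FILES)
    files[DOCSIG_PATH] = build_signature_xml(SIGNED_URIS)
    return build_package(files)


def tampered_package():
    """Signed package with a Basic library appended afterwards and the old signature kept.
    An attacker would also edit manifest.xml; that is only caught by the manifest digest."""
    files = dict(BASE_FILES)
    files[DOCSIG_PATH] = build_signature_xml(SIGNED_URIS)
    files["Basic/script-lc.xml"] = b"<library:libraries/>"
    files["Basic/Standard/Module1.xml"] = b"<script:module>Sub Main\nEnd Sub</script:module>"
    return build_package(files)
```

Running `check_document_signature(tampered_package())` lists the two Basic/ files as uncovered and flags them as unsigned macros, while the signed package comes back complete. Note what this does and does not catch: a file appended to the package after signing shows up as uncovered even though the signature value itself would still verify, which is exactly the situation the draft asks applications to report as a broken signature. A modification to a file that is referenced, such as editing manifest.xml to list the new library, is only detected by recomputing that reference's digest, so the coverage check has to run alongside, not instead of, normal XML-DSig verification.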
