Apache POI

[Ugo Cei]

Hello,

please let me introduce myself. My name is Ugo Cei and I am an ASF
member and committer for the Apache POI project. I found the eid-
applet project while looking for a headstart in implementing digital
signature features for the OOXML format (which by the way is supported
in the just released version 3.5 of Apache POI). What I found in this
project is actually much more than a headstart, but a solution that is
almost complete, so congratulations for your effort!

The reason I am writing this message is that I would like to ask what
your thoughts are concerning a possible donation of the OOXML digital
signature bits of the eid-applet project to Apache POI. I think that
having them as part of POI would be very useful to POI users and, at
the same time, you would gain a number of users and committers who
could work on maintaining and enhancing the code.

From a technical point of view, I have already managed to extract the
relevants classes and build them separately, so I don't foresee any
problems with this. In the process, I have also rewritten some code to
use the OpenXML4J classes (now part of POI) instead of ZipFile
directly, which lead to a nice reduction in code size.

From a legal point of view, you would need to relicense the code
under the Apache License, since it is not permissible to mix (L)GPL
code with AL code in Apache projects. I hope this is not a problem for
you.

If you are interested in discussing this, please let me know. I am
monitoring this list but you can also reach me at my ASF address <u...@apache.org
>.

Regards,

Ugo

[Cornelis Frank]

Hi Ugo,


Thanks for your interest in the eID Applet project. As the Belgian Federal Government (FedICT) is copyright holder of the eID Applet project I'll have to discuss a possible dual-licensing of the OOXML digital signature bits here internally first. Relicense the entire eID Applet under AL is for sure out of the question as this would no longer be in-line with our strategy towards commercial business entities.


Kind Regards,
Frank.
________________________________________
Van: eid-a...@googlegroups.com [eid-a...@googlegroups.com] namens Ugo Cei [ugo...@gmail.com]
Verzonden: dinsdag 29 september 2009 14:43
Aan: eid-a...@googlegroups.com
Onderwerp: [bulk] [eid-applet] Apache POI

[Ugo Cei]

On Oct 2, 2009, at 10:15 AM, Cornelis Frank wrote:

> Thanks for your interest in the eID Applet project. As the Belgian
> Federal Government (FedICT) is copyright holder of the eID Applet
> project I'll have to discuss a possible dual-licensing of the OOXML
> digital signature bits here internally first. Relicense the entire
> eID Applet under AL is for sure out of the question as this would no
> longer be in-line with our strategy towards commercial business
> entities.

Thanks for your reply, Frank. Looking forward to hear from you again
when you have discussed the issue.

Ugo

[fcorneli]

Hi Ugo,


I've discussed the license issue here at FedICT. We're willing to dual-
license (LGPL/AL) the Java source code files concerning the creation
and validation of OOXML signatures as found under the eid-applet-
service-signer artifact. The headers on these Java source files have
been adopted accordingly.
Check it out at:
http://code.google.com/p/eid-applet/source/detail?r=204


Kind Regards,
Frank.

[Ugo Cei]

On Oct 7, 2009, at 12:34 PM, fcorneli wrote:

> I've discussed the license issue here at FedICT. We're willing to
> dual-
> license (LGPL/AL) the Java source code files concerning the creation
> and validation of OOXML signatures as found under the eid-applet-
> service-signer artifact. The headers on these Java source files have
> been adopted accordingly.

Frank,

thanks for your kind support. The following sources, with some
modifications, together with data files used for tests, have been
committed to the POI project:

A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
TemporaryDataStorage.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
AbstractXmlSignatureService.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
KeyInfoKeySelector.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
NoCloseInputStream.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/OOXMLSignatureAspect.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/package-info.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/AbstractOOXMLSignatureService.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/OOXMLURIDereferencer.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/OOXMLProvider.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/RelationshipComparator.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/RelationshipTransformParameterSpec.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/OOXMLSignatureVerifier.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/signer/
ooxml/RelationshipTransformService.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
AuthenticationService.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
InsecureClientEnvironmentException.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
SignatureService.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
package-info.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
DigestInfo.java
A src/ooxml/java/org/apache/poi/ooxml/signature/service/spi/
SecureClientEnvironmentService.java
A src/ooxml/testcases/org/apache/poi/ooxml/signature/service/
signer/TemporaryTestDataStorage.java
A src/ooxml/testcases/org/apache/poi/ooxml/signature/service/
signer/PkiTestUtils.java
A src/ooxml/testcases/org/apache/poi/ooxml/signature/service/
signer/TestAbstractOOXMLSignatureService.java
A src/ooxml/testcases/org/apache/poi/ooxml/signature/service/
signer/TestAbstractXmlSignatureService.java
A src/ooxml/testcases/org/apache/poi/ooxml/signature/service/
signer/TestOOXMLSignatureVerifier.java

Package names have been changed to reflect the structure of POI
sources. A notice about the source of those files has been added to
the NOTICE document:

This product contains parts that were originally based on the eID
Applet project
(http://code.google.com/p/eid-applet/). Copyright (C) 2008-2009 FedICT.

Let me know if there's anything else that you would like me to do.

Regards,

Ugo

[Ugo Cei]

Frank et. al.,

as I previously wrote, the code is now included in POI, so big thanks
again.

There's a couple more things that I would like to ask from you. First,
would it be possible to state on the home page or the README.txt file
that the parts relating to digital signatures in OOXML files are dual-
licensed?

Second, I think the headers for the test cases haven't been updated
yet. Of course, we would like to have the tests together with the
code. Would you be so kind as to add the Apache License header to
those as well?

Thanks,

Ugo

[Cornelis Frank]

Hi Ugo,


No problem. Check it out at:
http://code.google.com/p/eid-applet/source/detail?r=213

During the last couple of days I've refactored the XML signature code quite heavily (adding a XAdES signature facet), so you might want to sync.

Kind Regards,
Frank.
________________________________________
Van: eid-a...@googlegroups.com [eid-a...@googlegroups.com] namens Ugo Cei [ugo...@gmail.com]

Verzonden: woensdag 14 oktober 2009 17:40
Aan: eid-a...@googlegroups.com
Onderwerp: [bulk] [eid-applet] Re: Apache POI

[andreas...@gmx.de]

Hi Frank,

after the original code has been removed from the POI repository [2],
I've migrated a recent version again [1]

I did quite some modification to it, so the original class names don't correspond in every case.

As for the discussed license issue above, I would need to have the below new classes
dual licensed.

It would be really great to include that functionality in POI.

If only a partial licensing would be possible, I would remove the non-conforming parts from the
patch.

Thank you and best wishes,

Andi

in eid-applet-service-spi\src\main\java\be\fedict\eid\applet\service\spi:

AddressDTO.java

DigestInfo.java

IdentityDTO.java

SignatureService.java

in eid-applet-service-signer\src\main\java\be\fedict\eid\applet\service\signer\ooxml:

OPCKeySelector.java

Office2010SignatureFacet.java

in eid-applet-service-signer\src\main\java\be\fedict\eid\applet\service\signer\time:

TSPTimeStampService.java

TimeStampServiceValidator.java

TimeStampService.java

in eid-applet-service-signer\src\main\java\be\fedict\eid\applet\service\signer\facets:

RevocationData.java

XAdESSignatureFacet.java

SignaturePolicyService.java

RevocationDataService.java

XAdESNamespacePrefixMapper.java

XAdESXLSignatureFacet.java

in eid-applet-service-signer\src\test\java\test\unit\be\fedict\eid\applet\service\signer:

XAdESSignatureFacetTest.java

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=56836

[2] http://apache-poi.1045710.n5.nabble.com/Recent-additions-to-POI-quot-Added-implementation-of-Digital-Signature-support-quot-td2339353.html

[Frank Cornelis]

Hi Andreas,


The eID Applet copyright holders are:
* me; I'm also going to transfer the copyright to my company
e-Contract.be BVBA.
* FedICT, federal ICT department of Belgium.
* Bart Hanssens who also worked on the eID Applet after hours (while at
FedICT) and thus can claim copyright.

As I finally got rid of the SignatureService.preSign/postSign crap as
part of my new DSS product,
http://www.e-contract.be/
I'm definitely interested in moving the OOXML signing logic to Apache
POI and to see a refactoring towards a plain JCA API
(PrivateKey/X509Certificate parameters instead of the preSign/postSign
mess).

So, dual licensing of the relevant Java class files is OK for
me/e-Contract.be BVBA.

I'll contact FedICT and Bart Hanssens for their approval.


Kind Regards,
Frank.

[BartHanssens]

No problem as far as I'm concerned.

I hereby (dual-)license my parts of the code under the Apache 2.0 license.

Feel free to contact me if you need a more formal statement

Bart Hanssens

Op dinsdag 29 september 2009 14:43:09 UTC+2 schreef Ugo Cei:

[andreas...@gmx.de]

On Tuesday, August 26, 2014 11:26:19 AM UTC+2, BartHanssens wrote:

No problem as far as I'm concerned.

I hereby (dual-)license my parts of the code under the Apache 2.0 license.

Feel free to contact me if you need a more formal statement

Thank you very much. As the dual license is also mentioned in the code base, I don't think it needs to be more formal than this.

Before I move the branch into the trunk, I'll wait a bit for the FedICT response.
Currently most of the functionality works now also with my modifications, but there are still a few bits, e.g. timestamping,
which need to be modified ... so it's anyway not ready for prime time yet ..

[andreas...@gmx.de]

Are there any news from FedICT?

[Frank Cornelis]

Hi Andreas,


Not yet. I'll poke them again.


Kind Regards,
Frank.

On 09/17/2014 01:02 AM, andreas...@gmx.de wrote:

Are there any news from FedICT?

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eid-applet+...@googlegroups.com.
To post to this group, send email to eid-a...@googlegroups.com.
Visit this group at http://groups.google.com/group/eid-applet.
For more options, visit https://groups.google.com/d/optout.