Adding upstream version 4:24.2.0.upstream/4%24.2.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 1704 insertions, 0 deletions

diff --git a/package/source/manifest/ManifestDefines.hxx b/package/source/manifest/ManifestDefines.hxx
new file mode 100644
index 0000000000..dbe7b985b8
--- /dev/null
+++ b/package/source/manifest/ManifestDefines.hxx
@@ -0,0 +1,102 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+#pragma once
+
+#include <rtl/ustring.hxx>
+
+inline constexpr OUString MANIFEST_NSPREFIX = u"manifest:"_ustr;
+inline constexpr OUString ELEMENT_MANIFEST = u"manifest:manifest"_ustr;
+inline constexpr OUString ATTRIBUTE_XMLNS = u"xmlns:manifest"_ustr;
+inline constexpr OUString ATTRIBUTE_XMLNS_LOEXT = u"xmlns:loext"_ustr;
+inline constexpr OUString MANIFEST_NAMESPACE = u"http://openoffice.org/2001/manifest"_ustr;
+inline constexpr OUString MANIFEST_OASIS_NAMESPACE = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"_ustr;
+inline constexpr OUString MANIFEST_LOEXT_NAMESPACE = u"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0"_ustr;
+inline constexpr OUString MANIFEST_DOCTYPE = u"<!DOCTYPE manifest:manifest PUBLIC \"-//OpenOffice.org//DTD Manifest 1.0//EN\" \"Manifest.dtd\">"_ustr;
+
+inline constexpr OUString ELEMENT_FILE_ENTRY = u"manifest:file-entry"_ustr;
+inline constexpr OUString ATTRIBUTE_FULL_PATH  = u"manifest:full-path"_ustr;
+inline constexpr OUString ATTRIBUTE_VERSION  = u"manifest:version"_ustr;
+inline constexpr OUString ATTRIBUTE_MEDIA_TYPE = u"manifest:media-type"_ustr;
+inline constexpr OUString ATTRIBUTE_SIZE  = u"manifest:size"_ustr;
+inline constexpr OUString ELEMENT_MANIFEST_KEYINFO  = u"loext:keyinfo"_ustr;
+inline constexpr OUString ELEMENT_ENCRYPTED_KEYINFO = u"loext:KeyInfo"_ustr;
+inline constexpr OUString ELEMENT_ENCRYPTEDKEY  = u"loext:encrypted-key"_ustr;
+inline constexpr OUString ELEMENT_ENCRYPTIONMETHOD = u"loext:encryption-method"_ustr;
+inline constexpr OUString ELEMENT_PGPDATA  = u"loext:PGPData"_ustr;
+inline constexpr OUString ELEMENT_PGPKEYID  = u"loext:PGPKeyID"_ustr;
+inline constexpr OUString ELEMENT_PGPKEYPACKET = u"loext:PGPKeyPacket"_ustr;
+inline constexpr OUString ATTRIBUTE_ALGORITHM = u"loext:PGPAlgorithm"_ustr;
+inline constexpr OUString ELEMENT_CIPHERDATA = u"loext:CipherData"_ustr;
+inline constexpr OUString ELEMENT_CIPHERVALUE = u"loext:CipherValue"_ustr;
+inline constexpr OUString ELEMENT_MANIFEST13_KEYINFO = u"manifest:keyinfo"_ustr;
+inline constexpr OUString ELEMENT_ENCRYPTEDKEY13 = u"manifest:encrypted-key"_ustr;
+inline constexpr OUString ELEMENT_ENCRYPTIONMETHOD13 = u"manifest:encryption-method"_ustr;
+inline constexpr OUString ELEMENT_PGPDATA13 = u"manifest:PGPData"_ustr;
+inline constexpr OUString ELEMENT_PGPKEYID13 = u"manifest:PGPKeyID"_ustr;
+inline constexpr OUString ELEMENT_PGPKEYPACKET13 = u"manifest:PGPKeyPacket"_ustr;
+inline constexpr OUString ATTRIBUTE_ALGORITHM13 = u"manifest:PGPAlgorithm"_ustr;
+inline constexpr OUString ELEMENT_CIPHERDATA13 = u"manifest:CipherData"_ustr;
+inline constexpr OUString ELEMENT_CIPHERVALUE13 = u"manifest:CipherValue"_ustr;
+
+inline constexpr OUString ELEMENT_ENCRYPTION_DATA = u"manifest:encryption-data"_ustr;
+inline constexpr OUString ATTRIBUTE_CHECKSUM_TYPE = u"manifest:checksum-type"_ustr;
+inline constexpr OUString ATTRIBUTE_CHECKSUM  = u"manifest:checksum"_ustr;
+
+inline constexpr OUString ELEMENT_ALGORITHM = u"manifest:algorithm"_ustr;
+inline constexpr OUString ATTRIBUTE_ALGORITHM_NAME = u"manifest:algorithm-name"_ustr;
+inline constexpr OUString ATTRIBUTE_INITIALISATION_VECTOR = u"manifest:initialisation-vector"_ustr;
+
+inline constexpr OUString ELEMENT_START_KEY_GENERATION  = u"manifest:start-key-generation"_ustr;
+inline constexpr OUString ATTRIBUTE_START_KEY_GENERATION_NAME  = u"manifest:start-key-generation-name"_ustr;
+inline constexpr OUString ATTRIBUTE_KEY_SIZE  = u"manifest:key-size"_ustr;
+
+inline constexpr OUString ELEMENT_KEY_DERIVATION = u"manifest:key-derivation"_ustr;
+inline constexpr OUString ATTRIBUTE_KEY_DERIVATION_NAME  = u"manifest:key-derivation-name"_ustr;
+inline constexpr OUString ATTRIBUTE_SALT  = u"manifest:salt"_ustr;
+inline constexpr OUString ATTRIBUTE_ITERATION_COUNT = u"manifest:iteration-count"_ustr;
+inline constexpr OUString ATTRIBUTE_ARGON2_T_LO= u"loext:argon2-iterations"_ustr;
+inline constexpr OUString ATTRIBUTE_ARGON2_M_LO= u"loext:argon2-memory"_ustr;
+inline constexpr OUString ATTRIBUTE_ARGON2_P_LO= u"loext:argon2-lanes"_ustr;
+
+/// OFFICE-3708: wrong URL cited in ODF 1.2 and used since OOo 3.4 beta
+inline constexpr OUString SHA256_URL_ODF12 = u"http://www.w3.org/2000/09/xmldsig#sha256"_ustr;
+inline constexpr OUString SHA256_URL = u"http://www.w3.org/2001/04/xmlenc#sha256"_ustr;
+inline constexpr OUString SHA1_NAME = u"SHA1"_ustr;
+inline constexpr OUString SHA1_URL = u"http://www.w3.org/2000/09/xmldsig#sha1"_ustr;
+
+inline constexpr OUString SHA1_1K_NAME = u"SHA1/1K"_ustr;
+inline constexpr OUString SHA1_1K_URL = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha1-1k"_ustr;
+inline constexpr OUString SHA256_1K_URL = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k"_ustr;
+
+inline constexpr OUString BLOWFISH_NAME = u"Blowfish CFB"_ustr;
+inline constexpr OUString BLOWFISH_URL = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#blowfish"_ustr;
+inline constexpr OUString AES128_URL = u"http://www.w3.org/2001/04/xmlenc#aes128-cbc"_ustr;
+inline constexpr OUString AES192_URL = u"http://www.w3.org/2001/04/xmlenc#aes192-cbc"_ustr;
+inline constexpr OUString AES256_URL = u"http://www.w3.org/2001/04/xmlenc#aes256-cbc"_ustr;
+inline constexpr OUString AESGCM128_URL = u"http://www.w3.org/2009/xmlenc11#aes128-gcm"_ustr;
+inline constexpr OUString AESGCM192_URL = u"http://www.w3.org/2009/xmlenc11#aes192-gcm"_ustr;
+inline constexpr OUString AESGCM256_URL = u"http://www.w3.org/2009/xmlenc11#aes256-gcm"_ustr;
+
+inline constexpr OUString PBKDF2_NAME = u"PBKDF2"_ustr;
+inline constexpr OUString PGP_NAME = u"PGP"_ustr;
+inline constexpr OUString PBKDF2_URL = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#pbkdf2"_ustr;
+inline constexpr OUString ARGON2ID_URL = u"urn:oasis:names:tc:opendocument:xmlns:manifest:1.5#argon2id"_ustr;
+inline constexpr OUString ARGON2ID_URL_LO = u"urn:org:documentfoundation:names:experimental:office:manifest:argon2id"_ustr;
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestExport.cxx b/package/source/manifest/ManifestExport.cxx
new file mode 100644
index 0000000000..1d51e223e4
--- /dev/null
+++ b/package/source/manifest/ManifestExport.cxx
@@ -0,0 +1,558 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#include <com/sun/star/xml/sax/XExtendedDocumentHandler.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/CipherID.hpp>
+#include <com/sun/star/xml/crypto/KDFID.hpp>
+#include <com/sun/star/beans/PropertyValue.hpp>
+#include <com/sun/star/beans/NamedValue.hpp>
+#include <com/sun/star/uno/RuntimeException.hpp>
+
+#include "ManifestDefines.hxx"
+#include "ManifestExport.hxx"
+
+#include <osl/diagnose.h>
+#include <rtl/ustrbuf.hxx>
+#include <rtl/ref.hxx>
+#include <sal/log.hxx>
+#include <comphelper/base64.hxx>
+#include <comphelper/documentconstants.hxx>
+#include <comphelper/attributelist.hxx>
+
+using namespace ::com::sun::star;
+
+#if OSL_DEBUG_LEVEL > 0
+#define THROW_WHERE SAL_WHERE
+#else
+#define THROW_WHERE ""
+#endif
+
+ManifestExport::ManifestExport( uno::Reference< xml::sax::XDocumentHandler > const & xHandler,  const uno::Sequence< uno::Sequence < beans::PropertyValue > >& rManList )
+{
+    static constexpr OUStringLiteral sKeyInfo                     ( u"KeyInfo" );
+    static constexpr OUStringLiteral sPgpKeyIDProperty            ( u"KeyId" );
+    static constexpr OUStringLiteral sPgpKeyPacketProperty        ( u"KeyPacket" );
+    static constexpr OUStringLiteral sCipherValueProperty         ( u"CipherValue" );
+    static constexpr OUString sFullPathProperty     ( u"FullPath"_ustr );
+    static constexpr OUString sVersionProperty  ( u"Version"_ustr );
+    static constexpr OUString sMediaTypeProperty    ( u"MediaType"_ustr );
+    static constexpr OUStringLiteral sIterationCountProperty   ( u"IterationCount" );
+    static constexpr OUStringLiteral sDerivedKeySizeProperty  ( u"DerivedKeySize" );
+    static constexpr OUStringLiteral sSaltProperty         ( u"Salt" );
+    static constexpr OUStringLiteral sInitialisationVectorProperty( u"InitialisationVector" );
+    static constexpr OUStringLiteral sSizeProperty         ( u"Size" );
+    static constexpr OUStringLiteral sDigestProperty       ( u"Digest" );
+    static constexpr OUStringLiteral sEncryptionAlgProperty    ( u"EncryptionAlgorithm" );
+    static constexpr OUStringLiteral sStartKeyAlgProperty  ( u"StartKeyAlgorithm" );
+    static constexpr OUStringLiteral sDigestAlgProperty    ( u"DigestAlgorithm" );
+
+    static constexpr OUString sWhiteSpace           ( u" "_ustr );
+
+    const OUString sSHA256_URL_ODF12     ( SHA256_URL_ODF12 );
+    const OUString  sSHA1_Name           ( SHA1_NAME );
+
+    const OUString  sSHA1_1k_Name        ( SHA1_1K_NAME );
+    const OUString  sSHA256_1k_URL       ( SHA256_1K_URL );
+
+    const OUString  sBlowfish_Name       ( BLOWFISH_NAME );
+    const OUString  sAES256_URL          ( AES256_URL );
+
+    const OUString  sPBKDF2_Name         ( PBKDF2_NAME );
+    const OUString  sPGP_Name            ( PGP_NAME );
+
+    rtl::Reference<::comphelper::AttributeList> pRootAttrList = new ::comphelper::AttributeList;
+
+    // find the mediatype of the document if any
+    OUString aDocMediaType;
+    OUString aDocVersion;
+    bool isWholesomeEncryption(false);
+    const uno::Sequence<beans::PropertyValue>* pRootFolderPropSeq = nullptr;
+    for (const uno::Sequence < beans::PropertyValue >& rSequence : rManList)
+    {
+        OUString aMediaType;
+        OUString aPath;
+        OUString aVersion;
+
+        for (const beans::PropertyValue& rValue : rSequence)
+        {
+            if (rValue.Name == sMediaTypeProperty )
+            {
+                rValue.Value >>= aMediaType;
+            }
+            else if (rValue.Name == sFullPathProperty )
+            {
+                rValue.Value >>= aPath;
+            }
+            else if (rValue.Name == sVersionProperty )
+            {
+                rValue.Value >>= aVersion;
+            }
+
+            if ( !aPath.isEmpty() && !aMediaType.isEmpty() && !aVersion.isEmpty() )
+                break;
+        }
+
+        if ( aPath == "/" )
+        {
+            assert(aDocMediaType.isEmpty());
+            // unfortunately no aMediaType in some cases where non-documents
+            // are stored as StorageFormats::PACKAGE instead of sensible
+            // StorageFormats::ZIP, such as SvxXMLXTableExportComponent and
+            // SwXMLTextBlocks, which results in an empty "mimetype" etc but
+            // can't be easily fixed; try to exclude these cases by checking
+            // for aVersion, but of course then forgetting to set both version
+            // and type on an actual document can't be found :(
+            assert(!aMediaType.isEmpty() || aVersion.isEmpty());
+            aDocMediaType = aMediaType;
+            aDocVersion = aVersion;
+            pRootFolderPropSeq = &rSequence;
+        }
+
+        if (aPath == "encrypted-package")
+        {
+            isWholesomeEncryption = true;
+            assert(aDocMediaType.isEmpty() || aDocMediaType == aMediaType);
+        }
+    }
+    assert(pRootFolderPropSeq);
+
+    bool bProvideDTD = false;
+    bool bAcceptNonemptyVersion = false;
+    bool bStoreStartKeyGeneration = false;
+    if ( !aDocMediaType.isEmpty() )
+    {
+        if ( aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_TEXT_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_TEXT_WEB_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_TEXT_GLOBAL_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_DRAWING_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_PRESENTATION_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_SPREADSHEET_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_CHART_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_DATABASE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_FORMULA_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_TEXT_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_TEXT_GLOBAL_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_DRAWING_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_PRESENTATION_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_SPREADSHEET_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_CHART_TEMPLATE_ASCII
+          || aDocMediaType == MIMETYPE_OASIS_OPENDOCUMENT_FORMULA_TEMPLATE_ASCII )
+
+        {
+            // oasis format
+            pRootAttrList->AddAttribute ( ATTRIBUTE_XMLNS,
+                                        MANIFEST_OASIS_NAMESPACE );
+            bAcceptNonemptyVersion = true;
+            if ( aDocVersion.compareTo( ODFVER_012_TEXT ) >= 0 )
+            {
+                // this is ODF12 or later generation, let encrypted
+                // streams contain start-key-generation entry
+                bStoreStartKeyGeneration = true;
+                pRootAttrList->AddAttribute ( ATTRIBUTE_VERSION, aDocVersion );
+                // plus gpg4libre extensions - loext NS for that
+                pRootAttrList->AddAttribute ( ATTRIBUTE_XMLNS_LOEXT,
+                                              MANIFEST_LOEXT_NAMESPACE );
+            }
+        }
+        else
+        {
+            // even if it is no SO6 format the namespace must be specified
+            // thus SO6 format is used as default one
+            pRootAttrList->AddAttribute ( ATTRIBUTE_XMLNS,
+                                        MANIFEST_NAMESPACE );
+
+            bProvideDTD = true;
+        }
+    }
+
+    xHandler->startDocument();
+    uno::Reference < xml::sax::XExtendedDocumentHandler > xExtHandler ( xHandler, uno::UNO_QUERY );
+    if ( xExtHandler.is() && bProvideDTD )
+    {
+        xExtHandler->unknown ( MANIFEST_DOCTYPE );
+        xHandler->ignorableWhitespace ( sWhiteSpace );
+    }
+    xHandler->startElement( ELEMENT_MANIFEST, pRootAttrList );
+
+    const uno::Any *pKeyInfoProperty = nullptr;
+    if ( pRootFolderPropSeq )
+    {
+        // do we have package-wide encryption info?
+        for (const beans::PropertyValue& rValue : *pRootFolderPropSeq)
+        {
+            if (rValue.Name == sKeyInfo )
+                pKeyInfoProperty = &rValue.Value;
+        }
+
+        if ( pKeyInfoProperty )
+        {
+            // no start-key-generation needed, our session key has
+            // max size already
+            bStoreStartKeyGeneration = false;
+
+            // yeah, so that goes directly below the manifest:manifest
+            // element
+            OUStringBuffer aBuffer;
+
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+
+            // ==== manifest:keyinfo & children
+            bool const isODF13(aDocVersion.compareTo(ODFVER_013_TEXT) >= 0);
+            if (!isODF13)
+            {
+                xHandler->startElement(ELEMENT_MANIFEST_KEYINFO, nullptr);
+            }
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+
+            uno::Sequence< uno::Sequence < beans::NamedValue > > aKeyInfoSequence;
+            *pKeyInfoProperty >>= aKeyInfoSequence;
+            for (const uno::Sequence<beans::NamedValue>& rKeyInfoSequence : std::as_const(aKeyInfoSequence))
+            {
+                uno::Sequence < sal_Int8 > aPgpKeyID;
+                uno::Sequence < sal_Int8 > aPgpKeyPacket;
+                uno::Sequence < sal_Int8 > aCipherValue;
+                for (const beans::NamedValue& rNValue : rKeyInfoSequence)
+                {
+                    if (rNValue.Name == sPgpKeyIDProperty )
+                        rNValue.Value >>= aPgpKeyID;
+                    else if (rNValue.Name == sPgpKeyPacketProperty )
+                        rNValue.Value >>= aPgpKeyPacket;
+                    else if (rNValue.Name == sCipherValueProperty )
+                        rNValue.Value >>= aCipherValue;
+                }
+
+                if (aPgpKeyID.hasElements() && aCipherValue.hasElements() )
+                {
+                    // ==== manifest:encrypted-key & children - one for each recipient
+                    xHandler->startElement(isODF13 ? ELEMENT_ENCRYPTEDKEY13 : ELEMENT_ENCRYPTEDKEY, nullptr);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    rtl::Reference<::comphelper::AttributeList> pNewAttrList = new ::comphelper::AttributeList;
+                    // TODO: the algorithm should rather be configurable
+                    pNewAttrList->AddAttribute(
+                        isODF13 ? ATTRIBUTE_ALGORITHM13 : ATTRIBUTE_ALGORITHM,
+                                                 "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" );
+                    xHandler->startElement(isODF13 ? ELEMENT_ENCRYPTIONMETHOD13 : ELEMENT_ENCRYPTIONMETHOD, pNewAttrList);
+                    xHandler->endElement(isODF13 ? ELEMENT_ENCRYPTIONMETHOD13 : ELEMENT_ENCRYPTIONMETHOD);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    // note: the mismatch here corresponds to ODF 1.3 cs01 schema
+                    xHandler->startElement(isODF13 ? ELEMENT_MANIFEST13_KEYINFO : ELEMENT_MANIFEST_KEYINFO, nullptr);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->startElement(isODF13 ? ELEMENT_PGPDATA13 : ELEMENT_PGPDATA, nullptr);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->startElement(isODF13 ? ELEMENT_PGPKEYID13 : ELEMENT_PGPKEYID, nullptr);
+                    ::comphelper::Base64::encode(aBuffer, aPgpKeyID);
+                    xHandler->characters( aBuffer.makeStringAndClear() );
+                    xHandler->endElement(isODF13 ? ELEMENT_PGPKEYID13 : ELEMENT_PGPKEYID);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    // key packet is optional
+                    if (aPgpKeyPacket.hasElements())
+                    {
+                        xHandler->startElement(isODF13 ? ELEMENT_PGPKEYPACKET13 : ELEMENT_PGPKEYPACKET, nullptr);
+                        ::comphelper::Base64::encode(aBuffer, aPgpKeyPacket);
+                        xHandler->characters( aBuffer.makeStringAndClear() );
+                        xHandler->endElement(isODF13 ? ELEMENT_PGPKEYPACKET13 : ELEMENT_PGPKEYPACKET);
+                        xHandler->ignorableWhitespace ( sWhiteSpace );
+                    }
+
+                    xHandler->endElement(isODF13 ? ELEMENT_PGPDATA13 : ELEMENT_PGPDATA);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->endElement(isODF13 ? ELEMENT_MANIFEST13_KEYINFO : ELEMENT_MANIFEST_KEYINFO);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->startElement(isODF13 ? ELEMENT_CIPHERDATA13 : ELEMENT_CIPHERDATA, nullptr);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->startElement(isODF13 ? ELEMENT_CIPHERVALUE13 : ELEMENT_CIPHERVALUE, nullptr);
+                    ::comphelper::Base64::encode(aBuffer, aCipherValue);
+                    xHandler->characters( aBuffer.makeStringAndClear() );
+                    xHandler->endElement(isODF13 ? ELEMENT_CIPHERVALUE13 : ELEMENT_CIPHERVALUE);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->endElement(isODF13 ? ELEMENT_CIPHERDATA13 : ELEMENT_CIPHERDATA);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+
+                    xHandler->endElement(isODF13 ? ELEMENT_ENCRYPTEDKEY13 : ELEMENT_ENCRYPTEDKEY);
+                    xHandler->ignorableWhitespace ( sWhiteSpace );
+                }
+            }
+
+            if (!isODF13)
+            {
+                xHandler->endElement(ELEMENT_MANIFEST_KEYINFO);
+            }
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+        }
+    }
+
+    // now write individual file entries
+    for (const uno::Sequence<beans::PropertyValue>& rSequence : rManList)
+    {
+        if (&rSequence == pRootFolderPropSeq && isWholesomeEncryption)
+        {
+            continue; // no root document, but embedded package => omit
+        }
+        rtl::Reference<::comphelper::AttributeList> pAttrList = new ::comphelper::AttributeList;
+        OUString fullPath;
+        OUString aString;
+        const uno::Any *pVector = nullptr, *pSalt = nullptr, *pIterationCount = nullptr, *pDigest = nullptr, *pDigestAlg = nullptr, *pEncryptAlg = nullptr, *pStartKeyAlg = nullptr, *pDerivedKeySize = nullptr;
+        uno::Any const* pKDF = nullptr;
+        uno::Any const* pArgon2Args = nullptr;
+        for (const beans::PropertyValue& rValue : rSequence)
+        {
+            if (rValue.Name == sMediaTypeProperty )
+            {
+                rValue.Value >>= aString;
+                pAttrList->AddAttribute ( ATTRIBUTE_MEDIA_TYPE, aString );
+            }
+            else if (rValue.Name == sVersionProperty )
+            {
+                rValue.Value >>= aString;
+                // the version is stored only if it is not empty
+                if ( bAcceptNonemptyVersion && !aString.isEmpty() )
+                    pAttrList->AddAttribute ( ATTRIBUTE_VERSION, aString );
+            }
+            else if (rValue.Name == sFullPathProperty )
+            {
+                rValue.Value >>= fullPath;
+                pAttrList->AddAttribute(ATTRIBUTE_FULL_PATH, fullPath);
+            }
+            else if (rValue.Name == sSizeProperty )
+            {
+                sal_Int64 nSize = 0;
+                rValue.Value >>= nSize;
+                pAttrList->AddAttribute ( ATTRIBUTE_SIZE, OUString::number( nSize ) );
+            }
+            else if (rValue.Name == sInitialisationVectorProperty )
+                pVector = &rValue.Value;
+            else if (rValue.Name == sSaltProperty )
+                pSalt = &rValue.Value;
+            else if (rValue.Name == sIterationCountProperty )
+                pIterationCount = &rValue.Value;
+            else if (rValue.Name == sDigestProperty )
+                pDigest = &rValue.Value;
+            else if (rValue.Name == sDigestAlgProperty )
+                pDigestAlg = &rValue.Value;
+            else if (rValue.Name == sEncryptionAlgProperty )
+                pEncryptAlg = &rValue.Value;
+            else if (rValue.Name == sStartKeyAlgProperty )
+                pStartKeyAlg = &rValue.Value;
+            else if (rValue.Name == sDerivedKeySizeProperty )
+                pDerivedKeySize = &rValue.Value;
+            else if (rValue.Name == "KeyDerivationFunction") {
+                pKDF = &rValue.Value;
+            } else if (rValue.Name == "Argon2Args") {
+                pArgon2Args = &rValue.Value;
+            }
+        }
+        assert(!fullPath.isEmpty());
+        if (isWholesomeEncryption)
+        {   // there may be signatures in META-INF too
+            assert(fullPath == "encrypted-package" || fullPath.startsWith("META-INF/"));
+        }
+
+        xHandler->ignorableWhitespace ( sWhiteSpace );
+        xHandler->startElement( ELEMENT_FILE_ENTRY , pAttrList);
+        if (pVector && pEncryptAlg && pDerivedKeySize && pKDF
+            && ((pSalt && pStartKeyAlg && (pIterationCount || pArgon2Args))
+                || pKeyInfoProperty))
+        {
+            // ==== Encryption Data
+            rtl::Reference<::comphelper::AttributeList> pNewAttrList = new ::comphelper::AttributeList;
+            OUStringBuffer aBuffer;
+            uno::Sequence < sal_Int8 > aSequence;
+
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+
+            // ==== Digest
+            if (pDigest && pDigestAlg && pDigestAlg->hasValue())
+            {
+                OUString sChecksumType;
+                sal_Int32 nDigestAlgID = 0;
+                *pDigestAlg >>= nDigestAlgID;
+                if ( nDigestAlgID == xml::crypto::DigestID::SHA256_1K )
+                    sChecksumType = sSHA256_1k_URL;
+                else if ( nDigestAlgID == xml::crypto::DigestID::SHA1_1K )
+                    sChecksumType = sSHA1_1k_Name;
+                else
+                    throw uno::RuntimeException( THROW_WHERE "Unexpected digest algorithm is provided!" );
+
+                pNewAttrList->AddAttribute(ATTRIBUTE_CHECKSUM_TYPE, sChecksumType);
+                *pDigest >>= aSequence;
+                ::comphelper::Base64::encode(aBuffer, aSequence);
+                pNewAttrList->AddAttribute(ATTRIBUTE_CHECKSUM, aBuffer.makeStringAndClear());
+            }
+
+            xHandler->startElement( ELEMENT_ENCRYPTION_DATA , pNewAttrList);
+
+            // ==== Algorithm
+            pNewAttrList = new ::comphelper::AttributeList;
+
+            sal_Int32 nEncAlgID = 0;
+            sal_Int32 nDerivedKeySize = 0;
+            *pEncryptAlg >>= nEncAlgID;
+            *pDerivedKeySize >>= nDerivedKeySize;
+
+            OUString sEncAlgName;
+            if ( nEncAlgID == xml::crypto::CipherID::AES_CBC_W3C_PADDING )
+            {
+                OSL_ENSURE( nDerivedKeySize, "Unexpected key size is provided!" );
+                if ( nDerivedKeySize != 32 )
+                    throw uno::RuntimeException( THROW_WHERE "Unexpected key size is provided!" );
+
+                sEncAlgName = sAES256_URL;
+            }
+            else if (nEncAlgID == xml::crypto::CipherID::AES_GCM_W3C)
+            {
+                assert(bStoreStartKeyGeneration || pKeyInfoProperty);
+                SAL_WARN_IF(nDerivedKeySize != 32, "package.manifest", "Unexpected key size is provided!");
+                if (nDerivedKeySize != 32)
+                {
+                    throw uno::RuntimeException(THROW_WHERE "Unexpected key size is provided!");
+                }
+                sEncAlgName = AESGCM256_URL;
+            }
+            else if ( nEncAlgID == xml::crypto::CipherID::BLOWFISH_CFB_8 )
+            {
+                sEncAlgName = sBlowfish_Name;
+            }
+            else
+                throw uno::RuntimeException( THROW_WHERE "Unexpected encryption algorithm is provided!" );
+
+            pNewAttrList->AddAttribute ( ATTRIBUTE_ALGORITHM_NAME, sEncAlgName );
+
+            *pVector >>= aSequence;
+            ::comphelper::Base64::encode(aBuffer, aSequence);
+            pNewAttrList->AddAttribute ( ATTRIBUTE_INITIALISATION_VECTOR, aBuffer.makeStringAndClear() );
+
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+            xHandler->startElement( ELEMENT_ALGORITHM , pNewAttrList);
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+            xHandler->endElement( ELEMENT_ALGORITHM );
+
+            if ( bStoreStartKeyGeneration )
+            {
+                // ==== Start Key Generation
+                pNewAttrList = new ::comphelper::AttributeList;
+
+                OUString sStartKeyAlg;
+                OUString sStartKeySize;
+                sal_Int32 nStartKeyAlgID = 0;
+                *pStartKeyAlg >>= nStartKeyAlgID;
+                if ( nStartKeyAlgID == xml::crypto::DigestID::SHA256 )
+                {
+                    if (nEncAlgID == xml::crypto::CipherID::AES_GCM_W3C)
+                    {   // new encryption is incompatible anyway, use W3C URL
+                        sStartKeyAlg = SHA256_URL;
+                    }
+                    else // to interop with ODF <= 1.4 consumers use bad ODF URL
+                    {
+                        sStartKeyAlg = sSHA256_URL_ODF12;
+                    }
+                    aBuffer.append( sal_Int32(32) );
+                    sStartKeySize = aBuffer.makeStringAndClear();
+                }
+                else if ( nStartKeyAlgID == xml::crypto::DigestID::SHA1 )
+                {
+                    sStartKeyAlg = sSHA1_Name;
+                    aBuffer.append( sal_Int32(20) );
+                    sStartKeySize = aBuffer.makeStringAndClear();
+                }
+                else
+                    throw uno::RuntimeException( THROW_WHERE "Unexpected start key algorithm is provided!" );
+
+                pNewAttrList->AddAttribute ( ATTRIBUTE_START_KEY_GENERATION_NAME, sStartKeyAlg );
+                pNewAttrList->AddAttribute ( ATTRIBUTE_KEY_SIZE, sStartKeySize );
+
+                xHandler->ignorableWhitespace ( sWhiteSpace );
+                xHandler->startElement( ELEMENT_START_KEY_GENERATION , pNewAttrList);
+                xHandler->ignorableWhitespace ( sWhiteSpace );
+                xHandler->endElement( ELEMENT_START_KEY_GENERATION );
+            }
+
+            // ==== Key Derivation
+            pNewAttrList = new ::comphelper::AttributeList;
+
+            if (pKeyInfoProperty)
+            {
+                assert(pKDF->get<sal_Int32>() == xml::crypto::KDFID::PGP_RSA_OAEP_MGF1P);
+                pNewAttrList->AddAttribute(ATTRIBUTE_KEY_DERIVATION_NAME,
+                                           sPGP_Name);
+            }
+            else
+            {
+                if (pKDF->get<sal_Int32>() == xml::crypto::KDFID::Argon2id)
+                {
+                    pNewAttrList->AddAttribute(ATTRIBUTE_KEY_DERIVATION_NAME,
+                                               ARGON2ID_URL_LO);
+
+                    uno::Sequence<sal_Int32> args;
+                    *pArgon2Args >>= args;
+                    assert(args.getLength() == 3);
+                    pNewAttrList->AddAttribute(ATTRIBUTE_ARGON2_T_LO, OUString::number(args[0]));
+                    pNewAttrList->AddAttribute(ATTRIBUTE_ARGON2_M_LO, OUString::number(args[1]));
+                    pNewAttrList->AddAttribute(ATTRIBUTE_ARGON2_P_LO, OUString::number(args[2]));
+                }
+                else
+                {
+                    assert(pKDF->get<sal_Int32>() == xml::crypto::KDFID::PBKDF2);
+                    pNewAttrList->AddAttribute(ATTRIBUTE_KEY_DERIVATION_NAME,
+                                               sPBKDF2_Name);
+
+                    sal_Int32 nCount = 0;
+                    *pIterationCount >>= nCount;
+                    aBuffer.append(nCount);
+                    pNewAttrList->AddAttribute(ATTRIBUTE_ITERATION_COUNT, aBuffer.makeStringAndClear());
+                }
+
+                *pSalt >>= aSequence;
+                ::comphelper::Base64::encode(aBuffer, aSequence);
+                pNewAttrList->AddAttribute ( ATTRIBUTE_SALT, aBuffer.makeStringAndClear() );
+            }
+
+            // ODF 1.3 specifies the default as 16 so have to write it for PGP
+            if (bStoreStartKeyGeneration || pKeyInfoProperty)
+            {
+                aBuffer.append(nDerivedKeySize);
+                pNewAttrList->AddAttribute(ATTRIBUTE_KEY_SIZE, aBuffer.makeStringAndClear());
+            }
+
+            xHandler->ignorableWhitespace(sWhiteSpace);
+            xHandler->startElement(ELEMENT_KEY_DERIVATION, pNewAttrList);
+            xHandler->ignorableWhitespace(sWhiteSpace);
+            xHandler->endElement(ELEMENT_KEY_DERIVATION);
+
+            xHandler->ignorableWhitespace ( sWhiteSpace );
+            xHandler->endElement( ELEMENT_ENCRYPTION_DATA );
+        }
+        xHandler->ignorableWhitespace ( sWhiteSpace );
+        xHandler->endElement( ELEMENT_FILE_ENTRY );
+    }
+    xHandler->ignorableWhitespace ( sWhiteSpace );
+    xHandler->endElement( ELEMENT_MANIFEST );
+    xHandler->endDocument();
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestExport.hxx b/package/source/manifest/ManifestExport.hxx
new file mode 100644
index 0000000000..0148ea62c8
--- /dev/null
+++ b/package/source/manifest/ManifestExport.hxx
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTEXPORT_HXX
+#define INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTEXPORT_HXX
+
+#include <com/sun/star/uno/Sequence.h>
+#include <com/sun/star/uno/Reference.h>
+
+namespace com::sun::star {
+    namespace beans { struct PropertyValue;}
+    namespace xml::sax { class XDocumentHandler; }
+}
+class ManifestExport
+{
+public:
+    ManifestExport(css::uno::Reference < css::xml::sax::XDocumentHandler > const & xHandler, const css::uno::Sequence < css::uno::Sequence < css::beans::PropertyValue > > &rManList );
+};
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestImport.cxx b/package/source/manifest/ManifestImport.cxx
new file mode 100644
index 0000000000..f6f4ce36f4
--- /dev/null
+++ b/package/source/manifest/ManifestImport.cxx
@@ -0,0 +1,599 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#include "ManifestImport.hxx"
+#include "ManifestDefines.hxx"
+#include <PackageConstants.hxx>
+#include <osl/diagnose.h>
+#include <sal/log.hxx>
+#include <com/sun/star/xml/sax/XAttributeList.hpp>
+#include <com/sun/star/xml/crypto/DigestID.hpp>
+#include <com/sun/star/xml/crypto/CipherID.hpp>
+#include <com/sun/star/xml/crypto/KDFID.hpp>
+#include <com/sun/star/beans/PropertyValue.hpp>
+#include <comphelper/base64.hxx>
+#include <comphelper/sequence.hxx>
+
+using namespace com::sun::star::uno;
+using namespace com::sun::star::beans;
+using namespace com::sun::star;
+
+constexpr OUStringLiteral gsFullPathProperty             ( u"FullPath" );
+constexpr OUStringLiteral gsMediaTypeProperty            ( u"MediaType" );
+constexpr OUStringLiteral gsVersionProperty              ( u"Version" );
+constexpr OUStringLiteral gsIterationCountProperty       ( u"IterationCount" );
+constexpr OUStringLiteral gsDerivedKeySizeProperty       ( u"DerivedKeySize" );
+constexpr OUStringLiteral gsSaltProperty                 ( u"Salt" );
+constexpr OUStringLiteral gsInitialisationVectorProperty ( u"InitialisationVector" );
+constexpr OUStringLiteral gsSizeProperty                 ( u"Size" );
+constexpr OUStringLiteral gsDigestProperty               ( u"Digest" );
+constexpr OUString gsEncryptionAlgProperty        ( u"EncryptionAlgorithm"_ustr );
+constexpr OUString gsStartKeyAlgProperty          ( u"StartKeyAlgorithm"_ustr );
+constexpr OUString gsDigestAlgProperty            ( u"DigestAlgorithm"_ustr );
+
+ManifestImport::ManifestImport( std::vector < Sequence < PropertyValue > > & rNewManVector )
+    : bIgnoreEncryptData    ( false )
+    , bPgpEncryption ( false )
+    , nDerivedKeySize( 0 )
+    , rManVector ( rNewManVector )
+{
+    aStack.reserve( 10 );
+}
+
+ManifestImport::~ManifestImport()
+{
+}
+
+void SAL_CALL ManifestImport::startDocument(  )
+{
+}
+
+void SAL_CALL ManifestImport::endDocument(  )
+{
+}
+
+void ManifestImport::doFileEntry(StringHashMap &rConvertedAttribs)
+{
+    aSequence.resize(PKG_SIZE_ENCR_MNFST);
+
+    aSequence[PKG_MNFST_FULLPATH].Name = gsFullPathProperty;
+    aSequence[PKG_MNFST_FULLPATH].Value <<= rConvertedAttribs[ATTRIBUTE_FULL_PATH];
+    aSequence[PKG_MNFST_MEDIATYPE].Name = gsMediaTypeProperty;
+    aSequence[PKG_MNFST_MEDIATYPE].Value <<= rConvertedAttribs[ATTRIBUTE_MEDIA_TYPE];
+
+    OUString sVersion = rConvertedAttribs[ATTRIBUTE_VERSION];
+    if ( sVersion.getLength() ) {
+        aSequence[PKG_MNFST_VERSION].Name = gsVersionProperty;
+        aSequence[PKG_MNFST_VERSION].Value <<= sVersion;
+    }
+
+    OUString sSize = rConvertedAttribs[ATTRIBUTE_SIZE];
+    if ( sSize.getLength() ) {
+        sal_Int64 nSize = sSize.toInt64();
+        aSequence[PKG_MNFST_UCOMPSIZE].Name = gsSizeProperty;
+        aSequence[PKG_MNFST_UCOMPSIZE].Value <<= nSize;
+    }
+}
+
+void ManifestImport::doEncryptedKey(StringHashMap &)
+{
+    aKeyInfoSequence.clear();
+    aKeyInfoSequence.resize(3);
+}
+
+void ManifestImport::doEncryptionMethod(StringHashMap &rConvertedAttribs,
+                                        const OUString& rAlgoAttrName)
+{
+    OUString aString = rConvertedAttribs[rAlgoAttrName];
+    if ( aKeyInfoSequence.size() != 3
+         || aString != "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" )
+    {
+        bIgnoreEncryptData = true;
+    }
+}
+
+void ManifestImport::doEncryptedCipherValue()
+{
+    if ( aKeyInfoSequence.size() == 3 )
+    {
+        aKeyInfoSequence[2].Name = "CipherValue";
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aCurrentCharacters);
+        aKeyInfoSequence[2].Value <<= aDecodeBuffer;
+        aCurrentCharacters.setLength(0); // consumed
+    }
+    else
+        bIgnoreEncryptData = true;
+}
+
+void ManifestImport::doEncryptedKeyId()
+{
+    if ( aKeyInfoSequence.size() == 3 )
+    {
+        aKeyInfoSequence[0].Name = "KeyId";
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aCurrentCharacters);
+        aKeyInfoSequence[0].Value <<= aDecodeBuffer;
+        aCurrentCharacters.setLength(0); // consumed
+    }
+    else
+        bIgnoreEncryptData = true;
+}
+
+void ManifestImport::doEncryptedKeyPacket()
+{
+    if ( aKeyInfoSequence.size() == 3 )
+    {
+        aKeyInfoSequence[1].Name = "KeyPacket";
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aCurrentCharacters);
+        aKeyInfoSequence[1].Value <<= aDecodeBuffer;
+        aCurrentCharacters.setLength(0); // consumed
+    }
+    else
+        bIgnoreEncryptData = true;
+}
+
+void ManifestImport::doEncryptionData(StringHashMap &rConvertedAttribs)
+{
+    // If this element exists, then this stream is encrypted and we need
+    // to import the initialisation vector, salt and iteration count used
+    nDerivedKeySize = 0;
+    OUString aString = rConvertedAttribs[ATTRIBUTE_CHECKSUM_TYPE];
+    if ( bIgnoreEncryptData )
+        return;
+
+    if ( aString == SHA1_1K_NAME || aString == SHA1_1K_URL ) {
+        aSequence[PKG_MNFST_DIGESTALG].Name = gsDigestAlgProperty;
+        aSequence[PKG_MNFST_DIGESTALG].Value <<= xml::crypto::DigestID::SHA1_1K;
+    } else if ( aString == SHA256_1K_URL ) {
+        aSequence[PKG_MNFST_DIGESTALG].Name = gsDigestAlgProperty;
+        aSequence[PKG_MNFST_DIGESTALG].Value <<= xml::crypto::DigestID::SHA256_1K;
+    }
+    // note: digest is now *optional* - expected not to be used with AEAD
+
+    if (aSequence[PKG_MNFST_DIGESTALG].Value.hasValue()) {
+        aString = rConvertedAttribs[ATTRIBUTE_CHECKSUM];
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aString);
+        aSequence[PKG_MNFST_DIGEST].Name = gsDigestProperty;
+        aSequence[PKG_MNFST_DIGEST].Value <<= aDecodeBuffer;
+    }
+}
+
+void ManifestImport::doAlgorithm(StringHashMap &rConvertedAttribs)
+{
+    if ( bIgnoreEncryptData )
+        return;
+
+    OUString aString = rConvertedAttribs[ATTRIBUTE_ALGORITHM_NAME];
+    if ( aString == BLOWFISH_NAME || aString == BLOWFISH_URL ) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::BLOWFISH_CFB_8;
+    } else if (aString == AESGCM256_URL) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_GCM_W3C;
+        SAL_INFO_IF(nDerivedKeySize != 0 && nDerivedKeySize != 32, "package.manifest", "Unexpected derived key length!");
+        nDerivedKeySize = 32;
+    } else if (aString == AESGCM192_URL) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_GCM_W3C;
+        SAL_INFO_IF(nDerivedKeySize != 0 && nDerivedKeySize != 24, "package.manifest", "Unexpected derived key length!");
+        nDerivedKeySize = 24;
+    } else if (aString == AESGCM128_URL) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_GCM_W3C;
+        SAL_INFO_IF(nDerivedKeySize != 0 && nDerivedKeySize != 16, "package.manifest", "Unexpected derived key length!");
+        nDerivedKeySize = 16;
+    } else if ( aString == AES256_URL ) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_CBC_W3C_PADDING;
+        OSL_ENSURE( !nDerivedKeySize || nDerivedKeySize == 32, "Unexpected derived key length!" );
+        nDerivedKeySize = 32;
+    } else if ( aString == AES192_URL ) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_CBC_W3C_PADDING;
+        OSL_ENSURE( !nDerivedKeySize || nDerivedKeySize == 24, "Unexpected derived key length!" );
+        nDerivedKeySize = 24;
+    } else if ( aString == AES128_URL ) {
+        aSequence[PKG_MNFST_ENCALG].Name = gsEncryptionAlgProperty;
+        aSequence[PKG_MNFST_ENCALG].Value <<= xml::crypto::CipherID::AES_CBC_W3C_PADDING;
+        OSL_ENSURE( !nDerivedKeySize || nDerivedKeySize == 16, "Unexpected derived key length!" );
+        nDerivedKeySize = 16;
+    } else
+        bIgnoreEncryptData = true;
+
+    if ( !bIgnoreEncryptData ) {
+        aString = rConvertedAttribs[ATTRIBUTE_INITIALISATION_VECTOR];
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aString);
+        aSequence[PKG_MNFST_INIVECTOR].Name = gsInitialisationVectorProperty;
+        aSequence[PKG_MNFST_INIVECTOR].Value <<= aDecodeBuffer;
+    }
+}
+
+void ManifestImport::doKeyDerivation(StringHashMap &rConvertedAttribs)
+{
+    if ( bIgnoreEncryptData )
+        return;
+
+    OUString aString = rConvertedAttribs[ATTRIBUTE_KEY_DERIVATION_NAME];
+    if (aString == PBKDF2_NAME || aString == PBKDF2_URL
+        || aString == ARGON2ID_URL || aString == ARGON2ID_URL_LO)
+    {
+        aSequence[PKG_MNFST_KDF].Name = "KeyDerivationFunction";
+        if (aString == ARGON2ID_URL || aString == ARGON2ID_URL_LO)
+        {
+            aSequence[PKG_MNFST_KDF].Value <<= xml::crypto::KDFID::Argon2id;
+
+            aString = rConvertedAttribs[ATTRIBUTE_ARGON2_T_LO];
+            sal_Int32 const t(aString.toInt32());
+            aString = rConvertedAttribs[ATTRIBUTE_ARGON2_M_LO];
+            sal_Int32 const m(aString.toInt32());
+            aString = rConvertedAttribs[ATTRIBUTE_ARGON2_P_LO];
+            sal_Int32 const p(aString.toInt32());
+            if (0 < t && 0 < m && 0 < p)
+            {
+                aSequence[PKG_MNFST_ARGON2ARGS].Name = "Argon2Args";
+                aSequence[PKG_MNFST_ARGON2ARGS].Value <<= uno::Sequence{t,m,p};
+            }
+            else
+            {
+                SAL_INFO("package.manifest", "invalid argon2 arguments");
+                bIgnoreEncryptData = true;
+            }
+        }
+        else
+        {
+            aSequence[PKG_MNFST_KDF].Value <<= xml::crypto::KDFID::PBKDF2;
+
+            aString = rConvertedAttribs[ATTRIBUTE_ITERATION_COUNT];
+            aSequence[PKG_MNFST_ITERATION].Name = gsIterationCountProperty;
+            aSequence[PKG_MNFST_ITERATION].Value <<= aString.toInt32();
+        }
+
+        aString = rConvertedAttribs[ATTRIBUTE_SALT];
+        uno::Sequence < sal_Int8 > aDecodeBuffer;
+        ::comphelper::Base64::decode(aDecodeBuffer, aString);
+        aSequence[PKG_MNFST_SALT].Name = gsSaltProperty;
+        aSequence[PKG_MNFST_SALT].Value <<= aDecodeBuffer;
+
+        aString = rConvertedAttribs[ATTRIBUTE_KEY_SIZE];
+        if ( aString.getLength() ) {
+            sal_Int32 nKey = aString.toInt32();
+            OSL_ENSURE( !nDerivedKeySize || nKey == nDerivedKeySize , "Provided derived key length differs from the expected one!" );
+            nDerivedKeySize = nKey;
+        } else if ( !nDerivedKeySize )
+            nDerivedKeySize = 16;
+        else if ( nDerivedKeySize != 16 )
+            OSL_ENSURE( false, "Default derived key length differs from the expected one!" );
+
+        aSequence[PKG_MNFST_DERKEYSIZE].Name = gsDerivedKeySizeProperty;
+        aSequence[PKG_MNFST_DERKEYSIZE].Value <<= nDerivedKeySize;
+    } else if ( bPgpEncryption ) {
+        if (aString == "PGP") {
+            aSequence[PKG_MNFST_KDF].Name = "KeyDerivationFunction";
+            aSequence[PKG_MNFST_KDF].Value <<= xml::crypto::KDFID::PGP_RSA_OAEP_MGF1P;
+        } else {
+            bIgnoreEncryptData = true;
+        }
+    } else
+        bIgnoreEncryptData = true;
+}
+
+void ManifestImport::doStartKeyAlg(StringHashMap &rConvertedAttribs)
+{
+    OUString aString = rConvertedAttribs[ATTRIBUTE_START_KEY_GENERATION_NAME];
+    if (aString == SHA256_URL || aString == SHA256_URL_ODF12) {
+        aSequence[PKG_MNFST_STARTALG].Name = gsStartKeyAlgProperty;
+        aSequence[PKG_MNFST_STARTALG].Value <<= xml::crypto::DigestID::SHA256;
+    } else if ( aString == SHA1_NAME || aString == SHA1_URL ) {
+        aSequence[PKG_MNFST_STARTALG].Name = gsStartKeyAlgProperty;
+        aSequence[PKG_MNFST_STARTALG].Value <<= xml::crypto::DigestID::SHA1;
+    } else
+        bIgnoreEncryptData = true;
+}
+
+void SAL_CALL ManifestImport::startElement( const OUString& aName, const uno::Reference< xml::sax::XAttributeList >& xAttribs )
+{
+    StringHashMap aConvertedAttribs;
+    OUString aConvertedName = PushNameAndNamespaces( aName, xAttribs, aConvertedAttribs );
+
+    size_t nLevel = aStack.size();
+
+    assert(nLevel >= 1);
+
+    switch (nLevel) {
+    case 1: {
+        if (aConvertedName != ELEMENT_MANIFEST) //manifest:manifest
+            aStack.back().m_bValid = false;
+        break;
+    }
+    case 2: {
+        if (aConvertedName == ELEMENT_FILE_ENTRY) //manifest:file-entry
+            doFileEntry(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_MANIFEST_KEYINFO) //loext:keyinfo
+            ;
+        else if (aConvertedName == ELEMENT_ENCRYPTEDKEY13)   //manifest:encrypted-key
+            doEncryptedKey(aConvertedAttribs);
+        else
+            aStack.back().m_bValid = false;
+        break;
+    }
+    case 3: {
+        ManifestStack::reverse_iterator aIter = aStack.rbegin();
+        ++aIter;
+
+        if (!aIter->m_bValid)
+            aStack.back().m_bValid = false;
+        else if (aConvertedName == ELEMENT_ENCRYPTION_DATA)   //manifest:encryption-data
+            doEncryptionData(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_ENCRYPTEDKEY)   //loext:encrypted-key
+            doEncryptedKey(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_ENCRYPTIONMETHOD13)   //manifest:encryption-method
+            doEncryptionMethod(aConvertedAttribs, ATTRIBUTE_ALGORITHM13);
+        else if (aConvertedName == ELEMENT_MANIFEST13_KEYINFO) //manifest:keyinfo
+            ;
+        else if (aConvertedName == ELEMENT_CIPHERDATA13)            //manifest:CipherData
+            ;
+        else
+            aStack.back().m_bValid = false;
+        break;
+    }
+    case 4: {
+        ManifestStack::reverse_iterator aIter = aStack.rbegin();
+        ++aIter;
+
+        if (!aIter->m_bValid)
+            aStack.back().m_bValid = false;
+        else if (aConvertedName == ELEMENT_ALGORITHM)   //manifest:algorithm,
+            doAlgorithm(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_KEY_DERIVATION) //manifest:key-derivation,
+            doKeyDerivation(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_START_KEY_GENERATION)   //manifest:start-key-generation
+            doStartKeyAlg(aConvertedAttribs);
+        else if (aConvertedName == ELEMENT_ENCRYPTIONMETHOD)   //loext:encryption-method
+            doEncryptionMethod(aConvertedAttribs, ATTRIBUTE_ALGORITHM);
+        else if (aConvertedName == ELEMENT_ENCRYPTED_KEYINFO)            //loext:KeyInfo
+            ;
+        else if (aConvertedName == ELEMENT_CIPHERDATA)            //loext:CipherData
+            ;
+        else if (aConvertedName == ELEMENT_PGPDATA13)   //manifest:PGPData
+            ;
+        else if (aConvertedName == ELEMENT_CIPHERVALUE13) //manifest:CipherValue
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else
+            aStack.back().m_bValid = false;
+        break;
+    }
+    case 5: {
+        ManifestStack::reverse_iterator aIter = aStack.rbegin();
+        ++aIter;
+
+        if (!aIter->m_bValid)
+            aStack.back().m_bValid = false;
+        else if (aConvertedName == ELEMENT_PGPDATA)   //loext:PGPData
+            ;
+        else if (aConvertedName == ELEMENT_CIPHERVALUE) //loext:CipherValue
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else if (aConvertedName == ELEMENT_PGPKEYID13)   //manifest:PGPKeyID
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else if (aConvertedName == ELEMENT_PGPKEYPACKET13) //manifest:PGPKeyPacket
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else
+            aStack.back().m_bValid = false;
+        break;
+    }
+    case 6: {
+        ManifestStack::reverse_iterator aIter = aStack.rbegin();
+        ++aIter;
+
+        if (!aIter->m_bValid)
+            aStack.back().m_bValid = false;
+        else if (aConvertedName == ELEMENT_PGPKEYID)   //loext:PGPKeyID
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else if (aConvertedName == ELEMENT_PGPKEYPACKET) //loext:PGPKeyPacket
+            // ciphervalue action happens on endElement
+            aCurrentCharacters = "";
+        else
+            aStack.back().m_bValid = false;
+        break;
+    }
+    default:
+        aStack.back().m_bValid = false;
+        break;
+    }
+}
+
+namespace
+{
+bool isEmpty(const css::beans::PropertyValue &rProp)
+{
+    return rProp.Name.isEmpty();
+}
+}
+
+void SAL_CALL ManifestImport::endElement( const OUString& aName )
+{
+    size_t nLevel = aStack.size();
+
+    assert(nLevel >= 1);
+
+    OUString aConvertedName = ConvertName( aName );
+    if ( aStack.empty() || aStack.rbegin()->m_aConvertedName != aConvertedName )
+        return;
+
+    if ( aConvertedName == ELEMENT_FILE_ENTRY && aStack.back().m_bValid ) {
+        // the first entry gets KeyInfo element if any, for PGP encryption
+        if (!bIgnoreEncryptData && !aKeys.empty() && rManVector.empty())
+        {
+            aSequence[PKG_MNFST_KEYINFO].Name = "KeyInfo";
+            aSequence[PKG_MNFST_KEYINFO].Value <<= comphelper::containerToSequence(aKeys);
+        }
+        std::erase_if(aSequence, isEmpty);
+
+        bIgnoreEncryptData = false;
+        rManVector.push_back ( comphelper::containerToSequence(aSequence) );
+
+        aSequence.clear();
+    }
+    else if ( (aConvertedName == ELEMENT_ENCRYPTEDKEY
+               || aConvertedName == ELEMENT_ENCRYPTEDKEY13)
+              && aStack.back().m_bValid ) {
+        if ( !bIgnoreEncryptData )
+        {
+            aKeys.push_back( comphelper::containerToSequence(aKeyInfoSequence) );
+            bPgpEncryption = true;
+        }
+        aKeyInfoSequence.clear();
+    }
+
+    // end element handling for elements with cdata
+    switch (nLevel) {
+        case 4: {
+            if (aConvertedName == ELEMENT_CIPHERVALUE13) //manifest:CipherValue
+                doEncryptedCipherValue();
+            else
+                aStack.back().m_bValid = false;
+            break;
+        }
+        case 5: {
+            if (aConvertedName == ELEMENT_CIPHERVALUE) //loext:CipherValue
+                doEncryptedCipherValue();
+            else if (aConvertedName == ELEMENT_PGPKEYID13)   //manifest:PGPKeyID
+                doEncryptedKeyId();
+            else if (aConvertedName == ELEMENT_PGPKEYPACKET13) //manifest:PGPKeyPacket
+                doEncryptedKeyPacket();
+            else
+                aStack.back().m_bValid = false;
+            break;
+        }
+        case 6: {
+            if (aConvertedName == ELEMENT_PGPKEYID)   //loext:PGPKeyID
+                doEncryptedKeyId();
+            else if (aConvertedName == ELEMENT_PGPKEYPACKET) //loext:PGPKeyPacket
+                doEncryptedKeyPacket();
+            else
+                aStack.back().m_bValid = false;
+            break;
+        }
+    }
+
+    aStack.pop_back();
+}
+
+void SAL_CALL ManifestImport::characters( const OUString& aChars )
+{
+    aCurrentCharacters.append(aChars);
+}
+
+void SAL_CALL ManifestImport::ignorableWhitespace( const OUString& /*aWhitespaces*/ )
+{
+}
+
+void SAL_CALL ManifestImport::processingInstruction( const OUString& /*aTarget*/, const OUString& /*aData*/ )
+{
+}
+
+void SAL_CALL ManifestImport::setDocumentLocator( const uno::Reference< xml::sax::XLocator >& /*xLocator*/ )
+{
+}
+
+OUString ManifestImport::PushNameAndNamespaces( const OUString& aName, const uno::Reference< xml::sax::XAttributeList >& xAttribs, StringHashMap& o_aConvertedAttribs )
+{
+    StringHashMap aNamespaces;
+    ::std::vector< ::std::pair< OUString, OUString > > aAttribsStrs;
+
+    if ( xAttribs.is() ) {
+        sal_Int16 nAttrCount = xAttribs.is() ? xAttribs->getLength() : 0;
+        aAttribsStrs.reserve( nAttrCount );
+
+        for( sal_Int16 nInd = 0; nInd < nAttrCount; nInd++ ) {
+            OUString aAttrName = xAttribs->getNameByIndex( nInd );
+            OUString aAttrValue = xAttribs->getValueByIndex( nInd );
+            if ( aAttrName.getLength() >= 5
+                 && aAttrName.startsWith("xmlns")
+                 && ( aAttrName.getLength() == 5 || aAttrName[5] == ':' ) ) {
+                // this is a namespace declaration
+                OUString aNsName( ( aAttrName.getLength() == 5 ) ? OUString() : aAttrName.copy( 6 ) );
+                aNamespaces[aNsName] = aAttrValue;
+            } else {
+                // this is no namespace declaration
+                aAttribsStrs.emplace_back( aAttrName, aAttrValue );
+            }
+        }
+    }
+
+    OUString aConvertedName = ConvertNameWithNamespace( aName, aNamespaces );
+    if ( !aConvertedName.getLength() )
+        aConvertedName = ConvertName( aName );
+
+    aStack.emplace_back( aConvertedName, std::move(aNamespaces) );
+
+    for (const std::pair<OUString,OUString> & rAttribsStr : aAttribsStrs) {
+        // convert the attribute names on filling
+        o_aConvertedAttribs[ConvertName( rAttribsStr.first )] = rAttribsStr.second;
+    }
+
+    return aConvertedName;
+}
+
+OUString ManifestImport::ConvertNameWithNamespace( const OUString& aName, const StringHashMap& aNamespaces )
+{
+    OUString aNsAlias;
+    OUString aPureName = aName;
+
+    sal_Int32 nInd = aName.indexOf( ':' );
+    if ( nInd != -1 && nInd < aName.getLength() ) {
+        aNsAlias = aName.copy( 0, nInd );
+        aPureName = aName.copy( nInd + 1 );
+    }
+
+    OUString aResult;
+
+    StringHashMap::const_iterator aIter = aNamespaces.find( aNsAlias );
+    if ( aIter != aNamespaces.end()
+         && ( aIter->second == MANIFEST_NAMESPACE || aIter->second == MANIFEST_OASIS_NAMESPACE ) ) {
+        // no check for manifest.xml consistency currently since the old versions have supported inconsistent documents as well
+        aResult = MANIFEST_NSPREFIX + aPureName;
+    }
+
+    return aResult;
+}
+
+OUString ManifestImport::ConvertName( const OUString& aName )
+{
+    OUString aConvertedName;
+    for ( ManifestStack::reverse_iterator aIter = aStack.rbegin(); !aConvertedName.getLength() && aIter != aStack.rend(); ++aIter ) {
+        if ( !aIter->m_aNamespaces.empty() )
+            aConvertedName = ConvertNameWithNamespace( aName, aIter->m_aNamespaces );
+    }
+
+    if ( !aConvertedName.getLength() )
+        aConvertedName = aName;
+
+    return aConvertedName;
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestImport.hxx b/package/source/manifest/ManifestImport.hxx
new file mode 100644
index 0000000000..fd86e02e4f
--- /dev/null
+++ b/package/source/manifest/ManifestImport.hxx
@@ -0,0 +1,103 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTIMPORT_HXX
+#define INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTIMPORT_HXX
+
+#include <cppuhelper/implbase.hxx>
+#include <com/sun/star/xml/sax/XDocumentHandler.hpp>
+#include <com/sun/star/beans/NamedValue.hpp>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+#include <rtl/ustrbuf.hxx>
+
+namespace com::sun::star {
+    namespace xml::sax { class XAttributeList; }
+    namespace beans { struct PropertyValue; }
+}
+
+typedef std::unordered_map< OUString, OUString > StringHashMap;
+
+struct ManifestScopeEntry
+{
+    OUString        m_aConvertedName;
+    StringHashMap   m_aNamespaces;
+    bool            m_bValid;
+
+    ManifestScopeEntry( OUString aConvertedName, StringHashMap&& aNamespaces )
+    : m_aConvertedName(std::move( aConvertedName ))
+    , m_aNamespaces( std::move(aNamespaces) )
+    , m_bValid( true )
+    {}
+};
+
+typedef ::std::vector< ManifestScopeEntry > ManifestStack;
+
+class ManifestImport final : public cppu::WeakImplHelper < css::xml::sax::XDocumentHandler >
+{
+    std::vector< css::beans::NamedValue > aKeyInfoSequence;
+    std::vector< css::uno::Sequence< css::beans::NamedValue > > aKeys;
+    std::vector< css::beans::PropertyValue > aSequence;
+    OUStringBuffer aCurrentCharacters{64};
+    ManifestStack aStack;
+    bool bIgnoreEncryptData;
+    bool bPgpEncryption;
+    sal_Int32 nDerivedKeySize;
+    ::std::vector < css::uno::Sequence < css::beans::PropertyValue > > & rManVector;
+
+
+    OUString PushNameAndNamespaces( const OUString& aName,
+                                           const css::uno::Reference< css::xml::sax::XAttributeList >& xAttribs,
+                                           StringHashMap& o_aConvertedAttribs );
+    static OUString ConvertNameWithNamespace( const OUString& aName, const StringHashMap& aNamespaces );
+    OUString ConvertName( const OUString& aName );
+
+public:
+    ManifestImport( std::vector < css::uno::Sequence < css::beans::PropertyValue > > & rNewVector );
+    virtual ~ManifestImport() override;
+    virtual void SAL_CALL startDocument(  ) override;
+    virtual void SAL_CALL endDocument(  ) override;
+    virtual void SAL_CALL startElement( const OUString& aName, const css::uno::Reference< css::xml::sax::XAttributeList >& xAttribs ) override;
+    virtual void SAL_CALL endElement( const OUString& aName ) override;
+    virtual void SAL_CALL characters( const OUString& aChars ) override;
+    virtual void SAL_CALL ignorableWhitespace( const OUString& aWhitespaces ) override;
+    virtual void SAL_CALL processingInstruction( const OUString& aTarget, const OUString& aData ) override;
+    virtual void SAL_CALL setDocumentLocator( const css::uno::Reference< css::xml::sax::XLocator >& xLocator ) override;
+
+private:
+    /// @throws css::uno::RuntimeException
+    void doFileEntry(StringHashMap &rConvertedAttribs);
+    /// @throws css::uno::RuntimeException
+    void doEncryptionData(StringHashMap &rConvertedAttribs);
+    /// @throws css::uno::RuntimeException
+    void doAlgorithm(StringHashMap &rConvertedAttribs);
+    /// @throws css::uno::RuntimeException
+    void doKeyDerivation(StringHashMap &rConvertedAttribs);
+    /// @throws css::uno::RuntimeException
+    void doStartKeyAlg(StringHashMap &rConvertedAttribs);
+    void doEncryptedKey(StringHashMap &);
+    void doEncryptionMethod(StringHashMap &, const OUString &);
+    void doEncryptedCipherValue();
+    void doEncryptedKeyId();
+    void doEncryptedKeyPacket();
+};
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestReader.cxx b/package/source/manifest/ManifestReader.cxx
new file mode 100644
index 0000000000..2a60feff02
--- /dev/null
+++ b/package/source/manifest/ManifestReader.cxx
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#include "ManifestReader.hxx"
+#include "ManifestImport.hxx"
+#include <comphelper/diagnose_ex.hxx>
+#include <comphelper/sequence.hxx>
+#include <cppuhelper/factory.hxx>
+#include <cppuhelper/supportsservice.hxx>
+#include <com/sun/star/io/IOException.hpp>
+#include <com/sun/star/xml/sax/XDocumentHandler.hpp>
+#include <com/sun/star/xml/sax/SAXParseException.hpp>
+#include <com/sun/star/xml/sax/Parser.hpp>
+#include <vector>
+
+using namespace ::com::sun::star::uno;
+using namespace ::com::sun::star::beans;
+using namespace ::com::sun::star::io;
+using namespace ::com::sun::star::lang;
+using namespace ::com::sun::star::registry;
+using namespace ::com::sun::star::packages;
+using namespace ::com::sun::star::xml::sax;
+
+ManifestReader::ManifestReader( const Reference < XComponentContext > & xContext )
+: m_xContext ( xContext )
+{
+}
+ManifestReader::~ManifestReader()
+{
+}
+Sequence< Sequence< PropertyValue > > SAL_CALL ManifestReader::readManifestSequence( const Reference< XInputStream >& rStream )
+{
+    Sequence < Sequence < PropertyValue > > aManifestSequence;
+    Reference < XParser > xParser  = Parser::create(m_xContext);
+    try
+    {
+        std::vector < Sequence < PropertyValue > > aManVector;
+        Reference < XDocumentHandler > xFilter = new ManifestImport( aManVector );
+        InputSource aParserInput;
+        aParserInput.aInputStream = rStream;
+        aParserInput.sSystemId = "META-INF/manifest.xml";
+        xParser->setDocumentHandler ( xFilter );
+        xParser->parseStream( aParserInput );
+        aManifestSequence = comphelper::containerToSequence(aManVector);
+    }
+    catch (const SAXParseException&)
+    {
+        TOOLS_WARN_EXCEPTION("package", "ignoring");
+    }
+    catch (const SAXException&)
+    {
+        TOOLS_WARN_EXCEPTION("package", "ignoring");
+    }
+    catch (const IOException&)
+    {
+        TOOLS_WARN_EXCEPTION("package", "ignoring");
+    }
+    xParser->setDocumentHandler ( Reference < XDocumentHandler > () );
+    return aManifestSequence;
+}
+// Component functions
+
+
+OUString ManifestReader::getImplementationName()
+{
+    return "com.sun.star.packages.manifest.comp.ManifestReader";
+}
+
+sal_Bool SAL_CALL ManifestReader::supportsService(OUString const & rServiceName)
+{
+    return cppu::supportsService(this, rServiceName );
+}
+
+Sequence < OUString > ManifestReader::getSupportedServiceNames()
+{
+    return { "com.sun.star.packages.manifest.ManifestReader" };
+}
+
+
+extern "C" SAL_DLLPUBLIC_EXPORT css::uno::XInterface*
+package_ManifestReader_get_implementation(
+    css::uno::XComponentContext* context , css::uno::Sequence<css::uno::Any> const&)
+{
+    return cppu::acquire(new ManifestReader(context));
+}
+
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestReader.hxx b/package/source/manifest/ManifestReader.hxx
new file mode 100644
index 0000000000..f85644162d
--- /dev/null
+++ b/package/source/manifest/ManifestReader.hxx
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTREADER_HXX
+#define INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTREADER_HXX
+
+#include <cppuhelper/implbase.hxx>
+#include <com/sun/star/packages/manifest/XManifestReader.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+
+namespace com::sun::star {
+    namespace lang { class XSingleServiceFactory; }
+    namespace uno { class XComponentContext; }
+}
+
+class ManifestReader: public ::cppu::WeakImplHelper
+<
+    css::packages::manifest::XManifestReader,
+    css::lang::XServiceInfo
+>
+{
+private:
+    css::uno::Reference< css::uno::XComponentContext > m_xContext;
+public:
+    ManifestReader( const css::uno::Reference< css::uno::XComponentContext > & xContext );
+    virtual ~ManifestReader() override;
+
+    // XManifestReader
+    virtual css::uno::Sequence< css::uno::Sequence< css::beans::PropertyValue > > SAL_CALL readManifestSequence( const css::uno::Reference< css::io::XInputStream >& rStream ) override;
+
+    // XServiceInfo
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestWriter.cxx b/package/source/manifest/ManifestWriter.cxx
new file mode 100644
index 0000000000..5515cc26df
--- /dev/null
+++ b/package/source/manifest/ManifestWriter.cxx
@@ -0,0 +1,92 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#include "ManifestWriter.hxx"
+#include "ManifestExport.hxx"
+#include <cppuhelper/exc_hlp.hxx>
+#include <cppuhelper/factory.hxx>
+#include <cppuhelper/supportsservice.hxx>
+#include <com/sun/star/xml/sax/Writer.hpp>
+#include <com/sun/star/lang/WrappedTargetRuntimeException.hpp>
+#include <com/sun/star/xml/sax/SAXException.hpp>
+
+#include <sal/log.hxx>
+
+using namespace ::com::sun::star;
+using namespace ::com::sun::star::uno;
+using namespace ::com::sun::star::beans;
+using namespace ::com::sun::star::io;
+using namespace ::com::sun::star::lang;
+using namespace ::com::sun::star::registry;
+using namespace ::com::sun::star::packages;
+using namespace ::com::sun::star::xml::sax;
+
+#if OSL_DEBUG_LEVEL > 0
+#define THROW_WHERE SAL_WHERE
+#else
+#define THROW_WHERE ""
+#endif
+
+ManifestWriter::ManifestWriter( const Reference < XComponentContext > & xContext )
+: m_xContext ( xContext )
+{
+}
+ManifestWriter::~ManifestWriter()
+{
+}
+
+// XManifestWriter methods
+void SAL_CALL ManifestWriter::writeManifestSequence( const Reference< XOutputStream >& rStream, const Sequence< Sequence< PropertyValue > >& rSequence )
+{
+    Reference < XWriter > xSource = Writer::create( m_xContext );
+    xSource->setOutputStream ( rStream );
+    try {
+        ManifestExport( xSource, rSequence);
+    }
+    catch( SAXException& )
+    {
+        css::uno::Any anyEx = cppu::getCaughtException();
+        throw css::lang::WrappedTargetRuntimeException( THROW_WHERE,
+                        nullptr, anyEx );
+    }
+}
+
+OUString ManifestWriter::getImplementationName()
+{
+    return "com.sun.star.packages.manifest.comp.ManifestWriter";
+}
+
+sal_Bool SAL_CALL ManifestWriter::supportsService(OUString const & rServiceName)
+{
+    return cppu::supportsService(this, rServiceName);
+}
+Sequence < OUString > ManifestWriter::getSupportedServiceNames()
+{
+    return { "com.sun.star.packages.manifest.ManifestWriter" };
+}
+
+
+extern "C" SAL_DLLPUBLIC_EXPORT css::uno::XInterface*
+package_ManifestWriter_get_implementation(
+    css::uno::XComponentContext* context , css::uno::Sequence<css::uno::Any> const&)
+{
+    return cppu::acquire(new ManifestWriter(context));
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/package/source/manifest/ManifestWriter.hxx b/package/source/manifest/ManifestWriter.hxx
new file mode 100644
index 0000000000..ca08bb0e40
--- /dev/null
+++ b/package/source/manifest/ManifestWriter.hxx
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTWRITER_HXX
+#define INCLUDED_PACKAGE_SOURCE_MANIFEST_MANIFESTWRITER_HXX
+
+#include <cppuhelper/implbase.hxx>
+#include <com/sun/star/packages/manifest/XManifestWriter.hpp>
+#include <com/sun/star/lang/XServiceInfo.hpp>
+
+namespace com::sun::star {
+    namespace lang { class XSingleServiceFactory; }
+    namespace uno { class XComponentContext;  }
+}
+
+class ManifestWriter: public ::cppu::WeakImplHelper
+<
+    css::packages::manifest::XManifestWriter,
+    css::lang::XServiceInfo
+>
+{
+private:
+    css::uno::Reference< css::uno::XComponentContext > m_xContext;
+public:
+    ManifestWriter( const css::uno::Reference< css::uno::XComponentContext > & xContext );
+    virtual ~ManifestWriter() override;
+
+    // XManifestWriter
+    virtual void SAL_CALL writeManifestSequence( const css::uno::Reference< css::io::XOutputStream >& rStream, const css::uno::Sequence< css::uno::Sequence< css::beans::PropertyValue > >& rSequence ) override;
+
+    // XServiceInfo
+    virtual OUString SAL_CALL getImplementationName(  ) override;
+    virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
+    virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames(  ) override;
+};
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */