
Commit bd67236

glenner003Eugene Bochilo
authored andcommitted
Add exception handling around interface points
DEVSIX-8400 Autoported commit. Original commit hash: [593bfbbfb] Manual files: commons/src/main/java/com/itextpdf/commons/utils/ThrowingAction.java commons/src/main/java/com/itextpdf/commons/utils/ThrowingSupplier.java sharpenConfiguration.xml sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/ExtendedKeyUsageExtension.java
1 parent 602679e commit bd67236

26 files changed

+1426
-120
lines changed

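--- a/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestCrlClientWrapper.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestCrlClientWrapper.cs
@@ -33,12 +33,21 @@ public class TestCrlClientWrapper : ICrlClient {
 private readonly IList<TestCrlClientWrapper.CrlClientCall> calls = new List<TestCrlClientWrapper.CrlClientCall
 >();
 
+private Func<TestCrlClientWrapper.CrlClientCall, ICollection<byte[]>> onGetEncoded;
+
 public TestCrlClientWrapper(ICrlClient wrappedClient) {
 this.wrappedClient = wrappedClient;
 }
 
 public virtual ICollection<byte[]> GetEncoded(IX509Certificate checkCert, String url) {
-ICollection<byte[]> crlBytesCollection = wrappedClient.GetEncoded(checkCert, url);
+TestCrlClientWrapper.CrlClientCall call = new TestCrlClientWrapper.CrlClientCall(checkCert, url);
+ICollection<byte[]> crlBytesCollection;
+if (onGetEncoded != null) {
+crlBytesCollection = onGetEncoded.Invoke(call);
+}
+else {
+crlBytesCollection = wrappedClient.GetEncoded(checkCert, url);
+}
 IList<IX509Crl> crlResponses = new List<IX509Crl>();
 foreach (byte[] crlBytes in crlBytesCollection) {
 try {
@@ -48,25 +57,35 @@ public virtual ICollection<byte[]> GetEncoded(IX509Certificate checkCert, String
 throw new Exception("Deserializing CRL response failed", e);
 }
 }
-calls.Add(new TestCrlClientWrapper.CrlClientCall(checkCert, url, crlResponses));
+call.SetResponses(crlResponses);
+calls.Add(call);
 return crlBytesCollection;
 }
 
 public virtual IList<TestCrlClientWrapper.CrlClientCall> GetCalls() {
 return calls;
 }
 
+public virtual iText.Signatures.Testutils.Client.TestCrlClientWrapper OnGetEncodedDo(Func<TestCrlClientWrapper.CrlClientCall
+, ICollection<byte[]>> callBack) {
+onGetEncoded = callBack;
+return this;
+}
+
 public class CrlClientCall {
 public readonly IX509Certificate checkCert;
 
 public readonly String url;
 
-public readonly IList<IX509Crl> responses;
+public IList<IX509Crl> responses;
 
-public CrlClientCall(IX509Certificate checkCert, String url, IList<IX509Crl> responses) {
+public CrlClientCall(IX509Certificate checkCert, String url) {
 this.checkCert = checkCert;
 this.url = url;
-this.responses = responses;
+}
+
+public virtual void SetResponses(IList<IX509Crl> crlResponses) {
+responses = crlResponses;
 }
 }
 }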
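Review bot: `calls.Add(call)` still runs only after the CRL bytes have been fetched and deserialized, so when the new `onGetEncoded` callback throws (or returns null and the `foreach` fails), `GetCalls()` shows no trace of the attempt. Tests that inject a failing client then cannot assert that the validator actually consulted it. Since the call object is now built up front, record it immediately: move `calls.Add(call);` to directly after `new TestCrlClientWrapper.CrlClientCall(checkCert, url)` and leave `call.SetResponses(crlResponses);` where it is. `TestOcspClientWrapper.GetEncoded` has the same ordering, with `calls.Add(call)` inside its `try`. Part of this method's body lies between the two hunks and is not shown.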

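--- a/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestOcspClientWrapper.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestOcspClientWrapper.cs
@@ -38,16 +38,27 @@ public class TestOcspClientWrapper : IOcspClient {
 
 private readonly IOcspClient wrappedClient;
 
+private Func<TestOcspClientWrapper.OcspClientCall, byte[]> onGetEncoded;
+
 public TestOcspClientWrapper(IOcspClient wrappedClient) {
 this.wrappedClient = wrappedClient;
 }
 
 public virtual byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate issuerCert, String url) {
-byte[] response = wrappedClient.GetEncoded(checkCert, issuerCert, url);
+TestOcspClientWrapper.OcspClientCall call = new TestOcspClientWrapper.OcspClientCall(checkCert, issuerCert
+, url);
+byte[] response;
+if (onGetEncoded != null) {
+response = onGetEncoded.Invoke(call);
+}
+else {
+response = wrappedClient.GetEncoded(checkCert, issuerCert, url);
+}
 try {
 IBasicOcspResponse basicOCSPResp = BOUNCY_CASTLE_FACTORY.CreateBasicOCSPResponse(BOUNCY_CASTLE_FACTORY.CreateASN1Primitive
 (response));
-calls.Add(new TestOcspClientWrapper.OcspClientCall(checkCert, issuerCert, url, basicOCSPResp));
+call.SetResponce(basicOCSPResp);
+calls.Add(call);
 }
 catch (System.IO.IOException e) {
 throw new Exception("deserializing ocsp response failed", e);
@@ -59,21 +70,29 @@ public virtual byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate is
 return calls;
 }
 
+public virtual iText.Signatures.Testutils.Client.TestOcspClientWrapper OnGetEncodedDo(Func<TestOcspClientWrapper.OcspClientCall
+, byte[]> callBack) {
+onGetEncoded = callBack;
+return this;
+}
+
 public class OcspClientCall {
 public readonly IX509Certificate checkCert;
 
 public readonly IX509Certificate issuerCert;
 
 public readonly String url;
 
-public readonly IBasicOcspResponse response;
+public IBasicOcspResponse response;
 
-public OcspClientCall(IX509Certificate checkCert, IX509Certificate issuerCert, String url, IBasicOcspResponse
-response) {
+public OcspClientCall(IX509Certificate checkCert, IX509Certificate issuerCert, String url) {
 this.checkCert = checkCert;
 this.issuerCert = issuerCert;
 this.url = url;
-this.response = response;
+}
+
+public virtual void SetResponce(IBasicOcspResponse basicOCSPResp) {
+response = basicOCSPResp;
 }
 }
 }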
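Review bot: `SetResponce` is misspelled, and because it is a public method on a shared test utility the typo spreads to every caller; the CRL counterpart in this same commit is spelled `SetResponses`. Rename it to `SetResponse` and update the call site to `call.SetResponse(basicOCSPResp);`. The commit is marked as autoported, so the rename probably has to be made in the Java original as well. `response` also lost `readonly` and is now a public mutable field next to its setter; a comment such as `// assigned once by GetEncoded after the OCSP response is deserialized` would record the intended usage.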

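--- a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/CRLValidatorTest.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/CRLValidatorTest.cs
@@ -326,6 +326,37 @@ public virtual void CertExpiredAfterDateFromExpiredCertOnCrlExtensionTest() {
 (0));
 }
 
+[NUnit.Framework.Test]
+public virtual void CertificateRetrieverFailureTest() {
+RetrieveTestResources("happyPath");
+byte[] crl = CreateCrl(crlIssuerCert, crlIssuerKey, TimeTestUtil.TEST_DATE_TIME.AddDays(-5), TimeTestUtil.
+TEST_DATE_TIME.AddDays(+5));
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever();
+mockCertificateRetriever.OngetCrlIssuerCertificatesDo((c) => {
+throw new Exception("just testing");
+}
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+validatorChainBuilder.WithCRLValidator(new CRLValidator(validatorChainBuilder));
+ValidationReport report = PerformValidation("happyPath", TimeTestUtil.TEST_DATE_TIME, crl);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(CRLValidator.CRL_ISSUER_REQUEST_FAILED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void ChainValidatorFailureTest() {
+RetrieveTestResources("happyPath");
+byte[] crl = CreateCrl(crlIssuerCert, crlIssuerKey, TimeTestUtil.TEST_DATE_TIME.AddDays(-5), TimeTestUtil.
+TEST_DATE_TIME.AddDays(+5));
+mockChainValidator.OnCallDo((c) => {
+throw new Exception("Just testing");
+}
+);
+ValidationReport report = PerformValidation("happyPath", TimeTestUtil.TEST_DATE_TIME, crl);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(CRLValidator.CRL_ISSUER_CHAIN_FAILED)));
+}
+
 [NUnit.Framework.Test]
 public virtual void ProvidedTimeIsUsedForResponderValidation() {
 RetrieveTestResources("happyPath");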
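Review bot: `OngetCrlIssuerCertificatesDo` in `CertificateRetrieverFailureTest` breaks the casing used by the other mock hooks called in this commit (`OnGetTrustedCertificatesStoreDo`, `OnRetrieveIssuerCertificateDo`, `OnCallDo`); it should read `OnGetCrlIssuerCertificatesDo`. The method is defined in `MockIssuingCertificateRetriever`, outside this hunk, so the rename has to start there. Both new tests would also benefit from a one-line comment such as `// a throwing collaborator must yield INDETERMINATE, not an unhandled exception`, since that fail-safe outcome is what the assertions pin.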

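--- a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/CertificateChainValidatorTest.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/CertificateChainValidatorTest.cs
@@ -26,6 +26,7 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Commons.Utils;
 using iText.Signatures;
 using iText.Signatures.Testutils;
+using iText.Signatures.Testutils.Client;
 using iText.Signatures.Validation.V1.Context;
 using iText.Signatures.Validation.V1.Extensions;
 using iText.Signatures.Validation.V1.Mocks;
@@ -469,5 +470,110 @@ public virtual void RootCertificateTrustedForTimestampTest() {
 )).HasLogItem((l) => l.WithMessage(CertificateChainValidator.ISSUER_MISSING, (i) => rootCert.GetSubjectDN
 ())));
 }
+
+[NUnit.Framework.Test]
+public virtual void TrustStoreFailureTest() {
+String chainName = CERTS_SRC + "chain.pem";
+IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+).OnGetTrustedCertificatesStoreDo(() => {
+throw new Exception("Test trust store failure");
+}
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+));
+certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItems(1, 10, (la) => la.WithMessage(CertificateChainValidator.TRUSTSTORE_RETRIEVAL_FAILED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void IssuerRetrievalFailureTest() {
+String chainName = CERTS_SRC + "chain.pem";
+IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+).OnRetrieveIssuerCertificateDo((c) => {
+throw new Exception("Test issuer retrieval failure");
+}
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+));
+certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItems(1, 10, (la) => la.WithMessage(CertificateChainValidator.ISSUER_RETRIEVAL_FAILED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void RevocationValidationFailureTest() {
+String chainName = CERTS_SRC + "chain.pem";
+IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+mockRevocationDataValidator.OnValidateDo((c) => {
+throw new Exception("Test revocation validation failure");
+}
+);
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+));
+certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItems(1, 10, (la) => la.WithMessage(CertificateChainValidator.REVOCATION_VALIDATION_FAILED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void AddCrlClientPasstroughTest() {
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+validator.AddCrlClient(new TestCrlClient());
+NUnit.Framework.Assert.AreEqual(1, mockRevocationDataValidator.crlClientsAdded.Count);
+}
+
+[NUnit.Framework.Test]
+public virtual void AddOcdpClientPasstroughTest() {
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+validator.AddOcspClient(new TestOcspClient());
+NUnit.Framework.Assert.AreEqual(1, mockRevocationDataValidator.ocspClientsAdded.Count);
+}
+
+[NUnit.Framework.Test]
+public virtual void TestStopOnInvalidRevocationResultTest() {
+mockRevocationDataValidator.OnValidateDo((c) => c.report.AddReportItem(new ReportItem("test", "test", ReportItem.ReportItemStatus
+.INVALID)));
+String chainName = CERTS_SRC + "chain.pem";
+IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+properties.SetContinueAfterFailure(ValidatorContexts.All(), CertificateSources.All(), false);
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+));
+certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INVALID));
+NUnit.Framework.Assert.AreEqual(0, mockCertificateRetriever.getCrlIssuerCertificatesCalls.Count);
+NUnit.Framework.Assert.AreEqual(1, mockRevocationDataValidator.calls.Count);
+}
 }
 }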
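Review bot: Two of the new test names are misspelled: `AddCrlClientPasstroughTest` and `AddOcdpClientPasstroughTest` should read `AddCrlClientPassthroughTest` and `AddOcspClientPassthroughTest`, otherwise a search for the OCSP tests misses the second one. Both tests also assert only that the recorded count is 1; keeping the client in a local and comparing it with the recorded entry would show that the same instance was forwarded, assuming `crlClientsAdded` and `ocspClientsAdded` are indexable lists. The commit is marked as autoported, so the renames probably belong in the Java original.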

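--- a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/OCSPValidatorTest.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/OCSPValidatorTest.cs
@@ -379,6 +379,81 @@ public virtual void CertExpiredAfterArchiveCutoffDateTest() {
 (0).HasNumberOfLogs(0));
 }
 
+[NUnit.Framework.Test]
+public virtual void CertificateRetrieverRetrieveIssuerCertificateFailureTest() {
+DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever();
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+mockCertificateRetriever.OnRetrieveIssuerCertificateDo((c) => {
+throw new Exception("Test retrieveMissingCertificates failure");
+}
+);
+ValidationReport report = ValidateTest(checkDate);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(OCSPValidator.UNABLE_TO_RETRIEVE_ISSUER)));
+}
+
+[NUnit.Framework.Test]
+public virtual void CertificateRetrieverRetrieveOCSPResponderCertificateFailureTest() {
+DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+mockCertificateRetriever.OnRetrieveOCSPResponderCertificateDo((c) => {
+throw new Exception("Test retrieveMissingCertificates failure");
+}
+);
+ValidationReport report = ValidateTest(checkDate);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(OCSPValidator.OCSP_RESPONDER_NOT_RETRIEVED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void CertificateRetrieverIsCertificateTrustedFailureTest() {
+DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+mockCertificateRetriever.OnIsCertificateTrustedDo((c) => {
+throw new Exception("Test isCertificateTrusted failure");
+}
+);
+ValidationReport report = ValidateTest(checkDate);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(OCSPValidator.OCSP_RESPONDER_TRUST_NOT_RETRIEVED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void CertificateRetrieverIsCertificateTrustedForOcspFailureTest() {
+DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+MockIssuingCertificateRetriever mockCertificateRetriever = new MockIssuingCertificateRetriever(certificateRetriever
+);
+validatorChainBuilder.WithIssuingCertificateRetriever(mockCertificateRetriever);
+mockCertificateRetriever.OnIsCertificateTrustedDo((c) => false);
+MockTrustedCertificatesStore mockTrustedStore = new MockTrustedCertificatesStore(certificateRetriever.GetTrustedCertificatesStore
+());
+mockCertificateRetriever.OnGetTrustedCertificatesStoreDo(() => mockTrustedStore);
+mockTrustedStore.OnIsCertificateTrustedForOcspDo((c) => {
+throw new Exception("Test isCertificateTrustedForOcsp failure");
+}
+);
+ValidationReport report = ValidateTest(checkDate);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(OCSPValidator.OCSP_RESPONDER_TRUST_NOT_RETRIEVED)));
+}
+
+[NUnit.Framework.Test]
+public virtual void CertificateChainValidationFailureTest() {
+DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+mockCertificateChainValidator.OnCallDo((c) => {
+throw new Exception("Test chain validation failure");
+}
+);
+ValidationReport report = ValidateTest(checkDate);
+AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
+).HasLogItem((l) => l.WithMessage(OCSPValidator.OCSP_RESPONDER_NOT_VERIFIED)));
+}
+
 private ValidationReport ValidateTest(DateTime checkDate) {
 return ValidateTest(checkDate, checkDate.AddDays(1), 0);
 }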
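Review bot: The exception messages in `CertificateRetrieverRetrieveIssuerCertificateFailureTest` and `CertificateRetrieverRetrieveOCSPResponderCertificateFailureTest` both say `"Test retrieveMissingCertificates failure"`, which names neither of the hooks being failed and makes the two cases indistinguishable in a log or stack trace. Use `throw new Exception("Test retrieveIssuerCertificate failure");` and `throw new Exception("Test retrieveOCSPResponderCertificate failure");`, matching the pattern of the `isCertificateTrusted` tests below them.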
