Cover CertificateVerification#verifyOcspCertificates with tests

DEVSIX-6099

Autoported commit.
Original commit hash: [fce60d8fa]

Author: Eugene Bochilo

itext.tests/itext.sign.tests/itext/signatures/verify/CertificateVerificationClassTest.cs

@@ -56,6 +56,9 @@ source product.
 
 namespace iText.Signatures.Verify {
     public class CertificateVerificationClassTest : ExtendedITextTest {
+        // Such messageTemplate is equal to any log message. This is required for porting reasons.
+        private const String ANY_LOG_MESSAGE = "{0}";
+
         private static readonly String certsSrc = iText.Test.TestUtil.GetParentProjectDirectory(NUnit.Framework.TestContext
             .CurrentContext.TestDirectory) + "/resources/itext/signatures/certs/";
 
@@ -97,7 +100,7 @@ public virtual void TimestampCertificateAndKeyStoreDoNotCorrespondTest() {
         }
 
         [NUnit.Framework.Test]
-        [LogMessage("Unexpected exception was thrown during keystore processing")]
+        [LogMessage(ANY_LOG_MESSAGE)]
         public virtual void KeyStoreWithoutCertificatesTest() {
             String tsaCertFileName = certsSrc + "tsCertRsa.p12";
             NUnit.Framework.Assert.IsFalse(VerifyTimestampCertificates(tsaCertFileName, null));

itext.tests/itext.sign.tests/itext/signatures/verify/OcspCertificateVerificationTest.cs

@@ -0,0 +1,78 @@
+using System;
+using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.Ocsp;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Ocsp;
+using Org.BouncyCastle.X509;
+using iText.Signatures;
+using iText.Signatures.Testutils.Client;
+using iText.Test;
+using iText.Test.Attributes;
+using iText.Test.Signutils;
+
+namespace iText.Signatures.Verify {
+    public class OcspCertificateVerificationTest : ExtendedITextTest {
+        // Such messageTemplate is equal to any log message. This is required for porting reasons.
+        private const String ANY_LOG_MESSAGE = "{0}";
+
+        private static readonly String ocspCertsSrc = iText.Test.TestUtil.GetParentProjectDirectory(NUnit.Framework.TestContext
+            .CurrentContext.TestDirectory) + "/resources/itext/signatures/verify/OcspCertificateVerificationTest/";
+
+        private static readonly String rootOcspCert = ocspCertsSrc + "ocspRootRsa.p12";
+
+        private static readonly String signOcspCert = ocspCertsSrc + "ocspSignRsa.p12";
+
+        private static readonly String notOcspAndOcspCert = ocspCertsSrc + "notOcspAndOcspCertificates.p12";
+
+        private static readonly char[] password = "testpass".ToCharArray();
+
+        private const String ocspServiceUrl = "http://localhost:9000/demo/ocsp/ocsp-service";
+
+        private static X509Certificate checkCert;
+
+        private static X509Certificate rootCert;
+
+        [NUnit.Framework.OneTimeSetUp]
+        public static void Before() {
+            checkCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(signOcspCert, password)[0];
+            rootCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(rootOcspCert, password)[0];
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void KeyStoreWithRootOcspCertificateTest() {
+            BasicOcspResp response = GetOcspResponse();
+            NUnit.Framework.Assert.IsTrue(CertificateVerification.VerifyOcspCertificates(response, Pkcs12FileHelper.InitStore
+                (rootOcspCert, password)));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void KeyStoreWithSignOcspCertificateTest() {
+            BasicOcspResp response = GetOcspResponse();
+            NUnit.Framework.Assert.IsFalse(CertificateVerification.VerifyOcspCertificates(response, Pkcs12FileHelper.InitStore
+                (signOcspCert, password)));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void KeyStoreWithNotOcspAndOcspCertificatesTest() {
+            BasicOcspResp response = GetOcspResponse();
+            NUnit.Framework.Assert.IsTrue(CertificateVerification.VerifyOcspCertificates(response, Pkcs12FileHelper.InitStore
+                (notOcspAndOcspCert, password)));
+        }
+
+        [NUnit.Framework.Test]
+        [LogMessage(ANY_LOG_MESSAGE)]
+        public virtual void KeyStoreWithNotOcspCertificateTest() {
+            NUnit.Framework.Assert.IsFalse(CertificateVerification.VerifyOcspCertificates(null, Pkcs12FileHelper.InitStore
+                (signOcspCert, password)));
+        }
+
+        private static BasicOcspResp GetOcspResponse() {
+            TestOcspClient testClient = new TestOcspClient();
+            ICipherParameters key = Pkcs12FileHelper.ReadFirstKey(rootOcspCert, password, password);
+            testClient.AddBuilderForCertIssuer(rootCert, key);
+            byte[] ocspResponseBytes = testClient.GetEncoded(checkCert, rootCert, ocspServiceUrl);
+            Asn1Object var2 = Asn1Object.FromByteArray(ocspResponseBytes);
+            return new BasicOcspResp(BasicOcspResponse.GetInstance(var2));
+        }
+    }
+}

itext.tests/itext.sign.tests/resources/itext/signatures/verify/OcspCertificateVerificationTest/notOcspAndOcspCertificates.p12

@@ -49,12 +49,13 @@ source product.
 using Org.BouncyCastle.X509;
 using iText.Commons;
 using iText.Commons.Utils;
+using iText.Signatures.Logs;
 
 namespace iText.Signatures {
     /// <summary>This class consists of some methods that allow you to verify certificates.</summary>
     public class CertificateVerification {
         /// <summary>The Logger instance.</summary>
-        private static readonly ILogger LOGGER = ITextLogManager.GetLogger(typeof(CrlClientOnline));
+        private static readonly ILogger LOGGER = ITextLogManager.GetLogger(typeof(CertificateVerification));
 
         /// <summary>Verifies a single certificate for the current date.</summary>
         /// <param name="cert">the certificate to verify</param>
@@ -209,7 +210,9 @@ public static bool VerifyOcspCertificates(BasicOcspResp ocsp, List<X509Certifica
             try {
                 foreach (X509Certificate certStoreX509 in SignUtils.GetCertificates(keystore)) {
                     try {
-                        return SignUtils.IsSignatureValid(ocsp, certStoreX509);
+                        if (SignUtils.IsSignatureValid(ocsp, certStoreX509)) {
+                            return true;
+                        }
                     }
                     catch (Exception ex) {
                         exceptionsThrown.Add(ex);
@@ -219,9 +222,7 @@ public static bool VerifyOcspCertificates(BasicOcspResp ocsp, List<X509Certifica
             catch (Exception e) {
                 exceptionsThrown.Add(e);
             }
-            foreach (Exception ex in exceptionsThrown) {
-                LOGGER.LogError(ex, ex.Message);
-            }
+            LogExceptionMessages(exceptionsThrown);
             return false;
         }
 
@@ -243,12 +244,16 @@ public static bool VerifyTimestampCertificates(TimeStampToken ts, List<X509Certi
                 }
             }
             catch (Exception e) {
-                LOGGER.LogError(e, "Unexpected exception was thrown during keystore processing");
+                exceptionsThrown.Add(e);
             }
+            LogExceptionMessages(exceptionsThrown);
+            return false;
+        }
+
+        private static void LogExceptionMessages(IList<Exception> exceptionsThrown) {
             foreach (Exception ex in exceptionsThrown) {
-                LOGGER.LogError(ex, ex.Message);
+                LOGGER.LogError(ex, ex.Message == null ? SignLogMessageConstant.EXCEPTION_WITHOUT_MESSAGE : ex.Message);
             }
-            return false;
         }
     }
 }

itext.tests/itext.sign.tests/resources/itext/signatures/verify/OcspCertificateVerificationTest/ocspRootRsa.p12

@@ -0,0 +1,12 @@
+using System;
+
+namespace iText.Signatures.Logs {
+    /// <summary>Class which contains constants to be used in logging inside sign module.</summary>
+    public sealed class SignLogMessageConstant {
+        public const String EXCEPTION_WITHOUT_MESSAGE = "Unexpected exception without message was thrown during keystore processing";
+
+        private SignLogMessageConstant() {
+        }
+        // Private constructor will prevent the instantiation of this class directly
+    }
+}

itext.tests/itext.sign.tests/resources/itext/signatures/verify/OcspCertificateVerificationTest/ocspSignRsa.p12

@@ -1 +1 @@
-3578748626f7e3c0b910f50baebb96f5783e3c02 
+fce60d8fad64657b947cd4f245cd63e232cbce3d