Add CMS container class for use with 2 phase signing

DEVSIX-7842

Author: glenner003

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/asn1/ASN1EncodableBC.java

@@ -24,9 +24,9 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.commons.bouncycastle.asn1.IASN1Encodable;
 import com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive;
+import org.bouncycastle.asn1.ASN1Encodable;
 
 import java.util.Objects;
-import org.bouncycastle.asn1.ASN1Encodable;
 
 /**
  * Wrapper class for {@link ASN1Encodable}.
@@ -76,9 +76,10 @@ public boolean equals(Object o) {
         if (this == o) {
             return true;
         }
-        if (o == null || getClass() != o.getClass()) {
+        if (o == null || !this.getClass().isAssignableFrom(o.getClass())) {
             return false;
         }
+
         ASN1EncodableBC that = (ASN1EncodableBC) o;
         return Objects.equals(encodable, that.encodable);
     }

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/X509CertificateHolderBC.java

@@ -22,10 +22,13 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.bouncycastle.cert;
 
+import com.itextpdf.bouncycastle.asn1.x509.AlgorithmIdentifierBC;
+import com.itextpdf.commons.bouncycastle.asn1.x509.IAlgorithmIdentifier;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 
 import java.io.IOException;
 import java.util.Objects;
+
 import org.bouncycastle.cert.X509CertificateHolder;
 
 /**
@@ -62,6 +65,16 @@ public X509CertificateHolder getCertificateHolder() {
         return certificateHolder;
     }
 
+    /**
+     * {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public IAlgorithmIdentifier getSignatureAlgorithm() {
+        return new AlgorithmIdentifierBC(certificateHolder.getSignatureAlgorithm());
+    }
+
     /**
      * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
      */

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/asn1/ASN1EncodableBCFips.java

@@ -24,9 +24,9 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.commons.bouncycastle.asn1.IASN1Encodable;
 import com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive;
+import org.bouncycastle.asn1.ASN1Encodable;
 
 import java.util.Objects;
-import org.bouncycastle.asn1.ASN1Encodable;
 
 /**
  * Wrapper class for {@link ASN1Encodable}.
@@ -76,9 +76,10 @@ public boolean equals(Object o) {
         if (this == o) {
             return true;
         }
-        if (o == null || getClass() != o.getClass()) {
+        if (o == null || !this.getClass().isAssignableFrom(o.getClass())) {
             return false;
         }
+
         ASN1EncodableBCFips that = (ASN1EncodableBCFips) o;
         return Objects.equals(encodable, that.encodable);
     }

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/cert/X509CertificateHolderBCFips.java

@@ -22,10 +22,13 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.bouncycastlefips.cert;
 
+import com.itextpdf.bouncycastlefips.asn1.x509.AlgorithmIdentifierBCFips;
+import com.itextpdf.commons.bouncycastle.asn1.x509.IAlgorithmIdentifier;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 
 import java.io.IOException;
 import java.util.Objects;
+
 import org.bouncycastle.cert.X509CertificateHolder;
 
 /**
@@ -62,6 +65,16 @@ public X509CertificateHolder getCertificateHolder() {
         return certificateHolder;
     }
 
+    /**
+     * {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public IAlgorithmIdentifier getSignatureAlgorithm() {
+        return new AlgorithmIdentifierBCFips(certificateHolder.getSignatureAlgorithm());
+    }
+
     /**
      * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
      */

commons/src/main/java/com/itextpdf/commons/bouncycastle/cert/IX509CertificateHolder.java

@@ -22,9 +22,18 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.commons.bouncycastle.cert;
 
+import com.itextpdf.commons.bouncycastle.asn1.x509.IAlgorithmIdentifier;
+
 /**
  * This interface represents the wrapper for X509CertificateHolder that provides the ability
  * to switch between bouncy-castle and bouncy-castle FIPS implementations.
  */
 public interface IX509CertificateHolder {
+
+    /**
+     * Retrieves signature algorithm identifier from the certificate.
+     *
+     * @return signature algorithm.
+     */
+    IAlgorithmIdentifier getSignatureAlgorithm();
 }

sharpenConfiguration.xml

@@ -453,6 +453,7 @@
             <fileset reason="Java.Security does not exist in .net">
                 <file path="com/itextpdf/signatures/RSASSAPSSMechanismParams.java"/>
                 <file path="com/itextpdf/signatures/sign/RSASSAPSSTest.java"/>
+                <file path="com/itextpdf/signatures/sign/TwoPhaseSigningTest.java"/>
             </fileset>
             <fileset reason="Date and DateTime UTC time constructors difference in Java and .NET">
                 <file path="com/itextpdf/signatures/testutils/TimeTestUtil.java"/>

sign/src/main/java/com/itextpdf/signatures/CertificateUtil.java

@@ -40,10 +40,12 @@ This file is part of the iText (R) project.
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CRL;
 import java.security.cert.CRLException;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
@@ -209,11 +211,24 @@ public static String getTSAURL(X509Certificate certificate) {
         }
     }
 
+    /**
+     * Generates a certificate object and initializes it with the data read from the input stream inStream.
+     *
+     * @param data the input stream with the certificates.
+     *
+     * @return a certificate object initialized with the data from the input stream.
+     *
+     * @throws CertificateException on parsing errors.
+     */
+    public static Certificate generateCertificate(InputStream data) throws CertificateException {
+        return SignUtils.generateCertificate(data, FACTORY.getProvider());
+    }
+
     /**
      * Checks if the certificate is signed by provided issuer certificate.
      *
      * @param subjectCertificate a certificate to check
-     * @param issuerCertificate an issuer certificate to check
+     * @param issuerCertificate  an issuer certificate to check
      *
      * @return true if the first passed certificate is signed by next passed certificate.
      */
@@ -240,9 +255,9 @@ static boolean isSelfSigned(X509Certificate certificate) {
      *
      * @return the extension value as an {@link IASN1Primitive} object.
      * 
-     * @throws IOException
+     * @throws IOException on processing exception
      */
-    private static IASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
+    public static IASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
         return getExtensionValueFromByteArray(SignUtils.getExtensionValueByOid(certificate, oid));
     }
 
@@ -252,7 +267,7 @@ private static IASN1Primitive getExtensionValue(X509Certificate certificate, Str
      *
      * @return the extension value as an {@link IASN1Primitive} object.
      *
-     * @throws IOException
+     * @throws IOException on processing exception
      */
     private static IASN1Primitive getExtensionValue(CRL crl, String oid) throws IOException {
         return getExtensionValueFromByteArray(SignUtils.getExtensionValueByOid(crl, oid));
@@ -265,7 +280,7 @@ private static IASN1Primitive getExtensionValue(CRL crl, String oid) throws IOEx
      *
      * @return the extension value as an {@link IASN1Primitive} object.
      *
-     *  @throws IOException
+     * @throws IOException on processing exception.
      */
     private static IASN1Primitive getExtensionValueFromByteArray(byte[] extensionValue) throws IOException {
         if (extensionValue == null) {
@@ -296,7 +311,7 @@ private static String getStringFromGeneralName(IASN1Primitive names) {
      * Retrieves accessLocation value for specified accessMethod from the Authority Information Access extension.
      *
      * @param extensionValue Authority Information Access extension value
-     * @param accessMethod accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp
+     * @param accessMethod   accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp
      *
      * @return the location (URI) of the information.
      */

sign/src/main/java/com/itextpdf/signatures/PdfSigner.java

@@ -60,6 +60,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.pdf.annot.PdfAnnotation;
 import com.itextpdf.kernel.pdf.annot.PdfWidgetAnnotation;
 import com.itextpdf.pdfa.PdfAAgnosticPdfDocument;
+import com.itextpdf.signatures.cms.CMSContainer;
 import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
 
 import java.io.ByteArrayOutputStream;
@@ -253,7 +254,7 @@ public PdfSigner(PdfReader reader, OutputStream outputStream, String path, Stamp
         appearance = new PdfSignatureAppearance(document, new Rectangle(0, 0), 1);
         appearance.setSignDate(signDate);
     }
-    
+
     PdfSigner(PdfDocument document, OutputStream outputStream, ByteArrayOutputStream temporaryOS, File tempFile) {
         if (tempFile == null) {
             this.temporaryOS = temporaryOS;
@@ -946,31 +947,31 @@ public void timestamp(ITSAClient tsa, String signatureName) throws IOException,
      */
     public byte[] prepareDocumentForSignature(String digestAlgorithm, PdfName filter, PdfName subFilter,
             int estimatedSize, boolean includeDate) throws IOException, GeneralSecurityException {
-        if (closed) {
-            throw new PdfException(SignExceptionMessageConstant.THIS_INSTANCE_OF_PDF_SIGNER_ALREADY_CLOSED);
-        }
-
-        cryptoDictionary = createSignatureDictionary(includeDate);
-        cryptoDictionary.put(PdfName.Filter, filter);
-        cryptoDictionary.put(PdfName.SubFilter, subFilter);
-
-
-        Map<PdfName, Integer> exc = new HashMap<>();
-        exc.put(PdfName.Contents, estimatedSize * 2 + 2);
-        preClose(exc);
-
-        InputStream data = getRangeStream();
-        byte[] digest = DigestAlgorithms.digest(data, SignUtils.getMessageDigest(digestAlgorithm));
-
-        byte[] paddedSig = new byte[estimatedSize];
-
-        PdfDictionary dic2 = new PdfDictionary();
-        dic2.put(PdfName.Contents, new PdfString(paddedSig).setHexWriting(true));
-        close(dic2);
-
-        closed = true;
+        return prepareDocumentForSignature(SignUtils.getMessageDigest(digestAlgorithm), filter, subFilter,
+                estimatedSize, includeDate);
+    }
 
-        return digest;
+    /**
+     * Prepares document for signing, calculates the document digest to sign and closes the document.
+     *
+     * @param externalDigest  an external digest to provide the MessageDigest
+     * @param digestAlgorithm the algorithm to generate the digest with
+     * @param filter          PdfName of the signature handler to use when validating this signature
+     * @param subFilter       PdfName that describes the encoding of the signature
+     * @param estimatedSize   the estimated size of the signature, this is the size of the space reserved for
+     *                        the Cryptographic Message Container
+     * @param includeDate     specifies if the signing date should be set to the signature dictionary
+     *
+     * @return the message digest of the prepared document.
+     *
+     * @throws IOException              if some I/O problem occurs.
+     * @throws GeneralSecurityException if some problem during apply security algorithms occurs.
+     */
+    public byte[] prepareDocumentForSignature(IExternalDigest externalDigest, String digestAlgorithm, PdfName filter,
+                                              PdfName subFilter, int estimatedSize, boolean includeDate)
+            throws IOException, GeneralSecurityException {
+        return prepareDocumentForSignature(externalDigest.getMessageDigest(digestAlgorithm), filter, subFilter,
+                estimatedSize, includeDate);
     }
 
     /**
@@ -985,11 +986,30 @@ public byte[] prepareDocumentForSignature(String digestAlgorithm, PdfName filter
      * @throws GeneralSecurityException if some problem during apply security algorithms occurs.
      */
     public static void addSignatureToPreparedDocument(PdfDocument document, String fieldName, OutputStream outs,
-                                                    byte[] signedContent) throws IOException, GeneralSecurityException {
+                                                      byte[] signedContent)
+            throws IOException, GeneralSecurityException {
         SignatureApplier applier = new SignatureApplier(document, fieldName, outs);
         applier.apply(a -> signedContent);
     }
 
+    /**
+     * Adds an existing signature to a PDF where space was already reserved.
+     *
+     * @param document      the original PDF
+     * @param fieldName     the field to sign. It must be the last field
+     * @param outs          the output PDF
+     * @param cmsContainer  the finalized CMS container
+     *
+     * @throws IOException              if some I/O problem occurs.
+     * @throws GeneralSecurityException if some problem during apply security algorithms occurs.
+     */
+    public static void addSignatureToPreparedDocument(PdfDocument document, String fieldName, OutputStream outs,
+                                                      CMSContainer cmsContainer)
+            throws IOException, GeneralSecurityException {
+        SignatureApplier applier = new SignatureApplier(document, fieldName, outs);
+        applier.apply(a -> cmsContainer.serialize());
+    }
+
     /**
      * Signs a PDF where space was already reserved.
      *
@@ -1057,7 +1077,8 @@ protected boolean isPreClosed() {
      * document. Note that due to the hex string coding this size should be byte_size*2+2.
      *
      * @param exclusionSizes Map with names and sizes to be excluded in the signature
-     *                       calculation. The key is a PdfName and the value an Integer. At least the /Contents must be present
+     *                       calculation. The key is a PdfName and the value an Integer.
+     *                       At least the /Contents must be present
      * @throws IOException on error
      */
     protected void preClose(Map<PdfName, Integer> exclusionSizes) throws IOException {
@@ -1470,6 +1491,34 @@ protected int getWidgetPageNumber(PdfWidgetAnnotation widget) {
         return pageNumber;
     }
 
+    private byte[] prepareDocumentForSignature(MessageDigest messageDigest, PdfName filter,
+                                               PdfName subFilter, int estimatedSize, boolean includeDate)
+            throws IOException {
+        if (closed) {
+            throw new PdfException(SignExceptionMessageConstant.THIS_INSTANCE_OF_PDF_SIGNER_ALREADY_CLOSED);
+        }
+
+        cryptoDictionary = createSignatureDictionary(includeDate);
+        cryptoDictionary.put(PdfName.Filter, filter);
+        cryptoDictionary.put(PdfName.SubFilter, subFilter);
+
+
+        Map<PdfName, Integer> exc = new HashMap<>();
+        exc.put(PdfName.Contents, estimatedSize * 2 + 2);
+        preClose(exc);
+
+        InputStream data = getRangeStream();
+        byte[] digest = DigestAlgorithms.digest(data, messageDigest);
+        byte[] paddedSig = new byte[estimatedSize];
+
+        PdfDictionary dic2 = new PdfDictionary();
+        dic2.put(PdfName.Contents, new PdfString(paddedSig).setHexWriting(true));
+        close(dic2);
+
+        closed = true;
+        return digest;
+    }
+
     private boolean isDocumentPdf2() {
         return document.getPdfVersion().compareTo(PdfVersion.PDF_2_0) >= 0;
     }

sign/src/main/java/com/itextpdf/signatures/SecurityIDs.java

@@ -35,10 +35,10 @@ public class SecurityIDs {
     public static final String ID_RSA_WITH_SHA3_512 = "2.16.840.1.101.3.4.3.16";
     public static final String ID_DSA = "1.2.840.10040.4.1";
     public static final String ID_ECDSA = "1.2.840.10045.2.1";
-
     public static final String ID_ED25519 = "1.3.101.112";
     public static final String ID_ED448 = "1.3.101.113";
     public static final String ID_SHA256 = "2.16.840.1.101.3.4.2.1";
+    public static final String ID_SHA384 = "2.16.840.1.101.3.4.2.2";
     public static final String ID_SHA512 = "2.16.840.1.101.3.4.2.3";
     public static final String ID_SHAKE256 = "2.16.840.1.101.3.4.2.12";
     public static final String ID_CONTENT_TYPE = "1.2.840.113549.1.9.3";