Add test for PdfSigner#signDetached with crl and no ocsp

yulian-gaponenko · Ubuntu · commit 19dee4f93a0a · 2022-02-11T14:38:16.000Z
DEVSIX-6151
diff --git a/sign/src/main/java/com/itextpdf/signatures/CrlClientOnline.java b/sign/src/main/java/com/itextpdf/signatures/CrlClientOnline.java
@@ -136,8 +136,8 @@ public Collection<byte[]> getEncoded(X509Certificate checkCert, String url) {
         if (checkCert == null) {
             return null;
         }
-        List<URL> urllist = new ArrayList<>(urls);
-        if (urllist.size() == 0) {
+        List<URL> urlList = new ArrayList<>(urls);
+        if (urlList.size() == 0) {
             LOGGER.info("Looking for CRL for certificate " + checkCert.getSubjectDN());
             try {
                 if (url == null) {
@@ -146,14 +146,14 @@ public Collection<byte[]> getEncoded(X509Certificate checkCert, String url) {
                 if (url == null) {
                     throw new IllegalArgumentException("Passed url can not be null.");
                 }
-                urllist.add(new URL(url));
+                urlList.add(new URL(url));
                 LOGGER.info("Found CRL url: " + url);
             } catch (Exception e) {
                 LOGGER.info("Skipped CRL url: " + e.getMessage());
             }
         }
         List<byte[]> ar = new ArrayList<>();
-        for (URL urlt : urllist) {
+        for (URL urlt : urlList) {
             try {
                 LOGGER.info("Checking CRL: " + urlt);
                 InputStream inp = SignUtils.getHttpResponse(urlt);
diff --git a/sign/src/main/java/com/itextpdf/signatures/PdfPKCS7.java b/sign/src/main/java/com/itextpdf/signatures/PdfPKCS7.java
@@ -1063,8 +1063,9 @@ private DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Collection<byte
                 if (haveCrl) {
                     ASN1EncodableVector v2 = new ASN1EncodableVector();
                     for (byte[] bCrl : crlBytes) {
-                        if (bCrl == null)
+                        if (bCrl == null) {
                             continue;
+                        }
                         ASN1InputStream t = new ASN1InputStream(new ByteArrayInputStream(bCrl));
                         v2.add(t.readObject());
                     }
diff --git a/sign/src/main/java/com/itextpdf/signatures/PdfSigner.java b/sign/src/main/java/com/itextpdf/signatures/PdfSigner.java
@@ -820,17 +820,16 @@ protected Collection<byte[]> processCrl(Certificate cert, Collection<ICrlClient>
         }
         List<byte[]> crlBytes = new ArrayList<>();
         for (ICrlClient cc : crlList) {
-            if (cc == null)
+            if (cc == null) {
                 continue;
+            }
             Collection<byte[]> b = cc.getEncoded((X509Certificate) cert, null);
-            if (b == null)
+            if (b == null) {
                 continue;
+            }
             crlBytes.addAll(b);
         }
-        if (crlBytes.size() == 0)
-            return null;
-        else
-            return crlBytes;
+        return crlBytes.size() == 0 ? null : crlBytes;
     }
 
     protected void addDeveloperExtension(PdfDeveloperExtension extension) {
diff --git a/sign/src/test/java/com/itextpdf/signatures/LtvVerificationTest.java b/sign/src/test/java/com/itextpdf/signatures/LtvVerificationTest.java
@@ -110,7 +110,7 @@ public void addVerificationToDocumentWithAlreadyExistedDss() throws IOException,
             X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(rootCertPath, PASSWORD)[0];
             PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(rootCertPath, PASSWORD, PASSWORD);
 
-            verification.addVerification("TestSignature", null, new TestCrlClient(caCert, caPrivateKey),
+            verification.addVerification("TestSignature", null, new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey),
                     CertificateOption.SIGNING_CERTIFICATE, Level.CRL, CertificateInclusion.NO);
 
             verification.merge();
diff --git a/sign/src/test/java/com/itextpdf/signatures/sign/LtvSigTest.java b/sign/src/test/java/com/itextpdf/signatures/sign/LtvSigTest.java
diff --git a/sign/src/test/java/com/itextpdf/signatures/sign/LtvWithTwoSignaturesTest.java b/sign/src/test/java/com/itextpdf/signatures/sign/LtvWithTwoSignaturesTest.java
@@ -98,7 +98,7 @@ public void addLtvInfo() throws GeneralSecurityException, java.io.IOException {
         TestOcspClient testOcspClient = new TestOcspClient()
                 .addBuilderForCertIssuer(interCert, interPrivateKey)
                 .addBuilderForCertIssuer(caCert, caPrivateKey);
-        TestCrlClient testCrlClient = new TestCrlClient(caCert, caPrivateKey);
+        TestCrlClient testCrlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
 
         addLtvInfo(srcFileName, ltvFileName, "Signature1", testOcspClient, testCrlClient);
         addLtvInfo(ltvFileName, ltvFileName2, "Signature2", testOcspClient, testCrlClient);
diff --git a/sign/src/test/java/com/itextpdf/signatures/sign/PadesSignatureLevelTest.java b/sign/src/test/java/com/itextpdf/signatures/sign/PadesSignatureLevelTest.java
@@ -134,7 +134,7 @@ public void padesSignatureLevelLTTest01() throws GeneralSecurityException, IOExc
         X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertFileName, password)[0];
         PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertFileName, password, password);
 
-        ICrlClient crlClient = new TestCrlClient(caCert, caPrivateKey);
+        ICrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
         TestOcspClient ocspClient = new TestOcspClient().addBuilderForCertIssuer(caCert, caPrivateKey);
 
         PdfDocument document = new PdfDocument(new PdfReader(srcFileName), new PdfWriter(outFileName), new StampingProperties().useAppendMode());
diff --git a/sign/src/test/java/com/itextpdf/signatures/testutils/builder/TestCrlBuilder.java b/sign/src/test/java/com/itextpdf/signatures/testutils/builder/TestCrlBuilder.java
@@ -42,8 +42,8 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures.testutils.builder;
 
-
 import com.itextpdf.commons.utils.DateTimeUtil;
+
 import java.io.IOException;
 import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
@@ -62,12 +62,15 @@ public class TestCrlBuilder {
 
     private static final String SIGN_ALG = "SHA256withRSA";
 
-    private X509v2CRLBuilder crlBuilder;
+    private final PrivateKey issuerPrivateKey;
+    private final X509v2CRLBuilder crlBuilder;
     private Date nextUpdate = DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), 30);
 
-    public TestCrlBuilder(X509Certificate caCert, Date thisUpdate) throws CertificateEncodingException {
-        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
-        crlBuilder = new X509v2CRLBuilder(issuerDN, thisUpdate);
+    public TestCrlBuilder(X509Certificate issuerCert, PrivateKey issuerPrivateKey, Date thisUpdate)
+            throws CertificateEncodingException {
+        String issuerCertSubjectDn = PrincipalUtil.getSubjectX509Principal(issuerCert).getName();
+        this.crlBuilder = new X509v2CRLBuilder(new X500Name(issuerCertSubjectDn), thisUpdate);
+        this.issuerPrivateKey = issuerPrivateKey;
     }
 
     public void setNextUpdate(Date nextUpdate) {
@@ -81,8 +84,10 @@ public void addCrlEntry(X509Certificate certificate, Date revocationDate, int re
         crlBuilder.addCRLEntry(certificate.getSerialNumber(), revocationDate, reason);
     }
 
-    public byte[] makeCrl(PrivateKey caPrivateKey) throws IOException, OperatorCreationException {
-        ContentSigner signer = new JcaContentSignerBuilder(SIGN_ALG).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(caPrivateKey);
+    public byte[] makeCrl() throws IOException, OperatorCreationException {
+        ContentSigner signer =
+                new JcaContentSignerBuilder(SIGN_ALG).setProvider(BouncyCastleProvider.PROVIDER_NAME)
+                        .build(issuerPrivateKey);
         crlBuilder.setNextUpdate(nextUpdate);
         X509CRLHolder crl = crlBuilder.build(signer);
         return crl.getEncoded();
diff --git a/sign/src/test/java/com/itextpdf/signatures/testutils/client/TestCrlClient.java b/sign/src/test/java/com/itextpdf/signatures/testutils/client/TestCrlClient.java
@@ -46,36 +46,46 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.exceptions.PdfException;
 import com.itextpdf.signatures.ICrlClient;
 import com.itextpdf.signatures.testutils.builder.TestCrlBuilder;
+
 import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+import java.util.stream.Collectors;
 
 public class TestCrlClient implements ICrlClient {
 
-    private final TestCrlBuilder crlBuilder;
-    private final PrivateKey caPrivateKey;
+    private final List<TestCrlBuilder> crlBuilders;
+
+    public TestCrlClient() {
+        crlBuilders = new ArrayList<>();
+    }
 
-    public TestCrlClient(TestCrlBuilder crlBuilder, PrivateKey caPrivateKey) {
-        this.crlBuilder = crlBuilder;
-        this.caPrivateKey = caPrivateKey;
+    public TestCrlClient addBuilderForCertIssuer(TestCrlBuilder crlBuilder) {
+        crlBuilders.add(crlBuilder);
+        return this;
     }
 
-    public TestCrlClient(X509Certificate caCert, PrivateKey caPrivateKey) throws CertificateEncodingException {
-        this.crlBuilder = new TestCrlBuilder(caCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
-        this.caPrivateKey = caPrivateKey;
+    public TestCrlClient addBuilderForCertIssuer(X509Certificate issuerCert, PrivateKey issuerPrivateKey)
+            throws CertificateEncodingException {
+        Date yesterday = DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1);
+        crlBuilders.add(new TestCrlBuilder(issuerCert, issuerPrivateKey, yesterday));
+        return this;
     }
 
     @Override
     public Collection<byte[]> getEncoded(X509Certificate checkCert, String url) {
-        Collection<byte[]> crls = null;
-        try {
-            byte[] crl = crlBuilder.makeCrl(caPrivateKey);
-            crls = Collections.singletonList(crl);
-        } catch (Exception ignore) {
-            throw new PdfException(ignore);
-        }
-        return crls;
+        return crlBuilders.stream()
+                .map(testCrlBuilder -> {
+                    try {
+                        return testCrlBuilder.makeCrl();
+                    } catch (Exception ignore) {
+                        throw new PdfException(ignore);
+                    }
+                })
+                .collect(Collectors.toList());
     }
 }
diff --git a/sign/src/test/java/com/itextpdf/signatures/verify/CertificateVerificationClassTest.java b/sign/src/test/java/com/itextpdf/signatures/verify/CertificateVerificationClassTest.java
@@ -94,6 +94,7 @@ public class CertificateVerificationClassTest extends ExtendedITextTest {
 
     // Such messageTemplate is equal to any log message. This is required for porting reasons.
     private static final String ANY_LOG_MESSAGE = "{0}";
+    private static final int COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME = -1;
 
     private static final String CERTS_SRC = "./src/test/resources/com/itextpdf/signatures/certs/";
     private static final char[] PASSWORD = "testpass".toCharArray();
@@ -178,28 +179,30 @@ public void unsupportedCriticalExtensionTest()
     public void clrWithGivenCertificateTest()
             throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException,
             UnrecoverableKeyException, CRLException {
-        final int COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME = -1;
+
         final String caCertFileName = CERTS_SRC + "rootRsa.p12";
         X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertFileName, PASSWORD)[0];
-        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert,
-                DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
-                        COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME));
+        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertFileName, PASSWORD, PASSWORD);
 
         final String checkCertFileName = CERTS_SRC + "signCertRsa01.p12";
         X509Certificate checkCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(checkCertFileName, PASSWORD)[0];
-        TestCrlBuilder crlForCheckBuilder = new TestCrlBuilder(caCert,
+
+        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey,
                 DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
                         COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME));
         crlBuilder.addCrlEntry(caCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
                         COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME),
                 CRLReason.keyCompromise);
+
+        TestCrlBuilder crlForCheckBuilder = new TestCrlBuilder(caCert, caPrivateKey,
+                DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
+                        COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME));
         crlForCheckBuilder.addCrlEntry(checkCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
                         COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME),
                 CRLReason.keyCompromise);
 
-        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertFileName, PASSWORD, PASSWORD);
-        TestCrlClient crlClient = new TestCrlClient(crlBuilder, caPrivateKey);
-        TestCrlClient crlForCheckClient = new TestCrlClient(crlForCheckBuilder, caPrivateKey);
+        TestCrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(crlBuilder);
+        TestCrlClient crlForCheckClient = new TestCrlClient().addBuilderForCertIssuer(crlForCheckBuilder);
 
         Collection<byte[]> crlBytesForRootCertCollection = crlClient.getEncoded(caCert, null);
         Collection<byte[]> crlBytesForCheckCertCollection = crlForCheckClient.getEncoded(checkCert, null);
@@ -239,12 +242,13 @@ public void validCertWithCrlDoesNotContainCertTest()
         final String certForAddingToCrlName = CERTS_SRC + "signCertRsa01.p12";
         X509Certificate certForCrl = (X509Certificate) Pkcs12FileHelper.readFirstChain(certForAddingToCrlName,
                 PASSWORD)[0];
-        TestCrlBuilder crlForCheckBuilder = new TestCrlBuilder(certForCrl,
+        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(certForAddingToCrlName, PASSWORD, PASSWORD);
+
+        TestCrlBuilder crlForCheckBuilder = new TestCrlBuilder(certForCrl, caPrivateKey,
                 DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(),
                         COUNTER_TO_MAKE_CRL_AVAILABLE_AT_THE_CURRENT_TIME));
 
-        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(rootCertFileName, PASSWORD, PASSWORD);
-        TestCrlClient crlClient = new TestCrlClient(crlForCheckBuilder, caPrivateKey);
+        TestCrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(crlForCheckBuilder);
 
         Collection<byte[]> crlBytesForRootCertCollection = crlClient.getEncoded(certForCrl, null);
 
diff --git a/sign/src/test/java/com/itextpdf/signatures/verify/CrlVerifierTest.java b/sign/src/test/java/com/itextpdf/signatures/verify/CrlVerifierTest.java
@@ -79,15 +79,19 @@ public static void before() {
 
     @Test
     public void validCrl01() throws GeneralSecurityException, IOException {
-        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(certsSrc + "rootRsa.p12", password)[0];
-        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
+        String caCertP12FileName = certsSrc + "rootRsa.p12";
+        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertP12FileName, password)[0];
+        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertP12FileName, password, password);
+        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
         Assert.assertTrue(verifyTest(crlBuilder));
     }
 
     @Test
     public void invalidRevokedCrl01() throws GeneralSecurityException, IOException {
-        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(certsSrc + "rootRsa.p12", password)[0];
-        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
+        String caCertP12FileName = certsSrc + "rootRsa.p12";
+        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertP12FileName, password)[0];
+        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertP12FileName, password, password);
+        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
 
         String checkCertFileName = certsSrc + "signCertRsa01.p12";
         X509Certificate checkCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(checkCertFileName, password)[0];
@@ -98,8 +102,10 @@ public void invalidRevokedCrl01() throws GeneralSecurityException, IOException {
 
     @Test
     public void invalidOutdatedCrl01() throws GeneralSecurityException, IOException {
-        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(certsSrc + "rootRsa.p12", password)[0];
-        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -2));
+        String caCertP12FileName = certsSrc + "rootRsa.p12";
+        X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertP12FileName, password)[0];
+        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertP12FileName, password, password);
+        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -2));
         crlBuilder.setNextUpdate(DateTimeUtil.addDaysToDate(DateTimeUtil.getCurrentTimeDate(), -1));
 
         Assert.assertFalse(verifyTest(crlBuilder));
@@ -108,12 +114,11 @@ public void invalidOutdatedCrl01() throws GeneralSecurityException, IOException
     private boolean verifyTest(TestCrlBuilder crlBuilder) throws GeneralSecurityException, IOException {
         String caCertFileName = certsSrc + "rootRsa.p12";
         X509Certificate caCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(caCertFileName, password)[0];
-        PrivateKey caPrivateKey = Pkcs12FileHelper.readFirstKey(caCertFileName, password, password);
         String checkCertFileName = certsSrc + "signCertRsa01.p12";
         X509Certificate checkCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(checkCertFileName, password)[0];
 
 
-        TestCrlClient crlClient = new TestCrlClient(crlBuilder, caPrivateKey);
+        TestCrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(crlBuilder);
         Collection<byte[]> crlBytesCollection = crlClient.getEncoded(checkCert, null);
 
         boolean verify = false;
diff --git a/sign/src/test/resources/com/itextpdf/signatures/sign/LtvSigTest/cmp_ltvEnabledSingleSignatureNoCrlDataTest.pdf b/sign/src/test/resources/com/itextpdf/signatures/sign/LtvSigTest/cmp_ltvEnabledSingleSignatureNoCrlDataTest.pdf
diff --git a/sign/src/test/resources/com/itextpdf/signatures/sign/LtvSigTest/cmp_ltvEnabledSingleSignatureNoOcspDataTest.pdf b/sign/src/test/resources/com/itextpdf/signatures/sign/LtvSigTest/cmp_ltvEnabledSingleSignatureNoOcspDataTest.pdf
