Determine the default digest algorithm based on the signature algorithm in PdfPadesSigner

DEVSIX-7961

Author: AnhelinaM

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/openssl/PEMParserBC.java

@@ -22,12 +22,15 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.bouncycastle.openssl;
 
+import com.itextpdf.bouncycastle.asn1.pcks.PrivateKeyInfoBC;
 import com.itextpdf.bouncycastle.cert.X509CertificateHolderBC;
 import com.itextpdf.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfoBC;
 import com.itextpdf.commons.bouncycastle.openssl.IPEMParser;
 
 import java.io.IOException;
 import java.util.Objects;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
@@ -68,6 +71,9 @@ public Object readObject() throws IOException {
         if (readObject instanceof PKCS8EncryptedPrivateKeyInfo) {
             return new PKCS8EncryptedPrivateKeyInfoBC((PKCS8EncryptedPrivateKeyInfo) readObject);
         }
+        if (readObject instanceof PrivateKeyInfo) {
+            return new PrivateKeyInfoBC((PrivateKeyInfo) readObject);
+        }
         return readObject;
     }
 

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/openssl/PEMParserBCFips.java

@@ -22,12 +22,15 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.bouncycastlefips.openssl;
 
+import com.itextpdf.bouncycastlefips.asn1.pcks.PrivateKeyInfoBCFips;
 import com.itextpdf.bouncycastlefips.cert.X509CertificateHolderBCFips;
 import com.itextpdf.bouncycastlefips.pkcs.PKCS8EncryptedPrivateKeyInfoBCFips;
 import com.itextpdf.commons.bouncycastle.openssl.IPEMParser;
 
 import java.io.IOException;
 import java.util.Objects;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
@@ -68,6 +71,9 @@ public Object readObject() throws IOException {
         if (readObject instanceof PKCS8EncryptedPrivateKeyInfo) {
             return new PKCS8EncryptedPrivateKeyInfoBCFips((PKCS8EncryptedPrivateKeyInfo) readObject);
         }
+        if (readObject instanceof PrivateKeyInfo) {
+            return new PrivateKeyInfoBCFips((PrivateKeyInfo) readObject);
+        }
         return readObject;
     }
 

sign/src/main/java/com/itextpdf/signatures/PdfPadesSigner.java

@@ -117,7 +117,7 @@ public void signWithBaselineBProfile(SignerProperties signerProperties, Certific
     public void signWithBaselineBProfile(SignerProperties signerProperties, Certificate[] chain, PrivateKey privateKey)
             throws GeneralSecurityException, IOException {
         IExternalSignature externalSignature =
-                new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM, FACTORY.getProviderName());
+                new PrivateKeySignature(privateKey, getDigestAlgorithm(privateKey), FACTORY.getProviderName());
         signWithBaselineBProfile(signerProperties, chain, externalSignature);
     }
 
@@ -151,7 +151,7 @@ public void signWithBaselineTProfile(SignerProperties signerProperties, Certific
     public void signWithBaselineTProfile(SignerProperties signerProperties, Certificate[] chain, PrivateKey privateKey,
             ITSAClient tsaClient) throws GeneralSecurityException, IOException {
         IExternalSignature externalSignature =
-                new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM, FACTORY.getProviderName());
+                new PrivateKeySignature(privateKey, getDigestAlgorithm(privateKey), FACTORY.getProviderName());
         signWithBaselineTProfile(signerProperties, chain, externalSignature, tsaClient);
     }
 
@@ -196,7 +196,7 @@ public void signWithBaselineLTProfile(SignerProperties signerProperties, Certifi
     public void signWithBaselineLTProfile(SignerProperties signerProperties, Certificate[] chain, PrivateKey privateKey,
             ITSAClient tsaClient) throws GeneralSecurityException, IOException {
         IExternalSignature externalSignature =
-                new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM, FACTORY.getProviderName());
+                new PrivateKeySignature(privateKey, getDigestAlgorithm(privateKey), FACTORY.getProviderName());
         signWithBaselineLTProfile(signerProperties, chain, externalSignature, tsaClient);
     }
 
@@ -242,7 +242,7 @@ public void signWithBaselineLTAProfile(SignerProperties signerProperties, Certif
     public void signWithBaselineLTAProfile(SignerProperties signerProperties, Certificate[] chain,
             PrivateKey privateKey, ITSAClient tsaClient) throws GeneralSecurityException, IOException {
         IExternalSignature externalSignature =
-                new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM, FACTORY.getProviderName());
+                new PrivateKeySignature(privateKey, getDigestAlgorithm(privateKey), FACTORY.getProviderName());
         signWithBaselineLTAProfile(signerProperties, chain, externalSignature, tsaClient);
     }
 
@@ -515,4 +515,16 @@ private void createRevocationClients(Certificate signingCert, boolean clientsReq
             ocspClient = new OcspClientBouncyCastle(null);
         }
     }
+
+    private String getDigestAlgorithm(PrivateKey privateKey) {
+        String signatureAlgorithm = SignUtils.getPrivateKeyAlgorithm(privateKey);
+        switch (signatureAlgorithm) {
+            case "Ed25519":
+                return DigestAlgorithms.SHA512;
+            case "Ed448":
+                return DigestAlgorithms.SHAKE256;
+            default:
+                return DEFAULT_DIGEST_ALGORITHM;
+        }
+    }
 }

sign/src/main/java/com/itextpdf/signatures/PrivateKeySignature.java

@@ -27,7 +27,6 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
 
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.Signature;
 

sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesSignerTest.java

@@ -32,7 +32,6 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.exceptions.PdfException;
 import com.itextpdf.kernel.geom.Rectangle;
 import com.itextpdf.kernel.pdf.PdfReader;
-import com.itextpdf.kernel.pdf.StampingProperties;
 import com.itextpdf.signatures.*;
 import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
 import com.itextpdf.signatures.testutils.PemFileHelper;
@@ -41,22 +40,24 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.testutils.client.TestOcspClient;
 import com.itextpdf.signatures.testutils.client.TestTsaClient;
 import com.itextpdf.test.ExtendedITextTest;
-import com.itextpdf.test.annotations.type.IntegrationTest;
+import com.itextpdf.test.annotations.type.BouncyCastleIntegrationTest;
+import org.junit.Assert;
+import org.junit.Assume;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
 
-@Category(IntegrationTest.class)
+@Category(BouncyCastleIntegrationTest.class)
 public class PdfPadesSignerTest extends ExtendedITextTest {
     private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
 
@@ -65,6 +66,8 @@ public class PdfPadesSignerTest extends ExtendedITextTest {
     private static final String destinationFolder = "./target/test/com/itextpdf/signatures/sign/PdfPadesSignerTest/";
     private static final char[] password = "testpassphrase".toCharArray();
 
+    private static final boolean FIPS_MODE = "BCFIPS".equals(FACTORY.getProviderName());
+
     @BeforeClass
     public static void before() {
         Security.addProvider(FACTORY.getProvider());
@@ -106,7 +109,7 @@ public void directoryPathIsNotADirectoryTest()
         Assert.assertEquals(MessageFormatUtil.format(SignExceptionMessageConstant.PATH_IS_NOT_DIRECTORY,
                 destinationFolder + "newPdf.pdf"), exception.getMessage());
     }
-    
+
     @Test
     public void noSignaturesToProlongTest()
             throws CertificateException, IOException, AbstractOperatorCreationException, AbstractPKCSException {
@@ -132,7 +135,7 @@ public void noSignaturesToProlongTest()
                 () -> padesSigner.prolongSignatures(testTsa));
         Assert.assertEquals(SignExceptionMessageConstant.NO_SIGNATURES_TO_PROLONG, exception.getMessage());
     }
-    
+
     @Test
     public void defaultClientsCannotBeCreated()
             throws IOException, AbstractOperatorCreationException, AbstractPKCSException, CertificateException {
@@ -189,7 +192,7 @@ public void defaultSignerPropertiesTest()
         TestTsaClient testTsa = new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
         ICrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
         TestOcspClient ocspClient = new TestOcspClient().addBuilderForCertIssuer(caCert, caPrivateKey);
-        
+
         padesSigner.setOcspClient(ocspClient).setCrlClient(crlClient);
 
         padesSigner.signWithBaselineLTAProfile(signerProperties, signRsaChain, pks, testTsa);
@@ -237,7 +240,53 @@ public int getTokenSizeEstimate() {
         Assert.assertEquals(MessageFormatUtil.format(
                 SignExceptionMessageConstant.TOKEN_ESTIMATION_SIZE_IS_NOT_LARGE_ENOUGH, 1024, 2780), e.getMessage());
     }
-    
+
+    @Test
+    public void padesSignatureEd25519Test()
+            throws IOException, GeneralSecurityException, AbstractOperatorCreationException, AbstractPKCSException {
+        Assume.assumeFalse(FACTORY.isInApprovedOnlyMode());
+        String fileName = "padesSignatureEd25519Test.pdf";
+        String outFileName = destinationFolder + fileName;
+        String cmpFileName = sourceFolder + "cmp_" + fileName;
+        String srcFileName = sourceFolder + "helloWorldDoc.pdf";
+        String signCertFileName = certsSrc + "signCertEd25519.pem";
+
+        Certificate[] signEdDSAChain = PemFileHelper.readFirstChain(signCertFileName);
+        PrivateKey signEdDSAPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
+
+        SignerProperties signerProperties = createSignerProperties();
+        PdfPadesSigner padesSigner = createPdfPadesSigner(srcFileName, outFileName);
+        padesSigner.signWithBaselineBProfile(signerProperties, signEdDSAChain, signEdDSAPrivateKey);
+        TestSignUtils.basicCheckSignedDoc(outFileName, "Signature1");
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void padesSignatureEd448Test()
+            throws IOException, GeneralSecurityException, AbstractOperatorCreationException, AbstractPKCSException {
+        Assume.assumeFalse(FACTORY.isInApprovedOnlyMode());
+        String fileName = "padesSignatureEd448Test.pdf";
+        String outFileName = destinationFolder + fileName;
+        String cmpFileName = sourceFolder + "cmp_" + fileName;
+        String srcFileName = sourceFolder + "helloWorldDoc.pdf";
+        String signCertFileName = certsSrc + "signCertEd448.pem";
+
+        Certificate[] signEdDSAChain = PemFileHelper.readFirstChain(signCertFileName);
+        PrivateKey signEdDSAPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
+
+        SignerProperties signerProperties = createSignerProperties();
+        PdfPadesSigner padesSigner = createPdfPadesSigner(srcFileName, outFileName);
+        if (FIPS_MODE) {
+            // SHAKE256 is currently not supported in BCFIPS
+            Exception exception = Assert.assertThrows(NoSuchAlgorithmException.class,
+                    () -> padesSigner.signWithBaselineBProfile(signerProperties, signEdDSAChain, signEdDSAPrivateKey));
+        } else {
+            padesSigner.signWithBaselineBProfile(signerProperties, signEdDSAChain, signEdDSAPrivateKey);
+            TestSignUtils.basicCheckSignedDoc(outFileName, "Signature1");
+            Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+        }
+    }
+
     private SignerProperties createSignerProperties() {
         SignerProperties signerProperties = new SignerProperties();
         signerProperties.setFieldName("Signature1");

sign/src/test/java/com/itextpdf/signatures/testutils/PemFileHelper.java

@@ -24,6 +24,7 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
 import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.asn1.pkcs.IPrivateKeyInfo;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 import com.itextpdf.commons.bouncycastle.cert.jcajce.IJcaX509CertificateConverter;
 import com.itextpdf.commons.bouncycastle.openssl.IPEMParser;
@@ -67,12 +68,17 @@ public static Certificate[] readFirstChain(String pemFileName) throws IOExceptio
 
     public static PrivateKey readFirstKey(String pemFileName, char[] keyPass)
             throws IOException, AbstractOperatorCreationException, AbstractPKCSException {
-        IPKCS8EncryptedPrivateKeyInfo key = readPrivateKey(pemFileName);
-        if (key != null) {
+        IPKCS8EncryptedPrivateKeyInfo pkcs8Key = readPkcs8PrivateKey(pemFileName);
+        if (pkcs8Key != null) {
             IInputDecryptorProvider decProv = FACTORY.createJceOpenSSLPKCS8DecryptorProviderBuilder()
                     .setProvider(FACTORY.getProvider()).build(keyPass);
             IJcaPEMKeyConverter keyConverter = FACTORY.createJcaPEMKeyConverter().setProvider(FACTORY.getProvider());
-            return keyConverter.getPrivateKey(key.decryptPrivateKeyInfo(decProv));
+            return keyConverter.getPrivateKey(pkcs8Key.decryptPrivateKeyInfo(decProv));
+        }
+        IPrivateKeyInfo key = readPrivateKey(pemFileName);
+        if (key != null) {
+            IJcaPEMKeyConverter keyConverter = FACTORY.createJcaPEMKeyConverter().setProvider(FACTORY.getProvider());
+            return keyConverter.getPrivateKey(key);
         }
         return null;
     }
@@ -105,7 +111,7 @@ private static List<IX509CertificateHolder> readCertificates(String pemFileName)
         }
     }
 
-    private static IPKCS8EncryptedPrivateKeyInfo readPrivateKey(String pemFileName) throws IOException {
+    private static IPKCS8EncryptedPrivateKeyInfo readPkcs8PrivateKey(String pemFileName) throws IOException {
         try (IPEMParser parser = FACTORY.createPEMParser(new FileReader(pemFileName))) {
             Object readObject = parser.readObject();
             while (!(readObject instanceof IPKCS8EncryptedPrivateKeyInfo) && readObject != null) {
@@ -114,4 +120,14 @@ private static IPKCS8EncryptedPrivateKeyInfo readPrivateKey(String pemFileName)
             return (IPKCS8EncryptedPrivateKeyInfo) readObject;
         }
     }
+
+    private static IPrivateKeyInfo readPrivateKey(String pemFileName) throws IOException {
+        try (IPEMParser parser = FACTORY.createPEMParser(new FileReader(pemFileName))) {
+            Object readObject = parser.readObject();
+            while (!(readObject instanceof IPrivateKeyInfo) && readObject != null) {
+                readObject = parser.readObject();
+            }
+            return (IPrivateKeyInfo) readObject;
+        }
+    }
 }

sign/src/test/resources/com/itextpdf/signatures/certs/signCertEd25519.pem

@@ -0,0 +1,11 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPIdKJtjErGrsgpBaM04RZa49tMWLFrKDt6fVoGDxdtZ
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBCDCBuwIUGX/b5h/jmeMPJ11mVZgEfizZc1wwBQYDK2VwMCcxCzAJBgNVBAYT
+AkJFMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMjMxMjA2MTQyNzQwWhcN
+NDMwMjA0MTQyNzQwWjAnMQswCQYDVQQGEwJCRTEYMBYGA1UEAwwPd3d3LmV4YW1w
+bGUuY29tMCowBQYDK2VwAyEAZUXx5GDu4xyo6UKEOqPaxTyna6LGoUswH2ShmyO/
+uJswBQYDK2VwA0EAV1xEcFJunwRzH9ufTGAJ362AbadF5N+hIYd5wxKES8EOkY/2
+TsMbipY6uQLQJP2alusxc5+2varXxskpNGAuDQ==
+-----END CERTIFICATE-----

sign/src/test/resources/com/itextpdf/signatures/certs/signCertEd448.pem

@@ -0,0 +1,14 @@
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOfrKlMzLC2KFud/xAxCCT9N8y2mPl8pKyUM3nT3uWYBK
+MwG7PWEKk2jVgxLBIjdRATaMFG7SrZJHQQ==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBUzCB1AIUZ3HGGxCugYIeKkQjLrCVG90vhqkwBQYDK2VxMCcxCzAJBgNVBAYT
+AkJFMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMjMxMjA2MTQ0NzE4WhcN
+NDMwMjA0MTQ0NzE4WjAnMQswCQYDVQQGEwJCRTEYMBYGA1UEAwwPd3d3LmV4YW1w
+bGUuY29tMEMwBQYDK2VxAzoAO12xP2xDv+3i6DrOUiLkKk4AYf4limP3IstJejo/
+IcL31H7oRZvtNrDlkpdjTmfgmX06KicNVBcAMAUGAytlcQNzALdSj5VltGHj/2OY
+lXLeHnwe//gUpEQQBMX+u5MHxBWApGvz1R2yrJ/NASvcQW0703M9KDGD7VY+gAYn
+mnPXaXL1RO8mcVpz29/hak6sFEVTFHvoo6NjlAXEjYtkbraf3jCIk77t9KD5oRi1
+T25XxGUUAA==
+-----END CERTIFICATE-----