Cover CertificateVerification#verifyTimestampCertificates with tests

Eugene Bochilo · Eugene Bochilo · commit 22758a9a14a1 · 2021-11-29T15:35:40.000+03:00
DEVSIX-6100
diff --git a/sign/src/main/java/com/itextpdf/signatures/CertificateVerification.java b/sign/src/main/java/com/itextpdf/signatures/CertificateVerification.java
@@ -64,7 +64,6 @@ This file is part of the iText (R) project.
  */
 public class CertificateVerification {
 
-
     /**
      * The Logger instance.
      */
@@ -244,16 +243,14 @@ public static boolean verifyTimestampCertificates(TimeStampToken ts, KeyStore ke
         try {
             for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
                 try {
-
                     SignUtils.isSignatureValid(ts, certStoreX509, provider);
                     return true;
                 } catch (Exception ex) {
                     exceptionsThrown.add(ex);
-
                 }
             }
         } catch (Exception e) {
-            exceptionsThrown.add(e);
+            LOGGER.error("Unexpected exception was thrown during keystore processing", e);
         }
 
         for (Exception ex : exceptionsThrown) {
diff --git a/sign/src/test/java/com/itextpdf/signatures/verify/CertificateVerificationClassTest.java b/sign/src/test/java/com/itextpdf/signatures/verify/CertificateVerificationClassTest.java
@@ -44,6 +44,9 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.signatures.CertificateVerification;
 import com.itextpdf.signatures.VerificationException;
+import com.itextpdf.signatures.testutils.client.TestTsaClient;
+import com.itextpdf.test.annotations.LogMessage;
+import com.itextpdf.test.annotations.LogMessages;
 import com.itextpdf.test.signutils.Pkcs12FileHelper;
 import com.itextpdf.test.ExtendedITextTest;
 import com.itextpdf.test.ITextTest;
@@ -53,12 +56,17 @@ This file is part of the iText (R) project.
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
 import java.security.Security;
-import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.util.Arrays;
 import java.util.List;
+
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.tsp.TimeStampToken;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
@@ -92,4 +100,45 @@ public void validCertificateChain01() throws CertificateException, NoSuchAlgorit
 
         Assert.assertTrue(verificationExceptions.isEmpty());
     }
+
+    @Test
+    public void timestampCertificateAndKeyStoreCorrespondTest() throws Exception {
+        String tsaCertFileName = certsSrc + "tsCertRsa.p12";
+
+        KeyStore caKeyStore = Pkcs12FileHelper.initStore(tsaCertFileName, password);
+
+        Assert.assertTrue(verifyTimestampCertificates(tsaCertFileName, caKeyStore));
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = "certificate hash does not match certID hash."))
+    public void timestampCertificateAndKeyStoreDoNotCorrespondTest() throws Exception {
+        String tsaCertFileName = certsSrc + "tsCertRsa.p12";
+        String notTsaCertFileName = certsSrc + "rootRsa.p12";
+
+        KeyStore caKeyStore = Pkcs12FileHelper.initStore(notTsaCertFileName, password);
+
+        Assert.assertFalse(verifyTimestampCertificates(tsaCertFileName, caKeyStore));
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = "Unexpected exception was thrown during keystore processing"))
+    public void keyStoreWithoutCertificatesTest() throws Exception {
+        String tsaCertFileName = certsSrc + "tsCertRsa.p12";
+
+        Assert.assertFalse(verifyTimestampCertificates(tsaCertFileName, null));
+    }
+
+    private static boolean verifyTimestampCertificates(String tsaClientCertificate, KeyStore caKeyStore) throws Exception {
+        Certificate[] tsaChain = Pkcs12FileHelper.readFirstChain(tsaClientCertificate, password);
+        PrivateKey tsaPrivateKey = Pkcs12FileHelper.readFirstKey(tsaClientCertificate, password, password);
+
+        TestTsaClient testTsaClient = new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
+
+        byte[] tsaCertificateBytes = testTsaClient.getTimeStampToken(testTsaClient.getMessageDigest().digest());
+        TimeStampToken timeStampToken = new TimeStampToken(
+                ContentInfo.getInstance(ASN1Sequence.getInstance(tsaCertificateBytes)));
+
+        return CertificateVerification.verifyTimestampCertificates(timeStampToken, caKeyStore, null);
+    }
 }
