Update bouncy castle fips to version 2.0.0

DEVSIX-8589

Author: vitali-pr

bouncy-castle-fips-adapter/pom.xml

@@ -14,8 +14,8 @@
   <url>https://itextpdf.com/</url>
 
   <properties>
-    <bouncycastleFips.version>1.0.2.4</bouncycastleFips.version>
-    <bouncycastlePkixFips.version>1.0.7</bouncycastlePkixFips.version>
+    <bouncycastleFips.version>2.0.0</bouncycastleFips.version>
+    <bouncycastlePkixFips.version>2.0.7</bouncycastlePkixFips.version>
     <sonar.coverage.exclusions>**/*</sonar.coverage.exclusions>
     <sonar.cpd.exclusions>**/*</sonar.cpd.exclusions>
   </properties>

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java

@@ -280,8 +280,6 @@ This file is part of the iText (R) project.
 import org.bouncycastle.asn1.ASN1UTCTime;
 import org.bouncycastle.asn1.DERIA5String;
 import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.DEROutputStream;
-import org.bouncycastle.asn1.DLOutputStream;
 import org.bouncycastle.asn1.cms.Attribute;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.esf.SigPolicyQualifierInfo;
@@ -613,12 +611,7 @@ public IASN1OutputStream createASN1OutputStream(OutputStream stream) {
      */
     @Override
     public IASN1OutputStream createASN1OutputStream(OutputStream outputStream, String asn1Encoding) {
-        if ("DER".equals(asn1Encoding)) {
-            return new ASN1OutputStreamBCFips(new DEROutputStream(outputStream));
-        } else {
-            return new ASN1OutputStreamBCFips("DL".equals(asn1Encoding) ? new DLOutputStream(outputStream)
-                    : new ASN1OutputStream(outputStream));
-        }
+        return new ASN1OutputStreamBCFips(ASN1OutputStream.create(outputStream, asn1Encoding));
     }
 
     /**

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsTestConstantsFactory.java

@@ -32,6 +32,6 @@ class BouncyCastleFipsTestConstantsFactory implements IBouncyCastleTestConstants
 
     @Override
     public String getCertificateInfoTestConst() {
-        return "DEF length 8 object truncated by 4";
+        return "corrupted stream - out of bounds length found: 8 >= 6";
     }
 }

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/asn1/ASN1OutputStreamBCFips.java

@@ -42,7 +42,7 @@ public class ASN1OutputStreamBCFips implements IASN1OutputStream {
      * @param stream OutputStream to create {@link ASN1OutputStream} to be wrapped
      */
     public ASN1OutputStreamBCFips(OutputStream stream) {
-        this.stream = new ASN1OutputStream(stream);
+        this.stream = ASN1OutputStream.create(stream);
     }
 
     /**

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/tsp/TimeStampRequestGeneratorBCFips.java

@@ -29,6 +29,7 @@ This file is part of the iText (R) project.
 
 import java.math.BigInteger;
 import java.util.Objects;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.tsp.TimeStampRequestGenerator;
 
 /**
@@ -68,7 +69,7 @@ public void setCertReq(boolean var1) {
      */
     @Override
     public void setReqPolicy(String reqPolicy) {
-        requestGenerator.setReqPolicy(reqPolicy);
+        requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(reqPolicy));
     }
 
     /**

sharpenConfiguration.xml

@@ -223,6 +223,7 @@
                 <file path="com/itextpdf/bouncycastle/tsp/TimeStampTokenGeneratorBC.java"/>
                 <file path="com/itextpdf/bouncycastle/tsp/TimeStampTokenBC.java"/>
                 <file path="com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java"/>
+                <file path="com/itextpdf/bouncycastlefips/BouncyCastleFipsTestConstantsFactory.java"/>
                 <file path="com/itextpdf/bouncycastlefips/asn1/ASN1IntegerBCFips.java"/>
                 <file path="com/itextpdf/bouncycastlefips/asn1/ASN1OctetStringBCFips.java"/>
                 <file path="com/itextpdf/bouncycastlefips/asn1/ASN1SequenceBCFips.java"/>

sign/src/test/java/com/itextpdf/signatures/DigestAlgorithmsManualTest.java

@@ -22,7 +22,10 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures;
 
+import com.itextpdf.signatures.logs.SignLogMessageConstant;
 import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.LogMessage;
+import com.itextpdf.test.annotations.LogMessages;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -32,7 +35,7 @@ This file is part of the iText (R) project.
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.Tag;
 
-@Tag("UnitTest")
+@Tag("BouncyCastleUnitTest")
 public class DigestAlgorithmsManualTest extends ExtendedITextTest {
 
     @Test
@@ -54,4 +57,13 @@ public void digestSHA256SUNTest() throws GeneralSecurityException, IOException {
                         119, -42, -59, -31, 121, -87, -82, -45, 119, 61, 92, 110, -99, 105, 4, 97, 12, 127, -62};
         Assertions.assertArrayEquals(expected, hash);
     }
+
+    @LogMessages(messages = {
+            @LogMessage(messageTemplate = SignLogMessageConstant.ALGORITHM_NOT_FROM_SPEC, ignore = true)})
+    @Test
+    public void notAllowedNameGetAllowedDigestTest() {
+        String name = "SM3";
+        String oid = "1.2.156.10197.1.401";
+        Assertions.assertEquals(oid, DigestAlgorithms.getAllowedDigest(name));
+    }
 }

sign/src/test/java/com/itextpdf/signatures/DigestAlgorithmsTest.java

@@ -80,13 +80,4 @@ public void notAllowedOidGetDigestTest() {
         String oid = "1.2.156.10197.1.401";
         Assertions.assertEquals(FIPS_MODE ? oid : name, DigestAlgorithms.getDigest(oid));
     }
-
-    @LogMessages(messages = {
-            @LogMessage(messageTemplate = SignLogMessageConstant.ALGORITHM_NOT_FROM_SPEC, ignore = true)})
-    @Test
-    public void notAllowedNameGetAllowedDigestTest() {
-        String name = "SM3";
-        String oid = "1.2.156.10197.1.401";
-        Assertions.assertEquals(FIPS_MODE ? null : oid, DigestAlgorithms.getAllowedDigest(name));
-    }
 }

sign/src/test/java/com/itextpdf/signatures/PdfPKCS7ManuallyPortedTest.java

@@ -66,4 +66,14 @@ public void verifyRsaPssSha3SignatureTest() throws IOException, GeneralSecurityE
         verifyIsoExtensionExample("RSASSA-PSS", "sample-pss-sha3_256.pdf");
     }
 
+    @Test
+    public void verifyEd448SignatureTest() throws IOException, GeneralSecurityException {
+        // Ed448 is not available in BCFIPS approved mode
+        if (BOUNCY_CASTLE_FACTORY.isInApprovedOnlyMode()) {
+            Assertions.assertThrows(PdfException.class,
+                    () -> verifyIsoExtensionExample("Ed448", "sample-ed448-shake256.pdf"));
+        } else {
+            verifyIsoExtensionExample("Ed448", "sample-ed448-shake256.pdf");
+        }
+    }
 }

sign/src/test/java/com/itextpdf/signatures/PdfPKCS7Test.java

@@ -348,17 +348,6 @@ public void getEncodedPkcs7WithRevocationInfoTest() throws NoSuchAlgorithmExcept
         Assertions.assertEquals(serializedAsString(bytes), serializedAsString(cmpBytes));
     }
 
-    @Test
-    public void verifyEd448SignatureTest() throws IOException, GeneralSecurityException {
-        // SHAKE256 is not available in BCFIPS
-        if ("BCFIPS".equals(BOUNCY_CASTLE_FACTORY.getProviderName())) {
-            Assertions.assertThrows(PdfException.class,
-                    () -> verifyIsoExtensionExample("Ed448", "sample-ed448-shake256.pdf"));
-        } else {
-            verifyIsoExtensionExample("Ed448", "sample-ed448-shake256.pdf");
-        }
-    }
-
     @Test
     public void verifyNistECDSASha2SignatureTest() throws IOException, GeneralSecurityException {
         verifyIsoExtensionExample("SHA256withECDSA", "sample-nistp256-sha256.pdf");