Create and embed MAC token while signing the documents

DEVSIX-8606

Author: Eugene Bochilo

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/asn1/ASN1EncodableVectorBC.java

@@ -121,6 +121,14 @@ public void addOptional(IAlgorithmIdentifier element) {
         }
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public int size() {
+        return encodableVector.size();
+    }
+
     /**
      * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
      */

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/asn1/ASN1EncodableVectorBCFips.java

@@ -120,6 +120,14 @@ public void addOptional(IAlgorithmIdentifier element) {
         }
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public int size() {
+        return encodableVector.size();
+    }
+
     /**
      * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
      */

commons/src/main/java/com/itextpdf/commons/bouncycastle/asn1/IASN1EncodableVector.java

@@ -71,4 +71,11 @@ public interface IASN1EncodableVector {
      * @param element AlgorithmIdentifier wrapper.
      */
     void addOptional(IAlgorithmIdentifier element);
+
+    /**
+     * Calls actual {@code size} method for the wrapped ASN1EncodableVector object.
+     *
+     * @return {@code int} representing current vector size
+     */
+    int size();
 }

kernel/src/main/java/com/itextpdf/kernel/exceptions/KernelExceptionMessageConstant.java

@@ -268,11 +268,19 @@ public final class KernelExceptionMessageConstant {
     public static final String LZW_DECODER_EXCEPTION = "LZW decoder exception.";
     public static final String LZW_FLAVOUR_NOT_SUPPORTED = "LZW flavour not supported.";
     public static final String MAC_ALGORITHM_NOT_SUPPORTED = "This MAC algorithm is not supported.";
+    public static final String MAC_ATTRIBUTE_NOT_SPECIFIED =
+            "Signature doesn't contain unsigned MAC attribute, which is required in \"attached to signature\" mode.";
+    public static final String MAC_EXTRACTION_EXCEPTION =
+            "Exception occurred during signature parsing. It is not possible to extract MAC.";
+    public static final String MAC_LOCATION_NOT_SPECIFIED = "AuthCode dictionary doesn't contain MACLocation entry.";
+    public static final String MAC_NOT_SPECIFIED =
+            "AuthCode dictionary doesn't contain MAC entry, which is required in standalone mode.";
     public static final String MAC_FOR_ENCRYPTION_5 =
             "MAC integrity protection is only supported for encryption algorithms of version 5 or higher.";
     public static final String MAC_FOR_PDF_2 = "MAC integrity protection is only supported for PDF 2.0 or higher.";
     public static final String MAC_PERMS_WITHOUT_MAC = "Permissions bit 13 is set to zero, "
             + "which indicates that MAC integrity protection is enabled. However MAC container wasn't found.";
+    public static final String MAC_VALIDATION_EXCEPTION = "Unexpected exception occurred during MAC token validation.";
     public static final String MAC_VALIDATION_FAILED =
             "MAC integrity protection was compromised. Document content was modified.";
     public static final String MISSING_REQUIRED_FIELD_IN_FONT_DICTIONARY
@@ -337,6 +345,8 @@ public final class KernelExceptionMessageConstant {
     public static final String RESOURCES_DO_NOT_CONTAIN_EXTGSTATE_ENTRY_UNABLE_TO_PROCESS_THIS_OPERATOR = "Resources "
             + "do not contain ExtGState entry. Unable to process operator {0}.";
     public static final String SHADING_TYPE_NOT_FOUND = "Shading type not found.";
+    public static final String SIG_OBJ_REF_NOT_SPECIFIED =
+            "AuthCode dictionary doesn't contain SigObjRef entry, which is required in signature mode.";
     public static final String STDCF_NOT_FOUND_ENCRYPTION = "/StdCF not found (encryption)";
     public static final String STREAM_SHALL_END_WITH_ENDSTREAM = "Stream shall end with endstream keyword.";
     public static final String STRUCT_PARENT_INDEX_NOT_FOUND_IN_TAGGED_OBJECT = "StructParent index not found in "
@@ -387,7 +397,6 @@ public final class KernelExceptionMessageConstant {
             "Unknown ASN1-encoding {0}. Only DER and BER encodings are supported!";
     public static final String UNSUPPORTED_FONT_EMBEDDING_STRATEGY = "Unsupported font embedding strategy.";
     public static final String UNSUPPORTED_XOBJECT_TYPE = "Unsupported XObject type.";
-    public static final String VALIDATION_EXCEPTION = "Unexpected exception occurred during MAC token validation.";
     public static final String WHEN_ADDING_OBJECT_REFERENCE_TO_THE_TAG_TREE_IT_MUST_BE_CONNECTED_TO_NOT_FLUSHED_OBJECT =
             "When adding object reference to the tag tree, it must be connected to not flushed object.";
     public static final String WHITE_POINT_IS_INCORRECTLY_SPECIFIED = "White point is incorrectly specified.";

kernel/src/main/java/com/itextpdf/kernel/mac/MacIntegrityProtector.java renamed to kernel/src/main/java/com/itextpdf/kernel/mac/AbstractMacIntegrityProtector.java

@@ -0,0 +1,37 @@
+package com.itextpdf.kernel.mac;
+
+import com.itextpdf.kernel.pdf.PdfDictionary;
+import com.itextpdf.kernel.pdf.PdfDocument;
+
+/**
+ * Strategy interface, which is responsible for {@link AbstractMacIntegrityProtector} container location.
+ * Expected to be used in {@link com.itextpdf.commons.utils.DIContainer}.
+ */
+public interface IMacContainerLocator {
+    /**
+     * Locates {@link AbstractMacIntegrityProtector} container.
+     *
+     * @param macIntegrityProtector {@link AbstractMacIntegrityProtector} container to be located
+     */
+    void locateMacContainer(AbstractMacIntegrityProtector macIntegrityProtector);
+
+    /**
+     * Creates {@link AbstractMacIntegrityProtector} from explicitly provided MAC properties.
+     *
+     * @param document {@link PdfDocument} for which MAC container shall be created
+     * @param macProperties {@link MacProperties} to be used for MAC container creation
+     *
+     * @return {@link AbstractMacIntegrityProtector} which specific implementation depends on interface implementation.
+     */
+    AbstractMacIntegrityProtector createMacIntegrityProtector(PdfDocument document, MacProperties macProperties);
+
+    /**
+     * Creates {@link AbstractMacIntegrityProtector} from already existing AuthCode dictionary.
+     *
+     * @param document {@link PdfDocument} for which MAC container shall be created
+     * @param authDictionary AuthCode {@link PdfDictionary} which contains MAC related information
+     *
+     * @return {@link AbstractMacIntegrityProtector} which specific implementation depends on interface implementation.
+     */
+    AbstractMacIntegrityProtector createMacIntegrityProtector(PdfDocument document, PdfDictionary authDictionary);
+}

kernel/src/main/java/com/itextpdf/kernel/mac/IMacContainerLocator.java

@@ -0,0 +1,106 @@
+package com.itextpdf.kernel.mac;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1InputStream;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1ObjectIdentifier;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1OctetString;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Set;
+import com.itextpdf.kernel.exceptions.KernelExceptionMessageConstant;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.kernel.pdf.PdfDictionary;
+import com.itextpdf.kernel.pdf.PdfName;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+abstract class MacContainerReader {
+    private static final IBouncyCastleFactory BC_FACTORY = BouncyCastleFactoryCreator.getFactory();
+
+    private final byte[] macContainer;
+    private final long[] byteRange;
+    private final byte[] signature;
+
+    MacContainerReader(PdfDictionary authDictionary) {
+        this.macContainer = parseMacContainer(authDictionary);
+        this.byteRange = parseByteRange(authDictionary);
+        this.signature = parseSignature(authDictionary);
+    }
+
+    static MacContainerReader getInstance(PdfDictionary authDictionary) {
+        PdfName macLocation = authDictionary.getAsName(PdfName.MACLocation);
+        if (PdfName.Standalone.equals(macLocation)) {
+            return new MacStandaloneContainerReader(authDictionary);
+        } else if (PdfName.AttachedToSig.equals(macLocation)) {
+            return new MacSignatureContainerReader(authDictionary);
+        }
+        throw new PdfException(KernelExceptionMessageConstant.MAC_LOCATION_NOT_SPECIFIED);
+    }
+
+    abstract byte[] parseSignature(PdfDictionary authDictionary);
+
+    abstract long[] parseByteRange(PdfDictionary authDictionary);
+
+    abstract byte[] parseMacContainer(PdfDictionary authDictionary);
+
+    long[] getByteRange() {
+        return byteRange;
+    }
+
+    byte[] getSignature() {
+        return signature;
+    }
+
+    byte[] parseMac() {
+        IASN1Sequence authDataSequence = getAuthDataSequence();
+        return BC_FACTORY.createASN1OctetString(authDataSequence.getObjectAt(6)).getOctets();
+    }
+
+    IASN1Set parseAuthAttributes() {
+        IASN1Sequence authDataSequence = getAuthDataSequence();
+        return BC_FACTORY.createASN1Set(BC_FACTORY.createASN1TaggedObject(authDataSequence.getObjectAt(5)), false);
+    }
+
+    IASN1Sequence parseMessageDigest() {
+        IASN1Set authAttributes = parseAuthAttributes();
+        return BC_FACTORY.createASN1Sequence(authAttributes.getObjectAt(2));
+    }
+
+    byte[] parseMacKey() {
+        IASN1Sequence authDataSequence = getAuthDataSequence();
+        IASN1Sequence recInfo = BC_FACTORY.createASN1Sequence(BC_FACTORY.createASN1TaggedObject(
+                BC_FACTORY.createASN1Set(authDataSequence.getObjectAt(1)).getObjectAt(0)).getObject());
+        IASN1OctetString encryptedKey = BC_FACTORY.createASN1OctetString(recInfo.getObjectAt(3));
+
+        return encryptedKey.getOctets();
+    }
+
+    String parseDigestAlgorithm() {
+        IASN1Sequence authDataSequence = getAuthDataSequence();
+        IASN1Primitive digestAlgorithmContainer =
+                BC_FACTORY.createASN1TaggedObject(authDataSequence.getObjectAt(3)).getObject();
+        IASN1ObjectIdentifier digestAlgorithm;
+        if (BC_FACTORY.createASN1ObjectIdentifier(digestAlgorithmContainer) != null) {
+            digestAlgorithm = BC_FACTORY.createASN1ObjectIdentifier(digestAlgorithmContainer);
+        } else {
+            digestAlgorithm = BC_FACTORY.createASN1ObjectIdentifier(
+                    BC_FACTORY.createASN1Sequence(digestAlgorithmContainer).getObjectAt(0));
+        }
+
+        return digestAlgorithm.getId();
+    }
+
+    private IASN1Sequence getAuthDataSequence() {
+        IASN1Sequence contentInfoSequence;
+        try (IASN1InputStream din =
+                BC_FACTORY.createASN1InputStream(new ByteArrayInputStream(macContainer))) {
+            contentInfoSequence = BC_FACTORY.createASN1Sequence(din.readObject());
+        } catch (IOException e) {
+            throw new PdfException(KernelExceptionMessageConstant.CONTAINER_PARSING_EXCEPTION, e);
+        }
+        return BC_FACTORY.createASN1Sequence(BC_FACTORY.createASN1TaggedObject(
+                contentInfoSequence.getObjectAt(1)).getObject());
+    }
+}

kernel/src/main/java/com/itextpdf/kernel/mac/MacContainerReader.java

@@ -0,0 +1,119 @@
+package com.itextpdf.kernel.mac;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1InputStream;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1ObjectIdentifier;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Set;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1TaggedObject;
+import com.itextpdf.commons.bouncycastle.asn1.IDEROctetString;
+import com.itextpdf.kernel.exceptions.KernelExceptionMessageConstant;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.kernel.pdf.PdfDictionary;
+import com.itextpdf.kernel.pdf.PdfName;
+import com.itextpdf.kernel.pdf.PdfString;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+class MacSignatureContainerReader extends MacContainerReader {
+    private static final IBouncyCastleFactory BC_FACTORY = BouncyCastleFactoryCreator.getFactory();
+    private static final String ID_ATTR_PDF_MAC_DATA = "1.0.32004.1.2";
+
+    MacSignatureContainerReader(PdfDictionary authDictionary) {
+        super(authDictionary);
+    }
+
+    @Override
+    byte[] parseSignature(PdfDictionary authDictionary) {
+        PdfDictionary signatureDictionary = getSignatureDictionary(authDictionary);
+        PdfString contentsString = signatureDictionary.getAsString(PdfName.Contents);
+        contentsString.markAsUnencryptedObject();
+        return parseSignatureValueFromSignatureContainer(contentsString.getValueBytes());
+    }
+
+    @Override
+    long[] parseByteRange(PdfDictionary authDictionary) {
+        PdfDictionary signatureDictionary = getSignatureDictionary(authDictionary);
+        return signatureDictionary.getAsArray(PdfName.ByteRange).toLongArray();
+    }
+
+    @Override
+    byte[] parseMacContainer(PdfDictionary authDictionary) {
+        PdfDictionary signatureDictionary = getSignatureDictionary(authDictionary);
+        PdfString contentsString = signatureDictionary.getAsString(PdfName.Contents);
+        contentsString.markAsUnencryptedObject();
+        return parseMacContainerFromSignatureContainer(contentsString.getValueBytes());
+    }
+
+    private static byte[] parseSignatureValueFromSignatureContainer(byte[] signature) {
+        try {
+            IASN1Sequence signerInfoSeq = parseSignerInfoSequence(signature);
+
+            int signatureValueIndex = 3;
+            IASN1TaggedObject taggedSignedAttributes =
+                    BC_FACTORY.createASN1TaggedObject(signerInfoSeq.getObjectAt(signatureValueIndex));
+            if (taggedSignedAttributes != null) {
+                ++signatureValueIndex;
+            }
+            IDEROctetString signatureDataOS = BC_FACTORY.createDEROctetString(
+                    signerInfoSeq.getObjectAt(++signatureValueIndex));
+            return signatureDataOS.getOctets();
+        } catch (Exception e) {
+            throw new PdfException(KernelExceptionMessageConstant.MAC_EXTRACTION_EXCEPTION, e);
+        }
+    }
+
+    private static byte[] parseMacContainerFromSignatureContainer(byte[] signature) {
+        try {
+            IASN1Sequence signerInfoSeq = parseSignerInfoSequence(signature);
+
+            int unsignedAttributesIndex = 3;
+            IASN1TaggedObject taggedSignedAttributes =
+                    BC_FACTORY.createASN1TaggedObject(signerInfoSeq.getObjectAt(unsignedAttributesIndex));
+            if (taggedSignedAttributes != null) {
+                ++unsignedAttributesIndex;
+            }
+            unsignedAttributesIndex += 2;
+            if (signerInfoSeq.size() > unsignedAttributesIndex) {
+                IASN1Set unsignedAttributes = BC_FACTORY.createASN1Set(BC_FACTORY.createASN1TaggedObject(
+                        signerInfoSeq.getObjectAt(unsignedAttributesIndex)), false);
+                for (int i = 0; i < unsignedAttributes.size(); i++) {
+                    IASN1Sequence attrSeq = BC_FACTORY.createASN1Sequence(unsignedAttributes.getObjectAt(i));
+                    IASN1ObjectIdentifier attrType = BC_FACTORY.createASN1ObjectIdentifier(attrSeq.getObjectAt(0));
+                    if (ID_ATTR_PDF_MAC_DATA.equals(attrType.getId())) {
+                        IASN1Set macSet = BC_FACTORY.createASN1Set(attrSeq.getObjectAt(1));
+                        return macSet.getObjectAt(0).toASN1Primitive().getEncoded();
+                    }
+                }
+            }
+        } catch (Exception e) {
+            throw new PdfException(KernelExceptionMessageConstant.MAC_EXTRACTION_EXCEPTION, e);
+        }
+        throw new PdfException(KernelExceptionMessageConstant.MAC_ATTRIBUTE_NOT_SPECIFIED);
+    }
+
+    private static PdfDictionary getSignatureDictionary(PdfDictionary authDictionary) {
+        if (authDictionary.getAsDictionary(PdfName.SigObjRef) == null) {
+            throw new PdfException(KernelExceptionMessageConstant.SIG_OBJ_REF_NOT_SPECIFIED);
+        }
+        return authDictionary.getAsDictionary(PdfName.SigObjRef);
+    }
+
+    private static IASN1Sequence parseSignerInfoSequence(byte[] signature) throws IOException {
+        try (IASN1InputStream is = BC_FACTORY.createASN1InputStream(new ByteArrayInputStream(signature))) {
+            IASN1Sequence contentInfo = BC_FACTORY.createASN1Sequence(is.readObject());
+            IASN1Sequence signedData = BC_FACTORY.createASN1Sequence(
+                    BC_FACTORY.createASN1TaggedObject(contentInfo.getObjectAt(1)).getObject());
+
+            int signerInfoIndex = 4;
+            IASN1TaggedObject taggedObj = BC_FACTORY.createASN1TaggedObject(signedData.getObjectAt(signerInfoIndex));
+            if (taggedObj != null) {
+                ++signerInfoIndex;
+            }
+            return BC_FACTORY.createASN1Sequence(BC_FACTORY.createASN1Set(
+                    signedData.getObjectAt(signerInfoIndex)).getObjectAt(0));
+        }
+    }
+}

kernel/src/main/java/com/itextpdf/kernel/mac/MacSignatureContainerReader.java

@@ -0,0 +1,30 @@
+package com.itextpdf.kernel.mac;
+
+import com.itextpdf.kernel.exceptions.KernelExceptionMessageConstant;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.kernel.pdf.PdfDictionary;
+import com.itextpdf.kernel.pdf.PdfName;
+
+class MacStandaloneContainerReader extends MacContainerReader {
+    MacStandaloneContainerReader(PdfDictionary authDictionary) {
+        super(authDictionary);
+    }
+
+    @Override
+    byte[] parseSignature(PdfDictionary authDictionary) {
+        return null;
+    }
+
+    @Override
+    long[] parseByteRange(PdfDictionary authDictionary) {
+        return authDictionary.getAsArray(PdfName.ByteRange).toLongArray();
+    }
+
+    @Override
+    byte[] parseMacContainer(PdfDictionary authDictionary) {
+        if (authDictionary.getAsString(PdfName.MAC) == null) {
+            throw new PdfException(KernelExceptionMessageConstant.MAC_NOT_SPECIFIED);
+        }
+        return authDictionary.getAsString(PdfName.MAC).getValueBytes();
+    }
+}