Support qualified profile

DEVSIX-9481

Author: Eugene Bochilo

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/BouncyCastleFactory.java

@@ -88,6 +88,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.bouncycastle.asn1.x509.SubjectPublicKeyInfoBC;
 import com.itextpdf.bouncycastle.asn1.x509.TBSCertificateBC;
 import com.itextpdf.bouncycastle.asn1.x509.TimeBC;
+import com.itextpdf.bouncycastle.asn1.x509.qualified.QCStatementBC;
 import com.itextpdf.bouncycastle.cert.X509CertificateHolderBC;
 import com.itextpdf.bouncycastle.cert.X509ExtensionUtilsBC;
 import com.itextpdf.bouncycastle.cert.X509v2CRLBuilderBC;
@@ -197,6 +198,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.asn1.x509.ISubjectPublicKeyInfo;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITBSCertificate;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITime;
+import com.itextpdf.commons.bouncycastle.asn1.x509.qualified.IQCStatement;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 import com.itextpdf.commons.bouncycastle.cert.IX509ExtensionUtils;
 import com.itextpdf.commons.bouncycastle.cert.IX509v2CRLBuilder;
@@ -240,6 +242,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampToken;
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampTokenGenerator;
 
+import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -257,15 +260,19 @@ This file is part of the iText (R) project.
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Set;
 import javax.crypto.Cipher;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+
 import org.bouncycastle.asn1.ASN1BitString;
+import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1Enumerated;
 import org.bouncycastle.asn1.ASN1GeneralizedTime;
+import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1OctetString;
@@ -292,16 +299,19 @@ This file is part of the iText (R) project.
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.CertificatePolicies;
 import org.bouncycastle.asn1.x509.DistributionPointName;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.PolicyInformation;
 import org.bouncycastle.asn1.x509.ReasonFlags;
 import org.bouncycastle.asn1.x509.TBSCertificate;
 import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.asn1.x509.qualified.QCStatement;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
@@ -1935,4 +1945,49 @@ public IGCMBlockCipher createGCMBlockCipher() {
         GCMBlockCipher cipher = (GCMBlockCipher) GCMBlockCipher.newInstance(AESEngine.newInstance());
         return new GCMBlockCipherBC(cipher);
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public List<String> getPoliciesIds(byte[] policyExtension) throws IOException {
+        try (ASN1InputStream inputStream = new ASN1InputStream(policyExtension)) {
+            ASN1OctetString octetString = (ASN1OctetString) inputStream.readObject();
+            try (ASN1InputStream innerInputStream = new ASN1InputStream(octetString.getOctets())) {
+                CertificatePolicies certificatePolicies =
+                        CertificatePolicies.getInstance(innerInputStream.readObject());
+
+                PolicyInformation[] policies = certificatePolicies.getPolicyInformation();
+                List<String> policyIds = new ArrayList<>(policies.length);
+                for (PolicyInformation policy : policies) {
+                    policyIds.add(policy.getPolicyIdentifier().getId());
+                }
+                return policyIds;
+            }
+        }
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public List<IQCStatement> parseQcStatement(byte[] qcStatementsExtensionValue) throws IOException {
+        List<IQCStatement> qcStatements = new ArrayList<>();
+        if (qcStatementsExtensionValue != null) {
+            ASN1OctetString octs;
+            try (ASN1InputStream aIn = new ASN1InputStream(qcStatementsExtensionValue)) {
+                octs = (ASN1OctetString) aIn.readObject();
+            }
+            ASN1Primitive primitive;
+            try (ASN1InputStream aIn = new ASN1InputStream(octs.getOctets())) {
+                primitive = aIn.readObject();
+            }
+            ASN1Sequence qcStatementsSequence = ASN1Sequence.getInstance(primitive);
+            for (ASN1Encodable qcStatementEncodable : qcStatementsSequence) {
+                QCStatement qcStatement = QCStatement.getInstance(qcStatementEncodable);
+                qcStatements.add(new QCStatementBC(qcStatement));
+            }
+        }
+        return qcStatements;
+    }
 }

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/asn1/x509/qualified/QCStatementBC.java

@@ -0,0 +1,73 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.bouncycastle.asn1.x509.qualified;
+
+import com.itextpdf.bouncycastle.asn1.ASN1EncodableBC;
+import com.itextpdf.bouncycastle.asn1.ASN1ObjectIdentifierBC;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Encodable;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1ObjectIdentifier;
+import com.itextpdf.commons.bouncycastle.asn1.x509.qualified.IQCStatement;
+import org.bouncycastle.asn1.x509.qualified.QCStatement;
+
+/**
+ * Wrapper class for QCStatement.
+ */
+public class QCStatementBC extends ASN1EncodableBC implements IQCStatement {
+    /**
+     * Creates a new wrapper instance for {@link QCStatement}.
+     *
+     * @param qcStatement {@link QCStatement} to be wrapped
+     */
+    public QCStatementBC(QCStatement qcStatement) {
+        super(qcStatement);
+    }
+
+    /**
+     * Gets actual {@link QCStatement} object being wrapped.
+     *
+     * @return wrapped {@link QCStatement}.
+     */
+    public QCStatement getQCStatement() {
+        return (QCStatement) getEncodable();
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public IASN1ObjectIdentifier getStatementId() {
+        return new ASN1ObjectIdentifierBC(getQCStatement().getStatementId());
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public IASN1Encodable getStatementInfo() {
+        return new ASN1EncodableBC(getQCStatement().getStatementInfo());
+    }
+}

bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/X509CertificateHolderBC.java

@@ -22,13 +22,16 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.bouncycastle.cert;
 
+import com.itextpdf.bouncycastle.asn1.ASN1ObjectIdentifierBC;
 import com.itextpdf.bouncycastle.asn1.x509.AlgorithmIdentifierBC;
+import com.itextpdf.commons.bouncycastle.asn1.IASN1ObjectIdentifier;
 import com.itextpdf.commons.bouncycastle.asn1.x509.IAlgorithmIdentifier;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 
 import java.io.IOException;
 import java.util.Objects;
 
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.cert.X509CertificateHolder;
 
 /**
@@ -75,6 +78,21 @@ public IAlgorithmIdentifier getSignatureAlgorithm() {
         return new AlgorithmIdentifierBC(certificateHolder.getSignatureAlgorithm());
     }
 
+    /**
+     * {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public IASN1ObjectIdentifier[] getSubjectAttributeTypes() {
+        ASN1ObjectIdentifier[] subjectAttributeTypes = certificateHolder.getSubject().getAttributeTypes();
+        IASN1ObjectIdentifier[] subjectAttributeTypesWrapper = new IASN1ObjectIdentifier[subjectAttributeTypes.length];
+        for (int i = 0; i < subjectAttributeTypes.length; ++i) {
+            subjectAttributeTypesWrapper[i] = new ASN1ObjectIdentifierBC(subjectAttributeTypes[i]);
+        }
+        return subjectAttributeTypesWrapper;
+    }
+
     /**
      * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
      */

bouncy-castle-adapter/src/sharpenconfig/java/com/itextpdf/bouncycastle/SharpenConfigMapping.java

@@ -120,6 +120,8 @@ public void applyMappingConfiguration(MappingConfigurator configurator) {
         configurator.mapType("com.itextpdf.bouncycastle.asn1.x509.CRLDistPointBC", "iText.Bouncycastle.Asn1.X509.CrlDistPointBC");
         configurator.mapType("com.itextpdf.bouncycastle.asn1.x509.CRLReasonBC", "iText.Bouncycastle.Asn1.X509.CrlReasonBC");
         configurator.mapType("com.itextpdf.bouncycastle.asn1.x509.KeyPurposeIdBC", "iText.Bouncycastle.Asn1.X509.KeyPurposeIDBC");
+        configurator.mapProperty("org.bouncycastle.asn1.x509.qualified.QCStatement.getStatementId", "StatementId");
+        configurator.mapProperty("org.bouncycastle.asn1.x509.qualified.QCStatement.getStatementInfo", "StatementInfo");
     }
 
     @Override

bouncy-castle-connector/src/main/java/com/itextpdf/bouncycastleconnector/BouncyCastleDefaultFactory.java

@@ -91,6 +91,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.asn1.x509.ISubjectPublicKeyInfo;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITBSCertificate;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITime;
+import com.itextpdf.commons.bouncycastle.asn1.x509.qualified.IQCStatement;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 import com.itextpdf.commons.bouncycastle.cert.IX509ExtensionUtils;
 import com.itextpdf.commons.bouncycastle.cert.IX509v2CRLBuilder;
@@ -133,6 +134,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampToken;
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampTokenGenerator;
 
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.Reader;
@@ -1028,4 +1030,14 @@ public byte[] generateDecryptedKeyWithAES256NoPad(byte[] key, byte[] kek) {
     public IGCMBlockCipher createGCMBlockCipher() {
         throw new UnsupportedOperationException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
     }
+
+    @Override
+    public List<String> getPoliciesIds(byte[] policyExtension) throws IOException {
+        throw new UnsupportedOperationException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+    }
+
+    @Override
+    public List<IQCStatement> parseQcStatement(byte[] qcStatementsExtensionValue) throws IOException {
+        throw new UnsupportedOperationException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+    }
 }

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java

@@ -88,6 +88,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.bouncycastlefips.asn1.x509.SubjectPublicKeyInfoBCFips;
 import com.itextpdf.bouncycastlefips.asn1.x509.TBSCertificateBCFips;
 import com.itextpdf.bouncycastlefips.asn1.x509.TimeBCFips;
+import com.itextpdf.bouncycastlefips.asn1.x509.qualified.QCStatementBCFips;
 import com.itextpdf.bouncycastlefips.cert.X509CertificateHolderBCFips;
 import com.itextpdf.bouncycastlefips.cert.X509ExtensionUtilsBCFips;
 import com.itextpdf.bouncycastlefips.cert.X509v2CRLBuilderBCFips;
@@ -198,6 +199,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.asn1.x509.ISubjectPublicKeyInfo;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITBSCertificate;
 import com.itextpdf.commons.bouncycastle.asn1.x509.ITime;
+import com.itextpdf.commons.bouncycastle.asn1.x509.qualified.IQCStatement;
 import com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder;
 import com.itextpdf.commons.bouncycastle.cert.IX509ExtensionUtils;
 import com.itextpdf.commons.bouncycastle.cert.IX509v2CRLBuilder;
@@ -241,6 +243,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampToken;
 import com.itextpdf.commons.bouncycastle.tsp.ITimeStampTokenGenerator;
 
+import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -259,16 +262,20 @@ This file is part of the iText (R) project.
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Set;
 import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+
 import org.bouncycastle.asn1.ASN1BitString;
+import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1Enumerated;
 import org.bouncycastle.asn1.ASN1GeneralizedTime;
+import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1OctetString;
@@ -295,16 +302,19 @@ This file is part of the iText (R) project.
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.CertificatePolicies;
 import org.bouncycastle.asn1.x509.DistributionPointName;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.PolicyInformation;
 import org.bouncycastle.asn1.x509.ReasonFlags;
 import org.bouncycastle.asn1.x509.TBSCertificate;
 import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.asn1.x509.qualified.QCStatement;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
@@ -1951,4 +1961,49 @@ public IGCMBlockCipher createGCMBlockCipher() {
         }
         return new GCMBlockCipherBCFips(cipher);
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public List<String> getPoliciesIds(byte[] policyExtension) throws IOException {
+        try (ASN1InputStream inputStream = new ASN1InputStream(policyExtension)) {
+            ASN1OctetString octetString = (ASN1OctetString) inputStream.readObject();
+            try (ASN1InputStream innerInputStream = new ASN1InputStream(octetString.getOctets())) {
+                CertificatePolicies certificatePolicies =
+                        CertificatePolicies.getInstance(innerInputStream.readObject());
+
+                PolicyInformation[] policies = certificatePolicies.getPolicyInformation();
+                List<String> policyIds = new ArrayList<>(policies.length);
+                for (PolicyInformation policy : policies) {
+                    policyIds.add(policy.getPolicyIdentifier().getId());
+                }
+                return policyIds;
+            }
+        }
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public List<IQCStatement> parseQcStatement(byte[] qcStatementsExtensionValue) throws IOException {
+        List<IQCStatement> qcStatements = new ArrayList<>();
+        if (qcStatementsExtensionValue != null) {
+            ASN1OctetString octs;
+            try (ASN1InputStream aIn = new ASN1InputStream(qcStatementsExtensionValue)) {
+                octs = (ASN1OctetString) aIn.readObject();
+            }
+            ASN1Primitive primitive;
+            try (ASN1InputStream aIn = new ASN1InputStream(octs.getOctets())) {
+                primitive = aIn.readObject();
+            }
+            ASN1Sequence qcStatementsSequence = ASN1Sequence.getInstance(primitive);
+            for (ASN1Encodable qcStatementEncodable : qcStatementsSequence) {
+                QCStatement qcStatement = QCStatement.getInstance(qcStatementEncodable);
+                qcStatements.add(new QCStatementBCFips(qcStatement));
+            }
+        }
+        return qcStatements;
+    }
 }