itext
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/LtvVerification.java
Lines changed: 46 additions & 8 deletions b/‎sign/src/main/java/com/itextpdf/signatures/LtvVerification.java
Lines changed: 46 additions & 8 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/OCSPVerifier.java
Lines changed: 2 additions & 2 deletions b/‎sign/src/main/java/com/itextpdf/signatures/OCSPVerifier.java
Lines changed: 2 additions & 2 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/OID.java
Lines changed: 5 additions & 0 deletions b/‎sign/src/main/java/com/itextpdf/signatures/OID.java
Lines changed: 5 additions & 0 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/PdfPadesSigner.java
Lines changed: 12 additions & 15 deletions b/‎sign/src/main/java/com/itextpdf/signatures/PdfPadesSigner.java
Lines changed: 12 additions & 15 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/logs/SignLogMessageConstant.java
Lines changed: 3 additions & 0 deletions b/‎sign/src/main/java/com/itextpdf/signatures/logs/SignLogMessageConstant.java
Lines changed: 3 additions & 0 deletions
diff --git a/‎sign/src/test/java/com/itextpdf/signatures/TestSignUtils.java
Lines changed: 33 additions & 3 deletions b/‎sign/src/test/java/com/itextpdf/signatures/TestSignUtils.java
Lines changed: 33 additions & 3 deletions
diff --git a/‎sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesAdvancedTest.java
Lines changed: 11 additions & 3 deletions b/‎sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesAdvancedTest.java
Lines changed: 11 additions & 3 deletions
@@ -30,6 +30,9 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.asn1.ocsp.IOCSPResponse;
 import com.itextpdf.commons.bouncycastle.asn1.ocsp.IOCSPResponseStatus;
 import com.itextpdf.commons.bouncycastle.asn1.ocsp.IResponseBytes;
+import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;
+import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
+import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
 import com.itextpdf.commons.utils.MessageFormatUtil;
 import com.itextpdf.io.font.PdfEncodings;
 import com.itextpdf.io.source.ByteBuffer;
@@ -46,7 +49,9 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.pdf.PdfStream;
 import com.itextpdf.kernel.pdf.PdfString;
 import com.itextpdf.kernel.pdf.PdfVersion;
+import com.itextpdf.signatures.OID.X509Extensions;
 import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
+import com.itextpdf.signatures.logs.SignLogMessageConstant;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -249,6 +254,11 @@ public boolean addVerification(String signatureName, IOcspClient ocsp, ICrlClien
             addRevocationDataForChain(signingCert, timestampCertsChain, ocsp, crl, level, certInclude, certOption,
                     validationData, processedCerts);
         }
+        if (certInclude == CertificateInclusion.YES) {
+            for (X509Certificate processedCert : processedCerts) {
+                validationData.certs.add(processedCert.getEncoded());
+            }
+        }
 
         if (validationData.crls.size() == 0 && validationData.ocsps.size() == 0) {
             return false;
@@ -372,6 +382,12 @@ private void addRevocationDataForCertificate(X509Certificate signingCert, Certif
             CertificateOption certOption, ValidationData validationData, Set<X509Certificate> processedCerts)
             throws IOException, CertificateException, CRLException {
         processedCerts.add(cert);
+        byte[] validityAssured = SignUtils.getExtensionValueByOid(cert, X509Extensions.VALIDITY_ASSURED_SHORT_TERM);
+        if (validityAssured != null) {
+            LOGGER.info(MessageFormatUtil.format(SignLogMessageConstant.REVOCATION_DATA_NOT_ADDED_VALIDITY_ASSURED,
+                    cert.getSubjectX500Principal()));
+            return;
+        }
         byte[] ocspEnc = null;
         boolean revocationDataAdded = false;
         if (ocsp != null && level != Level.CRL) {
@@ -381,12 +397,8 @@ private void addRevocationDataForCertificate(X509Certificate signingCert, Certif
                 revocationDataAdded = true;
                 LOGGER.info("OCSP added");
                 if (certOption == CertificateOption.ALL_CERTIFICATES) {
-                    Iterable<X509Certificate> certs = SignUtils.getCertsFromOcspResponse(
-                            BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(
-                                    BOUNCY_CASTLE_FACTORY.createBasicOCSPResponse(ocspEnc)));
-                    List<X509Certificate> certsList = iterableToList(certs);
-                    addRevocationDataForChain(signingCert, certsList.toArray(new X509Certificate[0]),
-                            ocsp, crl, level, certInclude, certOption, validationData, processedCerts);
+                    addRevocationDataForOcspCert(ocspEnc, signingCert, ocsp, crl, level, certInclude, certOption,
+                            validationData, processedCerts);
                 }
             }
         }
@@ -421,9 +433,35 @@ private void addRevocationDataForCertificate(X509Certificate signingCert, Certif
                 signingCert.equals(cert) && !revocationDataAdded) {
             throw new PdfException(SignExceptionMessageConstant.NO_REVOCATION_DATA_FOR_SIGNING_CERTIFICATE);
         }
-        if (certInclude == CertificateInclusion.YES) {
-            validationData.certs.add(cert.getEncoded());
+    }
+    
+    private void addRevocationDataForOcspCert(byte[] ocspEnc, X509Certificate signingCert, IOcspClient ocsp,
+            ICrlClient crl, Level level, CertificateInclusion certInclude, CertificateOption certOption,
+            ValidationData validationData, Set<X509Certificate> processedCerts)
+            throws CertificateException, IOException, CRLException {
+        IBasicOCSPResp ocspResp = BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(
+                BOUNCY_CASTLE_FACTORY.createBasicOCSPResponse(ocspEnc));
+        Iterable<X509Certificate> certs = SignUtils.getCertsFromOcspResponse(ocspResp);
+        List<X509Certificate> ocspCertsList = iterableToList(certs);
+        X509Certificate ocspSigningCert = null;
+        for (X509Certificate ocspCert : ocspCertsList) {
+            try {
+                if (SignUtils.isSignatureValid(ocspResp, ocspCert, BOUNCY_CASTLE_FACTORY.getProviderName())) {
+                    ocspSigningCert = ocspCert;
+                    break;
+                }
+            } catch (AbstractOperatorCreationException | AbstractOCSPException ignored) {
+                // Wasn't possible to check if this cert is signing one, skip.
+            }
+        }
+        if (ocspSigningCert != null && SignUtils.getExtensionValueByOid(
+                ocspSigningCert, X509Extensions.ID_PKIX_OCSP_NOCHECK) != null) {
+            // If ocsp_no_check extension is set on OCSP signing cert we shan't collect revocation data for this cert.
+            ocspCertsList.remove(ocspSigningCert);
+            processedCerts.add(ocspSigningCert);
         }
+        addRevocationDataForChain(signingCert, ocspCertsList.toArray(new X509Certificate[0]),
+                ocsp, crl, level, certInclude, certOption, validationData, processedCerts);
     }
 
     private static List<X509Certificate> iterableToList(Iterable<X509Certificate> iterable) {
 
@@ -241,8 +241,8 @@ && isSignatureValid(ocspResp, cert)) {
                 // validating ocsp signers certificate
                 // Check if responders certificate has id-pkix-ocsp-nocheck extension,
                 // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
-                if (responderCert.getExtensionValue(
-                        BOUNCY_CASTLE_FACTORY.createOCSPObjectIdentifiers().getIdPkixOcspNoCheck().getId()) == null) {
+                if (SignUtils.getExtensionValueByOid(responderCert, BOUNCY_CASTLE_FACTORY.createOCSPObjectIdentifiers()
+                        .getIdPkixOcspNoCheck().getId()) == null) {
                     CRL crl;
                     try {
                         // TODO DEVSIX-5210 Implement a check heck for Authority Information Access according to
 
@@ -135,6 +135,11 @@ public static final class X509Extensions {
          */
         public static final String ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5";
 
+        /**
+         * Extension for certificates from ETSI EN 319 412-1 V1.4.4.
+         */
+        public static final String VALIDITY_ASSURED_SHORT_TERM = "0.4.0.194121.2.1";
+
 
         /**
          * According to https://tools.ietf.org/html/rfc5280 4.2. "Certificate Extensions":
 
@@ -101,8 +101,7 @@ public PdfPadesSigner(PdfReader reader, OutputStream outputStream) {
      */
     public void signWithBaselineBProfile(SignerProperties signerProperties, Certificate[] chain,
            IExternalSignature externalSignature) throws GeneralSecurityException, IOException {
-        Certificate[] fullChain = issuingCertificateRetriever.retrieveMissingCertificates(chain);
-        performSignDetached(signerProperties, true, externalSignature, fullChain, null);
+        performSignDetached(signerProperties, true, externalSignature, chain, null);
     }
 
     /**
@@ -135,8 +134,7 @@ public void signWithBaselineBProfile(SignerProperties signerProperties, Certific
      */
     public void signWithBaselineTProfile(SignerProperties signerProperties, Certificate[] chain,
             IExternalSignature externalSignature, ITSAClient tsaClient) throws GeneralSecurityException, IOException {
-        Certificate[] fullChain = issuingCertificateRetriever.retrieveMissingCertificates(chain);
-        performSignDetached(signerProperties, true, externalSignature, fullChain, tsaClient);
+        performSignDetached(signerProperties, true, externalSignature, chain, tsaClient);
     }
 
     /**
@@ -170,10 +168,9 @@ public void signWithBaselineTProfile(SignerProperties signerProperties, Certific
      */
     public void signWithBaselineLTProfile(SignerProperties signerProperties, Certificate[] chain,
             IExternalSignature externalSignature, ITSAClient tsaClient) throws GeneralSecurityException, IOException {
-        Certificate[] fullChain = issuingCertificateRetriever.retrieveMissingCertificates(chain);
-        createRevocationClients(fullChain, true);
+        createRevocationClients(chain[0], true);
         try {
-            performSignDetached(signerProperties, false, externalSignature, fullChain, tsaClient);
+            performSignDetached(signerProperties, false, externalSignature, chain, tsaClient);
             try (InputStream inputStream = createInputStream();
                     PdfDocument pdfDocument = new PdfDocument(new PdfReader(inputStream),
                             new PdfWriter(outputStream), new StampingProperties().useAppendMode())) {
@@ -216,10 +213,9 @@ public void signWithBaselineLTProfile(SignerProperties signerProperties, Certifi
      */
     public void signWithBaselineLTAProfile(SignerProperties signerProperties, Certificate[] chain,
             IExternalSignature externalSignature, ITSAClient tsaClient) throws IOException, GeneralSecurityException {
-        Certificate[] fullChain = issuingCertificateRetriever.retrieveMissingCertificates(chain);
-        createRevocationClients(fullChain, true);
+        createRevocationClients(chain[0], true);
         try {
-            performSignDetached(signerProperties, false, externalSignature, fullChain, tsaClient);
+            performSignDetached(signerProperties, false, externalSignature, chain, tsaClient);
             try (InputStream inputStream = createInputStream();
                     PdfDocument pdfDocument = new PdfDocument(new PdfReader(inputStream),
                             new PdfWriter(createOutputStream()), new StampingProperties().useAppendMode())) {
@@ -269,7 +265,7 @@ public void prolongSignatures(ITSAClient tsaClient)
             if (signatureNames.isEmpty()) {
                 throw new PdfException(SignExceptionMessageConstant.NO_SIGNATURES_TO_PROLONG);
             }
-            createRevocationClients(new Certificate[0], false);
+            createRevocationClients(null, false);
             performLtvVerification(pdfDocument, signatureNames, LtvVerification.RevocationDataNecessity.OPTIONAL);
             if (tsaClient != null) {
                 performTimestamping(pdfDocument, outputStream, tsaClient);
@@ -419,9 +415,10 @@ private void performTimestamping(PdfDocument document, OutputStream outputStream
     private void performSignDetached(SignerProperties signerProperties, boolean isFinal,
             IExternalSignature externalSignature, Certificate[] chain, ITSAClient tsaClient)
             throws GeneralSecurityException, IOException {
+        Certificate[] fullChain = issuingCertificateRetriever.retrieveMissingCertificates(chain);
         PdfSigner signer = createPdfSigner(signerProperties, isFinal);
         try {
-            signer.signDetached(externalDigest, externalSignature, chain, null, null, tsaClient,
+            signer.signDetached(externalDigest, externalSignature, fullChain, null, null, tsaClient,
                     estimatedSize, CryptoStandard.CADES);
         } finally {
             signer.originalOS.close();
@@ -503,16 +500,16 @@ private File getNextTempFile() {
         return tempFile;
     }
 
-    private void createRevocationClients(Certificate[] chain, boolean clientsRequired) {
+    private void createRevocationClients(Certificate signingCert, boolean clientsRequired) {
         if (crlClient == null && ocspClient == null && clientsRequired) {
-            X509Certificate signingCertificate = (X509Certificate) chain[0];
+            X509Certificate signingCertificate = (X509Certificate) signingCert;
             if (CertificateUtil.getOCSPURL(signingCertificate) == null &&
                     CertificateUtil.getCRLURL(signingCertificate) == null) {
                 throw new PdfException(SignExceptionMessageConstant.DEFAULT_CLIENTS_CANNOT_BE_CREATED);
             }
         }
         if (crlClient == null) {
-            crlClient = new CrlClientOnline(chain);
+            crlClient = new CrlClientOnline();
         }
         if (ocspClient == null) {
             ocspClient = new OcspClientBouncyCastle(null);
 
@@ -33,6 +33,9 @@ public final class SignLogMessageConstant {
             "Unexpected exception without message was thrown during keystore processing";
     public static final String UNABLE_TO_PARSE_AIA_CERT = "Unable to parse certificates coming from authority info "
             + "access extension. Those won't be included into the certificate chain.";
+    
+    public static final String REVOCATION_DATA_NOT_ADDED_VALIDITY_ASSURED =
+            "Revocation data for certificate: \"{0}\" is not added due to validity assured - short term extension.";
 
     private SignLogMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly
 
@@ -46,6 +46,7 @@ This file is part of the iText (R) project.
 import java.security.cert.CertificateException;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
@@ -56,23 +57,40 @@ public final class TestSignUtils {
     private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
 
     public static void assertDssDict(InputStream inputStream, Map<String, Integer> expectedNumberOfCrls,
-            Map<String, Integer> expectedNumberOfOcsp)
+            Map<String, Integer> expectedNumberOfOcsp, List<String> expectedCerts)
             throws IOException, CertificateException, CRLException, AbstractOCSPException {
         try (PdfDocument outDocument = new PdfDocument(new PdfReader(inputStream))) {
             PdfDictionary dss = outDocument.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
+            
+            PdfArray certs = dss.getAsArray(PdfName.Certs) == null ? new PdfArray() : dss.getAsArray(PdfName.Certs);
+            List<String> realCertificates = createCertsList(certs);
 
             PdfArray crls = dss.getAsArray(PdfName.CRLs) == null ? new PdfArray() : dss.getAsArray(PdfName.CRLs);
             Map<String, Integer> realNumberOfCrls = createCrlMap(crls);
 
             PdfArray ocsps = dss.getAsArray(PdfName.OCSPs) == null ? new PdfArray() : dss.getAsArray(PdfName.OCSPs);
             Map<String, Integer> realNumberOfOcsp = createOcspMap(ocsps);
 
+            if (expectedCerts != null) {
+                Assert.assertEquals("Certs entry in DSS dictionary isn't correct", realCertificates.size(),
+                        expectedCerts.size());
+                // Order agnostic list comparison.
+                for (String expectedCert : expectedCerts) {
+                    Assert.assertTrue(realCertificates.stream().anyMatch(cert -> cert.equals(expectedCert)));
+                }
+            }
             Assert.assertTrue("CRLs entry in DSS dictionary isn't correct",
                     MapUtil.equals(expectedNumberOfCrls, realNumberOfCrls));
             Assert.assertTrue("OCSPs entry in DSS dictionary isn't correct",
                     MapUtil.equals(expectedNumberOfOcsp, realNumberOfOcsp));
         }
     }
+
+    public static void assertDssDict(InputStream inputStream, Map<String, Integer> expectedNumberOfCrls,
+            Map<String, Integer> expectedNumberOfOcsp)
+            throws IOException, CertificateException, CRLException, AbstractOCSPException {
+        assertDssDict(inputStream, expectedNumberOfCrls, expectedNumberOfOcsp, null);
+    }
 
     public static void basicCheckSignedDoc(String filePath, String signatureName) throws GeneralSecurityException, IOException {
         try (InputStream inputStream = FileUtil.getInputStreamForFile(filePath)) {
@@ -88,11 +106,12 @@ public static void basicCheckSignedDoc(InputStream inputStream, String signature
         }
     }
 
-    public static void signedDocumentContainsCerts(InputStream inputStream, List<X509Certificate> expectedCertificates)
+    public static void signedDocumentContainsCerts(InputStream inputStream, List<X509Certificate> expectedCertificates,
+            String signatureName)
             throws IOException {
         try (PdfDocument outDocument = new PdfDocument(new PdfReader(inputStream))) {
             SignatureUtil sigUtil = new SignatureUtil(outDocument);
-            List<Certificate> actualCertificates = Arrays.asList(sigUtil.readSignatureData("Signature1").getCertificates());
+            List<Certificate> actualCertificates = Arrays.asList(sigUtil.readSignatureData(signatureName).getCertificates());
             // Searching for every certificate we expect should be in the resulting document.
             Assert.assertEquals(expectedCertificates.size(), actualCertificates.size());
             for (X509Certificate expectedCert : expectedCertificates) {
@@ -101,6 +120,17 @@ public static void signedDocumentContainsCerts(InputStream inputStream, List<X50
             }
         }
     }
+    
+    private static List<String> createCertsList(PdfArray certs) throws CertificateException {
+        List<String> certsNames = new ArrayList<>();
+        for (PdfObject cert : certs) {
+            PdfStream certStream = (PdfStream) cert;
+            byte[] certBytes = certStream.getBytes();
+            X509Certificate certificate = (X509Certificate) SignUtils.readAllCerts(certBytes).toArray(new Certificate[0])[0];
+            certsNames.add(certificate.getSubjectX500Principal().getName());
+        }
+        return certsNames;
+    }
 
     private static Map<String, Integer> createCrlMap(PdfArray crls) throws CertificateException, CRLException {
         Map<String, Integer> realNumberOfCrls = new HashMap<>();
 
@@ -203,11 +203,12 @@ public void signWithAdvancedClientsTest()
             padesSigner.signWithBaselineLTAProfile(signerProperties, signRsaChain, pks, testTsa);
 
             TestSignUtils.basicCheckSignedDoc(new ByteArrayInputStream(outputStream.toByteArray()), "Signature1");
-            assertDss(outputStream, rootCert);
+            assertDss(outputStream, rootCert, signRsaCert, (X509Certificate) tsaChain[0], (X509Certificate) tsaChain[1]);
         }
     }
 
-    private void assertDss(ByteArrayOutputStream outputStream, X509Certificate rootCert)
+    private void assertDss(ByteArrayOutputStream outputStream, X509Certificate rootCert, X509Certificate signRsaCert,
+            X509Certificate tsaCert, X509Certificate rootTsaCert)
             throws AbstractOCSPException, CertificateException, IOException, CRLException {
         Map<String, Integer> expectedNumberOfCrls = new HashMap<>();
         if (amountOfCrlsForRoot + amountOfCrlsForSign != 0) {
@@ -217,7 +218,14 @@ private void assertDss(ByteArrayOutputStream outputStream, X509Certificate rootC
         if (amountOfOcspsForRoot + amountOfOcspsForSign != 0) {
             expectedNumberOfOcsps.put(rootCert.getSubjectX500Principal().getName(), amountOfOcspsForRoot + amountOfOcspsForSign);
         }
-        TestSignUtils.assertDssDict(new ByteArrayInputStream(outputStream.toByteArray()), expectedNumberOfCrls, expectedNumberOfOcsps);
+        List<String> expectedCerts = Arrays.asList(getCertName(rootCert), getCertName(signRsaCert),
+                getCertName(tsaCert), getCertName(rootTsaCert));
+        TestSignUtils.assertDssDict(new ByteArrayInputStream(outputStream.toByteArray()), expectedNumberOfCrls,
+                expectedNumberOfOcsps, expectedCerts);
+    }
+
+    private String getCertName(X509Certificate certificate) {
+        return certificate.getSubjectX500Principal().getName();
     }
 
     private SignerProperties createSignerProperties() {