itext
diff --git a/‎commons/src/main/java/com/itextpdf/commons/utils/ThrowingAction.java‎
Lines changed: 15 additions & 0 deletions b/‎commons/src/main/java/com/itextpdf/commons/utils/ThrowingAction.java‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎commons/src/main/java/com/itextpdf/commons/utils/ThrowingSupplier.java‎
Lines changed: 16 additions & 0 deletions b/‎commons/src/main/java/com/itextpdf/commons/utils/ThrowingSupplier.java‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎sharpenConfiguration.xml‎
Lines changed: 5 additions & 0 deletions b/‎sharpenConfiguration.xml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/cms/SignerInfo.java‎
Lines changed: 9 additions & 0 deletions b/‎sign/src/main/java/com/itextpdf/signatures/cms/SignerInfo.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/validation/v1/CRLValidator.java‎
Lines changed: 26 additions & 14 deletions b/‎sign/src/main/java/com/itextpdf/signatures/validation/v1/CRLValidator.java‎
Lines changed: 26 additions & 14 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java‎
Lines changed: 50 additions & 14 deletions b/‎sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java‎
Lines changed: 50 additions & 14 deletions
@@ -0,0 +1,15 @@
+package com.itextpdf.commons.utils;
+
+
+/**
+ * Functional interface which takes 0 parameters and returns nothing and can throw a checked exception.
+ */
+@FunctionalInterface
+public interface ThrowingAction {
+    /**
+     * Execute action.
+     *
+     * @throws Exception any exception thrown by the encapsulated code
+     */
+    void execute() throws Exception;
+}
@@ -0,0 +1,16 @@
+package com.itextpdf.commons.utils;
+
+/**
+ * Functional interface which takes 0 parameters and returns T and can throw a checked exception.
+ */
+@FunctionalInterface
+public interface ThrowingSupplier<T> {
+
+    /**
+     * Gets a result.
+     *
+     * @return a result
+     * @throws Exception any exception thrown by the encapsulated code
+     */
+    T get() throws Exception;
+}
@@ -4,6 +4,11 @@
     <ignored>
         <java>
             <!-- commons -->
+            <fileset reason="Delegates already exist in .net">
+                <file path="com/itextpdf/commons/utils/Action.java"/>
+                <file path="com/itextpdf/commons/utils/ThrowingSupplier.java"/>
+                <file path="com/itextpdf/commons/utils/ThrowingAction.java"/>
+            </fileset>
             <fileset reason="Namespaces differs in Java an .NET, so it can't be ported automatically">
                 <file path="com/itextpdf/commons/actions/NamespaceConstant.java"/>
             </fileset>
 
@@ -210,6 +210,15 @@ public X509Certificate getSigningCertificate() {
         return signerCertificate;
     }
 
+    /**
+     * Gets the signature data.
+     *
+     * @return the signature data.
+     */
+    public byte[] getSignatureData() {
+        return signatureData;
+    }
+
     /**
      * Sets the certificate that is used to sign a document and adds it to the signed attributes.
      *
 
@@ -55,6 +55,8 @@ This file is part of the iText (R) project.
 import java.util.HashMap;
 import java.util.Map;
 
+import static com.itextpdf.signatures.validation.v1.SafeCalling.onExceptionLog;
+
 /**
  * Class that allows you to validate a certificate against a Certificate Revocation List (CRL) Response.
  */
@@ -69,6 +71,11 @@ public class CRLValidator {
     static final String CERTIFICATE_IS_NOT_IN_THE_CRL_SCOPE = "Certificate isn't in the current CRL scope.";
     static final String CERTIFICATE_REVOKED = "Certificate was revoked by {0} on {1}.";
     static final String CRL_ISSUER_NOT_FOUND = "Unable to validate CRL response: no issuer certificate found.";
+    static final String CRL_ISSUER_REQUEST_FAILED =
+            "Unable to validate CRL response: Unexpected exception occurred retrieving issuer certificate.";
+    static final String CRL_ISSUER_CHAIN_FAILED =
+            "Unable to validate CRL response: Unexpected exception occurred validating issuer certificate.";
+
     static final String CRL_ISSUER_NO_COMMON_ROOT =
             "The CRL issuer does not share the root of the inspected certificate.";
     static final String CRL_INVALID = "CRL response is invalid.";
@@ -236,7 +243,7 @@ private static IIssuingDistributionPoint getIssuingDistributionPointExtension(X5
         try {
             issuingDistPointExtension = CertificateUtil.getExtensionValue(crl,
                     FACTORY.createExtension().getIssuingDistributionPoint().getId());
-        } catch (IOException e) {
+        } catch (IOException | RuntimeException e) {
             // Ignore exception.
         }
         return FACTORY.createIssuingDistributionPoint(issuingDistPointExtension);
@@ -249,7 +256,7 @@ private static Date getExpiredCertsOnCRLExtensionDate(X509CRL crl) {
             // certificates that expired after the date specified in ExpiredCertsOnCRL or at that date.
             expiredCertsOnCRL = CertificateUtil.getExtensionValue(crl,
                     FACTORY.createExtension().getExpiredCertsOnCRL().getId());
-        } catch (IOException e) {
+        } catch (IOException | RuntimeException e) {
             // Ignore exception.
         }
         if (expiredCertsOnCRL != null) {
@@ -282,12 +289,21 @@ private static int computeInterimReasonsMask(IIssuingDistributionPoint issuingDi
 
     private void verifyCrlIntegrity(ValidationReport report, ValidationContext context, X509Certificate certificate,
             X509CRL crl, Date responseGenerationDate) {
-        Certificate[] certs = certificateRetriever.getCrlIssuerCertificates(crl);
-        if (certs.length == 0) {
+        Certificate[] certs = null;
+        try {
+            certs = certificateRetriever.getCrlIssuerCertificates(crl);
+        } catch (RuntimeException e) {
+            report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_REQUEST_FAILED, e,
+                    ReportItemStatus.INDETERMINATE));
+            return;
+        }
+
+        if (certs == null || certs.length == 0) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_NOT_FOUND,
                     ReportItemStatus.INDETERMINATE));
             return;
         }
+
         Certificate crlIssuer = certs[0];
         Certificate crlIssuerRoot = getRoot(crlIssuer);
         Certificate subjectRoot = getRoot(certificate);
@@ -296,18 +312,14 @@ private void verifyCrlIntegrity(ValidationReport report, ValidationContext conte
                     ReportItemStatus.INDETERMINATE));
             return;
         }
-        try {
-            crl.verify(crlIssuer.getPublicKey());
-        } catch (Exception e) {
-            report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_INVALID, e,
-                    ReportItemStatus.INDETERMINATE));
-            return;
-        }
-
+        onExceptionLog(() -> crl.verify(crlIssuer.getPublicKey()), report,
+                e -> new CertificateReportItem(certificate, CRL_CHECK, CRL_INVALID, e, ReportItemStatus.INDETERMINATE));
         ValidationReport responderReport = new ValidationReport();
-        builder.getCertificateChainValidator().validate(responderReport,
+        onExceptionLog(() -> builder.getCertificateChainValidator().validate(responderReport,
                 context.setCertificateSource(CertificateSource.CRL_ISSUER),
-                (X509Certificate) crlIssuer, responseGenerationDate);
+                (X509Certificate) crlIssuer, responseGenerationDate), report, e ->
+                new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_CHAIN_FAILED, e,
+                        ReportItemStatus.INDETERMINATE));
         addResponderValidationReport(report, responderReport);
     }
 
 
@@ -41,6 +41,9 @@ This file is part of the iText (R) project.
 import java.util.Date;
 import java.util.List;
 
+import static com.itextpdf.signatures.validation.v1.SafeCalling.onExceptionLog;
+import static com.itextpdf.signatures.validation.v1.SafeCalling.onRuntimeExceptionLog;
+
 /**
  * Validator class, which is expected to be used for certificates chain validation.
  */
@@ -60,6 +63,18 @@ public class CertificateChainValidator {
     static final String ISSUER_CANNOT_BE_VERIFIED =
             "Issuer certificate {0} for subject certificate {1} cannot be mathematically verified.";
 
+    static final String ISSUER_VERIFICATION_FAILED =
+            "Unexpected exception occurred while verifying issuer certificate.";
+    static final String ISSUER_RETRIEVAL_FAILED =
+            "Unexpected exception occurred while retrieving certificate issuer from IssuingCertificateRetriever.";
+    static final String TRUSTSTORE_RETRIEVAL_FAILED =
+            "Unexpected exception occurred while retrieving trust store from IssuingCertificateRetriever.";
+    static final String REVOCATION_VALIDATION_FAILED =
+            "Unexpected exception occurred while validating certificate revocation.";
+    static final String VALIDITY_PERIOD_CHECK_FAILED =
+            "Unexpected exception occurred while validating certificate validity period.";
+
+
     private final SignatureValidationProperties properties;
     private final IssuingCertificateRetriever certificateRetriever;
     private final RevocationDataValidator revocationDataValidator;
@@ -102,15 +117,15 @@ public CertificateChainValidator addOcspClient(IOcspClient ocpsClient) {
     /**
      * Validate given certificate using provided validation date and required extensions.
      *
-     * @param context            the validation context in which to validate the certificate chain
-     * @param certificate        {@link X509Certificate} to be validated
-     * @param validationDate     {@link Date} against which certificate is expected to be validated. Usually signing
-     *                           date
+     * @param context        the validation context in which to validate the certificate chain
+     * @param certificate    {@link X509Certificate} to be validated
+     * @param validationDate {@link Date} against which certificate is expected to be validated. Usually signing
+     *                       date
      *
      * @return {@link ValidationReport} which contains detailed validation results
      */
     public ValidationReport validateCertificate(ValidationContext context, X509Certificate certificate,
-                                                Date validationDate) {
+            Date validationDate) {
         ValidationReport result = new ValidationReport();
         return validate(result, context, certificate, validationDate);
     }
@@ -119,11 +134,11 @@ public ValidationReport validateCertificate(ValidationContext context, X509Certi
      * Validate given certificate using provided validation date and required extensions.
      * Result is added into provided report.
      *
-     * @param result             {@link ValidationReport} which is populated with detailed validation results
-     * @param context            the context in which to perform the validation
-     * @param certificate        {@link X509Certificate} to be validated
-     * @param validationDate     {@link Date} against which certificate is expected to be validated. Usually signing
-     *                           date
+     * @param result         {@link ValidationReport} which is populated with detailed validation results
+     * @param context        the context in which to perform the validation
+     * @param certificate    {@link X509Certificate} to be validated
+     * @param validationDate {@link Date} against which certificate is expected to be validated. Usually signing
+     *                       date
      *
      * @return {@link ValidationReport} which contains both provided and new validation results
      */
@@ -135,9 +150,12 @@ public ValidationReport validate(ValidationReport result, ValidationContext cont
         if (stopValidation(result, localContext)) {
             return result;
         }
-        if (checkIfCertIsTrusted(result, localContext, certificate)) {
+        if (onExceptionLog(() -> checkIfCertIsTrusted(result, localContext, certificate), Boolean.FALSE, result,
+                e -> new CertificateReportItem(certificate, CERTIFICATE_CHECK, TRUSTSTORE_RETRIEVAL_FAILED,
+                        e, ReportItemStatus.INFO))) {
             return result;
         }
+
         validateRevocationData(result, localContext, certificate, validationDate);
         if (stopValidation(result, localContext)) {
             return result;
@@ -230,6 +248,9 @@ private void validateValidityPeriod(ValidationReport result, X509Certificate cer
         } catch (CertificateNotYetValidException e) {
             result.addReportItem(new CertificateReportItem(certificate, VALIDITY_CHECK, MessageFormatUtil.format(
                     NOT_YET_VALID_CERTIFICATE, certificate.getSubjectX500Principal()), e, ReportItemStatus.INVALID));
+        } catch (RuntimeException e) {
+            result.addReportItem(new CertificateReportItem(certificate, VALIDITY_CHECK, MessageFormatUtil.format(
+                    VALIDITY_PERIOD_CHECK_FAILED, certificate.getSubjectX500Principal()), e, ReportItemStatus.INVALID));
         }
     }
 
@@ -249,13 +270,23 @@ private void validateRequiredExtensions(ValidationReport result, ValidationConte
 
     private void validateRevocationData(ValidationReport report, ValidationContext context, X509Certificate certificate,
             Date validationDate) {
-        revocationDataValidator.validate(report, context, certificate, validationDate);
+        onRuntimeExceptionLog(() ->
+                revocationDataValidator.validate(report, context, certificate, validationDate), report, e ->
+                new CertificateReportItem(certificate, CERTIFICATE_CHECK,
+                        REVOCATION_VALIDATION_FAILED, e, ReportItemStatus.INDETERMINATE));
     }
 
     private void validateChain(ValidationReport result, ValidationContext context, X509Certificate certificate,
             Date validationDate) {
-        X509Certificate issuerCertificate =
-                (X509Certificate) certificateRetriever.retrieveIssuerCertificate(certificate);
+        X509Certificate issuerCertificate = null;
+        try {
+            issuerCertificate =
+                    (X509Certificate) certificateRetriever.retrieveIssuerCertificate(certificate);
+        } catch (RuntimeException e) {
+            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK,
+                    ISSUER_RETRIEVAL_FAILED, e, ReportItemStatus.INDETERMINATE));
+            return;
+        }
         if (issuerCertificate == null) {
             result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
                     ISSUER_MISSING, certificate.getSubjectX500Principal()), ReportItemStatus.INDETERMINATE));
@@ -268,6 +299,11 @@ private void validateChain(ValidationReport result, ValidationContext context, X
                     MessageFormatUtil.format(ISSUER_CANNOT_BE_VERIFIED, issuerCertificate.getSubjectX500Principal(),
                             certificate.getSubjectX500Principal()), e, ReportItemStatus.INVALID));
             return;
+        } catch (RuntimeException e) {
+            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK,
+                    MessageFormatUtil.format(ISSUER_VERIFICATION_FAILED, issuerCertificate.getSubjectX500Principal(),
+                            certificate.getSubjectX500Principal()), e, ReportItemStatus.INVALID));
+            return;
         }
         this.validate(result, context.setCertificateSource(CertificateSource.CERT_ISSUER),
                 issuerCertificate, validationDate);