Introducing a default PKCS7 based External signature container

DEVSIX-7756

Author: glenner003

sharpenConfiguration.xml

@@ -604,6 +604,8 @@
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest2_FIPS.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest3_FIPS.pdf"/>
             <file path="com/itextpdf/signatures/sign/TimestampSigTest/cmp_timestampTest01.pdf"/>
+            <file path="com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/cmp_testTroughPdfSignerWithTsaClient.pdf"/>
+            <file path="com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/cmp_testTroughPdfSignerWithTsaClient_FIPS.pdf"/>
         </fileset>
                 <fileset reason="Bug in java version, not in sharp version, therefor a separate reference file is needed see DEVSIX-6752">
             <file path="com/itextpdf/kernel/pdf/xobject/GetImageBytesTest/grayImages.png" />

sign/src/main/java/com/itextpdf/signatures/PKCS7ExternalSignatureContainer.java

@@ -0,0 +1,162 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2023 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.kernel.pdf.PdfDictionary;
+import com.itextpdf.kernel.pdf.PdfName;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+
+public class PKCS7ExternalSignatureContainer implements IExternalSignatureContainer {
+
+    private final Certificate[] chain;
+    private final PrivateKey privateKey;
+    private final String hashAlgorithm;
+    private IOcspClient ocspClient;
+    private ICrlClient crlClient;
+    private ITSAClient tsaClient;
+    private PdfSigner.CryptoStandard sigType = PdfSigner.CryptoStandard.CMS;
+    private SignaturePolicyInfo signaturePolicy;
+
+    /**
+     * Creates an instance of PKCS7ExternalSignatureContainer
+     *
+     * @param privateKey    The private key to sign with
+     * @param chain         The certificate chain
+     * @param hashAlgorithm The hash algorithm to use
+     */
+    public PKCS7ExternalSignatureContainer(PrivateKey privateKey, Certificate[] chain, String hashAlgorithm) {
+        this.hashAlgorithm = hashAlgorithm;
+        this.chain = chain;
+        this.privateKey = privateKey;
+    }
+
+    @Override
+    public byte[] sign(InputStream data) throws GeneralSecurityException {
+        PdfPKCS7 sgn = new PdfPKCS7((PrivateKey) null, chain, hashAlgorithm, null, new BouncyCastleDigest(), false);
+        if (signaturePolicy != null) {
+            sgn.setSignaturePolicy(signaturePolicy);
+        }
+        byte[] hash;
+        try {
+            hash = DigestAlgorithms.digest(data, SignUtils.getMessageDigest(hashAlgorithm));
+        } catch (IOException e) {
+            throw new PdfException(e);
+        }
+
+        Collection<byte[]> crlBytes = null;
+        int i = 0;
+        while (crlClient != null && crlBytes == null && i < chain.length) {
+            crlBytes = crlClient.getEncoded((X509Certificate) chain[i++], null);
+        }
+
+        List<byte[]> ocspList = new ArrayList<>();
+        if (chain.length > 1 && ocspClient != null) {
+            for (int j = 0; j < chain.length - 1; ++j) {
+                byte[] ocsp = ocspClient.getEncoded((X509Certificate) chain[j], (X509Certificate) chain[j + 1], null);
+                if (ocsp != null) {
+                    ocspList.add(ocsp);
+                }
+            }
+        }
+        byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, sigType, ocspList, crlBytes);
+
+        PrivateKeySignature pkSign = new PrivateKeySignature(privateKey, hashAlgorithm,
+                BouncyCastleFactoryCreator.getFactory().getProviderName());
+        byte[] signData = pkSign.sign(sh);
+
+        sgn.setExternalSignatureValue(
+                signData,
+                null,
+                pkSign.getSignatureAlgorithmName(),
+                pkSign.getSignatureMechanismParameters()
+        );
+
+        return sgn.getEncodedPKCS7(hash, sigType, tsaClient, ocspList, crlBytes);
+    }
+
+    @Override
+    public void modifySigningDictionary(PdfDictionary signDic) {
+        signDic.put(PdfName.Filter, PdfName.Adobe_PPKLite);
+        signDic.put(PdfName.SubFilter, sigType == PdfSigner.CryptoStandard.CADES
+                ? PdfName.ETSI_CAdES_DETACHED
+                : PdfName.Adbe_pkcs7_detached);
+    }
+
+    /**
+     * Set the OcspClient if you want revocation data collected trough Ocsp to be added to the signature
+     *
+     * @param ocspClient the client to be used
+     */
+    public void setOcspClient(IOcspClient ocspClient) {
+        this.ocspClient = ocspClient;
+    }
+
+    /**
+     * Set the CrlClient if you want revocation data collected trough Crl to be added to the signature
+     *
+     * @param crlClient the client to be used
+     */
+    public void setCrlClient(ICrlClient crlClient) {
+        this.crlClient = crlClient;
+    }
+
+    /**
+     * Set the TsaClient if you want a TSA timestamp added to the signature
+     *
+     * @param tsaClient the client to use
+     */
+    public void setTsaClient(ITSAClient tsaClient) {
+        this.tsaClient = tsaClient;
+    }
+
+    /**
+     * Set the signature policy if you want it to be added to the signature
+     *
+     * @param signaturePolicy the signature to be set.
+     */
+    public void setSignaturePolicy(SignaturePolicyInfo signaturePolicy) {
+        this.signaturePolicy = signaturePolicy;
+    }
+
+    /**
+     * Set a custom signature type, default value {@link PdfSigner.CryptoStandard#CMS}
+     *
+     * @param sigType the type  of signature to be created
+     */
+    public void setSignatureType(PdfSigner.CryptoStandard sigType) {
+        this.sigType = sigType;
+    }
+
+}

sign/src/test/java/com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest.java

@@ -0,0 +1,220 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2023 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
+import com.itextpdf.commons.bouncycastle.pkcs.AbstractPKCSException;
+import com.itextpdf.commons.utils.Base64;
+import com.itextpdf.commons.utils.DateTimeUtil;
+import com.itextpdf.io.source.ByteArrayOutputStream;
+import com.itextpdf.kernel.pdf.PdfDocument;
+import com.itextpdf.kernel.pdf.PdfReader;
+import com.itextpdf.kernel.pdf.PdfVersion;
+import com.itextpdf.kernel.pdf.PdfWriter;
+import com.itextpdf.kernel.pdf.StampingProperties;
+import com.itextpdf.kernel.pdf.WriterProperties;
+import com.itextpdf.signatures.testutils.PemFileHelper;
+import com.itextpdf.signatures.testutils.SignaturesCompareTool;
+import com.itextpdf.signatures.testutils.TimeTestUtil;
+import com.itextpdf.signatures.testutils.builder.TestCrlBuilder;
+import com.itextpdf.signatures.testutils.client.TestCrlClient;
+import com.itextpdf.signatures.testutils.client.TestOcspClient;
+import com.itextpdf.signatures.testutils.client.TestTsaClient;
+import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.type.BouncyCastleUnitTest;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import java.io.ByteArrayInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+
+@Category(BouncyCastleUnitTest.class)
+public class PKCS7ExternalSignatureContainerTest extends ExtendedITextTest {
+    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
+    private static final boolean FIPS_MODE = "BCFIPS".equals(FACTORY.getProviderName());
+
+    private static final String SOURCE_FOLDER = "./src/test/resources/com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/";
+    private static final String DESTINATION_FOLDER = "./target/test/com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/";
+    private static final String CERTS_SRC = "./src/test/resources/com/itextpdf/signatures/certs/";
+
+    private static final char[] PASSWORD = "testpassphrase".toCharArray();
+
+    private final static String POLICY_IDENTIFIER = "2.16.724.1.3.1.1.2.1.9";
+    private final static String POLICY_HASH_BASE64 = "G7roucf600+f03r/o0bAOQ6WAs0=";
+    private final static byte[] POLICY_HASH = Base64.decode(POLICY_HASH_BASE64);
+    private final static String POLICY_DIGEST_ALGORITHM = "SHA-256";
+    private final static String POLICY_URI = "https://sede.060.gob.es/politica_de_firma_anexo_1.pdf";
+
+    private Certificate[] chain;
+    private PrivateKey pk;
+
+    private X509Certificate caCert;
+    private PrivateKey caPrivateKey;
+
+    @BeforeClass
+    public static void before() {
+        Security.addProvider(FACTORY.getProvider());
+        createOrClearDestinationFolder(DESTINATION_FOLDER);
+    }
+
+    @Before
+    public void init()
+            throws IOException, CertificateException, AbstractPKCSException, AbstractOperatorCreationException {
+        pk = PemFileHelper.readFirstKey(CERTS_SRC + "signCertRsa01.pem", PASSWORD);
+        chain = PemFileHelper.readFirstChain(CERTS_SRC + "signCertRsa01.pem");
+
+        String caCertP12FileName = CERTS_SRC + "rootRsa.pem";
+        caCert = (X509Certificate) PemFileHelper.readFirstChain(caCertP12FileName)[0];
+        caPrivateKey = PemFileHelper.readFirstKey(caCertP12FileName, PASSWORD);
+    }
+
+    @Test
+    public void testTroughPdfSigner() throws IOException, GeneralSecurityException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSigner.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSigner.pdf";
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void testTroughPdfSignerWithCrlClient() throws IOException, GeneralSecurityException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSignerWithCrlClient.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSignerWithCrlClient.pdf";
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+
+        TestCrlClient crlClient = new TestCrlClient();
+
+        TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, DateTimeUtil.addDaysToDate(TimeTestUtil.TEST_DATE_TIME, -1));
+        crlClient.addBuilderForCertIssuer(crlBuilder);
+        pkcs7ExternalSignatureContainer.setCrlClient(crlClient);
+
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void testTroughPdfSignerWithOcspClient() throws IOException, GeneralSecurityException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSignerWithOcspClient.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSignerWithOcspClient.pdf";
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+
+        TestOcspClient ocspClient = new TestOcspClient();
+
+        ocspClient.addBuilderForCertIssuer(caCert, caPrivateKey);
+        pkcs7ExternalSignatureContainer.setOcspClient(ocspClient);
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void testTroughPdfSignerWithTsaClient() throws IOException, GeneralSecurityException, AbstractOperatorCreationException, AbstractPKCSException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSignerWithTsaClient.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSignerWithTsaClient.pdf";
+        if (FIPS_MODE) {
+            cmpFileName = cmpFileName.replace(".pdf", "_FIPS.pdf");
+        }
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+        String tsaCertP12FileName = CERTS_SRC + "tsCertRsa.pem";
+
+        pkcs7ExternalSignatureContainer.setTsaClient(prepareTsaClient(tsaCertP12FileName));
+
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void testTroughPdfSignerWithCadesType() throws IOException, GeneralSecurityException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSignerWithCadesType.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSignerWithCadesType.pdf";
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+        pkcs7ExternalSignatureContainer.setSignatureType(PdfSigner.CryptoStandard.CADES);
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    @Test
+    public void testTroughPdfSignerWithSignaturePolicy() throws IOException, GeneralSecurityException {
+        String outFileName = DESTINATION_FOLDER + "testTroughPdfSignerWithSignaturePolicy.pdf";
+        String cmpFileName = SOURCE_FOLDER + "cmp_testTroughPdfSignerWithSignaturePolicy.pdf";
+        PdfSigner pdfSigner = new PdfSigner(new PdfReader(createSimpleDocument()),
+                new FileOutputStream(outFileName), new StampingProperties());
+        PKCS7ExternalSignatureContainer pkcs7ExternalSignatureContainer = new PKCS7ExternalSignatureContainer(
+                pk, chain, DigestAlgorithms.SHA256);
+        SignaturePolicyInfo policy = new SignaturePolicyInfo(POLICY_IDENTIFIER, POLICY_HASH, POLICY_DIGEST_ALGORITHM, POLICY_URI);
+
+        pkcs7ExternalSignatureContainer.setSignaturePolicy(policy);
+        pdfSigner.signExternalContainer(pkcs7ExternalSignatureContainer, 12000);
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    private static ByteArrayInputStream createSimpleDocument() {
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        WriterProperties writerProperties = new WriterProperties().setPdfVersion(PdfVersion.PDF_2_0);
+        PdfDocument document = new PdfDocument(new PdfWriter(outputStream, writerProperties));
+        document.addNewPage();
+        document.close();
+        return new ByteArrayInputStream(outputStream.toByteArray());
+    }
+
+    private static TestTsaClient prepareTsaClient(String tsaCertP12FileName)
+            throws IOException, CertificateException, AbstractPKCSException, AbstractOperatorCreationException {
+        Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertP12FileName);
+        PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertP12FileName, PASSWORD);
+        return new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
+    }
+}