Support revocation data retrieval from DSS dictionary

DEVSIX-8304

Author: Eugene Bochilo

sign/src/main/java/com/itextpdf/signatures/CertificateUtil.java

@@ -223,6 +223,20 @@ public static CRL parseCrlFromStream(InputStream input) throws CertificateExcept
         return SignUtils.parseCrlFromStream(input);
     }
 
+    /**
+     * Parses a CRL from bytes.
+     *
+     * @param crlBytes the bytes holding the unparsed CRL
+     *
+     * @return the parsed CRL object.
+     *
+     * @throws CertificateException thrown if there's no X509 implementation in the provider.
+     * @throws CRLException         thrown when encountering errors when parsing the CRL.
+     */
+    public static CRL parseCrlFromBytes(byte[] crlBytes) throws CertificateException, CRLException {
+        return SignUtils.parseCrlFromStream(new ByteArrayInputStream(crlBytes));
+    }
+
     /**
      * Retrieves the URL for the issuer certificate for the given CRL.
      *

sign/src/main/java/com/itextpdf/signatures/validation/v1/CRLValidator.java

@@ -40,6 +40,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
 import com.itextpdf.signatures.validation.v1.extensions.BasicConstraintsExtension;
 import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
+import com.itextpdf.signatures.validation.v1.report.ReportItem;
 import com.itextpdf.signatures.validation.v1.report.ReportItem.ReportItemStatus;
 import com.itextpdf.signatures.validation.v1.report.ValidationReport;
 
@@ -54,8 +55,6 @@ This file is part of the iText (R) project.
 import java.util.HashMap;
 import java.util.Map;
 
-import static com.itextpdf.signatures.validation.v1.RevocationDataValidator.SELF_SIGNED_CERTIFICATE;
-
 /**
  * Class that allows you to validate a certificate against a Certificate Revocation List (CRL) Response.
  */
@@ -79,8 +78,6 @@ public class CRLValidator {
             "not all reason codes are covered by the current CRL.";
     static final String SAME_REASONS_CHECK = "CRLs that cover the same reason codes were already verified.";
     static final String UPDATE_DATE_BEFORE_CHECK_DATE = "nextUpdate: {0} of CRLResponse is before validation date {1}.";
-    static final String NEXT_UPDATE_VALIDATION = "Using crl nextUpdate date as validation date.";
-    static final String THIS_UPDATE_VALIDATION = "Using crl thisUpdate date as validation date.";
 
     // All reasons without unspecified.
     static final int ALL_REASONS = 32895;
@@ -111,18 +108,36 @@ protected CRLValidator(ValidatorChainBuilder builder) {
      * @param certificate    the certificate to check against CRL response
      * @param crl            the crl response to be validated
      * @param validationDate validation date to check for
+     *
+     * @deprecated starting from 8.0.5. TODO DEVSIX-8398 To be removed.
      */
+    @Deprecated
     public void validate(ValidationReport report, ValidationContext context, X509Certificate certificate, X509CRL crl,
             Date validationDate) {
+        validate(report, context, certificate, crl, validationDate, DateTimeUtil.getCurrentTimeDate());
+    }
+
+    /**
+     * Validates a certificate against Certificate Revocation List (CRL) Responses.
+     *
+     * @param report                 to store all the chain verification results
+     * @param context                the context in which to perform the validation
+     * @param certificate            the certificate to check against CRL response
+     * @param crl                    the crl response to be validated
+     * @param validationDate         validation date to check for
+     * @param responseGenerationDate trusted date at which response is generated
+     */
+    public void validate(ValidationReport report, ValidationContext context, X509Certificate certificate, X509CRL crl,
+            Date validationDate, Date responseGenerationDate) {
         ValidationContext localContext = context.setValidatorContext(ValidatorContext.CRL_VALIDATOR);
         if (CertificateUtil.isSelfSigned(certificate)) {
-            report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, SELF_SIGNED_CERTIFICATE,
-                    ReportItemStatus.INFO));
+            report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK,
+                    RevocationDataValidator.SELF_SIGNED_CERTIFICATE, ReportItemStatus.INFO));
             return;
         }
-        // Check that thisUpdate >= (validationDate - freshness).
         Duration freshness = properties.getFreshness(localContext);
-        if (crl.getThisUpdate().before(DateTimeUtil.addMillisToDate(validationDate, -(long) freshness.toMillis()))) {
+        // Check that thisUpdate + freshness < validation.
+        if (DateTimeUtil.addMillisToDate(crl.getThisUpdate(), (long) freshness.toMillis()).before(validationDate)) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK,
                     MessageFormatUtil.format(FRESHNESS_CHECK, crl.getThisUpdate(), validationDate, freshness),
                     ReportItemStatus.INDETERMINATE));
@@ -175,16 +190,10 @@ public void validate(ValidationReport report, ValidationContext context, X509Cer
         Integer reasonsMask = checkedReasonsMask.get(certificate);
         if (reasonsMask != null) {
             interimReasonsMask |= (int) reasonsMask;
-
-            // Verify that interim_reasons_mask includes one or more reasons that are not included in the reasons_mask.
-            if (interimReasonsMask == reasonsMask) {
-                report.addReportItem(
-                        new CertificateReportItem(certificate, CRL_CHECK, SAME_REASONS_CHECK, ReportItemStatus.INFO));
-            }
         }
 
         // Verify the CRL issuer.
-        verifyCrlIntegrity(report, localContext, certificate, crl);
+        verifyCrlIntegrity(report, localContext, certificate, crl, responseGenerationDate);
 
         // Check the status of the certificate.
         verifyRevocation(report, certificate, validationDate, crl);
@@ -272,7 +281,7 @@ private static int computeInterimReasonsMask(IIssuingDistributionPoint issuingDi
     }
 
     private void verifyCrlIntegrity(ValidationReport report, ValidationContext context, X509Certificate certificate,
-            X509CRL crl) {
+            X509CRL crl, Date responseGenerationDate) {
         Certificate[] certs = certificateRetriever.getCrlIssuerCertificates(crl);
         if (certs.length == 0) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_NOT_FOUND,
@@ -285,6 +294,7 @@ private void verifyCrlIntegrity(ValidationReport report, ValidationContext conte
         if (!crlIssuerRoot.equals(subjectRoot)) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_NO_COMMON_ROOT,
                     ReportItemStatus.INDETERMINATE));
+            return;
         }
         try {
             crl.verify(crlIssuer.getPublicKey());
@@ -293,25 +303,23 @@ private void verifyCrlIntegrity(ValidationReport report, ValidationContext conte
                     ReportItemStatus.INDETERMINATE));
             return;
         }
-        // Ideally this date should be the date this response was retrieved from the server.
-        Date crlIssuerDate;
-        if (TimestampConstants.UNDEFINED_TIMESTAMP_DATE != crl.getNextUpdate()) {
-            crlIssuerDate = crl.getNextUpdate();
-            report.addReportItem(new CertificateReportItem((X509Certificate) crlIssuer, CRL_CHECK,
-                    NEXT_UPDATE_VALIDATION, ReportItemStatus.INFO));
-        } else {
-            crlIssuerDate = crl.getThisUpdate();
-            report.addReportItem(new CertificateReportItem((X509Certificate) crlIssuer, CRL_CHECK,
-                    THIS_UPDATE_VALIDATION, ReportItemStatus.INFO));
-        }
 
-        builder.getCertificateChainValidator().validate(report,
+        ValidationReport responderReport = new ValidationReport();
+        builder.getCertificateChainValidator().validate(responderReport,
                 context.setCertificateSource(CertificateSource.CRL_ISSUER),
-                (X509Certificate) crlIssuer, crlIssuerDate);
+                (X509Certificate) crlIssuer, responseGenerationDate);
+        addResponderValidationReport(report, responderReport);
     }
 
     private Certificate getRoot(Certificate cert) {
         Certificate[] chain = certificateRetriever.retrieveMissingCertificates(new Certificate[] {cert});
         return chain[chain.length - 1];
     }
+
+    private static void addResponderValidationReport(ValidationReport report, ValidationReport responderReport) {
+        for (ReportItem reportItem : responderReport.getLogs()) {
+            report.addReportItem(ReportItemStatus.INVALID == reportItem.getStatus() ?
+                    reportItem.setStatus(ReportItemStatus.INDETERMINATE) : reportItem);
+        }
+    }
 }

sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java

@@ -148,6 +148,11 @@ public ValidationReport validate(ValidationReport result, ValidationContext cont
 
     private boolean checkIfCertIsTrusted(ValidationReport result, ValidationContext context,
             X509Certificate certificate) {
+        if (CertificateSource.TRUSTED == context.getCertificateSource()) {
+            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
+                    CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
+            return true;
+        }
         TrustedCertificatesStore store = certificateRetriever.getTrustedCertificatesStore();
         if (store.isCertificateGenerallyTrusted(certificate)) {
             // Certificate is trusted for everything.

sign/src/main/java/com/itextpdf/signatures/validation/v1/DocumentRevisionsValidator.java

@@ -1195,8 +1195,8 @@ private static boolean comparePdfObjects(PdfObject pdfObject1, PdfObject pdfObje
         if (pdfObject1.getClass() != pdfObject2.getClass()) {
             return false;
         }
-        // We don't allow objects to be direct and indirect.
-        // Acrobat however allows it, but such change can invalidate the document.
+        // We don't allow objects to change from being direct to indirect and vice versa.
+        // Acrobat allows it, but such change can invalidate the document.
         if (pdfObject1.getIndirectReference() == null ^ pdfObject2.getIndirectReference() == null) {
             return false;
         }
@@ -1529,10 +1529,10 @@ private void addAllNestedArrayEntries(Set<PdfIndirectReference> allowedReference
             allowedReferences.add(arrayEntry.getIndirectReference());
 
             if (arrayEntry instanceof PdfDictionary) {
-                addAllNestedDictionaryEntries(allowedReferences, pdfArray.getAsDictionary(i));
+                addAllNestedDictionaryEntries(allowedReferences, (PdfDictionary) arrayEntry);
             }
             if (arrayEntry instanceof PdfArray) {
-                addAllNestedArrayEntries(allowedReferences, pdfArray.getAsArray(i));
+                addAllNestedArrayEntries(allowedReferences, (PdfArray) arrayEntry);
             }
         }
     }

sign/src/main/java/com/itextpdf/signatures/validation/v1/OCSPValidator.java

@@ -48,8 +48,6 @@ This file is part of the iText (R) project.
 import java.time.Duration;
 import java.util.Date;
 
-import static com.itextpdf.signatures.validation.v1.RevocationDataValidator.SELF_SIGNED_CERTIFICATE;
-
 /**
  * Class that allows you to validate a single OCSP response.
  */
@@ -98,13 +96,32 @@ protected OCSPValidator(ValidatorChainBuilder builder) {
      * @param singleResp     single response to check
      * @param ocspResp       basic OCSP response which contains single response to check
      * @param validationDate validation date to check for
+     *
+     * @deprecated starting from 8.0.5. TODO DEVSIX-8398 To be removed.
      */
+    @Deprecated
     public void validate(ValidationReport report, ValidationContext context, X509Certificate certificate,
             ISingleResp singleResp, IBasicOCSPResp ocspResp, Date validationDate) {
+        validate(report, context, certificate, singleResp, ocspResp, validationDate, DateTimeUtil.getCurrentTimeDate());
+    }
+
+    /**
+     * Validates a certificate against single OCSP Response.
+     *
+     * @param report                 to store all the chain verification results
+     * @param context                the context in which to perform the validation
+     * @param certificate            the certificate to check for
+     * @param singleResp             single response to check
+     * @param ocspResp               basic OCSP response which contains single response to check
+     * @param validationDate         validation date to check for
+     * @param responseGenerationDate trusted date at which response is generated
+     */
+    public void validate(ValidationReport report, ValidationContext context, X509Certificate certificate,
+            ISingleResp singleResp, IBasicOCSPResp ocspResp, Date validationDate, Date responseGenerationDate) {
         ValidationContext localContext = context.setValidatorContext(ValidatorContext.OCSP_VALIDATOR);
         if (CertificateUtil.isSelfSigned(certificate)) {
-            report.addReportItem(new CertificateReportItem(certificate, OCSP_CHECK, SELF_SIGNED_CERTIFICATE,
-                    ReportItemStatus.INFO));
+            report.addReportItem(new CertificateReportItem(certificate, OCSP_CHECK,
+                    RevocationDataValidator.SELF_SIGNED_CERTIFICATE, ReportItemStatus.INFO));
             return;
         }
         // SingleResp contains the basic information of the status of the certificate identified by the certID.
@@ -131,10 +148,10 @@ public void validate(ValidationReport report, ValidationContext context, X509Cer
         // So, since the issuer name and serial number identify a unique certificate, we found the single response
         // for the provided certificate.
 
-        // Check that thisUpdate >= (validationDate - freshness).
         Duration freshness = properties.getFreshness(localContext);
-        if (singleResp.getThisUpdate().before(
-                DateTimeUtil.addMillisToDate(validationDate, -(long)freshness.toMillis()))) {
+        // Check that thisUpdate + freshness < validation.
+        if (DateTimeUtil.addMillisToDate(singleResp.getThisUpdate(), (long) freshness.toMillis())
+                .before(validationDate)) {
             report.addReportItem(new CertificateReportItem(certificate, OCSP_CHECK,
                     MessageFormatUtil.format(FRESHNESS_CHECK, singleResp.getThisUpdate(), validationDate,
                             freshness), ReportItemStatus.INDETERMINATE));
@@ -169,7 +186,7 @@ public void validate(ValidationReport report, ValidationContext context, X509Cer
 
         if (isStatusGood || (revokedStatus != null && validationDate.before(revokedStatus.getRevocationTime()))) {
             // Check if the OCSP response is genuine.
-            verifyOcspResponder(report, localContext, ocspResp, (X509Certificate) issuerCert);
+            verifyOcspResponder(report, localContext, ocspResp, (X509Certificate) issuerCert, responseGenerationDate);
             if (!isStatusGood) {
                 report.addReportItem(new CertificateReportItem(certificate, OCSP_CHECK,
                         MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED,
@@ -195,7 +212,7 @@ public void validate(ValidationReport report, ValidationContext context, X509Cer
      * @param issuerCert the issuer of the certificate for which the OCSP is checked
      */
     private void verifyOcspResponder(ValidationReport report, ValidationContext context, IBasicOCSPResp ocspResp,
-            X509Certificate issuerCert) {
+            X509Certificate issuerCert, Date responseGenerationDate) {
         ValidationContext localContext = context.setCertificateSource(CertificateSource.OCSP_ISSUER);
         ValidationReport responderReport = new ValidationReport();
 
@@ -236,18 +253,21 @@ private void verifyOcspResponder(ValidationReport report, ValidationContext cont
                 // RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.
                 builder.getCertificateChainValidator().validate(responderReport,
                         localContext,
-                        responderCert, ocspResp.getProducedAt());
-                addResponderValidationReport(report, responderReport);
-                return;
+                        responderCert, responseGenerationDate);
+            } else {
+                builder.getCertificateChainValidator().validate(responderReport,
+                        localContext.setCertificateSource(CertificateSource.TRUSTED),
+                        responderCert, responseGenerationDate);
             }
+        } else {
+            builder.getCertificateChainValidator().validate(responderReport,
+                    localContext.setCertificateSource(CertificateSource.CERT_ISSUER),
+                    responderCert, responseGenerationDate);
         }
-        builder.getCertificateChainValidator().validate(responderReport,
-                localContext.setCertificateSource(CertificateSource.TRUSTED),
-                responderCert, ocspResp.getProducedAt());
         addResponderValidationReport(report, responderReport);
     }
 
-    private void addResponderValidationReport(ValidationReport report, ValidationReport responderReport) {
+    private static void addResponderValidationReport(ValidationReport report, ValidationReport responderReport) {
         for (ReportItem reportItem : responderReport.getLogs()) {
             report.addReportItem(ReportItemStatus.INVALID == reportItem.getStatus() ?
                     reportItem.setStatus(ReportItemStatus.INDETERMINATE) : reportItem);