Add the ability to set trusted certificates store for getting missing certificates

DEVSIX-7934

Author: AnhelinaM

sign/src/main/java/com/itextpdf/signatures/DefaultIssuingCertificateRetriever.java

@@ -24,6 +24,7 @@ This file is part of the iText (R) project.
 
 import java.security.cert.CRL;
 import java.security.cert.Certificate;
+import java.util.Collection;
 
 /**
  * Empty {@link IIssuingCertificateRetriever} implementation for compatibility with the older code.
@@ -58,4 +59,14 @@ public Certificate[] retrieveMissingCertificates(Certificate[] chain) {
     public Certificate[] getCrlIssuerCertificates(CRL crl) {
         return new Certificate[0];
     }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @param certificates {@inheritDoc}
+     */
+    @Override
+    public void setTrustedCertificates(Collection<Certificate> certificates) {
+        // Do nothing.
+    }
 }

sign/src/main/java/com/itextpdf/signatures/IIssuingCertificateRetriever.java

@@ -24,6 +24,7 @@ This file is part of the iText (R) project.
 
 import java.security.cert.CRL;
 import java.security.cert.Certificate;
+import java.util.Collection;
 
 /**
  * Interface helper to support retrieving CAIssuers certificates from Authority Information Access (AIA) Extension in
@@ -49,4 +50,12 @@ public interface IIssuingCertificateRetriever {
      * @return certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.
      */
     Certificate[] getCrlIssuerCertificates(CRL crl);
+
+    /**
+     * Sets trusted certificate list to be used for the missing certificates retrieving by the issuer name.
+     *
+     * @param certificates certificate list for getting missing certificates in chain
+     *                     or CRL response issuer certificates.
+     */
+    void setTrustedCertificates(Collection<Certificate> certificates);
 }

sign/src/main/java/com/itextpdf/signatures/IssuingCertificateRetriever.java

@@ -30,20 +30,25 @@ This file is part of the iText (R) project.
 import java.security.cert.CRL;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * {@link IIssuingCertificateRetriever} default implementation.
  */
 public class IssuingCertificateRetriever implements IIssuingCertificateRetriever {
-    
+
     private static final Logger LOGGER = LoggerFactory.getLogger(IssuingCertificateRetriever.class);
 
+    private final Map<String, Certificate> certificateMap = new HashMap<>();
+
     /**
      * Creates {@link IssuingCertificateRetriever} instance.
      */
@@ -65,28 +70,34 @@ public Certificate[] retrieveMissingCertificates(Certificate[] chain) {
         fullChain.add(signingCertificate);
 
         int i = 1;
-        Certificate lastAddedCert = signingCertificate;
-        while (!CertificateUtil.isSelfSigned((X509Certificate) lastAddedCert)) {
+        X509Certificate lastAddedCert = signingCertificate;
+        while (!CertificateUtil.isSelfSigned(lastAddedCert)) {
             //  Check if there are any missing certificates with isSignedByNext
             if (i < chain.length &&
-                    CertificateUtil.isIssuerCertificate((X509Certificate) lastAddedCert, (X509Certificate) chain[i])) {
+                    CertificateUtil.isIssuerCertificate(lastAddedCert, (X509Certificate) chain[i])) {
                 fullChain.add(chain[i]);
                 i++;
             } else {
                 // Get missing certificates using AIA Extensions
-                String url = CertificateUtil.getIssuerCertURL((X509Certificate) lastAddedCert);
+                String url = CertificateUtil.getIssuerCertURL(lastAddedCert);
                 Collection<Certificate> certificatesFromAIA = processCertificatesFromAIA(url);
                 if (certificatesFromAIA == null || certificatesFromAIA.isEmpty()) {
-                    // Unable to retrieve missing certificates
-                    while (i < chain.length) {
-                        fullChain.add(chain[i]);
-                        i++;
+                    // Retrieve Issuer from the certificate store
+                    Certificate issuer = certificateMap.get(lastAddedCert.getIssuerX500Principal().getName());
+                    if (issuer == null) {
+                        // Unable to retrieve missing certificates
+                        while (i < chain.length) {
+                            fullChain.add(chain[i]);
+                            i++;
+                        }
+                        return fullChain.toArray(new Certificate[0]);
                     }
-                    return fullChain.toArray(new Certificate[0]);
+                    fullChain.add(issuer);
+                } else {
+                    fullChain.addAll(certificatesFromAIA);
                 }
-                fullChain.addAll(certificatesFromAIA);
             }
-            lastAddedCert = fullChain.get(fullChain.size() - 1);
+            lastAddedCert = (X509Certificate) fullChain.get(fullChain.size() - 1);
         }
 
         return fullChain.toArray(new Certificate[0]);
@@ -110,8 +121,28 @@ public Certificate[] getCrlIssuerCertificates(CRL crl) {
         // AIA Extension
         String url = CertificateUtil.getIssuerCertURL(crl);
         List<Certificate> certificatesFromAIA = (List<Certificate>) processCertificatesFromAIA(url);
-        return certificatesFromAIA == null ? new Certificate[0] :
-                retrieveMissingCertificates(certificatesFromAIA.toArray(new Certificate[0]));
+        if (certificatesFromAIA == null) {
+            // Retrieve Issuer from the certificate store
+            Certificate issuer = certificateMap.get(((X509CRL) crl).getIssuerX500Principal().getName());
+            if (issuer == null) {
+                // Unable to retrieve CRL issuer
+                return new Certificate[0];
+            }
+            return retrieveMissingCertificates(new Certificate[]{issuer});
+        }
+        return retrieveMissingCertificates(certificatesFromAIA.toArray(new Certificate[0]));
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @param certificates {@inheritDoc}
+     */
+    @Override
+    public void setTrustedCertificates(Collection<Certificate> certificates) {
+        for (Certificate certificate : certificates) {
+            certificateMap.put(((X509Certificate) certificate).getSubjectX500Principal().getName(), certificate);
+        }
     }
 
     /**

sign/src/main/java/com/itextpdf/signatures/PdfPadesSigner.java

@@ -399,13 +399,27 @@ public PdfPadesSigner setExternalDigest(IExternalDigest externalDigest) {
      *
      * @param issuingCertificateRetriever {@link IIssuingCertificateRetriever} instance to be used for getting missing
      *                                 certificates in chain or CRL response issuer certificates.
+     *
      * @return same instance of {@link PdfPadesSigner}.
      */
     public PdfPadesSigner setIssuingCertificateRetriever(IIssuingCertificateRetriever issuingCertificateRetriever) {
         this.issuingCertificateRetriever = issuingCertificateRetriever;
         return this;
     }
 
+    /**
+     * Set certificate list to be used by the {@link IIssuingCertificateRetriever} to retrieve missing certificates.
+     *
+     * @param certificateList certificate list for getting missing certificates in chain
+     *                        or CRL response issuer certificates.
+     *
+     * @return same instance of {@link PdfPadesSigner}.
+     */
+    public PdfPadesSigner setTrustedCertificates(List<Certificate> certificateList) {
+        this.issuingCertificateRetriever.setTrustedCertificates(certificateList);
+        return this;
+    }
+
     private void performTimestamping(PdfDocument document, OutputStream outputStream, ITSAClient tsaClient)
             throws IOException, GeneralSecurityException {
         PdfSigner timestampSigner = new PdfSigner(document, outputStream, tempOutputStream, tempFile);

sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesMissingCertificatesTest.java

@@ -42,9 +42,6 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.testutils.client.TestTsaClient;
 import com.itextpdf.test.ExtendedITextTest;
 import com.itextpdf.test.annotations.type.IntegrationTest;
-
-import java.util.Collections;
-import java.util.List;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
@@ -59,8 +56,11 @@ This file is part of the iText (R) project.
 import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 @Category(IntegrationTest.class)
@@ -125,7 +125,7 @@ protected InputStream getCrlResponse(X509Certificate cert, URL urlt) throws IOEx
         X509Certificate crlIntermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateCrlFileName)[0];
         X509Certificate ocspIntermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateOscpFileName)[0];
         X509Certificate tsaIntermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateTsaFileName)[0];
-        X509Certificate intermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateCertFileName)[0]; 
+        X509Certificate intermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateCertFileName)[0];
 
         AdvancedTestOcspClient ocspClient = new AdvancedTestOcspClient(null);
         ocspClient.addBuilderForCertIssuer(signCert, ocspCert, ocspPrivateKey);
@@ -198,6 +198,69 @@ protected InputStream getIssuerCertByURI(String uri) throws IOException {
                 expectedNumberOfCrls, expectedNumberOfOcsps, certs);
     }
 
+    @Test
+    public void retrieveMissingCertificatesUsingTrustedStoreTest() throws GeneralSecurityException, IOException,
+            AbstractOperatorCreationException, AbstractPKCSException, AbstractOCSPException {
+        String srcFileName = sourceFolder + "helloWorldDoc.pdf";
+        String rootCertFileName = sourceFolder + "root.pem";
+        String signCertFileName = sourceFolder + "sign.pem";
+        String rootCrlFileName = sourceFolder + "crlRoot.pem";
+        String crlCertFileName = sourceFolder + "crlCert.pem";
+        String tsaCertFileName = sourceFolder + "tsCert.pem";
+        String crlSignedByCA = sourceFolder + "crlWithRootIssuer.crl";
+        String crlSignedByCrlCert = sourceFolder + "crlWithCrlIssuer.crl";
+
+        X509Certificate signCert = (X509Certificate) PemFileHelper.readFirstChain(signCertFileName)[0];
+        PrivateKey signPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
+        X509Certificate crlCert = (X509Certificate) PemFileHelper.readFirstChain(crlCertFileName)[0];
+        X509Certificate tsaCert = (X509Certificate) PemFileHelper.readFirstChain(tsaCertFileName)[0];
+        PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, password);
+
+        SignerProperties signerProperties = createSignerProperties();
+        TestTsaClient testTsa = new TestTsaClient(Collections.singletonList(tsaCert), tsaPrivateKey);
+
+        CrlClientOnline testCrlClient = new CrlClientOnline() {
+            @Override
+            protected InputStream getCrlResponse(X509Certificate cert, URL urlt) throws IOException {
+                if (urlt.toString().contains("cert-crl")) {
+                    return FileUtil.getInputStreamForFile(crlSignedByCrlCert);
+                }
+                return FileUtil.getInputStreamForFile(crlSignedByCA);
+            }
+        };
+
+        X509Certificate rootCert = (X509Certificate) PemFileHelper.readFirstChain(rootCertFileName)[0];
+        X509Certificate crlRootCert = (X509Certificate) PemFileHelper.readFirstChain(rootCrlFileName)[0];
+
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        PdfPadesSigner padesSigner =
+                new PdfPadesSigner(new PdfReader(FileUtil.getInputStreamForFile(srcFileName)), outputStream);
+        padesSigner.setCrlClient(testCrlClient);
+
+        List<Certificate> trustedCertificates = new ArrayList<>();
+        trustedCertificates.add(rootCert);
+        trustedCertificates.add(crlRootCert);
+        trustedCertificates.add(crlCert);
+        padesSigner.setTrustedCertificates(trustedCertificates);
+
+        Certificate[] signChain = new Certificate[]{signCert};
+        padesSigner.signWithBaselineLTProfile(signerProperties, signChain, signPrivateKey, testTsa);
+
+        outputStream.close();
+
+        TestSignUtils.basicCheckSignedDoc(new ByteArrayInputStream(outputStream.toByteArray()), "Signature1");
+
+        Map<String, Integer> expectedNumberOfCrls = new HashMap<>();
+        Map<String, Integer> expectedNumberOfOcsps = new HashMap<>();
+        // It is expected to have two CRL responses, one for signing cert and another for CRL response.
+        expectedNumberOfCrls.put(crlCert.getSubjectX500Principal().getName(), 1);
+        expectedNumberOfCrls.put(rootCert.getSubjectX500Principal().getName(), 1);
+        List<String> certs = Arrays.asList(getCertName(rootCert), getCertName(crlRootCert), getCertName(crlCert),
+                getCertName(signCert), getCertName(tsaCert));
+        TestSignUtils.assertDssDict(new ByteArrayInputStream(outputStream.toByteArray()),
+                expectedNumberOfCrls, expectedNumberOfOcsps, certs);
+    }
+
     private String getCertName(X509Certificate certificate) {
         return certificate.getSubjectX500Principal().getName();
     }

sign/src/test/resources/com/itextpdf/signatures/sign/PdfPadesMissingCertificatesTest/crlCert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAqSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MTAwLgYDVQQDDCdpVGV4dE1pc3NpbmdDZXJ0aWZpY2F0
+ZXNUZXN0Q1JMUm9vdENlcnQwIBcNMjAwMTAxMDAwMDAwWhgPMjQwMDAxMDEwMDAw
+MDBaME8xCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDEwMC4GA1UEAwwnaVRl
+eHRNaXNzaW5nQ2VydGlmaWNhdGVzVGVzdENSTFNpZ25DZXJ0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk0rgFNDp8zelAj9o73RqZUK6pStgVbBL0Zn9
+HhM5O0e3OuWEgJtOm+foMayksOQHESxS6t/AiKdkTQc6nVl8cXncZURnsEi6SpHo
+r/WMkOmKUvnYdXda2mPuRmxRopG4TMqW6S0A9N8E29+xdG3LcmV/HP4MU78nRoOH
+WGi+Op1I4tyC9i8CfoRJcq7WI51fyh87TrxITS80Cjq9AXoBvmJrx90DgP7u7WUT
+NAPvVayapLG3VtnexSDuM/7+73dT15a4QxPdLmFUYbyhSfH77iI11FZd/06i9v/f
+uRcVZBobCs8+FzmN1OhSs1Uk7aAj/QkQkuyvVyK6uhrstfT4GwIDAQABo4GfMIGc
+MB0GA1UdDgQWBBT3CXRcQ9OYneGbRjM5g/NWB0LT4DAfBgNVHSMEGDAWgBTDTbEm
+iGJjiJdOu6soHhD/ha1kGjAOBgNVHQ8BAf8EBAMCBeAwSgYDVR0fBEMwQTA/oD2g
+O4Y5aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vZXhhbXBsZS1jYS9jcmxzL2NhLWNy
+bC9sYXRlc3QuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAhTj5txV1IAyfe7K/bxDlK
+nKRJYYLsY8iTCu3dNF7mjSD7eZf7wWvGdfR2a910uS6U0/ZDIYyKSOnxdlRvNrU5
+nGxk48JuUZgSlSmzq1RmvdPx6dBLJT3Dctm7hkzQHemYNNAlkvDVX2GMPrEgcoTY
+S5gwKOvoQi5hXIYNxX43CaxVGyForNBMBn4502ThTs/M58EKNEZvUaNbYs2iLNkS
+CU1M0KZ4fMlihP9xtAhTBeqHUqEubKP45T0KzqWOZPH/WyQPeIrNAnXk2H0gIZP5
+ElI5Wm7r+EhCWTDfaBK3OormNoBOYKU0tawzzKVh1MHOg+31BqJud7H+t5REbTck
+-----END CERTIFICATE-----

sign/src/test/resources/com/itextpdf/signatures/sign/PdfPadesMissingCertificatesTest/crlRoot.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MTAwLgYDVQQDDCdpVGV4dE1pc3NpbmdDZXJ0aWZpY2F0
+ZXNUZXN0Q1JMUm9vdENlcnQwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAw
+MDBaME8xCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDEwMC4GA1UEAwwnaVRl
+eHRNaXNzaW5nQ2VydGlmaWNhdGVzVGVzdENSTFJvb3RDZXJ0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8ePfGsGJ2JOMKSzy1vSZW0vutjJCdi5mW+Y
+vqYJ+kQLOr0+gb3Wu0BonyFzl8wF9ogfaAyBqjzswaKw9uGfhHanzh5vqNwSHNlR
+/2aa56I1GidrprnaMSZiNy4lFAGxajFfb0D++UNjdLrkARjVcKenrwauR+GbT5bM
+tQw3yJVyMzAA6uy4xGMMNW/ZZwEUmKvWPNXqJHq0BvJICWWlZFQI2dMQo4DR7Npk
+D8dVd/Fdwtpp59E6xGz6WDk9/x6NH7wcZGW8xjZTtkrTOoppMG6A7Wrb+VWrXVbT
+lKaCo/1DY4whfnkKUwDsNXIk4vn9sU6PRvp0iEZGqk5Z25wQJwIDAQABo2MwYTAd
+BgNVHQ4EFgQUw02xJohiY4iXTrurKB4Q/4WtZBowHwYDVR0jBBgwFoAUw02xJohi
+Y4iXTrurKB4Q/4WtZBowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYw
+DQYJKoZIhvcNAQELBQADggEBAC5DclkIZBL7k5uqMA+TwzwwPSE0pCNrN0wLMy8I
+qaooT3IKuLLjo7FLH28ZRkrUYBdrg7W60NZfbDNcLoVSEyyOFMrplQNdUDPByrTU
+BUERxQ7r+7g+pHuF93o/3DbwvN8fykm4pC7d0JlFwge+LOu7pICHa8Ctj6K+C0kN
+lwhoz3Rafg+1tj5GUoGj2ZX82yXwb+rnSIn0hj6HhDpPXYRn2GssOqkOs1MJElw+
+GPn8vD7a3wI++4alki52TuR1Ydu41z4lQjfy3JSaFuflsPFf0KjNeCkH/D6PgwZg
+KCcD7fbk2IcIj70d5xye3v53wkbc9wZhqYm9CtKYunrKGoM=
+-----END CERTIFICATE-----

sign/src/test/resources/com/itextpdf/signatures/sign/PdfPadesMissingCertificatesTest/crlWithCrlIssuer.crl

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcTCCAlmgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MSkwJwYDVQQDDCBpVGV4dE1pc3NpbmdDZXJ0aWZpY2F0
+ZXNUZXN0Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yNTAwMDEwMTAwMDAwMFowSDEL
+MAkGA1UEBhMCQkUxDjAMBgNVBAoMBWlUZXh0MSkwJwYDVQQDDCBpVGV4dE1pc3Np
+bmdDZXJ0aWZpY2F0ZXNUZXN0Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKuwJdoMeFrmWbyg8GXSy/bcZbJ6UlcHpc6wn8vxm7UqU8ZXewFTfJMe
+gCHHD0TdqR15mJVVD1Vc8HL0+zlQlzVz7aXLJg99O8jAmSCmMY5/6MlsnfvLeygl
+XcP4TzaWQJ+KQSeD75hFvFh4YMArThstRAjHtBCvpBqOAQfmsGYqKHfyNJlD4laC
+Dgi3NunTbh8ZDaBekrqBHdjp34hE01vbildqX4HRhYHPwJI0VqEXcvxWoLRTHqn7
+bDjAJCnSfeFKDZhAaFbGJYzIE2JNh1uIAYtfe5SzWoyjUnmhQ9vYQkZd0ORMDBvt
+moEj3oTAA0wf5AWUgn4GOKb3g7Wk8vUCAwEAAaNjMGEwHQYDVR0OBBYEFDxxMpGA
+5p+6Ft7i/hg+29HlL/l2MB8GA1UdIwQYMBaAFDxxMpGA5p+6Ft7i/hg+29HlL/l2
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHmMA0GCSqGSIb3DQEBCwUA
+A4IBAQCmiT5fzeV9PEQ6d+YG8RpQ98UQp4Xl0fPzMSchyUa1YdV9C18qBqQUSaeb
+fcae5banYh9Pv6A68K+fh+qkJ86nVo3XeD8so4Y/+2JdmSZaoLgNNkX1EYpFNm4z
+1wS9pYYmsFKGMzZbSJh76QB4GQApgWrqTtYI8ndHtTPHcwwrIPJviu5TxrYtBcQD
+sJ7qnOS9xbp9M1/+1zcACF4Ge0jN0/QD99+DmFfxm/op2nICHMvR1HrKEX2F1ivT
+N07kGwS5eBRm1LqvHtHl2yroNPe8Dan5gpm/U0Dc2bnwsP3r33yXqHK5XdE0JBKz
+55MJ1G/ZYdACX/CIFoHlpsihhJ7T
+-----END CERTIFICATE-----