Support revocation data retrieval from the signature container

DEVSIX-8388

Author: AnhelinaM

sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java

@@ -249,8 +249,7 @@ private void validateRequiredExtensions(ValidationReport result, ValidationConte
 
     private void validateRevocationData(ValidationReport report, ValidationContext context, X509Certificate certificate,
             Date validationDate) {
-        revocationDataValidator.validate(report,
-                context, certificate, validationDate);
+        revocationDataValidator.validate(report, context, certificate, validationDate);
     }
 
     private void validateChain(ValidationReport result, ValidationContext context, X509Certificate certificate,

sign/src/main/java/com/itextpdf/signatures/validation/v1/SignatureValidator.java

@@ -25,6 +25,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.actions.contexts.IMetaInfo;
 import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
 import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse;
 import com.itextpdf.commons.bouncycastle.asn1.tsp.ITSTInfo;
 import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;
 import com.itextpdf.commons.utils.DateTimeUtil;
@@ -52,6 +53,7 @@ This file is part of the iText (R) project.
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.cert.CRL;
 import java.security.cert.Certificate;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
@@ -156,9 +158,10 @@ public ValidationReport validateSignatures(PdfDocument document) {
 
     ValidationReport validateLatestSignature(PdfDocument document) {
         ValidationReport validationReport = new ValidationReport();
-        updateValidationOcspClient(validationReport, validationContext, document);
-        updateValidationCrlClient(validationReport, validationContext, document);
         PdfPKCS7 pkcs7 = mathematicallyVerifySignature(validationReport, document);
+        updateValidationClients(pkcs7, validationReport, validationContext, document);
+        // We only retrieve not signed revocation data at the very beginning of signature processing.
+        retrieveNotSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext);
         if (stopValidation(validationReport, validationContext)) {
             return validationReport;
         }
@@ -167,66 +170,44 @@ ValidationReport validateLatestSignature(PdfDocument document) {
         certificateRetriever.addKnownCertificates(certificatesFromDss);
 
         if (pkcs7.isTsp()) {
-            validateTimestampChain(validationReport, pkcs7.getTimeStampTokenInfo(), pkcs7.getCertificates(),
-                    pkcs7.getSigningCertificate());
-            updateValidationOcspClient(validationReport, validationContext, document);
-            updateValidationCrlClient(validationReport, validationContext, document);
+            validateTimestampChain(validationReport, pkcs7.getCertificates(), pkcs7.getSigningCertificate());
+            if (updateLastKnownPoE(validationReport, pkcs7.getTimeStampTokenInfo())) {
+                updateValidationClients(pkcs7, validationReport, validationContext, document);
+            }
             return validationReport;
         }
 
+        boolean isPoEUpdated = false;
         Date previousLastKnowPoE = lastKnownPoE;
         ValidationContext previousValidationContext = validationContext;
         if (pkcs7.getTimeStampTokenInfo() != null) {
-            try {
-                if (!pkcs7.verifyTimestampImprint()) {
-                    validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP,
-                            ReportItemStatus.INVALID));
-                }
-            } catch (GeneralSecurityException e) {
-                validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e,
-                        ReportItemStatus.INVALID));
-            }
-            if (stopValidation(validationReport, validationContext)) {
-                return validationReport;
-            }
-
-            PdfPKCS7 timestampSignatureContainer = pkcs7.getTimestampSignatureContainer();
-            try {
-                if (!timestampSignatureContainer.verifySignatureIntegrityAndAuthenticity()) {
-                    validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION,
-                            CANNOT_VERIFY_TIMESTAMP, ReportItemStatus.INVALID));
-                }
-            } catch (GeneralSecurityException e) {
-                validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION,
-                        CANNOT_VERIFY_TIMESTAMP, e, ReportItemStatus.INVALID));
-            }
-            if (stopValidation(validationReport, validationContext)) {
-                return validationReport;
+            ValidationReport tsValidationReport = validateEmbeddedTimestamp(pkcs7);
+            isPoEUpdated = updateLastKnownPoE(tsValidationReport, pkcs7.getTimeStampTokenInfo());
+            if (isPoEUpdated) {
+                PdfPKCS7 timestampSignatureContainer = pkcs7.getTimestampSignatureContainer();
+                retrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext);
+                updateValidationClients(pkcs7, tsValidationReport, validationContext, document);
             }
-
-            Certificate[] timestampCertificates = timestampSignatureContainer.getCertificates();
-            validateTimestampChain(validationReport, pkcs7.getTimeStampTokenInfo(), timestampCertificates,
-                    timestampSignatureContainer.getSigningCertificate());
-            if (stopValidation(validationReport, validationContext)) {
+            validationReport.merge(tsValidationReport);
+            if (stopValidation(tsValidationReport, validationContext)) {
                 return validationReport;
             }
         }
-        updateValidationOcspClient(validationReport, validationContext, document);
-        updateValidationCrlClient(validationReport, validationContext, document);
 
         Certificate[] certificates = pkcs7.getCertificates();
         certificateRetriever.addKnownCertificates(Arrays.asList(certificates));
         X509Certificate signingCertificate = pkcs7.getSigningCertificate();
 
         ValidationReport signatureReport = new ValidationReport();
         certificateChainValidator.validate(signatureReport, validationContext, signingCertificate, lastKnownPoE);
-        if (signatureReport.getValidationResult() != ValidationResult.VALID) {
+        if (isPoEUpdated && signatureReport.getValidationResult() != ValidationResult.VALID) {
             // We can only use PoE retrieved from timestamp attribute in case main signature validation is successful.
-            // That's why if the result is not valid, we set back lastKnownPoE value, validation context and DSS.
+            // That's why if the result is not valid, we set back lastKnownPoE value, validation context and rev data.
             lastKnownPoE = previousLastKnowPoE;
             validationContext = previousValidationContext;
-            updateValidationOcspClient(validationReport, validationContext, document);
-            updateValidationCrlClient(validationReport, validationContext, document);
+            PdfPKCS7 timestampSignatureContainer = pkcs7.getTimestampSignatureContainer();
+            retrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext);
+            updateValidationClients(pkcs7, validationReport, validationContext, document);
         }
         return validationReport.merge(signatureReport);
     }
@@ -255,32 +236,100 @@ private PdfPKCS7 mathematicallyVerifySignature(ValidationReport validationReport
         return pkcs7;
     }
 
-    private ValidationReport validateTimestampChain(ValidationReport validationReport, ITSTInfo timeStampTokenInfo,
-                                                    Certificate[] knownCerts, X509Certificate signingCert) {
-        certificateRetriever.addKnownCertificates(Arrays.asList(knownCerts));
-
+    private ValidationReport validateEmbeddedTimestamp(PdfPKCS7 pkcs7) {
         ValidationReport tsValidationReport = new ValidationReport();
+        try {
+            if (!pkcs7.verifyTimestampImprint()) {
+                tsValidationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP,
+                        ReportItemStatus.INVALID));
+            }
+        } catch (GeneralSecurityException e) {
+            tsValidationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e,
+                    ReportItemStatus.INVALID));
+        }
+        if (stopValidation(tsValidationReport, validationContext)) {
+            return tsValidationReport;
+        }
 
-        certificateChainValidator.validate(tsValidationReport,
+        PdfPKCS7 timestampSignatureContainer = pkcs7.getTimestampSignatureContainer();
+        retrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext);
+        try {
+            if (!timestampSignatureContainer.verifySignatureIntegrityAndAuthenticity()) {
+                tsValidationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION,
+                        CANNOT_VERIFY_TIMESTAMP, ReportItemStatus.INVALID));
+            }
+        } catch (GeneralSecurityException e) {
+            tsValidationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION,
+                    CANNOT_VERIFY_TIMESTAMP, e, ReportItemStatus.INVALID));
+        }
+        if (stopValidation(tsValidationReport, validationContext)) {
+            return tsValidationReport;
+        }
+
+        Certificate[] timestampCertificates = timestampSignatureContainer.getCertificates();
+        validateTimestampChain(tsValidationReport, timestampCertificates,
+                timestampSignatureContainer.getSigningCertificate());
+        return tsValidationReport;
+    }
+
+    private void validateTimestampChain(ValidationReport validationReport, Certificate[] knownCerts,
+                                        X509Certificate signingCert) {
+        certificateRetriever.addKnownCertificates(Arrays.asList(knownCerts));
+
+        certificateChainValidator.validate(validationReport,
                 validationContext.setCertificateSource(CertificateSource.TIMESTAMP),
                 signingCert, lastKnownPoE);
-        validationReport.merge(tsValidationReport);
-        if (tsValidationReport.getValidationResult() == ValidationReport.ValidationResult.VALID) {
+    }
+
+    private boolean updateLastKnownPoE(ValidationReport tsValidationReport, ITSTInfo timeStampTokenInfo) {
+        if (tsValidationReport.getValidationResult() == ValidationResult.VALID) {
             try {
                 lastKnownPoE = timeStampTokenInfo.getGenTime();
                 if (validationContext.getTimeBasedContext() == TimeBasedContext.PRESENT) {
                     validationContext = validationContext.setTimeBasedContext(TimeBasedContext.HISTORICAL);
                 }
+                return true;
             } catch (Exception e) {
-                validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e,
+                tsValidationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e,
                         ReportItemStatus.INDETERMINATE));
             }
         }
-        return validationReport;
+        return false;
     }
 
-    private void updateValidationOcspClient(ValidationReport validationReport, ValidationContext context,
-            PdfDocument document) {
+    private void updateValidationClients(PdfPKCS7 pkcs7, ValidationReport validationReport,
+                                         ValidationContext validationContext, PdfDocument document) {
+        retrieveOcspResponsesFromDss(validationReport, validationContext, document);
+        retrieveCrlResponsesFromDss(validationReport, validationContext, document);
+        retrieveSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext);
+    }
+
+    private void retrieveSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7,
+            ValidationContext validationContext) {
+        if (pkcs7.getCRLs() != null) {
+            for (CRL crl : pkcs7.getCRLs()) {
+                validationCrlClient.addCrl((X509CRL) crl, lastKnownPoE, validationContext.getTimeBasedContext());
+            }
+        }
+        if (pkcs7.getOcsp() != null) {
+            validationOcspClient.addResponse(BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(pkcs7.getOcsp()), lastKnownPoE,
+                    validationContext.getTimeBasedContext());
+        }
+    }
+
+    private void retrieveNotSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7,
+            ValidationContext validationContext) {
+        for (CRL crl : pkcs7.getSignedDataCRLs()) {
+            validationCrlClient.addCrl((X509CRL) crl, lastKnownPoE, validationContext.getTimeBasedContext());
+        }
+        for (IBasicOCSPResponse oscp : pkcs7.getSignedDataOcsps()) {
+            validationOcspClient.addResponse(BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(oscp), lastKnownPoE,
+                    validationContext.getTimeBasedContext());
+        }
+    }
+
+    private void retrieveOcspResponsesFromDss(ValidationReport validationReport, ValidationContext context,
+                                              PdfDocument document) {
         PdfDictionary dss = document.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
         if (dss != null) {
             PdfArray ocsps = dss.getAsArray(PdfName.OCSPs);
@@ -300,8 +349,8 @@ private void updateValidationOcspClient(ValidationReport validationReport, Valid
         }
     }
 
-    private void updateValidationCrlClient(ValidationReport validationReport, ValidationContext context,
-            PdfDocument document) {
+    private void retrieveCrlResponsesFromDss(ValidationReport validationReport, ValidationContext context,
+                                             PdfDocument document) {
         PdfDictionary dss = document.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
         if (dss != null) {
             PdfArray crls = dss.getAsArray(PdfName.CRLs);
@@ -346,4 +395,3 @@ private boolean stopValidation(ValidationReport result, ValidationContext valida
                 && result.getValidationResult() == ValidationResult.INVALID;
     }
 }
-

sign/src/test/java/com/itextpdf/signatures/validation/v1/SignatureValidatorIntegrationTest.java

@@ -195,6 +195,87 @@ public void shortValidityCertsWithCrlTest() throws GeneralSecurityException, IOE
         );
     }
 
+    @Test
+    public void retrieveRevocationDataFromTheSignatureContainerTest() throws GeneralSecurityException, IOException {
+        String rootCertName = CERTS_SRC + "rootRsa.pem";
+        X509Certificate rootCert = (X509Certificate) PemFileHelper.readFirstChain(rootCertName)[0];
+
+        // We need to set infinite freshness for the signature validation. Otherwise, test will fail.
+        builder.getProperties().setFreshness(
+                ValidatorContexts.of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext.CRL_VALIDATOR),
+                CertificateSources.of(CertificateSource.SIGNER_CERT),
+                TimeBasedContexts.of(TimeBasedContext.PRESENT), Duration.ofDays(999999));
+
+        ValidationReport report;
+        // Signature container stores OCSP response with indeterminate status and less fresh but valid CRL response.
+        try (PdfDocument document = new PdfDocument(
+                new PdfReader(SOURCE_FOLDER + "revDataInTheSignatureContainer.pdf"))) {
+            certificateRetriever.setTrustedCertificates(Collections.singletonList(rootCert));
+
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
+            report = signatureValidator.validateSignatures(document);
+        }
+
+        AssertValidationReport.assertThat(report, a -> a
+                .hasStatus(ValidationResult.VALID)
+                .hasNumberOfLogs(4).hasNumberOfFailures(0)
+                .hasLogItem(al -> al
+                        .withCheckName(SignatureValidator.SIGNATURE_VERIFICATION)
+                        .withMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, i -> "Signature1"))
+                .hasLogItem(al -> al
+                        .withCheckName(OCSPValidator.OCSP_CHECK)
+                        .withMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN)
+                        .withStatus(ReportItem.ReportItemStatus.INFO))
+                .hasLogItems(2, al -> al
+                        .withCertificate(rootCert)
+                        .withCheckName(CertificateChainValidator.CERTIFICATE_CHECK)
+                        .withMessage(CertificateChainValidator.CERTIFICATE_TRUSTED,
+                                i -> rootCert.getSubjectX500Principal()))
+        );
+    }
+
+    @Test
+    public void retrieveRevocationDataStoredInTheSignerInfoTest() throws GeneralSecurityException, IOException {
+        String rootCertName = CERTS_SRC + "rootRsa.pem";
+        X509Certificate rootCert = (X509Certificate) PemFileHelper.readFirstChain(rootCertName)[0];
+
+        // We need to set infinite freshness for the embedded timestamp validation. Otherwise, test will fail.
+        builder.getProperties().setFreshness(
+                        ValidatorContexts.of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext.CRL_VALIDATOR),
+                        CertificateSources.of(CertificateSource.TIMESTAMP),
+                        TimeBasedContexts.of(TimeBasedContext.PRESENT), Duration.ofDays(999999))
+                .setFreshness(
+                        ValidatorContexts.of(ValidatorContext.CRL_VALIDATOR),
+                        CertificateSources.of(CertificateSource.SIGNER_CERT),
+                        TimeBasedContexts.of(TimeBasedContext.HISTORICAL), Duration.ofDays(2));
+
+        ValidationReport report;
+        // Signer info authenticated attributes store OCSP response with indeterminate status and valid CRL response.
+        try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "revDataInTheSignerInfo.pdf"))) {
+            certificateRetriever.setTrustedCertificates(Collections.singletonList(rootCert));
+
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
+            report = signatureValidator.validateSignatures(document);
+        }
+
+        AssertValidationReport.assertThat(report, a -> a
+                .hasStatus(ValidationResult.VALID)
+                .hasNumberOfLogs(6).hasNumberOfFailures(0)
+                .hasLogItem(al -> al
+                        .withCheckName(SignatureValidator.SIGNATURE_VERIFICATION)
+                        .withMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, i -> "Signature1"))
+                .hasLogItem(al -> al
+                        .withCheckName(OCSPValidator.OCSP_CHECK)
+                        .withMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN)
+                        .withStatus(ReportItem.ReportItemStatus.INFO))
+                .hasLogItems(4, al -> al
+                        .withCertificate(rootCert)
+                        .withCheckName(CertificateChainValidator.CERTIFICATE_CHECK)
+                        .withMessage(CertificateChainValidator.CERTIFICATE_TRUSTED,
+                                i -> rootCert.getSubjectX500Principal()))
+        );
+    }
+
     @Test
     public void latestSignatureIsTimestampTest() throws GeneralSecurityException, IOException,
             AbstractOperatorCreationException, AbstractPKCSException {