Check wether the validated certificate is part of the crl issuer chain

DEVSIX-8568

Author: glenner003

sign/src/main/java/com/itextpdf/signatures/validation/CRLValidator.java

@@ -51,6 +51,7 @@ This file is part of the iText (R) project.
 import java.security.cert.X509CRLEntry;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
@@ -85,6 +86,8 @@ public class CRLValidator {
             "not all reason codes are covered by the current CRL.";
     static final String SAME_REASONS_CHECK = "CRLs that cover the same reason codes were already verified.";
     static final String UPDATE_DATE_BEFORE_CHECK_DATE = "nextUpdate: {0} of CRLResponse is before validation date {1}.";
+    static final String CERTIFICATE_IN_ISSUER_CHAIN = "Unable to validate CRL response: validated certificate is"
+            + " part of issuer certificate chain.";
 
     // All reasons without unspecified.
     static final int ALL_REASONS = 32895;
@@ -120,6 +123,7 @@ protected CRLValidator(ValidatorChainBuilder builder) {
     public void validate(ValidationReport report, ValidationContext context, X509Certificate certificate, X509CRL crl,
             Date validationDate, Date responseGenerationDate) {
         ValidationContext localContext = context.setValidatorContext(ValidatorContext.CRL_VALIDATOR);
+
         if (CertificateUtil.isSelfSigned(certificate)) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK,
                     RevocationDataValidator.SELF_SIGNED_CERTIFICATE, ReportItemStatus.INFO));
@@ -281,13 +285,17 @@ private void verifyCrlIntegrity(ValidationReport report, ValidationContext conte
                     ReportItemStatus.INDETERMINATE));
             return;
         }
-
         if (certs == null || certs.length == 0) {
             report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CRL_ISSUER_NOT_FOUND,
                     ReportItemStatus.INDETERMINATE));
             return;
         }
 
+        if (Arrays.stream(certs).anyMatch(c -> c.equals(certificate))) {
+            report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK, CERTIFICATE_IN_ISSUER_CHAIN,
+                    ReportItemStatus.INDETERMINATE));
+            return;
+        }
         Certificate crlIssuer = certs[0];
         Certificate crlIssuerRoot = getRoot(crlIssuer);
         Certificate subjectRoot = getRoot(certificate);

sign/src/test/java/com/itextpdf/signatures/validation/RevocationDataValidatorIntegrationTest.java

@@ -27,13 +27,15 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
 import com.itextpdf.commons.bouncycastle.pkcs.AbstractPKCSException;
 import com.itextpdf.commons.utils.DateTimeUtil;
+import com.itextpdf.signatures.CertificateUtil;
 import com.itextpdf.signatures.IssuingCertificateRetriever;
 import com.itextpdf.signatures.testutils.PemFileHelper;
 import com.itextpdf.signatures.testutils.TimeTestUtil;
 import com.itextpdf.signatures.testutils.builder.TestCrlBuilder;
 import com.itextpdf.signatures.testutils.builder.TestOcspResponseBuilder;
 import com.itextpdf.signatures.testutils.client.TestCrlClient;
 import com.itextpdf.signatures.testutils.client.TestOcspClient;
+import com.itextpdf.signatures.validation.SignatureValidationProperties.OnlineFetching;
 import com.itextpdf.signatures.validation.context.CertificateSource;
 import com.itextpdf.signatures.validation.context.CertificateSources;
 import com.itextpdf.signatures.validation.context.TimeBasedContext;
@@ -44,6 +46,10 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.report.ReportItem;
 import com.itextpdf.signatures.validation.report.ValidationReport;
 import com.itextpdf.test.ExtendedITextTest;
+
+import java.security.cert.X509CRL;
+import java.time.Duration;
+import java.util.Date;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -61,6 +67,10 @@ public class RevocationDataValidatorIntegrationTest extends ExtendedITextTest {
     private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
     private static final String SOURCE_FOLDER =
             "./src/test/resources/com/itextpdf/signatures/validation/RevocationDataValidatorTest/";
+
+    private static final String CRL_TEST_SOURCE_FOLDER =
+            "./src/test/resources/com/itextpdf/signatures/validation/CRLValidatorTest/";
+
     private static final char[] PASSWORD = "testpassphrase".toCharArray();
 
 
@@ -140,4 +150,101 @@ public void crlWithOnlySomeReasonsTest() throws Exception {
                 ));
 
     }
+
+    @Test
+    public void crlSignerIsValidatedCertificate() throws Exception {
+
+        String rootCertFileName = CRL_TEST_SOURCE_FOLDER + "happyPath/ca.cert.pem";
+        String crlSignerKeyFileName = CRL_TEST_SOURCE_FOLDER + "keys/crl-key.pem";
+        String crlSignerFileName = CRL_TEST_SOURCE_FOLDER + "happyPath/crl-issuer.cert.pem";
+        String checkCertFileName = CRL_TEST_SOURCE_FOLDER + "happyPath/sign.cert.pem";
+
+        X509Certificate caCert = (X509Certificate) PemFileHelper.readFirstChain(rootCertFileName)[0];
+        X509Certificate crlSigner = (X509Certificate) PemFileHelper.readFirstChain(crlSignerFileName)[0];
+        PrivateKey crlPrivateKey = PemFileHelper.readFirstKey(crlSignerKeyFileName, PASSWORD);
+        X509Certificate checkCert = (X509Certificate) PemFileHelper.readFirstChain(checkCertFileName)[0];
+
+
+        certificateRetriever.addTrustedCertificates(Collections.singletonList(caCert));
+        certificateRetriever.addKnownCertificates(Collections.singletonList(crlSigner));
+
+        Date checkDate = TimeTestUtil.TEST_DATE_TIME;
+        Date revocationDate = DateTimeUtil.addDaysToDate(checkDate, -1);
+        TestCrlBuilder builder = new TestCrlBuilder(crlSigner, crlPrivateKey, checkDate);
+        builder.setNextUpdate(DateTimeUtil.addDaysToDate(checkDate, 10));
+        //builder.addCrlEntry(caCert, revocationDate, FACTORY.createCRLReason().getKeyCompromise());
+        //TestCrlClientWrapper crlClient = new TestCrlClientWrapper(new TestCrlClient().addBuilderForCertIssuer(builder));
+
+        ValidationCrlClient crlClient = (ValidationCrlClient) parameters.getCrlClients().get(0);
+        crlClient.addCrl((X509CRL) CertificateUtil.parseCrlFromBytes(builder.makeCrl()), checkDate, TimeBasedContext.HISTORICAL );
+
+        ValidationReport report = new ValidationReport();
+        certificateRetriever.addTrustedCertificates(Collections.singletonList(caCert));
+
+        parameters.setRevocationOnlineFetching(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(), OnlineFetching.FETCH_IF_NO_OTHER_DATA_AVAILABLE);
+        parameters.setFreshness(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(),Duration.ofDays(0));
+
+
+        RevocationDataValidator validator = validatorChainBuilder.buildRevocationDataValidator();
+        validatorChainBuilder.withRevocationDataValidatorFactory(()->validator);
+
+        validator.validate(report, baseContext, crlSigner, checkDate);
+
+        AssertValidationReport.assertThat(report, a -> a
+                .hasNumberOfFailures(1)
+                        .hasLogItem(l-> l.withMessage(CRLValidator.CERTIFICATE_IN_ISSUER_CHAIN))
+                );
+    }
+
+    @Test
+    public void crlSignerIssuerIsValidatedCertificate() throws Exception {
+
+        String rootCertFileName = CRL_TEST_SOURCE_FOLDER + "crlSignerInValidatedChain/ca.cert.pem";
+        String intermediateFileName = CRL_TEST_SOURCE_FOLDER + "crlSignerInValidatedChain/intermediate.cert.pem";
+        String intermediate2FileName = CRL_TEST_SOURCE_FOLDER + "crlSignerInValidatedChain/intermediate2.cert.pem";
+        String crlSignerKeyFileName = CRL_TEST_SOURCE_FOLDER + "keys/crl-key.pem";
+        String crlSignerFileName = CRL_TEST_SOURCE_FOLDER + "crlSignerInValidatedChain/crl-issuer.cert.pem";
+        String checkCertFileName = CRL_TEST_SOURCE_FOLDER + "crlSignerInValidatedChain/sign.cert.pem";
+
+        X509Certificate caCert = (X509Certificate) PemFileHelper.readFirstChain(rootCertFileName)[0];
+        X509Certificate intermediateCert = (X509Certificate) PemFileHelper.readFirstChain(intermediateFileName)[0];
+        X509Certificate intermediate2Cert = (X509Certificate) PemFileHelper.readFirstChain(intermediate2FileName)[0];
+        X509Certificate crlSigner = (X509Certificate) PemFileHelper.readFirstChain(crlSignerFileName)[0];
+        PrivateKey crlPrivateKey = PemFileHelper.readFirstKey(crlSignerKeyFileName, PASSWORD);
+        X509Certificate checkCert = (X509Certificate) PemFileHelper.readFirstChain(checkCertFileName)[0];
+
+
+        certificateRetriever.addTrustedCertificates(Collections.singletonList(caCert));
+        certificateRetriever.addKnownCertificates(Collections.singletonList(crlSigner));
+        certificateRetriever.addKnownCertificates(Collections.singletonList(intermediateCert));
+        certificateRetriever.addKnownCertificates(Collections.singletonList(intermediate2Cert));
+
+        Date checkDate = TimeTestUtil.TEST_DATE_TIME;
+        Date revocationDate = DateTimeUtil.addDaysToDate(checkDate, -1);
+        TestCrlBuilder builder = new TestCrlBuilder(crlSigner, crlPrivateKey, checkDate);
+        builder.setNextUpdate(DateTimeUtil.addDaysToDate(checkDate, 10));
+        //builder.addCrlEntry(caCert, revocationDate, FACTORY.createCRLReason().getKeyCompromise());
+        //TestCrlClientWrapper crlClient = new TestCrlClientWrapper(new TestCrlClient().addBuilderForCertIssuer(builder));
+
+        ValidationCrlClient crlClient = (ValidationCrlClient) parameters.getCrlClients().get(0);
+        crlClient.addCrl((X509CRL) CertificateUtil.parseCrlFromBytes(builder.makeCrl()), checkDate, TimeBasedContext.HISTORICAL );
+
+        ValidationReport report = new ValidationReport();
+        //certificateRetriever.addTrustedCertificates(Collections.singletonList(caCert));
+
+        parameters.setRevocationOnlineFetching(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(), OnlineFetching.FETCH_IF_NO_OTHER_DATA_AVAILABLE);
+        parameters.setFreshness(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(),Duration.ofDays(0));
+
+
+        RevocationDataValidator validator = validatorChainBuilder.buildRevocationDataValidator();
+        validatorChainBuilder.withRevocationDataValidatorFactory(()->validator);
+
+        validator.validate(report, baseContext, intermediateCert, checkDate);
+
+        AssertValidationReport.assertThat(report, a -> a
+                .hasNumberOfFailures(1)
+                .hasLogItem(l-> l.withMessage(CRLValidator.CERTIFICATE_IN_ISSUER_CHAIN))
+        );
+    }
 }
+

sign/src/test/resources/com/itextpdf/signatures/validation/CRLValidatorTest/createTestData.cmd

@@ -1,15 +1,17 @@
 REM create the test keys
 IF [%1] == [] goto continue
 md keys
-openssl genrsa -out keys/root_key.pem -passout pass:testpassphrase 2048
-openssl genrsa -out keys/im_key.pem -passout pass:testpassphrase 2048
-openssl genrsa -out keys/sign-key.pem -passout pass:testpassphrase 2048
-openssl genrsa -out keys/crl-key.pem -passout pass:testpassphrase 2048
+openssl genrsa -out keys/root_key.pem -aes256 -passout pass:testpassphrase 2048
+openssl genrsa -out keys/im_key.pem -aes256 -passout pass:testpassphrase 2048
+openssl genrsa -out keys/im2_key.pem -aes256 -passout pass:testpassphrase 2048
+openssl genrsa -out keys/sign-key.pem -aes256 -passout pass:testpassphrase 2048
+openssl genrsa -out keys/crl-key.pem -aes256 -passout pass:testpassphrase 2048
 :continue
 
 call :runTestCase happyPath
 call :runTestCase crlIssuerRevokedBeforeSigningDate
 call :runTestCase crlIssuerAndSignCertHaveNoSharedRoot
+call :runTestCase crlSignerInValidatedChain
 EXIT
 
 :runTestCase

sign/src/test/resources/com/itextpdf/signatures/validation/CRLValidatorTest/crlIssuerAndSignCertHaveNoSharedRoot/ca.cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MRYwFAYDVQQDDA1pVGV4dFRlc3RSb290MCAXDTAwMDEw
+MTAwMDAwMFoYDzI1MDAwMTAxMDAwMDAwWjA1MQswCQYDVQQGEwJCRTEOMAwGA1UE
+CgwFaVRleHQxFjAUBgNVBAMMDWlUZXh0VGVzdFJvb3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDYxUs+SgZkRkOhOfddCnPeuE1QP2kAm6gAsg4qjNzr
+rZpZvwziyWaz6bXXq8fATjXEAdypAiWL/BDZscdCM/M11jds9mMv7dMvCtLns6Oe
+4GbChYxxloN2rVxElFPK2siKBaEeWyItr2Ms0P+hSR5uHjFt+krzl2zv828fyEnH
+fPvln42SAcuCKsLmfjtutus5jFKBFF8oiqDFlI2eXYggKV7JELttgPLobv2ZyFa5
+nXo/xbtzlPb8AvV3/mxpX4prFhBXupJXuCwmqmzVRqGbwKSz/Bewb/4aJGSpg32x
+yIWeXTld58f+Jntfes8xHwK0aJB/Tm2WrH+RWoV+TN/pAgMBAAGjYzBhMB0GA1Ud
+DgQWBBR0MlTFwFzoq8mPVusDjIEnL5avqzAfBgNVHSMEGDAWgBR0MlTFwFzoq8mP
+VusDjIEnL5avqzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIC5DANBgkq
+hkiG9w0BAQsFAAOCAQEAK2dbxbQ7jEdtqvnMpKOZsB55PDO5OZ2hPYilT5ZVZNt1
+jdE94HdCBHED3upmOeBH+XtsK/MLk+eYICM5SZwWVCBY0aQQR0URyTsX4SA/12A5
+VhrnP6bqy4b+3mO3J9s0go59cZOtSkxQ7191teEQMsDeh8GxXGLW/7Tf4x6v7U34
+B7UghMhUD2bHJ7U8MOqto9fVar/9S93tc9vRtYOXZbfRwjFKOYD4IFm7cH3VnrX7
+od3KUEKGKhQ2ZaqrtnW19xNTbdRcMT3+8QSai9DLV0kGGSSY09AHDO3WvxkAs9ZI
+cIsMM/n+mLK0Km9fh5uE3k6NmiN3GV+QMyjbmFnVNg==
+-----END CERTIFICATE-----