Cover TSAClientBouncyCastle with tests

EvgenyB1001 · EvgenyB1001 · commit cb597459f549 · 2022-01-15T11:22:55.000+03:00
DEVSIX-6150
diff --git a/sign/src/test/java/com/itextpdf/signatures/TSAClientBouncyCastleTest.java b/sign/src/test/java/com/itextpdf/signatures/TSAClientBouncyCastleTest.java
@@ -0,0 +1,232 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2022 iText Group NV
+    Authors: iText Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures;
+
+import com.itextpdf.commons.utils.MessageFormatUtil;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
+import com.itextpdf.signatures.testutils.builder.TestTimestampTokenBuilder;
+import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.type.UnitTest;
+import com.itextpdf.test.signutils.Pkcs12FileHelper;
+
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.util.Arrays;
+import java.util.List;
+import org.bouncycastle.tsp.TimeStampResponse;
+import org.bouncycastle.tsp.TimeStampToken;
+import org.bouncycastle.tsp.TimeStampTokenInfo;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+@Category(UnitTest.class)
+public class TSAClientBouncyCastleTest extends ExtendedITextTest {
+
+    @Test
+    public void setTSAInfoTest() {
+        TSAClientBouncyCastle clientBouncyCastle = new TSAClientBouncyCastle("url");
+        CustomItsaInfoBouncyCastle infoBouncyCastle = new CustomItsaInfoBouncyCastle();
+        clientBouncyCastle.setTSAInfo(infoBouncyCastle);
+        Assert.assertEquals(infoBouncyCastle, clientBouncyCastle.tsaInfo);
+    }
+
+    @Test
+    public void testTsaClientBouncyCastleConstructor3Args() {
+        String userName = "user";
+        String password = "password";
+        String url = "url";
+
+        TSAClientBouncyCastle tsaClientBouncyCastle = new TSAClientBouncyCastle(url, userName, password);
+        Assert.assertEquals(url, tsaClientBouncyCastle.tsaURL);
+        Assert.assertEquals(userName, tsaClientBouncyCastle.tsaUsername);
+        Assert.assertEquals(password, tsaClientBouncyCastle.tsaPassword);
+        Assert.assertEquals(TSAClientBouncyCastle.DEFAULTTOKENSIZE, tsaClientBouncyCastle.tokenSizeEstimate);
+        Assert.assertEquals(TSAClientBouncyCastle.DEFAULTHASHALGORITHM, tsaClientBouncyCastle.digestAlgorithm);
+    }
+
+    @Test
+    public void testTsaClientBouncyCastleConstructorAllArgs() {
+        String userName = "user";
+        String password = "password";
+        String url = "url";
+        int tokenSize = 1024;
+        String digestAlgorithm = "SHA-1";
+
+        TSAClientBouncyCastle tsaClientBouncyCastle = new TSAClientBouncyCastle(url, userName, password,
+                tokenSize, digestAlgorithm);
+        Assert.assertEquals(url, tsaClientBouncyCastle.tsaURL);
+        Assert.assertEquals(userName, tsaClientBouncyCastle.tsaUsername);
+        Assert.assertEquals(password, tsaClientBouncyCastle.tsaPassword);
+        Assert.assertEquals(tokenSize, tsaClientBouncyCastle.tokenSizeEstimate);
+        Assert.assertEquals(digestAlgorithm, tsaClientBouncyCastle.digestAlgorithm);
+    }
+
+    @Test
+    public void testTsaClientBouncyCastleConstructor1Arg() {
+        String url = "url";
+
+        TSAClientBouncyCastle tsaClientBouncyCastle = new TSAClientBouncyCastle(url);
+        Assert.assertEquals(url, tsaClientBouncyCastle.tsaURL);
+        Assert.assertNull(tsaClientBouncyCastle.tsaUsername);
+        Assert.assertNull(tsaClientBouncyCastle.tsaPassword);
+        Assert.assertEquals(TSAClientBouncyCastle.DEFAULTTOKENSIZE, tsaClientBouncyCastle.tokenSizeEstimate);
+        Assert.assertEquals(TSAClientBouncyCastle.DEFAULTHASHALGORITHM, tsaClientBouncyCastle.digestAlgorithm);
+    }
+
+    @Test
+    public void getTokenSizeEstimateTest() {
+        String userName = "user";
+        String password = "password";
+        String url = "url";
+        String digestAlgorithm = "SHA-256";
+        int tokenSizeEstimate = 4096;
+
+        TSAClientBouncyCastle tsaClientBouncyCastle = new TSAClientBouncyCastle(url, userName, password,
+                tokenSizeEstimate, digestAlgorithm);
+        Assert.assertEquals(tokenSizeEstimate, tsaClientBouncyCastle.getTokenSizeEstimate());
+    }
+
+    @Test
+    public void setGetTsaReqPolicyTest() {
+        String regPolicy = "regPolicy";
+
+        TSAClientBouncyCastle clientBouncyCastle = new TSAClientBouncyCastle("url");
+        clientBouncyCastle.setTSAReqPolicy(regPolicy);
+        Assert.assertEquals(regPolicy, clientBouncyCastle.getTSAReqPolicy());
+    }
+
+    @Test
+    public void getMessageDigestTest() throws GeneralSecurityException {
+        String userName = "user";
+        String password = "password";
+        String url = "url";
+        String digestAlgorithm = "SHA-256";
+        int tokenSizeEstimate = 4096;
+
+        TSAClientBouncyCastle tsaClientBouncyCastle = new TSAClientBouncyCastle(url, userName, password,
+                tokenSizeEstimate, digestAlgorithm);
+        MessageDigest digest = tsaClientBouncyCastle.getMessageDigest();
+        Assert.assertNotNull(digest);
+        Assert.assertEquals(digestAlgorithm, digest.getAlgorithm());
+    }
+
+    @Test
+    public void getTimeStampTokenTest() throws Exception {
+        String allowedDigest = "SHA256";
+        String signatureAlgorithm = "SHA256withRSA";
+        String policyOid = "1.3.6.1.4.1.45794.1.1";
+
+        CustomTsaClientBouncyCastle tsaClientBouncyCastle = new CustomTsaClientBouncyCastle("", signatureAlgorithm,
+                allowedDigest);
+        tsaClientBouncyCastle.setTSAReqPolicy(policyOid);
+        CustomItsaInfoBouncyCastle itsaInfoBouncyCastle = new CustomItsaInfoBouncyCastle();
+        tsaClientBouncyCastle.setTSAInfo(itsaInfoBouncyCastle);
+        byte[] timestampTokenArray = tsaClientBouncyCastle.getTimeStampToken(tsaClientBouncyCastle
+                .getMessageDigest().digest());
+
+        TimeStampToken expectedToken = new TimeStampResponse(tsaClientBouncyCastle.getExpectedTsaResponseBytes())
+                .getTimeStampToken();
+        TimeStampTokenInfo expectedTsTokenInfo = expectedToken.getTimeStampInfo();
+        TimeStampTokenInfo resultTsTokenInfo = itsaInfoBouncyCastle.getTimeStampTokenInfo();
+
+        Assert.assertNotNull(timestampTokenArray);
+        Assert.assertNotNull(resultTsTokenInfo);
+        Assert.assertArrayEquals(expectedTsTokenInfo.getEncoded(), resultTsTokenInfo.getEncoded());
+        Assert.assertArrayEquals(expectedToken.getEncoded(), timestampTokenArray);
+    }
+
+    @Test
+    public void getTimeStampTokenFailureExceptionTest() throws Exception {
+        String allowedDigest = "MD5";
+        String signatureAlgorithm = "SHA256withRSA";
+        String url = "url";
+
+        CustomTsaClientBouncyCastle tsaClientBouncyCastle = new CustomTsaClientBouncyCastle(url, signatureAlgorithm,
+                allowedDigest);
+        tsaClientBouncyCastle.setTSAInfo(new CustomItsaInfoBouncyCastle());
+
+        byte[] digest = tsaClientBouncyCastle.getMessageDigest().digest();
+        Exception e = Assert.assertThrows(PdfException.class,
+                () -> tsaClientBouncyCastle.getTimeStampToken(digest)
+        );
+
+        Assert.assertEquals(MessageFormatUtil.format(SignExceptionMessageConstant.INVALID_TSA_RESPONSE, url, "128"),
+                e.getMessage());
+    }
+
+    private static final class CustomTsaClientBouncyCastle extends TSAClientBouncyCastle {
+        private static final char[] PASSWORD = "testpass".toCharArray();
+
+        private static final String CERTS_SRC = "./src/test/resources/com/itextpdf/signatures/certs/";
+
+        private final PrivateKey tsaPrivateKey;
+        private final List<Certificate> tsaCertificateChain;
+        private final String signatureAlgorithm;
+        private final String allowedDigest;
+
+        private byte[] expectedTsaResponseBytes;
+
+        public CustomTsaClientBouncyCastle(String url, String signatureAlgorithm, String allowedDigest)
+                throws Exception {
+            super(url);
+
+            this.signatureAlgorithm = signatureAlgorithm;
+            this.allowedDigest = allowedDigest;
+            tsaPrivateKey = Pkcs12FileHelper
+                    .readFirstKey(CERTS_SRC + "signCertRsa01.p12", PASSWORD, PASSWORD);
+
+            String tsaCertFileName = CERTS_SRC + "tsCertRsa.p12";
+            tsaCertificateChain = Arrays.asList(Pkcs12FileHelper.readFirstChain(tsaCertFileName, PASSWORD));
+        }
+
+        public byte[] getExpectedTsaResponseBytes() {
+            return expectedTsaResponseBytes;
+        }
+
+        @Override
+        protected byte[] getTSAResponse(byte[] requestBytes) {
+            TestTimestampTokenBuilder builder = new TestTimestampTokenBuilder(tsaCertificateChain, tsaPrivateKey);
+            expectedTsaResponseBytes = builder.createTSAResponse(requestBytes, signatureAlgorithm, allowedDigest);
+            return expectedTsaResponseBytes;
+        }
+    }
+
+    private static final class CustomItsaInfoBouncyCastle implements ITSAInfoBouncyCastle {
+
+        private TimeStampTokenInfo timeStampTokenInfo;
+
+        @Override
+        public void inspectTimeStampTokenInfo(TimeStampTokenInfo info) {
+            this.timeStampTokenInfo = info;
+        }
+
+
+        public TimeStampTokenInfo getTimeStampTokenInfo() {
+            return timeStampTokenInfo;
+        }
+    }
+}
diff --git a/sign/src/test/java/com/itextpdf/signatures/testutils/builder/TestTimestampTokenBuilder.java b/sign/src/test/java/com/itextpdf/signatures/testutils/builder/TestTimestampTokenBuilder.java
@@ -45,14 +45,18 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.utils.DateTimeUtil;
 import com.itextpdf.commons.utils.SystemUtil;
 import com.itextpdf.signatures.DigestAlgorithms;
+
 import java.io.IOException;
 import java.math.BigInteger;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
@@ -66,12 +70,16 @@ This file is part of the iText (R) project.
 import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
 import org.bouncycastle.tsp.TSPException;
 import org.bouncycastle.tsp.TimeStampRequest;
+import org.bouncycastle.tsp.TimeStampResponseGenerator;
 import org.bouncycastle.tsp.TimeStampToken;
 import org.bouncycastle.tsp.TimeStampTokenGenerator;
 
 public class TestTimestampTokenBuilder {
     private static final String SIGN_ALG = "SHA256withRSA";
 
+    // just a more or less random oid of timestamp policy
+    private static final String POLICY_OID = "1.3.6.1.4.1.45794.1.1";
+
     private List<Certificate> tsaCertificateChain;
     private PrivateKey tsaPrivateKey;
 
@@ -84,19 +92,8 @@ public TestTimestampTokenBuilder(List<Certificate> tsaCertificateChain, PrivateK
     }
 
     public byte[] createTimeStampToken(TimeStampRequest request) throws OperatorCreationException, TSPException, IOException, CertificateEncodingException {
-        ContentSigner signer = new JcaContentSignerBuilder(SIGN_ALG).build(tsaPrivateKey);
-        DigestCalculatorProvider digestCalcProviderProvider = new JcaDigestCalculatorProviderBuilder().build();
-
-        SignerInfoGenerator siGen =
-                new JcaSignerInfoGeneratorBuilder(digestCalcProviderProvider)
-                        .build(signer, (X509Certificate) tsaCertificateChain.get(0));
-
-        // just a more or less random oid of timestamp policy
-        ASN1ObjectIdentifier policy = new ASN1ObjectIdentifier("1.3.6.1.4.1.45794.1.1");
-
-        String digestForTsSigningCert = DigestAlgorithms.getAllowedDigest("SHA1");
-        DigestCalculator dgCalc = digestCalcProviderProvider.get(new AlgorithmIdentifier(new ASN1ObjectIdentifier(digestForTsSigningCert)));
-        TimeStampTokenGenerator tsTokGen = new TimeStampTokenGenerator(siGen, dgCalc, policy);
+        TimeStampTokenGenerator tsTokGen = createTimeStampTokenGenerator(tsaPrivateKey,
+                tsaCertificateChain.get(0), SIGN_ALG, "SHA1", POLICY_OID);
         tsTokGen.setAccuracySeconds(1);
 
         // TODO setting this is somewhat wrong. Acrobat and openssl recognize timestamp tokens generated with this line as corrupted
@@ -111,4 +108,35 @@ public byte[] createTimeStampToken(TimeStampRequest request) throws OperatorCrea
         TimeStampToken tsToken = tsTokGen.generate(request, serialNumber, genTime);
         return tsToken.getEncoded();
     }
+
+    public byte[] createTSAResponse(byte[] requestBytes, String signatureAlgorithm, String allowedDigest) {
+        try {
+            String digestForTsSigningCert = DigestAlgorithms.getAllowedDigest(allowedDigest);
+            TimeStampTokenGenerator tokenGenerator = createTimeStampTokenGenerator(tsaPrivateKey,
+                    tsaCertificateChain.get(0), signatureAlgorithm, allowedDigest, POLICY_OID);
+
+            Set<String> algorithms = new HashSet<>(Collections.singletonList(digestForTsSigningCert));
+            TimeStampResponseGenerator generator = new TimeStampResponseGenerator(tokenGenerator, algorithms);
+            TimeStampRequest request = new TimeStampRequest(requestBytes);
+            return generator.generate(request, request.getNonce(), new Date()).getEncoded();
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    private static TimeStampTokenGenerator createTimeStampTokenGenerator(PrivateKey pk, Certificate cert,
+            String signatureAlgorithm, String allowedDigest, String policyOid)
+            throws TSPException, OperatorCreationException, CertificateEncodingException {
+        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(pk);
+        DigestCalculatorProvider digestCalcProviderProvider = new JcaDigestCalculatorProviderBuilder().build();
+        SignerInfoGenerator siGen =
+                new JcaSignerInfoGeneratorBuilder(digestCalcProviderProvider)
+                        .build(signer, (X509Certificate) cert);
+
+        String digestForTsSigningCert = DigestAlgorithms.getAllowedDigest(allowedDigest);
+        DigestCalculator dgCalc = digestCalcProviderProvider.get(
+                new AlgorithmIdentifier(new ASN1ObjectIdentifier(digestForTsSigningCert)));
+        ASN1ObjectIdentifier policy = new ASN1ObjectIdentifier(policyOid);
+        return new TimeStampTokenGenerator(siGen, dgCalc, policy);
+    }
 }
