Add support for validating all signatures in a document

DEVSIX-8303

Author: glenner003

sign/src/main/java/com/itextpdf/signatures/validation/v1/SignatureValidator.java

@@ -22,17 +22,20 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures.validation.v1;
 
+import com.itextpdf.commons.bouncycastle.asn1.tsp.ITSTInfo;
 import com.itextpdf.commons.utils.DateTimeUtil;
 import com.itextpdf.commons.utils.MessageFormatUtil;
 import com.itextpdf.kernel.pdf.PdfArray;
 import com.itextpdf.kernel.pdf.PdfDictionary;
 import com.itextpdf.kernel.pdf.PdfDocument;
 import com.itextpdf.kernel.pdf.PdfName;
+import com.itextpdf.kernel.pdf.PdfReader;
 import com.itextpdf.kernel.pdf.PdfStream;
 import com.itextpdf.signatures.CertificateUtil;
 import com.itextpdf.signatures.IssuingCertificateRetriever;
 import com.itextpdf.signatures.PdfPKCS7;
 import com.itextpdf.signatures.SignatureUtil;
+import com.itextpdf.signatures.TimestampConstants;
 import com.itextpdf.signatures.validation.v1.context.CertificateSource;
 import com.itextpdf.signatures.validation.v1.context.TimeBasedContext;
 import com.itextpdf.signatures.validation.v1.context.ValidationContext;
@@ -42,18 +45,21 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.v1.report.ValidationReport;
 
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 
 /**
  * Validator class, which is expected to be used for signatures validation.
  */
 class SignatureValidator {
+    public static final String VALIDATING_SIGNATURE_NAME = "Validating signature {0}";
     static final String TIMESTAMP_VERIFICATION = "Timestamp verification check.";
     static final String SIGNATURE_VERIFICATION = "Signature verification check.";
     static final String CERTS_FROM_DSS = "Certificates from DSS check.";
@@ -62,44 +68,71 @@ class SignatureValidator {
     static final String CANNOT_VERIFY_SIGNATURE = "Signature {0} cannot be mathematically verified.";
     static final String DOCUMENT_IS_NOT_COVERED = "Signature {0} doesn't cover entire document.";
     static final String CANNOT_VERIFY_TIMESTAMP = "Signature timestamp attribute cannot be verified";
-
-    private final PdfDocument document;
+    static final String REVISIONS_RETRIEVAL_FAILED = "Wasn't possible to retrieve document revisions.";
+    private static final String TIMESTAMP_EXTRACTION_FAILED = "Unable to extract timestamp from timestamp signature";
     private final ValidationContext baseValidationContext;
     private final CertificateChainValidator certificateChainValidator;
     private final IssuingCertificateRetriever certificateRetriever;
     private final SignatureValidationProperties properties;
+    private Date lastKnownPoE = (Date) TimestampConstants.UNDEFINED_TIMESTAMP_DATE;
 
     /**
      * Create new instance of {@link SignatureValidator}.
      *
      * @param builder See {@link ValidatorChainBuilder}
      */
-    SignatureValidator(PdfDocument document, ValidatorChainBuilder builder) {
-        this.document = document;
+    SignatureValidator(ValidatorChainBuilder builder) {
         this.certificateRetriever = builder.getCertificateRetriever();
         this.properties = builder.getProperties();
         this.certificateChainValidator = builder.getCertificateChainValidator();
         this.baseValidationContext = new ValidationContext(ValidatorContext.SIGNATURE_VALIDATOR,
                 CertificateSource.SIGNER_CERT, TimeBasedContext.PRESENT);
     }
 
+    /**
+     * Validate all signatures in the document
+     *
+     * @param document the document to be validated
+     * @return {@link ValidationReport} which contains detailed validation results
+     */
+    public ValidationReport validateSignatures(PdfDocument document) {
+        ValidationReport report = new ValidationReport();
+        SignatureUtil util = new SignatureUtil(document);
+        List<String> signatureNames = util.getSignatureNames();
+        Collections.reverse(signatureNames);
+
+        for (String fieldName : signatureNames) {
+            try (PdfDocument doc = new PdfDocument(new PdfReader(util.extractRevision(fieldName)))) {
+                ValidationReport subReport = validateLatestSignature(doc);
+                report.merge(subReport);
+            } catch (IOException e) {
+                report.addReportItem(new ReportItem(SIGNATURE_VERIFICATION, REVISIONS_RETRIEVAL_FAILED,
+                        e, ReportItemStatus.INDETERMINATE));
+            }
+        }
+        return report;
+    }
+
+
     /**
      * Validate the latest signature in the document.
      *
+     * @param document the document of which to validate the latest signature
      * @return {@link ValidationReport} which contains detailed validation results
      */
-    public ValidationReport validateLatestSignature() {
+    public ValidationReport validateLatestSignature(PdfDocument document) {
         ValidationReport validationReport = new ValidationReport();
-        PdfPKCS7 pkcs7 = mathematicallyVerifySignature(validationReport);
+        PdfPKCS7 pkcs7 = mathematicallyVerifySignature(validationReport, document);
         if (stopValidation(validationReport, baseValidationContext)) {
             return validationReport;
         }
 
-        List<Certificate> certificatesFromDss = getCertificatesFromDss(validationReport);
+        List<Certificate> certificatesFromDss = getCertificatesFromDss(validationReport, document);
         certificateRetriever.addKnownCertificates(certificatesFromDss);
 
         if (pkcs7.isTsp()) {
-            return validateTimestampChain(validationReport, pkcs7.getCertificates(), pkcs7.getSigningCertificate());
+            return validateTimestampChain(validationReport, pkcs7.getTimeStampTokenInfo(), pkcs7.getCertificates(),
+                    pkcs7.getSigningCertificate());
         }
 
         Date signingDate = DateTimeUtil.getCurrentTimeDate();
@@ -117,7 +150,8 @@ public ValidationReport validateLatestSignature() {
                 return validationReport;
             }
             Certificate[] timestampCertificates = pkcs7.getTimestampCertificates();
-            validateTimestampChain(validationReport, timestampCertificates, (X509Certificate) timestampCertificates[0]);
+            validateTimestampChain(validationReport, pkcs7.getTimeStampTokenInfo(), timestampCertificates,
+                    (X509Certificate) timestampCertificates[0]);
             if (stopValidation(validationReport, baseValidationContext)) {
                 return validationReport;
             }
@@ -133,11 +167,14 @@ public ValidationReport validateLatestSignature() {
                 signingCertificate, signingDate);
     }
 
-    private PdfPKCS7 mathematicallyVerifySignature(ValidationReport validationReport) {
+    private PdfPKCS7 mathematicallyVerifySignature(ValidationReport validationReport, PdfDocument document) {
         SignatureUtil signatureUtil = new SignatureUtil(document);
         List<String> signatures = signatureUtil.getSignatureNames();
         String latestSignatureName = signatures.get(signatures.size() - 1);
         PdfPKCS7 pkcs7 = signatureUtil.readSignatureData(latestSignatureName);
+        validationReport.addReportItem(new ReportItem(SIGNATURE_VERIFICATION,
+                MessageFormatUtil.format(VALIDATING_SIGNATURE_NAME, latestSignatureName), ReportItemStatus.INFO));
+
         if (!signatureUtil.signatureCoversWholeDocument(latestSignatureName)) {
             validationReport.addReportItem(new ReportItem(SIGNATURE_VERIFICATION,
                     MessageFormatUtil.format(DOCUMENT_IS_NOT_COVERED, latestSignatureName), ReportItemStatus.INVALID));
@@ -154,17 +191,32 @@ private PdfPKCS7 mathematicallyVerifySignature(ValidationReport validationReport
         return pkcs7;
     }
 
-    private ValidationReport validateTimestampChain(ValidationReport validationReport, Certificate[] knownCerts,
-            X509Certificate signingCert) {
+    private ValidationReport validateTimestampChain(ValidationReport validationReport, ITSTInfo timeStampTokenInfo,
+                                                    Certificate[] knownCerts, X509Certificate signingCert) {
         certificateRetriever.addKnownCertificates(Arrays.asList(knownCerts));
-        Date signingDate = DateTimeUtil.getCurrentTimeDate();
+        Date signingDate = lastKnownPoE;
+        if (signingDate == TimestampConstants.UNDEFINED_TIMESTAMP_DATE) {
+            signingDate = DateTimeUtil.getCurrentTimeDate();
+        }
 
-        return certificateChainValidator.validate(validationReport,
+        ValidationReport tsValidationReport = new ValidationReport();
+
+        certificateChainValidator.validate(tsValidationReport,
                 baseValidationContext.setCertificateSource(CertificateSource.TIMESTAMP),
                 signingCert, signingDate);
+        validationReport.merge(tsValidationReport);
+        if (tsValidationReport.getValidationResult() == ValidationReport.ValidationResult.VALID) {
+            try {
+                lastKnownPoE = timeStampTokenInfo.getGenTime();
+            } catch (Exception e) {
+                validationReport.addReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e,
+                        ReportItemStatus.INDETERMINATE));
+            }
+        }
+        return validationReport;
     }
 
-    private List<Certificate> getCertificatesFromDss(ValidationReport validationReport) {
+    private List<Certificate> getCertificatesFromDss(ValidationReport validationReport, PdfDocument document) {
         PdfDictionary dss = document.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
         List<Certificate> certificatesFromDss = new ArrayList<>();
         if (dss != null) {
@@ -190,3 +242,4 @@ private boolean stopValidation(ValidationReport result, ValidationContext valida
                 && result.getValidationResult() != ValidationReport.ValidationResult.VALID;
     }
 }
+

sign/src/main/java/com/itextpdf/signatures/validation/v1/ValidatorChainBuilder.java

@@ -22,7 +22,6 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures.validation.v1;
 
-import com.itextpdf.kernel.pdf.PdfDocument;
 import com.itextpdf.signatures.IssuingCertificateRetriever;
 
 import java.security.cert.Certificate;
@@ -45,12 +44,10 @@ public class ValidatorChainBuilder {
      * Create a new {@link SignatureValidator} instance with the current configuration.
      * This method can be used to create multiple validators.
      *
-     * @param document The {@link PdfDocument} to create the signatureValidator for.
-     *
      * @return a new instance of a signature validator
      */
-    SignatureValidator buildSignatureValidator(PdfDocument document) {
-        return new SignatureValidator(document, this);
+    SignatureValidator buildSignatureValidator() {
+        return new SignatureValidator(this);
     }
 
     /**

sign/src/main/java/com/itextpdf/signatures/validation/v1/report/ValidationReport.java

@@ -117,6 +117,12 @@ public String toString() {
         return sb.toString();
     }
 
+    public void merge(ValidationReport subReport) {
+        for (ReportItem item : subReport.getLogs()) {
+            addReportItem(item);
+        }
+    }
+
     /**
      * Enum representing possible validation results.
      */

sign/src/test/java/com/itextpdf/signatures/validation/v1/SignatureValidatorIntegrationTest.java

@@ -94,8 +94,8 @@ public void validLatestSignatureTest() throws GeneralSecurityException, IOExcept
             certificateRetriever.setTrustedCertificates(Collections.singletonList(rootCert));
             addRevDataClients();
 
-            SignatureValidator signatureValidator = builder.buildSignatureValidator(document);
-            report = signatureValidator.validateLatestSignature();
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
+            report = signatureValidator.validateLatestSignature(document);
         }
 
         AssertValidationReport.assertThat(report, a -> a
@@ -133,13 +133,13 @@ public void latestSignatureIsTimestampTest() throws GeneralSecurityException, IO
                     .setFreshness(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(),
                             Duration.ofDays(-2));
 
-            SignatureValidator signatureValidator = builder.buildSignatureValidator(document);
-            report = signatureValidator.validateLatestSignature();
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
+            report = signatureValidator.validateLatestSignature(document);
         }
 
         AssertValidationReport.assertThat(report, a -> a
                 .hasNumberOfFailures(0)
-                .hasNumberOfLogs(2)
+                .hasNumberOfLogs(3)
                 .hasLogItems(2, 2, la -> la
                         .withCheckName(CertificateChainValidator.CERTIFICATE_CHECK)
                         .withMessage(CertificateChainValidator.CERTIFICATE_TRUSTED,
@@ -157,14 +157,14 @@ public void certificatesNotInLatestSignatureTest() throws GeneralSecurityExcepti
 
         ValidationReport report;
         try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "validDocWithoutChain.pdf"))) {
-            SignatureValidator signatureValidator = builder.buildSignatureValidator(document);
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
             certificateRetriever.setTrustedCertificates(Collections.singletonList(rootCert));
             parameters.setRevocationOnlineFetching(ValidatorContexts.all(), CertificateSources.all(),
                             TimeBasedContexts.all(), SignatureValidationProperties.OnlineFetching.NEVER_FETCH)
                     .setFreshness(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(),
                             Duration.ofDays(-2));
 
-            report = signatureValidator.validateLatestSignature();
+            report = signatureValidator.validateLatestSignature(document);
         }
 
         AssertValidationReport.assertThat(report, a -> a
@@ -197,8 +197,8 @@ public void certificatesNotInLatestSignatureButSetAsKnownTest() throws GeneralSe
             certificateRetriever.addKnownCertificates(Collections.singletonList(intermediateCert));
             addRevDataClients();
 
-            SignatureValidator signatureValidator = builder.buildSignatureValidator(document);
-            report = signatureValidator.validateLatestSignature();
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
+            report = signatureValidator.validateLatestSignature(document);
         }
         AssertValidationReport.assertThat(report, a -> a
                 .hasStatus(ValidationResult.VALID)
@@ -218,13 +218,13 @@ public void rootIsNotTrustedInLatestSignatureTest() throws GeneralSecurityExcept
 
         ValidationReport report;
         try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "validDoc.pdf"))) {
-            SignatureValidator signatureValidator = builder.buildSignatureValidator(document);
+            SignatureValidator signatureValidator = builder.buildSignatureValidator();
             parameters.setRevocationOnlineFetching(ValidatorContexts.all(), CertificateSources.all(),
                             TimeBasedContexts.all(), SignatureValidationProperties.OnlineFetching.NEVER_FETCH)
                     .setFreshness(ValidatorContexts.all(), CertificateSources.all(), TimeBasedContexts.all(),
                             Duration.ofDays(-2));
 
-            report = signatureValidator.validateLatestSignature();
+            report = signatureValidator.validateLatestSignature(document);
         }
 
         AssertValidationReport.assertThat(report, a -> a