Support signatures prolongation

DEVSIX-7772

Author: Eugene Bochilo

sharpenConfiguration.xml

@@ -471,6 +471,7 @@
             </fileset>
             <fileset reason="Different implementation on .NET and java">
                 <file path="com/itextpdf/signatures/sign/IsoSignatureExtensionsRoundtripTest.java"/>
+                <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest.java"/>
             </fileset>
             <fileset reason=".pem files reading logic is different in java and .net">
                 <file path="com/itextpdf/signatures/testutils/PemFileHelper.java"/>
@@ -570,6 +571,12 @@
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelTTest1.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelTTest2.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelTTest3.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest1.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest2.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest3.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest1_FIPS.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest2_FIPS.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest3_FIPS.pdf"/>
             <file path="com/itextpdf/signatures/sign/TimestampSigTest/cmp_timestampTest01.pdf"/>
         </fileset>
                 <fileset reason="Bug in java version, not in sharp version, therefor a separate reference file is needed see DEVSIX-6752">

sign/src/main/java/com/itextpdf/signatures/PdfPadesSigner.java

@@ -199,12 +199,12 @@ public enum CryptoStandard {
     /**
      * Holds value of property signDate.
      */
-    protected Calendar signDate;
+    protected Calendar signDate = DateTimeUtil.getCurrentTimeCalendar();
 
     /**
      * Boolean to check if this PdfSigner instance has been closed already or not.
      */
-    protected boolean closed;
+    protected boolean closed = false;
 
     /**
      * Creates a PdfSigner instance. Uses a {@link java.io.ByteArrayOutputStream} instead of a temporary file.
@@ -241,12 +241,22 @@ public PdfSigner(PdfReader reader, OutputStream outputStream, String path, Stamp
         }
 
         originalOS = outputStream;
-        signDate = DateTimeUtil.getCurrentTimeCalendar();
         fieldName = getNewSigFieldName();
         appearance = new PdfSignatureAppearance(document, new Rectangle(0, 0), 1);
         appearance.setSignDate(signDate);
-
-        closed = false;
+    }
+    
+    PdfSigner(PdfDocument document, OutputStream outputStream, ByteArrayOutputStream temporaryOS, File tempFile) {
+        if (tempFile == null) {
+            this.temporaryOS = temporaryOS;
+        } else {
+            this.tempFile = tempFile;
+        }
+        this.document = document;
+        this.originalOS = outputStream;
+        this.fieldName = getNewSigFieldName();
+        this.appearance = new PdfSignatureAppearance(document, new Rectangle(0, 0), 1);
+        this.appearance.setSignDate(this.signDate);
     }
 
     protected PdfDocument initDocument(PdfReader reader, PdfWriter writer, StampingProperties properties) {

sign/src/main/java/com/itextpdf/signatures/PdfSigner.java

@@ -41,10 +41,11 @@ public final class SignExceptionMessageConstant {
             + "signature creation failed. Document shall not contain any certification or approval signatures before "
             + "signing with certification signature.";
     public static final String CERTIFICATE_TEMPLATE_FOR_EXCEPTION_MESSAGE = "Certificate {0} failed: {1}";
+    public static final String DEFAULT_CLIENTS_CANNOT_BE_CREATED = "Default implementation of OCSP and CRL clients " 
+            + "cannot be created, because signing certificate doesn't contain revocation data sources. " 
+            + "Please try to explicitly add OCSP or CRL client.";
     public static final String DICTIONARY_THIS_KEY_IS_NOT_A_NAME = "Dictionary key {0} is not a name.";
     public static final String DOCUMENT_ALREADY_PRE_CLOSED = "Document has been already pre closed.";
-    public static final String DOCUMENT_CANNOT_BE_SIGNED = "Document cannot be signed with this PaDES profile level, " 
-            + "because {0} is null. Please, provide {0} using corresponding setter method.";
     public static final String DOCUMENT_MUST_BE_PRE_CLOSED = "Document must be preClosed.";
     public static final String DOCUMENT_MUST_HAVE_READER = "Document must have reader.";
     public static final String FAILED_TO_GET_TSA_RESPONSE = "Failed to get TSA response from {0}.";
@@ -56,6 +57,7 @@ public final class SignExceptionMessageConstant {
             + "certificate chain.";
     public static final String INVALID_TSA_RESPONSE = "Invalid TSA {0} response code {1}.";
     public static final String NO_CRYPTO_DICTIONARY_DEFINED = "No crypto dictionary defined.";
+    public static final String NO_SIGNATURES_TO_PROLONG = "Document doesn't contain any signatures to prolong.";
     public static final String NOT_A_VALID_PKCS7_OBJECT_NOT_A_SEQUENCE = "Not a valid PKCS#7 object - not a sequence";
     public static final String NOT_A_VALID_PKCS7_OBJECT_NOT_SIGNED_DATA = "Not a valid PKCS#7 object - not signed "
             + "data.";

sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java

@@ -26,6 +26,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
 import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
 import com.itextpdf.commons.bouncycastle.pkcs.AbstractPKCSException;
+import com.itextpdf.commons.utils.FileUtil;
 import com.itextpdf.kernel.geom.Rectangle;
 import com.itextpdf.kernel.pdf.PdfReader;
 import com.itextpdf.kernel.pdf.StampingProperties;
@@ -42,9 +43,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.testutils.client.TestTsaClient;
 import com.itextpdf.test.ExtendedITextTest;
 import com.itextpdf.test.annotations.type.BouncyCastleIntegrationTest;
-import com.itextpdf.test.annotations.type.IntegrationTest;
 
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
@@ -65,6 +64,8 @@ public class PdfPadesSignerLevelsTest extends ExtendedITextTest {
 
     private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
 
+    private static final boolean FIPS_MODE = "BCFIPS".equals(FACTORY.getProviderName());
+
     private static final String certsSrc = "./src/test/resources/com/itextpdf/signatures/certs/";
     private static final String sourceFolder = "./src/test/resources/com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/";
     private static final String destinationFolder = "./target/test/com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/";
@@ -87,7 +88,7 @@ public PdfPadesSignerLevelsTest(Object useTempFolder, Object useSignature, Objec
         this.comparisonPdfId = (Integer) comparisonPdfId;
     }
 
-    @Parameterized.Parameters(name = "{index}: folder path: {0}; pass whole signature: {1}")
+    @Parameterized.Parameters(name = "{2}: folder path: {0}; pass whole signature: {1}")
     public static Iterable<Object[]> createParameters() {
         return Arrays.asList(new Object[] {true, true, 1},
                 new Object[] {false, true, 2},
@@ -105,16 +106,20 @@ public void padesSignatureLevelBTest()
 
         Certificate[] signRsaChain = PemFileHelper.readFirstChain(signCertFileName);
         PrivateKey signRsaPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
-        IExternalSignature pks =
-                new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
 
         PdfSigner signer = createPdfSigner(srcFileName, outFileName);
 
-        PdfPadesSigner padesSigner = createPdfPadesSigner(signer, pks, signRsaPrivateKey);
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
         if ((boolean) useTempFolder) {
             padesSigner.setTemporaryDirectoryPath(destinationFolder);
         }
-        padesSigner.signWithBaselineBProfile(signRsaChain);
+        if ((boolean) useSignature) {
+            IExternalSignature pks =
+                    new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
+            padesSigner.signWithBaselineBProfile(signer, signRsaChain, pks);
+        } else {
+            padesSigner.signWithBaselineBProfile(signer, signRsaChain, signRsaPrivateKey);
+        }
 
         PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
 
@@ -133,21 +138,24 @@ public void padesSignatureLevelTTest()
 
         Certificate[] signRsaChain = PemFileHelper.readFirstChain(signCertFileName);
         PrivateKey signRsaPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
-        IExternalSignature pks =
-                new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
         Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertFileName);
         PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, password);
 
         PdfSigner signer = createPdfSigner(srcFileName, outFileName);
 
         TestTsaClient testTsa = new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
 
-        PdfPadesSigner padesSigner = createPdfPadesSigner(signer, pks, signRsaPrivateKey);
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
         if ((boolean) useTempFolder) {
             padesSigner.setTemporaryDirectoryPath(destinationFolder);
         }
-        padesSigner.setTsaClient(testTsa);
-        padesSigner.signWithBaselineTProfile(signRsaChain);
+        if ((boolean) useSignature) {
+            IExternalSignature pks =
+                    new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
+            padesSigner.signWithBaselineTProfile(signer, signRsaChain, pks, testTsa);
+        } else {
+            padesSigner.signWithBaselineTProfile(signer, signRsaChain, signRsaPrivateKey, testTsa);
+        }
 
         PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
 
@@ -167,8 +175,6 @@ public void padesSignatureLevelLTTest()
 
         Certificate[] signRsaChain = PemFileHelper.readFirstChain(signCertFileName);
         PrivateKey signRsaPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
-        IExternalSignature pks =
-                new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
         Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertFileName);
         PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, password);
         X509Certificate caCert = (X509Certificate) PemFileHelper.readFirstChain(caCertFileName)[0];
@@ -180,12 +186,18 @@ public void padesSignatureLevelLTTest()
         ICrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
         TestOcspClient ocspClient = new TestOcspClient().addBuilderForCertIssuer(caCert, caPrivateKey);
 
-        PdfPadesSigner padesSigner = createPdfPadesSigner(signer, pks, signRsaPrivateKey);
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
         if ((boolean) useTempFolder) {
             padesSigner.setTemporaryDirectoryPath(destinationFolder);
         }
-        padesSigner.setTsaClient(testTsa).setOcspClient(ocspClient).setCrlClient(crlClient);
-        padesSigner.signWithBaselineLTProfile(signRsaChain);
+        padesSigner.setOcspClient(ocspClient).setCrlClient(crlClient);
+        if ((boolean) useSignature) {
+            IExternalSignature pks =
+                    new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
+            padesSigner.signWithBaselineLTProfile(signer, signRsaChain, pks, testTsa);
+        } else {
+            padesSigner.signWithBaselineLTProfile(signer, signRsaChain, signRsaPrivateKey, testTsa);
+        }
 
         PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
 
@@ -205,8 +217,6 @@ public void padesSignatureLevelLTATest()
 
         Certificate[] signRsaChain = PemFileHelper.readFirstChain(signCertFileName);
         PrivateKey signRsaPrivateKey = PemFileHelper.readFirstKey(signCertFileName, password);
-        IExternalSignature pks =
-                new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
         Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertFileName);
         PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, password);
         X509Certificate caCert = (X509Certificate) PemFileHelper.readFirstChain(caCertFileName)[0];
@@ -218,29 +228,64 @@ public void padesSignatureLevelLTATest()
         ICrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
         TestOcspClient ocspClient = new TestOcspClient().addBuilderForCertIssuer(caCert, caPrivateKey);
 
-        PdfPadesSigner padesSigner = createPdfPadesSigner(signer, pks, signRsaPrivateKey);
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
         if ((boolean) useTempFolder) {
             padesSigner.setTemporaryDirectoryPath(destinationFolder);
         }
-        padesSigner.setTsaClient(testTsa).setOcspClient(ocspClient).setCrlClient(crlClient)
+        padesSigner.setOcspClient(ocspClient).setCrlClient(crlClient)
                 .setTimestampSignatureName("timestampSig1");
-        padesSigner.signWithBaselineLTAProfile(signRsaChain);
+        if ((boolean) useSignature) {
+            IExternalSignature pks =
+                    new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
+            padesSigner.signWithBaselineLTAProfile(signer, signRsaChain, pks, testTsa);
+        } else {
+            padesSigner.signWithBaselineLTAProfile(signer, signRsaChain, signRsaPrivateKey, testTsa);
+        }
 
         PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
 
         Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
     }
 
-    private PdfPadesSigner createPdfPadesSigner(PdfSigner signer, IExternalSignature externalSignature,
-            PrivateKey privateKey) {
+    @Test
+    public void prolongDocumentSignaturesTest()
+            throws GeneralSecurityException, IOException, AbstractOperatorCreationException, AbstractPKCSException {
+        String fileName = "prolongDocumentSignaturesTest" + comparisonPdfId + (FIPS_MODE ? "_FIPS.pdf" : ".pdf");
+        String outFileName = destinationFolder + fileName;
+        String cmpFileName = sourceFolder + "cmp_" + fileName;
+        String srcFileName = sourceFolder + "padesSignatureLevelLTA.pdf";
+        String tsaCertFileName = certsSrc + "tsCertRsa.pem";
+        String caCertFileName = certsSrc + "rootRsa.pem";
+
+        Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertFileName);
+        PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, password);
+        X509Certificate caCert = (X509Certificate) PemFileHelper.readFirstChain(caCertFileName)[0];
+        PrivateKey caPrivateKey = PemFileHelper.readFirstKey(caCertFileName, password);
+
+        TestTsaClient testTsa = new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
+        ICrlClient crlClient = new TestCrlClient().addBuilderForCertIssuer(caCert, caPrivateKey);
+        TestOcspClient ocspClient = new TestOcspClient().addBuilderForCertIssuer(caCert, caPrivateKey);
+
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
+        if ((boolean) useTempFolder) {
+            padesSigner.setTemporaryDirectoryPath(destinationFolder);
+        }
+        padesSigner.setOcspClient(ocspClient).setCrlClient(crlClient);
         if ((boolean) useSignature) {
-            return new PdfPadesSigner(signer, externalSignature);
+            padesSigner.prolongSignatures(new PdfReader(FileUtil.getInputStreamForFile(srcFileName)),
+                    FileUtil.getFileOutputStream(outFileName), testTsa);
+        } else {
+            padesSigner.prolongSignatures(new PdfReader(FileUtil.getInputStreamForFile(srcFileName)),
+                    FileUtil.getFileOutputStream(outFileName));
         }
-        return new PdfPadesSigner(signer, privateKey);
+
+        PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
     }
 
     private PdfSigner createPdfSigner(String srcFileName, String outFileName) throws IOException {
-        PdfSigner signer = new PdfSigner(new PdfReader(srcFileName), new FileOutputStream(outFileName), new StampingProperties());
+        PdfSigner signer = new PdfSigner(new PdfReader(srcFileName), FileUtil.getFileOutputStream(outFileName),
+                new StampingProperties());
         signer.setFieldName("Signature1");
         signer.getSignatureAppearance()
                 .setPageRect(new Rectangle(50, 650, 200, 100))