itext
diff --git a/‎sharpenConfiguration.xml
Lines changed: 33 additions & 1 deletion b/‎sharpenConfiguration.xml
Lines changed: 33 additions & 1 deletion
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/CrlClientOnline.java
Lines changed: 16 additions & 1 deletion b/‎sign/src/main/java/com/itextpdf/signatures/CrlClientOnline.java
Lines changed: 16 additions & 1 deletion
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/OcspClientBouncyCastle.java
Lines changed: 24 additions & 3 deletions b/‎sign/src/main/java/com/itextpdf/signatures/OcspClientBouncyCastle.java
Lines changed: 24 additions & 3 deletions
diff --git a/‎sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesAdvancedTest.java
Lines changed: 188 additions & 0 deletions b/‎sign/src/test/java/com/itextpdf/signatures/sign/PdfPadesAdvancedTest.java
Lines changed: 188 additions & 0 deletions
@@ -479,7 +479,7 @@
                 <file path="com/itextpdf/signatures/sign/IsoSignatureExtensionsRoundtripTest.java"/>
                 <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest.java"/>
                 <file path="com/itextpdf/signatures/sign/LtvSigTest.java"/>
-                <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest.java"/>
+                <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest.java"/>
                 <file path="com/itextpdf/signatures/sign/PadesSignatureLevelTest.java"/>
                 <file path="com/itextpdf/signatures/sign/TimestampSigTest.java"/>
             </fileset>
@@ -585,6 +585,7 @@
             <file path="com/itextpdf/signatures/sign/PadesSignatureLevelTest/helloWorldDoc.pdf"/>
             <file path="com/itextpdf/signatures/sign/PadesSignatureLevelTest/signedPAdES-LT.pdf"/>
             <file path="com/itextpdf/signatures/sign/PadesSignatureLevelTest/signedPAdES-T.pdf"/>
+
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelBTest1.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelBTest2.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_padesSignatureLevelBTest3.pdf"/>
@@ -603,6 +604,37 @@
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest1_FIPS.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest2_FIPS.pdf"/>
             <file path="com/itextpdf/signatures/sign/PdfPadesSignerLevelsTest/cmp_prolongDocumentSignaturesTest3_FIPS.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlNoOcsp_rootCertCrlNoOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlNoOcsp_rootCertCrlOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlNoOcsp_rootCertOcspNoCrl.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlNoOcsp_rootCertNoCrlNoOcsp.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertCrlNoOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertCrlOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertOcspNoCrl.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertNoCrlNoOcsp.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertCrlNoOcsp_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertCrlOcsp_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertOcspNoCrl_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertCrlOcsp_rootCertNoCrlNoOcsp_revoked.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertNoOcspNoCrl_rootCertCrlNoOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertNoOcspNoCrl_rootCertCrlOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertNoOcspNoCrl_rootCertOcspNoCrl.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertNoOcspNoCrl_rootCertNoCrlNoOcsp.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertCrlNoOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertCrlOcsp.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertOcspNoCrl.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertNoCrlNoOcsp.pdf"/>
+
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertCrlNoOcsp_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertCrlOcsp_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertOcspNoCrl_revoked.pdf"/>
+            <file path="com/itextpdf/signatures/sign/PdfPadesAdvancedTest/cmp_signedWith_signCertOcspNoCrl_rootCertNoCrlNoOcsp_revoked.pdf"/>
+
             <file path="com/itextpdf/signatures/sign/TimestampSigTest/cmp_timestampTest01.pdf"/>
             <file path="com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/cmp_testTroughPdfSignerWithTsaClient.pdf"/>
             <file path="com/itextpdf/signatures/PKCS7ExternalSignatureContainerTest/cmp_testTroughPdfSignerWithTsaClient_FIPS.pdf"/>
 
@@ -28,6 +28,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.commons.utils.MessageFormatUtil;
 
 import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
@@ -139,7 +140,7 @@ public Collection<byte[]> getEncoded(X509Certificate checkCert, String url) thro
         for (URL urlt : urlList) {
             try {
                 LOGGER.info("Checking CRL: " + urlt);
-                InputStream inp = SignUtils.getHttpResponse(urlt);
+                InputStream inp = getCrlResponse(checkCert, urlt);
                 byte[] buf = new byte[1024];
                 ByteArrayOutputStream bout = new ByteArrayOutputStream();
                 while (true) {
@@ -160,6 +161,20 @@ public Collection<byte[]> getEncoded(X509Certificate checkCert, String url) thro
         return ar;
     }
 
+    /**
+     * Get CRL response represented as {@link InputStream}.
+     * 
+     * @param cert {@link X509Certificate} certificate to get CRL response for
+     * @param urlt {@link URL} link, which is expected to be used to get CRL response from
+     * 
+     * @return CRL response bytes, represented as {@link InputStream}
+     * 
+     * @throws IOException if an I/O error occurs
+     */
+    protected InputStream getCrlResponse(X509Certificate cert, URL urlt) throws IOException {
+        return SignUtils.getHttpResponse(urlt);
+    }
+
     /**
      * Adds an URL to the list of CRL URLs
      *
 
@@ -140,8 +140,10 @@ public byte[] getEncoded(X509Certificate checkCert, X509Certificate rootCert, St
      *
      * @throws AbstractOCSPException is thrown if any errors occur while handling OCSP requests/responses
      * @throws IOException           signals that an I/O exception has occurred
+     * @throws CertificateEncodingException is thrown if any errors occur while handling OCSP requests/responses
+     * @throws AbstractOperatorCreationException is thrown if any errors occur while handling OCSP requests/responses
      */
-    private static IOCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
+    protected static IOCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
             throws AbstractOCSPException, IOException, CertificateEncodingException, AbstractOperatorCreationException {
         //Add provider BC
         Security.addProvider(BOUNCY_CASTLE_FACTORY.getProvider());
@@ -180,11 +182,30 @@ IOCSPResp getOcspResponse(X509Certificate checkCert, X509Certificate rootCert, S
         if (url == null) {
             return null;
         }
+        InputStream in = createRequestAndResponse(checkCert, rootCert, url);
+        return BOUNCY_CASTLE_FACTORY.createOCSPResp(StreamUtil.inputStreamToArray(in));
+    }
+
+    /**
+     * Create OCSP request and get the response for this request, represented as {@link InputStream}.
+     * 
+     * @param checkCert {@link X509Certificate} certificate to get OCSP response for
+     * @param rootCert {@link X509Certificate} root certificate from which OCSP request will be built
+     * @param url {@link URL} link, which is expected to be used to get OCSP response from
+     * 
+     * @return OCSP response bytes, represented as {@link InputStream}
+     * 
+     * @throws IOException if an I/O error occurs
+     * @throws AbstractOperatorCreationException is thrown if any errors occur while handling OCSP requests/responses
+     * @throws AbstractOCSPException is thrown if any errors occur while handling OCSP requests/responses
+     * @throws CertificateEncodingException is thrown if any errors occur while handling OCSP requests/responses
+     */
+    protected InputStream createRequestAndResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
+            throws IOException, AbstractOperatorCreationException, AbstractOCSPException, CertificateEncodingException {
         LOGGER.info("Getting OCSP from " + url);
         IOCSPReq request = generateOCSPRequest(rootCert, checkCert.getSerialNumber());
         byte[] array = request.getEncoded();
         URL urlt = new URL(url);
-        InputStream in = SignUtils.getHttpResponseForOcspRequest(array, urlt);
-        return BOUNCY_CASTLE_FACTORY.createOCSPResp(StreamUtil.inputStreamToArray(in));
+        return SignUtils.getHttpResponseForOcspRequest(array, urlt);
     }
 }
@@ -0,0 +1,188 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2023 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.sign;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
+import com.itextpdf.commons.bouncycastle.pkcs.AbstractPKCSException;
+import com.itextpdf.commons.utils.FileUtil;
+import com.itextpdf.io.logs.IoLogMessageConstant;
+import com.itextpdf.kernel.geom.Rectangle;
+import com.itextpdf.kernel.pdf.PdfReader;
+import com.itextpdf.kernel.pdf.StampingProperties;
+import com.itextpdf.signatures.DigestAlgorithms;
+import com.itextpdf.signatures.IExternalSignature;
+import com.itextpdf.signatures.PdfPadesSigner;
+import com.itextpdf.signatures.PdfSigner;
+import com.itextpdf.signatures.PrivateKeySignature;
+import com.itextpdf.signatures.testutils.PemFileHelper;
+import com.itextpdf.signatures.testutils.SignaturesCompareTool;
+import com.itextpdf.signatures.testutils.TimeTestUtil;
+import com.itextpdf.signatures.testutils.builder.TestCrlBuilder;
+import com.itextpdf.signatures.testutils.builder.TestOcspResponseBuilder;
+import com.itextpdf.signatures.testutils.client.AdvancedTestCrlClient;
+import com.itextpdf.signatures.testutils.client.AdvancedTestOcspClient;
+import com.itextpdf.signatures.testutils.client.TestTsaClient;
+import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.LogMessage;
+import com.itextpdf.test.annotations.LogMessages;
+import com.itextpdf.test.annotations.type.BouncyCastleIntegrationTest;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+@Category(BouncyCastleIntegrationTest.class)
+public class PdfPadesAdvancedTest extends ExtendedITextTest {
+    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
+    private static final String CERTS_SRC = "./src/test/resources/com/itextpdf/signatures/sign/PdfPadesAdvancedTest/certs/";
+    private static final String SOURCE_FOLDER = "./src/test/resources/com/itextpdf/signatures/sign/PdfPadesAdvancedTest/";
+    private static final String DESTINATION_FOLDER = "./target/test/com/itextpdf/signatures/sign/PdfPadesAdvancedTest/";
+
+    private static final char[] PASSWORD = "testpassphrase".toCharArray();
+    
+    private final String signingCertName;
+    private final String rootCertName;
+    private final Boolean isOcspRevoked;
+    private final String cmpFilePostfix;
+
+    @BeforeClass
+    public static void before() {
+        Security.addProvider(FACTORY.getProvider());
+        createOrClearDestinationFolder(DESTINATION_FOLDER);
+    }
+
+    public PdfPadesAdvancedTest(Object signingCertName, Object rootCertName, Object isOcspRevoked, Object cmpFilePostfix) {
+        this.signingCertName = (String) signingCertName;
+        this.rootCertName = (String) rootCertName;
+        this.isOcspRevoked = (Boolean) isOcspRevoked;
+        this.cmpFilePostfix = (String) cmpFilePostfix;
+    }
+
+    @Parameterized.Parameters(name = "{3}: signing cert: {0}; root cert: {1}; revoked: {2}")
+    public static Iterable<Object[]> createParameters() {
+        List<Object[]> parameters = new ArrayList<>();
+        parameters.addAll(createParametersUsingRootName("rootCertNoCrlNoOcsp"));
+        parameters.addAll(createParametersUsingRootName("rootCertCrlOcsp"));
+        parameters.addAll(createParametersUsingRootName("rootCertCrlNoOcsp"));
+        parameters.addAll(createParametersUsingRootName("rootCertOcspNoCrl"));
+        return parameters;
+    }
+    
+    private static List<Object[]> createParametersUsingRootName(String rootCertName) {
+        return Arrays.asList(
+                new Object[] {"signCertCrlOcsp.pem", rootCertName + ".pem", false, "_signCertCrlOcsp_" + rootCertName},
+                new Object[] {"signCertCrlOcsp.pem", rootCertName + ".pem", true, "_signCertCrlOcsp_" + rootCertName + "_revoked"},
+                new Object[] {"signCertOcspNoCrl.pem", rootCertName + ".pem", false, "_signCertOcspNoCrl_" + rootCertName},
+                new Object[] {"signCertOcspNoCrl.pem", rootCertName + ".pem", true, "_signCertOcspNoCrl_" + rootCertName + "_revoked"},
+                new Object[] {"signCertNoOcspNoCrl.pem", rootCertName + ".pem", false, "_signCertNoOcspNoCrl_" + rootCertName},
+                new Object[] {"signCertCrlNoOcsp.pem", rootCertName + ".pem", false, "_signCertCrlNoOcsp_" + rootCertName}
+        );
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = IoLogMessageConstant.OCSP_STATUS_IS_REVOKED), ignore = true)
+    public void signWithAdvancedClientsTest()
+            throws IOException, GeneralSecurityException, AbstractOperatorCreationException, AbstractPKCSException {
+        String fileName = "signedWith" + cmpFilePostfix + ".pdf";
+        String outFileName = DESTINATION_FOLDER + fileName;
+        String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+        String srcFileName = SOURCE_FOLDER + "helloWorldDoc.pdf";
+        String signCertFileName = CERTS_SRC + signingCertName;
+        String rootCertFileName = CERTS_SRC + rootCertName;
+        String tsaCertFileName = CERTS_SRC + "tsCertRsa.pem";
+
+        Certificate signRsaCert = PemFileHelper.readFirstChain(signCertFileName)[0];
+        Certificate rootCert = PemFileHelper.readFirstChain(rootCertFileName)[0];
+        Certificate[] signRsaChain = new Certificate[2];
+        signRsaChain[0] = signRsaCert;
+        signRsaChain[1] = rootCert;
+        
+        PrivateKey signRsaPrivateKey = PemFileHelper.readFirstKey(signCertFileName, PASSWORD);
+        PrivateKey rootPrivateKey = PemFileHelper.readFirstKey(rootCertFileName, PASSWORD);
+        Certificate[] tsaChain = PemFileHelper.readFirstChain(tsaCertFileName);
+        PrivateKey tsaPrivateKey = PemFileHelper.readFirstKey(tsaCertFileName, PASSWORD);
+
+        TestTsaClient testTsa = new TestTsaClient(Arrays.asList(tsaChain), tsaPrivateKey);
+
+        AdvancedTestOcspClient testOcspClient = new AdvancedTestOcspClient(null);
+        TestOcspResponseBuilder ocspBuilderMainCert = new TestOcspResponseBuilder((X509Certificate) signRsaChain[1], rootPrivateKey);
+        if ((boolean) isOcspRevoked) {
+            ocspBuilderMainCert.setCertificateStatus(FACTORY.createRevokedStatus(TimeTestUtil.TEST_DATE_TIME,
+                    FACTORY.createCRLReason().getKeyCompromise()));
+        }
+        TestOcspResponseBuilder ocspBuilderRootCert = new TestOcspResponseBuilder((X509Certificate) signRsaChain[1], rootPrivateKey);
+        testOcspClient.addBuilderForCertIssuer((X509Certificate) signRsaChain[0], ocspBuilderMainCert);
+        testOcspClient.addBuilderForCertIssuer((X509Certificate) signRsaChain[1], ocspBuilderRootCert);
+
+        AdvancedTestCrlClient testCrlClient = new AdvancedTestCrlClient();
+        TestCrlBuilder crlBuilderMainCert = new TestCrlBuilder((X509Certificate) signRsaChain[1], rootPrivateKey);
+        crlBuilderMainCert.addCrlEntry((X509Certificate) signRsaChain[0], FACTORY.createCRLReason().getKeyCompromise());
+        crlBuilderMainCert.addCrlEntry((X509Certificate) signRsaChain[1], FACTORY.createCRLReason().getKeyCompromise());
+        
+        TestCrlBuilder crlBuilderRootCert = new TestCrlBuilder((X509Certificate) signRsaChain[1], rootPrivateKey);
+        crlBuilderRootCert.addCrlEntry((X509Certificate) signRsaChain[1], FACTORY.createCRLReason().getKeyCompromise());
+        testCrlClient.addBuilderForCertIssuer((X509Certificate) signRsaChain[0], crlBuilderMainCert);
+        testCrlClient.addBuilderForCertIssuer((X509Certificate) signRsaChain[1], crlBuilderRootCert);
+
+        PdfSigner signer = createPdfSigner(srcFileName, outFileName);
+
+        PdfPadesSigner padesSigner = new PdfPadesSigner();
+        padesSigner.setOcspClient(testOcspClient);
+        padesSigner.setCrlClient(testCrlClient);
+
+        IExternalSignature pks =
+                new PrivateKeySignature(signRsaPrivateKey, DigestAlgorithms.SHA256, FACTORY.getProviderName());
+        padesSigner.signWithBaselineLTAProfile(signer, signRsaChain, pks, testTsa);
+
+        PadesSigTest.basicCheckSignedDoc(outFileName, "Signature1");
+
+        Assert.assertNull(SignaturesCompareTool.compareSignatures(outFileName, cmpFileName));
+    }
+
+    private PdfSigner createPdfSigner(String srcFileName, String outFileName) throws IOException {
+        PdfSigner signer = new PdfSigner(new PdfReader(srcFileName), FileUtil.getFileOutputStream(outFileName),
+                new StampingProperties());
+        signer.setFieldName("Signature1");
+        signer.getSignatureAppearance()
+                .setPageRect(new Rectangle(50, 650, 200, 100))
+                .setReason("Test")
+                .setLocation("TestCity")
+                .setLayer2Text("Approval test signature.\nCreated by iText.");
+        return signer;
+    }
+}