Cover CertificateVerification#verifyOcspCertificates with tests

DEVSIX-6099

Author: Eugene Bochilo

sign/src/main/java/com/itextpdf/signatures/CertificateVerification.java

@@ -44,6 +44,7 @@ This file is part of the iText (R) project.
 package com.itextpdf.signatures;
 
 import com.itextpdf.commons.utils.DateTimeUtil;
+import com.itextpdf.signatures.logs.SignLogMessageConstant;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.tsp.TimeStampToken;
 import org.slf4j.Logger;
@@ -67,7 +68,7 @@ public class CertificateVerification {
     /**
      * The Logger instance.
      */
-    private static final Logger LOGGER = LoggerFactory.getLogger(CrlClientOnline.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(CertificateVerification.class);
 
     /**
      * Verifies a single certificate for the current date.
@@ -216,17 +217,18 @@ public static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keysto
         try {
             for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
                 try {
-                    return SignUtils.isSignatureValid(ocsp, certStoreX509, provider);
+                    if (SignUtils.isSignatureValid(ocsp, certStoreX509, provider)) {
+                        return true;
+                    }
                 } catch (Exception ex) {
                     exceptionsThrown.add(ex);
                 }
             }
         } catch (Exception e) {
             exceptionsThrown.add(e);
         }
-        for (Exception ex : exceptionsThrown) {
-            LOGGER.error(ex.getMessage(), ex);
-        }
+
+        logExceptionMessages(exceptionsThrown);
         return false;
     }
 
@@ -250,13 +252,18 @@ public static boolean verifyTimestampCertificates(TimeStampToken ts, KeyStore ke
                 }
             }
         } catch (Exception e) {
-            LOGGER.error("Unexpected exception was thrown during keystore processing", e);
+            exceptionsThrown.add(e);
         }
 
+        logExceptionMessages(exceptionsThrown);
+        return false;
+    }
+
+    private static void logExceptionMessages(List<Exception> exceptionsThrown) {
         for (Exception ex : exceptionsThrown) {
-            LOGGER.error(ex.getMessage(), ex);
+            LOGGER.error(ex.getMessage() == null ?
+                    SignLogMessageConstant.EXCEPTION_WITHOUT_MESSAGE : ex.getMessage(), ex);
         }
-        return false;
     }
 
 }

sign/src/main/java/com/itextpdf/signatures/logs/SignLogMessageConstant.java

@@ -0,0 +1,14 @@
+package com.itextpdf.signatures.logs;
+
+/**
+ * Class which contains constants to be used in logging inside sign module.
+ */
+public final class SignLogMessageConstant {
+
+    public static final String EXCEPTION_WITHOUT_MESSAGE =
+            "Unexpected exception without message was thrown during keystore processing";
+
+    private SignLogMessageConstant() {
+        // Private constructor will prevent the instantiation of this class directly
+    }
+}

sign/src/test/java/com/itextpdf/signatures/verify/CertificateVerificationClassTest.java

@@ -75,6 +75,10 @@ This file is part of the iText (R) project.
 
 @Category(UnitTest.class)
 public class CertificateVerificationClassTest extends ExtendedITextTest {
+
+    // Such messageTemplate is equal to any log message. This is required for porting reasons.
+    private static final String ANY_LOG_MESSAGE = "{0}";
+
     private static final String certsSrc = "./src/test/resources/com/itextpdf/signatures/certs/";
     private static final char[] password = "testpass".toCharArray();
 
@@ -122,7 +126,7 @@ public void timestampCertificateAndKeyStoreDoNotCorrespondTest() throws Exceptio
     }
 
     @Test
-    @LogMessages(messages = @LogMessage(messageTemplate = "Unexpected exception was thrown during keystore processing"))
+    @LogMessages(messages = @LogMessage(messageTemplate = ANY_LOG_MESSAGE))
     public void keyStoreWithoutCertificatesTest() throws Exception {
         String tsaCertFileName = certsSrc + "tsCertRsa.p12";
 

sign/src/test/java/com/itextpdf/signatures/verify/OcspCertificateVerificationTest.java

@@ -0,0 +1,87 @@
+package com.itextpdf.signatures.verify;
+
+import com.itextpdf.signatures.CertificateVerification;
+import com.itextpdf.signatures.testutils.client.TestOcspClient;
+import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.LogMessage;
+import com.itextpdf.test.annotations.LogMessages;
+import com.itextpdf.test.annotations.type.UnitTest;
+import com.itextpdf.test.signutils.Pkcs12FileHelper;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
+import org.bouncycastle.cert.ocsp.BasicOCSPResp;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+
+@Category(UnitTest.class)
+public class OcspCertificateVerificationTest extends ExtendedITextTest {
+
+    // Such messageTemplate is equal to any log message. This is required for porting reasons.
+    private static final String ANY_LOG_MESSAGE = "{0}";
+
+    private static final String ocspCertsSrc = "./src/test/resources/com/itextpdf/signatures/verify/OcspCertificateVerificationTest/";
+
+    private static final String rootOcspCert = ocspCertsSrc + "ocspRootRsa.p12";
+    private static final String signOcspCert = ocspCertsSrc + "ocspSignRsa.p12";
+    private static final String notOcspAndOcspCert = ocspCertsSrc + "notOcspAndOcspCertificates.p12";
+
+    private static final char[] password = "testpass".toCharArray();
+    private static final String ocspServiceUrl = "http://localhost:9000/demo/ocsp/ocsp-service";
+
+    private static X509Certificate checkCert;
+    private static X509Certificate rootCert;
+
+    @BeforeClass
+    public static void before() throws Exception {
+        Security.addProvider(new BouncyCastleProvider());
+        checkCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(signOcspCert, password)[0];
+        rootCert = (X509Certificate) Pkcs12FileHelper.readFirstChain(rootOcspCert, password)[0];
+    }
+
+    @Test
+    public void keyStoreWithRootOcspCertificateTest() throws Exception {
+        BasicOCSPResp response = getOcspResponse();
+
+        Assert.assertTrue(CertificateVerification.verifyOcspCertificates(
+                response, Pkcs12FileHelper.initStore(rootOcspCert, password), null));
+    }
+
+    @Test
+    public void keyStoreWithSignOcspCertificateTest() throws Exception {
+        BasicOCSPResp response = getOcspResponse();
+
+        Assert.assertFalse(CertificateVerification.verifyOcspCertificates(
+                response, Pkcs12FileHelper.initStore(signOcspCert, password), null));
+    }
+
+    @Test
+    public void keyStoreWithNotOcspAndOcspCertificatesTest() throws Exception {
+        BasicOCSPResp response = getOcspResponse();
+
+        Assert.assertTrue(CertificateVerification.verifyOcspCertificates(
+                response, Pkcs12FileHelper.initStore(notOcspAndOcspCert, password), null));
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = ANY_LOG_MESSAGE))
+    public void keyStoreWithNotOcspCertificateTest() throws Exception {
+        Assert.assertFalse(CertificateVerification.verifyOcspCertificates(
+                null, Pkcs12FileHelper.initStore(signOcspCert, password), null));
+    }
+
+    private static BasicOCSPResp getOcspResponse() throws Exception {
+        TestOcspClient testClient = new TestOcspClient();
+        PrivateKey key = Pkcs12FileHelper.readFirstKey(rootOcspCert, password, password);
+        testClient.addBuilderForCertIssuer(rootCert, key);
+        byte[] ocspResponseBytes = testClient.getEncoded(checkCert, rootCert, ocspServiceUrl);
+        ASN1Primitive var2 = ASN1Primitive.fromByteArray(ocspResponseBytes);
+        return new BasicOCSPResp(BasicOCSPResponse.getInstance(var2));
+    }
+}