Merge branch 'develop' into devsecops

aleks-ivanov · Dec 19, 2024 · 0f01922 · 0f01922
2 parents 2dd3645 + 4aec83f
commit 0f01922
Show file tree

Hide file tree

Showing 251 changed files with 1,109 additions and 311 deletions.
diff --git a/itext.tests/itext.sign.tests/itext/signatures/IssuingCertificateRetrieverTest.cs b/itext.tests/itext.sign.tests/itext/signatures/IssuingCertificateRetrieverTest.cs
@@ -0,0 +1,63 @@
+/*
+This file is part of the iText (R) project.
+Copyright (c) 1998-2024 Apryse Group NV
+Authors: Apryse Software.
+
+This program is offered under a commercial and under the AGPL license.
+For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+AGPL licensing:
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+using System;
+using System.Collections.Generic;
+using iText.Commons.Bouncycastle.Cert;
+using iText.Commons.Utils;
+using iText.Signatures.Testutils;
+using iText.Signatures.Validation;
+using iText.Signatures.Validation.Mocks;
+using iText.Test;
+
+namespace iText.Signatures {
+//\cond DO_NOT_DOCUMENT
+    internal class IssuingCertificateRetrieverTest : ExtendedITextTest {
+        private static readonly String CERTS_SRC = iText.Test.TestUtil.GetParentProjectDirectory(NUnit.Framework.TestContext
+            .CurrentContext.TestDirectory) + "/resources/itext/signatures/certs/";
+
+        private static readonly char[] PASSWORD = "testpassphrase".ToCharArray();
+
+        [NUnit.Framework.Test]
+        public virtual void TestResourceRetrieverUsage() {
+            IX509Certificate[] cert = PemFileHelper.ReadFirstChain(CERTS_SRC + "intermediate.pem");
+            IList<Uri> urlsCalled = new List<Uri>();
+            MockResourceRetriever mockRetriever = new MockResourceRetriever();
+            mockRetriever.OnGetInputStreamByUrl((u) => {
+                urlsCalled.Add(u);
+                try {
+                    return FileUtil.GetInputStreamForFile(CERTS_SRC + "root.pem");
+                }
+                catch (System.IO.IOException e) {
+                    throw new Exception("Error reading certificate.", e);
+                }
+            }
+            );
+            ValidatorChainBuilder builder = new ValidatorChainBuilder().WithResourceRetriever(() => mockRetriever);
+            builder.GetCertificateRetriever().RetrieveIssuerCertificate(cert[0]);
+            NUnit.Framework.Assert.AreEqual(1, urlsCalled.Count);
+            NUnit.Framework.Assert.AreEqual("http://test.example.com/example-ca/certs/ca/ca.crt", urlsCalled[0].ToString
+                ());
+        }
+    }
+//\endcond
+}
diff --git a/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestOcspClientWrapper.cs b/itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestOcspClientWrapper.cs
@@ -29,17 +29,22 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Signatures;
 
 namespace iText.Signatures.Testutils.Client {
-    public class TestOcspClientWrapper : IOcspClient {
+    public class TestOcspClientWrapper : IOcspClient, IOcspClientBouncyCastle {
         private static readonly IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.GetFactory
             ();
 
         private readonly IList<TestOcspClientWrapper.OcspClientCall> calls = new List<TestOcspClientWrapper.OcspClientCall
             >();
 
+        private readonly IList<TestOcspClientWrapper.BasicOCSPCall> basicCalls = new List<TestOcspClientWrapper.BasicOCSPCall
+            >();
+
         private readonly IOcspClient wrappedClient;
 
         private Func<TestOcspClientWrapper.OcspClientCall, byte[]> onGetEncoded;
 
+        private Func<TestOcspClientWrapper.BasicOCSPCall, IBasicOcspResponse> onGetBasicPOcspResponse;
+
         public TestOcspClientWrapper(IOcspClient wrappedClient) {
             this.wrappedClient = wrappedClient;
         }
@@ -70,12 +75,36 @@ public virtual byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate is
             return calls;
         }
 
+        public virtual IList<TestOcspClientWrapper.BasicOCSPCall> GetBasicResponceCalls() {
+            return basicCalls;
+        }
+
         public virtual iText.Signatures.Testutils.Client.TestOcspClientWrapper OnGetEncodedDo(Func<TestOcspClientWrapper.OcspClientCall
             , byte[]> callBack) {
             onGetEncoded = callBack;
             return this;
         }
 
+        public virtual IBasicOcspResponse GetBasicOCSPResp(IX509Certificate checkCert, IX509Certificate issuerCert
+            , String url) {
+            TestOcspClientWrapper.BasicOCSPCall call = new TestOcspClientWrapper.BasicOCSPCall(checkCert, issuerCert, 
+                url);
+            basicCalls.Add(call);
+            if (onGetBasicPOcspResponse != null) {
+                return onGetBasicPOcspResponse.Invoke(call);
+            }
+            if (wrappedClient is IOcspClientBouncyCastle) {
+                return ((IOcspClientBouncyCastle)wrappedClient).GetBasicOCSPResp(checkCert, issuerCert, url);
+            }
+            throw new Exception("TestOcspClientWrapper for IOcspClientBouncyCastle was expected here.");
+        }
+
+        public virtual iText.Signatures.Testutils.Client.TestOcspClientWrapper OnGetBasicOCSPRespDo(Func<TestOcspClientWrapper.BasicOCSPCall
+            , IBasicOcspResponse> callback) {
+            onGetBasicPOcspResponse = callback;
+            return this;
+        }
+
         public class OcspClientCall {
             public readonly IX509Certificate checkCert;
 
@@ -95,5 +124,19 @@ public virtual void SetResponce(IBasicOcspResponse basicOCSPResp) {
                 response = basicOCSPResp;
             }
         }
+
+        public class BasicOCSPCall {
+            public readonly IX509Certificate checkCert;
+
+            public readonly IX509Certificate issuerCert;
+
+            public readonly String url;
+
+            public BasicOCSPCall(IX509Certificate checkCert, IX509Certificate issuerCert, String url) {
+                this.checkCert = checkCert;
+                this.issuerCert = issuerCert;
+                this.url = url;
+            }
+        }
     }
 }
diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/RevocationDataValidatorTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/RevocationDataValidatorTest.cs
@@ -411,7 +411,7 @@ public virtual void CrlEncodingErrorTest() {
             parameters.SetFreshness(ValidatorContexts.All(), CertificateSources.All(), TimeBasedContexts.All(), TimeSpan.FromDays
                 (2));
             RevocationDataValidator validator = validatorChainBuilder.BuildRevocationDataValidator();
-            validator.AddCrlClient(new _ICrlClient_557(crl)).Validate(report, baseContext, checkCert, TimeTestUtil.TEST_DATE_TIME
+            validator.AddCrlClient(new _ICrlClient_561(crl)).Validate(report, baseContext, checkCert, TimeTestUtil.TEST_DATE_TIME
                 );
             AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INDETERMINATE
                 ).HasLogItem((la) => la.WithCheckName(RevocationDataValidator.REVOCATION_DATA_CHECK).WithMessage(MessageFormatUtil
@@ -420,8 +420,8 @@ public virtual void CrlEncodingErrorTest() {
                 )));
         }
 
-        private sealed class _ICrlClient_557 : ICrlClient {
-            public _ICrlClient_557(byte[] crl) {
+        private sealed class _ICrlClient_561 : ICrlClient {
+            public _ICrlClient_561(byte[] crl) {
                 this.crl = crl;
             }
 
@@ -519,15 +519,15 @@ public virtual void ResponsesFromValidationClientArePassedTest() {
             mockCrlValidator.OnCallDo((c) => NUnit.Framework.Assert.AreEqual(crlGeneration, c.responseGenerationDate));
             ValidationReport report = new ValidationReport();
             RevocationDataValidator validator = validatorChainBuilder.GetRevocationDataValidator();
-            ValidationOcspClient ocspClient = new _ValidationOcspClient_676();
+            ValidationOcspClient ocspClient = new _ValidationOcspClient_680();
             TestOcspResponseBuilder ocspBuilder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
             byte[] ocspResponseBytes = new TestOcspClient().AddBuilderForCertIssuer(caCert, ocspBuilder).GetEncoded(checkCert
                 , caCert, null);
             IBasicOcspResponse basicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspResponseBytes
                 ));
             ocspClient.AddResponse(basicOCSPResp, ocspGeneration, TimeBasedContext.HISTORICAL);
             validator.AddOcspClient(ocspClient);
-            ValidationCrlClient crlClient = new _ValidationCrlClient_691();
+            ValidationCrlClient crlClient = new _ValidationCrlClient_695();
             TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, checkDate);
             byte[] crlResponseBytes = new List<byte[]>(new TestCrlClient().AddBuilderForCertIssuer(crlBuilder).GetEncoded
                 (checkCert, null))[0];
@@ -537,8 +537,8 @@ public virtual void ResponsesFromValidationClientArePassedTest() {
             validator.Validate(report, baseContext, checkCert, checkDate);
         }
 
-        private sealed class _ValidationOcspClient_676 : ValidationOcspClient {
-            public _ValidationOcspClient_676() {
+        private sealed class _ValidationOcspClient_680 : ValidationOcspClient {
+            public _ValidationOcspClient_680() {
             }
 
             public override byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate issuerCert, String url) {
@@ -547,8 +547,8 @@ public override byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate i
             }
         }
 
-        private sealed class _ValidationCrlClient_691 : ValidationCrlClient {
-            public _ValidationCrlClient_691() {
+        private sealed class _ValidationCrlClient_695 : ValidationCrlClient {
+            public _ValidationCrlClient_695() {
             }
 
             public override ICollection<byte[]> GetEncoded(IX509Certificate checkCert, String url) {
@@ -614,18 +614,18 @@ public virtual void TimeBasedContextProperlySetOnlineClientsTest() {
             RevocationDataValidator validator = validatorChainBuilder.GetRevocationDataValidator();
             TestOcspResponseBuilder ocspBuilder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
             TestOcspClient testOcspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, ocspBuilder);
-            OcspClientBouncyCastle ocspClient = new _OcspClientBouncyCastle_770(testOcspClient);
+            OcspClientBouncyCastle ocspClient = new _OcspClientBouncyCastle_774(testOcspClient);
             validator.AddOcspClient(ocspClient);
             TestCrlBuilder crlBuilder = new TestCrlBuilder(caCert, caPrivateKey, checkDate);
             TestCrlClient testCrlClient = new TestCrlClient().AddBuilderForCertIssuer(crlBuilder);
-            CrlClientOnline crlClient = new _CrlClientOnline_780(testCrlClient);
+            CrlClientOnline crlClient = new _CrlClientOnline_784(testCrlClient);
             validator.AddCrlClient(crlClient);
             validator.Validate(report, baseContext.SetTimeBasedContext(TimeBasedContext.HISTORICAL), checkCert, checkDate
                 );
         }
 
-        private sealed class _OcspClientBouncyCastle_770 : OcspClientBouncyCastle {
-            public _OcspClientBouncyCastle_770(TestOcspClient testOcspClient) {
+        private sealed class _OcspClientBouncyCastle_774 : OcspClientBouncyCastle {
+            public _OcspClientBouncyCastle_774(TestOcspClient testOcspClient) {
                 this.testOcspClient = testOcspClient;
             }
 
@@ -636,8 +636,8 @@ public override byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate r
             private readonly TestOcspClient testOcspClient;
         }
 
-        private sealed class _CrlClientOnline_780 : CrlClientOnline {
-            public _CrlClientOnline_780(TestCrlClient testCrlClient) {
+        private sealed class _CrlClientOnline_784 : CrlClientOnline {
+            public _CrlClientOnline_784(TestCrlClient testCrlClient) {
                 this.testCrlClient = testCrlClient;
             }
 
@@ -802,5 +802,40 @@ public virtual void CrlClientGetEncodedFailureTest() {
                 ).HasLogItem((l) => l.WithMessage(RevocationDataValidator.CRL_CLIENT_FAILURE, (p) => crlClient.ToString
                 ())));
         }
+
+        [NUnit.Framework.Test]
+        public virtual void TestCrlClientInjection() {
+            TestCrlClient testCrlClient = new TestCrlClient();
+            TestCrlClientWrapper mockCrlClient = new TestCrlClientWrapper(testCrlClient);
+            validatorChainBuilder.WithCrlClient(() => mockCrlClient);
+            testCrlClient.AddBuilderForCertIssuer(caCert, caPrivateKey);
+            ValidationReport report = new ValidationReport();
+            ValidationContext context = new ValidationContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR, CertificateSource
+                .SIGNER_CERT, TimeBasedContext.HISTORICAL);
+            validatorChainBuilder.BuildRevocationDataValidator().Validate(report, context, checkCert, TimeTestUtil.TEST_DATE_TIME
+                );
+            NUnit.Framework.Assert.AreEqual(1, mockCrlClient.GetCalls().Count);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void TestOcspClientInjection() {
+            DateTime checkDate = TimeTestUtil.TEST_DATE_TIME;
+            TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
+            builder.SetProducedAt(checkDate.AddDays(5));
+            builder.SetThisUpdate(DateTimeUtil.GetCalendar(checkDate.AddDays(5)));
+            builder.SetNextUpdate(DateTimeUtil.GetCalendar(checkDate.AddDays(10)));
+            TestOcspClientWrapper mockOcspClient = new TestOcspClientWrapper(new TestOcspClient().AddBuilderForCertIssuer
+                (caCert, builder));
+            validatorChainBuilder.WithOcspClient(() => mockOcspClient);
+            mockParameters.AddRevocationOnlineFetchingResponse(SignatureValidationProperties.OnlineFetching.ALWAYS_FETCH
+                );
+            certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(caCert, trustedOcspResponderCert));
+            ValidationReport report = new ValidationReport();
+            ValidationContext context = new ValidationContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR, CertificateSource
+                .SIGNER_CERT, TimeBasedContext.HISTORICAL);
+            validatorChainBuilder.BuildRevocationDataValidator().Validate(report, context, checkCert, TimeTestUtil.TEST_DATE_TIME
+                );
+            NUnit.Framework.Assert.AreEqual(2, mockOcspClient.GetBasicResponceCalls().Count);
+        }
     }
 }
diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/mocks/MockResourceRetriever.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/mocks/MockResourceRetriever.cs
@@ -0,0 +1,51 @@
+/*
+This file is part of the iText (R) project.
+Copyright (c) 1998-2024 Apryse Group NV
+Authors: Apryse Software.
+
+This program is offered under a commercial and under the AGPL license.
+For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+AGPL licensing:
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+using System;
+using System.IO;
+using iText.StyledXmlParser.Resolver.Resource;
+
+namespace iText.Signatures.Validation.Mocks {
+    public class MockResourceRetriever : IResourceRetriever {
+        private Func<Uri, byte[]> getByteArrayByUrlHandler = (u) => null;
+
+        private Func<Uri, Stream> getInputStreamByUrlHandler = (u) => null;
+
+        public virtual Stream GetInputStreamByUrl(Uri url) {
+            return getInputStreamByUrlHandler.Invoke(url);
+        }
+
+        public virtual byte[] GetByteArrayByUrl(Uri url) {
+            return getByteArrayByUrlHandler.Invoke(url);
+        }
+
+        public virtual MockResourceRetriever OnGetInputStreamByUrl(Func<Uri, Stream> handler) {
+            getInputStreamByUrlHandler = handler;
+            return this;
+        }
+
+        public virtual MockResourceRetriever OnGetByteArrayByUrl(Func<Uri, byte[]> handler) {
+            getByteArrayByUrlHandler = handler;
+            return this;
+        }
+    }
+}