Merge branch 'develop' into devsecops

itext.tests/itext.sign.tests/itext/signatures/testutils/client/TestOcspClient.cs

@@ -22,6 +22,7 @@ You should have received a copy of the GNU Affero General Public License
 */
 using System;
 using System.Collections.Generic;
+using System.IO;
 using iText.Bouncycastleconnector;
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Cert;
@@ -53,6 +54,15 @@ public virtual TestOcspClient AddBuilderForCertIssuer(IX509Certificate cert, Tes
         }
 
         public virtual byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate issuerCert, String url) {
+            if (url != null && !String.IsNullOrEmpty(url)) {
+                // Treat as file path
+                try {
+                    return File.ReadAllBytes(System.IO.Path.Combine(url));
+                }
+                catch (Exception) {
+                }
+            }
+            // Sometimes we pass http url here in tests (though it's not used) so skipping any errors
             byte[] bytes = null;
             try {
                 ICertID id = SignTestPortUtil.GenerateCertificateId(issuerCert, checkCert.GetSerialNumber(), BOUNCY_CASTLE_FACTORY

itext.tests/itext.sign.tests/itext/signatures/validation/OCSPValidatorIntegrationTest.cs

@@ -162,6 +162,21 @@ public virtual void AuthorizedOcspResponderDoesNotHaveOcspSigningExtensionTest()
                 ));
         }
 
+        [NUnit.Framework.Test]
+        public virtual void OcspResponseWithoutHashAlgoParametersTest() {
+            TestOcspClient ocspClient = new TestOcspClient();
+            IBasicOcspResponse caBasicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspClient
+                .GetEncoded(checkCert, caCert, SOURCE_FOLDER + "ocspResponseWithoutHashAlgoParameters.dat")));
+            ValidationReport report = new ValidationReport();
+            // Configure OCSP signing authority for the certificate in question
+            certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
+            OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
+            validator.Validate(report, baseContext, checkCert, caBasicOCSPResp.GetResponses()[0], caBasicOCSPResp, TimeTestUtil
+                .TEST_DATE_TIME, TimeTestUtil.TEST_DATE_TIME);
+            AssertValidationReport.AssertThat(report, (a) => a.HasNumberOfFailures(0).HasStatus(ValidationReport.ValidationResult
+                .VALID));
+        }
+
         private ValidationReport ValidateTest(DateTime checkDate) {
             DateTime thisUpdate = checkDate.AddDays(1);
             TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);

itext/itext.bouncy-castle-adapter/itext/bouncycastle/BouncyCastleFactory.cs

@@ -1026,7 +1026,7 @@ public IDigest CreateIDigest(string hashAlgorithm) {
 
         /// <summary><inheritDoc/></summary>
         public ICertID CreateCertificateID(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) {
-            return new CertIDBC(hashAlgorithm, issuerCert, serialNumber);
+            return new CertIDBC(new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance), issuerCert, serialNumber);
         }
 
         /// <summary><inheritDoc/></summary>

itext/itext.bouncy-castle-adapter/itext/bouncycastle/cert/ocsp/CertIDBC.cs

@@ -68,21 +68,39 @@ public CertIDBC(CertID certificateID) {
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>.
         /// </summary>
         /// <param name="hashAlgorithm">
-        /// hash algorithm to create
+        /// hash algorithm
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
         /// <param name="issuerCert">
-        /// X509Certificate wrapper to create
+        /// X509Certificate wrapper
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
         /// <param name="serialNumber">
-        /// serial number to create
+        /// serial number
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
-        public CertIDBC(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) {
-            AlgorithmIdentifier hashAlgId = new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance);
+        public CertIDBC(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) 
+            : this(new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance), issuerCert, serialNumber) {
+        }
 
+        /// <summary>
+        /// Creates new wrapper instance for
+        /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>.
+        /// </summary>
+        /// <param name="hashAlgId">
+        /// hash algorithm indentifier
+        /// <see cref="Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier"/>
+        /// </param>
+        /// <param name="issuerCert">
+        /// X509Certificate wrapper
+        /// <see cref="iText.Commons.Bouncycastle.Cert.IX509Certificate"/>
+        /// </param>
+        /// <param name="serialNumber">
+        /// serial number
+        /// </param>
+        public CertIDBC(AlgorithmIdentifier hashAlgId, IX509Certificate issuerCert, IBigInteger serialNumber) {
             X509Name issuerName = PrincipalUtilities.GetSubjectX509Principal(((X509CertificateBC)issuerCert).GetCertificate());
+            string hashAlgorithm = hashAlgId.Algorithm.Id;
             byte[] issuerNameHash = DigestUtilities.CalculateDigest(hashAlgorithm, issuerName.GetEncoded());
 
             AsymmetricKeyParameter issuerKey = ((X509CertificateBC)issuerCert).GetCertificate().GetPublicKey();
@@ -124,7 +142,7 @@ public virtual string GetHashSha1() {
 
         /// <summary><inheritDoc/></summary>
         public virtual bool MatchesIssuer(IX509Certificate issuerCert) {
-            return new CertIDBC(certificateID.HashAlgorithm.Algorithm.Id, issuerCert, new BigIntegerBC(
+            return new CertIDBC(certificateID.HashAlgorithm, issuerCert, new BigIntegerBC(
                 certificateID.SerialNumber.Value)).GetCertID().Equals(certificateID);
         }
 

itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs

@@ -1052,7 +1052,7 @@ public IDigest CreateIDigest(string hashAlgorithm) {
 
         /// <summary><inheritDoc/></summary>
         public ICertID CreateCertificateID(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) {
-            return new CertIDBCFips(hashAlgorithm, issuerCert, serialNumber);
+            return new CertIDBCFips(new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance), issuerCert, serialNumber);
         }
 
         /// <summary><inheritDoc/></summary>

itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/cert/ocsp/CertIDBCFips.cs

@@ -67,21 +67,39 @@ public CertIDBCFips(CertID certificateID) {
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>.
         /// </summary>
         /// <param name="hashAlgorithm">
-        /// hash algorithm to create
+        /// hash algorithm
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
         /// <param name="issuerCert">
-        /// X509Certificate wrapper to create
+        /// X509Certificate wrapper
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
         /// <param name="serialNumber">
-        /// serial number to create
+        /// serial number
         /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>
         /// </param>
-        public CertIDBCFips(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) {
-            AlgorithmIdentifier hashAlgId = new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance);
+        public CertIDBCFips(string hashAlgorithm, IX509Certificate issuerCert, IBigInteger serialNumber) 
+            : this(new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance), issuerCert, serialNumber) {
+        }
 
+        /// <summary>
+        /// Creates new wrapper instance for
+        /// <see cref="Org.BouncyCastle.Asn1.Ocsp.CertID"/>.
+        /// </summary>
+        /// <param name="hashAlgId">
+        /// hash algorithm identifier
+        /// <see cref="Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier"/>
+        /// </param>
+        /// <param name="issuerCert">
+        /// X509Certificate wrapper
+        /// <see cref="iText.Commons.Bouncycastle.Cert.IX509Certificate"/>
+        /// </param>
+        /// <param name="serialNumber">
+        /// serial number
+        /// </param>
+        public CertIDBCFips(AlgorithmIdentifier hashAlgId, IX509Certificate issuerCert, IBigInteger serialNumber) {
             X500Name issuerName = ((X509CertificateBCFips)issuerCert).GetCertificate().SubjectDN;
+            string hashAlgorithm = hashAlgId.Algorithm.Id;
             byte[] issuerNameHash = new DigestBCFips(hashAlgorithm).Digest(issuerName.GetEncoded());
 
             IAsymmetricPublicKey issuerKey = ((X509CertificateBCFips)issuerCert).GetCertificate().GetPublicKey();
@@ -123,7 +141,7 @@ public virtual string GetHashSha1() {
 
         /// <summary><inheritDoc/></summary>
         public virtual bool MatchesIssuer(IX509Certificate issuerCert) {
-            return new CertIDBCFips(certificateID.HashAlgorithm.Algorithm.Id, issuerCert, new BigIntegerBCFips(
+            return new CertIDBCFips(certificateID.HashAlgorithm, issuerCert, new BigIntegerBCFips(
                 certificateID.SerialNumber.Value)).GetCertificateID().Equals(certificateID);
         }
 

port-hash

@@ -1 +1 @@
-d313db98840a9c9bb563ae7c61e7e1a7b16fbf44
+988c534b726839dcf4d939206ec91b811628a709