diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs
index aec85c685..1e67d2899 100644
--- a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs
+++ b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs
@@ -140,6 +140,58 @@ public virtual void ShortValidityCertsWithCrlTest() { ).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => tsRootCert.GetSubjectDN()))); } + [NUnit.Framework.Test] + public virtual void RetrieveRevocationDataFromTheSignatureContainerTest() { + String rootCertName = CERTS_SRC + "rootRsa.pem"; + IX509Certificate rootCert = (IX509Certificate)PemFileHelper.ReadFirstChain(rootCertName)[0]; + // We need to set infinite freshness for the signature validation. Otherwise, test will fail. + builder.GetProperties().SetFreshness(ValidatorContexts.Of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext + .CRL_VALIDATOR), CertificateSources.Of(CertificateSource.SIGNER_CERT), TimeBasedContexts.Of(TimeBasedContext + .PRESENT), TimeSpan.FromDays(999999)); + ValidationReport report; + // Signature container stores OCSP response with indeterminate status and less fresh but valid CRL response. + using (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "revDataInTheSignatureContainer.pdf" + ))) { + certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList(rootCert)); + SignatureValidator signatureValidator = builder.BuildSignatureValidator(); + report = signatureValidator.ValidateSignatures(document); + } + AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasNumberOfLogs + (4).HasNumberOfFailures(0).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION + ).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, (i) => "Signature1")).HasLogItem((al) => al + .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN).WithStatus( + ReportItem.ReportItemStatus.INFO)).HasLogItems(2, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator + .CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN + ()))); + } + + [NUnit.Framework.Test] + 
public virtual void RetrieveRevocationDataStoredInTheSignerInfoTest() { + String rootCertName = CERTS_SRC + "rootRsa.pem"; + IX509Certificate rootCert = (IX509Certificate)PemFileHelper.ReadFirstChain(rootCertName)[0]; + // We need to set infinite freshness for the embedded timestamp validation. Otherwise, test will fail. + builder.GetProperties().SetFreshness(ValidatorContexts.Of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext + .CRL_VALIDATOR), CertificateSources.Of(CertificateSource.TIMESTAMP), TimeBasedContexts.Of(TimeBasedContext + .PRESENT), TimeSpan.FromDays(999999)).SetFreshness(ValidatorContexts.Of(ValidatorContext.CRL_VALIDATOR + ), CertificateSources.Of(CertificateSource.SIGNER_CERT), TimeBasedContexts.Of(TimeBasedContext.HISTORICAL + ), TimeSpan.FromDays(2)); + ValidationReport report; + // Signer info authenticated attributes store OCSP response with indeterminate status and valid CRL response. + using (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "revDataInTheSignerInfo.pdf")) + ) { + certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList(rootCert)); + SignatureValidator signatureValidator = builder.BuildSignatureValidator(); + report = signatureValidator.ValidateSignatures(document); + } + AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasNumberOfLogs + (6).HasNumberOfFailures(0).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION + ).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, (i) => "Signature1")).HasLogItem((al) => al + .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN).WithStatus( + ReportItem.ReportItemStatus.INFO)).HasLogItems(4, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator + .CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN + ()))); + } + [NUnit.Framework.Test] public virtual 
void LatestSignatureIsTimestampTest() { String chainName = CERTS_SRC + "validCertsChain.pem";
diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem
new file mode 100644
index 000000000..26ccc747e
--- /dev/null
+++ b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem
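Review bot: `TimeSpan.FromDays(999999)` is used in both new tests as the "infinite" freshness value, and the comments on those lines only say that the test fails without it, not why; a named constant such as `private static readonly TimeSpan INFINITE_FRESHNESS = TimeSpan.FromDays(999999);` with the reason on it would make the intent clear and match the file's existing constant style. Judging from the test comments, the reason seems to be that the embedded CRL is older than the default freshness window, so a comment like `// The CRL embedded in the signature container predates the default freshness window, so freshness is disabled for this check.` would replace the two `Otherwise, test will fail.` comments. Both tests also mutate the shared `builder` properties, which is only safe if the fixture recreates the builder per test; that setup is outside the hunk, so worth confirming. The trailing context line belongs to LatestSignatureIsTimestampTest, whose body continues outside the hunk.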
@@ -0,0 +1,53 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQed2OhiJqKregwesf
+Q7qbJAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEGezm1YV51PeoC8M
+MG+1yVcEggTQqO38B271mogM524SNQRRAhqoY7bw5c1G+O6iKJk08VkA82R42OpV
+DndjibcLuC+JxkbxGD55MDKV3xfYa3c6dYCTPJ/yqx3XK2eRkRVvbAEAO+3JgNeh
+lSRffQklSyjj4n9tVZNaaCfeEJMVj5yZWEc4K8l8ddNOMMx7qK9qedBG4nfNVqkX
+cAZycTPUuDIgA8Q6GLHNjDgxwOsi0L5LsGsWI0yY02dTcU5lS04/xyT850xIfkkn
+si5QBahVRJLQCFxa2Abl8zzpTIBScVICNlcXLlpPJfEAAwP7/ksaMvAnPDS0GeR9
+5CBjeHznUJDjODubbrGg64uij4eTe5MrMQKcjNIl8UhN9Fy/W/SCehS+Dc/1d3Xf
+cyuigeI01+d1FxzTXslL91PToyehSXcyykBPd69tDv/R7Zk8D4ouVOX4YXiSnnA+
+WiuuLyXQU9ABlEkQrTWftcEgYbJqIcjUHku6CApGQnTgD300zoAm37BY7x15oJ/T
+reAs7Bf+bv68xvJUh9aOOvqcJdzhDeR59CZFOu6q6wTZTSoJeqTRVXIxGsH36Kna
+Hgl4nipmIqkGI7fRMfHL7k4DTcSEC8FFBdzUqAqShj2qxxb7LTFUs4N45diAEhzo
+AqEDXe80o2xBZZwkLLilLrH3BGCQiBH5ow8wl7G3v5fFXmeQfaEQGbmGM0p3pk9A
+SfcKpdzgYDBH9Oc/I3b6LL+Lpfd74kNVq3s8GGkKFVP84TlmmE7apkPFcnKfYKRC
+itLBOT25DYM9zZGPrnnEF5AI/MoIgZfwrrptZgqMj+XxE/9gy7KEZt2jxzw+T8EA
+DZvEMVxAMAggZ44udrMIHIOAy60aSIGPiHOs0XhW7pbWps4+75HXQmYXsWN8u3Zh
+P5genGXu+GrGs8IRUbiilJVn07ZGLT199rpAFx3t1eS2mskf0IuYSqureFhUNx1l
+u0uycC/Uz6b5WBPhUP7/fM+jhOIkCti7DdzTRf+0N1m35+JOC4TuD6kUfm84GAQK
+9+iXgpel0B2iJ7jSU5gtVic03Jk5yIZ7iO7xLrSFJOEJ9itKQGxL+GDPzHyRphpg
+0m/8CcYJHa/FygYwKmJzzS+WOLY+lSp+fwF8OWnnByeJXPdFq+snj4AA7WXk5jeT
+omNEZBWcaX7P6enfwK9iVLFISkdgLy0X+l44b3pgtR4g+Km1Pl+vVz8BGe9J2mGX
+zRsD4q8hcCoEnqyNSTveM34jIQ3cWvKSII/OlD9Xd6lyy/qk06oMQ89IzVXjPDAz
+AfjXMiDG0WJCfXXY7+WPWCIdLDQvCwWm8JJW728QqfG3tKCPYe09BWvSs1VxUKZg
+u7Oy6RzosVX0PKv20uIhUiizFZCEpM833orpUGvdVbeNVsKQMWSScc0Pfkjo8miY
+U7482QwfQ4Bq15MtpfkZXI4WzrpVgUJi3QuMj+5LRFsG04VVDy/1dt5EH0N04ZHR
+/+uoGJDNRUsfAJzs7DwzMh9J2l7MQG8JJUy7j4ZbC3cE/nJ9KcEb3ZgO4RX3WJX7
+XxDMbmFgrX40hDThY27K/1cdFynH+dlOdrhOreO2p4CcdpjXeRDFPgyUasw47TY6
+NaP5kfqotdESs1cGO7FD92et8C/j44y7XTwxXg7EZbDqjSt92XL6IRY=
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIID6jCCAtKgAwIBAgIEWOeR1jANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJC
+WTEOMAwGA1UEBwwFTWluc2sxDjAMBgNVBAoMBWlUZXh0MQ0wCwYDVQQLDAR0ZXN0
+MRYwFAYDVQQDDA1pVGV4dFRlc3RSb290MCAXDTE3MDQwNzEzMjAwMVoYDzIxMTcw
+NDA3MTMyMDAxWjBUMQswCQYDVQQGEwJCWTEOMAwGA1UEBwwFTWluc2sxDjAMBgNV
+BAoMBWlUZXh0MQ0wCwYDVQQLDAR0ZXN0MRYwFAYDVQQDDA1pVGV4dFRlc3RSb290
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/fz7iq1wzhMMYcGfmMm
+teCY/ZtdE26PB1OTTBuDSN86sVNmur5FV/mLPU9ZK2ofrs+wMrqn0agmFlRl4dTh
+f5u5WSEQ/ARwXzYOn2uEkwR/0dwwZUL3VWhrPSD5SxX5MzFo8UXTNlXW2bClLC0F
+QU2qLjIwwRFwwWDSQPR8r/Mv181RljVpEjPk6DfkDtHWWA4daGlQU0nXbuZszplv
+iPafXmyKn+2w4G9Jw/8pHIK2VhWYstLI+bUZk662ZVldNvnpMyHn12FfB0Nbf/Z6
+V2WTGviEr8EEE2cA7I+H7ZGUDzug7umNCCJn3ilC6vAt9i9OLaZRDh6jPMOjMUiz
+TwIDAQABo4HBMIG+MA8GA1UdEwEB/wQFMAMBAf8wfwYDVR0jBHgwdoAUXSpxda7d
+2L5ZuiCxZpHJdjZTXO6hWKRWMFQxCzAJBgNVBAYTAkJZMQ4wDAYDVQQHDAVNaW5z
+azEOMAwGA1UECgwFaVRleHQxDTALBgNVBAsMBHRlc3QxFjAUBgNVBAMMDWlUZXh0
+VGVzdFJvb3SCBFjnkdYwHQYDVR0OBBYEFF0qcXWu3di+WbogsWaRyXY2U1zuMAsG
+A1UdDwQEAwIB9jANBgkqhkiG9w0BAQsFAAOCAQEAdhby6EaopoUF8j7oR44Mhe/N
+3y9hzGb/zLmmgTavPd2plv6NlAPt9W+8rezKO6jQCsBRFw8JY+Lx6j3W0K6rWigB
+pPGU/B/0bXLlOIv2a4uW8nBmq6jxAe5Xbtwm8HcKOOLMzxPIChHJIJy5NWw9ArD4
+Ul+FEt/VuEW1NfPZm1U5ixMOrBfn0C8pxIX4+VSHN9I8WoFjSfYX4Y3ldRLTeqxQ
+rhZQlbhGNymp3Kcvtuq5At6vopskyB8Q1b7L4e+hRWK2prz/7p4Bdhu2TmkEfWZc
+YKpgrkVFqa/Z1uZ0q4KVBOP3cyaQmqRXTV37SfpNyHAJdol5ueF68VVVNZFRXw==
+-----END CERTIFICATE-----
diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf
new file mode 100644
index 000000000..a7cef0bd0
Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf differ
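Review bot: The new fixture carries an encrypted private key in addition to the root certificate, while the two tests that load it take only the certificate via `PemFileHelper.ReadFirstChain(rootCertName)[0]`. If the key is not needed to regenerate the PDF fixtures in this directory, shipping the certificate block alone keeps private key material out of the test tree; if it is needed, a short note alongside the fixture saying what it is for and how it was produced would make that explicit for the next maintainer.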
diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignerInfo.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignerInfo.pdf
new file mode 100644
index 000000000..83c046624
Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignerInfo.pdf differ
diff --git a/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs b/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs
index 73c20a594..60456da35 100644
--- a/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs
+++ b/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs
@@ -26,6 +26,7 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Bouncycastleconnector;
 using iText.Commons.Actions.Contexts;
 using iText.Commons.Bouncycastle;
+using iText.Commons.Bouncycastle.Asn1.Ocsp;
 using iText.Commons.Bouncycastle.Asn1.Tsp;
 using iText.Commons.Bouncycastle.Cert;
 using iText.Commons.Bouncycastle.Cert.Ocsp;
@@ -181,72 +182,51 @@ public virtual ValidationReport ValidateSignatures(PdfDocument document) { //\cond DO_NOT_DOCUMENT internal virtual ValidationReport ValidateLatestSignature(PdfDocument document) { ValidationReport validationReport = new ValidationReport(); - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); PdfPKCS7 pkcs7 = MathematicallyVerifySignature(validationReport, document); + UpdateValidationClients(pkcs7, validationReport, validationContext, document); + // We only retrieve not signed revocation data at the very beginning of signature processing. + RetrieveNotSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext); if (StopValidation(validationReport, validationContext)) { return validationReport; } IList certificatesFromDss = GetCertificatesFromDss(validationReport, document); certificateRetriever.AddKnownCertificates(certificatesFromDss); if (pkcs7.IsTsp()) { - ValidateTimestampChain(validationReport, pkcs7.GetTimeStampTokenInfo(), pkcs7.GetCertificates(), pkcs7.GetSigningCertificate - ()); - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); + ValidateTimestampChain(validationReport, pkcs7.GetCertificates(), pkcs7.GetSigningCertificate()); + if (UpdateLastKnownPoE(validationReport, pkcs7.GetTimeStampTokenInfo())) { + UpdateValidationClients(pkcs7, validationReport, validationContext, document); + } return validationReport; } + bool isPoEUpdated = false; DateTime previousLastKnowPoE = lastKnownPoE; ValidationContext previousValidationContext = validationContext; if (pkcs7.GetTimeStampTokenInfo() != null) { - try { - if (!pkcs7.VerifyTimestampImprint()) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus - .INVALID)); - } - } - catch 
(AbstractGeneralSecurityException e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus - .INVALID)); - } - if (StopValidation(validationReport, validationContext)) { - return validationReport; - } - PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); - try { - if (!timestampSignatureContainer.VerifySignatureIntegrityAndAuthenticity()) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus - .INVALID)); - } - } - catch (AbstractGeneralSecurityException e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus - .INVALID)); + ValidationReport tsValidationReport = ValidateEmbeddedTimestamp(pkcs7); + isPoEUpdated = UpdateLastKnownPoE(tsValidationReport, pkcs7.GetTimeStampTokenInfo()); + if (isPoEUpdated) { + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + UpdateValidationClients(pkcs7, tsValidationReport, validationContext, document); } - if (StopValidation(validationReport, validationContext)) { - return validationReport; - } - IX509Certificate[] timestampCertificates = timestampSignatureContainer.GetCertificates(); - ValidateTimestampChain(validationReport, pkcs7.GetTimeStampTokenInfo(), timestampCertificates, timestampSignatureContainer - .GetSigningCertificate()); - if (StopValidation(validationReport, validationContext)) { + validationReport.Merge(tsValidationReport); + if (StopValidation(tsValidationReport, validationContext)) { return validationReport; } } - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); IX509Certificate[] certificates = pkcs7.GetCertificates(); 
certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(certificates)); IX509Certificate signingCertificate = pkcs7.GetSigningCertificate(); ValidationReport signatureReport = new ValidationReport(); certificateChainValidator.Validate(signatureReport, validationContext, signingCertificate, lastKnownPoE); - if (signatureReport.GetValidationResult() != ValidationReport.ValidationResult.VALID) { + if (isPoEUpdated && signatureReport.GetValidationResult() != ValidationReport.ValidationResult.VALID) { // We can only use PoE retrieved from timestamp attribute in case main signature validation is successful. - // That's why if the result is not valid, we set back lastKnownPoE value, validation context and DSS. + // That's why if the result is not valid, we set back lastKnownPoE value, validation context and rev data. lastKnownPoE = previousLastKnowPoE; validationContext = previousValidationContext; - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + UpdateValidationClients(pkcs7, validationReport, validationContext, document); } return validationReport.Merge(signatureReport); } 
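Review bot: In the rollback branch at the end of ValidateLatestSignature the comment says the revocation data is "set back", but RetrieveSignedRevocationInfoFromSignatureContainer and UpdateValidationClients only add entries: unless validationCrlClient.AddCrl and validationOcspClient.AddResponse replace an existing entry for the same CRL or response, the entries recorded earlier under the timestamp's PoE and HISTORICAL context remain in the clients next to the re-added ones, and the main container's data is already registered three times along that path (at the top of the method, after the PoE update, and again here). The timestamp container's data is likewise added inside ValidateEmbeddedTimestamp before the PoE update and again in the `if (isPoEUpdated)` block after it, so each CRL/OCSP can be registered under two different times. If the clients de-duplicate, a comment on the rollback lines such as `// AddCrl/AddResponse replace earlier entries for the same object, so re-adding under the restored context is enough.` would settle the question for the next reader; if they do not, the earlier entries need to be dropped here rather than re-added alongside. The method is contained in this hunk, so the behaviour is fully visible.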
@@ -276,29 +256,96 @@ private PdfPKCS7 MathematicallyVerifySignature(ValidationReport validationReport return pkcs7; } - private ValidationReport ValidateTimestampChain(ValidationReport validationReport, ITstInfo timeStampTokenInfo - , IX509Certificate[] knownCerts, IX509Certificate signingCert) { - certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(knownCerts)); + private ValidationReport ValidateEmbeddedTimestamp(PdfPKCS7 pkcs7) { ValidationReport tsValidationReport = new ValidationReport(); - certificateChainValidator.Validate(tsValidationReport, validationContext.SetCertificateSource(CertificateSource + try { + if (!pkcs7.VerifyTimestampImprint()) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus + .INVALID)); + } + } + catch (AbstractGeneralSecurityException e) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus + .INVALID)); + } + if (StopValidation(tsValidationReport, validationContext)) { + return tsValidationReport; + } + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + try { + if (!timestampSignatureContainer.VerifySignatureIntegrityAndAuthenticity()) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus + .INVALID)); + } + } + catch (AbstractGeneralSecurityException e) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus + .INVALID)); + } + if (StopValidation(tsValidationReport, validationContext)) { + return tsValidationReport; + } + IX509Certificate[] timestampCertificates = timestampSignatureContainer.GetCertificates(); + ValidateTimestampChain(tsValidationReport, timestampCertificates, 
timestampSignatureContainer.GetSigningCertificate + ()); + return tsValidationReport; + } + + private void ValidateTimestampChain(ValidationReport validationReport, IX509Certificate[] knownCerts, IX509Certificate + signingCert) { + certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(knownCerts)); + certificateChainValidator.Validate(validationReport, validationContext.SetCertificateSource(CertificateSource .TIMESTAMP), signingCert, lastKnownPoE); - validationReport.Merge(tsValidationReport); + } + + private bool UpdateLastKnownPoE(ValidationReport tsValidationReport, ITstInfo timeStampTokenInfo) { if (tsValidationReport.GetValidationResult() == ValidationReport.ValidationResult.VALID) { try { lastKnownPoE = timeStampTokenInfo.GetGenTime(); if (validationContext.GetTimeBasedContext() == TimeBasedContext.PRESENT) { validationContext = validationContext.SetTimeBasedContext(TimeBasedContext.HISTORICAL); } + return true; } catch (Exception e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e, ReportItem.ReportItemStatus + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e, ReportItem.ReportItemStatus .INDETERMINATE)); } } - return validationReport; + return false; + } + + private void UpdateValidationClients(PdfPKCS7 pkcs7, ValidationReport validationReport, ValidationContext + validationContext, PdfDocument document) { + RetrieveOcspResponsesFromDss(validationReport, validationContext, document); + RetrieveCrlResponsesFromDss(validationReport, validationContext, document); + RetrieveSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext); + } + + private void RetrieveSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7, ValidationContext validationContext + ) { + if (pkcs7.GetCRLs() != null) { + foreach (IX509Crl crl in pkcs7.GetCRLs()) { + validationCrlClient.AddCrl((IX509Crl)crl, lastKnownPoE, 
validationContext.GetTimeBasedContext()); + } + } + if (pkcs7.GetOcsp() != null) { + validationOcspClient.AddResponse(pkcs7.GetOcsp(), lastKnownPoE, validationContext.GetTimeBasedContext()); + } + } + + private void RetrieveNotSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7, ValidationContext validationContext + ) { + foreach (IX509Crl crl in pkcs7.GetSignedDataCRLs()) { + validationCrlClient.AddCrl((IX509Crl)crl, lastKnownPoE, validationContext.GetTimeBasedContext()); + } + foreach (IBasicOcspResponse oscp in pkcs7.GetSignedDataOcsps()) { + validationOcspClient.AddResponse(oscp, lastKnownPoE, validationContext.GetTimeBasedContext()); + } } - private void UpdateValidationOcspClient(ValidationReport validationReport, ValidationContext context, PdfDocument + private void RetrieveOcspResponsesFromDss(ValidationReport validationReport, ValidationContext context, PdfDocument document) { PdfDictionary dss = document.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS); if (dss != null) {
@@ -323,7 +370,7 @@ private void UpdateValidationOcspClient(ValidationReport validationReport, Valid } } - private void UpdateValidationCrlClient(ValidationReport validationReport, ValidationContext context, PdfDocument + private void RetrieveCrlResponsesFromDss(ValidationReport validationReport, ValidationContext context, PdfDocument document) { PdfDictionary dss = document.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS); if (dss != null) {
diff --git a/port-hash b/port-hash
index 1207cb84a..6c31ceae0 100644
--- a/port-hash
+++ b/port-hash
@@ -1 +1 @@
-174e3e01db8fc32c3cc06e043b36de249f7a45c8
+b6139dd529e7df47bdcdc5c8673f6e786e4e9844
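Review bot: RetrieveNotSignedRevocationInfoFromSignatureContainer iterates `pkcs7.GetSignedDataCRLs()` and `pkcs7.GetSignedDataOcsps()` without the null guards that its sibling RetrieveSignedRevocationInfoFromSignatureContainer applies to `GetCRLs()` and `GetOcsp()`; if those accessors can return null for a container without embedded revocation data, the call at the top of ValidateLatestSignature throws a NullReferenceException instead of producing a report item, so either guard the same way or document on the method that the accessors never return null. Smaller points in the same hunk: the loop variable is already an `IX509Crl`, so the `(IX509Crl)crl` cast in both Retrieve… methods is redundant; `oscp` in the OCSP loop should read `ocsp`; and the `validationContext` parameters of UpdateValidationClients and the two Retrieve… methods shadow the field of the same name that UpdateLastKnownPoE reads and assigns, which invites mixing the two up — a distinct name such as `context`, as RetrieveOcspResponsesFromDss already uses, avoids that. ValidateEmbeddedTimestamp also registers the timestamp container's revocation data before `VerifySignatureIntegrityAndAuthenticity()` has run; that is acceptable only if the validators verify each CRL/OCSP signature themselves, which is not visible here and deserves a one-line comment at that call.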