From 12bf1875681b01d69973a775d908882990cccc66 Mon Sep 17 00:00:00 2001 From: Angelina Pavlovets Date: Thu, 20 Jun 2024 00:39:44 +0000 Subject: [PATCH] Support revocation data retrieval from the signature container DEVSIX-8388 Autoported commit. Original commit hash: [b6139dd52] --- .../v1/SignatureValidatorIntegrationTest.cs | 52 ++++++ .../certs/rootRsa.pem | 53 +++++++ .../revDataInTheSignatureContainer.pdf | Bin 0 -> 22823 bytes .../revDataInTheSignerInfo.pdf | Bin 0 -> 35881 bytes .../validation/v1/SignatureValidator.cs | 149 ++++++++++++------ port-hash | 2 +- 6 files changed, 204 insertions(+), 52 deletions(-) create mode 100644 itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem create mode 100644 itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf create mode 100644 itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignerInfo.pdf diff --git a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs index aec85c685..1e67d2899 100644 --- a/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs +++ b/itext.tests/itext.sign.tests/itext/signatures/validation/v1/SignatureValidatorIntegrationTest.cs 
@@ -140,6 +140,58 @@ public virtual void ShortValidityCertsWithCrlTest() { ).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => tsRootCert.GetSubjectDN()))); } + [NUnit.Framework.Test] + public virtual void RetrieveRevocationDataFromTheSignatureContainerTest() { + String rootCertName = CERTS_SRC + "rootRsa.pem"; + IX509Certificate rootCert = (IX509Certificate)PemFileHelper.ReadFirstChain(rootCertName)[0]; + // We need to set infinite freshness for the signature validation. Otherwise, test will fail. + builder.GetProperties().SetFreshness(ValidatorContexts.Of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext + .CRL_VALIDATOR), CertificateSources.Of(CertificateSource.SIGNER_CERT), TimeBasedContexts.Of(TimeBasedContext + .PRESENT), TimeSpan.FromDays(999999)); + ValidationReport report; + // Signature container stores OCSP response with indeterminate status and less fresh but valid CRL response. + using (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "revDataInTheSignatureContainer.pdf" + ))) { + certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList(rootCert)); + SignatureValidator signatureValidator = builder.BuildSignatureValidator(); + report = signatureValidator.ValidateSignatures(document); + } + AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasNumberOfLogs + (4).HasNumberOfFailures(0).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION + ).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, (i) => "Signature1")).HasLogItem((al) => al + .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN).WithStatus( + ReportItem.ReportItemStatus.INFO)).HasLogItems(2, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator + .CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN + ()))); + } + + [NUnit.Framework.Test] + 
public virtual void RetrieveRevocationDataStoredInTheSignerInfoTest() { + String rootCertName = CERTS_SRC + "rootRsa.pem"; + IX509Certificate rootCert = (IX509Certificate)PemFileHelper.ReadFirstChain(rootCertName)[0]; + // We need to set infinite freshness for the embedded timestamp validation. Otherwise, test will fail. + builder.GetProperties().SetFreshness(ValidatorContexts.Of(ValidatorContext.OCSP_VALIDATOR, ValidatorContext + .CRL_VALIDATOR), CertificateSources.Of(CertificateSource.TIMESTAMP), TimeBasedContexts.Of(TimeBasedContext + .PRESENT), TimeSpan.FromDays(999999)).SetFreshness(ValidatorContexts.Of(ValidatorContext.CRL_VALIDATOR + ), CertificateSources.Of(CertificateSource.SIGNER_CERT), TimeBasedContexts.Of(TimeBasedContext.HISTORICAL + ), TimeSpan.FromDays(2)); + ValidationReport report; + // Signer info authenticated attributes store OCSP response with indeterminate status and valid CRL response. + using (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "revDataInTheSignerInfo.pdf")) + ) { + certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList(rootCert)); + SignatureValidator signatureValidator = builder.BuildSignatureValidator(); + report = signatureValidator.ValidateSignatures(document); + } + AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasNumberOfLogs + (6).HasNumberOfFailures(0).HasLogItem((al) => al.WithCheckName(SignatureValidator.SIGNATURE_VERIFICATION + ).WithMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, (i) => "Signature1")).HasLogItem((al) => al + .WithCheckName(OCSPValidator.OCSP_CHECK).WithMessage(OCSPValidator.CERT_STATUS_IS_UNKNOWN).WithStatus( + ReportItem.ReportItemStatus.INFO)).HasLogItems(4, (al) => al.WithCertificate(rootCert).WithCheckName(CertificateChainValidator + .CERTIFICATE_CHECK).WithMessage(CertificateChainValidator.CERTIFICATE_TRUSTED, (i) => rootCert.GetSubjectDN + ()))); + } + [NUnit.Framework.Test] public virtual 
void LatestSignatureIsTimestampTest() { String chainName = CERTS_SRC + "validCertsChain.pem"; diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem new file mode 100644 index 000000000..26ccc747e --- /dev/null +++ b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/certs/rootRsa.pem 
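Review bot: The comments above the `SetFreshness` calls in RetrieveRevocationDataFromTheSignatureContainerTest and RetrieveRevocationDataStoredInTheSignerInfoTest say only "Otherwise, test will fail", which leaves the `TimeSpan.FromDays(999999)` value unexplained. Presumably the OCSP and CRL responses embedded in the fixture PDFs are as old as the fixtures and would fail a present-time freshness check; if that is the reason, state it, e.g. `// Embedded OCSP/CRL responses date from fixture creation, so the PRESENT freshness check must be effectively disabled.` The literal is repeated in both tests and would read better as one named constant. With freshness disabled, these tests show that embedded data is found, not that stale data is rejected, and the comment could say so.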
@@ -0,0 +1,53 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQed2OhiJqKregwesf +Q7qbJAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEGezm1YV51PeoC8M +MG+1yVcEggTQqO38B271mogM524SNQRRAhqoY7bw5c1G+O6iKJk08VkA82R42OpV +DndjibcLuC+JxkbxGD55MDKV3xfYa3c6dYCTPJ/yqx3XK2eRkRVvbAEAO+3JgNeh +lSRffQklSyjj4n9tVZNaaCfeEJMVj5yZWEc4K8l8ddNOMMx7qK9qedBG4nfNVqkX +cAZycTPUuDIgA8Q6GLHNjDgxwOsi0L5LsGsWI0yY02dTcU5lS04/xyT850xIfkkn +si5QBahVRJLQCFxa2Abl8zzpTIBScVICNlcXLlpPJfEAAwP7/ksaMvAnPDS0GeR9 +5CBjeHznUJDjODubbrGg64uij4eTe5MrMQKcjNIl8UhN9Fy/W/SCehS+Dc/1d3Xf +cyuigeI01+d1FxzTXslL91PToyehSXcyykBPd69tDv/R7Zk8D4ouVOX4YXiSnnA+ +WiuuLyXQU9ABlEkQrTWftcEgYbJqIcjUHku6CApGQnTgD300zoAm37BY7x15oJ/T +reAs7Bf+bv68xvJUh9aOOvqcJdzhDeR59CZFOu6q6wTZTSoJeqTRVXIxGsH36Kna +Hgl4nipmIqkGI7fRMfHL7k4DTcSEC8FFBdzUqAqShj2qxxb7LTFUs4N45diAEhzo +AqEDXe80o2xBZZwkLLilLrH3BGCQiBH5ow8wl7G3v5fFXmeQfaEQGbmGM0p3pk9A +SfcKpdzgYDBH9Oc/I3b6LL+Lpfd74kNVq3s8GGkKFVP84TlmmE7apkPFcnKfYKRC +itLBOT25DYM9zZGPrnnEF5AI/MoIgZfwrrptZgqMj+XxE/9gy7KEZt2jxzw+T8EA +DZvEMVxAMAggZ44udrMIHIOAy60aSIGPiHOs0XhW7pbWps4+75HXQmYXsWN8u3Zh +P5genGXu+GrGs8IRUbiilJVn07ZGLT199rpAFx3t1eS2mskf0IuYSqureFhUNx1l +u0uycC/Uz6b5WBPhUP7/fM+jhOIkCti7DdzTRf+0N1m35+JOC4TuD6kUfm84GAQK +9+iXgpel0B2iJ7jSU5gtVic03Jk5yIZ7iO7xLrSFJOEJ9itKQGxL+GDPzHyRphpg +0m/8CcYJHa/FygYwKmJzzS+WOLY+lSp+fwF8OWnnByeJXPdFq+snj4AA7WXk5jeT +omNEZBWcaX7P6enfwK9iVLFISkdgLy0X+l44b3pgtR4g+Km1Pl+vVz8BGe9J2mGX +zRsD4q8hcCoEnqyNSTveM34jIQ3cWvKSII/OlD9Xd6lyy/qk06oMQ89IzVXjPDAz +AfjXMiDG0WJCfXXY7+WPWCIdLDQvCwWm8JJW728QqfG3tKCPYe09BWvSs1VxUKZg +u7Oy6RzosVX0PKv20uIhUiizFZCEpM833orpUGvdVbeNVsKQMWSScc0Pfkjo8miY +U7482QwfQ4Bq15MtpfkZXI4WzrpVgUJi3QuMj+5LRFsG04VVDy/1dt5EH0N04ZHR +/+uoGJDNRUsfAJzs7DwzMh9J2l7MQG8JJUy7j4ZbC3cE/nJ9KcEb3ZgO4RX3WJX7 +XxDMbmFgrX40hDThY27K/1cdFynH+dlOdrhOreO2p4CcdpjXeRDFPgyUasw47TY6 +NaP5kfqotdESs1cGO7FD92et8C/j44y7XTwxXg7EZbDqjSt92XL6IRY= +-----END ENCRYPTED PRIVATE KEY----- +-----BEGIN CERTIFICATE----- 
+MIID6jCCAtKgAwIBAgIEWOeR1jANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJC +WTEOMAwGA1UEBwwFTWluc2sxDjAMBgNVBAoMBWlUZXh0MQ0wCwYDVQQLDAR0ZXN0 +MRYwFAYDVQQDDA1pVGV4dFRlc3RSb290MCAXDTE3MDQwNzEzMjAwMVoYDzIxMTcw +NDA3MTMyMDAxWjBUMQswCQYDVQQGEwJCWTEOMAwGA1UEBwwFTWluc2sxDjAMBgNV +BAoMBWlUZXh0MQ0wCwYDVQQLDAR0ZXN0MRYwFAYDVQQDDA1pVGV4dFRlc3RSb290 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/fz7iq1wzhMMYcGfmMm +teCY/ZtdE26PB1OTTBuDSN86sVNmur5FV/mLPU9ZK2ofrs+wMrqn0agmFlRl4dTh +f5u5WSEQ/ARwXzYOn2uEkwR/0dwwZUL3VWhrPSD5SxX5MzFo8UXTNlXW2bClLC0F +QU2qLjIwwRFwwWDSQPR8r/Mv181RljVpEjPk6DfkDtHWWA4daGlQU0nXbuZszplv +iPafXmyKn+2w4G9Jw/8pHIK2VhWYstLI+bUZk662ZVldNvnpMyHn12FfB0Nbf/Z6 +V2WTGviEr8EEE2cA7I+H7ZGUDzug7umNCCJn3ilC6vAt9i9OLaZRDh6jPMOjMUiz +TwIDAQABo4HBMIG+MA8GA1UdEwEB/wQFMAMBAf8wfwYDVR0jBHgwdoAUXSpxda7d +2L5ZuiCxZpHJdjZTXO6hWKRWMFQxCzAJBgNVBAYTAkJZMQ4wDAYDVQQHDAVNaW5z +azEOMAwGA1UECgwFaVRleHQxDTALBgNVBAsMBHRlc3QxFjAUBgNVBAMMDWlUZXh0 +VGVzdFJvb3SCBFjnkdYwHQYDVR0OBBYEFF0qcXWu3di+WbogsWaRyXY2U1zuMAsG +A1UdDwQEAwIB9jANBgkqhkiG9w0BAQsFAAOCAQEAdhby6EaopoUF8j7oR44Mhe/N +3y9hzGb/zLmmgTavPd2plv6NlAPt9W+8rezKO6jQCsBRFw8JY+Lx6j3W0K6rWigB +pPGU/B/0bXLlOIv2a4uW8nBmq6jxAe5Xbtwm8HcKOOLMzxPIChHJIJy5NWw9ArD4 +Ul+FEt/VuEW1NfPZm1U5ixMOrBfn0C8pxIX4+VSHN9I8WoFjSfYX4Y3ldRLTeqxQ +rhZQlbhGNymp3Kcvtuq5At6vopskyB8Q1b7L4e+hRWK2prz/7p4Bdhu2TmkEfWZc +YKpgrkVFqa/Z1uZ0q4KVBOP3cyaQmqRXTV37SfpNyHAJdol5ueF68VVVNZFRXw== +-----END CERTIFICATE----- 
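Review bot: The new rootRsa.pem carries an ENCRYPTED PRIVATE KEY block ahead of the certificate, but the two tests added in this patch only load the certificate through `PemFileHelper.ReadFirstChain` and use it as a trust anchor. If no other test needs the key, drop the key block so the fixture holds only the public certificate. If it is kept for regenerating the signed PDFs, record that purpose next to the fixture and state that this root is test-only and must never be added to a real trust store.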
diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/SignatureValidatorIntegrationTest/revDataInTheSignatureContainer.pdf new file mode 100644 index 0000000000000000000000000000000000000000..a7cef0bd0ed6d32b2614359c7a79a8f80c7f9b8e GIT binary patch literal 22823 zcmeI4*^V5^b%t&DuAd@r2$2xj75gF+4R9Gs15untlNuYK2q9KZ$z&H%Rh;4YS^NUN z@vHd4Z(zNMzNoHV*j$Fd7?LSu5$x*DjLe8QahCu5k$G+$KX`as9{PhD|NH0v{+|Oo ziD{Mpba3a+;^Fe;wyhTrU#4w)(8{W|#iMrmV*A|`j*d3lbxW@f-u}lw{R5wWJZPtN ze~9144b0_@?ypX_?R2}D#?4O_ziV}w?ycTF6Z~nToq|!%7sqK$n@R1OoV3mA&APPB zojXTIi>K@5tM}SJ{qc3blc_X^Z{eP`QTSdC@qEb(itJtFNOMr z5Wl#!_}!|0y20^!Ro|4hzPWtb-fsVEy1!btDIAJJb^FQVyT?y{^Uc%g4>#}r`uNfG zeOqtn@DI19|5QSV+oQ|r?(6lBn>PJ=y?XO{di?FJ%dyJKv5rY>_7mUD>VDd$m#Y_- zjfYV7i*kSU1}VwKZZJ`Qkzpo6Aeyu3JA4lRIE6`_JU8)pqLB`7!NTknx#L zFOC_-s$4s!1d_dWOoZ_MF?r>F+jUyLZ0n&&Uq6_h-ATgv>}_*3ho+3LvgYWrvc|Mn zmG4zp+p3Qxm>8ptBKjCy6(-6alMXRwuXVRlt6qBYuBV`iP(s=yg6KU4lVx-v3hrE` zlFG`SvevP6QI7uhBY3{}`n0d6p{6H`lhulK-2M7w`R{FVtlf>Bn%y2+cKcl|JJ@W~ zdb?Xxczbux9udIzGxF>B}I^v;-{XZH)47|{fy6Im~SfEG4`9c zc7N@R`HmJrNy)l75mgG#gy6atRY>85Vof;P+F7fX#zF~+6;>@o9@jWAt`X8%p@reR zIzRK?-Q>8N@HLOS3EkrETUCy8?YJ{n3u8m`S+v4^J~S#xzjj<;4ddWmA~FtbExkL* zeT=e^GmKf3i!+|zt*I`$=C#Z3oloPui`F>ngCBQ3pW)e^Gv|#TXZ1KMofeY*_Wf$k za_{r2ci*(L%5{Wkc9TPTfk)`jwY*X1-E= zXuil+8jY0Hm^HH*D=pQ~i4U)(9BV1`XeIhs)!lFC+3s7ixIJ~Jn|D63q`74iL(rIy z%Z4vJNDiut6pE0I&V_G9$%^+brZ!f>d1*xxR#&g0?ZqpTRFcx_Fn-NGN0D<51+B|m z(qbrP+&B~)tj@i-s;lk}H`iU!I5CGRG^MO6wWOlySC^W(NVn!(ZM_AdR6tLCuozb= zsS2im0+br0ZmNdjY-K9km3DNIqPH>nT$1*^*raj`#$g7Lq2}a;cP_OWv*iw5>r#R= zlG*8ukI=f+YGg|eJM@l$XPKNeT`13tkwZ=lT%vY#(@jm;siae3va)wXpo~qW6p7Ib zO8&B7TvZ4y*@|qvVA`^X>`E@o(MHD5 zbc!`r#2jjB!gSLcfkIT3uzMLz^QC$;qUWkj3SBw|hEkvhLXPq0;X7mwmsT$;N`~Lz z2n~Hdvq=u&;hc=63(wS%V67oH8#7&IvU-OWFC% zDC_V_!_M$od?R6rs!CIOK-ZEUOU;_3EQ2YmT1Y-8sS^4atu8~V!>6BJ-I1z6q)OPv 
z*GKGk=Zp9DJFFE;MgJu+0Z*A~&^>EhuEoJ|Okv{&hgfthxufl!AqB5%@=Xx!OU%Y< zg#ik@IM!v9YN`Lx51%XgAMA{o%Vn5(bGcfgM?uAsKg zBZVR*za_?90!Q&07I&eQ?F>g@?3ii5eKnUNfXSuajO7lt>sA``QyR$SLm<95{0dW# z#o;+42J9090L}HgFeh;wp$kkQYEy>OCv0@oknlp-Oc`~@#A3+0 z8thSJtiPvLI$=u@@5oL_E*v@xZfg>UA!(j7X$hcK^nvIE)A+6E$qbKJ#!6SOGyp5?YgLWBsvTqG`beS7k&u!$|@1 zdL_tNQXCE5l#0l0TF|~3(dZd_Bf3_4#Y(Lf z!7wi3c^L>%;;sdeVIO%ogiG%u{#cIh|C(d_hhzKaBAbuIb_uxt%-D{yxUL2&O(8i@ zpzR7n4#X=WL9nftT00n7mf~FRrQ}FE6ex8K>>5!DWK0+)Ley?uCnynqK)gAjN+OYh z4U_3)l|;Kfl&4}}B8_O46hJPSjs_0Y(239k*y=zq-l1sju5cud$cBBA4K%cwphgll zLKg6`DG+X#ARR#hP@)pRkcb@?U4_b`2TODXvZKbpf?#Y07BcvV8R3SAi(0eX4<&c}o!t*$vw zniEKV1PHu)kDrB?N#I-$aH*Y?ssmvPZWy`->cz(#@s+7d%ST%P3x0x7rl4rZ>qZQS zeONBwVnlbu^7j(a(LXTWE=PCdulOzg;idVnE}}W;?4kv1z||I?mc%7e4y6)I20%6~ zr)Y!kqae<<)$e54MMbenTKLkzupSF{fmE!3ZlNUycToetC4z6eL1`Nv4?;#ki045e@FPFdsmvDlw6gW9(H1DKi#=-$3sO zKAq@K@F`IwWdi0NF<8Jlw?RkYV+7-uK=Fdc!kqxaQ>qL<27y@`0$~8I)}AbU)yP^4 z=2}Vi3SlMVYJ4Vk6I%fiM$rvS0f~|)LoQ7;QhiN01-(n;g&{F(S8M|sfG+?OSRhno z)6qqR`EiKLh;`%>l_WANMS70#Rf^obIolyb3AxM=K8>`P1;M}+p%ZTi%m!g#MQ{K_ zJ%Tnr2NOc>PG|%>jC060jYzrwE6@gvbJ-G2!}5d~ZGlL;Yv7c|w^W`)=!?o?_c$5k z_HoNX!4Vm_dT?`tjk3sNB&Uj0X7EU;H1x7Z4bVZb77#^8OA3>W=`}Y{Axajw7VP)= ztN=dlf|W$N;-|;T!pVKBPxuPf2vdR!Cn^5m>e4Scvw>*Dm;}r?2_XoVl_khX$aFhk zD!_OIIAt^6kUNPm*ij{~Fqu}oCBwsIKr2Dc_g-BloP?+Xaj22}5f>F9%jg0IC)d@a zxei{9zcB#vQ9tn6hxxl}`G0{SYV;0hcXBZNFis{C!oj`3IU-$m4O6Th>41$1WSU7N zf)FbR01Ot601?H=%)py4Zixxt888PN6mUNZJ2oUds|-Z|EFjax zISL@kU=@MgOqgJdBg0SB-m)iRmMoe3&=3R&L7-s?QJ4{MBb0&ecuSHKDC@By0pb9# z2Qm(LF!J!oBtgrr!O!^wa8Ga-aB4Uu0JO&_J)RDV5k>-kWsxiVglC!=-vZ${7K4-l zG|qXn3fIZzNJBh6{)~fCuR027vCtk_^feKw!u!AY>rxx&&iIWgT{8XxdmlFau!( zLIXDjEN2$rJrJ8@2};IWMT8ab(6;Uve!AXyA;97Od*%a>$jk@qW0@qbUGV!eA29O) z1Ld6Y`!gT#>77J^(NA#wGaoSX0e>AnUbod zKzcEDz|V59cb}4oY`%_X5;9XnwFLbxDOR(7sHZII89 zIVzB}uzAN*Fwj(~gu(xk&VzEvRiV*gxWShr^Jf394Mv$1$tO54s3~AP+eZ62U3(g1 zjCf>@!}EeUBWyaPvM1lx5I_prjXN3gdS+m%hr5D>AYF*1fJUK%Nu5EUPA3BjRS*O4 zNr^eZUXeK)nnc(NfF0B%BYL5Gk)`+@cw 
z=c95kb*(EB`|&hP1%g94llnpUncQWjy8(gO^Cfv;zW^u?RRiEA*-M$HiNN8KeXl|G zLn@MdLoSd;!qu^@02whhnW6L8769Uht_&brwaSzuGz;uHSrijf>{mi{uxE^T;T75C z&Q4Y~utO{oU|ws6Nr94Jk4&>Y8DQ$AOS)xR7&kj845SyG8=#TC=mc_yD!K^S+IGnK^DjeDZ z7vs?ha;L(h1=Z_-ZF*P6mZ+5lipfVdT;|U#fms5x1ZD}$5||}0OJJ73EP+`9vjk=d z%o3O-FiT*Tz$}4T0<#2W3Ct3hB``~1mcT55Spu^JW(mv^m?bbvV3xovfms5x1ZD}$ z5||}0OJJ73-;o54&MQdXr8;9fJU;&Iqve(wlB=>S%}6ad$}7J9nGp*@!7Se>QG#7 z%7f`bT^>AX-!DgBH%9?Zb!+kalSend+iqWPezjQq@WT&>%gyR=wSKXnxZ!C{>$>0# z6>kr}+rD~9sm$r~`jbDiKXcySbLRQewK%WTHNAU!y4r4@Q3!KX;rwe=IUVbGQK7ZH zqzveO02l$aT3>7?eOU%{oZ2_OdyG6EPjXjtlBqtNc&>i&@acl<7Qb0MUK~%mdZHL! z+3sqyQVI0=u)ggmwfZm1`l4+YPjAxvG;QCko4mF7b{ZupPcHkDqo(V=!(Ca@hZK*z za{5Zy(|hM7U3cAlqS)-k5QZ9`+55kKlmEmhKcfuoz7DE7uX)Pb-`DD(Drp?U8lO=I zRZsi2yg4B#yn23o_Y1E@iz{_c-FbagMeQpj@lIQMvaHoR$7mO>-}9`+_$e=HvnuL~ zuo&ZWQJa;w7}Wpk`l=z+QSXD|Uc7Y9ODR-d;q7foDP>-erdS|V4XC~(d1;!rhpDc{ zdmNOD;GG1`d)qx$3c2u3NG?=;5!AFuR2<`tb?S@oQZW?(8!wYn_<}+Z)VH8CgyaTX u$;-vmPUDRbdGt_u6at*S}U(UAzCz-Rt^B z+`IPsKm6u@_tHjf4(n%oH*ap={_12rCXN;(ax^&+{iR%U#{XE zW8qvXb2aNdBM6%FIO8+l48D<>?Y@cp?p+T#jA%oB;rk-rhwNSOF-18u^Iqn$JHGP0 zi}J0NZ*{PWH99-H!>cLWL?yuIyNPSn#@!sHKhj^S8+6y+OYVp4^|>X?bT4;b}Y%y7L6;WXzgv1 zUu&#c)ml?S>newgoSKspr{j5n>f(k$1ttyd1RV}#Jh z97!3I(9@W_*0Z$I6;nU~T2I;z(^Ct+GZoIteq5sD=yQ&>6&q*s#nh2pzzi}&ttF}$ zLK!_*&l#q*ttIU=v$NG`W$ozQ=}`i<7y|>Zx&-g0GLac0hgul8M(w!FbiLGIiY<-F z>NydCalW+HG={G%`)aN4*fGwXO`-sN8rd%f9F+51A~JO(*n6tO=gK83^2@sA7*JX3+ZaXr zRGi1UUmx#+r7S)(>n>hNJTpFvEfUtKs&;KAbgfufYSyGwom^wpQi-)_Q_#okZ4;@A z=iVJXk*Zt#vL9@A9{=UO_|$&ITCr60UlSMbl%*#-tHtGd92}n+Y~0}xo6W6Gw0$z9 z6m2hYsN7kK>bx}=pu&q|UCx+chE}QAoI3{>mepfU8g(DJ4J?766kD0G;XwimsM4&% z$|ZWnE{jVMWiz2?XZvuiGC$Kw^}dA|WA`AbK4bGk&Av!s3Xj*3!LGs(7Qt z6^PNNIz6^)%w)D!71w1X&Wr)a!T^d2vyY}54jO~(%&h5bF%TU90c9jYdrB@j{HZO-Y2x-( z6la934Aq!C9uW1x+v*<0Iwi8RN^A{A_d;afY3Zx9>2M1rUZ#2l5=T*92jaipm*g=}3Dr%%|Js3GBnuvseV zj)~<|ZFktCsaXFkqfNq=A>KuhWikOB2Dc53!_e$rYi3`Kvk*k5uoj|hp2R2zAjJ&v zEnrU$!n(c3usA=CD?2VcGl)$GA`>CS5;c6sKC3tftbm}Q39ZEpS%2)8XxebW-8eO! 
zI4MBh>;yTlbFkn|ZHU}%BpZiQgDYciMAyz$u~Khc?qX^ov^FsEnbHh-`Vm?xd5#WF z#)e&Pc1}YmO9;USjdQA4UrS7vOJ!R|1sV9vpu@}{Z)-H3Ir-2^?X^?6KiwRKbn7Ik~K$D#r1+>v;Fw+rGKp$Xm5Q#t)K$F#u zg%Uu5VVuYFCJ0gEt`(8tH1hBfE`3V;@qB*z*BaYj9^1b!vbiF*YrysQjO{2(m_|@( zNhN>+{WKVIB3=;*k{`46KEcSkwGifPt!DN^fy%VNE{RegW5O^IqE8$6wTQUjwBG-uurmqfi@G= zNWvs!0Uw6};Z6*kQ9>nW|>;L{}g?Y78t$&R1X|gU^@|Ziu*O)hK{u zY)2U^uDQeklgtkk69JtdcY-E%ix}e2i4+9zLlPZJX`Y!#vYh4I!IF=Fhg$(d*T59P zx*a1bCRgKt_e_FOj8-utz%;N_TpXc%g17Sk_5=WNa08U=V#mN+P^IvHJR@*E7aVC1 zBSg}iMDn9R;4?=2Y*x8|b0ff|Pg1H0glV{81r|;ql$!CCWopll^#B(91b*7UNMMu8 zRB0~BujHA2gb`UQsJ0nh(CLtRbibh(Gze> z(gd6YXy!Puq%pKcnUv89gQ~;|qEV};j|DMGrdk4Uub|4TzMUGRMUE9zeGZXlTr04Y ztAOSWwrzxcSgttGW)SHtX=LIFqa+^K+KHMyCk9~nO@j|Rs6{|;^QeolS(9m6Oj0mi zTJnoa^J1Q8fl8tsirBT=3pJFzb%F0#wsyD8a7Rf4Nl$g>F9iqUwa5$>W+%XUpc(u{ z_!ffa90P*s&-XwNF7NSueJ~oK8i^7Czc&)3l*y|yzRi$b;e|D#SSS+#TF?X`7}5k%{Y-{2AVzT64Im|Oeq>#8MFpk@ z3GjbBc@?Gv1tyK34V+~`8n8E@tP0j~Bytf?Tb!#VC+7zKJR0B)c|KkYbXIUG3HpVM z#F5Sw1LXiI;cCZUlhMs#$3$;Bd5VsBVAM>AjI5wO8d3%hk#}ZdK$zk#L1y4azEbc9 z9t750ZNv=nmDwf=iS^*mAyA^qjwCcC;aDJRLX%w6fB{L=NE!q4ARnqApoV5Q(3iN}y3#$O-atAhE&|`~uM9&wV*c0Z3&Onq4^9W$C zMDAHoc%fhcwKjW_UNm<0I>;kDBpJt&Eqs3->2j1ox)MQz-+jecSwMZd*DL%4YlJ8D z#21jX#Fyt+7kw0+bXYY!1Stw+99$*DhX8{lbX*x8o-H&;yiUrG!MHw|J>DY0hF~2d zlj<}KR$(ddpbmgufPERTft8Ri;djW@AS?kk-~|h#7szyUf#=KQ6=Zhb6IJ3sKqDQ| zs$$>^V|F++SOrkw1Rg>yKwaTo#j8PoVC6~cQb1_r3viBTJJf3iI%P&K94mxRM6Tq;*5FNHtzm%0#dcU;)*|4m`JecnF^M@WDO?Q< zF5I4tP*`wcxQ7%-_V9^#o{IBf>4o0z4hO`5kaBGm7a-&>=fz9SVaPXwOi!ajOs|nd zlLxAS*OiQ17l95i*l^vjX-1(^GAVi@*dQavun8R)QZ}fIU}|BU;FT~u@je1G zmhIT#hm}FP#1EZ%h39KSm-cv_y!L6dVZE=we&1OUS{bC3K@zmHs|c+O(yMFFc-QZ! z4y_E*${_uT7^JIw{?gI0bOBg>$*1hfn^m%Rkl0&R>` zD1cZb6qMq~h=F-P9tTYcequb7?kJfP=rz}*norV5YDmtm1~g}dwj2eBDYaF285$p? 
zcuCO%l9azmS*fm5c!Yun6M{qmgB<`1Sx`gO8s?LtFSUUPS4h=@L{>YfB&Jv!DLh5j zS{v0qkYWM$6*C(Mnu@uFY}JYE0kW3n37A4qJ^(rc)TlooNT@=EhnW%N2^xnym6}XM zoUmZb6mcXZK)yi|MXwPc63$Bp`U+ryBG44s8b^K)DWE#PE;%mT9BlGqA6*|!V)L|F?(p`ef?Us^*iJmr%nyC=sm!Obwy|`C8ZeS+q{+qBCG&?1n zBn=|;UZkb%fPH+O73ym^+M`I&W1r--+EHqRU!aZ4QxCyq(G3NUpW%&2)_64WW3r?e7^@D-Gjq)-KYMiqt93^WKiEXAuDrE?*}zGH?2 z1&zLEXd=eMFyQt$kD`8?4UH90NO)l?D$*y09n!o6!PhykBL^JqbP7I^;tyOe`T3+r zgB}qG&PMgi;EZdf!bRb@Vz9&|R*)o_VrlP~I|K_yGf_M@9Bh%o8Wn9vg^8jyomP~i z;1W9A1mzrBPdGaxr^pO9N=%>#4w*@rxJ7&v?v=8ERFQ}*(2q2ENNqP{%1TtGsfSZ9 ztHN;7SLfjos0d40jnj$38`@!+wuH;I6Knw44rib)kA-dB_F6#+B zi3_~USmB4H=jgPraP8#!ZmbSFB$2< z=raYWVPY67Jxf$lDcItjV8$qaMF0iFDcA=~mcimjIVA;M+U1x$z=!%R!|DLR(WrI< zJfRsaq%nLd%?}OVBSxDk8BjQ*hl5@XXjHN8f;1E*6Q+w8=$n9bt=KI#io?J`;(x%H zATnn{07JpC;dE$bV+NFgrLc`-Yn3t|MMAnRY0N_ADnJtgE9rU>cuDUXVg3XddE0i!KA=k!1R%ONRDx-I|+aa zl-#jBd~*e#!*MUW2aePa@HL<7?YZ2!v#=>kM)SfoNwmRha%QmjRilQ3ddYaDt8BT$ zZ8`JH#%vV$SM%3ywJ|0KEOKBGixN*`#|bQw_DrW44KE`yHgN6J@M_rAsS3eT9i z1A)#)70CUA+>0W2-_ddqx~DC&N$Ujna4^M8Ihu@_ds*mwNEFyh+=^6F# zkcNDQyk9UeHxY7M0~9ZJ{c)cH=)XIXYg*4L-OaRnG_vtT>zmxV#f6;Qb0`!q9~MJ# z8)8$6(y-F7mmu;YO#>uK41oK*xTB`i7Mh?_NY3S!q6Yav6RT9a@$oPha{E=FBb8f@ zxJ4snrlgP*Lni59(hw6JV%yLZMK6?r=H=!QXA+r)+;Ww=G^97l5J>c-g+OuVmoKzs zO2)#i9}vEk4uHH|%fi>ueIUI|q#}zZv?*B@9Yk`M6+Q2CG?0GN0Sjx(e@Kyp0ser* z!6F9-i!$MYBRvH)5auq;4&*^3Q}o@^+d*c;ZF#iKCb}*X0-`mw!#UC{D2+-D$^*Wa z3jZMEU_6Ru0s62RRXI7Rtc;USS7GZV3ois zfmH&l1Xc;G5?Cd$N??`1DuGo3s{~dFtP)ryuu5Q+z$$@N0;>d839J%WC9q0hmB1>2 zRRXI7Rtc;USS7GZV3oisfmH&l1Xc;G5?Cd$N??`1DuGo3s{~dFtP)ryuu5Q+z$$@N z0;>d839J%WC9q0hmB1>2RRXI7Rtc;USS7GZ;4eY~x3+ippPY=N?d^V8$Bp~ zd;95A{{66gKDM{`**+NMcsaqtXZ7?N?>>5X@5Y_m{oRK*`Zy`=SEFwqef4x~AMQWC zb!%@NFow_e@*gKi;I>+0L%#`SbL8r{lc)q@0X*Mmy|CVjMg^ z`PIg!Tepr+jz;->@5_Jt=^u~wzWMFH*hk7ec;nt5On9jN^FMxP!^dyj`{uX*_ul_} z{q-;2_|5je@BQQNe*E?CkN)Kcr z+dGE`C*$Dccq5~Gu>D~4{qpwVm&+V^8|fxF^Xc|}Ibxs9A{|6cL*1~~AAWfI{=@e^dbIg>Ui+u6^UTG#S$5d`?C9{>)6It; zZ+`ja?VsI$|N0l>=$KLb@~wZ^e16#X=lok9Yh3dUNOSXlxQ^^%rN|9lJR{ 
z_WUx&ZEin3`s#R`U+1lh$?J>B-)={TcMp#~-^67F-u;sGkYR{?-+g%R4x6{j@%VT* zxUIesx99u3KfV}GHfE8#NcZ@3jTUj=DJSL0;U$Ha^*dF9JBQC$P`&;6en0+XQSDE6 z7P6e>Vw|$9r-#TOWWBfVjVE7>ll@kajK745LWT{cw;YiUd-}r6lbcn7~s`*l+KM)WV;)}KYdg`!+tLr*x&q!pTBz1 zT)sRSb5G#}_RgHIRvTW|ZvAF%cAxP^X^Y_GXLE4&887u@WxxFyuO)f$Gu}k|!hSp# z{rS)2O)@WjmY?5`3u^55x$E+<_UAs6{dQx~=kwSdCI4Q0W<76eyg2scsO&!(N8%{& zy|ek`X6J2#yi;-VURWMW$jcFU0k*tYkXKdm?8cUE-Q*R!ykds;0?ES&2k#in_>vYQ zkA}=CH=cazioBA=*~#{ zw_x&yOkRq>10s1J?BKceJYBQ#@Oj>C!NcKs&ST|ym$yFM-aD9w8}TtX?ZZQKefjm_ p{=W{E72UeF_<-wT($~Lj(tF1z<>+Kl0eNF^-n(|~-H-0>{Xc(Bp)~*i literal 0 HcmV?d00001 diff --git a/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs b/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs index 73c20a594..60456da35 100644 --- a/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs +++ b/itext/itext.sign/itext/signatures/validation/v1/SignatureValidator.cs @@ -26,6 +26,7 @@ You should have received a copy of the GNU Affero General Public License using iText.Bouncycastleconnector; using iText.Commons.Actions.Contexts; using iText.Commons.Bouncycastle; +using iText.Commons.Bouncycastle.Asn1.Ocsp; using iText.Commons.Bouncycastle.Asn1.Tsp; using iText.Commons.Bouncycastle.Cert; using iText.Commons.Bouncycastle.Cert.Ocsp; 
@@ -181,72 +182,51 @@ public virtual ValidationReport ValidateSignatures(PdfDocument document) { //\cond DO_NOT_DOCUMENT internal virtual ValidationReport ValidateLatestSignature(PdfDocument document) { ValidationReport validationReport = new ValidationReport(); - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); PdfPKCS7 pkcs7 = MathematicallyVerifySignature(validationReport, document); + UpdateValidationClients(pkcs7, validationReport, validationContext, document); + // We only retrieve not signed revocation data at the very beginning of signature processing. + RetrieveNotSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext); if (StopValidation(validationReport, validationContext)) { return validationReport; } IList certificatesFromDss = GetCertificatesFromDss(validationReport, document); certificateRetriever.AddKnownCertificates(certificatesFromDss); if (pkcs7.IsTsp()) { - ValidateTimestampChain(validationReport, pkcs7.GetTimeStampTokenInfo(), pkcs7.GetCertificates(), pkcs7.GetSigningCertificate - ()); - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); + ValidateTimestampChain(validationReport, pkcs7.GetCertificates(), pkcs7.GetSigningCertificate()); + if (UpdateLastKnownPoE(validationReport, pkcs7.GetTimeStampTokenInfo())) { + UpdateValidationClients(pkcs7, validationReport, validationContext, document); + } return validationReport; } + bool isPoEUpdated = false; DateTime previousLastKnowPoE = lastKnownPoE; ValidationContext previousValidationContext = validationContext; if (pkcs7.GetTimeStampTokenInfo() != null) { - try { - if (!pkcs7.VerifyTimestampImprint()) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus - .INVALID)); - } - } - catch 
(AbstractGeneralSecurityException e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus - .INVALID)); - } - if (StopValidation(validationReport, validationContext)) { - return validationReport; - } - PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); - try { - if (!timestampSignatureContainer.VerifySignatureIntegrityAndAuthenticity()) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus - .INVALID)); - } - } - catch (AbstractGeneralSecurityException e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus - .INVALID)); + ValidationReport tsValidationReport = ValidateEmbeddedTimestamp(pkcs7); + isPoEUpdated = UpdateLastKnownPoE(tsValidationReport, pkcs7.GetTimeStampTokenInfo()); + if (isPoEUpdated) { + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + UpdateValidationClients(pkcs7, tsValidationReport, validationContext, document); } - if (StopValidation(validationReport, validationContext)) { - return validationReport; - } - IX509Certificate[] timestampCertificates = timestampSignatureContainer.GetCertificates(); - ValidateTimestampChain(validationReport, pkcs7.GetTimeStampTokenInfo(), timestampCertificates, timestampSignatureContainer - .GetSigningCertificate()); - if (StopValidation(validationReport, validationContext)) { + validationReport.Merge(tsValidationReport); + if (StopValidation(tsValidationReport, validationContext)) { return validationReport; } } - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); IX509Certificate[] certificates = pkcs7.GetCertificates(); 
certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(certificates)); IX509Certificate signingCertificate = pkcs7.GetSigningCertificate(); ValidationReport signatureReport = new ValidationReport(); certificateChainValidator.Validate(signatureReport, validationContext, signingCertificate, lastKnownPoE); - if (signatureReport.GetValidationResult() != ValidationReport.ValidationResult.VALID) { + if (isPoEUpdated && signatureReport.GetValidationResult() != ValidationReport.ValidationResult.VALID) { // We can only use PoE retrieved from timestamp attribute in case main signature validation is successful. - // That's why if the result is not valid, we set back lastKnownPoE value, validation context and DSS. + // That's why if the result is not valid, we set back lastKnownPoE value, validation context and rev data. lastKnownPoE = previousLastKnowPoE; validationContext = previousValidationContext; - UpdateValidationOcspClient(validationReport, validationContext, document); - UpdateValidationCrlClient(validationReport, validationContext, document); + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + UpdateValidationClients(pkcs7, validationReport, validationContext, document); } return validationReport.Merge(signatureReport); } 
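Review bot: In the rollback branch of ValidateLatestSignature (`isPoEUpdated && signatureReport.GetValidationResult() != ValidationReport.ValidationResult.VALID`), the revocation data registered earlier under the timestamp-derived PoE is not removed. The code restores `lastKnownPoE` and then calls `RetrieveSignedRevocationInfoFromSignatureContainer` and `UpdateValidationClients` a second time. That undoes the earlier registration only if `AddCrl` and `AddResponse` replace an existing entry for the same response, which this patch does not show. If they do, state that reliance next to the calls, e.g. `// Re-adding overwrites the entries recorded with the timestamp PoE.` If they keep the earlier date, the responses stay tied to a PoE that the comment above says must not be used.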
@@ -276,29 +256,96 @@ private PdfPKCS7 MathematicallyVerifySignature(ValidationReport validationReport return pkcs7; } - private ValidationReport ValidateTimestampChain(ValidationReport validationReport, ITstInfo timeStampTokenInfo - , IX509Certificate[] knownCerts, IX509Certificate signingCert) { - certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(knownCerts)); + private ValidationReport ValidateEmbeddedTimestamp(PdfPKCS7 pkcs7) { ValidationReport tsValidationReport = new ValidationReport(); - certificateChainValidator.Validate(tsValidationReport, validationContext.SetCertificateSource(CertificateSource + try { + if (!pkcs7.VerifyTimestampImprint()) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus + .INVALID)); + } + } + catch (AbstractGeneralSecurityException e) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus + .INVALID)); + } + if (StopValidation(tsValidationReport, validationContext)) { + return tsValidationReport; + } + PdfPKCS7 timestampSignatureContainer = pkcs7.GetTimestampSignatureContainer(); + RetrieveSignedRevocationInfoFromSignatureContainer(timestampSignatureContainer, validationContext); + try { + if (!timestampSignatureContainer.VerifySignatureIntegrityAndAuthenticity()) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, ReportItem.ReportItemStatus + .INVALID)); + } + } + catch (AbstractGeneralSecurityException e) { + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, CANNOT_VERIFY_TIMESTAMP, e, ReportItem.ReportItemStatus + .INVALID)); + } + if (StopValidation(tsValidationReport, validationContext)) { + return tsValidationReport; + } + IX509Certificate[] timestampCertificates = timestampSignatureContainer.GetCertificates(); + ValidateTimestampChain(tsValidationReport, timestampCertificates, 
timestampSignatureContainer.GetSigningCertificate + ()); + return tsValidationReport; + } + + private void ValidateTimestampChain(ValidationReport validationReport, IX509Certificate[] knownCerts, IX509Certificate + signingCert) { + certificateRetriever.AddKnownCertificates(JavaUtil.ArraysAsList(knownCerts)); + certificateChainValidator.Validate(validationReport, validationContext.SetCertificateSource(CertificateSource .TIMESTAMP), signingCert, lastKnownPoE); - validationReport.Merge(tsValidationReport); + } + + private bool UpdateLastKnownPoE(ValidationReport tsValidationReport, ITstInfo timeStampTokenInfo) { if (tsValidationReport.GetValidationResult() == ValidationReport.ValidationResult.VALID) { try { lastKnownPoE = timeStampTokenInfo.GetGenTime(); if (validationContext.GetTimeBasedContext() == TimeBasedContext.PRESENT) { validationContext = validationContext.SetTimeBasedContext(TimeBasedContext.HISTORICAL); } + return true; } catch (Exception e) { - validationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e, ReportItem.ReportItemStatus + tsValidationReport.AddReportItem(new ReportItem(TIMESTAMP_VERIFICATION, TIMESTAMP_EXTRACTION_FAILED, e, ReportItem.ReportItemStatus .INDETERMINATE)); } } - return validationReport; + return false; + } + + private void UpdateValidationClients(PdfPKCS7 pkcs7, ValidationReport validationReport, ValidationContext + validationContext, PdfDocument document) { + RetrieveOcspResponsesFromDss(validationReport, validationContext, document); + RetrieveCrlResponsesFromDss(validationReport, validationContext, document); + RetrieveSignedRevocationInfoFromSignatureContainer(pkcs7, validationContext); + } + + private void RetrieveSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7, ValidationContext validationContext + ) { + if (pkcs7.GetCRLs() != null) { + foreach (IX509Crl crl in pkcs7.GetCRLs()) { + validationCrlClient.AddCrl((IX509Crl)crl, lastKnownPoE, 
validationContext.GetTimeBasedContext()); + } + } + if (pkcs7.GetOcsp() != null) { + validationOcspClient.AddResponse(pkcs7.GetOcsp(), lastKnownPoE, validationContext.GetTimeBasedContext()); + } + } + + private void RetrieveNotSignedRevocationInfoFromSignatureContainer(PdfPKCS7 pkcs7, ValidationContext validationContext + ) { + foreach (IX509Crl crl in pkcs7.GetSignedDataCRLs()) { + validationCrlClient.AddCrl((IX509Crl)crl, lastKnownPoE, validationContext.GetTimeBasedContext()); + } + foreach (IBasicOcspResponse oscp in pkcs7.GetSignedDataOcsps()) { + validationOcspClient.AddResponse(oscp, lastKnownPoE, validationContext.GetTimeBasedContext()); + } } - private void UpdateValidationOcspClient(ValidationReport validationReport, ValidationContext context, PdfDocument + private void RetrieveOcspResponsesFromDss(ValidationReport validationReport, ValidationContext context, PdfDocument document) { PdfDictionary dss = document.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS); if (dss != null) { @@ -323,7 +370,7 @@ private void UpdateValidationOcspClient(ValidationReport validationReport, Valid } } - private void UpdateValidationCrlClient(ValidationReport validationReport, ValidationContext context, PdfDocument + private void RetrieveCrlResponsesFromDss(ValidationReport validationReport, ValidationContext context, PdfDocument document) { PdfDictionary dss = document.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS); if (dss != null) { diff --git a/port-hash b/port-hash index 1207cb84a..6c31ceae0 100644 --- a/port-hash +++ b/port-hash @@ -1 +1 @@ -174e3e01db8fc32c3cc06e043b36de249f7a45c8 +b6139dd529e7df47bdcdc5c8673f6e786e4e9844
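Review bot: `RetrieveNotSignedRevocationInfoFromSignatureContainer` iterates `pkcs7.GetSignedDataCRLs()` and `pkcs7.GetSignedDataOcsps()` without the null guard that `RetrieveSignedRevocationInfoFromSignatureContainer` applies to `GetCRLs()` and `GetOcsp()` just above it. These collections come from the part of the container the signature does not cover. If either accessor can return null for a container without such entries (not visible in this patch), validation would end in a NullReferenceException instead of a report item. Guard them the same way, e.g. `if (pkcs7.GetSignedDataCRLs() != null) { ... }`. Minor: the loop variable `oscp` should read `ocsp`, and the `(IX509Crl)crl` casts are redundant because the loop variable already has that type.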