Support ocsp archive cutoff extension
DEVSIX-8353

Autoported commit.
Original commit hash: [1102018db]
Manual files:
bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/BouncyCastleFactory.java
bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/cert/ocsp/BasicOCSPRespBC.java
bouncy-castle-connector/src/main/java/com/itextpdf/bouncycastleconnector/BouncyCastleDefaultFactory.java
bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java
bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/cert/ocsp/BasicOCSPRespBCFips.java
commons/src/main/java/com/itextpdf/commons/bouncycastle/IBouncyCastleFactory.java
commons/src/main/java/com/itextpdf/commons/bouncycastle/cert/ocsp/IBasicOCSPResp.java
sign/src/test/java/com/itextpdf/signatures/testutils/builder/TestOcspResponseBuilder.java
Failed to automatically remove the C# analogs of the following files:
sign/src/test/java/com/itextpdf/signatures/validation/v1/AssertCertificateReportItem.java
AnhelinaM committed Jun 5, 2024
1 parent 455ad0b commit 4ccad97
Showing 17 changed files with 172 additions and 267 deletions.
Expand Up @@ -31,7 +31,6 @@ You should have received a copy of the GNU Affero General Public License
using iText.Commons.Bouncycastle.Cert;
using iText.Commons.Bouncycastle.Cert.Ocsp;
using iText.Commons.Bouncycastle.Crypto;
using iText.Commons.Utils;

namespace iText.Signatures.Testutils.Builder {
public class TestOcspResponseBuilder {
Expand All @@ -54,6 +53,9 @@ public class TestOcspResponseBuilder {
private IX509Certificate[] chain;

private bool chainSet = false;

private Dictionary<IDerObjectIdentifier, IX509Extension> extensions = new Dictionary<IDerObjectIdentifier, IX509Extension>();


public TestOcspResponseBuilder(IX509Certificate issuerCert, IPrivateKey issuerPrivateKey,
ICertStatus certificateStatus)
Expand Down Expand Up @@ -90,6 +92,10 @@ public virtual void SetProducedAt(DateTime producedAt) {
this.producedAt = producedAt;
}

public virtual void AddResponseExtension(IDerObjectIdentifier objectIdentifier, IDerOctetString extensionValue) {
this.extensions.Add(objectIdentifier, FACTORY.CreateExtension(false, extensionValue));
}

public virtual byte[] MakeOcspResponse(byte[] requestBytes) {
IBasicOcspResponse ocspResponse = MakeOcspResponseObject(requestBytes);
return ocspResponse.GetEncoded();
Expand All @@ -102,14 +108,13 @@ public virtual IBasicOcspResponse MakeOcspResponseObject(byte[] requestBytes) {
IX509Extension extNonce = ocspRequest.GetExtension(FACTORY.CreateOCSPObjectIdentifiers()
.GetIdPkixOcspNonce());
if (!FACTORY.IsNullExtension(extNonce)) {
// TODO ensure
IX509Extensions responseExtensions = FACTORY.CreateExtensions(new Dictionary<IDerObjectIdentifier, IX509Extension>() {
{
FACTORY.CreateOCSPObjectIdentifiers().GetIdPkixOcspNonce(), extNonce
}});
responseBuilder.SetResponseExtensions(responseExtensions);
extensions.Add(FACTORY.CreateOCSPObjectIdentifiers().GetIdPkixOcspNonce(), extNonce);
}

IX509Extensions responseExtensions = FACTORY.CreateExtensions(extensions);
responseBuilder.SetResponseExtensions(responseExtensions);
extensions.Clear();

foreach (IReq req in requestList) {
responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(),
FACTORY.CreateExtensions());
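Review bot: `extensions.Clear()` right after `responseBuilder.SetResponseExtensions(responseExtensions)` means a builder configured once through `AddResponseExtension` emits that extension only on the first `MakeOcspResponseObject` call; every later response produced by the same builder silently lacks it, so a test that reuses one builder for several requests would validate responses without the archive-cutoff extension it meant to exercise. The nonce branch also uses `extensions.Add(...)`, which throws `ArgumentException` if the caller already registered the nonce OID via `AddResponseExtension`. Building the response map from a copy of `extensions` and assigning the nonce through the indexer avoids both, and the `Clear()` can then go. `MakeOcspResponseObject` starts and ends outside this hunk.
```csharp
IX509Extension extNonce = ocspRequest.GetExtension(FACTORY.CreateOCSPObjectIdentifiers()
    .GetIdPkixOcspNonce());
// Work on a copy so the builder can serve several requests with the same extensions.
Dictionary<IDerObjectIdentifier, IX509Extension> responseExtensionMap =
    new Dictionary<IDerObjectIdentifier, IX509Extension>(extensions);
if (!FACTORY.IsNullExtension(extNonce)) {
    // Indexer rather than Add: a caller-registered nonce OID must not throw on the duplicate key.
    responseExtensionMap[FACTORY.CreateOCSPObjectIdentifiers().GetIdPkixOcspNonce()] = extNonce;
}
responseBuilder.SetResponseExtensions(FACTORY.CreateExtensions(responseExtensionMap));
// … unchanged: per-request AddResponse loop …
```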

This file was deleted.

Expand Up @@ -357,7 +357,7 @@ private byte[] CreateCrl(IX509Certificate issuerCert, IPrivateKey issuerKey, Dat

private byte[] CreateCrl(IX509Certificate issuerCert, IPrivateKey issuerKey, DateTime issueDate, DateTime
nextUpdate, IX509Certificate revokedCert, DateTime revocationDate, int reason) {
TestCrlBuilder builder = new TestCrlBuilder(issuerCert, issuerKey);
TestCrlBuilder builder = new TestCrlBuilder(issuerCert, issuerKey, issueDate);
if (nextUpdate != null) {
builder.SetNextUpdate(nextUpdate);
}
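Review bot: `if (nextUpdate != null)` on the line after the changed `TestCrlBuilder` constructor call is always true, because this overload declares `nextUpdate` as a non-nullable `DateTime`, so `builder.SetNextUpdate(nextUpdate)` runs unconditionally and the compiler warns about the comparison (CS0472). The guard presumably survives from the Java original, where the parameter could be null; either drop the check or make the parameter `DateTime? nextUpdate` and write `if (nextUpdate.HasValue) { builder.SetNextUpdate(nextUpdate.Value); }` so callers can actually omit the next-update time. `CreateCrl` ends outside this hunk.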
Expand Up @@ -88,8 +88,7 @@ public virtual void RevocationValidationCallTest() {
certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
));
certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
);
validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME);
NUnit.Framework.Assert.AreEqual(2, mockRevocationDataValidator.calls.Count);
MockRevocationDataValidator.RevocationDataValidatorCall call1 = mockRevocationDataValidator.calls[0];
NUnit.Framework.Assert.AreEqual(signingCert, call1.certificate);
Expand Up @@ -118,7 +118,7 @@ public virtual void ValidateAuthorizedOCSPResponderWithOcspRevokedTest() {

[NUnit.Framework.Test]
public virtual void ValidateAuthorizedOCSPResponderFromTheTrustedStoreTest() {
ValidationReport report = ValidateOcspWithoutCertsTest(true);
ValidationReport report = ValidateOcspWithoutCertsTest();
NUnit.Framework.Assert.AreEqual(0, report.GetFailures().Count);
NUnit.Framework.Assert.AreEqual(ValidationReport.ValidationResult.VALID, report.GetValidationResult());
}
Expand Down Expand Up @@ -161,10 +161,7 @@ public virtual void AuthorizedOcspResponderDoesNotHaveOcspSigningExtensionTest()
}

private ValidationReport ValidateTest(DateTime checkDate) {
return ValidateTest(checkDate, checkDate.AddDays(1), 0);
}

private ValidationReport ValidateTest(DateTime checkDate, DateTime thisUpdate, long freshness) {
DateTime thisUpdate = checkDate.AddDays(1);
TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
builder.SetThisUpdate(DateTimeUtil.GetCalendar(thisUpdate));
TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
Expand All @@ -174,38 +171,20 @@ private ValidationReport ValidateTest(DateTime checkDate, DateTime thisUpdate, l
certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
parameters.SetFreshness(ValidatorContexts.All(), CertificateSources.All(), TimeBasedContexts.All(), TimeSpan.FromDays
(freshness));
validator.Validate(report, baseContext, checkCert, basicOCSPResp.GetResponses()[0], basicOCSPResp, checkDate
);
return report;
}

private ValidationReport ValidateRevokedTest(DateTime checkDate, DateTime revocationDate) {
TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
builder.SetCertificateStatus(FACTORY.CreateRevokedStatus(revocationDate, FACTORY.CreateCRLReason().GetKeyCompromise
()));
TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
IBasicOcspResponse basicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspClient.
GetEncoded(checkCert, caCert, null)));
ValidationReport report = new ValidationReport();
certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
(0));
validator.Validate(report, baseContext, checkCert, basicOCSPResp.GetResponses()[0], basicOCSPResp, checkDate
);
return report;
}

private ValidationReport ValidateOcspWithoutCertsTest(bool addResponderToTrusted) {
private ValidationReport ValidateOcspWithoutCertsTest() {
TestOcspResponseBuilder builder = new TestOcspResponseBuilder(responderCert, ocspRespPrivateKey);
builder.SetOcspCertsChain(new IX509Certificate[0]);
TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
IBasicOcspResponse basicOCSPResp = FACTORY.CreateBasicOCSPResponse(FACTORY.CreateASN1Primitive(ocspClient.
GetEncoded(checkCert, caCert, null)));
ValidationReport report = new ValidationReport();
certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(caCert));
if (addResponderToTrusted) {
certificateRetriever.AddTrustedCertificates(JavaCollectionsUtil.SingletonList(responderCert));
}
certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(caCert, responderCert));
OCSPValidator validator = validatorChainBuilder.BuildOCSPValidator();
validator.Validate(report, baseContext, checkCert, basicOCSPResp.GetResponses()[0], basicOCSPResp, TimeTestUtil
.TEST_DATE_TIME);
Expand Down Expand Up @@ -250,18 +229,5 @@ private ValidationReport VerifyResponderWithOcsp(bool revokedOcsp) {
);
return report;
}

private class TestIssuingCertificateRetriever : IssuingCertificateRetriever {
internal IX509Certificate issuerCertificate;

public TestIssuingCertificateRetriever(String issuerPath)
: base() {
this.issuerCertificate = PemFileHelper.ReadFirstChain(issuerPath)[0];
}

public override IX509Certificate RetrieveIssuerCertificate(IX509Certificate certificate) {
return issuerCertificate;
}
}
}
}
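Review bot: `ValidateOcspWithoutCertsTest` now always places `responderCert` in the trusted store (`certificateRetriever.AddTrustedCertificates(JavaUtil.ArraysAsList(caCert, responderCert))`), so the former `addResponderToTrusted == false` path — responder certificate neither embedded in the response (`builder.SetOcspCertsChain(new IX509Certificate[0])`) nor trusted — is no longer exercised by this helper. That is the configuration in which the validator has no way to authenticate the responder and must reject the response; unless that negative case is covered by another test in the class, it is worth keeping a test for it rather than dropping the parameter. A one-line comment on the helper would also make the intent visible, e.g. `// Response carries no certificates; the responder is authenticated solely through the trusted store.` The helper's body continues past the end of the hunk.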