Support MAC integrity protection in two step signing
DEVSIX-8637

Autoported commit.
Original commit hash: [4cf0b52d4]
Manual files:
bouncy-castle-adapter/src/main/java/com/itextpdf/bouncycastle/BouncyCastleFactory.java
bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java
kernel/src/main/java/com/itextpdf/kernel/utils/IdleOutputStream.java
sign/src/test/java/com/itextpdf/signatures/sign/TwoPhaseSigningTest.java
Eugene Bochilo committed Nov 16, 2024
1 parent d515302 commit 0549443
Showing 23 changed files with 493 additions and 144 deletions.
Expand Up @@ -96,21 +96,48 @@ public virtual void AddSignatureToPreparedDocumentTest() {
PdfTwoPhaseSigner signer = new PdfTwoPhaseSigner(reader, outputStream);
int estimatedSize = 8079;
SignerProperties signerProperties = new SignerProperties();
byte[] digest = signer.PrepareDocumentForSignature(signerProperties, DigestAlgorithms.SHA256, PdfName.Adobe_PPKLite
, PdfName.Adbe_pkcs7_detached, estimatedSize, false);
signer.PrepareDocumentForSignature(signerProperties, DigestAlgorithms.SHA256, PdfName.Adobe_PPKLite, PdfName
.Adbe_pkcs7_detached, estimatedSize, false);
String fieldName = signerProperties.GetFieldName();
PdfReader resultReader = new PdfReader(new MemoryStream(outputStream.ToArray()));
PdfDocument resultDoc = new PdfDocument(resultReader);
ByteArrayOutputStream completedOutputStream = new ByteArrayOutputStream();
byte[] testData = ByteUtils.GetIsoBytes("Some data to test the signature addition with");
PdfTwoPhaseSigner.AddSignatureToPreparedDocument(resultDoc, fieldName, completedOutputStream, testData);
resultReader = new PdfReader(new MemoryStream(completedOutputStream.ToArray()));
resultDoc = new PdfDocument(resultReader);
SignatureUtil signatureUtil = new SignatureUtil(resultDoc);
PdfSignature signature = signatureUtil.GetSignature(fieldName);
byte[] content = signature.GetContents().GetValueBytes();
for (int i = 0; i < testData.Length; i++) {
NUnit.Framework.Assert.AreEqual(testData[i], content[i]);
using (PdfReader resultReader = new PdfReader(new MemoryStream(outputStream.ToArray()))) {
ByteArrayOutputStream completedOutputStream = new ByteArrayOutputStream();
byte[] testData = ByteUtils.GetIsoBytes("Some data to test the signature addition with");
PdfTwoPhaseSigner.AddSignatureToPreparedDocument(resultReader, fieldName, completedOutputStream, testData);
using (PdfDocument resultDoc = new PdfDocument(new PdfReader(new MemoryStream(completedOutputStream.ToArray
())))) {
SignatureUtil signatureUtil = new SignatureUtil(resultDoc);
PdfSignature signature = signatureUtil.GetSignature(fieldName);
byte[] content = signature.GetContents().GetValueBytes();
for (int i = 0; i < testData.Length; i++) {
NUnit.Framework.Assert.AreEqual(testData[i], content[i]);
}
}
}
}

[NUnit.Framework.Test]
public virtual void AddSignatureToPreparedDocumentDeprecatedApiTest() {
PdfReader reader = new PdfReader(new MemoryStream(CreateSimpleDocument()));
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
PdfTwoPhaseSigner signer = new PdfTwoPhaseSigner(reader, outputStream);
int estimatedSize = 8079;
SignerProperties signerProperties = new SignerProperties();
signer.PrepareDocumentForSignature(signerProperties, DigestAlgorithms.SHA256, PdfName.Adobe_PPKLite, PdfName
.Adbe_pkcs7_detached, estimatedSize, false);
String fieldName = signerProperties.GetFieldName();
using (PdfDocument document = new PdfDocument(new PdfReader(new MemoryStream(outputStream.ToArray())))) {
ByteArrayOutputStream completedOutputStream = new ByteArrayOutputStream();
byte[] testData = ByteUtils.GetIsoBytes("Some data to test the signature addition with");
PdfTwoPhaseSigner.AddSignatureToPreparedDocument(document, fieldName, completedOutputStream, testData);
using (PdfDocument resultDoc = new PdfDocument(new PdfReader(new MemoryStream(completedOutputStream.ToArray
())))) {
SignatureUtil signatureUtil = new SignatureUtil(resultDoc);
PdfSignature signature = signatureUtil.GetSignature(fieldName);
byte[] content = signature.GetContents().GetValueBytes();
for (int i = 0; i < testData.Length; i++) {
NUnit.Framework.Assert.AreEqual(testData[i], content[i]);
}
}
}
}
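Review bot: The verification loops in AddSignatureToPreparedDocumentTest and the new AddSignatureToPreparedDocumentDeprecatedApiTest compare only the first `testData.Length` bytes of the signature contents, so a result that is too short fails with an index exception instead of an assertion, and the bytes after the inserted data are never checked. Adding `NUnit.Framework.Assert.IsTrue(content.Length >= testData.Length);` before each loop would make that failure mode explicit. If the placeholder is expected to be zero-padded up to the estimated size (not visible here), asserting that the remaining bytes are zero would also catch stale data left in the container. The two test bodies differ only in which overload they call, so the check could live in one shared private helper.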

Expand Up @@ -30,7 +30,6 @@ You should have received a copy of the GNU Affero General Public License
using iText.Commons.Bouncycastle.Crypto;
using iText.Commons.Utils;
using iText.Kernel.Crypto;
using iText.Kernel.Exceptions;
using iText.Kernel.Logs;
using iText.Kernel.Pdf;
using iText.Signatures;
Expand Down Expand Up @@ -82,20 +81,12 @@ public virtual void SignMacProtectedDocTest(String certName, String signingOpera
))) {
using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
if (signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.Catch(typeof(PdfException), () => PerformSigningOperation(signingOperation, pdfSigner
, signRsaPrivateKey, signRsaChain));
}
else {
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}

[NUnit.Framework.TestCaseSource("CreateParameters")]
Expand All @@ -112,20 +103,12 @@ public virtual void SignNotMacProtectedDocTest(String certName, String signingOp
))) {
using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
if (signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.Catch(typeof(PdfException), () => PerformSigningOperation(signingOperation, pdfSigner
, signRsaPrivateKey, signRsaChain));
}
else {
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}

[NUnit.Framework.TestCaseSource("CreateParameters")]
Expand All @@ -145,7 +128,6 @@ public virtual void SignNotMacProtectedDoc17Test(String certName, String signing
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
// TODO DEVSIX-8637 Add else statement for empty signature container
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
Expand All @@ -171,7 +153,6 @@ public virtual void SignNotMacProtectedDocInAppendModeTest(String certName, Stri
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
// TODO DEVSIX-8637 Add else statement for empty signature container
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
Expand All @@ -193,20 +174,12 @@ public virtual void SignMacProtectedDocInAppendModeTest(String certName, String
))) {
using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties().UseAppendMode());
if (signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.Catch(typeof(PdfException), () => PerformSigningOperation(signingOperation, pdfSigner
, signRsaPrivateKey, signRsaChain));
}
else {
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}

[NUnit.Framework.TestCaseSource("CreateParameters")]
Expand All @@ -223,20 +196,12 @@ public virtual void SignMacProtectedDocWithSHA3_384Test(String certName, String
))) {
using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
if (signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.Catch(typeof(PdfException), () => PerformSigningOperation(signingOperation, pdfSigner
, signRsaPrivateKey, signRsaChain));
}
else {
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
if (!signingOperation.Equals("signExternalContainerBlank")) {
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}
ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}

[NUnit.Framework.TestCaseSource("CreateParameters")]
Expand All @@ -262,19 +227,11 @@ public virtual void SignMacPublicEncryptionDocTest(String certName, String signi
using (PdfReader reader = new PdfReader(srcFileName, properties)) {
using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
if (signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.Catch(typeof(PdfException), () => PerformSigningOperation(signingOperation, pdfSigner
, signRsaPrivateKey, signRsaChain));
}
else {
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
PerformSigningOperation(signingOperation, pdfSigner, signRsaPrivateKey, signRsaChain);
}
}
if (!signingOperation.Equals("signExternalContainerBlank")) {
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}
NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
, properties));
}

private static void PerformSigningOperation(String signingOperation, PdfSigner pdfSigner, IPrivateKey privateKey
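Review bot: The hunks in SignNotMacProtectedDoc17Test and SignNotMacProtectedDocInAppendModeTest delete the `// TODO DEVSIX-8637 Add else statement for empty signature container` comment but keep the `if (!signingOperation.Equals("signExternalContainerBlank"))` guard, so in those two tests the blank-container output is still written without any assertion on it. Every other test in this section now runs `SignaturesCompareTool.CompareSignatures` unconditionally. If the skip is deliberate for these two inputs, replace the TODO with a comment that states the reason, e.g. `// signExternalContainerBlank is not compared here because <reason>`; otherwise drop the guard so these cases are compared as well. Both test bodies start and end outside their hunks, so the rest of the guarded block is not visible.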