feat: sign protected pdfs

.github/workflows/test.yaml

@@ -67,4 +67,4 @@ jobs:
         with:
           name: code-coverage-report-markdown
           path: ./*/coverage-results.md
-          retention-days: 1
+          retention-days: 1

src/main/java/digital/slovensko/autogram/core/Autogram.java

@@ -4,10 +4,12 @@
 import digital.slovensko.autogram.core.visualization.DocumentVisualizationBuilder;
 import digital.slovensko.autogram.core.visualization.UnsupportedVisualization;
 import digital.slovensko.autogram.drivers.TokenDriver;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.ui.BatchUiResult;
 import digital.slovensko.autogram.ui.UI;
 import digital.slovensko.autogram.util.Logging;
 import digital.slovensko.autogram.util.PDFUtils;
+import eu.europa.esig.dss.enumerations.SignatureLevel;
 import eu.europa.esig.dss.model.DSSException;
 import eu.europa.esig.dss.pdfa.PDFAStructureValidator;
 import eu.europa.esig.dss.spi.x509.tsp.TSPSource;
@@ -56,22 +58,45 @@ public void checkPDFACompliance(SigningJob job) {
             return;
 
         ui.onWorkThreadDo(() -> {
+            // PDF/A doesn't support encryption
+            if (job.getDocument().hasOpenDocumentPassword()) {
+                ui.onUIThreadDo(() -> ui.onPDFAComplianceCheckFailed(job));
+                return;
+            }
+
             var result = new PDFAStructureValidator().validate(job.getDocument());
             if (!result.isCompliant()) {
                 ui.onUIThreadDo(() -> ui.onPDFAComplianceCheckFailed(job));
             }
         });
     }
 
+    public void handleProtectedPdfDocument(AutogramDocument document) {
+        var protection = PDFUtils.determinePDFProtection(document);
+        if (protection == PDFUtils.PDFProtection.NONE)
+            return;
+
+        var password = ui.getDocumentPassword(document);
+        switch (protection) {
+            case OPEN_DOCUMENT_PASSWORD -> document.setOpenDocumentPassword(password);
+            case MASTER_PASSWORD -> document.setMasterPassword(password);
+        }
+    }
+
+    public SigningJob buildSigningJobFromFile(File file, Responder responder, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
+        var document = SigningJob.createDSSFileDocumentFromFile(file);
+        handleProtectedPdfDocument(document);
+
+        var parameters = SigningJob.getParametersForFile(document, checkPDFACompliance, signatureType, isEn319132, tspSource, plainXmlEnabled);
+        return SigningJob.build(document, parameters, responder);
+    }
+
+    public void wrapInWorkThread(Runnable callback) {
+        ui.onWorkThreadDo(callback);
+    }
+
     public void startVisualization(SigningJob job) {
         ui.onWorkThreadDo(() -> {
-            if (PDFUtils.isPdfAndPasswordProtected(job.getDocument())) {
-                ui.onUIThreadDo(() -> {
-                    ui.showError(new AutogramException("Nastala chyba", "Dokument je chránený heslom", "Snažíte sa podpísať dokument chránený heslom, čo je funkcionalita, ktorá nie je podporovaná.\n\nOdstráňte ochranu heslom a potom budete môcť dokument podpísať."));
-                });
-                return;
-            }
-
             try {
                 var visualization = DocumentVisualizationBuilder.fromJob(job, settings);
                 ui.onUIThreadDo(() -> ui.showVisualization(visualization, this));

src/main/java/digital/slovensko/autogram/core/SignatureValidator.java

@@ -15,7 +15,7 @@
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
-import eu.europa.esig.dss.enumerations.ASiCContainerType;
+import digital.slovensko.autogram.model.AutogramDocument;
 import eu.europa.esig.dss.simplereport.SimpleReport;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -24,7 +24,6 @@
 
 import digital.slovensko.autogram.util.XMLUtils;
 import eu.europa.esig.dss.enumerations.SignatureLevel;
-import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.model.DSSException;
 import eu.europa.esig.dss.service.crl.OnlineCRLSource;
 import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
@@ -167,7 +166,7 @@ public static ValidationReports getSignatureCheckReport(SigningJob job) {
         return new ValidationReports(validator.validateDocument(), job);
     }
 
-    public static SimpleReport getSignedDocumentSimpleReport(DSSDocument document) {
+    public static SimpleReport getSignedDocumentSimpleReport(AutogramDocument document) {
         var validator = createDocumentValidator(document);
         if (validator == null)
             return null;

src/main/java/digital/slovensko/autogram/core/SigningJob.java

@@ -6,11 +6,11 @@
 import digital.slovensko.autogram.core.eforms.xdc.XDCBuilder;
 import digital.slovensko.autogram.core.eforms.xdc.XDCValidator;
 import digital.slovensko.autogram.core.errors.AutogramException;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.util.Logging;
 import eu.europa.esig.dss.asic.cades.signature.ASiCWithCAdESService;
 import eu.europa.esig.dss.asic.xades.signature.ASiCWithXAdESService;
 import eu.europa.esig.dss.cades.signature.CAdESService;
-import eu.europa.esig.dss.enumerations.MimeTypeEnum;
 import eu.europa.esig.dss.enumerations.SignatureLevel;
 import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.model.FileDocument;
@@ -24,16 +24,16 @@
 
 public class SigningJob {
     private final Responder responder;
-    private final DSSDocument document;
+    private final AutogramDocument document;
     private final SigningParameters parameters;
 
-    private SigningJob(DSSDocument document, SigningParameters parameters, Responder responder) {
+    private SigningJob(AutogramDocument document, SigningParameters parameters, Responder responder) {
         this.document = document;
         this.parameters = parameters;
         this.responder = responder;
     }
 
-    public DSSDocument getDocument() {
+    public AutogramDocument getDocument() {
         return this.document;
     }
 
@@ -46,7 +46,6 @@ public int getVisualizationWidth() {
     }
 
     public void signWithKeyAndRespond(SigningKey key) throws InterruptedException, AutogramException {
-
         Logging.log("Signing Job: " + this.hashCode() + " file " + getDocument().getName());
         boolean isContainer = getParameters().getContainer() != null;
         var doc = switch (getParameters().getSignatureType()) {
@@ -141,6 +140,7 @@ private DSSDocument signDocumentAsPAdeS(SigningKey key) {
         signatureParameters.setSigningCertificate(key.getCertificate());
         signatureParameters.setCertificateChain(key.getCertificateChain());
         signatureParameters.setSignWithExpiredCertificate(true);
+        signatureParameters.setPasswordProtection(document.getSigningPassword());
 
         if (signatureParameters.getSignatureLevel().equals(SignatureLevel.PAdES_BASELINE_T)) {
             service.setTspSource(getParameters().getTspSource());
@@ -153,7 +153,7 @@ private DSSDocument signDocumentAsPAdeS(SigningKey key) {
         return service.signDocument(getDocument(), signatureParameters, signatureValue);
     }
 
-    public static FileDocument createDSSFileDocumentFromFile(File file) {
+    public static AutogramDocument createDSSFileDocumentFromFile(File file) {
         var fileDocument = new FileDocument(file);
 
         if (fileDocument.getName().endsWith(".xdcf"))
@@ -165,12 +165,13 @@ else if (isXDC(fileDocument.getMimeType()) || isXML(fileDocument.getMimeType())
         else if (isTxt(fileDocument.getMimeType()))
             fileDocument.setMimeType(AutogramMimeType.TEXT_WITH_CHARSET);
 
-        return fileDocument;
+        return new AutogramDocument(fileDocument);
     }
 
-    private static SigningJob build(DSSDocument document, SigningParameters params, Responder responder) {
+    public static SigningJob build(AutogramDocument autogramDocument, SigningParameters params, Responder responder) {
+        DSSDocument document = autogramDocument;
         if (params.shouldCreateXdc() && !isXDC(document.getMimeType()) && !isAsice(document.getMimeType()))
-            document = XDCBuilder.transform(params, document.getName(), EFormUtils.getXmlFromDocument(document));
+            autogramDocument = new AutogramDocument(XDCBuilder.transform(params, document.getName(), EFormUtils.getXmlFromDocument(document)));
 
         if (isTxt(document.getMimeType()))
             document.setMimeType(AutogramMimeType.TEXT_WITH_CHARSET);
@@ -180,20 +181,10 @@ private static SigningJob build(DSSDocument document, SigningParameters params,
             document.setName(getXdcfFilename(document.getName()));
         }
 
-        return new SigningJob(document, params, responder);
-    }
-
-    public static SigningJob buildFromRequest(DSSDocument document, SigningParameters params, Responder responder) {
-        return build(document, params, responder);
-    }
-
-    public static SigningJob buildFromFile(File file, Responder responder, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
-        var document = createDSSFileDocumentFromFile(file);
-        var parameters = getParametersForFile(document, checkPDFACompliance, signatureType, isEn319132, tspSource, plainXmlEnabled);
-        return build(document, parameters, responder);
+        return new SigningJob(autogramDocument, params, responder);
     }
 
-    private static SigningParameters getParametersForFile(FileDocument document, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
+    public static SigningParameters getParametersForFile(AutogramDocument document, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
         var level = SignatureValidator.getSignedDocumentSignatureLevel(SignatureValidator.getSignedDocumentSimpleReport(document));
         if (level != null) switch (level.getSignatureForm()) {
             case PAdES:

src/main/java/digital/slovensko/autogram/core/errors/AutogramException.java

@@ -63,6 +63,8 @@ public static AutogramException createFromDSSException(DSSException e) {
                     return new TsaServerMisconfiguredException("Nie je nastavená žiadna adresa TSA servera. Skontrolujte nastavenia TSA servera.", cause);
                 } else if (cause instanceof IOException && (cause.getMessage().contains("The specified module could not be found") || cause.getMessage().contains("Zadaný modul sa nepodarilo"))) {
                     return new PkcsEidWindowsDllException(e);
+                } else if (cause instanceof eu.europa.esig.dss.pades.exception.InvalidPasswordException) {
+                    return new InvalidPasswordException("Zadali ste nesprávne heslo");
                 }
             }
         }

src/main/java/digital/slovensko/autogram/core/errors/InvalidPasswordException.java

@@ -0,0 +1,7 @@
+package digital.slovensko.autogram.core.errors;
+
+public class InvalidPasswordException extends AutogramException {
+    public InvalidPasswordException(String message) {
+        super("Nesprávne heslo", "Heslo je nesprávne", message);
+    }
+}

src/main/java/digital/slovensko/autogram/core/visualization/DocumentVisualizationBuilder.java

@@ -6,11 +6,11 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import digital.slovensko.autogram.core.UserSettings;
+import digital.slovensko.autogram.model.AutogramDocument;
 import eu.europa.esig.dss.model.DSSDocument;
 
 import org.xml.sax.SAXException;
 
-import digital.slovensko.autogram.core.AutogramMimeType;
 import static digital.slovensko.autogram.core.AutogramMimeType.*;
 import digital.slovensko.autogram.core.SigningJob;
 import digital.slovensko.autogram.core.SigningParameters;
@@ -22,10 +22,10 @@
 
 public class DocumentVisualizationBuilder {
 
-    private final DSSDocument document;
+    private final AutogramDocument document;
     private final SigningParameters parameters;
 
-    private DocumentVisualizationBuilder(DSSDocument document, SigningParameters parameters) {
+    private DocumentVisualizationBuilder(AutogramDocument document, SigningParameters parameters) {
         this.document = document;
         this.parameters = parameters;
     }
@@ -44,7 +44,7 @@ private Visualization createVisualization(SigningJob job, UserSettings userSetti
         var documentToDisplay = document;
         if (isAsice(documentToDisplay.getMimeType())) {
             try {
-                documentToDisplay = AsicContainerUtils.getOriginalDocument(document);
+                documentToDisplay = new AutogramDocument(AsicContainerUtils.getOriginalDocument(document));
             } catch (AutogramException e) {
                 return new UnsupportedVisualization(job);
             }
@@ -86,7 +86,7 @@ private boolean isTranformationAvailable(String transformation) {
         return transformation != null;
     }
 
-    private boolean isDocumentSupportingTransformation(DSSDocument document) {
+    private boolean isDocumentSupportingTransformation(AutogramDocument document) {
         return isXDC(document.getMimeType()) || isXML(document.getMimeType());
     }
 }

src/main/java/digital/slovensko/autogram/core/visualization/PDFVisualization.java

@@ -6,27 +6,27 @@
 
 import digital.slovensko.autogram.core.SigningJob;
 import digital.slovensko.autogram.core.UserSettings;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.ui.Visualizer;
-import eu.europa.esig.dss.model.DSSDocument;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.rendering.ImageType;
 import org.apache.pdfbox.rendering.PDFRenderer;
 
 import javax.imageio.ImageIO;
 
 public class PDFVisualization extends Visualization {
-    private final DSSDocument document;
+    private final AutogramDocument document;
     private final UserSettings settings;
 
 
-    public PDFVisualization(DSSDocument document, SigningJob job, UserSettings settings) {
+    public PDFVisualization(AutogramDocument document, SigningJob job, UserSettings settings) {
         super(job);
         this.document = document;
         this.settings = settings;
     }
 
     private ArrayList<byte []> getPdfImages() throws IOException {
-        var pdfDocument = PDDocument.load(this.document.openStream());
+        var pdfDocument = PDDocument.load(this.document.openStream(), new String(this.document.getOpenDocumentPassword()));
         var pdfRenderer = new PDFRenderer(pdfDocument);
         var divs = new ArrayList<byte[]>();
         for (int page = 0; page < pdfDocument.getNumberOfPages(); ++page) {

src/main/java/digital/slovensko/autogram/model/AutogramDocument.java

@@ -0,0 +1,88 @@
+package digital.slovensko.autogram.model;
+
+import eu.europa.esig.dss.enumerations.DigestAlgorithm;
+import eu.europa.esig.dss.enumerations.MimeType;
+import eu.europa.esig.dss.model.DSSDocument;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class AutogramDocument implements DSSDocument {
+    private final DSSDocument document;
+
+    private char[] openDocumentPassword = new char[0];
+    private char[] masterPassword = new char[0];
+
+    public AutogramDocument(DSSDocument document) {
+        this.document = document;
+    }
+
+    public boolean hasOpenDocumentPassword() {
+        return openDocumentPassword.length > 0;
+    }
+
+    public char[] getOpenDocumentPassword() {
+        return openDocumentPassword;
+    }
+
+    public void setOpenDocumentPassword(char[] openDocumentPassword) {
+        this.openDocumentPassword = openDocumentPassword;
+    }
+
+    public char[] getMasterPassword() {
+        return masterPassword;
+    }
+
+    public void setMasterPassword(char[] masterPassword) {
+        this.masterPassword = masterPassword;
+    }
+
+    public char[] getSigningPassword() {
+        return hasOpenDocumentPassword() ? openDocumentPassword : masterPassword;
+    }
+
+    @Override
+    public String getName() {
+        return document.getName();
+    }
+
+    @Override
+    public void setName(String s) {
+        document.setName(s);
+    }
+
+    @Override
+    public MimeType getMimeType() {
+        return document.getMimeType();
+    }
+
+    @Override
+    public void setMimeType(MimeType mimeType) {
+        document.setMimeType(mimeType);
+    }
+
+    @Override
+    public void save(String s) throws IOException {
+        document.save(s);
+    }
+
+    @Override
+    public String getDigest(DigestAlgorithm digestAlgorithm) {
+        return document.getDigest(digestAlgorithm);
+    }
+
+    @Override
+    public InputStream openStream() {
+        return document.openStream();
+    }
+
+    @Override
+    public void writeTo(OutputStream outputStream) throws IOException {
+        document.writeTo(outputStream);
+    }
+
+    public DSSDocument getDSSDocument() {
+        return document;
+    }
+}

src/main/java/digital/slovensko/autogram/server/SignEndpoint.java

@@ -24,12 +24,14 @@ public SignEndpoint(Autogram autogram) {
     public void handle(HttpExchange exchange) throws IOException {
         try {
             var body = EndpointUtils.loadFromJsonExchange(exchange, SignRequestBody.class);
+            autogram.handleProtectedPdfDocument(body.getDocument());
+
             body.validateDocument();
             body.validateSigningParameters();
 
             var responder = body.getBatchId() == null ? new ServerResponder(exchange)
                     : new ResponderInBatch(new ServerResponder(exchange), autogram.getBatch(body.getBatchId()));
-            var job = SigningJob.buildFromRequest(body.getDocument(), body.getParameters(autogram.getTspSource(), autogram.isPlainXmlEnabled()), responder);
+            var job = SigningJob.build(body.getDocument(), body.getParameters(autogram.getTspSource(), autogram.isPlainXmlEnabled()), responder);
 
             if (body.getBatchId() != null)
                 autogram.batchSign(job, body.getBatchId());