Support XML signature validation for LOTL files

DEVSIX-9200

Author: Eugene Bochilo

pom.xml

@@ -107,6 +107,7 @@
     <sonar.dependencyCheck.htmlReportPath>target/dependency-check-report.html</sonar.dependencyCheck.htmlReportPath>
     <sonar.dependencyCheck.reportPath>target/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
     <surefire.version>3.0.0-M3</surefire.version>
+    <apache.santuario.version>3.0.6</apache.santuario.version>
 
     <sharpen.builddotnet>false</sharpen.builddotnet>
     <sharpen.showdiff>false</sharpen.showdiff>

sharpenConfiguration.xml

@@ -465,6 +465,10 @@
                 <file path="com/itextpdf/forms/xfdf/ExceptionTestXmlParserFactory.java"/>
             </fileset>
             <!-- sign -->
+            <fileset reason="XML validation is different in .NET">
+                <file path="com/itextpdf/signatures/validation/XmlValidationUtils.java" />
+                <file path="com/itextpdf/signatures/validation/CertificateSelector.java" />
+            </fileset>
             <file path="com/itextpdf/signatures/ProviderDigest.java"/>
             <fileset reason="ProviderDigest class exists only on Java.">
                 <file path="com/itextpdf/signatures/ProviderDigestUnitTest.java"/>

sign/pom.xml

@@ -56,6 +56,11 @@
       <version>9.3.0-SNAPSHOT</version>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.santuario</groupId>
+      <artifactId>xmlsec</artifactId>
+      <version>${apache.santuario.version}</version>
+    </dependency>
   </dependencies>
 
   <profiles>

sign/src/main/java/com/itextpdf/signatures/validation/CertificateSelector.java

@@ -0,0 +1,42 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import java.security.cert.X509Certificate;
+
+class CertificateSelector {
+    private X509Certificate certificate;
+
+    public CertificateSelector() {
+        // Empty constructor.
+    }
+
+    public X509Certificate getCertificate() {
+        return certificate;
+    }
+
+    public CertificateSelector setCertificate(X509Certificate certificate) {
+        this.certificate = certificate;
+        return this;
+    }
+}

sign/src/main/java/com/itextpdf/signatures/validation/ValidatorChainBuilder.java

@@ -55,6 +55,7 @@ public class ValidatorChainBuilder {
     private Supplier<DocumentRevisionsValidator> documentRevisionsValidatorFactory;
     private Supplier<IOcspClientBouncyCastle> ocspClientFactory;
     private Supplier<ICrlClient> crlClientFactory;
+    private Supplier<XmlSignatureValidator> xmlSignatureValidatorFactory;
 
     private Collection<Certificate> trustedCertificates;
     private Collection<Certificate> knownCertificates;
@@ -73,6 +74,7 @@ public ValidatorChainBuilder() {
         documentRevisionsValidatorFactory = () -> buildDocumentRevisionsValidator();
         ocspClientFactory = () -> new OcspClientBouncyCastle();
         crlClientFactory = () -> new CrlClientOnline();
+        xmlSignatureValidatorFactory = () -> buildXmlSignatureValidator();
     }
 
     /**
@@ -331,6 +333,15 @@ public AdESReportAggregator getAdESReportAggregator() {
         return adESReportAggregator;
     }
 
+    /**
+     * Retrieves the explicitly added or automatically created {@link IResourceRetriever} instance.
+     *
+     * @return the explicitly added or automatically created {@link IResourceRetriever} instance.
+     */
+    public IResourceRetriever getResourceRetriever() {
+        return resourceRetrieverFactory.get();
+    }
+
     /**
      * Retrieves the explicitly added or automatically created {@link DocumentRevisionsValidator} instance.
      *
@@ -376,15 +387,6 @@ IOcspClientBouncyCastle getOcspClient() {
         return ocspClientFactory.get();
     }
 
-    /**
-     * Retrieves the explicitly added or automatically created {@link IResourceRetriever} instance.
-     *
-     * @return the explicitly added or automatically created {@link IResourceRetriever} instance.
-     */
-    public IResourceRetriever getResourceRetriever() {
-        return resourceRetrieverFactory.get();
-    }
-
     /**
      * Retrieves the explicitly added or automatically created {@link CRLValidator} instance.
      *
@@ -403,6 +405,19 @@ OCSPValidator getOCSPValidator() {
         return ocspValidatorFactory.get();
     }
 
+    ValidatorChainBuilder withXmlSignatureValidator(Supplier<XmlSignatureValidator> xmlSignatureValidatorFactory) {
+        this.xmlSignatureValidatorFactory = xmlSignatureValidatorFactory;
+        return this;
+    }
+
+    XmlSignatureValidator getXmlSignatureValidator() {
+        return xmlSignatureValidatorFactory.get();
+    }
+
+    XmlSignatureValidator buildXmlSignatureValidator() {
+        return new XmlSignatureValidator(this);
+    }
+
     private IssuingCertificateRetriever buildIssuingCertificateRetriever() {
         IssuingCertificateRetriever result = new IssuingCertificateRetriever(this.resourceRetrieverFactory.get());
         if (trustedCertificates != null) {

sign/src/main/java/com/itextpdf/signatures/validation/XmlSignatureValidator.java

@@ -0,0 +1,86 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import com.itextpdf.commons.utils.DateTimeUtil;
+import com.itextpdf.signatures.validation.context.CertificateSource;
+import com.itextpdf.signatures.validation.context.TimeBasedContext;
+import com.itextpdf.signatures.validation.context.ValidationContext;
+import com.itextpdf.signatures.validation.context.ValidatorContext;
+import com.itextpdf.signatures.validation.report.ReportItem;
+import com.itextpdf.signatures.validation.report.ReportItem.ReportItemStatus;
+import com.itextpdf.signatures.validation.report.ValidationReport;
+
+import java.io.InputStream;
+
+class XmlSignatureValidator {
+    static final String XML_SIGNATURE_VERIFICATION = "XML Signature verification check.";
+    static final String XML_SIGNATURE_VERIFICATION_EXCEPTION =
+            "XML Signature verification threw exception. Validation wasn't successful.";
+    static final String NO_CERTIFICATE =
+            "XML signing certificate wasn't find in the document. Validation wasn't successful.";
+    static final String XML_SIGNATURE_VERIFICATION_FAILED =
+            "XML Signature verification wasn't successful. Signature is invalid.";
+    private final CertificateChainValidator certificateChainValidator;
+    private final SignatureValidationProperties properties;
+    private final ValidationContext context;
+
+    XmlSignatureValidator(ValidatorChainBuilder builder) {
+        this.certificateChainValidator = builder.getCertificateChainValidator();
+        this.properties = builder.getProperties();
+        this.context = new ValidationContext(
+                ValidatorContext.XML_SIGNATURE_VALIDATOR, CertificateSource.LOTL_CERT, TimeBasedContext.PRESENT);
+    }
+
+    ValidationReport validate(InputStream xmlDocumentInputStream) {
+        ValidationReport report = new ValidationReport();
+        CertificateSelector keySelector = new CertificateSelector();
+        try {
+            boolean coreValidity =
+                    XmlValidationUtils.createXmlDocumentAndCheckValidity(xmlDocumentInputStream, keySelector);
+            if (!coreValidity) {
+                report.addReportItem(new ReportItem(
+                        XML_SIGNATURE_VERIFICATION, XML_SIGNATURE_VERIFICATION_FAILED, ReportItemStatus.INVALID));
+            }
+        } catch (Exception e) {
+            report.addReportItem(new ReportItem(
+                    XML_SIGNATURE_VERIFICATION, XML_SIGNATURE_VERIFICATION_EXCEPTION, e, ReportItemStatus.INVALID));
+        }
+        if (stopValidation(report, context)) {
+            return report;
+        }
+
+        if (keySelector.getCertificate() == null) {
+            report.addReportItem(new ReportItem(XML_SIGNATURE_VERIFICATION, NO_CERTIFICATE, ReportItemStatus.INVALID));
+            return report;
+        }
+        certificateChainValidator.validate(
+                report, context, keySelector.getCertificate(), DateTimeUtil.getCurrentTimeDate());
+        return report;
+    }
+
+    private boolean stopValidation(ValidationReport result, ValidationContext context) {
+        return !properties.getContinueAfterFailure(context)
+                && result.getValidationResult() == ValidationReport.ValidationResult.INVALID;
+    }
+}

sign/src/main/java/com/itextpdf/signatures/validation/XmlValidationUtils.java

@@ -0,0 +1,97 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.kernel.utils.XmlProcessorCreator;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.X509Certificate;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.signature.XMLSignature;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+final class XmlValidationUtils {
+    static final String CERTIFICATE_NOT_FOUND =
+            "\"X509Certificate\" object isn't found in the signature. Other certificate sources are not supported.";
+    static final String KEY_INFO_NULL = "Key info in XML signature cannot be null.";
+
+    private XmlValidationUtils() {
+        // Private constructor so that the class instance cannot be instantiated.
+    }
+
+    public static boolean createXmlDocumentAndCheckValidity(InputStream xmlDocumentInputStream,
+            CertificateSelector keySelector) throws IOException, SAXException, XMLSecurityException {
+        Document xmlDocument = XmlProcessorCreator.createSafeDocumentBuilder(true, false)
+                .parse(xmlDocumentInputStream);
+
+        preProcessXmlDocument(xmlDocument);
+        Node sigElement = xmlDocument.getElementsByTagName("ds:Signature").item(0);
+        if (sigElement == null) {
+            sigElement = xmlDocument.getElementsByTagName("Signature").item(0);
+        }
+        org.apache.xml.security.Init.init();
+        XMLSignature signature = new XMLSignature((Element) sigElement, "", true,
+                BouncyCastleFactoryCreator.getFactory().getProvider());
+
+        if (signature.getKeyInfo() == null) {
+            throw new PdfException(KEY_INFO_NULL);
+        }
+        X509Certificate cert = signature.getKeyInfo().getX509Certificate();
+        if (cert == null) {
+            throw new PdfException(CERTIFICATE_NOT_FOUND);
+        }
+        keySelector.setCertificate(cert);
+        return signature.checkSignatureValue(cert);
+    }
+
+    private static void preProcessXmlDocument(Document xmlDocument) {
+        Element rootElement = xmlDocument.getDocumentElement();
+        setIdRecursively(rootElement);
+    }
+
+    private static void setIdRecursively(Element element) {
+        NamedNodeMap attributes = element.getAttributes();
+        for (int i = 0; i < attributes.getLength(); ++i) {
+            Node attribute = attributes.item(i);
+            if ("ID".equalsIgnoreCase(attribute.getLocalName())) {
+                element.setIdAttribute(attribute.getNodeName(), true);
+            }
+        }
+
+        NodeList children = element.getChildNodes();
+        for (int i = 0; i < children.getLength(); ++i) {
+            Node child = children.item(i);
+            if (child instanceof Element) {
+                setIdRecursively((Element) child);
+            }
+        }
+    }
+}

sign/src/main/java/com/itextpdf/signatures/validation/context/CertificateSource.java

@@ -49,5 +49,9 @@ public enum CertificateSource {
     /**
      * The context while validating a timestamp issuer certificate.
      */
-    TIMESTAMP
+    TIMESTAMP,
+    /**
+     * A certificate, which is used to sign List of Trusted Lists.
+     */
+    LOTL_CERT
 }

sign/src/main/java/com/itextpdf/signatures/validation/context/ValidatorContext.java

@@ -27,6 +27,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.OCSPValidator;
 import com.itextpdf.signatures.validation.RevocationDataValidator;
 import com.itextpdf.signatures.validation.DocumentRevisionsValidator;
+import com.itextpdf.signatures.validation.SignatureValidator;
 
 /**
  * This enum lists all possible contexts related to the validator in which the validation is taking place.
@@ -49,11 +50,15 @@ public enum ValidatorContext {
      */
     CERTIFICATE_CHAIN_VALIDATOR,
     /**
-     * This value is expected to be used in SignatureValidator context.
+     * This value is expected to be used in {@link SignatureValidator} context.
      */
     SIGNATURE_VALIDATOR,
     /**
      * This value is expected to be used in {@link DocumentRevisionsValidator} context.
      */
-    DOCUMENT_REVISIONS_VALIDATOR
+    DOCUMENT_REVISIONS_VALIDATOR,
+    /**
+     * This value is expected to be used in XmlSignatureValidator context.
+     */
+    XML_SIGNATURE_VALIDATOR
 }