Use 'eu-trusted-lists-resources' to parse and load certificates

DEVSIX-9215

Author: guustysebie

commons/src/main/java/com/itextpdf/commons/utils/RuntimeUtil.java

@@ -0,0 +1,49 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.commons.utils;
+
+/**
+ * Utility class for runtime-related operations.
+ */
+public final class RuntimeUtil {
+
+    private RuntimeUtil() {
+        // Private constructor to prevent instantiation
+    }
+
+    /**
+     * Checks if a class is loaded in the current runtime environment.
+     *
+     * @param fullyQualifiedClassName the fully qualified name of the class to check
+     * @return true if the class is loaded, false otherwise
+     */
+    public static boolean isClassLoaded(String fullyQualifiedClassName) {
+        try {
+            Class.forName(fullyQualifiedClassName);
+            return true;
+        } catch (ClassNotFoundException ignored) {
+            // ignore the exception, it means the resources are not available
+            return false;
+        }
+    }
+}

commons/src/test/java/com/itextpdf/commons/utils/RuntimeUtilTest.java

@@ -0,0 +1,49 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.commons.utils;
+
+import com.itextpdf.test.ExtendedITextTest;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+
+
+@Tag("UnitTest")
+public class RuntimeUtilTest extends ExtendedITextTest {
+
+    @Test
+    void isClassLoaded() {
+        Assertions.assertTrue(
+                RuntimeUtil.isClassLoaded("com.itextpdf.commons.utils.RuntimeUtil"),
+                "The RuntimeUtil class should be loaded"
+        );
+    }
+
+    @Test
+    void isClassNotLoaded() {
+        Assertions.assertFalse(
+                RuntimeUtil.isClassLoaded("com.itextpdf.commons.utils.NonExistentClass"),
+                "The NonExistentClass should not be loaded"
+        );
+    }
+}

sharpenConfiguration.xml

@@ -53,6 +53,10 @@
                 <file path="com/itextpdf/commons/datastructures/ConcurrentWeakMap.java" />
                 <file path="com/itextpdf/commons/datastructures/ConcurrentWeakMapTest.java" />
             </fileset>
+            <fileset reason="Checking class instance is different">
+                <file path="com/itextpdf/commons/utils/RuntimeUtil.java"/>
+                <file path="com/itextpdf/commons/utils/RuntimeUtilTest.java"/>
+            </fileset>
             <fileset reason="SystemUtil is a manual class, and the methods of this class can have input and output other than java despite similar names.
         Therefore, the test for this class also cannot be ported automatically">
                 <file path="com/itextpdf/commons/utils/SystemUtilTest.java"/>
@@ -470,6 +474,10 @@
                 <file path="com/itextpdf/signatures/validation/lotl/CertificateSelector.java" />
                 <file path="com/itextpdf/signatures/validation/lotl/xml/XmlSaxProcessor.java" />
             </fileset>
+            <fileset reason="uri handeling and certificate handeling is different">
+                <file path="com/itextpdf/signatures/validation/EuropeanTrustedCertificatesResourceLoader.java"/>
+                <file path="com/itextpdf/signatures/validation/LoadFromModuleEuropeanTrustedListConfigurationFactory.java"/>
+            </fileset>
             <file path="com/itextpdf/signatures/ProviderDigest.java"/>
             <fileset reason="ProviderDigest class exists only on Java.">
                 <file path="com/itextpdf/signatures/ProviderDigestUnitTest.java"/>

sign/pom.xml

@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
@@ -61,10 +62,14 @@
       <artifactId>xmlsec</artifactId>
       <version>${apache.santuario.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.itextpdf</groupId>
+      <artifactId>eu-trusted-lists-resources</artifactId>
+      <version>1.0.0</version>
+      <optional>true</optional>
+    </dependency>
   </dependencies>
-
   <profiles>
-
     <profile>
       <id>bouncy-castle-test</id>
       <activation>

sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java

@@ -107,7 +107,7 @@ public final class SignExceptionMessageConstant {
     public static final String INVALID_ARGUMENTS = "Invalid parameters provided.";
     public static final String CMS_SIGNERINFO_READONLY =
             "Updating the signed attributes of this SignerInfo instance is" +
-            " not possible because it has been serialized or been initiated from a serialized version.";
+                    " not possible because it has been serialized or been initiated from a serialized version.";
     public static final String CMS_SIGNERINFO_NOT_INITIALIZED = "Signer info is not yet initialized";
     public static final String CMS_INVALID_CONTAINER_STRUCTURE = "Provided data is not a CMS container";
     public static final String CMS_ONLY_ONE_SIGNER_ALLOWED = "Only one signer per CMS container is allowed";
@@ -116,6 +116,12 @@ public final class SignExceptionMessageConstant {
             "The certificate set must at least contains the signer certificate";
     public static final String FAILED_TO_RETRIEVE_CERTIFICATE = "Failed to retrieve certificates from binary data.";
     public static final String FAILED_TO_GET_EU_LOTL = "Failed to get European List of Trusted Lists (LOTL) from {0}.";
+    public static final String CERTIFICATE_HASH_MISMATCH = "Certificate {0} hash mismatch.";
+    public static final String CERTIFICATE_HASH_NULL = "Hash was null.";
+    public static final String EU_RESOURCES_NOT_LOADED = "European Trusted List resources are not available. " +
+            "Please ensure that the itextpdf-eutrustedlistsresources module is included in your project. " +
+            "Alternatively, " +
+            " you can use the EuropeanTrustedListConfigurationFactory to load the resources from a custom location.";
 
     private SignExceptionMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly

sign/src/main/java/com/itextpdf/signatures/validation/EuropeanTrustedCertificatesResourceLoader.java

@@ -0,0 +1,100 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import com.itextpdf.commons.utils.MessageFormatUtil;
+import com.itextpdf.eutrustedlistsresources.EuropeanTrustedListConfiguration;
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.signatures.CertificateUtil;
+import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
+
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+
+/**
+ * Loads the certificates as published as part of the european journal publication "Information related to data on
+ * Member States' trusted lists as notified under Commission Implementing Decision (EU) 2015/1505"
+ */
+class EuropeanTrustedCertificatesResourceLoader {
+
+    private final EuropeanTrustedListConfiguration configuration;
+
+    /**
+     * Creates a new instance of {@link  EuropeanTrustedCertificatesResourceLoader}
+     */
+    EuropeanTrustedCertificatesResourceLoader(EuropeanTrustedListConfiguration config) {
+        this.configuration = config;
+    }
+
+    static void verifyCertificate(
+            String hashB64Encoded, Certificate certificate)
+            throws CertificateException, NoSuchAlgorithmException {
+        if (hashB64Encoded == null) {
+            throw new PdfException(SignExceptionMessageConstant.CERTIFICATE_HASH_NULL);
+        }
+        final MessageDigest digest = MessageDigest.getInstance("SHA-256");
+        final byte[] certHash = digest.digest(certificate.getEncoded());
+        if (!MessageDigest.isEqual(certHash, Base64.getDecoder().decode(hashB64Encoded))) {
+            if (certificate instanceof X509Certificate) {
+                X509Certificate x509Certificate = (X509Certificate) certificate;
+                throw new PdfException(MessageFormatUtil.format(SignExceptionMessageConstant.CERTIFICATE_HASH_MISMATCH,
+                        x509Certificate.getIssuerX500Principal().getName()));
+            }
+            throw new PdfException(MessageFormatUtil.format(
+                    SignExceptionMessageConstant.CERTIFICATE_HASH_MISMATCH, hashB64Encoded));
+        }
+    }
+
+    /**
+     * Loads the certificates from the European Trusted List configuration.
+     * And verifies if they match the expected SHA-256 hash.
+     *
+     * @return A list of X509Certificates.
+     */
+    public List<Certificate> loadCertificates() {
+        final ArrayList<Certificate> result = new ArrayList<>();
+        for (EuropeanTrustedListConfiguration.PemCertificateWithHash pemContainer : configuration.getCertificates()) {
+            Certificate certificate = CertificateUtil.readCertificatesFromPem(
+                    new ByteArrayInputStream(pemContainer.getPemCertificate().getBytes(
+                            StandardCharsets.UTF_8)))[0];
+            result.add(certificate);
+            try {
+                verifyCertificate(pemContainer.getHash(), certificate);
+            } catch (CertificateException | NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+
+            }
+        }
+        return result;
+    }
+}
+
+

sign/src/main/java/com/itextpdf/signatures/validation/EuropeanTrustedListConfigurationFactory.java

@@ -0,0 +1,94 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
+
+import java.security.cert.Certificate;
+import java.util.List;
+import java.util.function.Supplier;
+
+/**
+ * Abstract factory class for configuring and retrieving European Trusted List configurations.
+ * This class provides methods to get and set the factory implementation, as well as abstract
+ * methods to retrieve trusted list-related information.
+ */
+public abstract class EuropeanTrustedListConfigurationFactory {
+
+    /**
+     * Supplier for the current factory implementation.
+     * By default, it uses {@link LoadFromModuleEuropeanTrustedListConfigurationFactory}.
+     */
+    private static Supplier<EuropeanTrustedListConfigurationFactory> configuration =
+            () -> {
+                try {
+                    return new LoadFromModuleEuropeanTrustedListConfigurationFactory();
+                } catch (Exception e) {
+                    throw new PdfException(SignExceptionMessageConstant.EU_RESOURCES_NOT_LOADED);
+                }
+            };
+
+    /**
+     * Retrieves the current factory supplier.
+     *
+     * @return the current factory supplier
+     */
+    public static Supplier<EuropeanTrustedListConfigurationFactory> getFactory() {
+        return configuration;
+    }
+
+    /**
+     * Sets the factory supplier.
+     *
+     * @param factory the new factory supplier to set
+     * @throws IllegalArgumentException if the provided factory is null
+     */
+    public static void setFactory(Supplier<EuropeanTrustedListConfigurationFactory> factory) {
+        if (factory == null) {
+            throw new IllegalArgumentException("Factory cannot be null");
+        }
+        configuration = factory;
+    }
+
+    /**
+     * Retrieves the URI of the trusted list.
+     *
+     * @return the trusted list URI
+     */
+    public abstract String getTrustedListUri();
+
+    /**
+     * Retrieves the currently supported publication of the trusted list.
+     *
+     * @return the currently supported publication
+     */
+    public abstract String getCurrentlySupportedPublication();
+
+    /**
+     * Retrieves the list of certificates from the trusted list.
+     *
+     * @return a list of certificates
+     */
+    public abstract List<Certificate> getCertificates();
+}