Add support for AdditionalServiceInformation extension

DEVSIX-9265

Author: Alexandr Pliushchou

sharpenConfiguration.xml

@@ -542,7 +542,7 @@
                 <file path="com/itextpdf/signatures/testutils/report/xml/XmlReportTestTool.java"/>
             </fileset>
             <fileset reason="LocalDateTime and DateTime have different constructors and parsing">
-                <file path="com/itextpdf/signatures/validation/lotl/ServiceStatusInfo.java"/>
+                <file path="com/itextpdf/signatures/validation/lotl/ServiceChronologicalInfo.java"/>
             </fileset>
             <!-- jsoup -->
             <file path="com/itextpdf/styledxmlparser/jsoup/PortUtil.java" />

sign/src/main/java/com/itextpdf/signatures/validation/lotl/AdditionalServiceInformationExtension.java

@@ -0,0 +1,35 @@
+package com.itextpdf.signatures.validation.lotl;
+
+import java.util.HashSet;
+import java.util.Set;
+
+class AdditionalServiceInformationExtension {
+
+    private static final Set<String> invalidScopes = new HashSet<>();
+
+    static {
+        invalidScopes.add("http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication");
+    }
+
+    private String uri;
+
+    AdditionalServiceInformationExtension() {
+        // Empty constructor.
+    }
+
+    AdditionalServiceInformationExtension (String uri) {
+        this.uri = uri;
+    }
+
+    String getUri() {
+        return uri;
+    }
+
+    void setUri(String uri) {
+        this.uri = uri;
+    }
+
+    boolean isScopeValid() {
+        return !invalidScopes.contains(uri);
+    }
+}

sign/src/main/java/com/itextpdf/signatures/validation/lotl/CountryServiceContext.java

@@ -34,7 +34,7 @@ class CountryServiceContext implements IServiceContext {
     private String serviceType;
 
     //It is expected that service statuses are ordered starting from the newest one.
-    private final List<ServiceStatusInfo> serviceStatusInfos = new ArrayList<>();
+    private final List<ServiceChronologicalInfo> serviceChronologicalInfos = new ArrayList<>();
 
     CountryServiceContext() {
         // Empty constructor
@@ -64,29 +64,29 @@ String getServiceType() {
         return serviceType;
     }
 
-    void addNewServiceStatus(ServiceStatusInfo serviceStatusInfo) {
-        serviceStatusInfos.add(serviceStatusInfo);
+    void addServiceChronologicalInfo(ServiceChronologicalInfo serviceChronologicalInfo) {
+        serviceChronologicalInfos.add(serviceChronologicalInfo);
     }
 
-    String getServiceStatusByDate(long milliseconds) {
-        return getServiceStatusByDate(DateTimeUtil.getTimeFromMillis(milliseconds));
+    ServiceChronologicalInfo getServiceChronologicalInfoByDate(long milliseconds) {
+        return getServiceChronologicalInfoByDate(DateTimeUtil.getTimeFromMillis(milliseconds));
     }
 
-    String getServiceStatusByDate(LocalDateTime time) {
-        for (ServiceStatusInfo serviceStatusInfo: serviceStatusInfos) {
-            if (serviceStatusInfo.getServiceStatusStartingTime().isBefore(time)) {
-                return serviceStatusInfo.getServiceStatus();
+    ServiceChronologicalInfo getServiceChronologicalInfoByDate(LocalDateTime time) {
+        for (ServiceChronologicalInfo serviceChronologicalInfo : serviceChronologicalInfos) {
+            if (serviceChronologicalInfo.getServiceStatusStartingTime().isBefore(time)) {
+                return serviceChronologicalInfo;
             }
         }
 
         return null;
     }
 
-    ServiceStatusInfo getCurrentStatusInfo() {
-        return serviceStatusInfos.get(0);
+    ServiceChronologicalInfo getCurrentChronologicalInfo() {
+        return serviceChronologicalInfos.get(0);
     }
 
-    int getServiceStatusInfosSize() {
-        return serviceStatusInfos.size();
+    int getServiceChronologicalInfosSize() {
+        return serviceChronologicalInfos.size();
     }
 }

sign/src/main/java/com/itextpdf/signatures/validation/lotl/LOTLTrustedStore.java

@@ -59,6 +59,10 @@ public class LOTLTrustedStore {
     static final String CERTIFICATE_SERVICE_TYPE_NOT_RECOGNIZED =
             "Certificate {0} is trusted, but it's service type {1} is not recognized.";
     static final String NOT_YET_VALID_CERTIFICATE = "Certificate {0} is not yet valid.";
+    static final String SCOPE_SPECIFIED_WITH_INVALID_TYPES = "Certificate {0} is trusted for {1}, " +
+            "which is incorrect scope for pdf validation.";
+    static final String EXTENSIONS_CHECK = "Certificate extensions check.";
+
     private static final Map<String, Set<CertificateSource>> serviceTypeIdentifiersScope;
 
     private final Set<CountryServiceContext> contexts = new HashSet<>();
@@ -176,7 +180,10 @@ public boolean checkIfCertIsTrusted(ValidationReport result, ValidationContext c
 
         List<ReportItem> validationReportItems = new ArrayList<>();
         for (CountryServiceContext currentContext : currentContextSet) {
-            if (!isCertificateValidInTime(validationReportItems, certificate, currentContext, validationDate)) {
+            ServiceChronologicalInfo chronologicalInfo = getCertificateChronologicalInfoByTime(validationReportItems,
+                    certificate, currentContext, validationDate);
+            if (chronologicalInfo == null ||
+                    !isScopeCorrectlySpecified(validationReportItems, certificate, chronologicalInfo.getExtensions())) {
                 continue;
             }
 
@@ -211,6 +218,37 @@ public boolean checkIfCertIsTrusted(ValidationReport result, ValidationContext c
         return false;
     }
 
+    /**
+     * Check if scope specified by extensions contains valid types.
+     *
+     * @param reportItems {@link ValidationReport} which is populated with detailed validation results
+     * @param certificate {@link X509Certificate} to be validated
+     * @param extensions {@link AdditionalServiceInformationExtension} that specify scope
+     *
+     * @return false if extensions specify scope only with invalid types.
+     */
+    boolean isScopeCorrectlySpecified(List<ReportItem>  reportItems, X509Certificate certificate,
+                                      List<AdditionalServiceInformationExtension> extensions) {
+        List<ReportItem> currentReportItems = new ArrayList<>();
+        for (AdditionalServiceInformationExtension extension : extensions) {
+            if (extension.isScopeValid()) {
+                return true;
+            } else {
+                currentReportItems.add(new CertificateReportItem(certificate, EXTENSIONS_CHECK,
+                        MessageFormatUtil.format(SCOPE_SPECIFIED_WITH_INVALID_TYPES,
+                                certificate.getSubjectX500Principal(), extension.getUri()),
+                        ReportItem.ReportItemStatus.INVALID));
+            }
+        }
+
+        if (currentReportItems.isEmpty()) {
+            return true;
+        } else {
+            reportItems.addAll(currentReportItems);
+            return false;
+        }
+    }
+
     final void addCertificatesWithContext(Collection<CountryServiceContext> contexts) {
         this.contexts.addAll(contexts);
     }
@@ -225,23 +263,37 @@ private Set<CountryServiceContext> getCertificateContext(Certificate certificate
         return contextSet;
     }
 
-    private static boolean isCertificateValidInTime(List<ReportItem> reportItems, X509Certificate certificate,
-                                     CountryServiceContext currentContext, Date validationDate) {
-        String status = currentContext.getServiceStatusByDate(DateTimeUtil.getRelativeTime(validationDate));
+    /**
+     * Find {@link ServiceChronologicalInfo} corresponding to provided date. If Service wasn't operating at that date
+     * report item will be added and null will be returned.
+     *
+     * @param reportItems {@link ValidationReport} which is populated with detailed validation results
+     * @param certificate {@link X509Certificate} to be validated
+     * @param currentContext {@link CountryServiceContext} which contains statuses and their starting time
+     * @param validationDate {@link Date} against which certificate is expected to be validated. Usually signing
+     *                       date
+     *
+     * @return {@link ServiceChronologicalInfo} which contains time specific service information.
+     */
+    ServiceChronologicalInfo getCertificateChronologicalInfoByTime(
+            List<ReportItem> reportItems, X509Certificate certificate, CountryServiceContext currentContext,
+            Date validationDate) {
+        ServiceChronologicalInfo status = currentContext.getServiceChronologicalInfoByDate(
+                DateTimeUtil.getRelativeTime(validationDate));
         if (status == null) {
             reportItems.add(new CertificateReportItem(certificate, CERTIFICATE_CHECK,
-                    MessageFormatUtil.format(NOT_YET_VALID_CERTIFICATE, certificate.getSubjectX500Principal()),
-                    ReportItem.ReportItemStatus.INVALID));
-            return false;
+                    MessageFormatUtil.format(NOT_YET_VALID_CERTIFICATE,
+                            certificate.getSubjectX500Principal()), ReportItem.ReportItemStatus.INVALID));
+            return null;
         }
 
-        if (!ServiceStatusInfo.isStatusValid(status)) {
+        if (!ServiceChronologicalInfo.isStatusValid(status.getServiceStatus())) {
             reportItems.add(new CertificateReportItem(certificate, CERTIFICATE_CHECK,
                     MessageFormatUtil.format(REVOKED_CERTIFICATE, certificate.getSubjectX500Principal()),
                     ReportItem.ReportItemStatus.INVALID));
-            return false;
+            return null;
         }
 
-        return true;
+        return status;
     }
 }

sign/src/main/java/com/itextpdf/signatures/validation/lotl/ServiceStatusInfo.java renamed to sign/src/main/java/com/itextpdf/signatures/validation/lotl/ServiceChronologicalInfo.java

@@ -24,21 +24,24 @@ This file is part of the iText (R) project.
 
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
-class ServiceStatusInfo {
+class ServiceChronologicalInfo {
     private String serviceStatus;
 
     //Local time is used here because it is required to use UTC in a trusted lists, so no offset shall be presented.
     private LocalDateTime serviceStatusStartingTime;
 
+    private final List<AdditionalServiceInformationExtension> extensions = new ArrayList<>();
+
     private final DateTimeFormatter statusStartDateFormat = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss'Z'");
 
     static final String GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted";
     static final String GRANTED_NATIONALLY =
             "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevel";
-    static final String WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn";
     static final String ACCREDITED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited";
     private static final Set<String> validStatuses = new HashSet<>();
 
@@ -48,11 +51,11 @@ class ServiceStatusInfo {
         validStatuses.add(ACCREDITED);
     }
 
-    ServiceStatusInfo() {
+    ServiceChronologicalInfo() {
         // empty constructor
     }
 
-    ServiceStatusInfo(String serviceStatus, LocalDateTime serviceStatusStartingTime) {
+    ServiceChronologicalInfo(String serviceStatus, LocalDateTime serviceStatusStartingTime) {
         this.serviceStatus = serviceStatus;
         this.serviceStatusStartingTime = serviceStatusStartingTime;
     }
@@ -80,4 +83,12 @@ LocalDateTime getServiceStatusStartingTime() {
     static boolean isStatusValid(String status) {
         return validStatuses.contains(status);
     }
+
+    void addExtension(AdditionalServiceInformationExtension extension) {
+        extensions.add(extension);
+    }
+
+    List<AdditionalServiceInformationExtension> getExtensions() {
+        return extensions;
+    }
 }

sign/src/main/java/com/itextpdf/signatures/validation/lotl/XmlCountryCertificateHandler.java

@@ -41,11 +41,13 @@ class XmlCountryCertificateHandler extends AbstractXmlCertificateHandler {
         INFORMATION_TAGS.add(XmlTagConstants.SERVICE_STATUS);
         INFORMATION_TAGS.add(XmlTagConstants.X509CERTIFICATE);
         INFORMATION_TAGS.add(XmlTagConstants.SERVICE_STATUS_STARTING_TIME);
+        INFORMATION_TAGS.add(XmlTagConstants.URI);
     }
 
     private StringBuilder information;
     private CountryServiceContext currentServiceContext = null;
-    private ServiceStatusInfo currentServiceStatusInfo = null;
+    private ServiceChronologicalInfo currentServiceChronologicalInfo = null;
+    private AdditionalServiceInformationExtension currentExtension = null;
 
     XmlCountryCertificateHandler(Set<String> serviceTypes) {
         this.serviceTypes = new HashSet<>(serviceTypes);
@@ -64,8 +66,10 @@ public void startElement(String uri, String localName, String qName, HashMap<Str
             startProvider();
         } else if (XmlTagConstants.SERVICE_HISTORY_INSTANCE.equals(localName)
                 || XmlTagConstants.SERVICE_INFORMATION.equals(localName)) {
-            currentServiceStatusInfo = new ServiceStatusInfo();
-        } else if (INFORMATION_TAGS.contains(localName)) {
+            currentServiceChronologicalInfo = new ServiceChronologicalInfo();
+        } else if (XmlTagConstants.ADDITIONAL_INFORMATION_EXTENSION.equals(localName)) {
+            currentExtension = new AdditionalServiceInformationExtension();
+        }else if (INFORMATION_TAGS.contains(localName)) {
             information = new StringBuilder();
         }
     }
@@ -84,8 +88,8 @@ public void endElement(String uri, String localName, String qName) {
                 information = null;
                 break;
             case XmlTagConstants.SERVICE_STATUS:
-                if (currentServiceContext != null) {
-                    currentServiceStatusInfo.setServiceStatus(information.toString());
+                if (currentServiceChronologicalInfo != null) {
+                    currentServiceChronologicalInfo.setServiceStatus(information.toString());
                 }
 
                 information = null;
@@ -103,19 +107,32 @@ public void endElement(String uri, String localName, String qName) {
                 information = null;
                 break;
             case XmlTagConstants.SERVICE_STATUS_STARTING_TIME:
-                if (currentServiceContext != null) {
-                    currentServiceStatusInfo.setServiceStatusStartingTime(information.toString());
+                if (currentServiceChronologicalInfo != null) {
+                    currentServiceChronologicalInfo.setServiceStatusStartingTime(information.toString());
                 }
 
                 information = null;
                 break;
             case XmlTagConstants.SERVICE_INFORMATION:
             case XmlTagConstants.SERVICE_HISTORY_INSTANCE:
                 if (currentServiceContext != null) {
-                    currentServiceContext.addNewServiceStatus(currentServiceStatusInfo);
+                    currentServiceContext.addServiceChronologicalInfo(currentServiceChronologicalInfo);
+                }
+
+                currentServiceChronologicalInfo = null;
+                break;
+            case XmlTagConstants.URI:
+                if (currentExtension != null) {
+                    currentExtension.setUri(information.toString());
+                }
+
+                break;
+            case XmlTagConstants.ADDITIONAL_INFORMATION_EXTENSION:
+                if (currentServiceChronologicalInfo != null) {
+                    currentServiceChronologicalInfo.addExtension(currentExtension);
                 }
 
-                currentServiceStatusInfo = null;
+                currentExtension = null;
         }
     }
 

sign/src/main/java/com/itextpdf/signatures/validation/lotl/XmlTagConstants.java

@@ -35,5 +35,6 @@ class XmlTagConstants {
     static final String SCHEME_TERRITORY = "SchemeTerritory";
     static final String TSLLOCATION = "TSLLocation";
     static final String MIME_TYPE = "MimeType";
+    static final String ADDITIONAL_INFORMATION_EXTENSION = "AdditionalServiceInformation";
     static final String URI = "URI";
 }