itext
diff --git a/‎commons/src/main/java/com/itextpdf/commons/utils/DateTimeUtil.java‎
Lines changed: 14 additions & 0 deletions b/‎commons/src/main/java/com/itextpdf/commons/utils/DateTimeUtil.java‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java‎
Lines changed: 0 additions & 1 deletion b/‎sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/validation/CertificateChainValidator.java‎
Lines changed: 13 additions & 74 deletions b/‎sign/src/main/java/com/itextpdf/signatures/validation/CertificateChainValidator.java‎
Lines changed: 13 additions & 74 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/validation/CountryServiceContext.java‎
Lines changed: 5 additions & 0 deletions b/‎sign/src/main/java/com/itextpdf/signatures/validation/CountryServiceContext.java‎
Lines changed: 5 additions & 0 deletions
@@ -25,6 +25,9 @@ This file is part of the iText (R) project.
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
+import java.time.Instant;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.GregorianCalendar;
@@ -246,6 +249,17 @@ public static String dateToString(Calendar date) {
         return new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z").format(date.getTime());
     }
 
+    /**
+     * Gets the {@link LocalDateTime} from milliseconds.
+     *
+     * @param milliseconds the UTC milliseconds from the epoch
+     *
+     * @return {@link LocalDateTime} converted from milliseconds
+     */
+    public static LocalDateTime getTimeFromMillis(long milliseconds) {
+        return LocalDateTime.ofInstant(Instant.ofEpochMilli(milliseconds), ZoneOffset.ofHours(0));
+    }
+
     private static DateFormat initParserSDF(String pattern) {
         final SimpleDateFormat parserSDF = new SimpleDateFormat(pattern);
         parserSDF.setCalendar(new GregorianCalendar());
 
@@ -117,7 +117,6 @@ public final class SignExceptionMessageConstant {
     public static final String FAILED_TO_RETRIEVE_CERTIFICATE = "Failed to retrieve certificates from binary data";
     public static final String FAILED_TO_GET_EU_LOTL = "Failed to get European List of Trusted Lists (LOTL) from {0}.";
 
-
     private SignExceptionMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly
     }
 
@@ -48,6 +48,12 @@ This file is part of the iText (R) project.
  * Validator class, which is expected to be used for certificates chain validation.
  */
 public class CertificateChainValidator {
+
+    private final SignatureValidationProperties properties;
+    private final IssuingCertificateRetriever certificateRetriever;
+    private final RevocationDataValidator revocationDataValidator;
+    private final LOTLTrustedStore lotlTrustedStore;
+
     static final String CERTIFICATE_CHECK = "Certificate check.";
     static final String VALIDITY_CHECK = "Certificate validity period check.";
     static final String EXTENSIONS_CHECK = "Required certificate extensions check.";
@@ -74,11 +80,6 @@ public class CertificateChainValidator {
     static final String VALIDITY_PERIOD_CHECK_FAILED =
             "Unexpected exception occurred while validating certificate validity period.";
 
-
-    private final SignatureValidationProperties properties;
-    private final IssuingCertificateRetriever certificateRetriever;
-    private final RevocationDataValidator revocationDataValidator;
-
     /**
      * Create new instance of {@link CertificateChainValidator}.
      *
@@ -88,6 +89,7 @@ protected CertificateChainValidator(ValidatorChainBuilder builder) {
         this.certificateRetriever = builder.getCertificateRetriever();
         this.properties = builder.getProperties();
         this.revocationDataValidator = builder.getRevocationDataValidator();
+        this.lotlTrustedStore = builder.getLOTLTrustedstore();
     }
 
     /**
@@ -131,9 +133,9 @@ private ValidationReport validate(ValidationReport result, ValidationContext con
             return result;
         }
 
-        if (onExceptionLog(() -> checkIfCertIsTrusted(result, localContext, certificate), Boolean.FALSE, result,
-                e -> new CertificateReportItem(certificate, CERTIFICATE_CHECK, TRUSTSTORE_RETRIEVAL_FAILED,
-                        e, ReportItemStatus.INFO))) {
+        if (onExceptionLog(() -> checkIfCertIsTrusted(result, localContext, certificate, validationDate),
+                Boolean.FALSE, result, e -> new CertificateReportItem(certificate, CERTIFICATE_CHECK,
+                        TRUSTSTORE_RETRIEVAL_FAILED, e, ReportItemStatus.INFO))) {
             return result;
         }
 
@@ -148,72 +150,9 @@ private ValidationReport validate(ValidationReport result, ValidationContext con
     }
 
     private boolean checkIfCertIsTrusted(ValidationReport result, ValidationContext context,
-            X509Certificate certificate) {
-        if (CertificateSource.TRUSTED == context.getCertificateSource()) {
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-            return true;
-        }
-        TrustedCertificatesStore store = certificateRetriever.getTrustedCertificatesStore();
-        if (store.isCertificateGenerallyTrusted(certificate)) {
-            // Certificate is trusted for everything.
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-            return true;
-        }
-        if (store.isCertificateTrustedForCA(certificate)) {
-            // Certificate is trusted to be CA, we need to make sure it wasn't used to directly sign anything else.
-            if (CertificateSource.CERT_ISSUER == context.getCertificateSource()) {
-                result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                        CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-                return true;
-            }
-            // Certificate is trusted to be CA, but is not used in CA context.
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, certificate.getSubjectX500Principal(),
-                    "certificates generation"), ReportItemStatus.INFO));
-        }
-        if (store.isCertificateTrustedForTimestamp(certificate)) {
-            // Certificate is trusted for timestamp signing,
-            // we need to make sure this chain is responsible for timestamping.
-            if (ValidationContext.checkIfContextChainContainsCertificateSource(context, CertificateSource.TIMESTAMP)) {
-                result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                        CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-                return true;
-            }
-            // Certificate is trusted for timestamps generation, but is not used in timestamp generation context.
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, certificate.getSubjectX500Principal(),
-                    "timestamp generation"), ReportItemStatus.INFO));
-        }
-        if (store.isCertificateTrustedForOcsp(certificate)) {
-            // Certificate is trusted for OCSP response signing,
-            // we need to make sure this chain is responsible for OCSP response generation.
-            if (ValidationContext.checkIfContextChainContainsCertificateSource(
-                    context, CertificateSource.OCSP_ISSUER)) {
-                result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                        CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-                return true;
-            }
-            // Certificate is trusted for OCSP response generation, but is not used in OCSP response generation context.
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, certificate.getSubjectX500Principal(),
-                    "OCSP response generation"), ReportItemStatus.INFO));
-        }
-        if (store.isCertificateTrustedForCrl(certificate)) {
-            // Certificate is trusted for CRL signing,
-            // we need to make sure this chain is responsible for CRL generation.
-            if (ValidationContext.checkIfContextChainContainsCertificateSource(context, CertificateSource.CRL_ISSUER)) {
-                result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                        CERTIFICATE_TRUSTED, certificate.getSubjectX500Principal()), ReportItemStatus.INFO));
-                return true;
-            }
-            // Certificate is trusted for CRL generation, but is not used in CRL generation context.
-            result.addReportItem(new CertificateReportItem(certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(
-                    CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, certificate.getSubjectX500Principal(),
-                    "CRL generation"), ReportItemStatus.INFO));
-        }
-        return false;
+            X509Certificate certificate, Date validationDate) {
+        return certificateRetriever.getTrustedCertificatesStore().checkIfCertIsTrusted(result, context, certificate)
+                || lotlTrustedStore.checkIfCertIsTrusted(result, context, certificate, validationDate);
     }
 
     private boolean stopValidation(ValidationReport result, ValidationContext context) {
 
@@ -22,6 +22,7 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures.validation;
 
+import com.itextpdf.commons.utils.DateTimeUtil;
 import java.security.cert.Certificate;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
@@ -66,6 +67,10 @@ void addNewServiceStatus(ServiceStatusInfo serviceStatusInfo) {
         serviceStatusInfos.add(serviceStatusInfo);
     }
 
+    String getServiceStatusByDate(long milliseconds) {
+        return getServiceStatusByDate(DateTimeUtil.getTimeFromMillis(milliseconds));
+    }
+
     String getServiceStatusByDate(LocalDateTime time) {
         for (ServiceStatusInfo serviceStatusInfo: serviceStatusInfos) {
             if (serviceStatusInfo.getServiceStatusStartingTime().isBefore(time)) {
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,6 @@ public final class SignExceptionMessageConstant {`
`117`	`117`	`public static final String FAILED_TO_RETRIEVE_CERTIFICATE = "Failed to retrieve certificates from binary data";`
`118`	`118`	`public static final String FAILED_TO_GET_EU_LOTL = "Failed to get European List of Trusted Lists (LOTL) from {0}.";`
`119`	`119`
`120`		`-`
`121`	`120`	`private SignExceptionMessageConstant() {`
`122`	`121`	`// Private constructor will prevent the instantiation of this class directly`
`123`	`122`	`}`