Merge branch 'develop' into devsecops

itext.tests/itext.sign.tests/itext/signatures/sign/PdfPadesSignerTest.cs

@@ -27,6 +27,7 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Cert;
 using iText.Commons.Bouncycastle.Crypto;
+using iText.Commons.Bouncycastle.Security;
 using iText.Commons.Utils;
 using iText.Forms.Form.Element;
 using iText.Kernel.Exceptions;
@@ -39,7 +40,7 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Test;
 
 namespace iText.Signatures.Sign {
-    [NUnit.Framework.Category("IntegrationTest")]
+    [NUnit.Framework.Category("BouncyCastleIntegrationTest")]
     public class PdfPadesSignerTest : ExtendedITextTest {
         private static readonly IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.GetFactory();
 
@@ -183,6 +184,55 @@ public virtual void SmallTokenSizeEstimationTest() {
             Exception exception = NUnit.Framework.Assert.Catch(typeof(IOException), () => padesSigner.SignWithBaselineLTAProfile
                 (signerProperties, signRsaChain, pks, testTsa));
         }
+
+        [NUnit.Framework.Test]
+        public virtual void PadesSignatureEd25519Test() {
+            NUnit.Framework.Assume.That(!FACTORY.IsInApprovedOnlyMode());
+            String fileName = "padesSignatureEd25519Test.pdf";
+            String outFileName = destinationFolder + fileName;
+            String cmpFileName = sourceFolder + "cmp_" + fileName;
+            String srcFileName = sourceFolder + "helloWorldDoc.pdf";
+            String signCertFileName = certsSrc + "signCertEd25519.pem";
+            IX509Certificate[] signEdDSAChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signEdDSAPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, password);
+            SignerProperties signerProperties = CreateSignerProperties();
+            PdfPadesSigner padesSigner = CreatePdfPadesSigner(srcFileName, outFileName);
+            if (FIPS_MODE) {
+                // algorithm identifier in key not recognised
+                Exception exception = NUnit.Framework.Assert.Catch(typeof(PdfException), () => padesSigner.SignWithBaselineBProfile
+                    (signerProperties, signEdDSAChain, signEdDSAPrivateKey));
+                NUnit.Framework.Assert.AreEqual(MessageFormatUtil.Format(SignExceptionMessageConstant.ALGORITHMS_NOT_SUPPORTED,
+                    "SHA512withEd25519", "Ed25519"), exception.Message);
+            } else {
+                padesSigner.SignWithBaselineBProfile(signerProperties, signEdDSAChain, signEdDSAPrivateKey);
+                TestSignUtils.BasicCheckSignedDoc(outFileName, "Signature1");
+                NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outFileName, cmpFileName));
+            }
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void PadesSignatureEd448Test() {
+            NUnit.Framework.Assume.That(!FACTORY.IsInApprovedOnlyMode());
+            String fileName = "padesSignatureEd448Test.pdf";
+            String outFileName = destinationFolder + fileName;
+            String cmpFileName = sourceFolder + "cmp_" + fileName;
+            String srcFileName = sourceFolder + "helloWorldDoc.pdf";
+            String signCertFileName = certsSrc + "signCertEd448.pem";
+            IX509Certificate[] signEdDSAChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signEdDSAPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, password);
+            SignerProperties signerProperties = CreateSignerProperties();
+            PdfPadesSigner padesSigner = CreatePdfPadesSigner(srcFileName, outFileName);
+            if (FIPS_MODE) {
+                // SHAKE256 is currently not supported in BCFIPS
+                Exception exception = NUnit.Framework.Assert.Catch(typeof(AbstractGeneralSecurityException), () => padesSigner.SignWithBaselineBProfile
+                    (signerProperties, signEdDSAChain, signEdDSAPrivateKey));
+            }
+            else {
+                padesSigner.SignWithBaselineBProfile(signerProperties, signEdDSAChain, signEdDSAPrivateKey);
+                TestSignUtils.BasicCheckSignedDoc(outFileName, "Signature1");
+                NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outFileName, cmpFileName));
+            }
+        }
 
         private SignerProperties CreateSignerProperties() {
             SignerProperties signerProperties = new SignerProperties();

itext.tests/itext.sign.tests/resources/itext/signatures/certs/signCertEd25519.pem

@@ -0,0 +1,11 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPIdKJtjErGrsgpBaM04RZa49tMWLFrKDt6fVoGDxdtZ
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBCDCBuwIUGX/b5h/jmeMPJ11mVZgEfizZc1wwBQYDK2VwMCcxCzAJBgNVBAYT
+AkJFMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMjMxMjA2MTQyNzQwWhcN
+NDMwMjA0MTQyNzQwWjAnMQswCQYDVQQGEwJCRTEYMBYGA1UEAwwPd3d3LmV4YW1w
+bGUuY29tMCowBQYDK2VwAyEAZUXx5GDu4xyo6UKEOqPaxTyna6LGoUswH2ShmyO/
+uJswBQYDK2VwA0EAV1xEcFJunwRzH9ufTGAJ362AbadF5N+hIYd5wxKES8EOkY/2
+TsMbipY6uQLQJP2alusxc5+2varXxskpNGAuDQ==
+-----END CERTIFICATE-----

itext.tests/itext.sign.tests/resources/itext/signatures/certs/signCertEd448.pem

@@ -0,0 +1,14 @@
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOfrKlMzLC2KFud/xAxCCT9N8y2mPl8pKyUM3nT3uWYBK
+MwG7PWEKk2jVgxLBIjdRATaMFG7SrZJHQQ==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBUzCB1AIUZ3HGGxCugYIeKkQjLrCVG90vhqkwBQYDK2VxMCcxCzAJBgNVBAYT
+AkJFMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMjMxMjA2MTQ0NzE4WhcN
+NDMwMjA0MTQ0NzE4WjAnMQswCQYDVQQGEwJCRTEYMBYGA1UEAwwPd3d3LmV4YW1w
+bGUuY29tMEMwBQYDK2VxAzoAO12xP2xDv+3i6DrOUiLkKk4AYf4limP3IstJejo/
+IcL31H7oRZvtNrDlkpdjTmfgmX06KicNVBcAMAUGAytlcQNzALdSj5VltGHj/2OY
+lXLeHnwe//gUpEQQBMX+u5MHxBWApGvz1R2yrJ/NASvcQW0703M9KDGD7VY+gAYn
+mnPXaXL1RO8mcVpz29/hak6sFEVTFHvoo6NjlAXEjYtkbraf3jCIk77t9KD5oRi1
+T25XxGUUAA==
+-----END CERTIFICATE-----

itext/itext.sign/itext/signatures/PdfPadesSigner.cs

@@ -126,7 +126,7 @@ public virtual void SignWithBaselineBProfile(SignerProperties signerProperties,
         /// </param>
         public virtual void SignWithBaselineBProfile(SignerProperties signerProperties, IX509Certificate[] chain, 
             IPrivateKey privateKey) {
-            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM);
+            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, GetDigestAlgorithm(privateKey));
             SignWithBaselineBProfile(signerProperties, chain, externalSignature);
         }
 
@@ -179,7 +179,7 @@ public virtual void SignWithBaselineTProfile(SignerProperties signerProperties,
         /// </param>
         public virtual void SignWithBaselineTProfile(SignerProperties signerProperties, IX509Certificate[] chain, 
             IPrivateKey privateKey, ITSAClient tsaClient) {
-            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM);
+            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, GetDigestAlgorithm(privateKey));
             SignWithBaselineTProfile(signerProperties, chain, externalSignature, tsaClient);
         }
 
@@ -245,7 +245,7 @@ public virtual void SignWithBaselineLTProfile(SignerProperties signerProperties,
         /// </param>
         public virtual void SignWithBaselineLTProfile(SignerProperties signerProperties, IX509Certificate[] chain, 
             IPrivateKey privateKey, ITSAClient tsaClient) {
-            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM);
+            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, GetDigestAlgorithm(privateKey));
             SignWithBaselineLTProfile(signerProperties, chain, externalSignature, tsaClient);
         }
 
@@ -312,7 +312,7 @@ public virtual void SignWithBaselineLTAProfile(SignerProperties signerProperties
         /// </param>
         public virtual void SignWithBaselineLTAProfile(SignerProperties signerProperties, IX509Certificate[] chain
             , IPrivateKey privateKey, ITSAClient tsaClient) {
-            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, DEFAULT_DIGEST_ALGORITHM);
+            IExternalSignature externalSignature = new PrivateKeySignature(privateKey, GetDigestAlgorithm(privateKey));
             SignWithBaselineLTAProfile(signerProperties, chain, externalSignature, tsaClient);
         }
 
@@ -624,5 +624,22 @@ private void CreateRevocationClients(IX509Certificate signingCert, bool clientsR
                 ocspClient = new OcspClientBouncyCastle(null);
             }
         }
+
+        private String GetDigestAlgorithm(IPrivateKey privateKey) {
+            String signatureAlgorithm = SignUtils.GetPrivateKeyAlgorithm(privateKey);
+            switch (signatureAlgorithm) {
+                case "Ed25519": {
+                    return DigestAlgorithms.SHA512;
+                }
+
+                case "Ed448": {
+                    return DigestAlgorithms.SHAKE256;
+                }
+
+                default: {
+                    return DEFAULT_DIGEST_ALGORITHM;
+                }
+            }
+        }
     }
 }

port-hash

@@ -1 +1 @@
-15993f567b79c85d1bcaef6d9e680ebe13b492cc
+19ee24c01d3a0cbe1e0e64bf2b9383b7fb1dc7da