Merge branch 'develop' into devsecops

itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs

@@ -72,8 +72,7 @@ public virtual void StandaloneMacStandardEncryptionTest() {
                 .HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD);
             WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption
                 (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, macProperties);
-            using (PdfDocument pdfDoc = new PdfDocument(CompareTool.CreateTestPdfWriter(outputFileName, writerProperties
-                ))) {
+            using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(outputFileName, writerProperties))) {
                 pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100)));
             }
             NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER

itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs

@@ -167,6 +167,38 @@ public virtual void InvalidPublicKeyMacProtectedDocumentTest() {
             NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_VALIDATION_FAILED, exceptionMessage);
         }
 
+        [NUnit.Framework.Test]
+        public virtual void ReadSignedMacProtectedDocumentWithoutAttributeTest() {
+            String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
+                using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocWithoutAttribute.pdf"
+                    , new ReaderProperties().SetPassword(PASSWORD)))) {
+                }
+            }
+            ).Message;
+            NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_ATTRIBUTE_NOT_SPECIFIED, message);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void MacProtectionStrippedTest() {
+            String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
+                using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf", 
+                    new ReaderProperties().SetPassword(PASSWORD)))) {
+                }
+            }
+            ).Message;
+            NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_PERMS_WITHOUT_MAC, message);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void ReadSignedMacProtectedDocumentTest() {
+            NUnit.Framework.Assert.DoesNotThrow(() => {
+                using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocument.pdf"
+                    , new ReaderProperties().SetPassword(PASSWORD)))) {
+                }
+            }
+            );
+        }
+
         [NUnit.Framework.Test]
         public virtual void ReadThirdPartyMacProtectedDocumentTest() {
             NUnit.Framework.Assert.DoesNotThrow(() => {

itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs

@@ -0,0 +1,186 @@
+/*
+This file is part of the iText (R) project.
+Copyright (c) 1998-2024 Apryse Group NV
+Authors: Apryse Software.
+
+This program is offered under a commercial and under the AGPL license.
+For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+AGPL licensing:
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+using System;
+using System.IO;
+using NUnit.Framework;
+using iText.Bouncycastleconnector;
+using iText.Commons.Bouncycastle;
+using iText.Commons.Bouncycastle.Cert;
+using iText.Commons.Bouncycastle.Crypto;
+using iText.Commons.Utils;
+using iText.Kernel.Crypto;
+using iText.Kernel.Exceptions;
+using iText.Kernel.Pdf;
+using iText.Kernel.Utils;
+using iText.Signatures;
+using iText.Signatures.Testutils;
+using iText.Test;
+
+namespace iText.Signatures.Mac {
+    [NUnit.Framework.Category("BouncyCastleIntegrationTest")]
+    public class SignedDocumentWithMacTest : ExtendedITextTest {
+        private static readonly IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.GetFactory();
+
+        private static readonly String CERTS_SRC = iText.Test.TestUtil.GetParentProjectDirectory(NUnit.Framework.TestContext
+            .CurrentContext.TestDirectory) + "/resources/itext/signatures/mac/SignedDocumentWithMacTest/certs/";
+
+        private static readonly String SOURCE_FOLDER = iText.Test.TestUtil.GetParentProjectDirectory(NUnit.Framework.TestContext
+            .CurrentContext.TestDirectory) + "/resources/itext/signatures/mac/SignedDocumentWithMacTest/";
+
+        private static readonly String DESTINATION_FOLDER = NUnit.Framework.TestContext.CurrentContext.TestDirectory
+             + "/test/itext/signatures/mac/SignedDocumentWithMacTest/";
+
+        private static readonly byte[] ENCRYPTION_PASSWORD = "123".GetBytes();
+
+        private static readonly char[] PRIVATE_KEY_PASSWORD = "testpassphrase".ToCharArray();
+
+        [NUnit.Framework.OneTimeSetUp]
+        public static void Before() {
+            NUnit.Framework.Assume.That("BC".Equals(FACTORY.GetProviderName()));
+            CreateOrClearDestinationFolder(DESTINATION_FOLDER);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void SignMacProtectedDocTest() {
+            String fileName = "signMacProtectedDocTest.pdf";
+            String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf";
+            String outputFileName = DESTINATION_FOLDER + fileName;
+            String signCertFileName = CERTS_SRC + "signCertRsa01.pem";
+            String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+            IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD);
+            using (PdfReader reader = new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD
+                ))) {
+                using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
+                    PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
+                    PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain);
+                }
+            }
+            ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
+            NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
+                , properties));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void SignMacProtectedDocInAppendModeTest() {
+            String fileName = "signMacProtectedDocInAppendModeTest.pdf";
+            String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf";
+            String outputFileName = DESTINATION_FOLDER + fileName;
+            String signCertFileName = CERTS_SRC + "signCertRsa01.pem";
+            String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+            IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD);
+            using (PdfReader reader = new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD
+                ))) {
+                using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
+                    PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties().UseAppendMode());
+                    PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain);
+                }
+            }
+            ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
+            NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
+                , properties));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void SignMacProtectedDocWithSHA3_384Test() {
+            String fileName = "signMacProtectedDocWithSHA3_384Test.pdf";
+            String srcFileName = SOURCE_FOLDER + "macEncryptedDocSHA3_384.pdf";
+            String outputFileName = DESTINATION_FOLDER + fileName;
+            String signCertFileName = CERTS_SRC + "signCertRsa01.pem";
+            String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+            IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD);
+            using (PdfReader reader = new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD
+                ))) {
+                using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
+                    PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
+                    PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain);
+                }
+            }
+            ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD);
+            NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
+                , properties));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void SignMacPublicEncryptionDocTest() {
+            String fileName = "signMacPublicEncryptionDocTest.pdf";
+            String srcFileName = SOURCE_FOLDER + "macEncryptedWithPublicHandlerDoc.pdf";
+            String outputFileName = DESTINATION_FOLDER + fileName;
+            String signCertFileName = CERTS_SRC + "signCertRsa01.pem";
+            String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+            IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName);
+            IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD);
+            IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC +
+                 "SHA256withRSA.cer"));
+            IPrivateKey privateKey = PemFileHelper.ReadFirstKey(CERTS_SRC + "SHA256withRSA.key", PRIVATE_KEY_PASSWORD);
+            ReaderProperties properties = new ReaderProperties().SetPublicKeySecurityParams(certificate, privateKey);
+            using (PdfReader reader = new PdfReader(srcFileName, properties)) {
+                using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) {
+                    PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties());
+                    PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain);
+                }
+            }
+            NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties
+                , properties));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void ReadSignedMacProtectedInvalidDocTest() {
+            String srcFileName = SOURCE_FOLDER + "signedMacProtectedInvalidDoc.pdf";
+            String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
+                using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
+                    (ENCRYPTION_PASSWORD)))) {
+                }
+            }
+            ).Message;
+            // Do nothing.
+            NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_VALIDATION_FAILED, exceptionMessage);
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void UpdateSignedMacProtectedDocumentTest() {
+            String fileName = "updateSignedMacProtectedDocumentTest.pdf";
+            String srcFileName = SOURCE_FOLDER + "thirdPartyMacProtectedAndSignedDocument.pdf";
+            String outputFileName = DESTINATION_FOLDER + fileName;
+            String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
+            using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
+                (ENCRYPTION_PASSWORD)), new PdfWriter(FileUtil.GetFileOutputStream(outputFileName)), new StampingProperties
+                ().UseAppendMode())) {
+            }
+            // Do nothing.
+            // This call produces INFO log from AESCipher caused by exception while decrypting. The reason is that,
+            // while comparing encrypted signed documents, CompareTool needs to mark signature value as unencrypted.
+            // Instead, it tries to decrypt not encrypted value which results in exception.
+            NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER
+                , "diff", ENCRYPTION_PASSWORD, ENCRYPTION_PASSWORD));
+        }
+
+        private static void PerformSignDetached(PdfSigner pdfSigner, IPrivateKey privateKey, IX509Certificate[] chain
+            ) {
+            pdfSigner.SignDetached(new PrivateKeySignature(privateKey, DigestAlgorithms.SHA256), chain, null, null, null
+                , 0, PdfSigner.CryptoStandard.CADES);
+        }
+    }
+}

itext.tests/itext.sign.tests/itext/signatures/testutils/SignaturesCompareTool.cs

@@ -56,6 +56,8 @@ public class SignaturesCompareTool {
 
         private const String OID_OCSP_NONCE_EXTENSION = "1.3.6.1.5.5.7.48.1.2";
 
+        private const String ID_ATTR_PDF_MAC_DATA = "1.0.32004.1.2";
+
         private static readonly IAsn1Dump DUMP = BOUNCY_CASTLE_FACTORY.CreateASN1Dump();
 
         private static readonly ICollection<String> IGNORED_OIDS;
@@ -66,6 +68,7 @@ static SignaturesCompareTool() {
             tempSet.Add(OID_TST_INFO);
             tempSet.Add(OID_SIGNING_TIME);
             tempSet.Add(OID_OCSP_NONCE_EXTENSION);
+            tempSet.Add(ID_ATTR_PDF_MAC_DATA);
             IGNORED_OIDS = JavaCollectionsUtil.UnmodifiableSet(tempSet);
         }
 

itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/certs/SHA256withRSA.key

@@ -0,0 +1,51 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQdOaEUfD0sZWtUR11
+xwgn0gICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEBaNXSfwUjF5SS7n
+ce1JFoUEggTQ6eV+IsckiVP7I9VTldLkpP5OKB8brmw5t20fO11HyCnqkkhooR2b
+t2fBj4fWv0IRUe266L+fVs7AOngjkWfezEvGR6nte4pNXEFrOwt/U8A6IYZXBdA5
+dvqs6VMPHbjQ8CufVLGvksuYFQVRcGy0rk1DH2Of44GU4X0GtROlFFJnkmfZhVPS
+Hx2MXXGQ02Ko1i1eKoEGgvmSAsDcPijiX96DKlQZJ4YMtI/8rRsdvNJsJ2beyZDa
+T3aJMmSSBF92mS2dtS21DwjzEu8utquguYA0KYzjZM9onOuBEEUifam8Fjnvlui6
+beQJya4zldoA6QZPSd2PUAP6l1U/d8UXqcisjzArDZDmRu58dPxn4rs0NgTOIO8h
+fEUIvfS+wuknff1b/wdGnwXkXoeSrrjS9dhP9KVU1SJ/FWKc6BY+P+JmE5vLjAtn
+AmbyZhXY0jX7ZHFh0z0y1y1fTIXL1aj4iB+cUwhJ1ZdlGkT5HdG4ts/oTGCnpB6O
+F1GvGyhprmtjp/dspLH5ha0I+4aTn46yFpnBNyg8w9c2+xj8Jiqy9J/ppVtPdhxt
+wrE1/ThUGIWUTsbGbLW87WIrZq6IlSGtztbxAMYxXoe4solYueE3pI3eYFzgnBcq
+T6Byktr71gt9AGD/N/p+Kk5RM4JT8XpQjLjz9TlmsGpJzUoBGeG6KFLsqqLLSD+0
+c5lAGWsFhec3uCu4fCyBqxpQc0y5j2bgUiTRGYn1NOdyZg+ERO/aWGfkDOAtlL1i
+B79NGIBxIXgt508g83UeaQC6KjuG/8hPY6UHmU5mlgRT9H5jvkSX3mEtl1Gdk2y0
+M5pZTTrhbG4p66GhBi8vM5tQfiBoLUKEM/kgiGXPC6Kob42nb3ufP0rmnKklcDGC
++898hW5ge+VNmOkHpVuV5ZD9aWUSVEU4+8QNZj8pcyL0GXFyEL/HxNxUESdz3k0S
+bInuxO49mgGPjBqtx5ZvaxyWFnzOp6rmHZUHymejxxdnlnTnSnXKkJFjcm7n0sKO
+575ofHtk0OdqIK6YiPgfeF6nZkIg3C0PbReZ05kTplrW182ZWuQQyJgv+RPzF4+9
+5rCe67nJhJrt7hXFRsUScHXNj+HF9Av8WR2RnHTRbpQBJszijM+Xgl+VeYcY5ckB
+fk+AfcR9r0Jud4O9795OOWVxWqGVu/b1RGonfjMkGW+JdnZL0vkOYYcHt4iMZmzW
+M0ZowZPGO5dFBV7/ZkVzb0fexw+f+E0lUBEK1cx0gxnzjmcGJO+C9if1uIEfwpon
+3wBOTDsU7XKDx9v6ibcDMOXrZa+rcJWxgNkXt5nRpozZkddYctBkehGu+snV2g4n
+SdOwr0eIVv/L+v4IywZmeWWEVnbSAvB0p7nB89bgLMr9tV0ly7MWxPH+gPnNJ1gE
+7Mp3AgN5BxEmLfW3+ou3QLoqnOS2MCw/xcgLP0nJACSPI7/nWy95iKXKgkCkAgF9
+4Ztk7uBG4tiK14KcKq8ToCW2YNliT3g0CWjBLtVPUS6qboudMiuedxTxE8WEirpT
+A77nfDNg4MVjl4kP9jhV0Phpn9rDMJ2jw0BqFc1Vou4aNDXYandAFJea44Wce9H+
+qAowcrfsWehD01HBQ2KwWVg3sLnwwBHw0nvbATS41hdxsP2OmCnxWkc=
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIEUFic9zANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJU
+UzETMBEGA1UECBMKVGVzdCBTdGF0ZTESMBAGA1UEBxMJVGVzdCBUb3duMREwDwYD
+VQQKEwhUZXN0IG9yZzEQMA4GA1UECxMHVGVzdCBPVTESMBAGA1UEAxMJVGVzdCBV
+c2VyMCAXDTE0MDkyMjA5MTExMVoYDzIxMTQwODI5MDkxMTExWjBvMQswCQYDVQQG
+EwJUUzETMBEGA1UECBMKVGVzdCBTdGF0ZTESMBAGA1UEBxMJVGVzdCBUb3duMREw
+DwYDVQQKEwhUZXN0IG9yZzEQMA4GA1UECxMHVGVzdCBPVTESMBAGA1UEAxMJVGVz
+dCBVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+6g5sYzXiNOA
+hR7C8wc8buxU/JgcbdHpHIR44iuXjpepBYAE7hRsWM7H4cuXrKiRxS9UMOadqkGF
+Qqb5sG6lo2UUhcj4qlN6hKDc/+AMZMIW1mvQldiygCAkqgM8iso+kw56dpVuerG/
+k1nd8f+X9rjXN6/DIMznZcMy2d9ByIFuixFKElPvOWx9q9N4aiueOd5FM5eHxp+3
+F4uCTrpM5zkS7Rmf5GVtCofc8KgaTLLp4D0Ge5VUJm7yW8fuU3eIpin4ivjk+Gye
+Q3t0BsrmNyQy3CmKGOBP/vX0+wEMvGN2xqNgAFP9dxA+AbJMiAfsmoWvxXaPktqC
+DOspTCFqbwIDAQABoyEwHzAdBgNVHQ4EFgQUILviRCmSrhuLDmF0nus4pv2uu7gw
+DQYJKoZIhvcNAQELBQADggEBAGnfGYL7nDm5taDPRxuGGMqUPwRnH2bXwef6S2Xb
+/nIEFtNheVFQFtKNn5Ikq68DTFMP06yXLnI7F40+ZiQezRBB1EPPmDL2fYKc9fL1
+SHntu6HLgP/Y5nnCVegtL8l9745gQZnnXlMtkTs2HFwffznIHW/3STO0Bcj0+KMa
+p8vebMjmvV7bZEGvrcrVXL55QPZXJwRuQMXJB3f5XhAEH1VqAhTW6DrvBUnuESwo
+9fxxA5gmblt80SQYdKr2I08OTk0qmyF8zNuffTOiSS8/V6Cf7CntuPWjSuVf1EVP
+MH6KkSjceLZ99Y7bvl7KKvQ4Kj5Bp27PwlRvtYbfCUmQEG8=
+-----END CERTIFICATE-----