Add PDF MAC support for BCFips mode
DEVSIX-8620

Autoported commit.
Original commit hash: [d25ef0a7b]
Manual files:
bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java
Eugene Bochilo committed Sep 25, 2024
1 parent e96df9e commit f79827f
Showing 5 changed files with 80 additions and 19 deletions.
Expand Up @@ -31,10 +31,12 @@ You should have received a copy of the GNU Affero General Public License
using iText.Kernel.Crypto;
using iText.Kernel.Exceptions;
using iText.Kernel.Geom;
using iText.Kernel.Logs;
using iText.Kernel.Pdf;
using iText.Kernel.Pdf.Annot;
using iText.Kernel.Utils;
using iText.Test;
using iText.Test.Attributes;

namespace iText.Kernel.Mac {
[NUnit.Framework.Category("BouncyCastleIntegrationTest")]
Expand All @@ -54,7 +56,6 @@ public class MacIntegrityProtectorCreationTest : ExtendedITextTest {

[NUnit.Framework.OneTimeSetUp]
public static void BeforeClass() {
NUnit.Framework.Assume.That("BC".Equals(PROVIDER_NAME));
CreateOrClearDestinationFolder(DESTINATION_FOLDER);
}

Expand All @@ -64,6 +65,7 @@ public static void AfterClass() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void StandaloneMacStandardEncryptionTest() {
String fileName = "standaloneMacStandardEncryptionTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -80,6 +82,7 @@ public virtual void StandaloneMacStandardEncryptionTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void MacEncryptionWithAesGsmTest() {
String fileName = "macEncryptionWithAesGsmTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -96,12 +99,13 @@ public virtual void MacEncryptionWithAesGsmTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void StandaloneMacUnwritableStreamTest() {
MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256, MacProperties.MacAlgorithm
.HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD);
WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption
(PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, macProperties);
MemoryStream unwritableStream = new _MemoryStream_124();
MemoryStream unwritableStream = new _MemoryStream_129();
String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(Exception), () => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(unwritableStream, writerProperties))) {
pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100)));
Expand All @@ -112,8 +116,8 @@ public virtual void StandaloneMacUnwritableStreamTest() {
unwritableStream.Dispose();
}

private sealed class _MemoryStream_124 : MemoryStream {
public _MemoryStream_124() {
private sealed class _MemoryStream_129 : MemoryStream {
public _MemoryStream_129() {
}

public override void Write(byte[] b, int off, int len) {
Expand All @@ -122,6 +126,7 @@ public override void Write(byte[] b, int off, int len) {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void StandaloneMacWithAllHashAlgorithmsTest() {
for (int i = 0; i < EnumUtil.GetAllValuesOfEnum<MacProperties.MacDigestAlgorithm>().Count; i++) {
String fileName = "standaloneMacWithAllHashAlgorithmsTest" + (i + 1) + ".pdf";
Expand All @@ -142,6 +147,7 @@ public virtual void StandaloneMacWithAllHashAlgorithmsTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void StandaloneMacPdfVersionNotSetTest() {
String fileName = "standaloneMacPdfVersionNotSetTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -160,6 +166,7 @@ public virtual void StandaloneMacPdfVersionNotSetTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void StandaloneMacOldEncryptionAlgorithmTest() {
String fileName = "standaloneMacOldEncryptionAlgorithmTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -179,6 +186,13 @@ public virtual void StandaloneMacOldEncryptionAlgorithmTest() {

[NUnit.Framework.Test]
public virtual void StandaloneMacPublicKeyEncryptionTest() {
try {
BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true);
}
catch (Exception) {
NUnit.Framework.Assume.That(false);
}
NUnit.Framework.Assume.That(!BouncyCastleFactoryCreator.GetFactory().IsInApprovedOnlyMode());
String fileName = "standaloneMacPublicKeyEncryptionTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
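Review bot: The `catch (Exception)` around `IsEncryptionFeatureSupported(0, true)` in StandaloneMacPublicKeyEncryptionTest turns every failure, not only "feature unsupported", into a silently skipped test, so a broken or misconfigured crypto factory would be reported as inconclusive rather than as a failure. Catching only the exception type the factory throws for an unsupported feature and giving the assumption a reason would keep skips auditable, e.g. `NUnit.Framework.Assume.That(false, "public-key encryption is not supported by the active Bouncy Castle factory");`. The literal arguments `0, true` also deserve a short comment saying which feature they probe. The same block is repeated in InvalidPublicKeyMacProtectedDocumentTest, ReadThirdPartyPublicKeyMacProtectedDocumentTest and SignMacPublicEncryptionDocTest in the other two files, and the test body here continues past the end of the hunk.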
Expand Up @@ -29,10 +29,12 @@ You should have received a copy of the GNU Affero General Public License
using iText.Kernel.Crypto;
using iText.Kernel.Exceptions;
using iText.Kernel.Geom;
using iText.Kernel.Logs;
using iText.Kernel.Pdf;
using iText.Kernel.Pdf.Annot;
using iText.Kernel.Utils;
using iText.Test;
using iText.Test.Attributes;

namespace iText.Kernel.Mac {
[NUnit.Framework.Category("BouncyCastleIntegrationTest")]
Expand All @@ -52,7 +54,6 @@ public class MacIntegrityProtectorReadingAndRewritingTest : ExtendedITextTest {

[NUnit.Framework.OneTimeSetUp]
public static void BeforeClass() {
NUnit.Framework.Assume.That("BC".Equals(PROVIDER_NAME));
CreateOrClearDestinationFolder(DESTINATION_FOLDER);
}

Expand All @@ -62,6 +63,7 @@ public static void AfterClass() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void AppendModeTest() {
String fileName = "appendModeTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -76,6 +78,7 @@ public virtual void AppendModeTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void PreserveEncryptionTest() {
String fileName = "preserveEncryptionTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -90,6 +93,7 @@ public virtual void PreserveEncryptionTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void WriterPropertiesTest() {
String fileName = "writerPropertiesTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -107,6 +111,7 @@ public virtual void WriterPropertiesTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void MacShouldNotBePreservedWithEncryptionTest() {
String fileName = "macShouldNotBePreservedWithEncryptionTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -123,6 +128,7 @@ public virtual void MacShouldNotBePreservedWithEncryptionTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void MacShouldNotBePreservedTest() {
String fileName = "macShouldNotBePreservedTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -136,6 +142,7 @@ public virtual void MacShouldNotBePreservedTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void InvalidMacTokenTest() {
String fileName = "invalidMacTokenTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -150,7 +157,14 @@ public virtual void InvalidMacTokenTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void InvalidPublicKeyMacProtectedDocumentTest() {
try {
BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true);
}
catch (Exception) {
NUnit.Framework.Assume.That(false);
}
String fileName = "invalidPublicKeyMacProtectedDocumentTest.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC +
Expand All @@ -168,9 +182,10 @@ public virtual void InvalidPublicKeyMacProtectedDocumentTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadSignedMacProtectedDocumentWithoutAttributeTest() {
String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocWithoutAttribute.pdf"
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocWithoutAttribute.pdf"
, new ReaderProperties().SetPassword(PASSWORD)))) {
}
}
Expand All @@ -179,54 +194,65 @@ public virtual void ReadSignedMacProtectedDocumentWithoutAttributeTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void MacProtectionStrippedTest() {
String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf",
new ReaderProperties().SetPassword(PASSWORD)))) {
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf"
, new ReaderProperties().SetPassword(PASSWORD)))) {
}
}
).Message;
NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_PERMS_WITHOUT_MAC, message);
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadSignedMacProtectedDocumentTest() {
NUnit.Framework.Assert.DoesNotThrow(() => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocument.pdf"
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocument.pdf"
, new ReaderProperties().SetPassword(PASSWORD)))) {
}
}
);
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadThirdPartyMacProtectedDocumentTest() {
NUnit.Framework.Assert.DoesNotThrow(() => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocument.pdf"
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocument.pdf"
, new ReaderProperties().SetPassword(PASSWORD)))) {
}
}
);
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadThirdPartyPublicKeyMacProtectedDocumentTest() {
try {
BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true);
}
catch (Exception) {
NUnit.Framework.Assume.That(false);
}
IPrivateKey privateKey = MacIntegrityProtectorCreationTest.GetPrivateKey(CERTS_SRC + "keyForEncryption.pem"
);
IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC +
"certForEncryption.crt"));
NUnit.Framework.Assert.DoesNotThrow(() => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyPublicKeyMacProtectedDocument.pdf"
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyPublicKeyMacProtectedDocument.pdf"
, new ReaderProperties().SetPublicKeySecurityParams(certificate, privateKey)))) {
}
}
);
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadMacProtectedPdf1_7() {
NUnit.Framework.Assert.DoesNotThrow(() => {
using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocumentPdf1_7.pdf"
using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocumentPdf1_7.pdf"
, new ReaderProperties().SetPassword(PASSWORD)))) {
}
}
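Review bot: `[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]` is attached to every test in this class (and to nearly every test in the other two files), and nothing records why a FIPS-compliance warning is acceptable here. If `Ignore = true` means what its name suggests, the test passes whether or not the warning is logged, so these tests no longer pin which code paths reach MD5 when the FIPS provider is active. A class-level comment such as `// MD5_IS_NOT_FIPS_COMPLIANT may be logged under the FIPS provider only; Ignore = true lets one test body run under both providers` would document the intent, if that is the reason. Where a test is expected to run without touching MD5, leaving the attribute off would keep the warning visible as a regression signal.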
Expand Up @@ -30,11 +30,13 @@ You should have received a copy of the GNU Affero General Public License
using iText.Commons.Utils;
using iText.Kernel.Crypto;
using iText.Kernel.Exceptions;
using iText.Kernel.Logs;
using iText.Kernel.Pdf;
using iText.Kernel.Utils;
using iText.Signatures;
using iText.Signatures.Testutils;
using iText.Test;
using iText.Test.Attributes;

namespace iText.Signatures.Mac {
[NUnit.Framework.Category("BouncyCastleIntegrationTest")]
Expand All @@ -56,11 +58,11 @@ public class SignedDocumentWithMacTest : ExtendedITextTest {

[NUnit.Framework.OneTimeSetUp]
public static void Before() {
NUnit.Framework.Assume.That("BC".Equals(FACTORY.GetProviderName()));
CreateOrClearDestinationFolder(DESTINATION_FOLDER);
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void SignMacProtectedDocTest() {
String fileName = "signMacProtectedDocTest.pdf";
String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf";
Expand All @@ -82,6 +84,7 @@ public virtual void SignMacProtectedDocTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void SignMacProtectedDocInAppendModeTest() {
String fileName = "signMacProtectedDocInAppendModeTest.pdf";
String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf";
Expand All @@ -103,6 +106,7 @@ public virtual void SignMacProtectedDocInAppendModeTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void SignMacProtectedDocWithSHA3_384Test() {
String fileName = "signMacProtectedDocWithSHA3_384Test.pdf";
String srcFileName = SOURCE_FOLDER + "macEncryptedDocSHA3_384.pdf";
Expand All @@ -124,7 +128,14 @@ public virtual void SignMacProtectedDocWithSHA3_384Test() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void SignMacPublicEncryptionDocTest() {
try {
BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true);
}
catch (Exception) {
NUnit.Framework.Assume.That(false);
}
String fileName = "signMacPublicEncryptionDocTest.pdf";
String srcFileName = SOURCE_FOLDER + "macEncryptedWithPublicHandlerDoc.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
Expand All @@ -147,10 +158,11 @@ public virtual void SignMacPublicEncryptionDocTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void ReadSignedMacProtectedInvalidDocTest() {
String srcFileName = SOURCE_FOLDER + "signedMacProtectedInvalidDoc.pdf";
String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(PdfException), () => {
using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
using (PdfDocument ignored = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
(ENCRYPTION_PASSWORD)))) {
}
}
Expand All @@ -160,12 +172,13 @@ public virtual void ReadSignedMacProtectedInvalidDocTest() {
}

[NUnit.Framework.Test]
[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]
public virtual void UpdateSignedMacProtectedDocumentTest() {
String fileName = "updateSignedMacProtectedDocumentTest.pdf";
String srcFileName = SOURCE_FOLDER + "thirdPartyMacProtectedAndSignedDocument.pdf";
String outputFileName = DESTINATION_FOLDER + fileName;
String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName;
using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
using (PdfDocument ignored = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword
(ENCRYPTION_PASSWORD)), new PdfWriter(FileUtil.GetFileOutputStream(outputFileName)), new StampingProperties
().UseAppendMode())) {
}
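Review bot: SignMacPublicEncryptionDocTest probes `IsEncryptionFeatureSupported(0, true)` but, unlike StandaloneMacPublicKeyEncryptionTest in the first file, does not also assume `!IsInApprovedOnlyMode()`, and the diff gives no reason for the difference. If creating public-key encrypted output is skipped in approved-only mode because it depends on a non-approved algorithm, signing a document protected that way may hit the same restriction. If it does not, a one-line comment such as `// reading and signing stay available in approved-only mode; only creating public-key encrypted output is excluded` would record that. The two public-key tests in MacIntegrityProtectorReadingAndRewritingTest differ from the creation test in the same way, and the body of this test continues outside the hunk.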