diff --git a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs index 2aac77d3b8..e46e2cd428 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs @@ -31,10 +31,12 @@ You should have received a copy of the GNU Affero General Public License using iText.Kernel.Crypto; using iText.Kernel.Exceptions; using iText.Kernel.Geom; +using iText.Kernel.Logs; using iText.Kernel.Pdf; using iText.Kernel.Pdf.Annot; using iText.Kernel.Utils; using iText.Test; +using iText.Test.Attributes; namespace iText.Kernel.Mac { [NUnit.Framework.Category("BouncyCastleIntegrationTest")] @@ -54,7 +56,6 @@ public class MacIntegrityProtectorCreationTest : ExtendedITextTest { [NUnit.Framework.OneTimeSetUp] public static void BeforeClass() { - NUnit.Framework.Assume.That("BC".Equals(PROVIDER_NAME)); CreateOrClearDestinationFolder(DESTINATION_FOLDER); } @@ -64,6 +65,7 @@ public static void AfterClass() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacStandardEncryptionTest() { String fileName = "standaloneMacStandardEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -80,6 +82,7 @@ public virtual void StandaloneMacStandardEncryptionTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void MacEncryptionWithAesGsmTest() { String fileName = "macEncryptionWithAesGsmTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; 
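Review bot: `[LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)]` on StandaloneMacStandardEncryptionTest, and on nearly every other test in this commit, carries no explanation of why the warning is expected. As I understand iText's test attribute, `Ignore = true` lets the test pass whether or not the message is logged, so the suite no longer shows which code paths reach MD5. Because the `"BC".Equals(PROVIDER_NAME)` assumption is removed from BeforeClass, these tests now also run against the FIPS provider, where that warning is the main visible signal. A short comment above the attribute would record the reason, for example `// standard-encryption setup logs the MD5 warning under the FIPS provider; not what this test checks` (wording to be confirmed against where the message is emitted). The same applies to the attribute in the later hunks of this file, in MacIntegrityProtectorReadingAndRewritingTest.cs and in SignedDocumentWithMacTest.cs.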
@@ -96,12 +99,13 @@ public virtual void MacEncryptionWithAesGsmTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacUnwritableStreamTest() { MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256, MacProperties.MacAlgorithm .HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD); WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, macProperties); - MemoryStream unwritableStream = new _MemoryStream_124(); + MemoryStream unwritableStream = new _MemoryStream_129(); String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(Exception), () => { using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(unwritableStream, writerProperties))) { pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); @@ -112,8 +116,8 @@ public virtual void StandaloneMacUnwritableStreamTest() { unwritableStream.Dispose(); } - private sealed class _MemoryStream_124 : MemoryStream { - public _MemoryStream_124() { + private sealed class _MemoryStream_129 : MemoryStream { + public _MemoryStream_129() { } public override void Write(byte[] b, int off, int len) { @@ -122,6 +126,7 @@ public override void Write(byte[] b, int off, int len) { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacWithAllHashAlgorithmsTest() { for (int i = 0; i < EnumUtil.GetAllValuesOfEnum().Count; i++) { String fileName = "standaloneMacWithAllHashAlgorithmsTest" + (i + 1) + ".pdf"; 
@@ -142,6 +147,7 @@ public virtual void StandaloneMacWithAllHashAlgorithmsTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacPdfVersionNotSetTest() { String fileName = "standaloneMacPdfVersionNotSetTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -160,6 +166,7 @@ public virtual void StandaloneMacPdfVersionNotSetTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacOldEncryptionAlgorithmTest() { String fileName = "standaloneMacOldEncryptionAlgorithmTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -179,6 +186,13 @@ public virtual void StandaloneMacOldEncryptionAlgorithmTest() { [NUnit.Framework.Test] public virtual void StandaloneMacPublicKeyEncryptionTest() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } + NUnit.Framework.Assume.That(!BouncyCastleFactoryCreator.GetFactory().IsInApprovedOnlyMode()); String fileName = "standaloneMacPublicKeyEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; diff --git a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs index 624f24c1ae..1ce7cd8b9f 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs 
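Review bot: The added `catch (Exception)` around `IsEncryptionFeatureSupported(0, true)` in StandaloneMacPublicKeyEncryptionTest turns every failure of that call, including an unexpected one, into a skipped test with no reason recorded. Passing a reason, `NUnit.Framework.Assume.That(false, "public-key encryption is not supported by the active BouncyCastle factory");`, and catching only the exception type the factory throws for an unsupported feature (not visible in this diff) would stop real regressions from hiding as skips. The same block is repeated in InvalidPublicKeyMacProtectedDocumentTest, ReadThirdPartyPublicKeyMacProtectedDocumentTest and SignMacPublicEncryptionDocTest, so one shared helper would be better than four copies. This test is also the only one of the four without the `MD5_IS_NOT_FIPS_COMPLIANT` LogMessage attribute; if that follows from the `IsInApprovedOnlyMode()` assumption, a comment saying so would help.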
@@ -29,10 +29,12 @@ You should have received a copy of the GNU Affero General Public License using iText.Kernel.Crypto; using iText.Kernel.Exceptions; using iText.Kernel.Geom; +using iText.Kernel.Logs; using iText.Kernel.Pdf; using iText.Kernel.Pdf.Annot; using iText.Kernel.Utils; using iText.Test; +using iText.Test.Attributes; namespace iText.Kernel.Mac { [NUnit.Framework.Category("BouncyCastleIntegrationTest")] @@ -52,7 +54,6 @@ public class MacIntegrityProtectorReadingAndRewritingTest : ExtendedITextTest { [NUnit.Framework.OneTimeSetUp] public static void BeforeClass() { - NUnit.Framework.Assume.That("BC".Equals(PROVIDER_NAME)); CreateOrClearDestinationFolder(DESTINATION_FOLDER); } @@ -62,6 +63,7 @@ public static void AfterClass() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void AppendModeTest() { String fileName = "appendModeTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -76,6 +78,7 @@ public virtual void AppendModeTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void PreserveEncryptionTest() { String fileName = "preserveEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -90,6 +93,7 @@ public virtual void PreserveEncryptionTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void WriterPropertiesTest() { String fileName = "writerPropertiesTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -107,6 +111,7 @@ public virtual void WriterPropertiesTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void MacShouldNotBePreservedWithEncryptionTest() { String fileName = "macShouldNotBePreservedWithEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; 
@@ -123,6 +128,7 @@ public virtual void MacShouldNotBePreservedWithEncryptionTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void MacShouldNotBePreservedTest() { String fileName = "macShouldNotBePreservedTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -136,6 +142,7 @@ public virtual void MacShouldNotBePreservedTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void InvalidMacTokenTest() { String fileName = "invalidMacTokenTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -150,7 +157,14 @@ public virtual void InvalidMacTokenTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void InvalidPublicKeyMacProtectedDocumentTest() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } String fileName = "invalidPublicKeyMacProtectedDocumentTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC + @@ -168,9 +182,10 @@ public virtual void InvalidPublicKeyMacProtectedDocumentTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadSignedMacProtectedDocumentWithoutAttributeTest() { String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocWithoutAttribute.pdf" + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocWithoutAttribute.pdf" , new ReaderProperties().SetPassword(PASSWORD)))) { } } 
@@ -179,10 +194,11 @@ public virtual void ReadSignedMacProtectedDocumentWithoutAttributeTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void MacProtectionStrippedTest() { String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf", - new ReaderProperties().SetPassword(PASSWORD)))) { + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf" + , new ReaderProperties().SetPassword(PASSWORD)))) { } } ).Message; @@ -190,9 +206,10 @@ public virtual void MacProtectionStrippedTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadSignedMacProtectedDocumentTest() { NUnit.Framework.Assert.DoesNotThrow(() => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocument.pdf" + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "signedMacProtectedDocument.pdf" , new ReaderProperties().SetPassword(PASSWORD)))) { } } @@ -200,9 +217,10 @@ public virtual void ReadSignedMacProtectedDocumentTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadThirdPartyMacProtectedDocumentTest() { NUnit.Framework.Assert.DoesNotThrow(() => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocument.pdf" + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocument.pdf" , new ReaderProperties().SetPassword(PASSWORD)))) { } } 
@@ -210,13 +228,20 @@ public virtual void ReadThirdPartyMacProtectedDocumentTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadThirdPartyPublicKeyMacProtectedDocumentTest() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } IPrivateKey privateKey = MacIntegrityProtectorCreationTest.GetPrivateKey(CERTS_SRC + "keyForEncryption.pem" ); IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC + "certForEncryption.crt")); NUnit.Framework.Assert.DoesNotThrow(() => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyPublicKeyMacProtectedDocument.pdf" + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyPublicKeyMacProtectedDocument.pdf" , new ReaderProperties().SetPublicKeySecurityParams(certificate, privateKey)))) { } } @@ -224,9 +249,10 @@ public virtual void ReadThirdPartyPublicKeyMacProtectedDocumentTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadMacProtectedPdf1_7() { NUnit.Framework.Assert.DoesNotThrow(() => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocumentPdf1_7.pdf" + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocumentPdf1_7.pdf" , new ReaderProperties().SetPassword(PASSWORD)))) { } } diff --git a/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs b/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs index 0ae547a083..738f4daf05 100644 --- a/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs +++ b/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs 
@@ -30,11 +30,13 @@ You should have received a copy of the GNU Affero General Public License using iText.Commons.Utils; using iText.Kernel.Crypto; using iText.Kernel.Exceptions; +using iText.Kernel.Logs; using iText.Kernel.Pdf; using iText.Kernel.Utils; using iText.Signatures; using iText.Signatures.Testutils; using iText.Test; +using iText.Test.Attributes; namespace iText.Signatures.Mac { [NUnit.Framework.Category("BouncyCastleIntegrationTest")] @@ -56,11 +58,11 @@ public class SignedDocumentWithMacTest : ExtendedITextTest { [NUnit.Framework.OneTimeSetUp] public static void Before() { - NUnit.Framework.Assume.That("BC".Equals(FACTORY.GetProviderName())); CreateOrClearDestinationFolder(DESTINATION_FOLDER); } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SignMacProtectedDocTest() { String fileName = "signMacProtectedDocTest.pdf"; String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf"; @@ -82,6 +84,7 @@ public virtual void SignMacProtectedDocTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SignMacProtectedDocInAppendModeTest() { String fileName = "signMacProtectedDocInAppendModeTest.pdf"; String srcFileName = SOURCE_FOLDER + "macEncryptedDoc.pdf"; @@ -103,6 +106,7 @@ public virtual void SignMacProtectedDocInAppendModeTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SignMacProtectedDocWithSHA3_384Test() { String fileName = "signMacProtectedDocWithSHA3_384Test.pdf"; String srcFileName = SOURCE_FOLDER + "macEncryptedDocSHA3_384.pdf"; 
@@ -124,7 +128,14 @@ public virtual void SignMacProtectedDocWithSHA3_384Test() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SignMacPublicEncryptionDocTest() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } String fileName = "signMacPublicEncryptionDocTest.pdf"; String srcFileName = SOURCE_FOLDER + "macEncryptedWithPublicHandlerDoc.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; @@ -147,10 +158,11 @@ public virtual void SignMacPublicEncryptionDocTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void ReadSignedMacProtectedInvalidDocTest() { String srcFileName = SOURCE_FOLDER + "signedMacProtectedInvalidDoc.pdf"; String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(PdfException), () => { - using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword + using (PdfDocument ignored = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword (ENCRYPTION_PASSWORD)))) { } } 
@@ -160,12 +172,13 @@ public virtual void ReadSignedMacProtectedInvalidDocTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void UpdateSignedMacProtectedDocumentTest() { String fileName = "updateSignedMacProtectedDocumentTest.pdf"; String srcFileName = SOURCE_FOLDER + "thirdPartyMacProtectedAndSignedDocument.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; - using (PdfDocument document = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword + using (PdfDocument ignored = new PdfDocument(new PdfReader(srcFileName, new ReaderProperties().SetPassword (ENCRYPTION_PASSWORD)), new PdfWriter(FileUtil.GetFileOutputStream(outputFileName)), new StampingProperties ().UseAppendMode())) { } diff --git a/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs b/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs index 434628ff94..8ad6eb745b 100644 --- a/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs +++ b/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs @@ -1236,7 +1236,9 @@ public string CreateEndDate(IX509Certificate certificate) { /// public byte[] GenerateHKDF(byte[] inputKey, byte[] salt, byte[] info) { - throw new NotSupportedException("HKDF algorithm is not supported in bouncy-castle FIPS mode."); + FipsKdf.HKdfKey key = FipsKdf.HKdfKeyBldr.WithSalt(salt).WithPrf(FipsPrfAlgorithm.Sha256HMac).Build(inputKey).WithIV(info); + IKdfCalculator service = CryptoServicesRegistrar.CreateService(key); + return service.GetResult(inputKey.Length).Collect(); } /// 
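Review bot: In GenerateHKDF the derived key length is taken from `inputKey.Length` (`service.GetResult(inputKey.Length)`), so the output size follows whatever key material the caller passes rather than a length the MAC key derivation fixes. If the non-FIPS factory (not shown in this diff) derives a fixed number of bytes, the two providers would disagree for any input of a different length, and a MAC written under one could fail validation under the other. I would pin the length with a named constant, or at least document the coupling with `// derived key has the same length as inputKey; callers are expected to pass a 32-byte key` once that expectation is confirmed. A comment noting that `WithIV(info)` is, presumably, how this builder carries the HKDF info/context bytes would also help, as would confirming how the builder treats a null `salt` or `info`.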
@@ -1247,12 +1249,18 @@ public byte[] GenerateHMACSHA256Token(byte[] key, byte[] data) { /// public byte[] GenerateEncryptedKeyWithAES256NoPad(byte[] key, byte[] kek) { - throw new NotSupportedException("Encrypted key generation with AES256 is not supported in bouncy-castle FIPS mode."); + FipsAes.Key aesKey = new FipsAes.Key(kek); + IBlockCipherService provider = CryptoServicesRegistrar.CreateService((ICryptoServiceType) aesKey); + IKeyWrapper keyWrapper = provider.CreateKeyWrapper(FipsAes.KW); + return keyWrapper.Wrap(key).Collect(); } /// public byte[] GenerateDecryptedKeyWithAES256NoPad(byte[] key, byte[] kek) { - throw new NotSupportedException("Encrypted key generation with AES256 is not supported in bouncy-castle FIPS mode."); + FipsAes.Key aesKey = new FipsAes.Key(kek); + IBlockCipherService provider = CryptoServicesRegistrar.CreateService((ICryptoServiceType) aesKey); + IKeyUnwrapper keyWrapper = provider.CreateKeyUnwrapper(FipsAes.KW); + return keyWrapper.Unwrap(key, 0, key.Length).Collect(); } public IGCMBlockCipher CreateGCMBlockCipher() { diff --git a/port-hash b/port-hash index d6cf904634..e5da40ac4b 100644 --- a/port-hash +++ b/port-hash @@ -1 +1 @@ -84ae14f7d75c09f2d6b698d272f9aa0a422fada1 +ad761fce7804db0efa8672f4fe236215a6c491d0 \ No newline at end of file
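Review bot: Neither GenerateEncryptedKeyWithAES256NoPad nor GenerateDecryptedKeyWithAES256NoPad checks that `kek` is 32 bytes, so the AES-256 in the method names is enforced only by the caller; `new FipsAes.Key(kek)` would presumably accept a 16- or 24-byte key and wrap with a smaller key size. A guard such as `if (kek.Length != 32) throw new ArgumentException("AES-256 key wrap requires a 32-byte KEK", nameof(kek));` at the top of both methods makes the contract explicit. In the decrypt method the local holding the `IKeyUnwrapper` is named `keyWrapper`; `keyUnwrapper` would read correctly. A failed unwrap (wrong KEK or tampered wrapped key) will surface as whatever exception the FIPS library throws, so it is worth confirming that callers report it the same way as on the non-FIPS path, which is not visible here.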