Add support for transition period and check for incompatible OJ certificates

DEVSIX-9285

Author: Eugene Bochilo

sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java

@@ -142,6 +142,10 @@ public final class SignExceptionMessageConstant {
     public static final String CACHE_ALREADY_INITIALIZED = "Global LOTL service has already been initialized. " +
             "You cannot initialize it again. If you want to use a different configuration, please create a new " +
             "instance of LotlService with the desired properties and use it in ValidatorChainBuilder.";
+    public static final String OFFICIAL_JOURNAL_CERTIFICATES_OUTDATED =
+            "Trusted certificates from Official Journal of European Union are outdated. " +
+            "LOTL file cannot be validated. " +
+            "Please, provide OJ certificates, which match the ones used to sign European Union List of Trusted Lists.";
 
     private SignExceptionMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly

sign/src/main/java/com/itextpdf/signatures/logs/SignLogMessageConstant.java

@@ -47,6 +47,11 @@ public final class SignLogMessageConstant {
     public static final String NO_COUNTRY_SPECIFIC_LOTL_FETCHED = "Zero country specific Lotl files were fetched." ;
     public static final String FAILED_TO_FETCH_EU_JOURNAL_CERTIFICATES = "Problem occurred while fetching " +
             "EU Journal certificates.\n{0}";
+    public static final String OJ_TRANSITION_PERIOD =
+            "Main LOTL file contains two Official Journal of European Union links. " +
+                    "This usually indicates that transition period for Official Journal has started. " +
+                    "Newest version of Official Journal should be used from now on " +
+                    "to retrieve trusted certificates and LOTL location.";
 
     private SignLogMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly

sign/src/main/java/com/itextpdf/signatures/validation/lotl/EuropeanResourceFetcher.java

@@ -57,6 +57,7 @@ public Result getEUJournalCertificates() {
         Result result = new Result();
         EuropeanTrustedListConfigurationFactory factory =
                 EuropeanTrustedListConfigurationFactory.getFactory().get();
+        result.setCurrentlySupportedPublication(factory.getCurrentlySupportedPublication());
 
         SafeCalling.onExceptionLog(
                 () -> result.setCertificates(factory.getCertificates()),
@@ -72,6 +73,7 @@ public Result getEUJournalCertificates() {
     public static class Result {
         private final ValidationReport localReport;
         private List<Certificate> certificates;
+        private String currentlySupportedPublication;
 
         /**
          * Create a new Instance of {@link Result}.
@@ -99,6 +101,15 @@ public List<Certificate> getCertificates() {
             return certificates;
         }
 
+        /**
+         * Gets string constant representing currently used Official Journal publication.
+         *
+         * @return {@link String} constant representing currently used Official Journal publication
+         */
+        public String getCurrentlySupportedPublication() {
+            return currentlySupportedPublication;
+        }
+
         /**
          * Sets the list of certificates.
          *
@@ -107,6 +118,16 @@ public List<Certificate> getCertificates() {
         public void setCertificates(List<Certificate> certificates) {
             this.certificates = certificates;
         }
+
+        /**
+         * Sets string constant representing currently used Official Journal publication.
+         *
+         * @param currentlySuppostedPublication {@link String}
+         * constant representing currently used Official Journal publication
+         */
+        public void setCurrentlySupportedPublication(String currentlySuppostedPublication) {
+            this.currentlySupportedPublication = currentlySuppostedPublication;
+        }
     }
 
 }

sign/src/main/java/com/itextpdf/signatures/validation/lotl/LotlFetchingProperties.java

@@ -148,7 +148,7 @@ public LotlFetchingProperties setCacheStalenessInMilliseconds(long stalenessInMi
      * Gets the calculation function for the cache refresh interval.
      * <p>
      * This function will be used to determine the refresh interval based on the staleness time.
-     * By default, it takes 70% of the staleness time as the refresh interval.
+     * By default, it takes 23% of the staleness time as the refresh interval.
      *
      * @return a function that takes the staleness time in milliseconds and returns the refresh interval in
      * milliseconds.

sign/src/main/java/com/itextpdf/signatures/validation/lotl/LotlService.java

@@ -160,13 +160,14 @@ public void initializeCache() {
         setupTimer();
         EuropeanLotlFetcher.Result mainLotlResult = lotlByteFetcher.fetch();
         if (!mainLotlResult.getLocalReport().getFailures().isEmpty()) {
-            //We throw on main Lotl fetch failure, so we don't proceed to pivot and country specific LOTL fetches
+            // We throw on main LOTL fetch failure, so we don't proceed to pivot and country specific LOTL fetches
             final ReportItem reportItem = mainLotlResult.getLocalReport().getFailures().get(0);
             throw new PdfException(reportItem.getMessage(), reportItem.getExceptionCause());
         }
 
         EuropeanResourceFetcher.Result europeanResourceFetcherEUJournalCertificates =
                 europeanResourceFetcher.getEUJournalCertificates();
+        pivotFetcher.setCurrentJournalUri(europeanResourceFetcherEUJournalCertificates.getCurrentlySupportedPublication());
         PivotFetcher.Result pivotsResult = pivotFetcher.downloadAndValidatePivotFiles(mainLotlResult.getLotlXml(),
                 europeanResourceFetcherEUJournalCertificates.getCertificates());
 
@@ -320,9 +321,11 @@ protected void tryAndRefreshCache() {
         boolean mainLotlFetchSuccessful = false;
         Exception mainLotlFetchException = null;
 
+        String currentJournalUri;
         try {
             EuropeanResourceFetcher.Result europeanResourceFetcherEUJournalCertificates =
                     europeanResourceFetcher.getEUJournalCertificates();
+            currentJournalUri = europeanResourceFetcherEUJournalCertificates.getCurrentlySupportedPublication();
             if (europeanResourceFetcherEUJournalCertificates.getLocalReport().getValidationResult()
                     != ValidationResult.VALID) {
                 throw new PdfException(
@@ -352,6 +355,7 @@ protected void tryAndRefreshCache() {
         if (mainLotlFetchSuccessful) {
             //Only if the main Lotl was fetched successfully, we proceed to re-fetch the new pivot files.
             try {
+                pivotFetcher.setCurrentJournalUri(currentJournalUri);
                 pivotResult = pivotFetcher.downloadAndValidatePivotFiles(
                         mainLotlResult.getLotlXml(),
                         europeanResourceFetcher.getEUJournalCertificates().getCertificates());
@@ -405,11 +409,13 @@ protected void tryAndRefreshCache() {
         }
     }
 
-    PivotFetcher.Result getAndValidatePivotFiles(byte[] lotlXml, List<Certificate> certificates) {
+    PivotFetcher.Result getAndValidatePivotFiles(byte[] lotlXml, List<Certificate> certificates,
+                                                 String currentJournalUri) {
         PivotFetcher.Result result = cache.getPivotResult();
         if (result != null) {
             return result;
         }
+        pivotFetcher.setCurrentJournalUri(currentJournalUri);
         PivotFetcher.Result newResult = pivotFetcher.downloadAndValidatePivotFiles(lotlXml, certificates);
         cache.setPivotResult(newResult);
         return newResult;

sign/src/main/java/com/itextpdf/signatures/validation/lotl/LotlValidator.java

@@ -75,7 +75,7 @@ public ValidationReport validate() {
         report.merge(europeanResult.getLocalReport());
 
         PivotFetcher.Result result = service.getAndValidatePivotFiles(lotl.getLotlXml(),
-                europeanResult.getCertificates());
+                europeanResult.getCertificates(), europeanResult.getCurrentlySupportedPublication());
 
         report.merge(result.getLocalReport());
         if (result.getLocalReport().getValidationResult() != ValidationResult.VALID) {

sign/src/main/java/com/itextpdf/signatures/validation/lotl/PivotFetcher.java

@@ -24,19 +24,24 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.commons.utils.MessageFormatUtil;
 import com.itextpdf.kernel.exceptions.PdfException;
+import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
+import com.itextpdf.signatures.logs.SignLogMessageConstant;
 import com.itextpdf.signatures.validation.SafeCalling;
 import com.itextpdf.signatures.validation.TrustedCertificatesStore;
 import com.itextpdf.signatures.validation.lotl.xml.XmlSaxProcessor;
 import com.itextpdf.signatures.validation.report.ReportItem;
 import com.itextpdf.signatures.validation.report.ValidationReport;
 import com.itextpdf.signatures.validation.report.ValidationReport.ValidationResult;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.ByteArrayInputStream;
 import java.net.URL;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.stream.Collectors;
 
 import static com.itextpdf.signatures.validation.lotl.LotlValidator.LOTL_VALIDATION;
 import static com.itextpdf.signatures.validation.lotl.LotlValidator.LOTL_VALIDATION_UNSUCCESSFUL;
@@ -46,8 +51,10 @@ This file is part of the iText (R) project.
  * This class fetches and validates pivot files from a List of Trusted Lists (Lotl) XML.
  */
 public class PivotFetcher {
+    private static final Logger LOGGER = LoggerFactory.getLogger(PivotFetcher.class);
 
     private final LotlService service;
+    private String currentJournalUri;
 
     /**
      * Constructs a PivotFetcher with the specified LotlService and ValidatorChainBuilder.
@@ -58,6 +65,15 @@ public PivotFetcher(LotlService service) {
         this.service = service;
     }
 
+    /**
+     * Sets {@link String} constant representing currently used Official Journal publication.
+     *
+     * @param currentJournalUri {@link String} constant representing currently used Official Journal publication
+     */
+    public void setCurrentJournalUri(String currentJournalUri) {
+        this.currentJournalUri = currentJournalUri;
+    }
+
     /**
      * Fetches and validates pivot files from the provided Lotl XML.
      *
@@ -70,24 +86,36 @@ public Result downloadAndValidatePivotFiles(byte[] lotlXml, List<Certificate> ce
         if (lotlXml == null) {
             throw new PdfException(LotlValidator.UNABLE_TO_RETRIEVE_LOTL);
         }
-        XmlPivotsHandler pivotsHandler = new XmlPivotsHandler();
-        new XmlSaxProcessor().process(new ByteArrayInputStream(lotlXml), pivotsHandler);
         Result result = new Result();
 
-        List<String> pivotsUrlList = pivotsHandler.getPivots();
+        List<String> pivotsUrlList = getPivotsUrlList(lotlXml);
+        List<String> ojUris = pivotsUrlList.stream()
+                .filter(url -> XmlPivotsHandler.isOfficialJournal(url)).collect(Collectors.toList());
+        if (ojUris.size() > 1) {
+            LOGGER.warn(SignLogMessageConstant.OJ_TRANSITION_PERIOD);
+        }
         result.setPivotUrls(pivotsUrlList);
         List<byte[]> pivotFiles = new ArrayList<>();
 
+        // If we weren't able to find any OJ links, or current OJ uri is null, we process all the pivots.
+        boolean startProcessing = ojUris.isEmpty() || currentJournalUri == null;
         // We need to process pivots backwards.
         for (int i = pivotsUrlList.size() - 1; i >= 0; i--) {
             String pivotUrl = pivotsUrlList.get(i);
-            SafeCalling.onExceptionLog(
-                    () -> pivotFiles.add(service.getResourceRetriever().getByteArrayByUrl(new URL(pivotUrl))),
-                    result.getLocalReport(),
-                    e -> new ReportItem(LOTL_VALIDATION, MessageFormatUtil.format(
-                            UNABLE_TO_RETRIEVE_PIVOT, pivotUrl), e, ReportItem.ReportItemStatus.INVALID));
-            if (result.getLocalReport().getValidationResult() != ValidationResult.VALID) {
-                return result;
+            if (pivotUrl.equals(currentJournalUri)) {
+                // We only need to process pivots which, were created after OJ entry was added.
+                startProcessing = true;
+                continue;
+            }
+            if (startProcessing && !XmlPivotsHandler.isOfficialJournal(pivotUrl)) {
+                SafeCalling.onExceptionLog(
+                        () -> pivotFiles.add(service.getResourceRetriever().getByteArrayByUrl(new URL(pivotUrl))),
+                        result.getLocalReport(),
+                        e -> new ReportItem(LOTL_VALIDATION, MessageFormatUtil.format(
+                                UNABLE_TO_RETRIEVE_PIVOT, pivotUrl), e, ReportItem.ReportItemStatus.INVALID));
+                if (result.getLocalReport().getValidationResult() != ValidationResult.VALID) {
+                    return result;
+                }
             }
         }
 
@@ -107,6 +135,9 @@ public Result downloadAndValidatePivotFiles(byte[] lotlXml, List<Certificate> ce
                 result.getLocalReport().addReportItem(new ReportItem(LOTL_VALIDATION, LOTL_VALIDATION_UNSUCCESSFUL,
                         ReportItem.ReportItemStatus.INVALID));
                 result.getLocalReport().merge(localReport);
+                if (!ojUris.stream().anyMatch(ojUri -> ojUri.equals(currentJournalUri))) {
+                    throw new PdfException(SignExceptionMessageConstant.OFFICIAL_JOURNAL_CERTIFICATES_OUTDATED);
+                }
                 return result;
             }
             XmlCertificateRetriever certificateRetriever = new XmlCertificateRetriever(
@@ -116,6 +147,19 @@ public Result downloadAndValidatePivotFiles(byte[] lotlXml, List<Certificate> ce
         return result;
     }
 
+    /**
+     * Gets list of pivots xml files, including OJ entries.
+     *
+     * @param lotlXml {@code byte} array representing main LOTL file
+     *
+     * @return list of pivots xml files, including OJ entries
+     */
+    protected List<String> getPivotsUrlList(byte[] lotlXml) {
+        XmlPivotsHandler pivotsHandler = new XmlPivotsHandler();
+        new XmlSaxProcessor().process(new ByteArrayInputStream(lotlXml), pivotsHandler);
+        return pivotsHandler.getPivots();
+    }
+
     /**
      * Result class encapsulates the result of the pivot fetching and validation process.
      */

sign/src/main/java/com/itextpdf/signatures/validation/lotl/XmlPivotsHandler.java

@@ -50,8 +50,11 @@ public void startElement(String uri, String localName, String qName, HashMap<Str
     public void endElement(String uri, String localName, String qName) {
         if (XmlTagConstants.SCHEME_INFORMATION_URI.equals(localName)) {
             schemeInformationContext = false;
-        } else if (XmlTagConstants.URI.equals(localName) && isPivot(uriLink.toString())) {
-            pivots.add(uriLink.toString());
+        } else if (XmlTagConstants.URI.equals(localName)) {
+            String uriLinkString = uriLink.toString();
+            if (isPivot(uriLinkString) || isOfficialJournal(uriLinkString)) {
+                pivots.add(uriLinkString);
+            }
         }
     }
 
@@ -66,6 +69,10 @@ public List<String> getPivots() {
         return new ArrayList<>(pivots);
     }
 
+    static boolean isOfficialJournal(String uriLink) {
+        return uriLink.contains("eur-lex.europa.eu");
+    }
+
     private static boolean isPivot(String uriLink) {
         return uriLink.contains("eu-lotl-pivot");
     }

sign/src/test/java/com/itextpdf/signatures/validation/lotl/LotlServiceTest.java

@@ -133,7 +133,7 @@ public Result downloadAndValidatePivotFiles(byte[] lotlXml, List<Certificate> ce
                     }
             );
             f = lotlService.getAndValidatePivotFiles("abc".getBytes(StandardCharsets.UTF_8),
-                    Collections.<Certificate>emptyList());
+                    Collections.<Certificate>emptyList(), null);
         }
         Assertions.assertNotNull(f);
         assertEquals(1, f.getPivotUrls().size());
@@ -215,7 +215,7 @@ protected void tryAndRefreshCache() {
             }
         }) {
             lotlService.setupTimer();
-            Thread.sleep(1000);
+            Thread.sleep(2000);
         }
         Assertions.assertTrue(refreshCounter.get() >= 8,
                 "Refresh counter should be greater than 8, but was: " + refreshCounter.get());