
Commit f76f859

committed
updated to Bouncycastle.Cryptography and .net 8 libs (solve known vulnerabilities)
1 parent 1bbd338 commit f76f859

15 files changed

+56
-42
lines changed

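--- a/src/core/iTextSharp/text/pdf/PdfPublicKeySecurityHandler.cs
+++ b/src/core/iTextSharp/text/pdf/PdfPublicKeySecurityHandler.cs
@@ -157,11 +157,11 @@ virtual public byte[] GetEncodedRecipient(int index) {
 Asn1Object obj = CreateDERForRecipient(pkcs7input, certificate);
 
 MemoryStream baos = new MemoryStream();
-
-DerOutputStream k = new DerOutputStream(baos);
-
-k.WriteObject(obj);
-
+
+using (var k = Asn1OutputStream.Create(baos, "DER"))
+{
+k.WriteObject(obj);
+}
 cms = baos.ToArray();
 
 recipient.Cms = cms;
@@ -226,7 +226,7 @@ private KeyTransRecipientInfo ComputeRecipientInfo(X509Certificate x509certifica
 new Org.BouncyCastle.Asn1.Cms.IssuerAndSerialNumber(
 tbscertificatestructure.Issuer,
 tbscertificatestructure.SerialNumber.Value);
-IBufferedCipher cipher = CipherUtilities.GetCipher(algorithmidentifier.ObjectID);
+IBufferedCipher cipher = CipherUtilities.GetCipher(algorithmidentifier.Algorithm.Id);
 cipher.Init(true, x509certificate.GetPublicKey());
 byte[] outp = new byte[10000];
 int len = cipher.DoFinal(abyte0, outp, 0);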
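Review bot: In the first hunk the `using` block disposes the Asn1OutputStream before `cms = baos.ToArray()` runs, and if disposing the ASN.1 stream also closes the wrapped MemoryStream (the old DerOutputStream was never closed at all, so this is new behaviour), the call after the block relies on MemoryStream.ToArray() being defined on a closed stream — which it is, but that is easy to break in a later refactor. Either pass `leaveOpen: true` if this BouncyCastle.Cryptography version offers that overload of `Asn1OutputStream.Create`, or add `// MemoryStream.ToArray() is valid after the stream is closed` above the `cms =` line. The explicit "DER" encoding is the right choice for a CMS structure; PdfPKCS7.cs in this same commit calls `Asn1OutputStream.Create(bOut)` without it, so the two sites should agree. GetEncodedRecipient and ComputeRecipientInfo both continue outside these hunks.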

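--- a/src/core/iTextSharp/text/pdf/crypto/AESCipher.cs
+++ b/src/core/iTextSharp/text/pdf/crypto/AESCipher.cs
@@ -56,7 +56,7 @@ public class AESCipherCBCnoPad {
 
 /** Creates a new instance of AESCipher */
 public AESCipherCBCnoPad(bool forEncryption, byte[] key) {
-IBlockCipher aes = new AesFastEngine();
+IBlockCipher aes = new AesLightEngine();
 cbc = new CbcBlockCipher(aes);
 KeyParameter kp = new KeyParameter(key);
 cbc.Init(forEncryption, kp);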
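Review bot: `AesLightEngine` on the added line is still a table-driven software AES (to my knowledge it only shrinks the lookup tables that got AesFastEngine dropped), so the cache-timing concern behind this migration is reduced rather than removed, and it is the slowest of BouncyCastle's engines. With the project now on .NET 8, `IBlockCipher aes = AesUtilities.CreateEngine();` lets BouncyCastle select the AES-NI backed engine where the CPU supports it and fall back to the software engine otherwise — assuming the BouncyCastle.Cryptography version in use exposes `AesUtilities` (2.0 and later do, as far as I know). The context line `/** Creates a new instance of AESCipher */` above the constructor names the wrong class; `/** Creates a new AES-CBC cipher without padding for the given key. */` would match what the body builds.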

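--- a/src/core/iTextSharp/text/pdf/crypto/AESCipherCBCnoPad.cs
+++ b/src/core/iTextSharp/text/pdf/crypto/AESCipherCBCnoPad.cs
@@ -57,9 +57,9 @@ public class AESCipher {
 
 /** Creates a new instance of AESCipher */
 public AESCipher(bool forEncryption, byte[] key, byte[] iv) {
-IBlockCipher aes = new AesFastEngine();
+IBlockCipher aes = new AesLightEngine();
 IBlockCipher cbc = new CbcBlockCipher(aes);
-bp = new PaddedBufferedBlockCipher(cbc);
+bp = new PaddedBufferedBlockCipher(cbc, new Pkcs7Padding());
 KeyParameter kp = new KeyParameter(key);
 ParametersWithIV piv = new ParametersWithIV(kp, iv);
 bp.Init(forEncryption, piv);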
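Review bot: The explicit `new Pkcs7Padding()` on the `bp =` line is, as far as I know, exactly what the removed single-argument PaddedBufferedBlockCipher constructor defaulted to, so decryption of existing documents should be unaffected — worth stating in a comment, e.g. `// PKCS#7 padding: the same default the old one-argument constructor applied`, so nobody later "fixes" it to a different scheme and breaks compatibility. The `AesLightEngine` swap carries the same caveat as in AESCipher.cs: it is a software, table-based engine, and on .NET 8 `AesUtilities.CreateEngine()` would pick the hardware-backed engine when available; whichever engine is chosen, both AES constructors in this directory should obtain it from the same place.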

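--- a/src/core/iTextSharp/text/pdf/security/CertificateUtil.cs
+++ b/src/core/iTextSharp/text/pdf/security/CertificateUtil.cs
@@ -136,7 +136,7 @@ public static String GetOCSPURL(X509Certificate certificate) {
 * @throws IOException
 */
 public static String GetTSAURL(X509Certificate certificate) {
-Asn1OctetString octetString = certificate.GetExtensionValue(SecurityIDs.ID_TSA);
+Asn1OctetString octetString = certificate.GetExtensionValue(new DerObjectIdentifier(SecurityIDs.ID_TSA));
 if (octetString == null)
 return null;
 byte[] der = octetString.GetOctets();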
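Review bot: `new DerObjectIdentifier(SecurityIDs.ID_TSA)` on the changed line re-parses the OID string on every call; since the value is a constant, hoist it into `private static readonly DerObjectIdentifier ID_TSA_OID = new DerObjectIdentifier(SecurityIDs.ID_TSA);` and pass that, or migrate SecurityIDs itself to hold DerObjectIdentifier values now that the BouncyCastle API takes them everywhere. GetTSAURL continues past the hunk.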

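--- a/src/core/iTextSharp/text/pdf/security/CertificateVerification.cs
+++ b/src/core/iTextSharp/text/pdf/security/CertificateVerification.cs
@@ -47,6 +47,7 @@ source product.
 using Org.BouncyCastle.Tsp;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Security.Certificates;
+using Org.BouncyCastle.Asn1;
 namespace iTextSharp.text.pdf.security {
 
 /**
@@ -79,7 +80,8 @@ public static String VerifyCertificate(X509Certificate cert, ICollection<X509Crl
 }
 try {
 // EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
-if (oid == X509Extensions.ExtendedKeyUsage.Id && cert.GetExtendedKeyUsage().Contains("1.3.6.1.5.5.7.3.8")) {
+if (oid == X509Extensions.ExtendedKeyUsage.Id &&
+cert.GetExtendedKeyUsage().Contains(new DerObjectIdentifier("1.3.6.1.5.5.7.3.8"))) {
 continue;
 }
 }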
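Review bot: The changed condition builds the timestamping key-purpose OID from a magic string, while `KeyPurposeID` from the already-imported Org.BouncyCastle.Asn1.X509 namespace provides it — `cert.GetExtendedKeyUsage().Contains(KeyPurposeID.id_kp_timeStamping)` (that spelling is the BouncyCastle.Cryptography 2.x one; older releases used IdKPTimeStamping) reads as the intent and cannot be mistyped. The comment `// EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED` could also say why: a critical EKU extension limited to id-kp-timeStamping must not fail verification of a TSA certificate. `GetExtendedKeyUsage()` returns null when the extension is absent; the `oid ==` test in front presumably guarantees it is present here, but that depends on how `oid` is produced above the hunk. VerifyCertificate starts and ends outside the hunk.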

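--- a/src/core/iTextSharp/text/pdf/security/OcspClientBouncyCastle.cs
+++ b/src/core/iTextSharp/text/pdf/security/OcspClientBouncyCastle.cs
@@ -52,6 +52,7 @@ source product.
 using Org.BouncyCastle.Asn1.Ocsp;
 using iTextSharp.text.error_messages;
 using iTextSharp.text.log;
+using System.Collections.Generic;
 
 namespace iTextSharp.text.pdf.security {
 
@@ -155,7 +156,7 @@ private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigIntege
 gen.AddRequest(id);
 
 // create details for nonce extension
-IDictionary extensions = new Hashtable();
+var extensions = new Dictionary<DerObjectIdentifier, X509Extension>();
 
 extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(PdfEncryption.CreateDocumentId()).GetEncoded()));
 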
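Review bot: The rebuilt extension map is filled on the next (unchanged) line with a nonce taken from `PdfEncryption.CreateDocumentId()`, which is not visible here and, going by its name, is a document-ID generator rather than a cryptographic random source; an OCSP nonce exists only to defeat replay of an older response, so unless CreateDocumentId is already CSPRNG-backed it should come from `RandomNumberGenerator.GetBytes(16)` (System.Security.Cryptography, available on .NET 8). A short comment on the nonce line, `// nonce: fresh random value per request; the responder must echo it back`, would also make it obvious that the verifying side is expected to compare it. GenerateOCSPRequest continues outside the hunk, so I cannot see whether the nonce is checked on the response.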

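--- a/src/core/iTextSharp/text/pdf/security/OcspVerifier.cs
+++ b/src/core/iTextSharp/text/pdf/security/OcspVerifier.cs
@@ -51,7 +51,7 @@ source product.
 using iTextSharp.text.log;
 using Org.BouncyCastle.Asn1.Ocsp;
 using Org.BouncyCastle.Security.Certificates;
-using Org.BouncyCastle.Utilities.Date;
+using Org.BouncyCastle.Asn1;
 
 /**
 * Class that allows you to verify a certificate against
@@ -62,7 +62,8 @@ public class OcspVerifier : RootStoreVerifier {
 /** The Logger instance */
 private static ILogger LOGGER = LoggerFactory.GetLogger(typeof(OcspVerifier));
 
-protected readonly static String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
+protected readonly static String id_kp_OCSPSigning_Raw = "1.3.6.1.5.5.7.3.9";
+protected static DerObjectIdentifier id_kp_OCSPSigning;
 
 /** The list of OCSP responses. */
 protected List<BasicOcspResp> ocsps;
@@ -145,7 +146,7 @@ virtual public bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X50
 continue;
 }
 // check if the OCSP response was valid at the time of signing
-DateTimeObject nextUpdate = resp[i].NextUpdate;
+DateTime? nextUpdate = resp[i].NextUpdate;
 DateTime nextUpdateDate;
 if (nextUpdate == null) {
 nextUpdateDate = resp[i].ThisUpdate.AddSeconds(180);
@@ -203,9 +204,15 @@ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issu
 } catch (Exception ex) {
 continue;
 }
-IList keyPurposes = null;
+IList<Org.BouncyCastle.Asn1.DerObjectIdentifier> keyPurposes = null;
 try {
 keyPurposes = tempCert.GetExtendedKeyUsage();
+if (id_kp_OCSPSigning == null)
+{
+if (DerObjectIdentifier.TryFromID(id_kp_OCSPSigning_Raw, out var id))
+id_kp_OCSPSigning = id;
+}
+
 if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, tempCert)) {
 responderCert = tempCert;
 break;
@@ -247,7 +254,7 @@ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issu
 // validating ocsp signers certificate
 // Check if responders certificate has id-pkix-ocsp-nocheck extension,
 // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
-if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null) {
+if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck) == null) {
 X509Crl crl;
 try {
 X509CrlParser crlParser = new X509CrlParser();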
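Review bot: In the `@@ -203` hunk the OCSP-signing key purpose is resolved lazily inside the candidate-certificate loop: `id_kp_OCSPSigning` is now a mutable `protected static` that stays null until IsValidResponse first runs, it is assigned from an instance method with no synchronization, and if `TryFromID` ever returned false the following `keyPurposes.Contains(id_kp_OCSPSigning)` would quietly compare against null and the loop would never select a responder certificate. Since the OID is a constant, initialize it once at declaration — `protected static readonly DerObjectIdentifier id_kp_OCSPSigning = new DerObjectIdentifier("1.3.6.1.5.5.7.3.9");` (or `KeyPurposeID.id_kp_OCSPSigning` from Org.BouncyCastle.Asn1.X509) — and drop the `_Raw` string and the six-line `if (id_kp_OCSPSigning == null)` block. That also restores the read-only contract the old field gave to subclasses that reference it. IsValidResponse starts before the hunk and continues after it.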

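--- a/src/core/iTextSharp/text/pdf/security/PdfPKCS7.cs
+++ b/src/core/iTextSharp/text/pdf/security/PdfPKCS7.cs
@@ -305,7 +305,7 @@ public PdfPKCS7(byte[] contentsKey, PdfName filterSubtype) {
 EssCertIDv2 cerv2 = cerv2m[0];
 AlgorithmIdentifier ai2 = cerv2.HashAlgorithm;
 byte[] enc2 = signCert.GetEncoded();
-IDigest m2 = DigestUtilities.GetDigest(ai2.ObjectID.Id);
+IDigest m2 = DigestUtilities.GetDigest(ai2.Algorithm.Id);
 byte[] signCertHash = DigestAlgorithms.Digest(m2, enc2);
 byte[] hs2 = cerv2.GetCertHash();
 if (!Arrays.AreEqual(signCertHash, hs2))
@@ -605,10 +605,12 @@ virtual public byte[] GetEncodedPKCS1() {
 else
 digest = sig.GenerateSignature();
 MemoryStream bOut = new MemoryStream();
-
-Asn1OutputStream dout = new Asn1OutputStream(bOut);
-dout.WriteObject(new DerOctetString(digest));
-dout.Close();
+
+using (Asn1OutputStream dout = Asn1OutputStream.Create(bOut))
+{
+dout.WriteObject(new DerOctetString(digest));
+dout.Close();
+}
 
 return bOut.ToArray();
 }
@@ -752,10 +754,12 @@ virtual public byte[] GetEncodedPKCS7(byte[] secondDigest, ITSAClient tsaClient,
 whole.Add(new DerTaggedObject(0, new DerSequence(body)));
 
 MemoryStream bOut = new MemoryStream();
-
-Asn1OutputStream dout = new Asn1OutputStream(bOut);
-dout.WriteObject(new DerSequence(whole));
-dout.Close();
+
+using (Asn1OutputStream dout = Asn1OutputStream.Create(bOut))
+{
+dout.WriteObject(new DerSequence(whole));
+dout.Close();
+}
 
 return bOut.ToArray();
 }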
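Review bot: In both rewritten hunks the `dout.Close()` inside the `using` block is redundant — Dispose at the end of the block does the same work — and `Asn1OutputStream.Create(bOut)` omits the encoding argument that PdfPublicKeySecurityHandler.cs passes in this same commit, so the two sites now differ with no stated reason. A PKCS#7 SignedData and a PKCS#1 octet string that end up in a signature dictionary are expected by verifiers in DER; the Der* element types presumably produce definite-length output either way, but `using (Asn1OutputStream dout = Asn1OutputStream.Create(bOut, "DER"))` states the requirement instead of relying on that. As in the other file, `bOut.ToArray()` after the block depends on MemoryStream.ToArray() being usable on a closed stream (the old code closed it too, via `dout.Close()`), which deserves a one-line comment. GetEncodedPKCS1 and GetEncodedPKCS7 begin outside the hunks.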

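--- a/src/core/iTextSharp/text/pdf/security/SignaturePolicyInfo.cs
+++ b/src/core/iTextSharp/text/pdf/security/SignaturePolicyInfo.cs
@@ -118,7 +118,7 @@ protected internal SignaturePolicyIdentifier ToSignaturePolicyIdentifier() {
 
 signaturePolicyIdentifier = new SignaturePolicyIdentifier(new SignaturePolicyId(
 DerObjectIdentifier.GetInstance(new DerObjectIdentifier(this.PolicyIdentifier.Replace("urn:oid:", ""))),
-new OtherHashAlgAndValue(new AlgorithmIdentifier(algId), new DerOctetString(this.PolicyHash)), spqi));
+new OtherHashAlgAndValue(new AlgorithmIdentifier(new DerObjectIdentifier(algId)), new DerOctetString(this.PolicyHash)), spqi));
 
 return signaturePolicyIdentifier;
 }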
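Review bot: `new DerObjectIdentifier(algId)` on the changed line throws (a FormatException in BouncyCastle.Cryptography 2.x, as far as I know) when the string is not a well-formed OID, and `algId` is computed above the hunk — if it derives from the public policy-hash-algorithm setting rather than from a fixed lookup table, a bad value now surfaces from deep inside ASN.1 construction instead of as a clear argument error. Validating up front with `DerObjectIdentifier.TryFromID(algId, out var algOid)` and throwing an ArgumentException that names the offending property would make the failure actionable. The `DerObjectIdentifier.GetInstance(new DerObjectIdentifier(...))` wrapping on the PolicyIdentifier context line above is redundant for the same reason — GetInstance of an already-constructed OID just returns it. ToSignaturePolicyIdentifier starts outside the hunk.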

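--- a/src/core/iTextSharp/xmp/impl/XmpSerializerRdf.cs
+++ b/src/core/iTextSharp/xmp/impl/XmpSerializerRdf.cs
@@ -1,9 +1,9 @@
 using System.Collections;
 using System.IO;
-using Org.BouncyCastle.Utilities.Collections;
 using iTextSharp.text.xml.simpleparser;
 using iTextSharp.text.xml.xmp;
 using iTextSharp.xmp.options;
+using System.Collections.Generic;
 
 //Copyright (c) 2006, Adobe Systems Incorporated
 //All rights reserved.
@@ -71,8 +71,8 @@ public class XmpSerializerRdf {
 
 /// <summary>
 /// a set of all rdf attribute qualifier </summary>
-internal static readonly ISet RDF_ATTR_QUALIFIER =
-new HashSet(new string[] {XmpConst.XML_LANG, "rdf:resource", "rdf:ID", "rdf:bagID", "rdf:nodeID"});
+internal static readonly HashSet<string> RDF_ATTR_QUALIFIER =
+new HashSet<string> { XmpConst.XML_LANG, "rdf:resource", "rdf:ID", "rdf:bagID", "rdf:nodeID" };
 
 /// <summary>
 /// the stored serialization options </summary>
@@ -339,7 +339,7 @@ private void SerializeCompactRdfSchemas(int level) {
 WriteTreeName();
 
 // Write all necessary xmlns attributes.
-ISet usedPrefixes = new HashSet();
+var usedPrefixes = new HashSet<string>();
 usedPrefixes.Add("xml");
 usedPrefixes.Add("rdf");
 
@@ -739,7 +739,7 @@ private void SerializeCanonicalRdfSchema(XmpNode schemaNode, int level) {
 /// <param name="usedPrefixes"> a set containing currently used prefixes </param>
 /// <param name="indent"> the current indent level </param>
 /// <exception cref="IOException"> Forwards all writer exceptions. </exception>
-private void DeclareUsedNamespaces(XmpNode node, ISet usedPrefixes, int indent) {
+private void DeclareUsedNamespaces(XmpNode node, HashSet<string> usedPrefixes, int indent) {
 if (node.Options.SchemaNode) {
 // The schema node name is the URI, the value is the prefix.
 string prefix = node.Value.Substring(0, node.Value.Length - 1);
@@ -778,7 +778,7 @@ private void DeclareUsedNamespaces(XmpNode node, ISet usedPrefixes, int indent)
 /// <param name="usedPrefixes"> a set containing currently used prefixes </param>
 /// <param name="indent"> the current indent level </param>
 /// <exception cref="IOException"> Forwards all writer exceptions. </exception>
-private void DeclareNamespace(string prefix, string @namespace, ISet usedPrefixes, int indent) {
+private void DeclareNamespace(string prefix, string @namespace, HashSet<string> usedPrefixes, int indent) {
 if (@namespace == null) {
 // prefix contains qname, extract prefix and lookup namespace with prefix
 QName qname = new QName(prefix);
@@ -817,7 +817,7 @@ private void StartOuterRdfDescription(XmpNode schemaNode, int level) {
 Write(RDF_SCHEMA_START);
 WriteTreeName();
 
-ISet usedPrefixes = new HashSet();
+var usedPrefixes = new HashSet<string>();
 usedPrefixes.Add("xml");
 usedPrefixes.Add("rdf");
 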
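Review bot: The two private signatures changed in the `@@ -739` and `@@ -778` hunks now take the concrete `HashSet<string>`; `ISet<string>` from System.Collections.Generic (imported in the first hunk) keeps the generality the old BouncyCastle `ISet` parameter had and lets callers pass any set implementation, e.g. `private void DeclareUsedNamespaces(XmpNode node, ISet<string> usedPrefixes, int indent)`. `HashSet<string>` compares with ordinal equality by default, which presumably matches how the previous non-generic set compared strings if it wrapped a Hashtable — worth a comment on RDF_ATTR_QUALIFIER, `// ordinal comparison: RDF/XML qualifier names are case-sensitive`, since an accidental case-insensitive comparer would change which attributes are treated as qualifiers. `using System.Collections;` survives at the top of the file; if nothing else in the file still needs the non-generic types, it can go with the BouncyCastle import.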
