updated to Bouncycastle.Cryptography and .net 8 libs (solve known vulnerabilities)

Author: danielgindi

src/core/iTextSharp/text/pdf/PdfPublicKeySecurityHandler.cs

@@ -157,11 +157,11 @@ virtual public byte[] GetEncodedRecipient(int index) {
             Asn1Object obj = CreateDERForRecipient(pkcs7input, certificate);
 
             MemoryStream baos = new MemoryStream();
-                
-            DerOutputStream k = new DerOutputStream(baos);
-                
-            k.WriteObject(obj);  
-            
+
+            using (var k = Asn1OutputStream.Create(baos, "DER"))
+            {
+                k.WriteObject(obj);
+            }
             cms = baos.ToArray();
 
             recipient.Cms = cms;
@@ -226,7 +226,7 @@ private KeyTransRecipientInfo ComputeRecipientInfo(X509Certificate x509certifica
                 new Org.BouncyCastle.Asn1.Cms.IssuerAndSerialNumber(
                     tbscertificatestructure.Issuer, 
                     tbscertificatestructure.SerialNumber.Value);
-            IBufferedCipher cipher = CipherUtilities.GetCipher(algorithmidentifier.ObjectID);
+            IBufferedCipher cipher = CipherUtilities.GetCipher(algorithmidentifier.Algorithm.Id);
             cipher.Init(true, x509certificate.GetPublicKey());
             byte[] outp = new byte[10000];
             int len = cipher.DoFinal(abyte0, outp, 0);

src/core/iTextSharp/text/pdf/crypto/AESCipher.cs

@@ -56,7 +56,7 @@ public class AESCipherCBCnoPad {
 
         /** Creates a new instance of AESCipher */
         public AESCipherCBCnoPad(bool forEncryption, byte[] key) {
-            IBlockCipher aes = new AesFastEngine();
+            IBlockCipher aes = new AesLightEngine();
             cbc = new CbcBlockCipher(aes);
             KeyParameter kp = new KeyParameter(key);
             cbc.Init(forEncryption, kp);

src/core/iTextSharp/text/pdf/crypto/AESCipherCBCnoPad.cs

@@ -57,9 +57,9 @@ public class AESCipher {
 
         /** Creates a new instance of AESCipher */
         public AESCipher(bool forEncryption, byte[] key, byte[] iv) {
-            IBlockCipher aes = new AesFastEngine();
+            IBlockCipher aes = new AesLightEngine();
             IBlockCipher cbc = new CbcBlockCipher(aes);
-            bp = new PaddedBufferedBlockCipher(cbc);
+            bp = new PaddedBufferedBlockCipher(cbc, new Pkcs7Padding());
             KeyParameter kp = new KeyParameter(key);
             ParametersWithIV piv = new ParametersWithIV(kp, iv);
             bp.Init(forEncryption, piv);

src/core/iTextSharp/text/pdf/security/CertificateUtil.cs

@@ -136,7 +136,7 @@ public static String GetOCSPURL(X509Certificate certificate) {
          * @throws IOException
          */
         public static String GetTSAURL(X509Certificate certificate) {
-            Asn1OctetString octetString = certificate.GetExtensionValue(SecurityIDs.ID_TSA);
+            Asn1OctetString octetString = certificate.GetExtensionValue(new DerObjectIdentifier(SecurityIDs.ID_TSA));
             if (octetString == null)
                 return null;
             byte[] der = octetString.GetOctets();

src/core/iTextSharp/text/pdf/security/CertificateVerification.cs

@@ -47,6 +47,7 @@ source product.
 using Org.BouncyCastle.Tsp;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Security.Certificates;
+using Org.BouncyCastle.Asn1;
 namespace iTextSharp.text.pdf.security {
 
     /**
@@ -79,7 +80,8 @@ public static String VerifyCertificate(X509Certificate cert, ICollection<X509Crl
                 }
                 try {
                     // EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
-                    if (oid == X509Extensions.ExtendedKeyUsage.Id && cert.GetExtendedKeyUsage().Contains("1.3.6.1.5.5.7.3.8")) {
+                    if (oid == X509Extensions.ExtendedKeyUsage.Id &&
+                        cert.GetExtendedKeyUsage().Contains(new DerObjectIdentifier("1.3.6.1.5.5.7.3.8"))) {
                         continue;
                     }
                 }

src/core/iTextSharp/text/pdf/security/OcspClientBouncyCastle.cs

@@ -52,6 +52,7 @@ source product.
 using Org.BouncyCastle.Asn1.Ocsp;
 using iTextSharp.text.error_messages;
 using iTextSharp.text.log;
+using System.Collections.Generic;
 
 namespace iTextSharp.text.pdf.security {
 
@@ -155,7 +156,7 @@ private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigIntege
             gen.AddRequest(id);
 
             // create details for nonce extension
-            IDictionary extensions = new Hashtable();
+            var extensions = new Dictionary<DerObjectIdentifier, X509Extension>();
 
             extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(PdfEncryption.CreateDocumentId()).GetEncoded()));
 

src/core/iTextSharp/text/pdf/security/OcspVerifier.cs

@@ -51,7 +51,7 @@ source product.
 using iTextSharp.text.log;
 using Org.BouncyCastle.Asn1.Ocsp;
 using Org.BouncyCastle.Security.Certificates;
-using Org.BouncyCastle.Utilities.Date;
+using Org.BouncyCastle.Asn1;
 
 /**
  * Class that allows you to verify a certificate against
@@ -62,7 +62,8 @@ public class OcspVerifier : RootStoreVerifier {
         /** The Logger instance */
         private static ILogger LOGGER = LoggerFactory.GetLogger(typeof(OcspVerifier));
 
-        protected readonly static String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
+        protected readonly static String id_kp_OCSPSigning_Raw = "1.3.6.1.5.5.7.3.9";
+        protected static DerObjectIdentifier id_kp_OCSPSigning;
 
 	    /** The list of OCSP responses. */
 	    protected List<BasicOcspResp> ocsps;
@@ -145,7 +146,7 @@ virtual public bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X50
 				    continue;
 			    }
 			    // check if the OCSP response was valid at the time of signing
-                DateTimeObject nextUpdate = resp[i].NextUpdate;
+                DateTime? nextUpdate = resp[i].NextUpdate;
                 DateTime nextUpdateDate;
                 if (nextUpdate == null) {
                     nextUpdateDate = resp[i].ThisUpdate.AddSeconds(180);
@@ -203,9 +204,15 @@ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issu
                         } catch (Exception ex) {
                             continue;
                         }
-                        IList keyPurposes = null;
+                        IList<Org.BouncyCastle.Asn1.DerObjectIdentifier> keyPurposes = null;
                         try {
                             keyPurposes = tempCert.GetExtendedKeyUsage();
+                            if (id_kp_OCSPSigning == null)
+                            {
+                                if (DerObjectIdentifier.TryFromID(id_kp_OCSPSigning_Raw, out var id))
+                                    id_kp_OCSPSigning = id;
+                            }
+
                             if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, tempCert)) {
                                 responderCert = tempCert;
                                 break;
@@ -247,7 +254,7 @@ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issu
             // validating ocsp signers certificate
             // Check if responders certificate has id-pkix-ocsp-nocheck extension,
             // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
-            if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null) {
+            if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck) == null) {
                 X509Crl crl;
                 try {
                     X509CrlParser crlParser = new X509CrlParser();

src/core/iTextSharp/text/pdf/security/PdfPKCS7.cs

@@ -305,7 +305,7 @@ public PdfPKCS7(byte[] contentsKey, PdfName filterSubtype) {
                         EssCertIDv2 cerv2 = cerv2m[0];
                         AlgorithmIdentifier ai2 = cerv2.HashAlgorithm;
                         byte[] enc2 = signCert.GetEncoded();
-                        IDigest m2 = DigestUtilities.GetDigest(ai2.ObjectID.Id);
+                        IDigest m2 = DigestUtilities.GetDigest(ai2.Algorithm.Id);
                         byte[] signCertHash = DigestAlgorithms.Digest(m2, enc2);
                         byte[] hs2 = cerv2.GetCertHash();
                         if (!Arrays.AreEqual(signCertHash, hs2))
@@ -605,10 +605,12 @@ virtual public byte[] GetEncodedPKCS1() {
             else
                 digest = sig.GenerateSignature();
             MemoryStream bOut = new MemoryStream();
-            
-            Asn1OutputStream dout = new Asn1OutputStream(bOut);
-            dout.WriteObject(new DerOctetString(digest));
-            dout.Close();
+
+            using (Asn1OutputStream dout = Asn1OutputStream.Create(bOut))
+            {
+                dout.WriteObject(new DerOctetString(digest));
+                dout.Close();
+            }
 
             return bOut.ToArray();
         }
@@ -752,10 +754,12 @@ virtual public byte[] GetEncodedPKCS7(byte[] secondDigest, ITSAClient tsaClient,
             whole.Add(new DerTaggedObject(0, new DerSequence(body)));
 
             MemoryStream bOut = new MemoryStream();
-            
-            Asn1OutputStream dout = new Asn1OutputStream(bOut);
-            dout.WriteObject(new DerSequence(whole));
-            dout.Close();
+
+            using (Asn1OutputStream dout = Asn1OutputStream.Create(bOut))
+            {
+                dout.WriteObject(new DerSequence(whole));
+                dout.Close();
+            }
 
             return bOut.ToArray();
         }

src/core/iTextSharp/text/pdf/security/SignaturePolicyInfo.cs

@@ -118,7 +118,7 @@ protected internal SignaturePolicyIdentifier ToSignaturePolicyIdentifier() {
 
             signaturePolicyIdentifier = new SignaturePolicyIdentifier(new SignaturePolicyId(
                         DerObjectIdentifier.GetInstance(new DerObjectIdentifier(this.PolicyIdentifier.Replace("urn:oid:", ""))),
-                        new OtherHashAlgAndValue(new AlgorithmIdentifier(algId), new DerOctetString(this.PolicyHash)), spqi));
+                        new OtherHashAlgAndValue(new AlgorithmIdentifier(new DerObjectIdentifier(algId)), new DerOctetString(this.PolicyHash)), spqi));
 
             return signaturePolicyIdentifier;
         }

src/core/iTextSharp/xmp/impl/XmpSerializerRdf.cs

@@ -1,9 +1,9 @@
 using System.Collections;
 using System.IO;
-using Org.BouncyCastle.Utilities.Collections;
 using iTextSharp.text.xml.simpleparser;
 using iTextSharp.text.xml.xmp;
 using iTextSharp.xmp.options;
+using System.Collections.Generic;
 
 //Copyright (c) 2006, Adobe Systems Incorporated
 //All rights reserved.
@@ -71,8 +71,8 @@ public class XmpSerializerRdf {
 
         /// <summary>
         /// a set of all rdf attribute qualifier </summary>
-        internal static readonly ISet RDF_ATTR_QUALIFIER =
-            new HashSet(new string[] {XmpConst.XML_LANG, "rdf:resource", "rdf:ID", "rdf:bagID", "rdf:nodeID"});
+        internal static readonly HashSet<string> RDF_ATTR_QUALIFIER =
+            new HashSet<string> { XmpConst.XML_LANG, "rdf:resource", "rdf:ID", "rdf:bagID", "rdf:nodeID" };
 
         /// <summary>
         /// the stored serialization options </summary>
@@ -339,7 +339,7 @@ private void SerializeCompactRdfSchemas(int level) {
             WriteTreeName();
 
             // Write all necessary xmlns attributes.
-            ISet usedPrefixes = new HashSet();
+            var usedPrefixes = new HashSet<string>();
             usedPrefixes.Add("xml");
             usedPrefixes.Add("rdf");
 
@@ -739,7 +739,7 @@ private void SerializeCanonicalRdfSchema(XmpNode schemaNode, int level) {
         /// <param name="usedPrefixes"> a set containing currently used prefixes </param>
         /// <param name="indent"> the current indent level </param>
         /// <exception cref="IOException"> Forwards all writer exceptions. </exception>
-        private void DeclareUsedNamespaces(XmpNode node, ISet usedPrefixes, int indent) {
+        private void DeclareUsedNamespaces(XmpNode node, HashSet<string> usedPrefixes, int indent) {
             if (node.Options.SchemaNode) {
                 // The schema node name is the URI, the value is the prefix.
                 string prefix = node.Value.Substring(0, node.Value.Length - 1);
@@ -778,7 +778,7 @@ private void DeclareUsedNamespaces(XmpNode node, ISet usedPrefixes, int indent)
         /// <param name="usedPrefixes"> a set containing currently used prefixes </param>
         /// <param name="indent"> the current indent level </param>
         /// <exception cref="IOException"> Forwards all writer exceptions. </exception>
-        private void DeclareNamespace(string prefix, string @namespace, ISet usedPrefixes, int indent) {
+        private void DeclareNamespace(string prefix, string @namespace, HashSet<string> usedPrefixes, int indent) {
             if (@namespace == null) {
                 // prefix contains qname, extract prefix and lookup namespace with prefix
                 QName qname = new QName(prefix);
@@ -817,7 +817,7 @@ private void StartOuterRdfDescription(XmpNode schemaNode, int level) {
             Write(RDF_SCHEMA_START);
             WriteTreeName();
 
-            ISet usedPrefixes = new HashSet();
+            var usedPrefixes = new HashSet<string>();
             usedPrefixes.Add("xml");
             usedPrefixes.Add("rdf");