Improved AwsKmsSignature to also support RSASSA-PSS

AwsKmsSignature does not reject the AWS RSASSA_PSS_SHA_* signing algorithms anymore. Instead it returns algorithm identification data for proper iText 8 RSASSA-PSS signatures. The AWS KMS TestSignSimple test suite got a new test testSignSimpleRsaSsaPss that tests AwsKmsSignature for RSASSA-PSS. The former test testSignSimpleRsaSsaPss which tests AwsKmsSignatureContainer for RSASSA-PSS, has been renamed to testSignSimpleRsaSsaPssExternal. Added BouncyCastle adapter to make AWS KMS tests runnable DEVSIX-7804

Author: mkl-public

aws-kms/pom.xml

@@ -49,6 +49,11 @@
 <artifactId>aws-sdk-java</artifactId>
 <version>${awssdk.version}</version>
 </dependency>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>bouncy-castle-adapter</artifactId>
+<scope>test</scope>
+</dependency>
 <dependency>
 <groupId>org.junit.jupiter</groupId>
 <artifactId>junit-jupiter-api</artifactId>

aws-kms/src/main/java/com/itextpdf/signingexamples/aws/kms/AwsKmsSignature.java

@@ -1,10 +1,14 @@
 package com.itextpdf.signingexamples.aws.kms;
 
 import java.security.GeneralSecurityException;
+import java.util.List;
+import java.util.function.Function;
 
 import com.itextpdf.signatures.IExternalSignature;
 
 import com.itextpdf.signatures.ISignatureMechanismParams;
+import com.itextpdf.signatures.RSASSAPSSMechanismParams;
+
 import software.amazon.awssdk.core.SdkBytes;
 import software.amazon.awssdk.services.kms.KmsClient;
 import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest;
@@ -19,26 +23,29 @@
  */
 public class AwsKmsSignature implements IExternalSignature {
  public AwsKmsSignature(String keyId) {
+ this(keyId, a -> a != null && a.size() > 0 ? a.get(0) : null);
+ }
+
+ public AwsKmsSignature(String keyId, Function<List<SigningAlgorithmSpec>, SigningAlgorithmSpec> selector) {
  this.keyId = keyId;
 
  try ( KmsClient kmsClient = KmsClient.create() ) {
  GetPublicKeyRequest getPublicKeyRequest = GetPublicKeyRequest.builder()
  .keyId(keyId)
  .build();
  GetPublicKeyResponse getPublicKeyResponse = kmsClient.getPublicKey(getPublicKeyRequest);
- signingAlgorithmSpec = getPublicKeyResponse.signingAlgorithms().get(0);
+ signingAlgorithmSpec = selector.apply(getPublicKeyResponse.signingAlgorithms());
  switch(signingAlgorithmSpec) {
  case ECDSA_SHA_256:
  case ECDSA_SHA_384:
  case ECDSA_SHA_512:
  case RSASSA_PKCS1_V1_5_SHA_256:
  case RSASSA_PKCS1_V1_5_SHA_384:
  case RSASSA_PKCS1_V1_5_SHA_512:
- break;
  case RSASSA_PSS_SHA_256:
  case RSASSA_PSS_SHA_384:
  case RSASSA_PSS_SHA_512:
- throw new IllegalArgumentException(String.format("Signing algorithm %s not supported directly by iText", signingAlgorithmSpec));
+ break;
  default:
  throw new IllegalArgumentException(String.format("Unknown signing algorithm: %s", signingAlgorithmSpec));
  }
@@ -50,12 +57,15 @@ public String getDigestAlgorithmName() {
  switch(signingAlgorithmSpec) {
  case ECDSA_SHA_256:
  case RSASSA_PKCS1_V1_5_SHA_256:
+ case RSASSA_PSS_SHA_256:
  return "SHA-256";
  case ECDSA_SHA_384:
  case RSASSA_PKCS1_V1_5_SHA_384:
+ case RSASSA_PSS_SHA_384:
  return "SHA-384";
  case ECDSA_SHA_512:
  case RSASSA_PKCS1_V1_5_SHA_512:
+ case RSASSA_PSS_SHA_512:
  return "SHA-512";
  default:
  return null;
@@ -73,14 +83,34 @@ public String getSignatureAlgorithmName() {
  case RSASSA_PKCS1_V1_5_SHA_384:
  case RSASSA_PKCS1_V1_5_SHA_512:
  return "RSA";
+ case RSASSA_PSS_SHA_256:
+ case RSASSA_PSS_SHA_384:
+ case RSASSA_PSS_SHA_512:
+ return "RSASSA-PSS";
  default:
  return null;
  }
  }
 
  @Override
  public ISignatureMechanismParams getSignatureMechanismParameters() {
- return null;
+ switch (signingAlgorithmSpec)
+ {
+ case RSASSA_PSS_SHA_256:
+ return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-256");
+ case RSASSA_PSS_SHA_384:
+ return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-384");
+ case RSASSA_PSS_SHA_512:
+ return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-512");
+ case ECDSA_SHA_256:
+ case ECDSA_SHA_384:
+ case ECDSA_SHA_512:
+ case RSASSA_PKCS1_V1_5_SHA_256:
+ case RSASSA_PKCS1_V1_5_SHA_384:
+ case RSASSA_PKCS1_V1_5_SHA_512:
+ default:
+ return null;
+ }
  }
 
  @Override

aws-kms/src/test/java/com/itextpdf/signingexamples/aws/kms/TestSignSimple.java

@@ -49,7 +49,7 @@ void testSignSimpleRsa() throws IOException, GeneralSecurityException {
  PdfSigner pdfSigner = new PdfSigner(pdfReader, result, new StampingProperties().useAppendMode());
 
  IExternalDigest externalDigest = new BouncyCastleDigest();
- pdfSigner.signDetached(externalDigest , signature, new Certificate[] {certificate}, null, null, null, 0, CryptoStandard.CMS);
+ pdfSigner.signDetached(externalDigest, signature, new Certificate[] {certificate}, null, null, null, 0, CryptoStandard.CMS);
  }
  }
 
@@ -65,22 +65,23 @@ void testSignSimpleEcdsa() throws IOException, GeneralSecurityException {
  PdfSigner pdfSigner = new PdfSigner(pdfReader, result, new StampingProperties().useAppendMode());
 
  IExternalDigest externalDigest = new BouncyCastleDigest();
- pdfSigner.signDetached(externalDigest , signature, new Certificate[] {certificate}, null, null, null, 0, CryptoStandard.CMS);
+ pdfSigner.signDetached(externalDigest, signature, new Certificate[] {certificate}, null, null, null, 0, CryptoStandard.CMS);
  }
  }
 
  @Test
  void testSignSimpleRsaSsaPss() throws IOException, GeneralSecurityException {
  String keyId = "alias/SigningExamples-RSA_2048";
- X509Certificate certificate = CertificateUtils.generateSelfSignedCertificate(keyId, "CN=AWS KMS PDF Signing Test,OU=mkl tests,O=mkl", TestSignSimple::selectRsaSsaPss);
- AwsKmsSignatureContainer signatureContainer = new AwsKmsSignatureContainer(certificate, keyId, TestSignSimple::selectRsaSsaPss);
+ AwsKmsSignature signature = new AwsKmsSignature(keyId, TestSignSimple::selectRsaSsaPss);
+ Certificate certificate = CertificateUtils.generateSelfSignedCertificate(keyId, "CN=AWS KMS PDF Signing Test,OU=mkl tests,O=mkl");
 
  try ( InputStream resource = getClass().getResourceAsStream("/circles.pdf");
  PdfReader pdfReader = new PdfReader(resource);
  OutputStream result = new FileOutputStream(new File(RESULT_FOLDER, "circles-aws-kms-signed-simple-RSASSA_PSS.pdf"))) {
  PdfSigner pdfSigner = new PdfSigner(pdfReader, result, new StampingProperties().useAppendMode());
 
- pdfSigner.signExternalContainer(signatureContainer, 8192);
+ IExternalDigest externalDigest = new BouncyCastleDigest();
+ pdfSigner.signDetached(externalDigest, signature, new Certificate[] {certificate}, null, null, null, 0, CryptoStandard.CMS);
  }
  }
 
@@ -91,6 +92,21 @@ static SigningAlgorithmSpec selectRsaSsaPss (List<SigningAlgorithmSpec> specs) {
  return null;
  }
 
+ @Test
+ void testSignSimpleRsaSsaPssExternal() throws IOException, GeneralSecurityException {
+ String keyId = "alias/SigningExamples-RSA_2048";
+ X509Certificate certificate = CertificateUtils.generateSelfSignedCertificate(keyId, "CN=AWS KMS PDF Signing Test,OU=mkl tests,O=mkl", TestSignSimple::selectRsaSsaPss);
+ AwsKmsSignatureContainer signatureContainer = new AwsKmsSignatureContainer(certificate, keyId, TestSignSimple::selectRsaSsaPss);
+
+ try ( InputStream resource = getClass().getResourceAsStream("/circles.pdf");
+ PdfReader pdfReader = new PdfReader(resource);
+ OutputStream result = new FileOutputStream(new File(RESULT_FOLDER, "circles-aws-kms-signed-simple-RSASSA_PSS-External.pdf"))) {
+ PdfSigner pdfSigner = new PdfSigner(pdfReader, result, new StampingProperties().useAppendMode());
+
+ pdfSigner.signExternalContainer(signatureContainer, 8192);
+ }
+ }
+
  @Test
  void testSignSimpleEcdsaExternal() throws IOException, GeneralSecurityException {
  String keyId = "alias/SigningExamples-ECC_NIST_P256";