itext
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/CertificateUtil.java‎
Lines changed: 71 additions & 30 deletions b/‎sign/src/main/java/com/itextpdf/signatures/CertificateUtil.java‎
Lines changed: 71 additions & 30 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/DefaultIssuingCertificateRetriever.java‎
Lines changed: 61 additions & 0 deletions b/‎sign/src/main/java/com/itextpdf/signatures/DefaultIssuingCertificateRetriever.java‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/IMissingCertificatesClient.java‎ renamed to ‎sign/src/main/java/com/itextpdf/signatures/IIssuingCertificateRetriever.java‎
Lines changed: 15 additions & 3 deletions b/‎sign/src/main/java/com/itextpdf/signatures/IMissingCertificatesClient.java‎ renamed to ‎sign/src/main/java/com/itextpdf/signatures/IIssuingCertificateRetriever.java‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎sign/src/main/java/com/itextpdf/signatures/MissingCertificatesClient.java‎ renamed to ‎sign/src/main/java/com/itextpdf/signatures/IssuingCertificateRetriever.java‎
Lines changed: 31 additions & 8 deletions b/‎sign/src/main/java/com/itextpdf/signatures/MissingCertificatesClient.java‎ renamed to ‎sign/src/main/java/com/itextpdf/signatures/IssuingCertificateRetriever.java‎
Lines changed: 31 additions & 8 deletions
@@ -128,6 +128,23 @@ public static CRL getCRL(String url) throws IOException, CertificateException, C
         return SignUtils.parseCrlFromStream(new URL(url).openStream());
     }
 
+    /**
+     * Retrieves the URL for the issuer certificate for the given CRL.
+     *
+     * @param crl the CRL response
+     *
+     * @return the URL or null.
+     */
+    public static String getIssuerCertURL(CRL crl) {
+        IASN1Primitive obj;
+        try {
+            obj = getExtensionValue(crl, FACTORY.createExtension().getAuthorityInfoAccess().getId());
+            return getValueFromAIAExtension(obj, SecurityIDs.ID_CA_ISSUERS);
+        } catch (IOException e) {
+            return null;
+        }
+    }
+
     // Online Certificate Status Protocol
 
     /**
@@ -141,22 +158,10 @@ public static String getOCSPURL(X509Certificate certificate) {
         IASN1Primitive obj;
         try {
             obj = getExtensionValue(certificate, FACTORY.createExtension().getAuthorityInfoAccess().getId());
-            if (obj == null) {
-                return null;
-            }
-            IASN1Sequence accessDescriptions = FACTORY.createASN1Sequence(obj);
-            for (int i = 0; i < accessDescriptions.size(); i++) {
-                IASN1Sequence accessDescription = FACTORY.createASN1Sequence(accessDescriptions.getObjectAt(i));
-                IASN1ObjectIdentifier id = FACTORY.createASN1ObjectIdentifier(accessDescription.getObjectAt(0));
-                if (accessDescription.size() == 2 && id != null && SecurityIDs.ID_OCSP.equals(id.getId())) {
-                    IASN1Primitive description = FACTORY.createASN1Primitive(accessDescription.getObjectAt(1));
-                    return getStringFromGeneralName(description);
-                }
-            }
+            return getValueFromAIAExtension(obj, SecurityIDs.ID_OCSP);
         } catch (IOException e) {
             return null;
         }
-        return null;
     }
 
     // Missing certificates in chain
@@ -172,22 +177,10 @@ public static String getIssuerCertURL(X509Certificate certificate) {
         IASN1Primitive obj;
         try {
             obj = getExtensionValue(certificate, FACTORY.createExtension().getAuthorityInfoAccess().getId());
-            if (obj == null) {
-                return null;
-            }
-            IASN1Sequence accessDescriptions = FACTORY.createASN1Sequence(obj);
-            for (int i = 0; i < accessDescriptions.size(); i++) {
-                IASN1Sequence accessDescription = FACTORY.createASN1Sequence(accessDescriptions.getObjectAt(i));
-                IASN1ObjectIdentifier id = FACTORY.createASN1ObjectIdentifier(accessDescription.getObjectAt(0));
-                if (accessDescription.size() == 2 && id != null && SecurityIDs.ID_CA_ISSUERS.equals(id.getId())) {
-                    IASN1Primitive description = FACTORY.createASN1Primitive(accessDescription.getObjectAt(1));
-                    return getStringFromGeneralName(description);
-                }
-            }
+            return getValueFromAIAExtension(obj, SecurityIDs.ID_CA_ISSUERS);
         } catch (IOException e) {
             return null;
         }
-        return null;
     }
 
     // Time Stamp Authority
@@ -245,17 +238,41 @@ static boolean isSelfSigned(X509Certificate certificate) {
      * @param certificate the certificate from which we need the ExtensionValue
      * @param oid         the Object Identifier value for the extension.
      *
-     * @return the extension value as an {@link IASN1Primitive} object
+     * @return the extension value as an {@link IASN1Primitive} object.
      * 
      * @throws IOException
      */
     private static IASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
-        byte[] bytes = SignUtils.getExtensionValueByOid(certificate, oid);
-        if (bytes == null) {
+        return getExtensionValueFromByteArray(SignUtils.getExtensionValueByOid(certificate, oid));
+    }
+
+    /**
+     * @param crl the CRL from which we need the ExtensionValue
+     * @param oid the Object Identifier value for the extension.
+     *
+     * @return the extension value as an {@link IASN1Primitive} object.
+     *
+     * @throws IOException
+     */
+    private static IASN1Primitive getExtensionValue(CRL crl, String oid) throws IOException {
+        return getExtensionValueFromByteArray(SignUtils.getExtensionValueByOid(crl, oid));
+    }
+
+    /**
+     * Converts extension value represented as byte array to {@link IASN1Primitive} object.
+     *
+     * @param extensionValue the extension value as byte array
+     *
+     * @return the extension value as an {@link IASN1Primitive} object.
+     *
+     *  @throws IOException
+     */
+    private static IASN1Primitive getExtensionValueFromByteArray(byte[] extensionValue) throws IOException {
+        if (extensionValue == null) {
             return null;
         }
         IASN1OctetString octs;
-        try (IASN1InputStream aIn = FACTORY.createASN1InputStream(new ByteArrayInputStream(bytes))) {
+        try (IASN1InputStream aIn = FACTORY.createASN1InputStream(new ByteArrayInputStream(extensionValue))) {
             octs = FACTORY.createASN1OctetString(aIn.readObject());
         }
         try (IASN1InputStream aIn = FACTORY.createASN1InputStream(new ByteArrayInputStream(octs.getOctets()))) {
@@ -274,4 +291,28 @@ private static String getStringFromGeneralName(IASN1Primitive names) {
         IASN1TaggedObject taggedObject = FACTORY.createASN1TaggedObject(names);
         return new String(FACTORY.createASN1OctetString(taggedObject, false).getOctets(), StandardCharsets.ISO_8859_1);
     }
+
+    /**
+     * Retrieves accessLocation value for specified accessMethod from the Authority Information Access extension.
+     *
+     * @param extensionValue Authority Information Access extension value
+     * @param accessMethod accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp
+     *
+     * @return the location (URI) of the information.
+     */
+    private static String getValueFromAIAExtension(IASN1Primitive extensionValue, String accessMethod) {
+        if (extensionValue == null) {
+            return null;
+        }
+        IASN1Sequence accessDescriptions = FACTORY.createASN1Sequence(extensionValue);
+        for (int i = 0; i < accessDescriptions.size(); i++) {
+            IASN1Sequence accessDescription = FACTORY.createASN1Sequence(accessDescriptions.getObjectAt(i));
+            IASN1ObjectIdentifier id = FACTORY.createASN1ObjectIdentifier(accessDescription.getObjectAt(0));
+            if (accessDescription.size() == 2 && id != null && accessMethod.equals(id.getId())) {
+                IASN1Primitive description = FACTORY.createASN1Primitive(accessDescription.getObjectAt(1));
+                return getStringFromGeneralName(description);
+            }
+        }
+        return null;
+    }
 }
@@ -0,0 +1,61 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2023 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures;
+
+import java.security.cert.CRL;
+import java.security.cert.Certificate;
+
+/**
+ * Empty {@link IIssuingCertificateRetriever} implementation for compatibility with the older code.
+ */
+class DefaultIssuingCertificateRetriever implements IIssuingCertificateRetriever {
+
+    /**
+     * Creates {@link DefaultIssuingCertificateRetriever} instance.
+     */
+    public DefaultIssuingCertificateRetriever() {
+        // Empty constructor.
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @param chain {@inheritDoc}
+     * @return {@inheritDoc}
+     */
+    @Override
+    public Certificate[] retrieveMissingCertificates(Certificate[] chain) {
+        return chain;
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @param crl {@inheritDoc}
+     * @return {@inheritDoc}
+     */
+    @Override
+    public Certificate[] getCrlIssuerCertificates(CRL crl) {
+        return new Certificate[0];
+    }
+}
@@ -22,19 +22,31 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.signatures;
 
+import java.security.cert.CRL;
 import java.security.cert.Certificate;
 
 /**
- * Interface client to support Certificate Chain with Missing Certificates.
+ * Interface helper to support retrieving CAIssuers certificates from Authority Information Access (AIA) Extension in
+ * order to support certificate chains with missing certificates and getting CRL response issuer certificates.
  */
-public interface IMissingCertificatesClient {
+public interface IIssuingCertificateRetriever {
     /**
-     * Retrieves missing certificates in chain using Authority Information Access (AIA) Extension.
+     * Retrieves missing certificates in chain using certificate Authority Information Access (AIA) Extension.
      *
      * @param chain certificate chain to restore with at least signing certificate.
      *
      * @return full chain of trust or maximum chain that could be restored in case missing certificates cannot be
      * retrieved from AIA extension.
      */
     Certificate[] retrieveMissingCertificates(Certificate[] chain);
+
+    /**
+     * Retrieves certificates that can be used to verify the signature on the CRL response using CRL
+     * Authority Information Access (AIA) Extension.
+     *
+     * @param crl CRL response to retrieve issuer for.
+     *
+     * @return certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.
+     */
+    Certificate[] getCrlIssuerCertificates(CRL crl);
 }
@@ -27,6 +27,7 @@ This file is part of the iText (R) project.
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.security.cert.CRL;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -37,16 +38,16 @@ This file is part of the iText (R) project.
 import org.slf4j.LoggerFactory;
 
 /**
- * {@link IMissingCertificatesClient} default implementation.
+ * {@link IIssuingCertificateRetriever} default implementation.
  */
-public class MissingCertificatesClient implements IMissingCertificatesClient {
+public class IssuingCertificateRetriever implements IIssuingCertificateRetriever {
 
-    private static final Logger LOGGER = LoggerFactory.getLogger(MissingCertificatesClient.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(IssuingCertificateRetriever.class);
 
     /**
-     * Creates {@link MissingCertificatesClient} instance.
+     * Creates {@link IssuingCertificateRetriever} instance.
      */
-    public MissingCertificatesClient() {
+    public IssuingCertificateRetriever() {
         // Empty constructor.
     }
 
@@ -73,7 +74,8 @@ public Certificate[] retrieveMissingCertificates(Certificate[] chain) {
                 i++;
             } else {
                 // Get missing certificates using AIA Extensions
-                Collection<Certificate> certificatesFromAIA = processCertificatesFromAIA(lastAddedCert);
+                String url = CertificateUtil.getIssuerCertURL((X509Certificate) lastAddedCert);
+                Collection<Certificate> certificatesFromAIA = processCertificatesFromAIA(url);
                 if (certificatesFromAIA == null || certificatesFromAIA.isEmpty()) {
                     // Unable to retrieve missing certificates
                     while (i < chain.length) {
@@ -90,6 +92,28 @@ public Certificate[] retrieveMissingCertificates(Certificate[] chain) {
         return fullChain.toArray(new Certificate[0]);
     }
 
+    /**
+     * {@inheritDoc}
+     *
+     * @param crl {@inheritDoc}
+     *
+     * @return {@inheritDoc}
+     */
+    @Override
+    public Certificate[] getCrlIssuerCertificates(CRL crl) {
+        // Usually CRLs are signed using CA certificate, so we don’t need to do anything extra and the revocation data
+        // is already collected. However, it is possible to sign it with any other certificate.
+
+        // IssuingDistributionPoint extension: https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
+        // Nothing special for the indirect CRLs.
+
+        // AIA Extension
+        String url = CertificateUtil.getIssuerCertURL(crl);
+        List<Certificate> certificatesFromAIA = (List<Certificate>) processCertificatesFromAIA(url);
+        return certificatesFromAIA == null ? new Certificate[0] :
+                retrieveMissingCertificates(certificatesFromAIA.toArray(new Certificate[0]));
+    }
+
     /**
      * Get CA issuers certificates represented as {@link InputStream}.
      *
@@ -117,8 +141,7 @@ protected Collection<Certificate> parseCertificates(InputStream certsData) throw
         return SignUtils.readAllCerts(certsData, null);
     }
 
-    private Collection<Certificate> processCertificatesFromAIA(Certificate certificate) {
-        String url = CertificateUtil.getIssuerCertURL((X509Certificate) certificate);
+    private Collection<Certificate> processCertificatesFromAIA(String url) {
         if (url == null) {
             // We don't have any URIs to the issuer certificates in AuthorityInfoAccess extension
             return null;