Finalize LOTL API

Add support for GraalVM

Author: guustysebie

pom.xml

@@ -943,7 +943,6 @@
                 <arg>
                   --initialize-at-build-time=org.junit.validator.PublicClassValidator
                   --initialize-at-build-time=org.junit.platform.engine.TestTag
-
                   --initialize-at-run-time=org.bouncycastle.crypto.prng.SP800SecureRandom
                   --initialize-at-run-time=org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV
                   --initialize-at-run-time=org.bouncycastle.jcajce.provider.drbg.DRBG$Default
@@ -953,6 +952,9 @@
                   --enable-all-security-services
                   --enable-url-protocols=http,https,ftp
 
+                  -H:IncludeLocales=en_US
+                  -H:IncludeResourceBundles=org.apache.xml.security.resource.xmlsecurity
+
                   -H:+AddAllCharsets
                   -H:ReflectionConfigurationFiles=${basedir}/../resources/graalvm/reflect-config.json
                   <!-- Graalvm requires VisualStudio 2022 on Windows but it also works with earlier versions.

resources/graalvm/reflect-config.json

@@ -19,11 +19,6 @@
     "allDeclaredConstructors": true,
     "allDeclaredFields": true
   },
-  {
-    "name": "com.itextpdf.commons.utils.JsonUtilTest$ClassWithEnum",
-    "allDeclaredConstructors": true,
-    "allDeclaredFields": true
-  },
   {
     "name": "com.itextpdf.commons.utils.JsonUtilTest$SomeEnum",
     "allDeclaredConstructors": true,
@@ -53,5 +48,154 @@
     "name": "com.itextpdf.styledxmlparser.jsoup.parser.HtmlTreeBuilderState$Constants",
     "allDeclaredConstructors": true,
     "allDeclaredFields": true
+  },
+  {
+    "name": "com.sun.org.apache.xpath.internal.functions.FuncNormalizeSpace",
+    "methods": [
+      {
+        "name": "<init>",
+        "parameterTypes": []
+      }
+    ]
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureDSA",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.c14n.implementations.Canonicalizer20010315OmitComments",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.c14n.implementations.Canonicalizer20010315WithComments",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclWithComments",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1MGF1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA224MGF1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256MGF1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384MGF1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512MGF1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA224",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA256",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA384",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA512",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA224",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureHMAC",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureHMAC$SignatureHMACSHA1",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureHMAC$SignatureHMACSHA256",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureHMAC$SignatureHMACSHA384",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.algorithms.implementations.SignatureHMAC$SignatureHMACSHA512",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.transforms.implementations.TransformXPath",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.transforms.implementations.TransformBase64",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.transforms.implementations.TransformC14NExclusive",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.transforms.implementations.TransformC14NInclusive",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.encryption.XMLCipher",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.encryption.EncryptedKey",
+    "allDeclaredConstructors": true
+  },
+  {
+    "name": "org.apache.xml.security.Init",
+    "allDeclaredConstructors": true
   }
 ]

sign/src/main/java/com/itextpdf/signatures/exceptions/SignExceptionMessageConstant.java

@@ -127,21 +127,21 @@ public final class SignExceptionMessageConstant {
             "and 'addSchemaNameToIgnore' methods. " + "either provide specific countries to process, or provide " +
             "specific countries to ignore (All " + "countries not ignored will be processed). ";
     public static final String STALE_DATA_IS_USED = "Cached data is older then configured staleness. This means that "
-            + "the cache has failed to update automatically for the configured period " + "Please refresh using " +
-            "LotlService#intializeCache, or look into the generated log messages for more " + "details" + " why the " +
+            + "the cache has failed to update automatically for the configured period. Please, refresh using " +
+            "LotlService#intializeCache, or look into the generated log messages for more details on why the " +
             "cache has not been updated.";
     public static final String STALENESS_MUST_BE_POSITIVE = "Staleness must be a positive value. " + "It is used to " +
             "determine how long the cache is valid before it needs to be refreshed.";
     public static final String FAILED_TO_FETCH_LOTL_FOR_COUNTRY =
             "Failed to fetch Lotl for country {0} from {1}. " + "Report {2}";
     public static final String CACHE_NOT_INITIALIZED = "Lotl cache has not been initialized. " + "Please call " +
-            "LotlFetchingProperties#initializeCache before using LotlValidator.\n" + "If you are using a custom Lotl " +
-            "service, " + "please make sure to call #initializeCache on your custom implementation.";
+            "LotlService#initializeGlobalCache if European LOTLs are trusted.\nIf you are using a custom LotlService, "
+            + "please make sure to call LotlService#initializeCache on your custom implementation.";
     public static final String FAILED_TO_FETCH_EU_JOURNAL_CERTIFICATES = "Problem occurred while fetching " + "EU " +
             "Journal certificates.\n{0}";
-    public static final String CACHE_ALREADY_INITIALIZED = "Global Lotl service has already been initialized. " +
+    public static final String CACHE_ALREADY_INITIALIZED = "Global LOTL service has already been initialized. " +
             "You cannot initialize it again. If you want to use a different configuration, please create a new " +
-            "instance " + "of LotlService with the desired properties and use this one in the LotlValidator.";
+            "instance of LotlService with the desired properties and use it in ValidatorChainBuilder.";
 
     private SignExceptionMessageConstant() {
         // Private constructor will prevent the instantiation of this class directly

sign/src/main/java/com/itextpdf/signatures/validation/CertificateChainValidator.java

@@ -89,7 +89,7 @@ protected CertificateChainValidator(ValidatorChainBuilder builder) {
         this.certificateRetriever = builder.getCertificateRetriever();
         this.properties = builder.getProperties();
         this.revocationDataValidator = builder.getRevocationDataValidator();
-        this.lotlTrustedStore = builder.getLotlTrustedstore();
+        this.lotlTrustedStore = builder.getLotlTrustedStore();
     }
 
     /**
@@ -161,8 +161,8 @@ private boolean checkIfCertIsTrusted(ValidationReport result, ValidationContext
     }
 
     private boolean stopValidation(ValidationReport result, ValidationContext context) {
-        return !properties.getContinueAfterFailure(context)
-                && result.getValidationResult() == ValidationReport.ValidationResult.INVALID;
+        return result.getValidationResult() == ValidationResult.INVALID &&
+                !properties.getContinueAfterFailure(context);
     }
 
     private void validateValidityPeriod(ValidationReport result, X509Certificate certificate,

sign/src/main/java/com/itextpdf/signatures/validation/SafeCalling.java

@@ -31,9 +31,13 @@ This file is part of the iText (R) project.
 import java.util.function.Function;
 import java.util.function.Supplier;
 
-final class SafeCalling {
+/**
+ * Utility class to handle exceptions and generate validation report items instead.
+ */
+public final class SafeCalling {
 
-    private SafeCalling() {}
+    private SafeCalling() {
+    }
 
     /**
      * Adds a report item to the report when an exception is thrown in the action.
@@ -43,9 +47,11 @@ private SafeCalling() {}
      * @param reportItemCreator A callback to generate a ReportItem
      */
     public static void onExceptionLog(ThrowingAction action, ValidationReport report,
-                                      Function<Exception, ReportItem> reportItemCreator) {
+            Function<Exception, ReportItem> reportItemCreator) {
         try {
             action.execute();
+        } catch (SafeCallingAvoidantException e) {
+            throw e;
         } catch (Exception e) {
             report.addReportItem(reportItemCreator.apply(e));
         }
@@ -58,14 +64,16 @@ public static void onExceptionLog(ThrowingAction action, ValidationReport report
      * @param defaultValue      The value to return when an exception is thrown
      * @param report            The report to add the ReportItem to
      * @param reportItemCreator A callback to generate a ReportItem
-     * @param <T>
+     * @param <T>               type of return value
      *
      * @return The returned value from the action
      */
     public static <T> T onExceptionLog(ThrowingSupplier<T> action, T defaultValue, ValidationReport report,
-                                       Function<Exception, ReportItem> reportItemCreator) {
+            Function<Exception, ReportItem> reportItemCreator) {
         try {
             return action.get();
+        } catch (SafeCallingAvoidantException e) {
+            throw e;
         } catch (Exception e) {
             report.addReportItem(reportItemCreator.apply(e));
         }
@@ -80,9 +88,11 @@ public static <T> T onExceptionLog(ThrowingSupplier<T> action, T defaultValue, V
      * @param reportItemCreator A callback to generate a ReportItem
      */
     public static void onRuntimeExceptionLog(Action action, ValidationReport report,
-                                             Function<Exception, ReportItem> reportItemCreator) {
+            Function<Exception, ReportItem> reportItemCreator) {
         try {
             action.execute();
+        } catch (SafeCallingAvoidantException e) {
+            throw e;
         } catch (RuntimeException e) {
             report.addReportItem(reportItemCreator.apply(e));
         }
@@ -95,14 +105,16 @@ public static void onRuntimeExceptionLog(Action action, ValidationReport report,
      * @param defaultValue      The value to return when an exception is thrown
      * @param report            The report to add the ReportItem to
      * @param reportItemCreator A callback to generate a ReportItem
-     * @param <T>
+     * @param <T>               type of return value
      *
      * @return The returned value from the action
      */
     public static <T> T onRuntimeExceptionLog(Supplier<T> action, T defaultValue, ValidationReport report,
-                                              Function<Exception, ReportItem> reportItemCreator) {
+            Function<Exception, ReportItem> reportItemCreator) {
         try {
             return action.get();
+        } catch (SafeCallingAvoidantException e) {
+            throw e;
         } catch (RuntimeException e) {
             report.addReportItem(reportItemCreator.apply(e));
         }

sign/src/main/java/com/itextpdf/signatures/validation/SafeCallingAvoidantException.java

@@ -0,0 +1,56 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2025 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.signatures.validation;
+
+import com.itextpdf.kernel.exceptions.PdfException;
+
+/**
+ * In some cases we need to propagate the exception without @{link SafeCalling} mechanism converting it to
+ * report items.
+ * This exception is used to indicate that something actually went wrong and not only the validation report is Invalid,
+ * but an underlying process might be affected.
+ */
+public class SafeCallingAvoidantException extends PdfException {
+
+    /**
+     * Creates a new instance of {@link SafeCallingAvoidantException} with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public SafeCallingAvoidantException(String message) {
+        super(message);
+    }
+
+
+    /**
+     * Creates a new instance of {@link SafeCallingAvoidantException} with the specified detail message
+     *
+     * @param message the detail message.
+     * @param obj     an object for more details.
+     */
+    public SafeCallingAvoidantException(String message, Object obj) {
+        this(message);
+        this.object = obj;
+    }
+
+}