SIVA-760 Validate 'not granted ASiC-S timestamp tokens at POE time' as valid but with warnings

Author: ivoMattus

siva-parent/siva-validation-proxy/src/main/java/ee/openeid/siva/proxy/ContainerValidationProxy.java

@@ -189,6 +189,7 @@ private SimpleReport mergeReports(SimpleReport timeStampTokenReport, SimpleRepor
             dataFileReport.getValidationConclusion().setSignatureForm(timeStampTokenReport.getValidationConclusion().getSignatureForm());
             dataFileReport.getValidationConclusion().setValidatedDocument(timeStampTokenReport.getValidationConclusion().getValidatedDocument());
             dataFileReport.getValidationConclusion().setValidationTime(timeStampTokenReport.getValidationConclusion().getValidationTime());
+            dataFileReport.getValidationConclusion().setValidationWarnings(timeStampTokenReport.getValidationConclusion().getValidationWarnings());
             return dataFileReport;
         }
         return timeStampTokenReport;

validation-services-parent/timestamptoken-validation-service/src/main/java/ee/openeid/validation/service/timestamptoken/TimeStampTokenValidationService.java

@@ -28,6 +28,7 @@
 import ee.openeid.siva.validation.service.signature.policy.properties.ConstraintDefinedPolicy;
 import ee.openeid.tsl.configuration.AlwaysFailingCRLSource;
 import ee.openeid.tsl.configuration.AlwaysFailingOCSPSource;
+import ee.openeid.validation.service.timestamptoken.util.TimestampNotGrantedValidationUtils;
 import ee.openeid.validation.service.timestamptoken.validator.report.TimeStampTokenValidationReportBuilder;
 import eu.europa.esig.dss.asic.cades.validation.ASiCContainerWithCAdESValidator;
 import eu.europa.esig.dss.enumerations.MimeType;
@@ -88,6 +89,7 @@ public Reports validateDocument(ValidationDocument validationDocument) {
 
             final ConstraintDefinedPolicy policy = signaturePolicyService.getPolicy(validationDocument.getSignaturePolicy());
             final eu.europa.esig.dss.validation.reports.Reports reports = validator.validateDocument(policy.getConstraintDataStream());
+            TimestampNotGrantedValidationUtils.convertNotGrantedErrorsToWarnings(reports);
 
             return new TimeStampTokenValidationReportBuilder(
                 reports,

validation-services-parent/timestamptoken-validation-service/src/main/java/ee/openeid/validation/service/timestamptoken/util/TimestampNotGrantedValidationUtils.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright 2024 Riigi Infosüsteemi Amet
+ *
+ * Licensed under the EUPL, Version 1.1 or – as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ *
+ * https://joinup.ec.europa.eu/software/page/eupl
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
+ * distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and limitations under the Licence.
+ */
+
+package ee.openeid.validation.service.timestamptoken.util;
+
+import ee.openeid.siva.validation.document.report.ValidationWarning;
+import ee.openeid.siva.validation.document.report.Warning;
+import eu.europa.esig.dss.enumerations.Indication;
+import eu.europa.esig.dss.i18n.I18nProvider;
+import eu.europa.esig.dss.i18n.MessageTag;
+import eu.europa.esig.dss.simplereport.jaxb.XmlDetails;
+import eu.europa.esig.dss.simplereport.jaxb.XmlMessage;
+import eu.europa.esig.dss.simplereport.jaxb.XmlTimestamp;
+import eu.europa.esig.dss.simplereport.jaxb.XmlToken;
+import eu.europa.esig.dss.validation.reports.Reports;
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+import org.apache.commons.collections4.CollectionUtils;
+
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Objects;
+import java.util.function.Consumer;
+import java.util.function.Function;
+import java.util.function.Predicate;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public final class TimestampNotGrantedValidationUtils {
+    private static final String NOT_GRANTED_AT_MESSAGE_TAG = MessageTag.QUAL_HAS_GRANTED_AT_ANS.getId();
+    private static final String NOT_GRANTED_AT_TST_POE_TIME_MESSAGE_TEXT = new I18nProvider()
+            .getMessage(MessageTag.QUAL_HAS_GRANTED_AT_ANS, MessageTag.VT_TST_POE_TIME);
+
+    private static final Predicate<String> NOT_GRANTED_TEXT_PREDICATE = NOT_GRANTED_AT_TST_POE_TIME_MESSAGE_TEXT::equals;
+    private static final Predicate<XmlMessage> NOT_GRANTED_MESSAGE_PREDICATE = message -> message != null &&
+            NOT_GRANTED_AT_MESSAGE_TAG.equals(message.getKey()) && NOT_GRANTED_TEXT_PREDICATE.test(message.getValue());
+
+    private static final String NOT_GRANTED_CONTAINER_WARNING = "Found a timestamp token not related to granted status."
+            + " If not yet covered with a fresh timestamp token, this container might become invalid in the future.";
+
+    public static void convertNotGrantedErrorsToWarnings(Reports reports) {
+        doForEachTimestampInSimpleReportJaxb(reports, timestamp -> {
+            if (isValidWithOneQualificationError(timestamp)) {
+                convertErrorsToWarnings(timestamp.getQualificationDetails(), NOT_GRANTED_MESSAGE_PREDICATE);
+            }
+        });
+    }
+
+    public static ValidationWarning getValidationWarningIfNotGrantedTimestampExists(List<Warning> timestampWarnings) {
+        if (containsMessage(timestampWarnings, Warning::getContent, NOT_GRANTED_TEXT_PREDICATE)) {
+            return new ValidationWarning(NOT_GRANTED_CONTAINER_WARNING);
+        } else {
+            return null;
+        }
+    }
+
+    private static void doForEachTimestampInSimpleReportJaxb(Reports reports, Consumer<XmlTimestamp> timestampProcessor) {
+        for (XmlToken token : reports.getSimpleReportJaxb().getSignatureOrTimestampOrEvidenceRecord()) {
+            if (token instanceof XmlTimestamp) {
+                timestampProcessor.accept((XmlTimestamp) token);
+            }
+        }
+    }
+
+    private static boolean isValidWithOneQualificationError(XmlTimestamp timestamp) {
+        return Indication.PASSED.equals(timestamp.getIndication()) &&
+                hasNoErrors(timestamp.getAdESValidationDetails()) &&
+                getErrorCount(timestamp.getQualificationDetails()) == 1;
+    }
+
+    private static void convertErrorsToWarnings(XmlDetails details, Predicate<XmlMessage> messageFilter) {
+        if (details == null || CollectionUtils.isEmpty(details.getError())) {
+            return;
+        }
+
+        Iterator<XmlMessage> errorsIterator = details.getError().iterator();
+
+        while (errorsIterator.hasNext()) {
+            XmlMessage errorMessage = errorsIterator.next();
+
+            if (messageFilter.test(errorMessage)) {
+                errorsIterator.remove();
+                details.getWarning().add(errorMessage);
+            }
+        }
+    }
+
+    private static boolean hasErrors(XmlDetails details) {
+        return (details != null) && CollectionUtils.isNotEmpty(details.getError());
+    }
+
+    private static boolean hasNoErrors(XmlDetails details) {
+        return !hasErrors(details);
+    }
+
+    private static int getErrorCount(XmlDetails details) {
+        return (details != null)
+                ? CollectionUtils.size(details.getError())
+                : 0;
+    }
+
+    private static <E> boolean containsMessage(
+            Collection<E> collection,
+            Function<E, String> messageMapper,
+            Predicate<String> messageFilter
+    ) {
+        return CollectionUtils.isNotEmpty(collection) && collection.stream()
+                .filter(Objects::nonNull)
+                .map(messageMapper)
+                .filter(Objects::nonNull)
+                .anyMatch(messageFilter);
+    }
+}

validation-services-parent/timestamptoken-validation-service/src/main/java/ee/openeid/validation/service/timestamptoken/validator/report/TimeStampTokenValidationReportBuilder.java

@@ -17,11 +17,22 @@
 package ee.openeid.validation.service.timestamptoken.validator.report;
 
 import ee.openeid.siva.validation.document.ValidationDocument;
+import ee.openeid.siva.validation.document.report.Certificate;
+import ee.openeid.siva.validation.document.report.CertificateType;
+import ee.openeid.siva.validation.document.report.DetailedReport;
+import ee.openeid.siva.validation.document.report.DiagnosticReport;
 import ee.openeid.siva.validation.document.report.Error;
-import ee.openeid.siva.validation.document.report.*;
+import ee.openeid.siva.validation.document.report.Reports;
+import ee.openeid.siva.validation.document.report.Scope;
+import ee.openeid.siva.validation.document.report.SimpleReport;
+import ee.openeid.siva.validation.document.report.TimeStampTokenValidationData;
+import ee.openeid.siva.validation.document.report.ValidationConclusion;
+import ee.openeid.siva.validation.document.report.ValidationWarning;
+import ee.openeid.siva.validation.document.report.Warning;
 import ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils;
 import ee.openeid.siva.validation.service.signature.policy.properties.ValidationPolicy;
 import ee.openeid.siva.validation.util.CertUtil;
+import ee.openeid.validation.service.timestamptoken.util.TimestampNotGrantedValidationUtils;
 import eu.europa.esig.dss.diagnostic.CertificateWrapper;
 import eu.europa.esig.dss.diagnostic.SignerDataWrapper;
 import eu.europa.esig.dss.diagnostic.TimestampWrapper;
@@ -46,7 +57,11 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.*;
+import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.WARNING_MSG_DATAFILE_NOT_COVERED_BY_TS;
+import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.createReportPolicy;
+import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.emptyWhenNull;
+import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.getDateFormatterWithGMTZone;
+import static ee.openeid.siva.validation.document.report.builder.ReportBuilderUtils.getValidationTime;
 
 public class TimeStampTokenValidationReportBuilder {
 
@@ -92,6 +107,7 @@ private ValidationConclusion getValidationConclusion() {
         validationConclusion.setSignatureForm(ASICS_SIGNATURE_FORMAT);
         validationConclusion.setTimeStampTokens(generateTimeStampTokenData());
         validationConclusion.setValidatedDocument(ReportBuilderUtils.createValidatedDocument(isReportSignatureEnabled, validationDocument.getName(), validationDocument.getBytes()));
+        validationConclusion.setValidationWarnings(addValidationWarningsIfNotGrantedTimestampExists(validationConclusion.getTimeStampTokens()));
         return validationConclusion;
     }
 
@@ -134,6 +150,16 @@ private List<TimeStampTokenValidationData> generateTimeStampTokenData() {
         return timeStampTokenValidationDataList;
     }
 
+    private List<ValidationWarning> addValidationWarningsIfNotGrantedTimestampExists(List<TimeStampTokenValidationData> validationDataList) {
+        return validationDataList.stream()
+                .map(TimeStampTokenValidationData::getWarning)
+                .map(TimestampNotGrantedValidationUtils::getValidationWarningIfNotGrantedTimestampExists)
+                .filter(Objects::nonNull)
+                .findFirst()
+                .map(warning -> new ArrayList<>(List.of(warning)))
+                .orElse(null);
+    }
+
     private List<Scope> getTimestampScopes(TimestampWrapper ts) {
         return dssReports.getDiagnosticData().getTimestampById(ts.getId()).getTimestampScopes()
             .stream()

validation-services-parent/timestamptoken-validation-service/src/test/java/ee/openeid/validation/service/timestamptoken/BaseTimeStampTokenValidationServiceTest.java

@@ -0,0 +1,69 @@
+package ee.openeid.validation.service.timestamptoken;
+
+import ee.openeid.siva.validation.configuration.ReportConfigurationProperties;
+import ee.openeid.siva.validation.document.ValidationDocument;
+import ee.openeid.siva.validation.service.signature.policy.ConstraintLoadingSignaturePolicyService;
+import ee.openeid.tsl.TSLLoader;
+import ee.openeid.tsl.TSLRefresher;
+import ee.openeid.tsl.TSLValidationJobFactory;
+import ee.openeid.tsl.configuration.TSLLoaderConfiguration;
+import ee.openeid.validation.service.generic.configuration.GenericValidationServiceConfiguration;
+import ee.openeid.validation.service.timestamptoken.configuration.TimeStampTokenSignaturePolicyProperties;
+import eu.europa.esig.dss.service.http.proxy.ProxyConfig;
+import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
+import org.junit.jupiter.api.BeforeEach;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+
+@SpringBootTest(classes = {BaseTimeStampTokenValidationServiceTest.TestConfiguration.class})
+abstract class BaseTimeStampTokenValidationServiceTest {
+    TimeStampTokenValidationService validationService;
+    final TimeStampTokenSignaturePolicyProperties policyProperties = new TimeStampTokenSignaturePolicyProperties();
+
+    @Autowired
+    TrustedListsCertificateSource trustedListsCertificateSource;
+
+    @BeforeEach
+    void setUp() {
+        validationService = new TimeStampTokenValidationService();
+        policyProperties.initPolicySettings();
+        ConstraintLoadingSignaturePolicyService signaturePolicyService = new ConstraintLoadingSignaturePolicyService(policyProperties);
+        validationService.setSignaturePolicyService(signaturePolicyService);
+        validationService.setTrustedListsCertificateSource(trustedListsCertificateSource);
+        ReportConfigurationProperties reportConfigurationProperties = new ReportConfigurationProperties(true);
+        validationService.setReportConfigurationProperties(reportConfigurationProperties);
+    }
+
+    static ValidationDocument buildValidationDocument(String testFile) {
+        return TestUtils.buildValidationDocument(TestUtils.TEST_FILES_LOCATION, testFile);
+    }
+
+    @Import({
+            TSLLoaderConfiguration.class,
+            GenericValidationServiceConfiguration.class
+    })
+    public static class TestConfiguration {
+
+        @Bean
+        public ProxyConfig proxyConfig() {
+            return new ProxyConfig();
+        }
+
+        @Bean
+        public TSLLoader tslLoader() {
+            return new TSLLoader("testName");
+        }
+
+        @Bean
+        public TSLRefresher tslRefresher() {
+            return new TSLRefresher();
+        }
+
+        @Bean
+        public TSLValidationJobFactory tslValidationJobFactory() {
+            return new TSLValidationJobFactory();
+        }
+    }
+}

validation-services-parent/timestamptoken-validation-service/src/test/java/ee/openeid/validation/service/timestamptoken/TestUtils.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2024 Riigi Infosüsteemi Amet
+ *
+ * Licensed under the EUPL, Version 1.1 or – as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ *
+ * https://joinup.ec.europa.eu/software/page/eupl
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
+ * distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and limitations under the Licence.
+ */
+
+package ee.openeid.validation.service.timestamptoken;
+
+import ee.openeid.siva.validation.document.ValidationDocument;
+import ee.openeid.siva.validation.document.builder.DummyValidationDocumentBuilder;
+
+public class TestUtils {
+
+    public static final String TEST_FILES_LOCATION = "test-files/";
+    public static final String NOT_GRANTED_WARNING = "Found a timestamp token not related to granted status."
+            + " If not yet covered with a fresh timestamp token, this container might become invalid in the future.";
+    public static final String POE_TIME_MESSAGE_TEXT = "The certificate is not related to a granted status at time-stamp lowest POE time!";
+
+    public static ValidationDocument buildValidationDocument(String testFileLocation, String testFile) {
+        return DummyValidationDocumentBuilder
+                .aValidationDocument()
+                .withDocument(testFileLocation + testFile)
+                .withName(testFile)
+                .build();
+    }
+}