Prepare support for multiple signing engines (#420)

Author: kwart

design-doc/3.1-signing-engines.md

@@ -30,6 +30,16 @@ runtime.
   `bin\jsignpdf.cmd` launchers (and `com.intoolswetrust.jsignpdf.Bootstrap`
   for runtime checks + JavaFX classifier selection) instead.
 - **`jsignpdf-3.1.0-SHA256SUMS.txt`** covers every release artifact.
+- **Pluggable signing engines (phase 1).** The signing backend is now
+  selectable. JSignPdf ships the **OpenPDF** engine as the default, and
+  its output is byte-for-byte identical to previous releases, so nothing
+  changes by default. New `--list-engines` and `-eng` / `--engine` CLI
+  options, plus an *Engine* selector in the JavaFX toolbar, let you pick
+  the engine; the choice is stored in `advanced.properties`
+  (`engine=openpdf`). Engines are discovered via `ServiceLoader` from
+  `lib/`, so third-party engines can be dropped in. Additional engines
+  (PDFBox, EU DSS / PAdES) are planned for a follow-up. See
+  `design-doc/3.1-signing-engines.md`.
 
 ## Notes
 

distribution/doc/release-notes/3.1.0.md

@@ -218,6 +218,17 @@
             <artifactId>jsignpdf</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <!--
+          Bundled signing engines. The main jsignpdf jar compile-depends only on the engine API;
+          the concrete engine implementations are pulled in here (runtime) so their jars land in
+          lib/ and are discovered via ServiceLoader. Additional engines (PDFBox, DSS) are added
+          here in phase 2.
+        -->
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>jsignpdf-engine-openpdf</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>installcert</artifactId>

distribution/pom.xml

@@ -0,0 +1,44 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>jsignpdf-engine-api</artifactId>
+    <packaging>jar</packaging>
+    <name>${project.artifactId}</name>
+    <description>JSignPdf signing-engine SPI and shared signing model</description>
+
+    <parent>
+        <groupId>com.github.kwart.jsign</groupId>
+        <artifactId>jsignpdf-root</artifactId>
+        <version>3.1.0-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+
+    <!--
+      The engine API is the backend-neutral core: the SPI (SigningEngine / Capability / EngineConfig),
+      the shared signing model (BasicSignerOptions, types, listeners) and the configuration / keystore
+      utilities every engine relies on. It deliberately depends ONLY on BouncyCastle + commons (and
+      the PKCS#11 helper); it must never depend on a signing backend (OpenPDF / PDFBox / DSS).
+    -->
+    <dependencies>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.github.kwart.jsign</groupId>
+            <artifactId>jsign-pkcs11</artifactId>
+        </dependency>
+    </dependencies>
+</project>

engines/api/pom.xml

@@ -16,7 +16,6 @@
 import net.sf.jsignpdf.utils.PropertyProvider;
 import net.sf.jsignpdf.utils.PropertyStoreFactory;
 
-import org.apache.commons.cli.ParseException;
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.crypto.CryptoException;
 
@@ -103,6 +102,11 @@ public class BasicSignerOptions {
 
     private String[] cmdLine;
 
+    // Signing engine id. Transient per-invocation override (set by the CLI --engine flag); not
+    // persisted in config.properties. When null, the dispatcher falls back to the engine selected in
+    // advanced.properties (see AppConfig#defaultEngineId()).
+    private String engine;
+
     /**
      * Loads options from PropertyProvider
      */
@@ -1221,6 +1225,20 @@ public Proxy createProxy() {
         return tmpResult;
     }
 
+    /**
+     * @return the signing-engine id override (CLI {@code --engine}), or {@code null} when unset
+     */
+    public String getEngine() {
+        return engine;
+    }
+
+    /**
+     * @param engine the signing-engine id override to set (CLI {@code --engine})
+     */
+    public void setEngine(final String engine) {
+        this.engine = engine;
+    }
+
     protected String[] getCmdLine() {
         return cmdLine;
     }
@@ -1297,6 +1315,7 @@ public BasicSignerOptions createCopy() {
         copy.setProxyType(getProxyType());
         copy.setProxyHost(getProxyHost());
         copy.setProxyPort(getProxyPort());
+        copy.setEngine(getEngine());
         return copy;
     }
 

…/net/sf/jsignpdf/BasicSignerOptions.java …/net/sf/jsignpdf/BasicSignerOptions.javajsignpdf/src/main/java/net/sf/jsignpdf/BasicSignerOptions.java renamed to engines/api/src/main/java/net/sf/jsignpdf/BasicSignerOptions.java jsignpdf/src/main/java/net/sf/jsignpdf/BasicSignerOptions.java renamed to engines/api/src/main/java/net/sf/jsignpdf/BasicSignerOptions.java

@@ -246,6 +246,12 @@ public class Constants {
     public static final String ARG_LIST_KEYS = "lk";
     public static final String ARG_LIST_KEYS_LONG = "list-keys";
 
+    public static final String ARG_ENGINE = "eng";
+    public static final String ARG_ENGINE_LONG = "engine";
+
+    public static final String ARG_LIST_ENGINES = "le";
+    public static final String ARG_LIST_ENGINES_LONG = "list-engines";
+
     public static final String ARG_KS_TYPE_LONG = "keystore-type";
     public static final String ARG_KS_TYPE = "kst";
 

…main/java/net/sf/jsignpdf/Constants.java …main/java/net/sf/jsignpdf/Constants.javajsignpdf/src/main/java/net/sf/jsignpdf/Constants.java renamed to engines/api/src/main/java/net/sf/jsignpdf/Constants.java jsignpdf/src/main/java/net/sf/jsignpdf/Constants.java renamed to engines/api/src/main/java/net/sf/jsignpdf/Constants.java

@@ -0,0 +1,44 @@
+package net.sf.jsignpdf.engine;
+
+import net.sf.jsignpdf.utils.AdvancedConfig;
+
+/**
+ * {@link EngineConfig} backed by {@link AdvancedConfig}, resolving engine-relative keys under a fixed
+ * {@code engine.<id>.} prefix.
+ *
+ * @author Josef Cacek
+ */
+public final class AdvancedEngineConfig implements EngineConfig {
+
+    private final AdvancedConfig cfg;
+    private final String prefix;
+
+    /**
+     * @param cfg the backing advanced configuration
+     * @param prefix the {@code engine.<id>.} key prefix (including the trailing dot)
+     */
+    public AdvancedEngineConfig(AdvancedConfig cfg, String prefix) {
+        this.cfg = cfg;
+        this.prefix = prefix;
+    }
+
+    @Override
+    public String getString(String key) {
+        return cfg.getProperty(prefix + key);
+    }
+
+    @Override
+    public String getString(String key, String fallback) {
+        return cfg.getProperty(prefix + key, fallback);
+    }
+
+    @Override
+    public boolean getBoolean(String key, boolean fallback) {
+        return cfg.getAsBool(prefix + key, fallback);
+    }
+
+    @Override
+    public int getInt(String key, int fallback) {
+        return cfg.getAsInt(prefix + key, fallback);
+    }
+}