You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/15 15:57:44 UTC
svn commit: r1843920 - in
/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature:
ShowSignature.java cert/CRLVerifier.java cert/CertificateVerifier.java
Author: tilman
Date: Mon Oct 15 15:57:44 2018
New Revision: 1843920
URL: http://svn.apache.org/viewvc?rev=1843920&view=rev
Log:
PDFBOX-3017: add class comment; use sign date when checking certificate against CRL
Modified:
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1843920&r1=1843919&r2=1843920&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Mon Oct 15 15:57:44 2018
@@ -70,7 +70,9 @@ import org.bouncycastle.util.Store;
import org.bouncycastle.util.StoreException;
/**
- * This will read a document from the filesystem, decrypt it and do something with the signature.
+ * This will get the signature(s) from the document, do some verifications and
+ * show the signature(s) and the certificates. This is a complex topic - the
+ * code here is an example and not a production-ready solution.
*
* @author Ben Litchfield
*/
@@ -272,6 +274,7 @@ public final class ShowSignature
System.out.println("certFromSignedData: " + certFromSignedData);
try
{
+ //TODO NPE risk
certFromSignedData.checkValidity(sig.getSignDate().getTime());
System.out.println("Certificate valid at signing time");
}
@@ -316,7 +319,9 @@ public final class ShowSignature
additionalCerts.add(certificate);
}
}
- CertificateVerifier.verifyCertificate(certFromSignedData, additionalCerts, true);
+ //TODO NPE risk (signDate parameter)
+ CertificateVerifier.verifyCertificate(certFromSignedData,
+ additionalCerts, true, sig.getSignDate().getTime());
}
}
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java?rev=1843920&r1=1843919&r2=1843920&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java Mon Oct 15 15:57:44 2018
@@ -27,8 +27,10 @@ import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Date;
import java.util.Hashtable;
import java.util.List;
@@ -71,9 +73,11 @@ public final class CRLVerifier
* the distribution points. Supports HTTP, HTTPS, FTP and LDAP based URLs.
*
* @param cert the certificate to be checked for revocation
+ * @param signDate the date when the signing took place
* @throws CertificateVerificationException if the certificate is revoked
*/
- public static void verifyCertificateCRLs(X509Certificate cert) throws CertificateVerificationException
+ public static void verifyCertificateCRLs(X509Certificate cert, Date signDate)
+ throws CertificateVerificationException
{
try
{
@@ -82,10 +86,17 @@ public final class CRLVerifier
{
LOG.info("Checking distribution point URL: " + crlDistributionPointsURL);
X509CRL crl = downloadCRL(crlDistributionPointsURL);
- if (crl.isRevoked(cert))
+ //TODO verify CRL, see wikipedia:
+ // "To validate a specific CRL prior to relying on it,
+ // the certificate of its corresponding CA is needed"
+ X509CRLEntry revokedCRLEntry = crl.getRevokedCertificate(cert);
+ if (revokedCRLEntry != null &&
+ revokedCRLEntry.getRevocationDate().compareTo(signDate) <= 0)
{
throw new CertificateVerificationException(
- "The certificate is revoked by CRL: " + crlDistributionPointsURL);
+ "The certificate was revoked by CRL " +
+ crlDistributionPointsURL + " on " +
+ revokedCRLEntry.getRevocationDate());
}
}
}
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java?rev=1843920&r1=1843919&r2=1843920&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java Mon Oct 15 15:57:44 2018
@@ -32,6 +32,7 @@ import java.security.cert.PKIXCertPathBu
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
+import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
@@ -66,6 +67,7 @@ public final class CertificateVerifier
* considered to be trusted root CA certificates. All the rest are
* considered to be intermediate CA certificates.
* @param verifySelfSignedCert true if a self-signed certificate is accepted, false if not.
+ * @param signDate the date when the signing took place
* @return the certification chain (if verification is successful)
* @throws CertificateVerificationException - if the certification is not
* successful (e.g. certification path cannot be built or some certificate
@@ -73,7 +75,8 @@ public final class CertificateVerifier
*/
public static PKIXCertPathBuilderResult verifyCertificate(
X509Certificate cert, Set<X509Certificate> additionalCerts,
- boolean verifySelfSignedCert) throws CertificateVerificationException
+ boolean verifySelfSignedCert, Date signDate)
+ throws CertificateVerificationException
{
try
{
@@ -106,7 +109,7 @@ public final class CertificateVerifier
// Check whether the certificate is revoked by the CRL
// given in its CRL distribution point extension
- CRLVerifier.verifyCertificateCRLs(cert);
+ CRLVerifier.verifyCertificateCRLs(cert, signDate);
// The chain is built and verified. Return it as a result
return verifiedCertChain;