Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/29 18:00:19 UTC

svn commit: r1845155 - /pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java

Author: tilman
Date: Mon Oct 29 18:00:19 2018
New Revision: 1845155

URL: http://svn.apache.org/viewvc?rev=1845155&view=rev
Log:
PDFBOX-3017: refactor TimestampToken validation

Modified:
    pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java

Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1845155&r1=1845154&r2=1845155&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Mon Oct 29 18:00:19 2018
@@ -27,6 +27,7 @@ import java.security.KeyStoreException;
 import java.security.MessageDigest;
 import java.security.Security;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateNotYetValidException;
@@ -243,14 +244,7 @@ public final class ShowSignature
                                     System.err.println("ETSI.RFC3161 timestamp signature verification failed");
                                 }
 
-                                // https://stackoverflow.com/questions/42114742/
-                                Collection<X509CertificateHolder> tstMatches
-                                        = timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
-                                X509CertificateHolder holder = tstMatches.iterator().next();
-                                X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
-                                SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tstCert);
-                                timeStampToken.validate(siv);
-                                System.out.println("TimeStampToken validated");
+                                validateTimestampToken(timeStampToken);
 
                                 //TODO check certificate chain, revocation lists, etc
                                 // verifyPKCS7(hash, contents, sig) does not work
@@ -321,14 +315,7 @@ public final class ShowSignature
             CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
             TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);
 
-            // https://stackoverflow.com/questions/42114742/
-            Collection<X509CertificateHolder> tstMatches =
-                    timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
-            X509CertificateHolder holder = tstMatches.iterator().next();
-            X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
-            SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tstCert);
-            timeStampToken.validate(siv);
-            System.out.println("TimeStampToken validated");
+            validateTimestampToken(timeStampToken);
         }
 
         try
@@ -421,6 +408,19 @@ public final class ShowSignature
         }
     }
 
+    private void validateTimestampToken(TimeStampToken timeStampToken)
+            throws TSPException, CertificateException, StoreException, OperatorCreationException, IOException
+    {
+        // https://stackoverflow.com/questions/42114742/
+        Collection<X509CertificateHolder> tstMatches =
+                timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
+        X509CertificateHolder holder = tstMatches.iterator().next();
+        X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
+        SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tstCert);
+        timeStampToken.validate(siv);
+        System.out.println("TimeStampToken validated");
+    }
+
     // for later use: get all root certificates. Will be used to check
     // whether we trust the root in the certificate chain.
     private Set<X509Certificate> getRootCertificates()
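Review bot: In the new `validateTimestampToken`, `tstMatches.iterator().next()` runs without checking that the token carries a certificate matching its signer ID, so a timestamp token with no embedded TSA certificate (which an untrusted PDF can supply) ends in an unchecked `NoSuchElementException` rather than a reported validation failure. A guard before that line, `if (tstMatches.isEmpty()) { throw new IOException("No certificate matching the timestamp token signer found in the token"); }`, keeps the failure inside the declared `throws` list. The method would also benefit from a comment such as `// validates the token only against the certificate embedded in the token itself; the TSA chain and revocation status are not checked here`, because the "TimeStampToken validated" output can be read as a trust decision. The TODO at the first call site suggests chain and revocation checking is still missing.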