Posted to users@pdfbox.apache.org by Predrag Stojković <Pr...@comtrade.com> on 2019/11/05 12:29:01 UTC

Problem with AddValidationInformation.validateSignature

Hello,

I'm using Apache PDFBox to sign a PDF document, and to add validation information.
For that purpose I've used the examples provided in classes CreateSignature and AddValidationInformation.

Creating signature works fine, but there is an exception caught while adding validation information:

java.lang.ClassCastException: class org.bouncycastle.asn1.DLSequence cannot be cast to class org.bouncycastle.asn1.DERTaggedObject (org.bouncycastle.asn1.DLSequence and org.bouncycastle.asn1.DERTaggedObject are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @2fd1731c)
       at org.apache.pdfbox.examples.signature.validation.CertInformationHelper.getCrlUrlFromExtensionValue(CertInformationHelper.java:119)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:214)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:124)
       at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:96)
       at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:128)
       at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:104)

Version of Apache PDFBox is 2.0.17 and version of BouncyCastle is 1.60 as stated on dependencies page, but I have also tried with BouncyCastle 1.62 and 1.64 and the behavior is the same.

It seems that there is a problem in CertInformationHelper.getCrlUrlFromExtensionValue, in line derTagged = (DERTaggedObject) derTagged.getObject();

I'm not sure why there are two identical lines, and the resolution would probably be to include another check, if derTagged.getObject() instanceof DLSequence.
I’d appreciate a comment on this situation.

    /**
     * Gets the first CRL URL from given extension value. Structure has to be
     * built as in 4.2.1.14 CRL Distribution Points of RFC 2459.
     *
     * @param extensionValue to get the extension value from
     * @return first CRL- URL or null
     * @throws IOException when there is a problem with the extensionValue
     */
    protected static String getCrlUrlFromExtensionValue(byte[] extensionValue) throws IOException
    {
        ASN1Sequence asn1Seq = (ASN1Sequence) JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        Enumeration<?> objects = asn1Seq.getObjects();

        while (objects.hasMoreElements())
        {
            DLSequence obj = (DLSequence) objects.nextElement();

            DERTaggedObject derTagged = (DERTaggedObject) obj.getObjectAt(0);
            derTagged = (DERTaggedObject) derTagged.getObject();
            derTagged = (DERTaggedObject) derTagged.getObject();
            if (!(derTagged.getObject() instanceof DEROctetString))
            {
                // happens with SampleSignedPDFDocument.pdf
                continue;
            }
            DEROctetString uri = (DEROctetString) derTagged.getObject();
            String url = new String(uri.getOctets());
            // TODO Check for: DistributionPoint ::= SEQUENCE (see RFC 2459), multiples can be possible.

            // return first http(s)-Url for crl
            if (url.startsWith("http"))
            {
                return url;
            }
        }
        return null;
    }

Best regards,
Predrag

Re: Problem with AddValidationInformation.validateSignature

Posted by Tilman Hausherr <TH...@t-online.de>.
Am 05.11.2019 um 13:29 schrieb Predrag Stojković:
> Hello,
>
> I'm using Apache PDFBox to sign a PDF document, and to add validation information.
> For that purpose I've used the examples provided in classes CreateSignature and AddValidationInformation.
>
> Creating signature works fine, but there is an exception caught while adding validation information:
>
> java.lang.ClassCastException: class org.bouncycastle.asn1.DLSequence cannot be cast to class org.bouncycastle.asn1.DERTaggedObject (org.bouncycastle.asn1.DLSequence and org.bouncycastle.asn1.DERTaggedObject are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @2fd1731c)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationHelper.getCrlUrlFromExtensionValue(CertInformationHelper.java:119)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:214)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:124)
>         at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:96)
>         at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:128)
>         at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:104)
>
> Version of Apache PDFBox is 2.0.17 and version of BouncyCastle is 1.60 as stated on dependencies page, but I have also tried with BouncyCastle 1.62 and 1.64 and the behavior is the same.
>
> It seems that there is a problem in CertInformationHelper.getCrlUrlFromExtensionValue, in line derTagged = (DERTaggedObject) derTagged.getObject();
>
> I'm not sure why there are two identical lines, and the resolution would probably be to include another check, if derTagged.getObject() instanceof DLSequence.


That the line appears twice is correct (I once tried to delete the line and got in trouble; if you think about it, you'll understand that the result after the first line is not the same as the result after the second one). And you are correct in your resolution suggestion too. The right thing to do would have been a check before each cast. Our code is somewhat "optimistic" because it's meant to be your own PDFs, i.e. they should be perfect.

Can you share your PDF? I'm interested to see what's there.

Tilman



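Added example, not PDFBox or BouncyCastle code: the same extraction done with BouncyCastle's typed CRLDistPoint/DistributionPoint/GeneralNames classes, whose getInstance methods absorb the three tagged layers behind the two identical getObject() lines (distributionPoint [0], fullName [0], uniformResourceIdentifier [6]) and also the case where BouncyCastle's parser models a tagged object with several children, such as a fullName listing more than one GeneralName, as an implicitly tagged DLSequence rather than a nested tagged object, which is exactly where a fixed cast chain fails. The class name CrlUrlExtractor is hypothetical; the BouncyCastle API used exists in the 1.60 to 1.64 range the thread mentions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

/** Hypothetical helper (not PDFBox code): typed decoding of CRL Distribution Points. */
public final class CrlUrlExtractor {
    /**
     * @param extensionValue non-null raw value of X509Certificate.getExtensionValue("2.5.29.31"),
     *        i.e. the OCTET STRING wrapping the DER-encoded CRLDistributionPoints
     * @return all http(s) CRL URLs in encoding order; empty when the structure is malformed
     */
    public static List<String> getCrlUrls(byte[] extensionValue) throws IOException {
        List<String> urls = new ArrayList<>();
        // Same unwrapping of the outer OCTET STRING as the PDFBox example.
        ASN1Primitive value = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        CRLDistPoint crlDistPoint;
        try {
            // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint. A wrong
            // encoding fails here with IllegalArgumentException, not a ClassCastException.
            crlDistPoint = CRLDistPoint.getInstance(value);
        } catch (IllegalArgumentException e) {
            return urls; // fail closed: no URL means no CRL-based revocation data
        }
        for (DistributionPoint dp : crlDistPoint.getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            // distributionPoint [0] is OPTIONAL; only the fullName [0] choice carries GeneralNames.
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            // A fullName may hold several GeneralNames; iterate instead of taking element 0.
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    String url = DERIA5String.getInstance(gn.getName()).getString();
                    if (url.startsWith("http://") || url.startsWith("https://")) {
                        urls.add(url);
                    }
                }
            }
        }
        return urls;
    }
}
```

Returning every URL rather than the first one lets the caller fall back to a second distribution point when the first download fails, which is the "multiples can be possible" TODO in the quoted PDFBox code.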

