Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/16 18:23:08 UTC
svn commit: r1844038 -
/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Author: tilman
Date: Tue Oct 16 18:23:08 2018
New Revision: 1844038
URL: http://svn.apache.org/viewvc?rev=1844038&view=rev
Log:
PDFBOX-3017: validate TimeStampToken
Modified:
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1844038&r1=1844037&r2=1844038&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Tue Oct 16 18:23:08 2018
@@ -54,6 +54,10 @@ import org.apache.pdfbox.pdmodel.PDDocum
import org.apache.pdfbox.pdmodel.PDDocumentCatalog;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.apache.pdfbox.util.Hex;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.cms.Attribute;
+import org.bouncycastle.asn1.cms.AttributeTable;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
@@ -61,6 +65,7 @@ import org.bouncycastle.cms.CMSProcessab
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.tsp.TSPException;
@@ -256,7 +261,7 @@ public final class ShowSignature
*/
private void verifyPKCS7(byte[] byteArray, COSString contents, PDSignature sig)
throws CMSException, StoreException, OperatorCreationException,
- CertificateVerificationException, GeneralSecurityException
+ CertificateVerificationException, GeneralSecurityException, TSPException, IOException
{
// inspiration:
// http://stackoverflow.com/a/26702631/535646
@@ -272,6 +277,28 @@ public final class ShowSignature
X509CertificateHolder certificateHolder = matches.iterator().next();
X509Certificate certFromSignedData = new JcaX509CertificateConverter().getCertificate(certificateHolder);
System.out.println("certFromSignedData: " + certFromSignedData);
+
+ if (signerInformation.getUnsignedAttributes() != null)
+ {
+ AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
+
+ // https://stackoverflow.com/questions/1647759/how-to-validate-if-a-signed-jar-contains-a-timestamp
+ Attribute attribute = unsignedAttributes.get(
+ PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
+ ASN1Object obj = (ASN1Object) attribute.getAttrValues().getObjectAt(0);
+ CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
+ TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);
+
+ // https://stackoverflow.com/questions/42114742/
+ Collection<X509CertificateHolder> tstMatches =
+ timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
+ X509CertificateHolder holder = tstMatches.iterator().next();
+ X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
+ SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().build(tstCert);
+ timeStampToken.validate(siv);
+ System.out.println("TimeStampToken validated");
+ }
+
try
{
//TODO NPE risk
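Review bot: `timeStampToken.validate(siv)` near the end of the added block checks the token only against the certificate carried inside that same token, and nothing in the visible lines compares the token's message imprint with this signer's signature value, so "TimeStampToken validated" can be printed for a token issued over different data or by a TSA nobody trusts. I would add an imprint comparison over `signerInformation.getSignature()` (sketched below). I would also either put `tstCert` through the same chain verification the signing certificate gets, if the file has one, or reword the message as a self-consistency check. Separately, `unsignedAttributes.get(...)` returns null when unsigned attributes exist without a timestamp token, and `tstMatches.iterator().next()` throws on an empty match, so both need a guard. verifyPKCS7 starts before this hunk and continues past it.

```java
Attribute attribute = unsignedAttributes.get(
        PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
if (attribute != null)
{
    // … unchanged: decode timeStampToken, pick tstCert, timeStampToken.validate(siv) …

    // Bind the token to this signature: per RFC 3161 usage in CMS, the imprint
    // must be the digest of the signer's signature value.
    String imprintAlg =
            timeStampToken.getTimeStampInfo().getMessageImprintAlgOID().getId();
    byte[] expectedImprint =
            MessageDigest.getInstance(imprintAlg).digest(signerInformation.getSignature());
    if (!MessageDigest.isEqual(expectedImprint,
            timeStampToken.getTimeStampInfo().getMessageImprintDigest()))
    {
        throw new IOException("TimeStampToken imprint does not match the signature value");
    }
    // … unchanged: success message …
}
```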