Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/31 18:41:16 UTC
svn commit: r1845366 -
/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Author: tilman
Date: Wed Oct 31 18:41:16 2018
New Revision: 1845366
URL: http://svn.apache.org/viewvc?rev=1845366&view=rev
Log:
PDFBOX-3017: correct checking of embedded timestamp
Modified:
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1845366&r1=1845365&r2=1845366&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Wed Oct 31 18:41:16 2018
@@ -334,7 +334,8 @@ public final class ShowSignature
SigUtils.checkCertificateUsage(certFromSignedData);
if (signerInformation.getUnsignedAttributes() != null)
- {
+ {
+ // Embedded timestamp
AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
// https://stackoverflow.com/questions/1647759/how-to-validate-if-a-signed-jar-contains-a-timestamp
@@ -344,10 +345,16 @@ public final class ShowSignature
CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);
+ // tested with QV_RCA1_RCA3_CPCPS_V4_11.pdf
+ // https://www.quovadisglobal.com/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_11.ashx
+ // timeStampToken.getCertificates() only contained the local certificate and not
+ // the whole chain, so use the store of the main signature.
+ // (If this assumption is incorrect, then the code must be changed to merge
+ // both stores, or to pass a collection)
validateTimestampToken(timeStampToken);
- X509Certificate tstCert = (X509Certificate) timeStampToken.getCertificates().getMatches(null).iterator().next();
- verifyCertificateChain(timeStampToken.getCertificates(),
- tstCert,
+ X509CertificateHolder tstCertHolder = (X509CertificateHolder) timeStampToken.getCertificates().getMatches(null).iterator().next();
+ verifyCertificateChain(certificatesStore,
+ new JcaX509CertificateConverter().getCertificate(tstCertHolder),
timeStampToken.getTimeStampInfo().getGenTime());
}
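Review bot: The TSA certificate is still taken as the first element of `timeStampToken.getCertificates().getMatches(null)`, which is whichever certificate happens to come first in the token's store, not necessarily the one that signed the token. If a token embeds more than one certificate, the chain check can then run against a certificate unrelated to the timestamp signature. Select it by signer id instead, `timeStampToken.getCertificates().getMatches(timeStampToken.getSID())`, and throw a descriptive exception when the result is empty, so that `iterator().next()` does not fail with a bare NoSuchElementException. Both `certificatesStore` and the token's own store come from the document being verified, so they should serve only as a source of intermediates; the trust decision presumably rests on the anchors inside verifyCertificateChain, which is not visible here. The enclosing method starts and ends outside this hunk.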