Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/31 18:41:16 UTC

svn commit: r1845366 - /pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java

Author: tilman
Date: Wed Oct 31 18:41:16 2018
New Revision: 1845366

URL: http://svn.apache.org/viewvc?rev=1845366&view=rev
Log:
PDFBOX-3017: correct checking of embedded timestamp

Modified:
    pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java

Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1845366&r1=1845365&r2=1845366&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Wed Oct 31 18:41:16 2018
@@ -334,7 +334,8 @@ public final class ShowSignature
         SigUtils.checkCertificateUsage(certFromSignedData);
         
         if (signerInformation.getUnsignedAttributes() != null)
-        {            
+        {
+            // Embedded timestamp
             AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
 
             // https://stackoverflow.com/questions/1647759/how-to-validate-if-a-signed-jar-contains-a-timestamp
@@ -344,10 +345,16 @@ public final class ShowSignature
             CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
             TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);
 
+            // tested with QV_RCA1_RCA3_CPCPS_V4_11.pdf
+            // https://www.quovadisglobal.com/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_11.ashx
+            // timeStampToken.getCertificates() only contained the local certificate and not
+            // the whole chain, so use the store of the main signature.
+            // (If this assumption is incorrect, then the code must be changed to merge
+            // both stores, or to pass a collection)
             validateTimestampToken(timeStampToken);
-            X509Certificate tstCert = (X509Certificate) timeStampToken.getCertificates().getMatches(null).iterator().next();
-            verifyCertificateChain(timeStampToken.getCertificates(),
-                    tstCert,
+            X509CertificateHolder tstCertHolder = (X509CertificateHolder) timeStampToken.getCertificates().getMatches(null).iterator().next();
+            verifyCertificateChain(certificatesStore,
+                    new JcaX509CertificateConverter().getCertificate(tstCertHolder),
                     timeStampToken.getTimeStampInfo().getGenTime());
         }
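Review bot: The certificate handed to verifyCertificateChain is just the first entry returned by `getMatches(null)`, so nothing in this hunk ties it to the certificate that actually signed the timestamp token. A token that carries several certificates could have the wrong one chain-checked, and a token with no embedded certificate makes `iterator().next()` throw NoSuchElementException. Selecting by signer id, `timeStampToken.getCertificates().getMatches(timeStampToken.getSID())`, followed by an explicit empty check with a clear error, would cover both cases; validateTimestampToken is not visible here and may already do this lookup, in which case its result could be reused. Chain building now depends on certificatesStore from the main signature, so a TSA certificate issued under a different CA will presumably fail to build a path, as the added comment concedes. The enclosing method starts and ends outside the hunk.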