Posted to commits@pdfbox.apache.org by ti...@apache.org on 2018/10/29 17:46:24 UTC
svn commit: r1845153 -
/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Author: tilman
Date: Mon Oct 29 17:46:24 2018
New Revision: 1845153
URL: http://svn.apache.org/viewvc?rev=1845153&view=rev
Log:
PDFBOX-3017: check isolated timestamp signature
Modified:
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1845153&r1=1845152&r2=1845153&view=diff
==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Mon Oct 29 17:46:24 2018
@@ -34,6 +34,7 @@ import java.security.cert.CertificateFac
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
+import java.util.Arrays;
import java.util.Collection;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
@@ -221,6 +222,7 @@ public final class ShowSignature
}
else if (subFilter.equals("ETSI.RFC3161"))
{
+ // e.g. PDFBOX-1848, file_timestamped.pdf
TimeStampToken timeStampToken = new TimeStampToken(new CMSSignedData(contents.getBytes()));
System.out.println("Time stamp gen time: " + timeStampToken.getTimeStampInfo().getGenTime());
System.out.println("Time stamp tsa name: " + timeStampToken.getTimeStampInfo().getTsa().getName());
@@ -230,7 +232,30 @@ public final class ShowSignature
Collection<? extends Certificate> certs = factory.generateCertificates(certStream);
System.out.println("certs=" + certs);
- //TODO verify signature
+ String hashAlgorithm = timeStampToken.getTimeStampInfo().getMessageImprintAlgOID().getId();
+ // compare the hash of the signed content with the hash in
+ // the timestamp
+ if (Arrays.equals(MessageDigest.getInstance(hashAlgorithm).digest(buf),
+ timeStampToken.getTimeStampInfo().getMessageImprintDigest()))
+ {
+ System.out.println("ETSI.RFC3161 timestamp signature verified");
+ }
+ else
+ {
+ System.err.println("ETSI.RFC3161 timestamp signature verification failed");
+ }
+
+ // https://stackoverflow.com/questions/42114742/
+ Collection<X509CertificateHolder> tstMatches
+ = timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
+ X509CertificateHolder holder = tstMatches.iterator().next();
+ X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
+ SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tstCert);
+ timeStampToken.validate(siv);
+ System.out.println("TimeStampToken validated");
+
+ //TODO check certificate chain, revocation lists, etc
+ // verifyPKCS7(hash, contents, sig) does not work
}
else
{
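Review bot: `tstMatches.iterator().next()` on the line after the getMatches call throws NoSuchElementException when the token carries no certificate matching its SID, which aborts the whole listing instead of reporting the missing certificate; guard it with `if (tstMatches.isEmpty()) { System.err.println("No certificate in timestamp token matches its SID"); }` before dereferencing. Because tstCert is taken from the token itself, `timeStampToken.validate(siv)` only shows that the token is internally consistent, not that the TSA certificate chains to a trusted anchor — the TODO two lines below acknowledges this, but the success message overstates the result and should read `System.out.println("TimeStampToken validated (signature only; certificate chain not checked)");`. The imprint comparison presumably hashes the signed byte range held in `buf`, which is declared outside the hunk, so that assumption is worth confirming. The enclosing method continues outside the hunk.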