pdfbox-commits mailing list archives

From til...@apache.org
Subject svn commit: r1846543 - in /pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation: AddValidationInformation.java CrlHelper.java
Date Tue, 13 Nov 2018 20:21:27 GMT
Author: tilman
Date: Tue Nov 13 20:21:27 2018
New Revision: 1846543

URL: http://svn.apache.org/viewvc?rev=1846543&view=rev
Log:
PDFBOX-4377: verify CRL with the certificate issuer public key

Modified:
    pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
    pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java

Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?rev=1846543&r1=1846542&r2=1846543&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
(original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
Tue Nov 13 20:21:27 2018
@@ -298,7 +298,7 @@ public class AddValidationInformation
         {
             addCrlRevocationInfo(certInfo);
         }
-        catch (CRLException | IOException | RevokedCertificateException e)
+        catch (GeneralSecurityException | IOException | RevokedCertificateException e)
         {
             LOG.warn("Failed fetching CRL", e);
             throw new IOException(e);
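Review bot: The warning text in this catch block, `LOG.warn("Failed fetching CRL", e);`, no longer matches what the block can catch. With `GeneralSecurityException` added, a CRL that downloaded fine but failed signature verification is logged as a fetch problem, and so is a `RevokedCertificateException`. Something like `LOG.warn("CRL could not be fetched, verified or the certificate is revoked", e);` would keep the log useful for triage. Wrapping all three into a plain `IOException` also leaves callers unable to tell "revoked" from "unreachable" without inspecting the cause, which is worth a comment here. The enclosing method starts and ends outside the hunk.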
@@ -344,10 +344,10 @@ public class AddValidationInformation
      * @throws RevokedCertificateException
      */
     private void addCrlRevocationInfo(CertSignatureInformation certInfo)
-            throws CRLException, IOException, RevokedCertificateException
+            throws IOException, RevokedCertificateException, GeneralSecurityException
     {
         byte[] crlData = CrlHelper.performCrlRequestAndCheck(certInfo.getCrlUrl(),
-                certInfo.getCertificate());
+                certInfo.getCertificate(), certInfo.getIssuerCertificate().getPublicKey());
         COSStream crlStream = writeDataToStream(crlData);
         crls.add(crlStream);
         if (correspondingCRLs != null)
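Review bot: The new argument `certInfo.getIssuerCertificate().getPublicKey()` dereferences the issuer certificate without a null check. If `getIssuerCertificate()` can return null (for example when the chain could not be completed; not visible in this hunk), this throws a `NullPointerException` instead of one of the declared exceptions. A guard such as `if (certInfo.getIssuerCertificate() == null) throw new IOException("No issuer certificate, CRL cannot be verified");` before the call would fail closed with a clear message. Separately, RFC 5280 lets a CRL be signed by a key other than the certificate issuer's (indirect CRLs, dedicated CRL-signing certificates). Such CRLs will now be rejected, so the method comment should say that only CRLs signed directly by the issuer are supported. The Javadoc above the signature still needs a `@throws GeneralSecurityException` line if it has none outside the hunk.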

Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java?rev=1846543&r1=1846542&r2=1846543&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
(original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
Tue Nov 13 20:21:27 2018
@@ -20,6 +20,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.PublicKey;
 import java.security.cert.CRLException;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
@@ -40,15 +42,17 @@ public final class CrlHelper
 
     /**
      * Performs the CRL-Request and checks if the given certificate has been revoked.
-     * 
+     *
      * @param crlUrl to get the CRL from
      * @param cert to be checked if it is inside the CRL
-     * @return CRL-Response; might be very big depending on the issuer. 
-     * @throws CRLException if an Error occurred getting the CRL, or parsing it.
+     * @param issuerKey public key of the issuer certificate to verify the CRL signature
+     * @return CRL-Response; might be very big depending on the issuer.
+     * @throws GeneralSecurityException if an error occurred getting the CRL, or parsing it, or
+     * verifying it.
      * @throws RevokedCertificateException
      */
-    public static byte[] performCrlRequestAndCheck(String crlUrl, X509Certificate cert)
-            throws CRLException, RevokedCertificateException
+    public static byte[] performCrlRequestAndCheck(String crlUrl, X509Certificate cert, PublicKey issuerKey)
+            throws RevokedCertificateException, GeneralSecurityException
     {
         try
         {
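Review bot: The updated Javadoc does not state the contract the new `issuerKey` parameter creates. The method only checks that the CRL was signed with this key; it does not establish that the key is trusted, so the `@param issuerKey` text should add "the caller must already have validated the issuer certificate". It would also help to say that the signature is checked before the revocation lookup, and to give `@throws RevokedCertificateException` a description such as `if the certificate is listed in the CRL`. Replacing `CRLException` with the broader `GeneralSecurityException` on a public static method changes the signature for existing callers, which is acceptable for example code but worth a line in the commit log. The method body continues outside the hunk.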
@@ -66,7 +70,9 @@ public final class CrlHelper
             try (InputStream is = con.getInputStream())
             {
                 crl = (X509CRL) certFac.engineGenerateCRL(is);
+                crl.verify(issuerKey);
             }
+            //TODO should be checked for signing time, see CRLVerifier.verifyCertificateCRLs
             if (crl.isRevoked(cert))
             {   
                 throw new RevokedCertificateException("The Certificate was found on the CRL and is revoked!");
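Review bot: `crl.verify(issuerKey)` proves only that the key signed this CRL, not that the CRL is current, and the TODO covers signing time but not the validity window. The CRL is fetched through `HttpURLConnection`, so an older, validly signed CRL issued before the revocation would pass the check and then be returned for embedding. After the verify call I would reject a CRL whose `getNextUpdate()` lies before the time being validated against, and extend the TODO to `//TODO check thisUpdate/nextUpdate against signing time, see CRLVerifier.verifyCertificateCRLs`. It is also cheap to confirm `crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())` so a CRL from the wrong issuer is reported as such rather than as a signature failure. The enclosing try block opens and closes outside the hunk, so how a verification failure is propagated cannot be judged from here.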


