pdfbox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From til...@apache.org
Subject svn commit: r1847304 - /pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
Date Fri, 23 Nov 2018 18:28:48 GMT
Author: tilman
Date: Fri Nov 23 18:28:48 2018
New Revision: 1847304

URL: http://svn.apache.org/viewvc?rev=1847304&view=rev
Log:
PDFBOX-3017: don't fail validation because of policy qualifiers

Modified:
    pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java

Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java?rev=1847304&r1=1847303&r2=1847304&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
(original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
Fri Nov 23 18:28:48 2018
@@ -243,6 +243,17 @@ public final class CertificateVerifier
         // Disable CRL checks (this is done manually as additional step)
         pkixParams.setRevocationEnabled(false);
 
+        // not doing this brings
+        // "SunCertPathBuilderException: unable to find valid certification path to requested
target"
+        // (when using -Djava.security.debug=certpath: "critical policy qualifiers present
in certificate")
+        // for files like 021496.pdf that have the "Adobe CDS Certificate Policy" 1.2.840.113583.1.2.1
+        // CDS = "Certified Document Services"
+        // https://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf
+        pkixParams.setPolicyQualifiersRejected(false);
+        // However, maybe there is still work to do:
+        // "If the policyQualifiersRejected flag is set to false, it is up to the application
+        // to validate all policy qualifiers in this manner in order to be PKIX compliant."
+
         pkixParams.setDate(signDate);
 
         // Specify a list of intermediate certificates



Mime
View raw message