From til...@apache.org
Subject svn commit: r1847393 - in /pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature: SigUtils.java cert/OcspHelper.java
Date Sun, 25 Nov 2018 07:45:29 GMT
Author: tilman
Date: Sun Nov 25 07:45:29 2018
New Revision: 1847393

URL: http://svn.apache.org/viewvc?rev=1847393&view=rev
Log:
PDFBOX-3017: check responder certificate key usage

Modified:
    pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java
    pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java

Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java?rev=1847393&r1=1847392&r2=1847393&view=diff
==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java
(original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java
Sun Nov 25 07:45:29 2018
@@ -193,6 +193,24 @@ public class SigUtils
     }
 
     /**
+     * Log if the certificate is not valid for responding.
+     *
+     * @param x509Certificate 
+     * @throws java.security.cert.CertificateParsingException 
+     */
+    public static void checkResponderCertificateUsage(X509Certificate x509Certificate)
+            throws CertificateParsingException
+    {
+        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
+        // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+        if (extendedKeyUsage != null &&
+            !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.toString()))
+        {
+            LOG.error("Certificate extended key usage does not include OCSP responding");
+        }
+    }
+
+    /**
      * Gets the last relevant signature in the document, i.e. the one with the highest offset.
      * 
      * @param document to get its last signature
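Review bot: checkResponderCertificateUsage only logs when id-kp-OCSPSigning is absent, so the caller cannot act on the outcome, and a certificate carrying no extended-key-usage extension at all passes silently — which is correct only when the responder is the CA that issued the certificate (RFC 6960 section 4.2.2.2), a case this method cannot distinguish on its own. Consider returning the result, `public static boolean checkResponderCertificateUsage(X509Certificate x509Certificate)` with `return false;` in the error branch and `return true;` otherwise, so OcspHelper can decide whether to reject the response. The Javadoc's @param and @throws are empty; fill them in, e.g. `@param x509Certificate the OCSP responder certificate to check` and `@throws CertificateParsingException if the extended key usage extension cannot be decoded`. The RFC 5280 link in the comment explains the extension format but not the responder-authorization rule; a sentence in the Javadoc stating that absence of the extension is tolerated because the responder may be the issuing CA would make the intended semantics explicit.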

Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1847393&r1=1847392&r2=1847393&view=diff
==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
(original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
Sun Nov 25 07:45:29 2018
@@ -27,6 +27,7 @@ import java.security.NoSuchAlgorithmExce
 import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.Calendar;
 import java.util.Date;
@@ -35,6 +36,7 @@ import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.pdfbox.examples.signature.SigUtils;
 import org.apache.pdfbox.io.IOUtils;
 import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
 import org.bouncycastle.asn1.DEROctetString;
@@ -183,7 +185,15 @@ public class OcspHelper
                 throw new OCSPException("OCSP: certificate for responder " + name + " not
found");
             }
 
-            //TODO verify that ExtendedKeyUsage usage contains OCSPSigning
+            try
+            {
+                SigUtils.checkResponderCertificateUsage(ocspResponderCertificate);
+            }
+            catch (CertificateParsingException ex)
+            {
+                // unlikely to happen because the certificate existed as an object
+                LOG.error(ex, ex);
+            }
             checkOcspSignature(ocspResponderCertificate, basicResponse);
 
             boolean nonceChecked = checkNonce(basicResponse);
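Review bot: The new catch block logs the CertificateParsingException and then falls through to checkOcspSignature, so a responder certificate whose extended key usage cannot be decoded is still used to validate the response, while the branch just above throws OCSPException when the responder certificate is not found. For consistency with that path, raise instead of continuing: `throw new OCSPException("OCSP: extended key usage of responder certificate could not be parsed", ex);`. Separately, `LOG.error(ex, ex)` passes the exception object as the message; `LOG.error("OCSP: could not parse responder certificate extended key usage", ex)` reads better if the log is kept. Note that SigUtils.checkResponderCertificateUsage itself only logs, so a successful call here still does not reject a responder lacking id-kp-OCSPSigning. The enclosing method starts and ends outside this hunk.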
@@ -253,7 +263,6 @@ public class OcspHelper
                 X500Name certSubjectName = new X500Name(cert.getSubjectX500Principal().getName());
                 if (certSubjectName.equals(name))
                 {
-                    
                     ocspResponderCertificate = cert;
                     break;
                 }


