From commits-return-13613-archive-asf-public=cust-asf.ponee.io@pdfbox.apache.org Tue Nov 20 19:05:12 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 997B418064E for ; Tue, 20 Nov 2018 19:05:11 +0100 (CET) Received: (qmail 85230 invoked by uid 500); 20 Nov 2018 18:05:10 -0000 Mailing-List: contact commits-help@pdfbox.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@pdfbox.apache.org Delivered-To: mailing list commits@pdfbox.apache.org Received: (qmail 85221 invoked by uid 99); 20 Nov 2018 18:05:10 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Nov 2018 18:05:10 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 2B8893A061F for ; Tue, 20 Nov 2018 18:05:10 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1847044 - in /pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation: AddValidationInformation.java CertInformationCollector.java Date: Tue, 20 Nov 2018 18:05:10 -0000 To: commits@pdfbox.apache.org 
From: tilman@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181120180510.2B8893A061F@svn01-us-west.apache.org> Author: tilman Date: Tue Nov 20 18:05:09 2018 New Revision: 1847044 URL: http://svn.apache.org/viewvc?rev=1847044&view=rev Log: PDFBOX-3017: include possible revocation of OCSP response, as suggested by mkl Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?rev=1847044&r1=1847043&r2=1847044&view=diff ============================================================================== --- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java (original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Tue Nov 20 18:05:09 2018 @@ -264,7 +264,11 @@ public class AddValidationInformation isRevocationInfoFound = true; } - if (!isRevocationInfoFound) + if (certInfo.getOcspUrl() == null && certInfo.getCrlUrl() == null) + { + LOG.info("No revocation information for cert " + certInfo.getCertificate().getSubjectX500Principal()); + } + else if (!isRevocationInfoFound) { throw new IOException("Could not fetch Revocation Info for Cert: " + certInfo.getCertificate().getSubjectX500Principal()); 
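Review bot: The new first branch fires whenever both `getOcspUrl()` and `getCrlUrl()` return null regardless of `isRevocationInfoFound`, which the lines just above it can set to true; if that flag can become true without either URL being present, the INFO message "No revocation information for cert" is logged for a certificate whose revocation data was in fact added. Adding the flag to the condition, `if (!isRevocationInfoFound && certInfo.getOcspUrl() == null && certInfo.getCrlUrl() == null)`, keeps the log branch and the exception branch mutually consistent. A certificate that carries no revocation pointer at all is also the case a reader of the LTV output most wants to notice, so `LOG.warn` may suit it better than `LOG.info`. The enclosing method starts and ends outside the hunk.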
@@ -284,7 +288,7 @@ public class AddValidationInformation /** * Tries to fetch and add OCSP Data to its containers. - * + * * @param certInfo the certificate info, for it to check OCSP data. * @return true when the OCSP data has successfully been fetched and added * @throws IOException when Certificate is revoked. @@ -371,6 +375,12 @@ public class AddValidationInformation BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResp.getResponseObject(); certInformationHelper.addAllCertsFromHolders(basicResponse.getCerts()); + // mkl in https://stackoverflow.com/questions/30617875 + // "ocsp responses usually are signed by special certificates. + // Often these certificates are marked to not require revocation checks but not always" + CertSignatureInformation ocspCertInfo = certInformationHelper.getOCSPCertInfo(basicResponse.getCerts()[0]); + addRevocationDataRecursive(ocspCertInfo); + byte[] ocspData = ocspResp.getEncoded(); COSStream ocspStream = writeDataToStream(ocspData); Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java?rev=1847044&r1=1847043&r2=1847044&view=diff ============================================================================== --- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java (original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java Tue Nov 20 18:05:09 2018 
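Review bot: `basicResponse.getCerts()[0]` in the added block throws ArrayIndexOutOfBoundsException when the OCSP response carries no certificates; the certs field of BasicOCSPResponse is optional (RFC 6960), so a well-formed response from a responder whose certificate is expected to be known locally would abort the whole validation-info pass. The first element is also not guaranteed to be the responder's certificate; matching against `basicResponse.getResponderId()` would be the precise selection, but at minimum the array length needs a guard before the lookup. Whether a `CertificateProccessingException` thrown by `getOCSPCertInfo` is handled by the enclosing method cannot be seen here; that method starts and ends outside the hunk.
```java
            certInformationHelper.addAllCertsFromHolders(basicResponse.getCerts());

            // mkl in https://stackoverflow.com/questions/30617875
            // "ocsp responses usually are signed by special certificates.
            // Often these certificates are marked to not require revocation checks but not always"
            if (basicResponse.getCerts().length > 0)
            {
                CertSignatureInformation ocspCertInfo = certInformationHelper.getOCSPCertInfo(basicResponse.getCerts()[0]);
                addRevocationDataRecursive(ocspCertInfo);
            }
            else
            {
                LOG.info("OCSP response carries no responder certificate, skipping its revocation check");
            }
            // … unchanged: encode the response and write it to the COSStream …
```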
@@ -422,6 +422,31 @@ public class CertInformationCollector
     }
     /**
+     * Traverse the OCSP certificate.
+     *
+     * @param certHolder
+     * @return
+     * @throws CertificateProccessingException
+     */
+    CertSignatureInformation getOCSPCertInfo(X509CertificateHolder certHolder) throws CertificateProccessingException
+    {
+        try
+        {
+            CertSignatureInformation certSignatureInformation = new CertSignatureInformation();
+            traverseChain(certConverter.getCertificate(certHolder), certSignatureInformation, MAX_CERTIFICATE_CHAIN_DEPTH);
+            return certSignatureInformation;
+        }
+        catch (CertificateException ex)
+        {
+            throw new CertificateProccessingException(ex);
+        }
+        catch (IOException ex)
+        {
+            throw new CertificateProccessingException(ex);
+        }
+    }
+
+    /**
      * Get the map of all processed certificates until now.
      *
      * @return a map of serial numbers to certificates.
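Review bot: The Javadoc on the added `getOCSPCertInfo` has an empty `@param certHolder`, an empty `@return` and a bare `@throws`, and "Traverse the OCSP certificate." does not say what the method produces or that it trusts the caller to pass the responder's certificate. Suggested: `@param certHolder the certificate that signed an OCSP response; its chain is collected, not verified as the responder here`, `@return the collected signature information for that certificate and its issuers, up to MAX_CERTIFICATE_CHAIN_DEPTH`, `@throws CertificateProccessingException if the holder cannot be converted or the chain cannot be traversed`. The two catch blocks are identical and could be merged into one multi-catch if the branch's source level allows it.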