From commits-return-13628-archive-asf-public=cust-asf.ponee.io@pdfbox.apache.org Thu Nov 22 19:22:04 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id DBFF1180675 for ; Thu, 22 Nov 2018 19:22:03 +0100 (CET) Received: (qmail 81084 invoked by uid 500); 22 Nov 2018 18:22:03 -0000 Mailing-List: contact commits-help@pdfbox.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@pdfbox.apache.org Delivered-To: mailing list commits@pdfbox.apache.org Received: (qmail 81073 invoked by uid 99); 22 Nov 2018 18:22:03 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Nov 2018 18:22:03 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 716393A008F for ; Thu, 22 Nov 2018 18:22:02 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1847198 - /pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java Date: Thu, 22 Nov 2018 18:22:02 -0000 To: commits@pdfbox.apache.org 
From: tilman@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20181122182202.716393A008F@svn01-us-west.apache.org>
Author: tilman
Date: Thu Nov 22 18:22:02 2018
New Revision: 1847198
URL: http://svn.apache.org/viewvc?rev=1847198&view=rev
Log: PDFBOX-3017: get correct certificate from list in responder; add some TODOs
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1847198&r1=1847197&r2=1847198&view=diff
==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java Thu Nov 22 18:22:02 2018
@@ -38,7 +38,9 @@ import org.bouncycastle.asn1.DEROctetStr
 import org.bouncycastle.asn1.DLSequence;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
+import org.bouncycastle.asn1.ocsp.ResponderID;
 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
@@ -112,12 +114,60 @@ public class OcspHelper
 private void verifyOcspResponse(OCSPResp ocspResponse) throws OCSPException, RevokedCertificateException, IOException
 {
+ X509CertificateHolder ocspResponderCertificateHolder = null;
+
 verifyRespStatus(ocspResponse);
 BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
 if (basicResponse != null)
 {
- checkOcspSignature(basicResponse.getCerts()[0], basicResponse);
+ ResponderID responderID = basicResponse.getResponderId().toASN1Primitive();
+ // https://tools.ietf.org/html/rfc6960#section-4.2.2.3
+ // The basic response type contains:
+ // (...)
+ // either the name of the responder or a hash of the responder's
+ // public key as the ResponderID
+ X500Name name = responderID.getName();
+ if (name != null)
+ {
+ // The responder MAY include certificates in the certs field of
+ // BasicOCSPResponse that help the OCSP client verify the responder's
+ // signature.
+ X509CertificateHolder[] certHolders = basicResponse.getCerts();
+ for (X509CertificateHolder certHolder : certHolders)
+ {
+ if (name.equals(certHolder.getSubject()))
+ {
+ ocspResponderCertificateHolder = certHolder;
+ }
+ }
+ if (ocspResponderCertificateHolder == null)
+ {
+ //TODO search existing chain
+ throw new OCSPException("OCSP: certificate for responder " + name + " not found in response");
+ }
+ }
+ else
+ {
+ byte[] keyHash = responderID.getKeyHash();
+ //TODO
+ // KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+ // -- (i.e., the SHA-1 hash of the value of the
+ // -- BIT STRING subjectPublicKey [excluding
+ // -- the tag, length, and number of unused
+ // -- bits] in the responder's certificate)
+ throw new UnsupportedOperationException("search by key hash is not implemented yet");
+
+ // how BC calculates the HeyHash:
+ // see CertificateID.createCertID()
+ // digCalc is a SHA1DigestCalculator
+ // SubjectPublicKeyInfo info = issuerCert.getSubjectPublicKeyInfo();
+ // dgOut = digCalc.getOutputStream();
+ // dgOut.write(info.getPublicKeyData().getBytes());
+ // dgOut.close();
+ // ASN1OctetString issuerKeyHash = new DEROctetString(digCalc.getDigest());
+ }
+ checkOcspSignature(ocspResponderCertificateHolder, basicResponse);
 boolean nonceChecked = checkNonce(basicResponse);