From commits-return-13630-archive-asf-public=cust-asf.ponee.io@pdfbox.apache.org Thu Nov 22 19:23:57 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id CBD6918067B for ; Thu, 22 Nov 2018 19:23:56 +0100 (CET) Received: (qmail 84242 invoked by uid 500); 22 Nov 2018 18:23:56 -0000 Mailing-List: contact commits-help@pdfbox.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@pdfbox.apache.org Delivered-To: mailing list commits@pdfbox.apache.org Received: (qmail 84232 invoked by uid 99); 22 Nov 2018 18:23:55 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Nov 2018 18:23:55 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 85FB03A008F for ; Thu, 22 Nov 2018 18:23:55 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1847200 - /pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Date: Thu, 22 Nov 2018 18:23:55 -0000 To: commits@pdfbox.apache.org 
From: tilman@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181122182355.85FB03A008F@svn01-us-west.apache.org> Author: tilman Date: Thu Nov 22 18:23:55 2018 New Revision: 1847200 URL: http://svn.apache.org/viewvc?rev=1847200&view=rev Log: PDFBOX-3017: consider id-pkix-ocsp-nocheck; add more TODOs Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?rev=1847200&r1=1847199&r2=1847200&view=diff ==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java (original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Thu Nov 22 18:23:55 2018
@@ -51,6 +51,7 @@ import org.apache.pdfbox.pdmodel.PDDocum
 import org.apache.pdfbox.pdmodel.PDDocumentCatalog;
 import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
 import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
+import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.cert.ocsp.OCSPException;
 import org.bouncycastle.cert.ocsp.OCSPResp;
@@ -376,10 +377,19 @@ public class AddValidationInformation
 OCSPResp ocspResp = ocspHelper.getResponseOcsp();
 BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResp.getResponseObject();
 certInformationHelper.addAllCertsFromHolders(basicResponse.getCerts());
-
- // mkl in https://stackoverflow.com/questions/30617875
- // "ocsp responses usually are signed by special certificates.
- // Often these certificates are marked to not require revocation checks but not always"
+ if (basicResponse.getCerts()[0].getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck) == null)
+ {
+ // mkl in https://stackoverflow.com/questions/30617875
+ // "ocsp responses usually are signed by special certificates.
+ // Often these certificates are marked to not require revocation checks but not always"
+ CertSignatureInformation ocspCertInfo = certInformationHelper.getOCSPCertInfo(basicResponse.getCerts()[0]);
+ addRevocationDataRecursive(ocspCertInfo);
+
+ //TODO
+ // 1) this must go into separate VRI
+ // 2) basicResponse.getCerts()[0] is not always the correct certificate
+ // see in OCSPHelper code with ResponderID
+ }
 CertSignatureInformation ocspCertInfo = certInformationHelper.getOCSPCertInfo(basicResponse.getCerts()[0]);
 addRevocationDataRecursive(ocspCertInfo);
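Review bot: The two unchanged lines after the new `if` block, `CertSignatureInformation ocspCertInfo = certInformationHelper.getOCSPCertInfo(basicResponse.getCerts()[0]);` and `addRevocationDataRecursive(ocspCertInfo);`, still run unconditionally, so the id-pkix-ocsp-nocheck test has no effect. Revocation data for the responder certificate is collected even when the extension is present, and collected twice when it is absent; deleting those two trailing lines leaves the call only inside the block. Separately, the condition indexes `basicResponse.getCerts()[0]` without a length check, and a response that embeds no certificates would presumably fail there with an array-index exception. A guard such as `X509CertificateHolder[] certs = basicResponse.getCerts();` followed by `if (certs.length > 0 && certs[0].getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck) == null)` would avoid that until the ResponderID-based lookup named in the TODO is in place. The enclosing method starts and ends outside the hunk.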