From til...@apache.org
Subject svn commit: r1847950 - /pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
Date Sun, 02 Dec 2018 10:30:48 GMT
Author: tilman
Date: Sun Dec  2 10:30:48 2018
New Revision: 1847950

URL: http://svn.apache.org/viewvc?rev=1847950&view=rev
Log:
PDFBOX-3017: fallback solution for findResponderCertificateByKeyHash

Modified:
    pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java

Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1847950&r1=1847949&r2=1847950&view=diff
==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
(original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
Sun Dec  2 10:30:48 2018
@@ -228,6 +228,16 @@ public class OcspHelper
         }
     }
 
+    private byte[] getKeyHashFromCertHolder(X509CertificateHolder certHolder) throws IOException
+    {
+        SHA1DigestCalculator digCalc = new SHA1DigestCalculator();
+        SubjectPublicKeyInfo info = certHolder.getSubjectPublicKeyInfo();
+        OutputStream dgOut = digCalc.getOutputStream();
+        dgOut.write(info.getPublicKeyData().getBytes());
+        dgOut.close();
+        return digCalc.getDigest();
+    }
+
     private void findResponderCertificateByKeyHash(BasicOCSPResp basicResponse, byte[] keyHash)
             throws IOException
     {
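Review bot: getKeyHashFromCertHolder closes dgOut only on the success path; if the write throws, the digest stream is left open, so the write belongs in a try/finally: `OutputStream dgOut = digCalc.getOutputStream(); try { dgOut.write(info.getPublicKeyData().getBytes()); } finally { dgOut.close(); }`. The new method also has no Javadoc, and the use of SHA-1 deserves a line so a later reader does not "fix" it: `/** Computes the OCSP responder KeyHash of RFC 6960, i.e. the SHA-1 digest over the value octets of the subject public key BIT STRING (tag, length and unused-bits octet excluded); SHA-1 is prescribed by the protocol here, not chosen for strength. */`. The enclosing class OcspHelper continues outside the hunk.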
@@ -243,12 +253,7 @@ public class OcspHelper
         X509CertificateHolder[] certHolders = basicResponse.getCerts();
         for (X509CertificateHolder certHolder : certHolders)
         {
-            SHA1DigestCalculator digCalc = new SHA1DigestCalculator();
-            SubjectPublicKeyInfo info = certHolder.getSubjectPublicKeyInfo();
-            OutputStream dgOut = digCalc.getOutputStream();
-            dgOut.write(info.getPublicKeyData().getBytes());
-            dgOut.close();
-            byte[] digest = digCalc.getDigest();
+            byte[] digest = getKeyHashFromCertHolder(certHolder);
             if (Arrays.equals(keyHash, digest))
             {
                 try
@@ -263,6 +268,31 @@ public class OcspHelper
                 break;
             }
         }
+        if (ocspResponderCertificate == null)
+        {
+            // DO NOT use the certificate found in additionalCerts first. One file had a
+            // responder certificate in the PDF itself with SHA1withRSA algorithm, but
+            // the responder delivered a different (newer, more secure) certificate
+            // with SHA256withRSA (tried with QV_RCA1_RCA3_CPCPS_V4_11.pdf)
+            // https://www.quovadisglobal.com/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_11.ashx
+            for (X509Certificate cert : additionalCerts)
+            {
+                try
+                {
+                    byte[] digest = getKeyHashFromCertHolder(new X509CertificateHolder(cert.getEncoded()));
+                    if (Arrays.equals(keyHash, digest))
+                    {
+                        ocspResponderCertificate = cert;
+                        break;
+                    }
+                }
+                catch (CertificateException ex)
+                {
+                    // unlikely to happen because the certificate existed as an object
+                    LOG.error(ex, ex);
+                }
+            }
+        }
     }
 
     private void findResponderCertificateByName(BasicOCSPResp basicResponse, X500Name name)
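Review bot: The fallback picks a certificate from additionalCerts purely on equality of the SHA-1 key hash, so it identifies a public key, not a trustworthy signer; the response signature must still be verified against that key and the certificate's eligibility as an OCSP signer (issuer identity or id-kp-OCSPSigning) checked afterwards, and whether that happens is outside this hunk. If additionalCerts can be null the outer guard should read `if (ocspResponderCertificate == null && additionalCerts != null)`, which this hunk does not show. `LOG.error(ex, ex)` passes the exception as the message object; `LOG.error("Could not re-encode certificate from additionalCerts", ex)` gives a readable message while keeping the stack trace. findResponderCertificateByKeyHash starts outside this hunk.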


