Author: tilman
Date: Fri Nov 30 18:19:10 2018
New Revision: 1847843
URL: http://svn.apache.org/viewvc?rev=1847843&view=rev
Log:
PDFBOX-3017: Check CRL issuer certificate if not identical to certificate issuer
Modified:
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
Modified:
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
URL:
http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java?rev=1847843&r1=1847842&r2=1847843&view=diff
==============================================================================
---
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
(original)
+++
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CRLVerifier.java
Fri Nov 30 18:19:10 2018
@@ -23,7 +23,6 @@ import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
-import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
@@ -31,6 +30,7 @@ import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Calendar;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
@@ -89,6 +89,7 @@ public final class CRLVerifier
{
try
{
+ Date now = Calendar.getInstance().getTime();
Exception firstException = null;
List<String> crlDistributionPointsURLs =
getCrlDistributionPoints(cert);
for (String crlDistributionPointsURL : crlDistributionPointsURLs)
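Review bot: `Calendar.getInstance().getTime()` on the added line is an indirect way to write `new Date()`; `Date now = new Date();` reads more directly and would also make the new `java.util.Calendar` import unnecessary. Capturing the value once before the loop is fine, since every distribution point is then checked against the same instant. Further down in this method, `now` is passed to `CertificateVerifier.verifyCertificate` for the CRL issuer certificate while `checkRevocation` receives `signDate`; if that difference is intentional (CRL issuer validated as of retrieval, signer certificate as of signing), a comment on this line such as `// CRL issuer cert is validated at the current time; the signer cert uses signDate` would spare the next reader the question, and if it is not, `signDate` may be the value to use. The enclosing method begins before this hunk.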
@@ -113,23 +114,34 @@ public final class CRLVerifier
// Verify CRL, see wikipedia:
// "To validate a specific CRL prior to relying on it,
// the certificate of its corresponding CA is needed"
- PublicKey issuerKey = null;
+ X509Certificate crlIssuerCert = null;
for (X509Certificate additionalCert : additionalCerts)
{
- if (crl.getIssuerX500Principal().equals(
- additionalCert.getSubjectX500Principal()))
+ if
(crl.getIssuerX500Principal().equals(additionalCert.getSubjectX500Principal()))
{
- issuerKey = additionalCert.getPublicKey();
+ crlIssuerCert = additionalCert;
+ break;
}
}
- if (issuerKey == null)
+ if (crlIssuerCert == null)
{
throw new CertificateVerificationException(
"Certificate for " + crl.getIssuerX500Principal() +
"not found in certificate chain, so the CRL at " +
crlDistributionPointsURL + " could not be
verified");
}
- crl.verify(issuerKey,
SecurityProvider.getProvider().getName());
+ crl.verify(crlIssuerCert.getPublicKey(),
SecurityProvider.getProvider().getName());
+
+ if
(!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
+ {
+ LOG.info("CRL issuer certificate is not identical to cert
issuer, check needed");
+ CertificateVerifier.verifyCertificate(crlIssuerCert,
additionalCerts, true, now);
+ LOG.info("CRL issuer certificate checked successfully");
+ }
+ else
+ {
+ LOG.info("CRL issuer certificate is identical to cert
issuer, no extra check needed");
+ }
checkRevocation(crl, cert, signDate, crlDistributionPointsURL);