CertificateVerifier.java

tilman Sun, 02 Dec 2018 04:55:42 -0800

Author: tilman
Date: Sun Dec  2 12:54:57 2018
New Revision: 1847996

URL: http://svn.apache.org/viewvc?rev=1847996&view=rev
Log:
PDFBOX-3017: download extra certificate at the correct place, remove method 
that is no longer needed


Modified:
    
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java

Modified: 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
URL: 
http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java?rev=1847996&r1=1847995&r2=1847996&view=diff
==============================================================================
--- 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
 (original)
+++ 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java
 Sun Dec  2 12:54:57 2018
@@ -30,7 +30,6 @@ import java.security.cert.CertPathBuilde
 import java.security.cert.CertPathBuilderException;
 import java.security.cert.CertStore;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CollectionCertStoreParameters;
@@ -65,8 +64,6 @@ import org.bouncycastle.cert.jcajce.JcaX
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.cert.ocsp.OCSPException;
 import org.bouncycastle.cert.ocsp.OCSPResp;
-import org.bouncycastle.util.CollectionStore;
-import org.bouncycastle.util.Store;
 
 /**
  * Copied from Apache CXF 2.4.9, initial version:
@@ -116,11 +113,19 @@ public final class CertificateVerifier
                 throw new CertificateVerificationException("The certificate is 
self-signed.");
             }
 
+            Set<X509Certificate> certSet = 
CertificateVerifier.downloadExtraCertificates(cert);
+            int downloadSize = certSet.size();
+            certSet.addAll(additionalCerts);
+            if (downloadSize > 0)
+            {
+                LOG.info("CA issuers: " + (certSet.size() - 
additionalCerts.size()) + " downloaded certificate(s) are new");
+            }
+
             // Prepare a set of trust anchors (set of root CA certificates)
             // and a set of intermediate certificates
             Set<X509Certificate> intermediateCerts = new 
HashSet<X509Certificate>();
             Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
-            for (X509Certificate additionalCert : additionalCerts)
+            for (X509Certificate additionalCert : certSet)
             {
                 if (isSelfSigned(additionalCert))
                 {
@@ -143,7 +148,7 @@ public final class CertificateVerifier
 
             LOG.info("Certification chain verified successfully");
 
-            checkRevocations(cert, additionalCerts, signDate);
+            checkRevocations(cert, certSet, signDate);
 
             return verifiedCertChain;
         }
@@ -253,44 +258,6 @@ public final class CertificateVerifier
     }
 
     /**
-     * Download extra certificates from the URI mentioned in id-ad-caIssuers 
in the "authority
-     * information access" extension. These are added to the store and the 
possibly updated store is
-     * returned. The method is lenient, i.e. catches all exceptions.
-     *
-     * @param ext an X509 object that can have extensions.
-     * @param certificatesStore
-     * @return the updated certificates store.
-     */
-    public static Store<X509CertificateHolder> addExtraCertificatesToStore(
-            X509Extension ext, Store<X509CertificateHolder> certificatesStore)
-    {
-        // use Set to get rid of duplicates 
-        Set<X509CertificateHolder> certHolderSet =
-                                new 
HashSet<X509CertificateHolder>(certificatesStore.getMatches(null));
-        int startSize = certHolderSet.size();
-        for (X509Certificate cert : downloadExtraCertificates(ext))
-        {
-            try
-            {
-                certHolderSet.add(new 
X509CertificateHolder(cert.getEncoded()));
-            }
-            catch (CertificateEncodingException ex)
-            {
-                // should not happen because the certificates already exist
-                LOG.warn(ex.getMessage(), ex);
-            }
-            catch (IOException ex)
-            {
-                // should not happen because the certificates already exist
-                LOG.warn(ex.getMessage(), ex);
-            }
-        }
-        int added = certHolderSet.size() - startSize;
-        LOG.info("CA issuers: Added " + added + " new certificate(s) to the 
store");
-        return new CollectionStore<X509CertificateHolder>(certHolderSet);
-    }
-
-    /**
      * Download extra certificates from the URI mentioned in id-ad-caIssuers 
in the "authority
      * information access" extension. The method is lenient, i.e. catches all 
exceptions.
      *

svn commit: r1847996 - /pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/CertificateVerifier.java

Reply via email to