Hi. I'm using your library for signing and validating a signature of a PDF file. All works fine except for one case:
A PDF is signed by a certificate and I trust only this certificate and none of the CA or root certs in the chain. In PDFPKCS7.java you should use the method verifyCertificates as below. As you can see, I have added a cert.equals() after the cert.verify() within the for-loop over the keystore.
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Enumeration;
import java.util.GregorianCalendar;

public static Object[] verifyCertificates(Certificate certs[], KeyStore keystore,
        Collection crls, Calendar calendar) {
    if (calendar == null)
        calendar = new GregorianCalendar();
    ArrayList fails = new ArrayList();
    for (int k = 0; k < certs.length; ++k) {
        X509Certificate cert = (X509Certificate)certs[k];
        // Validity period and CRL check of the certificate itself
        String err = verifyCertificate(cert, crls, calendar);
        if (err != null)
            return new Object[]{cert, err};
        try {
            for (Enumeration aliases = keystore.aliases(); aliases.hasMoreElements();) {
                try {
                    String alias = (String)aliases.nextElement();
                    if (!keystore.isCertificateEntry(alias))
                        continue;
                    X509Certificate certStoreX509 = (X509Certificate)keystore.getCertificate(alias);
                    // A trusted entry that is itself expired or revoked anchors nothing
                    if (verifyCertificate(certStoreX509, crls, calendar) != null)
                        continue;
                    try {
                        // Original rule: cert was issued by a trusted certificate
                        // (a self-signed trusted entry also passes here with its own key)
                        cert.verify(certStoreX509.getPublicKey());
                        return null;
                    }
                    catch (Exception e) {
                    }
                    // Added rule: cert itself is a trusted entry in the keystore,
                    // i.e. a CA-issued certificate that is trusted directly
                    if (cert.equals(certStoreX509)) {
                        return null;
                    }
                    continue;
                }
                catch (Exception ex) {
                }
            }
        }
        catch (Exception e) {
        }
        // Not anchored in the keystore yet: the issuer must be elsewhere in the chain
        int j;
        for (j = 0; j < certs.length; ++j) {
            if (j == k)
                continue;
            X509Certificate certNext = (X509Certificate)certs[j];
            try {
                cert.verify(certNext.getPublicKey());
                break;
            }
            catch (Exception e) {
            }
        }
        if (j == certs.length)
            return new Object[]{cert, "Cannot be verified against the KeyStore or the certificate chain"};
    }
    return new Object[]{null, "Invalid state. Possible circular certificate chain"};
}
Best regards
--
Peter Knopp
------------------------
media transfer AG
Dolivostrasse 11
D-64293 Darmstadt
Germany
Phone : +49 6151 8193 23
Fax : +49 6151 8193 41
E-Mail: [EMAIL PROTECTED]
WWW : www.mtg.de
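The following is an added example, not code from the e-mail above and not iText's own code: a self-contained Python model of the patched verifyCertificates logic, so the "trust only the signer's certificate" case can be exercised next to the original chain-anchoring and the expiry/revocation failures. Real X.509 and Java KeyStore handling is replaced by dictionaries signed with textbook RSA over small primes generated inline, the names (CN=Root, CN=Issuing CA, CN=Signer, CN=Other Root), serial numbers, dates and the revoked set are all constructed for the demonstration, and the toy signature scheme is for illustration only (it assumes Python 3.8+ for pow(e, -1, phi)).

```python
"""Added example, not iText code: a Python model of PdfPKCS7.verifyCertificates with
the extra 'trusted leaf' rule from the e-mail above. Certificates are dicts signed with
textbook RSA over small constructed primes so that everything runs offline; names,
dates, serial numbers and the revoked set are constructed for the demonstration."""
import hashlib
from datetime import datetime, timedelta
from math import gcd, isqrt


def next_prime(n):
    """Smallest prime >= n by trial division (fine for the ~1e6 toy values used here)."""
    while any(n % i == 0 for i in range(2, isqrt(n) + 1)):
        n += 1
    return n


def make_keypair(p, q):
    """Textbook RSA from two primes; pub = (n, e), priv = (n, d). Toy only, never real use."""
    n, phi, e = p * q, (p - 1) * (q - 1), 3
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def tbs(cert):
    """The to-be-signed bytes: every field except the signature."""
    return repr([cert[f] for f in ("subject", "issuer", "serial", "pub",
                                   "not_before", "not_after")]).encode()


def make_cert(subject, issuer, serial, pub, not_before, not_after, issuer_priv):
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "pub": pub,
            "not_before": not_before, "not_after": not_after}
    n, d = issuer_priv
    cert["sig"] = pow(digest_int(tbs(cert), n), d, n)
    return cert


def signed_by(cert, signer_pub):
    """Equivalent of cert.verify(signer.getPublicKey()) not throwing."""
    n, e = signer_pub
    return pow(cert["sig"], e, n) == digest_int(tbs(cert), n)


def verify_certificate(cert, revoked, now):
    """Mirror of PdfPKCS7.verifyCertificate: validity dates and CRL; None means OK."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "Certificate outside its validity period"
    if (cert["issuer"], cert["serial"]) in revoked:
        return "Certificate revoked"
    return None


def verify_certificates(certs, trust_store, revoked, now):
    """Model of the patched verifyCertificates. Returns None when some certificate of
    the (leaf-first) chain is anchored in the trust store, else (failing_cert, reason)."""
    for k, cert in enumerate(certs):
        err = verify_certificate(cert, revoked, now)
        if err is not None:
            return cert, err
        for trusted in trust_store:
            if verify_certificate(trusted, revoked, now) is not None:
                continue            # an expired/revoked trusted entry anchors nothing
            if signed_by(cert, trusted["pub"]):
                return None         # original rule: issued by a trusted certificate
            if cert == trusted:
                return None         # added rule: the certificate itself is trusted
        # Not anchored yet: the chain itself must contain this certificate's issuer.
        if not any(j != k and signed_by(cert, c["pub"]) for j, c in enumerate(certs)):
            return cert, "Cannot be verified against the KeyStore or the certificate chain"
    return None, "Invalid state. Possible circular certificate chain"


def run_demo():
    """Constructed chain Signer -> Issuing CA -> Root, checked against several stores."""
    now, year = datetime(2024, 6, 1), timedelta(days=365)
    primes = []
    while len(primes) < 8:
        primes.append(next_prime((primes[-1] if primes else 1_000_000) + 1))
    keys = [make_keypair(primes[i], primes[i + 1]) for i in range(0, 8, 2)]
    (root_pub, root_priv), (ca_pub, ca_priv), (leaf_pub, _), (other_pub, other_priv) = keys
    root = make_cert("CN=Root", "CN=Root", 1, root_pub, now - 5 * year, now + 5 * year, root_priv)
    ca = make_cert("CN=Issuing CA", "CN=Root", 2, ca_pub, now - 2 * year, now + 3 * year, root_priv)
    leaf = make_cert("CN=Signer", "CN=Issuing CA", 3, leaf_pub, now - year, now + year, ca_priv)
    other = make_cert("CN=Other Root", "CN=Other Root", 1, other_pub, now - year, now + year, other_priv)
    chain = [leaf, ca, root]
    return {
        "anchored_at_root": verify_certificates(chain, [root], set(), now),
        "anchored_at_ca": verify_certificates(chain, [ca], set(), now),
        "pinned_leaf": verify_certificates(chain, [leaf], set(), now),   # the new case
        "unrelated_root": verify_certificates(chain, [other], set(), now),
        "revoked_leaf": verify_certificates(chain, [root], {("CN=Issuing CA", 3)}, now),
        "expired_leaf": verify_certificates(chain, [leaf], set(), now + 2 * year),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", "trusted" if result is None else result[1])
```

The "pinned_leaf" case only succeeds because of the equality rule: the signer's certificate is CA-issued, so verifying it against its own public key fails, and without the added check the loop would walk the whole chain and finally fail on the root with "Cannot be verified against the KeyStore or the certificate chain", exactly as the "unrelated_root" case does.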