Author: tilman Date: Sat Mar 10 16:22:51 2018 New Revision: 1826416 URL: http://svn.apache.org/viewvc?rev=1826416&view=rev Log: PDFBOX-3984: Add validation data of signer to document + check the signature of the OCSP-response, by Alexis Suter
Added: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java - copied, changed from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java - copied, changed from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java - copied, changed from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertificateProccessingException.java - copied unchanged from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertificateProccessingException.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java - copied unchanged from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java - copied, changed from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/RevokedCertificateException.java - copied unchanged from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/RevokedCertificateException.java Copied: 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java (from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java) URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?p2=pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java&p1=pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java&r1=1826404&r2=1826416&rev=1826416&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java (original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Sat Mar 10 16:22:51 2018 @@ -66,7 +66,7 @@ public class AddValidationInformation private COSArray crls; private COSArray certs; private PDDocument document; - private final Set<BigInteger> foundRevocationInformation = new HashSet<>(); + private final Set<BigInteger> foundRevocationInformation = new HashSet<BigInteger>(); /** * Signs the given PDF file. @@ -82,12 +82,12 @@ public class AddValidationInformation throw new FileNotFoundException("Document for signing does not exist"); } - try (PDDocument doc = PDDocument.load(inFile); - FileOutputStream fos = new FileOutputStream(outFile)) - { - document = doc; - doValidation(inFile.getAbsolutePath(), fos); - } + PDDocument doc = PDDocument.load(inFile); + FileOutputStream fos = new FileOutputStream(outFile); + document = doc; + doValidation(inFile.getAbsolutePath(), fos); + fos.close(); + doc.close(); } /** 
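Review bot: In the `@@ -82,12 +82,12 @@` hunk, `fos.close()` and `doc.close()` now run only when `doValidation` returns normally, so an exception leaves both the loaded `PDDocument` and the output stream open. The document also stays open if `new FileOutputStream(outFile)` throws. Dropping try-with-resources is presumably required by the branch's older source level, but the replacement should be try/finally rather than a trailing close. The same pattern recurs in the `@@ -393,10 +418,10 @@` hunk (`os.close()`), in CertInformationCollector's `@@ -319,17 +329,20 @@` hunk (`in.close()`) and in OcspHelper's `@@ -206,10 +206,9 @@` hunk (`out.close()`). The method starts above the hunk.

```java
PDDocument doc = PDDocument.load(inFile);
try
{
    FileOutputStream fos = new FileOutputStream(outFile);
    try
    {
        document = doc;
        doValidation(inFile.getAbsolutePath(), fos);
    }
    finally
    {
        // close errors on the output are not swallowed: a failed flush means a bad file
        fos.close();
    }
}
finally
{
    doc.close();
}
```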
@@ -172,7 +172,12 @@ public class AddValidationInformation { result = clazz.newInstance(); } - catch (InstantiationException | IllegalAccessException e) + catch (InstantiationException e) + { + LOG.error("Failed to create new instance of " + clazz.getCanonicalName(), e); + return null; + } + catch (IllegalAccessException e) { LOG.error("Failed to create new instance of " + clazz.getCanonicalName(), e); return null; @@ -276,7 +281,17 @@ public class AddValidationInformation addOcspData(certInfo); return true; } - catch (OCSPException | CertificateProccessingException | IOException e) + catch (OCSPException e) + { + LOG.warn("Failed fetching Ocsp", e); + return false; + } + catch (CertificateProccessingException e) + { + LOG.warn("Failed fetching Ocsp", e); + return false; + } + catch (IOException e) { LOG.warn("Failed fetching Ocsp", e); return false; @@ -299,7 +314,17 @@ public class AddValidationInformation { addCrlRevocationInfo(certInfo); } - catch (CRLException | IOException | RevokedCertificateException e) + catch (CRLException e) + { + LOG.warn("Failed fetching CRL", e); + throw new IOException(e); + } + catch (RevokedCertificateException e) + { + LOG.warn("Failed fetching CRL", e); + throw new IOException(e); + } + catch (IOException e) { LOG.warn("Failed fetching CRL", e); throw new IOException(e); 
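Review bot: In the `@@ -299,7 +314,17 @@` hunk the new `RevokedCertificateException` branch logs "Failed fetching CRL" and rethrows a plain `IOException`. A certificate that (going by the exception's name) was found revoked therefore looks like a download failure, both in the log and to the caller. Now that the branches are separate, the revoked case can say so, e.g. `LOG.warn("Certificate is revoked according to CRL", e);`. The `IOException` branch can `throw e;` instead of wrapping one IOException in another. How the caller reacts to the exception is outside the hunk, so check there whether it needs to tell the two cases apart.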
@@ -393,10 +418,10 @@ public class AddValidationInformation COSArray filters = new COSArray(); filters.add(COSName.FLATE_DECODE); - try (OutputStream os = stream.createOutputStream(filters)) - { - os.write(data); - } + OutputStream os = stream.createOutputStream(filters); + os.write(data); + os.close(); + return stream; } Copied: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java (from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java) URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java?p2=pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java&p1=pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java&r1=1826404&r2=1826416&rev=1826416&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java (original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java Sat Mar 10 16:22:51 2018 @@ -74,7 +74,7 @@ public class CertInformationCollector private static final int MAX_CERTIFICATE_CHAIN_DEPTH = 5; - private final Map<BigInteger, X509Certificate> certificateStore = new HashMap<>(); + private final Map<BigInteger, X509Certificate> certificateStore = new HashMap<BigInteger, X509Certificate>(); private final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter(); 
@@ -95,12 +95,18 @@ public class CertInformationCollector PDSignature signature = getLastRelevantSignature(document); if (signature != null) { - try (FileInputStream documentInput = new FileInputStream(fileName)) + FileInputStream documentInput = null; + try { + documentInput = new FileInputStream(fileName); byte[] docBytes = IOUtils.toByteArray(documentInput); byte[] signatureContent = signature.getContents(docBytes); return getCertInfo(signatureContent); } + finally + { + IOUtils.closeQuietly(document); + } } return null; } @@ -114,7 +120,7 @@ public class CertInformationCollector */ private PDSignature getLastRelevantSignature(PDDocument document) throws IOException { - SortedMap<Integer, PDSignature> sortedMap = new TreeMap<>(); + SortedMap<Integer, PDSignature> sortedMap = new TreeMap<Integer, PDSignature>(); for (PDSignature signature : document.getSignatureDictionaries()) { int sigOffset = signature.getByteRange()[1]; @@ -202,7 +208,11 @@ public class CertInformationCollector processSignerStore(certificatesStore, tsToken.toCMSSignedData(), rootCertInfo.tsaCerts); } - catch (TSPException | CMSException e) + catch (TSPException e) + { + throw new IOException("Error parsing timestamp token", e); + } + catch (CMSException e) { throw new IOException("Error parsing timestamp token", e); } 
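Review bot: The `finally` block added in the `@@ -95,12 +95,18 @@` hunk closes `document` rather than the `FileInputStream` opened a few lines above it. `documentInput` is therefore never closed. The `PDDocument` is closed instead, although the calling code in AddValidationInformation appears to keep using it after this call. The line should read `IOUtils.closeQuietly(documentInput);`. The method signature is outside the hunk, so that `document` belongs to the caller is inferred from the `getLastRelevantSignature(document)` call.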
@@ -319,17 +329,20 @@ public class CertInformationCollector { URL certUrl = new URL(certInfo.issuerUrl); CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); - try (InputStream in = certUrl.openStream()) - { - X509Certificate altIssuerCert = (X509Certificate) certFactory - .generateCertificate(in); - addCertToCertStore(altIssuerCert); + InputStream in = certUrl.openStream(); - certInfo.alternativeCertChain = new CertSignatureInformation(); - traverseChain(altIssuerCert, certInfo.alternativeCertChain, maxDepth - 1); - } + X509Certificate altIssuerCert = (X509Certificate) certFactory.generateCertificate(in); + addCertToCertStore(altIssuerCert); + + certInfo.alternativeCertChain = new CertSignatureInformation(); + traverseChain(altIssuerCert, certInfo.alternativeCertChain, maxDepth - 1); + in.close(); + } + catch (IOException e) + { + LOG.error("Error getting additional Certificate from " + certInfo.issuerUrl, e); } - catch (IOException | CertificateException e) + catch (CertificateException e) { LOG.error("Error getting additional Certificate from " + certInfo.issuerUrl, e); } Copied: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java (from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java) URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java?p2=pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java&p1=pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java&r1=1826404&r2=1826416&rev=1826416&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java 
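Review bot: `certInfo.issuerUrl` is handed to `new URL(...)` and `openStream()` with no check on the scheme, and the hunk does not show where the value comes from. If it is read from a certificate embedded in the PDF being processed, the document's author decides what this code fetches, including non-HTTP URLs. The returned certificate also goes straight into `addCertToCertStore`. A guard before opening, accepting only `"http".equalsIgnoreCase(certUrl.getProtocol()) || "https".equalsIgnoreCase(certUrl.getProtocol())`, would restrict the lookup to web URLs. An explicit connect and read timeout is also worth adding, since `openStream()` sets none. The enclosing method and its `try` begin above the hunk.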
(original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationHelper.java Sat Mar 10 16:22:51 2018 @@ -117,8 +117,19 @@ public class CertInformationHelper return false; } } - catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException - | NoSuchProviderException e) + catch (InvalidKeyException e) + { + throw new CertificateProccessingException(e); + } + catch (CertificateException e) + { + throw new CertificateProccessingException(e); + } + catch (NoSuchAlgorithmException e) + { + throw new CertificateProccessingException(e); + } + catch (NoSuchProviderException e) { throw new CertificateProccessingException(e); } Copied: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java (from r1826404, pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java) URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java?p2=pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java&p1=pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java&r1=1826404&r2=1826416&rev=1826416&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java (original) +++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/OcspHelper.java Sat Mar 10 16:22:51 2018 
@@ -206,10 +206,9 @@ public class OcspHelper httpConnection.setRequestProperty("Content-Type", "application/ocsp-request"); httpConnection.setRequestProperty("Accept", "application/ocsp-response"); httpConnection.setDoOutput(true); - try (OutputStream out = httpConnection.getOutputStream()) - { - out.write(request.getEncoded()); - } + OutputStream out = httpConnection.getOutputStream(); + out.write(request.getEncoded()); + out.close(); if (httpConnection.getResponseCode() != 200) {