Author: tilman Date: Sun Oct 21 06:49:55 2018 New Revision: 1844462 URL: http://svn.apache.org/viewvc?rev=1844462&view=rev Log: PDFBOX-3017: check key usage when signing
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java?rev=1844462&r1=1844461&r2=1844462&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java (original) +++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java Sun Oct 21 06:49:55 2018 @@ -84,6 +84,8 @@ public abstract class CreateSignatureBas { // avoid expired certificate ((X509Certificate) cert).checkValidity(); + + SigUtils.checkCertificateUsage((X509Certificate) cert); } break; } Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java?rev=1844462&r1=1844461&r2=1844462&view=diff ============================================================================== --- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java (original) +++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/SigUtils.java Sun Oct 21 06:49:55 2018 @@ -16,12 +16,18 @@ package org.apache.pdfbox.examples.signature; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.List; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.pdfbox.cos.COSArray; import org.apache.pdfbox.cos.COSBase; import org.apache.pdfbox.cos.COSDictionary; import org.apache.pdfbox.cos.COSName; import org.apache.pdfbox.pdmodel.PDDocument; import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature; +import org.bouncycastle.asn1.x509.KeyPurposeId; /** * Utility class for the signature / timestamp examples. @@ -30,6 +36,8 @@ import org.apache.pdfbox.pdmodel.interac */ public class SigUtils { + private static final Log LOG = LogFactory.getLog(SigUtils.class); + private SigUtils() { } @@ -126,4 +134,40 @@ public class SigUtils catalogDict.setNeedToBeUpdated(true); permsDict.setNeedToBeUpdated(true); } + + /** + * Log if the certificate is not valid for signature usage. Doing this + * anyway results in Adobe Reader failing to validate the PDF. + * + * @param x509Certificate + * @throws java.security.cert.CertificateParsingException + */ + public static void checkCertificateUsage(X509Certificate x509Certificate) + throws CertificateParsingException + { + // Check whether signer certificate is "valid for usage" + // https://stackoverflow.com/a/52765021/535646 + // https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSig/changes.html#id1 + boolean[] keyUsage = x509Certificate.getKeyUsage(); + if (keyUsage != null && !keyUsage[0] && !keyUsage[1]) + { + // (unclear what "signTransaction" is) + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + LOG.error("Certificate key usage does not include " + + "digitalSignature nor nonRepudiation"); + } + List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage(); + if (extendedKeyUsage != null && + !extendedKeyUsage.contains(KeyPurposeId.id_kp_emailProtection.toString()) && + !extendedKeyUsage.contains(KeyPurposeId.id_kp_codeSigning.toString()) && + !extendedKeyUsage.contains(KeyPurposeId.anyExtendedKeyUsage.toString()) && + !extendedKeyUsage.contains("1.2.840.113583.1.1.5") && + // not mentioned in Adobe document, but tolerated in practice + !extendedKeyUsage.contains("1.3.6.1.4.1.311.10.3.12")) + { + LOG.error("Certificate extended key usage does not include " + + "emailProtection, nor codeSigning, nor anyExtendedKeyUsage, " + + "nor 'Adobe Authentic Documents Trust'"); + } + } }