Author: tilman Date: Sun Oct 21 06:55:16 2018 New Revision: 1844463 URL: http://svn.apache.org/viewvc?rev=1844463&view=rev Log: PDFBOX-3017: check TimeStampToken
Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
Modified: pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?rev=1844463&r1=1844462&r2=1844463&view=diff
==============================================================================
--- pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java (original)
+++ pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java Sun Oct 21 06:55:16 2018
@@ -49,8 +49,11 @@ import org.apache.pdfbox.pdmodel.PDDocum
 import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
 import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
 import org.apache.pdfbox.util.Hex;
+import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.cms.Attribute;
+import org.bouncycastle.asn1.cms.AttributeTable;
 import org.bouncycastle.asn1.cms.CMSAttributes;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.Time;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
@@ -59,6 +62,7 @@ import org.bouncycastle.cms.CMSProcessab
 import org.bouncycastle.cms.CMSProcessableByteArray;
 import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.SignerInformationVerifier;
 import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.tsp.TSPException;
@@ -273,7 +277,7 @@ public final class ShowSignature
 */
 private void verifyPKCS7(byte[] byteArray, COSString contents, PDSignature sig)
 throws CMSException, CertificateException, StoreException, OperatorCreationException,
- NoSuchAlgorithmException, NoSuchProviderException, IOException
+ NoSuchAlgorithmException, NoSuchProviderException, TSPException, IOException
 {
 // inspiration:
 // http://stackoverflow.com/a/26702631/535646
@@ -290,6 +294,28 @@ public final class ShowSignature
 X509CertificateHolder certificateHolder = matches.iterator().next();
 X509Certificate certFromSignedData = new JcaX509CertificateConverter().getCertificate(certificateHolder);
 System.out.println("certFromSignedData: " + certFromSignedData);
+
+ if (signerInformation.getUnsignedAttributes() != null)
+ {
+ AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
+
+ // https://stackoverflow.com/questions/1647759/how-to-validate-if-a-signed-jar-contains-a-timestamp
+ Attribute attribute = unsignedAttributes.get( PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
+ ASN1Object obj = (ASN1Object) attribute.getAttrValues().getObjectAt(0);
+ CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
+ TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);
+
+ // https://stackoverflow.com/questions/42114742/
+ Collection<X509CertificateHolder> tstMatches = timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
+ X509CertificateHolder holder = tstMatches.iterator().next();
+ X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
+ SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tstCert);
+ timeStampToken.validate(siv);
+ System.out.println("TimeStampToken validated");
+ }
+
 try
 {
 if (sig.getSignDate() != null)
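Review bot: `attribute` is dereferenced without a null check in the new block, so a signature whose unsigned attributes exist but carry no `id_aa_signatureTimeStampToken` fails with a NullPointerException instead of a clear message, and `tstMatches.iterator().next()` likewise throws NoSuchElementException when the token does not embed the TSA certificate. More importantly for a commit titled "check TimeStampToken", `timeStampToken.validate(siv)` only checks the token's own signature against the certificate carried inside the token; it does not build a chain to a trusted anchor, and nothing compares the token's message imprint with the hash of `signerInformation.getSignature()` as RFC 3161 requires for a signature timestamp, so the printed "TimeStampToken validated" overstates what was verified. The rewrite below adds the two guards and the imprint comparison (constant-time via `MessageDigest.isEqual`) and qualifies the success message; it needs `org.bouncycastle.tsp.TimeStampTokenInfo` and `java.security.MessageDigest` in scope, and the TSA trust-chain check is still left to the caller. `verifyPKCS7` continues outside the hunk.
```java
            Attribute attribute = unsignedAttributes.get(
                    PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
            if (attribute == null)
            {
                System.out.println("No signature timestamp token present in unsigned attributes");
            }
            else
            {
                ASN1Object obj = (ASN1Object) attribute.getAttrValues().getObjectAt(0);
                CMSSignedData signedTSTData = new CMSSignedData(obj.getEncoded());
                TimeStampToken timeStampToken = new TimeStampToken(signedTSTData);

                Collection<X509CertificateHolder> tstMatches =
                        timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
                if (tstMatches.isEmpty())
                {
                    throw new TSPException("TimeStampToken does not carry the TSA certificate");
                }
                // … unchanged: holder / tstCert / siv construction …
                timeStampToken.validate(siv);

                // RFC 3161: the imprint must be the digest of the signature value this token covers
                TimeStampTokenInfo tstInfo = timeStampToken.getTimeStampInfo();
                MessageDigest md = MessageDigest.getInstance(tstInfo.getMessageImprintAlgOID().getId());
                byte[] expectedImprint = md.digest(signerInformation.getSignature());
                if (!MessageDigest.isEqual(expectedImprint, tstInfo.getMessageImprintDigest()))
                {
                    throw new TSPException("TimeStampToken message imprint does not match the signature value");
                }
                System.out.println("TimeStampToken validated (token signature and imprint; TSA trust chain not checked)");
            }
```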