Author: tilman
Date: Tue Nov 13 20:21:27 2018
New Revision: 1846543

URL: http://svn.apache.org/viewvc?rev=1846543&view=rev
Log:
PDFBOX-4377: verify CRL with the certificate issuer public key

Modified:
    
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
    
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java

Modified: 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
URL: 
http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?rev=1846543&r1=1846542&r2=1846543&view=diff
==============================================================================
--- 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
 (original)
+++ 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
 Tue Nov 13 20:21:27 2018
@@ -298,7 +298,7 @@ public class AddValidationInformation
         {
             addCrlRevocationInfo(certInfo);
         }
-        catch (CRLException | IOException | RevokedCertificateException e)
+        catch (GeneralSecurityException | IOException | 
RevokedCertificateException e)
         {
             LOG.warn("Failed fetching CRL", e);
             throw new IOException(e);
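Review bot: The warning on the line after the widened catch, `LOG.warn("Failed fetching CRL", e)`, no longer describes every failure it reports: with GeneralSecurityException caught here, a CRL whose signature does not verify against the issuer key is logged as if it were a transport problem. Suggest `LOG.warn("Failed fetching or verifying CRL", e);` so that a tampered or wrongly-issued CRL can be told apart from a download error in the logs. The rethrow `throw new IOException(e)` also wraps a RevokedCertificateException as an I/O failure, which predates this commit but means callers cannot distinguish a revocation from a fetch failure by exception type. The enclosing method starts and continues outside the hunk.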
@@ -344,10 +344,10 @@ public class AddValidationInformation
      * @throws RevokedCertificateException
      */
     private void addCrlRevocationInfo(CertSignatureInformation certInfo)
-            throws CRLException, IOException, RevokedCertificateException
+            throws IOException, RevokedCertificateException, 
GeneralSecurityException
     {
         byte[] crlData = 
CrlHelper.performCrlRequestAndCheck(certInfo.getCrlUrl(),
-                certInfo.getCertificate());
+                certInfo.getCertificate(), 
certInfo.getIssuerCertificate().getPublicKey());
         COSStream crlStream = writeDataToStream(crlData);
         crls.add(crlStream);
         if (correspondingCRLs != null)
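Review bot: The new argument `certInfo.getIssuerCertificate().getPublicKey()` dereferences the issuer certificate without a null check; if a CertSignatureInformation can lack an issuer certificate, this becomes a NullPointerException instead of a meaningful error. A guard such as `if (certInfo.getIssuerCertificate() == null) throw new GeneralSecurityException("No issuer certificate available to verify the CRL");` before the call would report it under the exception type the method now declares. Whether the getter can return null is not visible in this hunk, so confirm against CertSignatureInformation. The Javadoc above the signature should also gain `@throws GeneralSecurityException if the CRL cannot be fetched, parsed or verified`; its first lines are outside the hunk.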

Modified: 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
URL: 
http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java?rev=1846543&r1=1846542&r2=1846543&view=diff
==============================================================================
--- 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
 (original)
+++ 
pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java
 Tue Nov 13 20:21:27 2018
@@ -20,6 +20,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.PublicKey;
 import java.security.cert.CRLException;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
@@ -40,15 +42,17 @@ public final class CrlHelper
 
     /**
      * Performs the CRL-Request and checks if the given certificate has been 
revoked.
-     * 
+     *
      * @param crlUrl to get the CRL from
      * @param cert to be checked if it is inside the CRL
-     * @return CRL-Response; might be very big depending on the issuer. 
-     * @throws CRLException if an Error occurred getting the CRL, or parsing 
it.
+     * @param issuerKey public key of the issuer certificate to verify the CRL 
signature
+     * @return CRL-Response; might be very big depending on the issuer.
+     * @throws GeneralSecurityException if an error occurred getting the CRL, 
or parsing it, or
+     * verifying it.
      * @throws RevokedCertificateException
      */
-    public static byte[] performCrlRequestAndCheck(String crlUrl, 
X509Certificate cert)
-            throws CRLException, RevokedCertificateException
+    public static byte[] performCrlRequestAndCheck(String crlUrl, 
X509Certificate cert, PublicKey issuerKey)
+            throws RevokedCertificateException, GeneralSecurityException
     {
         try
         {
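Review bot: The `@throws RevokedCertificateException` tag at the end of the Javadoc is still left without a description while the neighbouring tags were rewritten; `@throws RevokedCertificateException if the certificate is listed in the CRL as revoked` matches the message thrown further down in the method. The `@param issuerKey` text could also spell out the assumption it encodes: the CRL is expected to be signed directly by the certificate's issuer, so an indirect CRL signed by a delegated key will fail `verify` and is rejected by this helper. The method body continues past the end of the hunk.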
@@ -66,7 +70,9 @@ public final class CrlHelper
             try (InputStream is = con.getInputStream())
             {
                 crl = (X509CRL) certFac.engineGenerateCRL(is);
+                crl.verify(issuerKey);
             }
+            //TODO should be checked for signing time, see 
CRLVerifier.verifyCertificateCRLs
             if (crl.isRevoked(cert))
             {   
                 throw new RevokedCertificateException("The Certificate was 
found on the CRL and is revoked!");
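Review bot: `crl.verify(issuerKey)` after the parse binds the CRL to the issuer key, but nothing in the method checks that the CRL is still current, and the TODO on the following line only mentions the signing time; a superseded CRL that still carries a valid signature is accepted and `isRevoked` would miss any later revocation. A check such as `Date next = crl.getNextUpdate(); if (next != null && next.before(new Date())) throw new GeneralSecurityException("CRL is outdated, nextUpdate was " + next);` placed right after the verify would close that gap under the exception type the method now declares (needs a java.util.Date import). `verify` also throws for an indirect CRL signed by a key other than the issuer's, which is a deliberate restriction worth recording in the TODO. The method continues outside the hunk.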

