Author: tilman Date: Tue Nov 13 20:21:27 2018 New Revision: 1846543 URL: http://svn.apache.org/viewvc?rev=1846543&view=rev Log: PDFBOX-4377: verify CRL with the certificate issuer public key
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?rev=1846543&r1=1846542&r2=1846543&view=diff ==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java Tue Nov 13 20:21:27 2018
@@ -298,7 +298,7 @@ public class AddValidationInformation
 {
 addCrlRevocationInfo(certInfo);
 }
- catch (CRLException | IOException | RevokedCertificateException e)
+ catch (GeneralSecurityException | IOException | RevokedCertificateException e)
 {
 LOG.warn("Failed fetching CRL", e);
 throw new IOException(e);
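Review bot: The log message `"Failed fetching CRL"` on the context line no longer describes everything the widened catch handles: a CRL whose signature does not verify against the issuer key now arrives here as a GeneralSecurityException and is logged as a fetch failure, and the following `throw new IOException(e)` presents that trust failure to the caller as an I/O error. Consider `LOG.warn("Failed fetching or verifying CRL", e);` so the log distinguishes the two cases, and, if callers are meant to treat a CRL that fails verification differently from a network failure, let the GeneralSecurityException propagate rather than wrapping it. The enclosing method starts and ends outside the hunk.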
@@ -344,10 +344,10 @@ public class AddValidationInformation
 * @throws RevokedCertificateException
 */
 private void addCrlRevocationInfo(CertSignatureInformation certInfo)
- throws CRLException, IOException, RevokedCertificateException
+ throws IOException, RevokedCertificateException, GeneralSecurityException
 {
 byte[] crlData = CrlHelper.performCrlRequestAndCheck(certInfo.getCrlUrl(),
- certInfo.getCertificate());
+ certInfo.getCertificate(), certInfo.getIssuerCertificate().getPublicKey());
 COSStream crlStream = writeDataToStream(crlData);
 crls.add(crlStream);
 if (correspondingCRLs != null)
Modified: pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java URL: http://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java?rev=1846543&r1=1846542&r2=1846543&view=diff ==============================================================================
--- pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java (original)
+++ pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CrlHelper.java Tue Nov 13 20:21:27 2018
@@ -20,6 +20,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.PublicKey;
 import java.security.cert.CRLException;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
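Review bot: The new argument expression `certInfo.getIssuerCertificate().getPublicKey()` dereferences the issuer certificate without a null check; if getIssuerCertificate() can return null for this CertSignatureInformation (I cannot confirm that from the hunk, but a certificate whose issuer was not resolved is the obvious case), the method fails with a NullPointerException that is neither declared here nor caught by the GeneralSecurityException handler around the call. A guard such as `if (certInfo.getIssuerCertificate() == null) { throw new GeneralSecurityException("issuer certificate not available, cannot verify CRL signature"); }` before the call keeps the failure inside the declared contract. The javadoc tail visible in the hunk still lists only `@throws RevokedCertificateException`; add `@throws GeneralSecurityException if the CRL cannot be parsed or its signature does not verify against the issuer key` for the newly declared exception. The rest of the method and its javadoc lie outside the hunk.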
@@ -40,15 +42,17 @@ public final class CrlHelper
 /**
 * Performs the CRL-Request and checks if the given certificate has been revoked.
- *
+ *
 * @param crlUrl to get the CRL from
 * @param cert to be checked if it is inside the CRL
- * @return CRL-Response; might be very big depending on the issuer.
- * @throws CRLException if an Error occurred getting the CRL, or parsing it.
+ * @param issuerKey public key of the issuer certificate to verify the CRL signature
+ * @return CRL-Response; might be very big depending on the issuer.
+ * @throws GeneralSecurityException if an error occurred getting the CRL, or parsing it, or
+ * verifying it.
 * @throws RevokedCertificateException
 */
- public static byte[] performCrlRequestAndCheck(String crlUrl, X509Certificate cert)
- throws CRLException, RevokedCertificateException
+ public static byte[] performCrlRequestAndCheck(String crlUrl, X509Certificate cert, PublicKey issuerKey)
+ throws RevokedCertificateException, GeneralSecurityException
 {
 try
 {
@@ -66,7 +70,9 @@ public final class CrlHelper
 try (InputStream is = con.getInputStream())
 {
 crl = (X509CRL) certFac.engineGenerateCRL(is);
+ crl.verify(issuerKey);
 }
+ //TODO should be checked for signing time, see CRLVerifier.verifyCertificateCRLs
 if (crl.isRevoked(cert))
 {
 throw new RevokedCertificateException("The Certificate was found on the CRL and is revoked!");
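Review bot: `@throws RevokedCertificateException` in the rewritten javadoc is still left without a description while every other tag was updated; `@throws RevokedCertificateException if the certificate is listed as revoked in the CRL` states the one condition the method raises it for. The new `issuerKey` parameter is also accepted without validation, so a null key only fails later inside `crl.verify` with whatever the provider throws; a leading `Objects.requireNonNull(issuerKey, "issuerKey");` (java.util.Objects) turns that into a clear precondition failure at the call site. The method body continues in the next hunk.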
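Review bot: `crl.verify(issuerKey)` establishes who signed the CRL but not whether it is still current, so a CRL that the issuer signed earlier and has since superseded is accepted as long as its signature is intact; the TODO on the following added line acknowledges this, but the cheap part of the check can be done now. After the verify call, comparing `crl.getNextUpdate()` with the reference time, e.g. `if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date())) { throw new CRLException("CRL is out of date, nextUpdate was " + crl.getNextUpdate()); }`, rejects a stale response (CRLException is already imported and is a GeneralSecurityException; java.util.Date would need importing if it is not). Whether the reference time should be the current time or the signature's signing time is the question the TODO defers, and it should be answered rather than left as a comment. The surrounding try block and its catch lie outside the hunk.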