Author: tilman
Date: Sun Dec  2 10:08:09 2018
New Revision: 1847948

URL: http://svn.apache.org/viewvc?rev=1847948&view=rev
Log:
PDFBOX-3017: revert previous commit, fallback solution needs to be added to 
findResponderCertificateByKeyHash as well

Modified:
    
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java

Modified: 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: 
http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1847948&r1=1847947&r2=1847948&view=diff
==============================================================================
--- 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 (original)
+++ 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 Sun Dec  2 10:08:09 2018
@@ -172,24 +172,6 @@ public class OcspHelper
                     findResponderCertificateByKeyHash(basicResponse, keyHash);
                 }
             }
-            
-            if (ocspResponderCertificate == null)
-            {
-                // DO NOT use the certificate found in additionalCerts first. 
One file had a
-                // responder certificate in the PDF itself with SHA1withRSA 
algorithm, but
-                // the responder delivered a different (newer, more secure) 
certificate
-                // with SHA256withRSA (tried with QV_RCA1_RCA3_CPCPS_V4_11.pdf)
-                // 
https://www.quovadisglobal.com/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_11.ashx
-                for (X509Certificate cert : additionalCerts)
-                {
-                    X500Name certSubjectName = new 
X500Name(cert.getSubjectX500Principal().getName());
-                    if (certSubjectName.equals(name))
-                    {
-                        ocspResponderCertificate = cert;
-                        break;
-                    }
-                }
-            }
 
             if (ocspResponderCertificate == null)
             {
@@ -214,7 +196,7 @@ public class OcspHelper
             {
                 throw new OCSPException(
                         "OCSP: Received " + responses.length + " responses 
instead of 1!");
-            }    
+            }
 
             SingleResp resp = responses[0];
             Object status = resp.getCertStatus();
@@ -302,6 +284,23 @@ public class OcspHelper
                 break;
             }
         }
+        if (ocspResponderCertificate == null)
+        {
+            // DO NOT use the certificate found in additionalCerts first. One 
file had a
+            // responder certificate in the PDF itself with SHA1withRSA 
algorithm, but
+            // the responder delivered a different (newer, more secure) 
certificate
+            // with SHA256withRSA (tried with QV_RCA1_RCA3_CPCPS_V4_11.pdf)
+            // 
https://www.quovadisglobal.com/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_11.ashx
+            for (X509Certificate cert : additionalCerts)
+            {
+                X500Name certSubjectName = new 
X500Name(cert.getSubjectX500Principal().getName());
+                if (certSubjectName.equals(name))
+                {
+                    ocspResponderCertificate = cert;
+                    break;
+                }
+            }
+        }
     }
 
     private void checkOcspResponseFresh(SingleResp resp) throws OCSPException
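Review bot: The fallback loop over `additionalCerts` selects the responder certificate on a subject-name match alone, and a subject DN is not an identity: going by the comment, these certificates can come from the PDF itself, where any certificate may carry the same name. Whether that is safe depends on checks that are not visible in this hunk, presumably that the response signature verifies with the selected certificate and that the certificate is issued by the relevant CA with the OCSP-signing extended key usage. I would state that above the loop, e.g. `// a name match only selects a candidate; it must still pass the signature and OCSPSigning checks before it is trusted`. Building the name from the encoded form, `X500Name.getInstance(cert.getSubjectX500Principal().getEncoded())`, would also avoid comparing through a string round-trip. The enclosing method starts outside the hunk.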

