While testing the LtvVerifier, I noticed that some documents, those with an
embedded OCSP response, were raising a NullPointerException:

java.lang.NullPointerException
    at java.util.Date.getMillisOf(Date.java:939)
    at java.util.Date.after(Date.java:912)
    at com.itextpdf.text.pdf.security.OCSPVerifier.verify(OCSPVerifier.java:162)
    at com.itextpdf.text.pdf.security.OCSPVerifier.verify(OCSPVerifier.java:116)
    at com.itextpdf.text.pdf.security.LtvVerifier.verify(LtvVerifier.java:270)

Upon closer inspection, I found out that the nextUpdate date/time in the
OCSP response was null and that the OCSPVerifier tried to use it here (line
162):


        // check if the OCSP response was valid at the time of signing
        if (signDate.after(resp[i].getNextUpdate())) {
                LOGGER.info(String.format("OCSP no longer valid: %s after %s",
                        signDate, resp[i].getNextUpdate()));
                continue;
        }


It looks to me that it may be perfectly fine for the nextUpdate field to be
null, as per RFC 2560:

2.4  Semantics of thisUpdate, nextUpdate and producedAt
(...)
- nextUpdate: The time at or before which newer information will be
                 available about the status of the certificate
(...)
If nextUpdate is not set, the responder is indicating that newer
   revocation information is available all the time.


I'm not sure how to correctly check the signing time with the OCSP
response, because the response was most likely issued during the signature
process, so that the signDate is likely a few seconds after the response.

Maybe it would be OK to check if the signDate is within a few minutes
after the time stored in the producedAt field:

- producedAt: The time at which the OCSP responder signed this
                 response.


Cheers,
Rafael.
_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions
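
A null-safe form of the check discussed in the message above, as an added example (not code from the original post or from iText): it keeps the nextUpdate comparison when the field is present and otherwise falls back to the producedAt window the post suggests. The class and method names and the five-minute tolerance are assumptions.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

public class OcspSigningTimeCheck {

    // Assumed tolerance for responses without nextUpdate; set it from your
    // validation policy. A wide window lets stale responses pass.
    static final long MAX_AGE_MS = TimeUnit.MINUTES.toMillis(5);

    /**
     * Decides whether an OCSP response may be used for a signature made at
     * signDate. nextUpdate may be null (optional in RFC 2560); producedAt is
     * the time the responder signed the response.
     */
    static boolean usableAtSigningTime(Date signDate, Date nextUpdate, Date producedAt) {
        if (signDate == null || producedAt == null) {
            return false; // nothing to compare against: do not accept
        }
        if (nextUpdate != null) {
            // Same rule as the original check, now reached only with a real date.
            return !signDate.after(nextUpdate);
        }
        // nextUpdate absent: the responder promises no validity interval, so
        // accept only if signing happened at most MAX_AGE_MS after producedAt.
        // A response produced after signing gives a negative age and is not
        // rejected here, like in the original check.
        long ageMs = signDate.getTime() - producedAt.getTime();
        return ageMs <= MAX_AGE_MS;
    }

    public static void main(String[] args) {
        // Constructed sample times, not taken from a real response.
        Date producedAt = new Date(1_356_998_400_000L);
        Date tenSecondsLater = new Date(producedAt.getTime() + 10_000L);
        Date oneHourLater = new Date(producedAt.getTime() + 3_600_000L);

        // No nextUpdate, signed seconds after the response was produced.
        System.out.println(usableAtSigningTime(tenSecondsLater, null, producedAt));
        // No nextUpdate, signed an hour later: outside the tolerance.
        System.out.println(usableAtSigningTime(oneHourLater, null, producedAt));
        // nextUpdate present and already passed at signing time.
        System.out.println(usableAtSigningTime(oneHourLater, tenSecondsLater, producedAt));
    }
}
```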