[iText-questions] [SPAM] Re: Certificate Chain order could be wrong in PdfPKPCS7

Fri, 08 Feb 2013 13:11:07 -0800 

Jonathan Vargas,

Jonathan Vargas wrote
> But when calling this instance's getCertificates () method, it returns an
> unordered certificate list which doesn't respect the certificate path
> order.
> [...]
> Why is it returning a different certificate path order than the one
> provided when the document was originally signed?

If you look at the sources, you will see:

iText svn wrote
>     /**
>      * Get all the X.509 certificates associated with this PKCS#7 object 
*
> in no particular order
*
> .
>      * Other certificates, from OCSP for example, will also be included.
>      * @return the X.509 certificates associated with this PKCS#7 object
>      */
>     public Certificate[] getCertificates() {
>         return certs.toArray(new X509Certificate[certs.size()]);
>     }

(http://sourceforge.net/p/itext/code/5685/tree/trunk/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.java)

Thus, no special order of certificates is to be expected.

Currently this method returns the certificates embedded in the CMS container
before the SignerInfos, i.e. not any spiffy CAdES structure but good old
PKCS#7-ish stuff.

In certain contexts in iText this has been recognonized to not be the most
apropos certificate collection for certain jobs. Thus, there now also is
getSignCertificateChain() which returns only certificates from the
certificate chain of the signer certificate starting with that and each
following certificate being the issuer certificate of the preceding one. The
certificates for this are selected from the getCertificates() certificates,
no additional sources are queried... currently.

Regards,   Michael.



--
View this message in context: 
http://itext-general.2136553.n4.nabble.com/Certificate-Chain-order-could-be-wrong-in-PdfPKPCS7-tp4657581p4657582.html
Sent from the iText - General mailing list archive at Nabble.com.

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions

iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference 
to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: 
http://itextpdf.com/themes/keywords.php

Reply via email to