Ok, I reported this because LtvVerification.java uses this method and returns
unexpected results when verifying against OCSP.

http://sourceforge.net/p/itext/code/5685/tree/trunk/itext/src/main/java/com/itextpdf/text/pdf/security/LtvVerification.java#l180

See this weird code a few lines later:

ocsp.getEncoded(cert, (X509Certificate)xc[k + 1])

That assumes that the root certificate against which to validate is at a
fixed position, and since the cert chain has no order, it works erratically.

So, I think it should be fixed so that before calling the OCSP client, the cert
chain is ordered correctly, in order to perform the requests correctly.

What do you think?



2013/2/8 mkl <m...@wir-sind-cool.org>

> Jonathan Vargas,
>
> Jonathan Vargas wrote
> > But when calling this instance's getCertificates () method, it returns an
> > unordered certificate list which doesn't respect the certificate path
> > order.
> > [...]
> > Why is it returning a different certificate path order than the one
> > provided when the document was originally signed?
>
> If you look at the sources, you will see:
>
> iText svn wrote
> >     /**
> >      * Get all the X.509 certificates associated with this PKCS#7 object *in no particular order*.
> >      * Other certificates, from OCSP for example, will also be included.
> >      * @return the X.509 certificates associated with this PKCS#7 object
> >      */
> >     public Certificate[] getCertificates() {
> >         return certs.toArray(new X509Certificate[certs.size()]);
> >     }
>
> (http://sourceforge.net/p/itext/code/5685/tree/trunk/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.java)
>
> Thus, no special order of certificates is to be expected.
>
> Currently this method returns the certificates embedded in the CMS
> container
> before the SignerInfos, i.e. not any spiffy CAdES structure but good old
> PKCS#7-ish stuff.
>
> In certain contexts in iText this has been recognized to not be the most
> apropos certificate collection for certain jobs. Thus, there now also is
> getSignCertificateChain() which returns only certificates from the
> certificate chain of the signer certificate starting with that and each
> following certificate being the issuer certificate of the preceding one.
> The certificates for this are selected from the getCertificates() certificates,
> no additional sources are queried... currently.
>
> Regards,   Michael.
>
>
>
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/Certificate-Chain-order-could-be-wrong-in-PdfPKPCS7-tp4657581p4657582.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> iText-questions mailing list
> iText-questions@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> iText(R) is a registered trademark of 1T3XT BVBA.
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php
>



-- 
*Servicio y Asistencia al Cliente*
Alkaid · Open Source Business Software
Phone: 2553 5467 | Web: alkaid.cr
E-mail: servicioalclie...@alkaid.cr

*We are the ones that will try to solve most of our client's issues.
That's our job. Contact us anytime you want it.*
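As an added example (not iText's own code; the class and method names are assumed), the ordering Michael describes, written against java.security.cert: start at the signer certificate and append the certificate whose subject matches the current issuer, verifying the signature so that a subject-name collision cannot select the wrong issuer. With the array ordered this way, xc[k + 1] really is the issuer of xc[k], provided the caller bound-checks k + 1 when the root is not embedded.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example, not iText code: order an unordered certificate array into
 *  signer -> issuer -> ... so that chain[k + 1] is the issuer of chain[k]. */
public final class ChainOrder {

    public static X509Certificate[] orderChain(X509Certificate signer, Certificate[] unordered) {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(signer);
        X509Certificate current = signer;
        // Follow issuer links until a self-signed certificate or no candidate is left.
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (Certificate c : unordered) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                if (chain.contains(x)) continue; // never loop over an already used certificate
                if (!x.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                try {
                    // Name match alone is not enough; the candidate must have signed 'current'.
                    current.verify(x.getPublicKey());
                } catch (Exception e) {
                    continue; // same subject name, wrong key (e.g. an OCSP responder cert)
                }
                issuer = x;
                break;
            }
            if (issuer == null) break; // issuer not embedded; the chain ends here, so check bounds
            chain.add(issuer);
            current = issuer;
        }
        return chain.toArray(new X509Certificate[0]);
    }
}
```

Certificates that are embedded for other purposes (OCSP responder certificates, for example) are left out because no issuer link leads to them.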