Hello, I'm using Apache PDFBox to sign a PDF document, and to add validation information. For that purpose I've used the examples provided in classes CreateSignature and AddValidationInformation.
Creating signature works fine, but there is an exception caught while adding validation information:

java.lang.ClassCastException: class org.bouncycastle.asn1.DLSequence cannot be cast to class org.bouncycastle.asn1.DERTaggedObject (org.bouncycastle.asn1.DLSequence and org.bouncycastle.asn1.DERTaggedObject are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @2fd1731c)
    at org.apache.pdfbox.examples.signature.validation.CertInformationHelper.getCrlUrlFromExtensionValue(CertInformationHelper.java:119)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:333)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:243)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:214)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:124)
    at org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:96)
    at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:128)
    at org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:104)

Version of Apache PDFBox is 2.0.17 and version of BouncyCastle is 1.60 as stated on dependencies page, but I have also tried with BouncyCastle 1.62 and 1.64 and the behavior is the same.

It seems that there is a problem in CertInformationHelper.getCrlUrlFromExtensionValue, in line

    derTagged = (DERTaggedObject) derTagged.getObject();

I’m not sure why there are two identical lines, and the resolution would probably be to include another check, if derTagged.getObject() instanceof DLSequence. I’d appreciate a comment on this situation.

    /**
     * Gets the first CRL URL from given extension value. Structure has to be
     * built as in 4.2.1.14 CRL Distribution Points of RFC 2459.
     *
     * @param extensionValue to get the extension value from
     * @return first CRL-URL or null
     * @throws IOException when there is a problem with the extensionValue
     */
    protected static String getCrlUrlFromExtensionValue(byte[] extensionValue) throws IOException
    {
        ASN1Sequence asn1Seq = (ASN1Sequence) JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        Enumeration<?> objects = asn1Seq.getObjects();

        while (objects.hasMoreElements())
        {
            DLSequence obj = (DLSequence) objects.nextElement();

            DERTaggedObject derTagged = (DERTaggedObject) obj.getObjectAt(0);
            derTagged = (DERTaggedObject) derTagged.getObject();
            derTagged = (DERTaggedObject) derTagged.getObject();
            if (!(derTagged.getObject() instanceof DEROctetString))
            {
                // happens with SampleSignedPDFDocument.pdf
                continue;
            }
            DEROctetString uri = (DEROctetString) derTagged.getObject();
            String url = new String(uri.getOctets());

            // TODO Check for: DistributionPoint ::= SEQUENCE (see RFC 2459), multiples can be possible.

            // return first http(s)-Url for crl
            if (url.startsWith("http"))
            {
                return url;
            }
        }
        return null;
    }

Best regards,
Predrag
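An added example, not part of the original post and not PDFBox's own code: one way to read the CRL Distribution Points extension without positional casts is to decode it through BouncyCastle's typed X.509 classes (CRLDistPoint, DistributionPoint, GeneralNames), which skips distribution points that carry no fullName and names that are not URIs. The class name CrlUrlExtractor and method name getCrlUrls are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

// Hypothetical helper class for illustration; not part of PDFBox.
public final class CrlUrlExtractor
{
    private CrlUrlExtractor() {}

    /** Returns every http(s) CRL URL found in a CRLDistributionPoints extension value. */
    public static List<String> getCrlUrls(byte[] extensionValue) throws IOException
    {
        List<String> urls = new ArrayList<String>();
        // Unwrap the OCTET STRING that wraps the extension content.
        ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        CRLDistPoint distPoints = CRLDistPoint.getInstance(parsed);
        for (DistributionPoint dp : distPoints.getDistributionPoints())
        {
            DistributionPointName dpn = dp.getDistributionPoint();
            // distributionPoint is OPTIONAL, and nameRelativeToCRLIssuer holds no URL.
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME)
            {
                continue;
            }
            // fullName is a GeneralNames sequence and may hold several entries.
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames())
            {
                if (gn.getTagNo() != GeneralName.uniformResourceIdentifier)
                {
                    continue; // e.g. directoryName: not a URL
                }
                String url = DERIA5String.getInstance(gn.getName()).getString();
                if (url.startsWith("http://") || url.startsWith("https://"))
                {
                    urls.add(url);
                }
            }
        }
        return urls;
    }
}
```

The input is what `X509Certificate.getExtensionValue("2.5.29.31")` returns; that call yields null when the certificate has no CRL Distribution Points extension, so check for null before calling the helper.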