Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 2.0.0, 3.0.0 PDFBox
- None
Description
Improve signing code:
- incremental save only works for signatures and doesn't respect certificates such as Adobe Extended Usage Rights
- prepareNonVisualSignature clears the AcroForm DR acroForm.setDefaultResources(null) which is not good if there are other form fields
- visual/nonVisualSignature should move into the interactive.forms package and be handled within the signature field
- verify signature (to have tests that go full circle) (done June 2016)
- document or refactor / rewrite visible labyrinthine signature code
- why is it not possible to pass only the signatureField to addSignature, instead having to create a COSDocument with a page and annotations that has the signature field, and that must be searched for in prepareVisibleSignature()?
- support rotated pages (see https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956 ) (done in PDFBOX-3671)
- make sure that signed PDF/A files are still PDF/A (see http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf ); /ID possibly not OK; /Annots is possibly required (tilman removed this for invisible signatures); test signed files with PDF-Tools and with preflight (tested, they are OK with PDF-Tools and preflight)
- test whether "bad" signatures are detected by preflight (search in old issues)
done on July 15, 2016 PDFBOX-3363
- why is the stream cached in a file? Should it be done in memory?
- remove setVisualSignature(PDVisibleSigProperties visSignatureProperties) from SignatureOptions.java, all it does is to call visSignatureProperties.getVisibleSignature() which returns an InputStream, and this is already available
- checkSignatureField violates the "do one thing" rule
- decide whether the whole certificate chain should be passed in the sample code, instead of only the first one (yes the whole chain is stored)
- check certificate chain, revocation lists, etc, only if needed by users, code here
- deprecate / remove all PDVisibleSignDesigner constructors except those with a PDDocument object, to avoid a file being opened twice
- ... your ideas...
Attachments
- SO52757037-Signed3-OCSP-with-KeyHash.pdf (33 kB, Tilman Hausherr)
- QV_RCA1_RCA3_CPCPS_V4_11.pdf (994 kB, Tilman Hausherr)
- PDFBOX-3017_certificate_chain.diff (2 kB, Aleksei Balan)
- PDFBOX-3017_certificate_chain_Screenshot.png (104 kB, Aleksei Balan)
- pdfa_signed_insivible.pdf (35 kB, Tilman Hausherr)
- Eingangsbestaetigung-376670811-sig.pdf (108 kB, Tilman Hausherr)
- Eingangsbestaetigung-376670811-sig_ocsp.pdf (145 kB, Tilman Hausherr)
Issue Links
- is depended upon by PDFBOX-3198 Visible Signature N2 layer / Support signature with text (Closed)
Activity
prepareNonVisualSignature clears the AcroForm DR (acroForm.setDefaultResources(null)) which is not good if there are other form fields
The pendant for this issue in the context of visual signatures has been observed in real life, cf. the stackoverflow posting PDFBox 1.8.10: Fill and Sign Document, Filling again fails.
Commit 1712037 from msahyoun in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1712037 ]
PDFBOX-2816, PDFBOX-3017: don't drop AcroForm /DR for invisible signature
Commit 1712040 from msahyoun in branch 'pdfbox/branches/1.8'
[ https://svn.apache.org/r1712040 ]
PDFBOX-2816, PDFBOX-3017: don't drop AcroForm /DR for invisible signature
mkl thank you for the 'reminder' - I've changed that so the /DR is kept
Surprisingly, the attached signed PDFA file is valid according to the PDF-Tools validator, despite not having an /AP entry.
Haven't looked into the file in detail - will do later but invisible signatures don't need an /AP entry AFAIK.
Yes, that's also my theory based on the PDF 32000 document. So either the document on pdfa.org is wrong (because they didn't think about invisible signatures), or the validator is wrong.
http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf
pages 4 and 8 require /AP entry.
I'd propose doing a rewrite of the creation of the visual signature. IMHO we could reflect the options one would have within Adobe Acrobat Dialogs because these are familiar. We could also support supplying special PDFs as templates for the signature similar to what's described in http://www.adobe.com/devnet-docs/acrobatetk/tools/DigSig/appearances.html.
This would also fit well with the work I'm about to start for AcroForms using 'styles' for fields to hide the complexity of setting the appearance parameters.
Whatever we do, we should include all the relevant users in the improvement process. This is mkl, petras, cyril and the people who were in that "signing a signed PDF" issue. Maybe even the original author, I wonder if he still uses PDFBox.
Commit 1747261 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747261 ]
PDFBOX-3017: enable verify
Commit 1747263 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747263 ]
PDFBOX-3017: enable verify
Commit 1747264 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747264 ]
PDFBOX-3017: replace keystore with one that is valid
Commit 1747265 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747265 ]
PDFBOX-3017: replace keystore with one that is valid
Commit 1747268 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747268 ]
PDFBOX-3017: add simple verify for adbe.pkcs7.detached signatures
Commit 1747269 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747269 ]
PDFBOX-3017: add simple verify for adbe.pkcs7.detached signatures
Commit 1747271 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747271 ]
PDFBOX-3017: check that certificate is valid before signing
Commit 1747272 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747272 ]
PDFBOX-3017: check that certificate is valid before signing
Commit 1747314 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747314 ]
PDFBOX-3017: add simple verify for adbe.pkcs7.sha1 signatures
Commit 1747315 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747315 ]
PDFBOX-3017: add simple verify for adbe.pkcs7.sha1 signatures
Commit 1747316 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747316 ]
PDFBOX-3017: add simple verify for adbe.pkcs7.sha1 signatures
Commit 1747418 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747418 ]
PDFBOX-3017: SonarQube fixes
Commit 1747419 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747419 ]
PDFBOX-3017: SonarQube fixes
Commit 1747564 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747564 ]
PDFBOX-3017: simplify code by using getSignedContent()
Commit 1747565 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747565 ]
PDFBOX-3017: simplify code by using getSignedContent()
Commit 1747568 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1747568 ]
PDFBOX-3017: simplify code by using getSignedContent()
Commit 1747569 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1747569 ]
PDFBOX-3017: simplify code by using getSignedContent()
Commit 1748753 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1748753 ]
PDFBOX-3017: assign name/location/reason the values set in visibleSignatureProperties; don't use signatureOptions.setVisualSignature(visibleSignatureProperties) as this is misleading
Commit 1748754 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1748754 ]
PDFBOX-3017: assign name/location/reason the values set in visibleSignatureProperties; don't use signatureOptions.setVisualSignature(visibleSignatureProperties) as this is misleading
Commit 1748961 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1748961 ]
PDFBOX-3017: SonarQube fix
Commit 1748962 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1748962 ]
PDFBOX-3017: SonarQube fix
Commit 1752856 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1752856 ]
PDFBOX-3017: cache visual signature stream as RandomAccessBuffer instead of RandomAccessBufferedFileInputStream to avoid disk access
Commit 1752857 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1752857 ]
PDFBOX-3017: cache visual signature stream as RandomAccessBuffer instead of RandomAccessBufferedFileInputStream to avoid disk access
Commit 1752875 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1752875 ]
PDFBOX-3017: DRY refactoring
Commit 1752876 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1752876 ]
PDFBOX-3017: DRY refactoring
Commit 1752937 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1752937 ]
PDFBOX-3017: move constructor to top
Commit 1752938 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1752938 ]
PDFBOX-3017: move constructor to top
Commit 1753304 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753304 ]
PDFBOX-3017: remove setting of placeholder items, this is done in PDDocument.addSignature since 2011
Commit 1753305 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753305 ]
PDFBOX-3017: remove setting of placeholder items, this is done in PDDocument.addSignature since 2011
Commit 1753543 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753543 ]
PDFBOX-3017: improve javadoc
Commit 1753544 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753544 ]
PDFBOX-3017: improve javadoc
Commit 1753548 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753548 ]
PDFBOX-3017: buffer and close inputStream, fix javadoc
Commit 1753549 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753549 ]
PDFBOX-3017: buffer and close inputStream, fix javadoc
Commit 1753550 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753550 ]
PDFBOX-3017: improve javadoc, correct local variables names
Commit 1753551 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753551 ]
PDFBOX-3017: improve javadoc, correct local variables names
Commit 1753552 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753552 ]
PDFBOX-3017: correct variables names
Commit 1753553 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753553 ]
PDFBOX-3017: correct variables names
Commit 1753567 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753567 ]
PDFBOX-3017: close image stream, clarify variable names
Commit 1753568 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753568 ]
PDFBOX-3017: close image stream, clarify variable names
Commit 1753570 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753570 ]
PDFBOX-3017: improve javadoc, rename parameter names
Commit 1753571 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753571 ]
PDFBOX-3017: improve javadoc, rename parameter names
Commit 1753573 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753573 ]
PDFBOX-3017: improve javadoc, rename parameter names
Commit 1753574 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753574 ]
PDFBOX-3017: improve javadoc, rename parameter names
Commit 1753578 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753578 ]
PDFBOX-3017: deprecate / remove poorly named method "getTemplateAppearanceStream"
Commit 1753579 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753579 ]
PDFBOX-3017: deprecate / remove poorly named method "getTemplateAppearanceStream"
Commit 1753587 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753587 ]
PDFBOX-3017: revert premature name change; rename parameter names; improve javadoc
Commit 1753588 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753588 ]
PDFBOX-3017: rename parameter names; improve javadoc
Commit 1753608 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1753608 ]
PDFBOX-3017: remove call that has no effect, add a TODO for later
Commit 1753609 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1753609 ]
PDFBOX-3017: remove call that has no effect, add a TODO for later
I'll have a new approach for creating a visible signature for 2.1 which (unfortunately?) will not be compatible to the current one but baked into PDAcroForms and PDSignatureField. It'll work similar to how you create a visible signature in Adobe Acrobat and choose a signature design with a compatible signature design template. Given that we had more interest lately for signing documents I'll pick that as the first implementation of PDFBOX-2604. It's likely that there might be some refactoring after the initial code has landed.
Yes please do. I've searched for Vakhtang Koroghlishvili and he no longer works at the employer he was at that time, and we've also not heard of him. I've also tried to find out what the code does (and added some documentation), and I've come to the conclusion that half of it should have landed in the examples, not in the core. I suspect his complex code was done to accommodate a lot of different signature types, i.e. create templates for them. Sadly there's a lot that isn't needed for most people, a PDF file is created, saved, reloaded etc.
Re the existing code, addSignature() has one weird thing: /Acroform/DR is overwritten. I wonder if this "hurts" any files. I tried to prove that it does but couldn't, all files I found had what they needed in their own resources.
It can hurt and shouldn't be done. When a form is filled the DR entries on AcroForm level are copied into the field's resources. So maybe you had filled out forms only?
No, I used the CreateVisibleSignature example. The code that does this is in PDDocument:
    private void assignAcroFormDefaultResource(PDAcroForm acroForm, COSDictionary dict)
    {
        // read and set AcroForm default resource dictionary /DR if available
        COSBase base = dict.getDictionaryObject(COSName.DR);
        if (base instanceof COSDictionary)
        {
            COSDictionary dr = (COSDictionary) base;
            dr.setDirect(true);
            dr.setNeedToBeUpdated(true);
            acroForm.getCOSObject().setItem(COSName.DR, dr);
        }
    }
Yes, and we have to add if there are existing resources, not replace. I think the current code has been written with the mindset that there is no existing AcroForm.
Strictly speaking the PDF/A-1 spec says in 6.9 Interactive Forms:
Every form field shall have an appearance dictionary associated with the field's data.
This would support the PDF/A CC paper.
On the other hand this section is introduced by
The intent of the requirements of this subclause is to ensure that there is no ambiguity about the rendering of form fields.
This can be interpreted to imply that these requirements only refer to form fields which are rendered at all. So, invisible signatures might not be subject to these requirements.
we have to add if there are existing resources, not replace
It's not that simple. If there exists a specific resource in the current default resources (e.g. a font named F0) and your dr to merge in also contains a resource of the same type with the same name (i.e. also a font named F0), you would have to replace all usages of the font F0 either in this document or in the imported form elements.
Which is beyond a sensible architecture to visual signature creation...
Thus, the routines to create a signature visualization must not require uncontrolled changes to the default resources.
Thanks for the hint. IMHO the correct approach is to make sure that resources required for the visible signature are merged into the existing resources, making sure (upfront) that the resource names in the visible signature are unique. So you are correct that add is a simplistic term in that case but wasn't meant to be a complete description of the approach.
Even better: The signature visualization simply should not depend on default resources at all but bring along its own resources. In that case there is no need to add anything to the DR at all...
So the right thing to do would be to delete the assignAcroFormDefaultResource, right?
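What merging into an existing /DR under unique names involves, as an added example (not PDFBox code): the sample dictionaries and the `_sig` suffix are made up, and only COSDictionary and COSName calls from PDFBox 2.0 are used. The returned rename table is the awkward part, since every renamed resource also has to be renamed in the signature's appearance stream.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;

public class MergeIntoDefaultResources
{
    /**
     * Adds the resources of "incoming" to "existingDR" without replacing anything.
     * A resource whose name is already taken by a different object gets a new name.
     *
     * @return "Category/oldName" -> new name, for every resource that was renamed
     */
    static Map<String, COSName> mergeInto(COSDictionary existingDR, COSDictionary incoming)
    {
        Map<String, COSName> renamed = new LinkedHashMap<String, COSName>();
        for (COSName category : incoming.keySet())
        {
            COSBase source = incoming.getDictionaryObject(category);
            if (!(source instanceof COSDictionary))
            {
                continue; // e.g. /ProcSet is an array, not a name -> resource map
            }
            COSBase present = existingDR.getDictionaryObject(category);
            if (present == null)
            {
                present = new COSDictionary();
                existingDR.setItem(category, present);
                existingDR.setNeedToBeUpdated(true);
            }
            if (!(present instanceof COSDictionary))
            {
                continue; // malformed target entry: leave it alone
            }
            COSDictionary target = (COSDictionary) present;
            for (COSName name : ((COSDictionary) source).keySet())
            {
                COSBase resource = ((COSDictionary) source).getItem(name);
                COSBase taken = target.getItem(name);
                if (taken == resource)
                {
                    continue; // the very same object is already registered
                }
                COSName key = name;
                if (taken != null)
                {
                    // name clash (e.g. two different fonts called /F0): keep both
                    key = freshName(target, name);
                    renamed.put(category.getName() + "/" + name.getName(), key);
                }
                target.setItem(key, resource);
                target.setNeedToBeUpdated(true); // so an incremental save writes it
            }
        }
        return renamed;
    }

    /** Returns a name derived from "wanted" that is not yet used in "dict". */
    static COSName freshName(COSDictionary dict, COSName wanted)
    {
        int counter = 1;
        COSName candidate;
        do
        {
            candidate = COSName.getPDFName(wanted.getName() + "_sig" + counter++);
        }
        while (dict.containsKey(candidate));
        return candidate;
    }

    public static void main(String[] args)
    {
        COSName f0 = COSName.getPDFName("F0");
        // Constructed sample: the form and the signature template both call a font /F0.
        COSDictionary formFont = new COSDictionary();
        formFont.setName(COSName.BASE_FONT, "Helvetica");
        COSDictionary signatureFont = new COSDictionary();
        signatureFont.setName(COSName.BASE_FONT, "Courier");

        COSDictionary formFonts = new COSDictionary();
        formFonts.setItem(f0, formFont);
        COSDictionary existingDR = new COSDictionary();
        existingDR.setItem(COSName.FONT, formFonts);

        COSDictionary signatureFonts = new COSDictionary();
        signatureFonts.setItem(f0, signatureFont);
        COSDictionary signatureResources = new COSDictionary();
        signatureResources.setItem(COSName.FONT, signatureFonts);

        Map<String, COSName> renamed = mergeInto(existingDR, signatureResources);
        for (Map.Entry<String, COSName> entry : renamed.entrySet())
        {
            // Each entry is an operand that must be rewritten in the appearance stream.
            System.out.println(entry.getKey() + " -> /" + entry.getValue().getName());
        }
        boolean formFontKept = formFonts.getDictionaryObject(f0) == formFont;
        System.out.println("form font /F0 untouched: " + formFontKept);
    }
}
```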
Unrelated but I'm trying to reach signature users:
Please have a look at PDFBOX-3065, this is about a different way to sign that will replace the current situation in 2.1, and in 2.0.* it will coexist. More explanation in PDDocument.saveIncrementalForExternalSigning, see [ https://svn.apache.org/r1759639 ].
Commit 1763995 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1763995 ]
PDFBOX-2852, PDFBOX-3017: "do one thing" refactoring of checkSignatureField()
Commit 1763996 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1763996 ]
PDFBOX-2852, PDFBOX-3017: "do one thing" refactoring of checkSignatureField()
Commit 1764781 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1764781 ]
PDFBOX-3017: remove confusing and unneeded use of getSignatureFieldName()
Commit 1764782 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1764782 ]
PDFBOX-3017: remove confusing and unneeded use of getSignatureFieldName()
The last commit was because getSignatureFieldName() was used as signerName later, which 1) makes no sense, 2) is ignored anyway, as that part is only for the temporary document, whose field is only being used as a holder for the /AP, see my change on July 20 and the Jul 23 '15 at 15:01 comment of mkl
https://stackoverflow.com/questions/31571055/how-can-i-get-pdvisiblesigproperties-to-write-the-signature-on-the-3-page-into-t
Commit 1781138 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1781138 ]
PDFBOX-3017: deprecate methods that use a byte array for AffineTransform, add methods that use AffineTransform type
Commit 1781140 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1781140 ]
PDFBOX-3017: deprecate methods that use a byte array for AffineTransform, add methods that use AffineTransform type
This was a commit for a change that is to come, to sign at the same place even if the page is rotated. For this we need the AffineTransform setting and this won't work if this is a byte array.
Commit 1781279 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1781279 ]
PDFBOX-3017: fix javadoc
Commit 1781281 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1781281 ]
PDFBOX-3017: fix javadoc
Commit 1781411 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1781411 ]
PDFBOX-3017: include adjustForRotation() call in example
Commit 1781412 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1781412 ]
PDFBOX-3017: include adjustForRotation() call in example
Commit 1786064 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1786064 ]
PDFBOX-3017, PDFBOX-3699: check for certification + certify
Commit 1786065 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1786065 ]
PDFBOX-3017, PDFBOX-3699: check for certification + certify
Commit 1797951 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1797951 ]
PDFBOX-3017: detect self-signed certs, tell whether signature covers the whole file, slight refactor
Commit 1797952 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1797952 ]
PDFBOX-3017: detect self-signed certs, tell whether signature covers the whole file, slight refactor
GitHub user abalanonline opened a pull request:
https://github.com/apache/pdfbox/pull/39
PDFBOX-3017: pass the whole certificate chain in the sample code
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/abalanonline/pdfbox PDFBOX-3017
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/pdfbox/pull/39.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #39
commit b44204abc9d32f7462b94e27d84dc1ee91cc8587
Author: Aleksei Balan <abalanonline@gmail.com>
Date: 2017-07-17T02:26:34Z
PDFBOX-3017: pass the whole certificate chain in the sample code
Hello PDFBox team. Please use this contribution if you want. There is a certificate chain fix mentioned in this issue.
Thanks... I have two questions...
+ certList.addAll(Arrays.asList(certificateChain)); certList.add(certificate);
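Review bot: On the added `certList.addAll(Arrays.asList(certificateChain));` line, `Arrays.asList` throws a NullPointerException when `certificateChain` is null, and nothing in the quoted lines checks for that. Consider failing with a clear message before building `certList` when no chain was loaded. The following `certList.add(certificate);` adds the same certificate a second time whenever the chain already contains it, so it can go once the chain is guaranteed to be present.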
Is it still needed to add the individual certificate, i.e. is the second line still needed? And is there a way to see the improvement, either programmatically or in Adobe Reader? I ask because about a year ago I signed a PDF with my corporate card... and I was surprised that in AR when viewing the signed PDF I did see the hierarchy.
Or does "chain" mean something different, i.e. a chain meaning to sign with several people certificates at the same time?
It is not needed to add certificate, it should be in certificateChain. But it will not harm because bouncycastle will sort the chain in correct order taking only necessary certificates.
The improvement can be seen for example in Adobe Acrobat and Reader. If the keystore will contain a certificate chain it will be copied to pdf signature.
PDFBOX-3017_certificate_chain_Screenshot.png
You did see the certificate hierarchy because Acrobat could find the necessary intermediate certificates installed on your system and rebuild the chain by itself.
In general this is not the case so it is better to provide a chain inside the signature.
The "chain" means the sequence of certificates that signed the certificate from the keystore. The full chain ends with self-signed trusted root certificate.
Commit 1802162 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1802162 ]
PDFBOX-3017: include certificate chain, as suggested by Aleksei Balan
Commit 1802163 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1802163 ]
PDFBOX-3017: include certificate chain, as suggested by Aleksei Balan
I have committed your change because it is useful and it should be in the next release (to be built later today)
But I'd like the code to be as short as possible in the next version. It is example code so the API can change. According to the javadoc of keystore.getCertificateChain the users certificate is the first one anyway. Do you agree that certificate can be removed and at the one place where it would still be used, be replaced with certificateChain[0] ?
Commit 1802165 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1802165 ]
PDFBOX-3017: use jdk6 syntax
tilman yes, these lines can be safely removed:
1. private Certificate certificate;
2. setCertificate(cert);
3. method setCertificate
4. certList.add(certificate); because it is already added with the chain by addAll
and (optional) line cert = keystore.getCertificate(alias); can be replaced back by cert = certChain[0];
Commit 1802178 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1802178 ]
PDFBOX-3017: Certificate.getInstance() calls ASN1Sequence.getInstance(fromByteArray()) which is identical to ASN1Primitive.fromByteArray()
Commit 1802179 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1802179 ]
PDFBOX-3017: Certificate.getInstance() calls ASN1Sequence.getInstance(fromByteArray()) which is identical to ASN1Primitive.fromByteArray()
Commit 1802184 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1802184 ]
PDFBOX-3017: remove certificate and use certificateChain[0] instead
Commit 1802185 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1802185 ]
PDFBOX-3017: remove certificate and use certificateChain[0] instead
Commits missing in JIRA:
Commit 1813569 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1813569 ]
PDFBOX-3017: add ETSI.CAdES.detached
Commit 1813568 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1813568 ]
PDFBOX-3017: add ETSI.CAdES.detached
Commit 1814036 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1814036 ]
PDFBOX-3017: simplify code, avoid NPE
Commit 1814037 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1814037 ]
PDFBOX-3017: simplify code, avoid NPE
Commit 1820787 from tilman in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1820787 ]
PDFBOX-3017: put link to comment by mkl on allowed and not allowed changes in signed files
Commit 1820788 from tilman in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1820788 ]
PDFBOX-3017: put link to comment by mkl on allowed and not allowed changes in signed files
Commit 1843729 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843729 ]
PDFBOX-3017: add certificate chain verifier copied from Apache CXF 2.4.9 + reformat
Commit 1843730 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843730 ]
PDFBOX-3017: remove deprecated and modified types
I added the certificate chain verification code from Apache CXF. It is from
https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.9/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/
and it was removed in 2011 in
https://svn.apache.org/viewvc?view=revision&revision=1189820
because they no longer needed it. I couldn't find the discussion on their dev@ mailing list, but it is possible that they didn't mention it specifically.
That code is quite popular, I found it mentioned a few times on stackoverflow and also here
http://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-chain-and-verify-clr-with-bouncy-castle/
without Apache header (but maybe this was the original author).
Commit 1843731 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843731 ]
PDFBOX-3017: pass original exception when rethrowing
Commit 1843732 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843732 ]
PDFBOX-3017: add logging, clarify variable names
Commit 1843735 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843735 ]
PDFBOX-3017: verify certificate chain using the new code from Apache CXF
Commit 1843738 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843738 ]
PDFBOX-3017: add throws and imports
Commit 1843740 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843740 ]
PDFBOX-3017: check whether signing time was within the certificate's validity period
Commit 1843741 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1843741 ]
PDFBOX-3017: check whether signing time was within the certificate's validity period
Commit 1843747 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843747 ]
PDFBOX-3017: remove double code
Commit 1843751 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843751 ]
PDFBOX-3017: simplify for loop, reformat
Commit 1843778 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843778 ]
PDFBOX-3017: add code to get root certificates
Commit 1843817 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843817 ]
PDFBOX-3017: add exception for when windows isn't used
Commit 1843818 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843818 ]
PDFBOX-3017: remove exception that is part of another
Commit 1843819 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843819 ]
PDFBOX-3017: remove exception that isn't thrown
Commit 1843820 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843820 ]
PDFBOX-3017: improve javadoc
Commit 1843821 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843821 ]
PDFBOX-3017: simplify exception throws
Commit 1843822 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843822 ]
PDFBOX-3017: remove unused parameter, improve javadoc
Commit 1843823 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843823 ]
PDFBOX-3017: simplify code, improve formatting
Commit 1843824 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843824 ]
PDFBOX-3017: improve formatting, remove cast
Commit 1843826 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843826 ]
PDFBOX-3017: fix exceptions
Commit 1843876 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843876 ]
PDFBOX-3017: remove unused import
Commit 1843920 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1843920 ]
PDFBOX-3017: add class comment; use sign date when checking certificate against CRL
Commit 1844025 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844025 ]
PDFBOX-3017: verify CRL against certificate; use signing date when verifying the certification chain
QV_RCA1_RCA3_CPCPS_V4_11.pdf is a file with a signature that validates perfectly in Adobe Reader, and now also in ShowSignature. While the code I copied from Apache CXF is nice, it was made for SSL (which is to be verified in the present) and not for document verification (which is to be verified for a specific past).
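Both points from the chain discussion, that the intermediates have to travel with the signature and that a document signature is checked for the signing date rather than for today, can be tried with the JDK's PKIX validator. This is an added example, not code from PDFBox or Apache CXF; the three certificates, their names and all dates are constructed in-line with BouncyCastle, and revocation checking is left out.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ValidateChainAtSigningTime
{
    // Constructed sample dates: the signer certificate is valid during 2016 only.
    static final Date NOT_BEFORE = Date.from(Instant.parse("2016-01-01T00:00:00Z"));
    static final Date SIGNER_NOT_AFTER = Date.from(Instant.parse("2017-01-01T00:00:00Z"));
    static final Date CA_NOT_AFTER = Date.from(Instant.parse("2036-01-01T00:00:00Z"));
    // In a real check this date must come from a trustworthy source, e.g. a validated
    // timestamp token; a bare signingTime attribute is only the signer's own claim.
    static final Date SIGNING_TIME = Date.from(Instant.parse("2016-07-15T12:00:00Z"));

    /** Issues a constructed test certificate for "subject", signed with the issuer's key. */
    static X509Certificate issue(String subject, KeyPair subjectKeys, String issuer,
            KeyPair issuerKeys, Date notAfter, boolean isCa, long serial) throws Exception
    {
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial), NOT_BEFORE, notAfter,
                new X500Name(subject), subjectKeys.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(isCa
                ? KeyUsage.keyCertSign | KeyUsage.cRLSign
                : KeyUsage.digitalSignature | KeyUsage.nonRepudiation));
        return new JcaX509CertificateConverter().getCertificate(builder.build(
                new JcaContentSignerBuilder("SHA256withRSA").build(issuerKeys.getPrivate())));
    }

    /**
     * Validates a path (signer first, then intermediates, root excluded) against the
     * trusted root as of "when". Revocation (CRL/OCSP) is deliberately not checked here.
     */
    static String verdict(List<X509Certificate> path, X509Certificate root, Date when)
            throws Exception
    {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);
        params.setDate(when); // validate for this moment instead of the current time
        try
        {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "valid";
        }
        catch (CertPathValidatorException e)
        {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception
    {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair rootKeys = generator.generateKeyPair();
        KeyPair caKeys = generator.generateKeyPair();
        KeyPair signerKeys = generator.generateKeyPair();
        String rootDn = "CN=Example Root CA";
        String caDn = "CN=Example Issuing CA";
        X509Certificate root = issue(rootDn, rootKeys, rootDn, rootKeys, CA_NOT_AFTER, true, 1);
        X509Certificate ca = issue(caDn, caKeys, rootDn, rootKeys, CA_NOT_AFTER, true, 2);
        X509Certificate signer = issue("CN=Example Signer", signerKeys, caDn, caKeys,
                SIGNER_NOT_AFTER, false, 3);

        // What keystore.getCertificateChain() would supply: signer first, then its issuers.
        List<X509Certificate> embedded = Arrays.asList(signer, ca);

        System.out.println("full chain, at signing time: "
                + verdict(embedded, root, SIGNING_TIME));
        // Same chain checked for the present, the way a TLS-style validator would do it.
        System.out.println("full chain, today: " + verdict(embedded, root, new Date()));
        // Only the signer certificate embedded and no intermediate known to the verifier.
        System.out.println("signer certificate only, at signing time: "
                + verdict(Collections.singletonList(signer), root, SIGNING_TIME));
    }
}
```

Running it needs the BouncyCastle provider and PKIX jars on the classpath.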
Commit 1844038 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844038 ]
PDFBOX-3017: validate TimeStampToken
Commit 1844060 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844060 ]
PDFBOX-3017: Check whether signer certificate is "valid for usage"
Commit 1844130 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844130 ]
PDFBOX-3017: register BouncyCastle provider, needed for "exotic" algorithms, see SO question 52849556
Commit 1844131 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844131 ]
PDFBOX-3017: register BouncyCastle provider, needed for "exotic" algorithms, see SO question 52849556; improve class javadoc
Commit 1844133 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844133 ]
PDFBOX-3017: remove solved //TODOs; avoid NPE if no signing time
Commit 1844135 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844135 ]
PDFBOX-3017: simplify code
Commit 1844136 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844136 ]
PDFBOX-3017: simplify code
Commit 1844140 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844140 ]
PDFBOX-3017: point to SO answer with code to check "adbe.x509.rsa_sha1" signed files
Commit 1844141 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844141 ]
PDFBOX-3017: point to SO answer with code to check "adbe.x509.rsa_sha1" signed files
Commit 1844142 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844142 ]
PDFBOX-3017: avoid NPE
Commit 1844143 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844143 ]
PDFBOX-3017: add check of signingTime attribute
Commit 1844144 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844144 ]
PDFBOX-3017: add check of signingTime attribute
Commit 1844145 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844145 ]
PDFBOX-3017: add log info
Commit 1844355 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844355 ]
PDFBOX-3017: remove obsolete comment part
Commit 1844356 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844356 ]
PDFBOX-3017: improve javadoc
Commit 1844357 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844357 ]
PDFBOX-3017: improve javadoc
Commit 1844461 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844461 ]
PDFBOX-3017: check key usage when signing
Commit 1844462 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844462 ]
PDFBOX-3017: check key usage when signing
Commit 1844463 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844463 ]
PDFBOX-3017: check TimeStampToken
Commit 1844464 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844464 ]
PDFBOX-3017: remove double code
Commit 1844465 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844465 ]
PDFBOX-3017: check key usage
Commit 1844466 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844466 ]
PDFBOX-3017: add some //TODOs
Commit 1844679 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844679 ]
PDFBOX-3017: make comment even scarier, as suggested by mkl in SO 52942313 comment
Commit 1844680 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844680 ]
PDFBOX-3017: make comment even scarier, as suggested by mkl in SO 52942313 comment
Commit 1844681 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844681 ]
PDFBOX-3017: use constants from BC
Commit 1844682 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844682 ]
PDFBOX-3017: use constants from BC
Commit 1844684 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844684 ]
PDFBOX-3017: add revocation date to exception message
Commit 1844685 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844685 ]
PDFBOX-3017: add revocation date to exception message
Commit 1844686 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844686 ]
PDFBOX-3017: add revocation date to exception
Commit 1844687 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844687 ]
PDFBOX-3017: add revocation date to exception
Commit 1844689 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844689 ]
PDFBOX-3017: improve javadoc; add some //TODOs
Commit 1844690 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844690 ]
PDFBOX-3017: improve javadoc; add some //TODOs
Commit 1844843 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844843 ]
PDFBOX-3017: use singleton
Commit 1844844 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844844 ]
PDFBOX-3017: use singleton
Commit 1844845 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844845 ]
PDFBOX-3017: improve javadoc
Commit 1844846 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844846 ]
PDFBOX-3017: improve javadoc
Commit 1844847 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844847 ]
PDFBOX-3017: use logger
Commit 1844848 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844848 ]
PDFBOX-3017: use logger
Commit 1844849 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844849 ]
PDFBOX-3017: check revocation with OCSP
Commit 1844913 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844913 ]
PDFBOX-3017: fix typo
Commit 1844914 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844914 ]
PDFBOX-3017: fix typo
Commit 1844915 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844915 ]
PDFBOX-3017: improve CRL logging
Commit 1844917 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844917 ]
PDFBOX-3017: improve logging
Commit 1844918 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1844918 ]
PDFBOX-3017: improve logging + add comment about nonce extension being considered invalid
Commit 1844919 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1844919 ]
PDFBOX-3017: improve logging + add comment about nonce extension being considered invalid
Commit 1845152 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845152 ]
PDFBOX-3017: check isolated timestamp signature
Commit 1845153 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845153 ]
PDFBOX-3017: check isolated timestamp signature
Commit 1845155 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845155 ]
PDFBOX-3017: refactor TimestampToken validation
Commit 1845156 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845156 ]
PDFBOX-3017: refactor TimestampToken validation
Commit 1845165 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845165 ]
PDFBOX-3017: refactor certificate chain verification + verify certificate chain for TimestampToken
Commit 1845307 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845307 ]
PDFBOX-3017: verify certificate chain of timestamp token
Commit 1845308 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845308 ]
PDFBOX-3017: validate certificate + verify certificate chain of adbe.x509.rsa_sha1 type signature; add a TODO because of missing case
Commit 1845309 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845309 ]
PDFBOX-3017: validate certificate; add a TODO because of missing case
Commit 1845310 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845310 ]
PDFBOX-3017: add missing import
Commit 1845311 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845311 ]
PDFBOX-3017: add missing cast
Commit 1845354 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845354 ]
PDFBOX-3017: remove TODO from comment, no longer needed
Commit 1845364 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845364 ]
PDFBOX-3017: simplify code + use jdk7
Commit 1845366 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845366 ]
PDFBOX-3017: correct checking of embedded timestamp
Commit 1845367 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845367 ]
PDFBOX-3017: correct checking of embedded timestamp
Commit 1845376 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845376 ]
PDFBOX-3017: partial revert of last commit, this method is only in the trunk at this time
Commit 1845379 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845379 ]
PDFBOX-3017: refactor TimeStampToken extraction
Commit 1845380 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845380 ]
PDFBOX-3017: refactor TimeStampToken extraction
Commit 1845383 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845383 ]
PDFBOX-3017: refactor ETSI.RFC3161 verification
Commit 1845384 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845384 ]
PDFBOX-3017: refactor ETSI.RFC3161 verification
Commit 1845732 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845732 ]
PDFBOX-3017: add method
Commit 1845733 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845733 ]
PDFBOX-3017: add method
Commit 1845734 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845734 ]
PDFBOX-3017: check timestamp certificate usage
Commit 1845735 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1845735 ]
PDFBOX-3017: check timestamp certificate usage
Commit 1845836 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845836 ]
PDFBOX-3017: check certificate chain only when not self-signed
Commit 1845843 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1845843 ]
PDFBOX-3017: correct variable name
Commit 1846295 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846295 ]
PDFBOX-3017: copy certificate chain verifier from trunk, remove jdk7 improvements
Commit 1846450 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846450 ]
PDFBOX-3017: remove double code
Commit 1846451 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846451 ]
PDFBOX-3017: verify certificate chain using the new code from Apache CXF
Commit 1846458 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846458 ]
PDFBOX-3017: remove obsolete TODOs
Commit 1846532 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846532 ]
PDFBOX-3017: add a TODO because OCSP response is not checked correctly
Commit 1846533 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846533 ]
PDFBOX-3017: add a TODO because OCSP response is not checked correctly
Commit 1846601 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846601 ]
PDFBOX-3017: check the whole certificate chain for revocation
Commit 1846602 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846602 ]
PDFBOX-3017: check the whole certificate chain for revocation
Commit 1846672 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846672 ]
- "critical" flag should not be set for any extension, see RFC 2560 section 4.1.2
- fallback validating the OCSP response based on time
- use default security provider
- avoid memory leaks
Commit 1846673 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846673 ]
- "critical" flag should not be set for any extension, see RFC 2560 section 4.1.2
- fallback validating the OCSP response based on time
- use default security provider
- avoid memory leaks
Commit 1846699 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846699 ]
PDFBOX-3017: improve javadoc
Commit 1846700 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846700 ]
PDFBOX-3017: improve javadoc
Commit 1846747 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846747 ]
PDFBOX-3017: move two classes to cert package
Commit 1846748 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846748 ]
PDFBOX-3017: move two classes to cert package
Commit 1846749 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846749 ]
PDFBOX-3017: remove unused imports
Commit 1846755 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846755 ]
PDFBOX-3017: use appropriate exception
Commit 1846756 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846756 ]
PDFBOX-3017: use appropriate exception
Commit 1846770 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846770 ]
PDFBOX-3017: use appropriate exception
Commit 1846785 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846785 ]
PDFBOX-3017: remove unused imports
Commit 1846786 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846786 ]
PDFBOX-3017: remove unused imports
Commit 1846787 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846787 ]
PDFBOX-3017: make field private
Commit 1846788 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846788 ]
PDFBOX-3017: make field private
Commit 1846936 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846936 ]
PDFBOX-3017: improve logging
Commit 1846937 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846937 ]
PDFBOX-3017: improve logging
Commit 1846938 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846938 ]
PDFBOX-3017: use bc provider
Commit 1846939 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846939 ]
PDFBOX-3017: use bc provider
Commit 1846940 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846940 ]
PDFBOX-3017: use self-sign check from cert package; use more obvious strategy to find issuer, but still verify
Commit 1846941 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846941 ]
PDFBOX-3017: use self-sign check from cert package; use more obvious strategy to find issuer, but still verify
Commit 1846948 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1846948 ]
PDFBOX-3017: revert "use bc provider" due to animal-sniffer build failure
Commit 1846953 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1846953 ]
PDFBOX-3017: revert "use bc provider" due to animal-sniffer build failure
I wanted to use the bc provider so that "exotic" algorithms are supported but for some reason animal sniffer doesn't like it.
Commit 1847033 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847033 ]
PDFBOX-3017: replace "denigrated" method call
Commit 1847034 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847034 ]
PDFBOX-3017: replace "denigrated" method call
Commit 1847035 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847035 ]
PDFBOX-3017: improve javadoc
Commit 1847036 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847036 ]
PDFBOX-3017: improve javadoc
Commit 1847037 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847037 ]
PDFBOX-3017: make method name more intuitive
Commit 1847038 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847038 ]
PDFBOX-3017: make method name more intuitive
Commit 1847039 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847039 ]
PDFBOX-3017: improve javadoc
Commit 1847040 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847040 ]
PDFBOX-3017: improve javadoc
Commit 1847043 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847043 ]
PDFBOX-3017: include possible revocation of OCSP response, as suggested by mkl
Commit 1847044 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847044 ]
PDFBOX-3017: include possible revocation of OCSP response, as suggested by mkl
Commit 1847049 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847049 ]
PDFBOX-3017: simplify
Commit 1847050 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847050 ]
PDFBOX-3017: simplify
Commit 1847057 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847057 ]
PDFBOX-3017: remove former double code that is no longer in use
Commit 1847058 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847058 ]
PDFBOX-3017: remove former double code that is no longer in use
Some remarks concerning your recent work with the validation example -
OCSP responses
You added OCSP response signer certificate revocation checks in response to my SO comment here.
Identifying the correct certificate
For this you determine the response signer certificate using
basicResponse.getCerts()[0]
This can return the wrong certificate.
RFC 6960 says the responder MAY include certificates in the certs field of BasicOCSPResponse that help the OCSP client verify the responder's signature. Thus, the expression above may return the response signer certificate but it also may result in an Exception if no certificates are given, or it may return the wrong certificate. You should use the ResponderID to identify the correct certificate: The purpose of the ResponderID information is to allow clients to find the certificate used to sign a signed OCSP response.
No revocation check may be necessary
RFC 6960 says a CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. In that case no revocation check is necessary, probably not even possible...
VRI section for OCSP response signer certificate revocation checks
You add the revocation information determined for an OCSP response signer certificate into the leading PDF signature's VRI. This is wrong, this information should go into a separate VRI for the OCSP response in question:
Key | Type | Value |
---|---|---|
VRI | dictionary | (Optional) This dictionary contains Signature VRI dictionaries (see 12.8.4.4, "Validation-related information (VRI)"). The key of each entry in this dictionary is the base-16-encoded (uppercase) SHA1 digest of the signature to which it applies (a) and the value is the Signature VRI dictionary which contains the validation-related information for that signature. |

(a) ... For the signatures of CRLs and OCSP responses, the bytes that are hashed are the respective signature object represented as a BER-encoded OCTET STRING encoded with primitive encoding.
(ISO 32000-2, Table 261 — Entries in the document security store (DSS) dictionary)
(similarly ETSI EN 319 142-1, Section 5.4.2.2 — DSS Dictionary, Table "Entries in a DSS Dictionary")
CRLs
You don't do CRL signer certificate revocation checks yet.
While often the CRL signer already is the CA certificate, this is not necessarily so. Thus, in general you need to do revocation checks here, too.
The resulting revocation information should go into their own VRI dictionary, see the quoted table above.
VRIs
You add neither a TU nor a TS to your VRI dictionaries.
While this makes sense according to ETSI EN 319 142-1 (which says "the TU key should not be used." and "the TS key should not be used."), in my experience Adobe Reader is unhappy without such a time indication.
Some experiences with Adobe Reader "LTV-enabled" signatures are in the AdobeLtvEnabling class for iText 7 from e.g. this SO answer. It's not 100% correct but mostly works.
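An added example (not PDFBox's code and not part of the comment above) for the two OCSP remarks "Identifying the correct certificate" and "No revocation check may be necessary": it selects the response signer by ResponderID plus a signature check instead of taking certs[0], then tests for id-pkix-ocsp-nocheck. It uses Bouncy Castle (bcprov and bcpkix); the class name, the helper names and the throwaway CA and responder are constructed for the illustration.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Hypothetical class for illustration only.
public class OcspResponderLookup {

    /** Returns the certificate named by the ResponderID that also verifies the response, or null. */
    static X509CertificateHolder findResponderCert(BasicOCSPResp resp,
            X509CertificateHolder... extraCandidates) throws Exception {
        ResponderID rid = resp.getResponderId().toASN1Primitive();
        X500Name name = rid.getName();      // non-null for the byName choice
        byte[] keyHash = rid.getKeyHash();  // non-null for the byKey choice
        // The certs field is optional and unordered, so also accept externally known candidates.
        List<X509CertificateHolder> candidates = new ArrayList<>(Arrays.asList(resp.getCerts()));
        candidates.addAll(Arrays.asList(extraCandidates));
        for (X509CertificateHolder c : candidates) {
            boolean idMatches = name != null
                    ? name.equals(c.getSubject())
                    : Arrays.equals(keyHash, sha1OfPublicKey(c));
            // The identifier only selects a candidate; the signature check confirms it.
            if (idMatches && resp.isSignatureValid(new JcaContentVerifierProviderBuilder().build(c))) {
                return c;
            }
        }
        return null; // caller must treat the response as unverifiable
    }

    /** RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING value (no tag, length, unused bits). */
    static byte[] sha1OfPublicKey(X509CertificateHolder c) throws Exception {
        return MessageDigest.getInstance("SHA-1")
                .digest(c.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
    }

    /** True if the CA marked the responder certificate with id-pkix-ocsp-nocheck. */
    static boolean hasOcspNoCheck(X509CertificateHolder c) {
        return c.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck) != null;
    }

    static ContentSigner signer(PrivateKey key) throws Exception {
        return new JcaContentSignerBuilder("SHA256withRSA").build(key);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a throwaway CA and a delegated OCSP responder.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        KeyPair respKey = kpg.generateKeyPair();
        X500Name caName = new X500Name("CN=Constructed Test CA");
        X500Name respName = new X500Name("CN=Constructed OCSP Responder");
        Date from = new Date(System.currentTimeMillis() - 3600_000L);
        Date to = new Date(System.currentTimeMillis() + 24 * 3600_000L);
        X509CertificateHolder caCert = new JcaX509v3CertificateBuilder(
                caName, BigInteger.ONE, from, to, caName, caKey.getPublic())
                .build(signer(caKey.getPrivate()));
        X509CertificateHolder respCert = new JcaX509v3CertificateBuilder(
                caName, BigInteger.valueOf(2), from, to, respName, respKey.getPublic())
                .addExtension(Extension.extendedKeyUsage, false,
                        new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning))
                .addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE)
                .build(signer(caKey.getPrivate()));

        // Response with a byKey ResponderID; certs lists the CA first on purpose.
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build()
                .get(CertificateID.HASH_SHA1);
        BasicOCSPRespBuilder builder =
                new BasicOCSPRespBuilder(respCert.getSubjectPublicKeyInfo(), sha1);
        builder.addResponse(new CertificateID(sha1, caCert, BigInteger.TEN), CertificateStatus.GOOD);
        BasicOCSPResp resp = builder.build(signer(respKey.getPrivate()),
                new X509CertificateHolder[] { caCert, respCert }, new Date());

        X509CertificateHolder found = findResponderCert(resp);
        System.out.println("certs[0]:     " + resp.getCerts()[0].getSubject());
        System.out.println("responder:    " + found.getSubject());
        System.out.println("ocsp-nocheck: " + hasOcspNoCheck(found));
    }
}
```

Finding the signer this way only identifies it: the certificate still has to chain to the CA of the certificate being checked and be authorized for OCSP signing before the response is trusted.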
It turns out that animal-sniffer was right on Monday, although it gave a poor error message in version 1.17: void java.security.cert.X509CRL.verify(java.security.PublicKey, java.security.Provider) doesn't exist before 1.8. But using a provider name parameter works, I'll change that later.
The bug has been reported at
https://github.com/mojohaus/animal-sniffer/issues/60
Commit 1847129 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847129 ]
PDFBOX-3017: use bc provider name
Commit 1847130 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847130 ]
PDFBOX-3017: use bc provider name
Commit 1847134 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847134 ]
PDFBOX-3017: fix variable name
Commit 1847135 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847135 ]
PDFBOX-3017: register BC
Commit 1847136 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847136 ]
PDFBOX-3017: register BC
Commit 1847194 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847194 ]
PDFBOX-3017: try several distributionpoints; set timeout for ldap
Commit 1847195 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847195 ]
PDFBOX-3017: try several distributionpoints; set timeout for ldap
Commit 1847197 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847197 ]
PDFBOX-3017: get correct certificate from list in responder; add some TODOs
Commit 1847198 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847198 ]
PDFBOX-3017: get correct certificate from list in responder; add some TODOs
Commit 1847199 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847199 ]
PDFBOX-3017: consider id-pkix-ocsp-nocheck; add more TODOs
Commit 1847200 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847200 ]
PDFBOX-3017: consider id-pkix-ocsp-nocheck; add more TODOs
Commit 1847302 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847302 ]
PDFBOX-3017: refactor usage of trust anchors
Commit 1847303 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847303 ]
PDFBOX-3017: refactor usage of trust anchors
Commit 1847304 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847304 ]
PDFBOX-3017: don't fail validation because of policy qualifiers
Commit 1847305 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847305 ]
PDFBOX-3017: don't fail validation because of policy qualifiers
Commit 1847306 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847306 ]
PDFBOX-3017: add SonarQube exception
Commit 1847309 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847309 ]
PDFBOX-3017: add SonarQube exception, 2nd try
Commit 1847311 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847311 ]
PDFBOX-3017: try CRL if OCSP failed with IOException
Commit 1847312 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847312 ]
PDFBOX-3017: try CRL if OCSP failed with IOException
Commit 1847314 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847314 ]
PDFBOX-3017: pass additionalCerts to OCSPHelper for later ("search existing chain")
Commit 1847315 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847315 ]
PDFBOX-3017: pass additionalCerts to OCSPHelper for later ("search existing chain")
Commit 1847316 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847316 ]
PDFBOX-3017: pass empty placeholder to OCSPHelper for later ("search existing chain")
Commit 1847317 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847317 ]
PDFBOX-3017: pass empty placeholder to OCSPHelper for later ("search existing chain")
Commit 1847366 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847366 ]
PDFBOX-3017: search additionalCerts for issuer of OCSP response if not found
Commit 1847367 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847367 ]
PDFBOX-3017: search additionalCerts for issuer of OCSP response if not found
Commit 1847371 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847371 ]
PDFBOX-3017: search additionalCerts for issuer of OCSP response if not found; remove code related to possible revocation of OCSP response for now
Commit 1847372 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847372 ]
PDFBOX-3017: search additionalCerts for issuer of OCSP response if not found; remove code related to possible revocation of OCSP response for now
Commit 1847387 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847387 ]
PDFBOX-3017: provide method to get responder certificate; refactor to get rid of BC "holder" class
Commit 1847388 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847388 ]
PDFBOX-3017: provide method to get responder certificate; refactor to get rid of BC "holder" class
Commit 1847391 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847391 ]
PDFBOX-3017: refactor long code into new method
Commit 1847392 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847392 ]
PDFBOX-3017: refactor long code into new method
Commit 1847393 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847393 ]
PDFBOX-3017: check responder certificate key usage
Commit 1847394 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847394 ]
PDFBOX-3017: check responder certificate key usage
Commit 1847396 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847396 ]
PDFBOX-3017: retrieve OCSP responder certificate
Commit 1847486 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847486 ]
PDFBOX-3017: correct javadoc
Commit 1847488 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847488 ]
PDFBOX-3017: correct javadoc
Commit 1847573 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847573 ]
PDFBOX-3017: pass signing date to OCSPHelper to compare revocation date with sign date; check revocation of OCSP responder
Commit 1847574 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847574 ]
PDFBOX-3017: pass signing date to OCSPHelper to compare revocation date with sign date; check revocation of OCSP responder
Commit 1847575 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847575 ]
PDFBOX-3017: pass signing date to OCSPHelper
Commit 1847576 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847576 ]
PDFBOX-3017: pass signing date to OCSPHelper
Commit 1847577 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847577 ]
PDFBOX-3017: include mention of mkl comment so people don't take this example blindly
Commit 1847662 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847662 ]
PDFBOX-3017: avoid NPE
Commit 1847663 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847663 ]
PDFBOX-3017: avoid NPE
Commit 1847664 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847664 ]
PDFBOX-3017: refactor for less nesting
Commit 1847665 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847665 ]
PDFBOX-3017: refactor for less nesting
Commit 1847666 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847666 ]
PDFBOX-3017: merge both stores when checking embedded timestamp
Commit 1847667 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847667 ]
PDFBOX-3017: merge both stores when checking embedded timestamp
Commit 1847835 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847835 ]
PDFBOX-3017: add /TU entry
Commit 1847836 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847836 ]
PDFBOX-3017: add /TU entry
Commit 1847837 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847837 ]
PDFBOX-3017: add //TODO about vri's needing their own lists
Commit 1847838 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847838 ]
PDFBOX-3017: add //TODO about vri's needing their own lists
Commit 1847841 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847841 ]
PDFBOX-3017: do a full check of OCSP responder certificate, not just revocation
Commit 1847842 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847842 ]
PDFBOX-3017: do a full check of OCSP responder certificate, not just revocation
Commit 1847843 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847843 ]
PDFBOX-3017: Check CRL issuer certificate if not identical to certificate issuer
Commit 1847844 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847844 ]
PDFBOX-3017: Check CRL issuer certificate if not identical to certificate issuer
Commit 1847874 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847874 ]
PDFBOX-3017: retrieve additional certificates from id-ad-caIssuers in the authority information access extension
Commit 1847875 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847875 ]
PDFBOX-3017: retrieve additional certificates from id-ad-caIssuers in the authority information access extension
Commit 1847880 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847880 ]
PDFBOX-3017: change parameter type to support certificates and CRLs + avoid one ClassCastException
Commit 1847881 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847881 ]
PDFBOX-3017: change parameter type to support certificates and CRLs + avoid one ClassCastException
Commit 1847898 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847898 ]
PDFBOX-3017: refactor method in two to support Store and Set result
Commit 1847899 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847899 ]
PDFBOX-3017: refactor method in two to support Store and Set result
Commit 1847900 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847900 ]
PDFBOX-3017: use downloaded extra certificates from CRL
Commit 1847901 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847901 ]
PDFBOX-3017: use downloaded extra certificates from CRL
Commit 1847904 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847904 ]
PDFBOX-3017: clarify logging, lessen 1 level
Commit 1847905 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847905 ]
PDFBOX-3017: clarify logging, lessen 1 level
Commit 1847906 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847906 ]
PDFBOX-3017: download extra certificates
Commit 1847907 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847907 ]
PDFBOX-3017: download extra certificates
Commit 1847911 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847911 ]
PDFBOX-3017: less nesting
Commit 1847912 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847912 ]
PDFBOX-3017: less nesting
Commit 1847938 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847938 ]
PDFBOX-3017: reorder to log URL before "new URL" call
Commit 1847939 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847939 ]
PDFBOX-3017: reorder to log URL before "new URL" call
Commit 1847942 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847942 ]
PDFBOX-3017: implement finding OCSP responder certificate by key hash
Commit 1847943 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847943 ]
PDFBOX-3017: implement finding OCSP responder certificate by key hash
Commit 1847944 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847944 ]
PDFBOX-3017: move fallback code to correct location
Commit 1847945 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847945 ]
PDFBOX-3017: move fallback code to correct location
Commit 1847948 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847948 ]
PDFBOX-3017: revert previous commit, fallback solution needs to be added to findResponderCertificateByKeyHash as well
Commit 1847949 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847949 ]
PDFBOX-3017: revert previous commit, fallback solution needs to be added to findResponderCertificateByKeyHash as well
Commit 1847950 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847950 ]
PDFBOX-3017: fallback solution for findResponderCertificateByKeyHash
Commit 1847951 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847951 ]
PDFBOX-3017: fallback solution for findResponderCertificateByKeyHash
Commit 1847952 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847952 ]
PDFBOX-3017: throw exception when neither name nor keyhash
Commit 1847953 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847953 ]
PDFBOX-3017: throw exception when neither name nor keyhash
Commit 1847956 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847956 ]
PDFBOX-3017: simplify code + move comment to correct position
Commit 1847957 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847957 ]
PDFBOX-3017: simplify code + move comment to correct position
Commit 1847962 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847962 ]
PDFBOX-3017: simplify code by using return instead of break
Commit 1847963 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847963 ]
PDFBOX-3017: simplify code by using return instead of break
Commit 1847970 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847970 ]
PDFBOX-3017: SonarQube fix
Commit 1847971 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847971 ]
PDFBOX-3017: SonarQube fix
Commit 1847995 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847995 ]
PDFBOX-3017: download extra certificate at the correct place, remove method that is no longer needed
Commit 1847996 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847996 ]
PDFBOX-3017: download extra certificate at the correct place, remove method that is no longer needed
Commit 1847997 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1847997 ]
PDFBOX-3017: remove method call that is no longer needed
Commit 1847998 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1847998 ]
PDFBOX-3017: remove method call that is no longer needed
Commit 1848753 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848753 ]
PDFBOX-3017: avoid ClassCastException
Commit 1848754 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1848754 ]
PDFBOX-3017: avoid ClassCastException
Commit 1848755 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848755 ]
PDFBOX-3017: rename method that will be used for OCSP and CRL certificates and use simpler parameter type
Commit 1848756 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1848756 ]
PDFBOX-3017: rename method that will be used for OCSP and CRL certificates and use simpler parameter type
Commit 1848761 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1848761 ]
PDFBOX-3017: improve javadoc
Commit 1848762 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848762 ]
PDFBOX-3017: improve javadoc
Commit 1848831 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1848831 ]
PDFBOX-3017: include VRI for CSRL and OCSP signatures, as suggested by mkl
Commit 1848832 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848832 ]
PDFBOX-3017: include VRI for CSRL and OCSP signatures, as suggested by mkl
Commit 1848835 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848835 ]
PDFBOX-3017: remove debug stuff
Commit 1848932 from tilman@apache.org in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1848932 ]
PDFBOX-3017: add certs to each VRI where applicable
Commit 1848933 from tilman@apache.org in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1848933 ]
PDFBOX-3017: add certs to each VRI where applicable
Commit 1852237 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1852237 ]
PDFBOX-3017: improve usage, add comment to clarify (See 4th comment in SO question 54359803)
Commit 1852238 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1852238 ]
PDFBOX-3017: improve usage, add comment to clarify (See 4th comment in SO question 54359803)
Commit 1853220 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1853220 ]
PDFBOX-3017: use certificate to output meaningful text in signature appearance
Commit 1853221 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1853221 ]
PDFBOX-3017: use certificate to output meaningful text in signature appearance
Commit 1854335 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1854335 ]
PDFBOX-3017: move segment to bottom so that output comes together with signature verification
Commit 1854336 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1854336 ]
PDFBOX-3017: move segment to bottom so that output comes together with signature verification
Commit 1854484 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1854484 ]
PDFBOX-3017: add //TODO about the need to get trusted roots
Commit 1854485 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1854485 ]
PDFBOX-3017: add //TODO about the need to get trusted roots
Commit 1854931 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1854931 ]
PDFBOX-3017: replace method that is deprecated in later jdk versions
Commit 1854932 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1854932 ]
PDFBOX-3017: replace method that is deprecated in later jdk versions
Commit 1854936 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1854936 ]
PDFBOX-3017: replace map with set
Commit 1854939 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1854939 ]
PDFBOX-3017: replace map with set
Commit 1854940 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1854940 ]
PDFBOX-3017: replace map with set
Commit 1855043 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1855043 ]
PDFBOX-3017: use old-style document loading to disable leniency
Commit 1855044 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1855044 ]
PDFBOX-3017: use old-style document loading to disable leniency
Commit 1855045 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1855045 ]
PDFBOX-3017: improve comment
Commit 1855046 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1855046 ]
PDFBOX-3017: improve comment
Commit 1855060 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1855060 ]
PDFBOX-3017: check whether gap contains a hex value equal byte-by-byte to the Content value, as suggested by mkl in SO 55049270 comment
Commit 1855061 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1855061 ]
PDFBOX-3017: check whether gap contains a hex value equal byte-by-byte to the Content value, as suggested by mkl in SO 55049270 comment
Commit 1855886 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1855886 ]
PDFBOX-3017: add more checks for bad signatures, related to SO 55237713
Commit 1855887 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1855887 ]
PDFBOX-3017: add more checks for bad signatures, related to SO 55237713
Commit 1857265 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1857265 ]
PDFBOX-3017: remove unneeded println
Commit 1857266 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1857266 ]
PDFBOX-3017: remove unneeded println
Commit 1857267 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1857267 ]
PDFBOX-3017: remove unneeded println
Commit 1857268 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1857268 ]
PDFBOX-3017: remove unneeded println
Commit 1857269 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1857269 ]
PDFBOX-3017: remove unneeded println
Commit 1857349 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1857349 ]
PDFBOX-3017: crawl whole field tree and not just root
Commit 1857350 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1857350 ]
PDFBOX-3017: crawl whole field tree and not just root
Commit 1857351 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1857351 ]
PDFBOX-3017: crawl whole field tree and not just root
Commit 1859384 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1859384 ]
PDFBOX-3017: first certificate isn't always the correct one, see file from https://github.com/veraPDF/veraPDF-library/issues/1026
Commit 1859385 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1859385 ]
PDFBOX-3017: first certificate isn't always the correct one, see file from https://github.com/veraPDF/veraPDF-library/issues/1026
Commit 1859386 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1859386 ]
PDFBOX-3017: first certificate isn't always the correct one, see file from https://github.com/veraPDF/veraPDF-library/issues/1026
Commit 1860433 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1860433 ]
PDFBOX-3017: simplify code
Commit 1860434 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1860434 ]
PDFBOX-3017: simplify code
Commit 1860435 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1860435 ]
PDFBOX-3017: simplify code
Commit 1860439 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1860439 ]
PDFBOX-3017: add tests of getContents() and getSignedContent()
Commit 1860440 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1860440 ]
PDFBOX-3017: add tests of getContents() and getSignedContent()
Commit 1860441 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1860441 ]
PDFBOX-3017: add tests of getContents() and getSignedContent()
Commit 1867383 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1867383 ]
PDFBOX-3017: replace deprecated DEROutputStream
Commit 1867384 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1867384 ]
PDFBOX-3017: replace deprecated DEROutputStream
Commit 1868089 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1868089 ]
PDFBOX-3017: remove double code line, use base class, rename variable
Commit 1868090 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1868090 ]
PDFBOX-3017: remove double code line, use base class, rename variable
Commit 1868091 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1868091 ]
PDFBOX-3017: remove double code line, use base class, rename variable
Commit 1868092 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1868092 ]
PDFBOX-3017: remove double code line, use base class, rename variable
Commit 1868093 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1868093 ]
PDFBOX-3017: use constant.equals; use base class
Commit 1868094 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1868094 ]
PDFBOX-3017: use constant.equals; use base class
Commit 1868095 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1868095 ]
PDFBOX-3017: use constant.equals; use base class
Commit 1868096 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1868096 ]
PDFBOX-3017: use constant.equals; use base class
Commit 1868141 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1868141 ]
PDFBOX-3017: use base class
Commit 1868142 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1868142 ]
PDFBOX-3017: use base class
Commit 1868143 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1868143 ]
PDFBOX-3017: use base class
Commit 1868144 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1868144 ]
PDFBOX-3017: use base class
Commit 1868145 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1868145 ]
PDFBOX-3017: revert deletion of double code line because it was needed, clarify comment
Commit 1868146 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1868146 ]
PDFBOX-3017: revert deletion of double code line because it was needed, clarify comment
Commit 1868147 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1868147 ]
PDFBOX-3017: revert deletion of double code line because it was needed, clarify comment
Commit 1868148 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1868148 ]
PDFBOX-3017: revert deletion of double code line because it was needed, clarify comment
Commit 1868351 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1868351 ]
PDFBOX-3017: fix import
Commit 1869768 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869768 ]
PDFBOX-3017: support multiple CRL URLs
Commit 1869769 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869769 ]
PDFBOX-3017: support multiple CRL URLs
Commit 1869770 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869770 ]
PDFBOX-3017: support multiple CRL URLs
Commit 1869771 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869771 ]
PDFBOX-3017: support multiple CRL URLs
Commit 1869805 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869805 ]
PDFBOX-3017: refactor previous commit
Commit 1869806 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869806 ]
PDFBOX-3017: refactor previous commit
Commit 1869807 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869807 ]
PDFBOX-3017: refactor previous commit
Commit 1869808 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869808 ]
PDFBOX-3017: refactor previous commit
Commit 1869812 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869812 ]
PDFBOX-3017: use base classes (problems with newer BC versions)
Commit 1869813 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869813 ]
PDFBOX-3017: use base classes (problems with newer BC versions)
Commit 1869814 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869814 ]
PDFBOX-3017: use base classes (problems with newer BC versions)
Commit 1869815 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869815 ]
PDFBOX-3017: use base classes (problems with newer BC versions)
Commit 1869821 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869821 ]
PDFBOX-3017: use base classes (prevent problems with newer BC versions)
Commit 1869822 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869822 ]
PDFBOX-3017: use base classes (prevent problems with newer BC versions)
Commit 1869823 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869823 ]
PDFBOX-3017: use base classes (prevent problems with newer BC versions)
Commit 1869824 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869824 ]
PDFBOX-3017: use base classes (prevent problems with newer BC versions)
Commit 1869825 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869825 ]
PDFBOX-3017: remove unneeded cast
Commit 1869826 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869826 ]
PDFBOX-3017: remove unneeded cast
Commit 1869827 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869827 ]
PDFBOX-3017: remove unneeded cast
Commit 1869828 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869828 ]
PDFBOX-3017: remove unneeded cast
Commit 1869831 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869831 ]
PDFBOX-3017: remove unneeded wrapper class, simplify code
Commit 1869832 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869832 ]
PDFBOX-3017: remove unneeded wrapper class, simplify code
Commit 1869833 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869833 ]
PDFBOX-3017: remove unneeded wrapper class, simplify code
Commit 1869834 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869834 ]
PDFBOX-3017: remove unneeded wrapper class, simplify code
Commit 1869874 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869874 ]
PDFBOX-3017: use try-with-resources
Commit 1869875 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869875 ]
PDFBOX-3017: use try-with-resources
Commit 1869876 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869876 ]
PDFBOX-3017: simplify exception handling
Commit 1869877 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869877 ]
PDFBOX-3017: simplify exception handling
Commit 1869878 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869878 ]
PDFBOX-3017: simplify exception handling
Commit 1869879 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869879 ]
PDFBOX-3017: simplify exception handling
Commit 1869952 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869952 ]
PDFBOX-3017: remove unneeded imports
Commit 1869953 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869953 ]
PDFBOX-3017: remove unneeded imports
Commit 1869985 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869985 ]
PDFBOX-3017: check all signatures, not just the first one
Commit 1869986 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1869986 ]
PDFBOX-3017: check all signatures, not just the first one
Commit 1869987 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869987 ]
PDFBOX-3017: check all signatures, not just the first one
Commit 1869988 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1869988 ]
PDFBOX-3017: check all signatures, not just the first one
Commit 1869989 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1869989 ]
PDFBOX-3017: remove unneeded cast; simplify code
Commit 1869990 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1869990 ]
PDFBOX-3017: remove unneeded cast; simplify code
Commit 1870400 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870400 ]
PDFBOX-3017: compare certificates and not just serial numbers; add link to author bachelor thesis; add a TODO
Commit 1870401 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870401 ]
PDFBOX-3017: compare certificates and not just serial numbers; add link to author bachelor thesis; add a TODO
Commit 1870402 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870402 ]
PDFBOX-3017: compare certificates and not just serial numbers; add link to author bachelor thesis; add a TODO
Commit 1870403 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870403 ]
PDFBOX-3017: compare certificates and not just serial numbers; add link to author bachelor thesis; add a TODO
Commit 1870419 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870419 ]
PDFBOX-3017: don't return null (which will go NPE) when the type of the element is wrong or could not be created, throw exception instead
Commit 1870420 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870420 ]
PDFBOX-3017: don't return null (which will go NPE) when the type of the element is wrong or could not be created, throw exception instead
Commit 1870421 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870421 ]
PDFBOX-3017: don't return null (which will go NPE) when the type of the element is wrong or could not be created, throw exception instead
Commit 1870422 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870422 ]
PDFBOX-3017: don't return null (which will go NPE) when the type of the element is wrong or could not be created, throw exception instead
Commit 1870531 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870531 ]
PDFBOX-3017: use certificateHolder BC class where possible
Commit 1870532 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870532 ]
PDFBOX-3017: use certificateHolder BC class where possible
Commit 1870533 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870533 ]
PDFBOX-3017: use certificateHolder BC class where possible
Commit 1870534 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870534 ]
PDFBOX-3017: use certificateHolder BC class where possible
Commit 1870568 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870568 ]
PDFBOX-3017: remove unused code
Commit 1870569 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870569 ]
PDFBOX-3017: remove unused code
Commit 1870570 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870570 ]
PDFBOX-3017: remove unused code
Commit 1870571 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870571 ]
PDFBOX-3017: remove unused code
Commit 1870679 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870679 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870680 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870680 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870681 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870681 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870682 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870682 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870683 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1870683 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870684 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1870684 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870685 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1870685 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1870686 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1870686 ]
PDFBOX-3017: refactor: move two methods that will soon be used in tests into SigUtils
Commit 1871511 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1871511 ]
PDFBOX-3017: use SecureRandom
Commit 1871512 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1871512 ]
PDFBOX-3017: use SecureRandom
Commit 1871513 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1871513 ]
PDFBOX-3017: use SecureRandom
Commit 1871514 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1871514 ]
PDFBOX-3017: use SecureRandom
Commit 1871543 from Tilman Hausherr in branch 'pdfbox/branches/issue4569'
[ https://svn.apache.org/r1871543 ]
PDFBOX-3017: synchronize construction of SecureRandom
Commit 1871544 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1871544 ]
PDFBOX-3017: synchronize construction of SecureRandom
Commit 1875930 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1875930 ]
PDFBOX-3017, PDFBOX-3888: recover from OCSP exception and improve output
Commit 1875931 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1875931 ]
PDFBOX-3017, PDFBOX-3888: recover from OCSP exception and improve output
Commit 1875932 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1875932 ]
PDFBOX-3017, PDFBOX-3888: recover from OCSP exception and improve output
Commit 1876147 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1876147 ]
PDFBOX-3017: improve exception message due to current failure of freetsa.org
Commit 1876148 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1876148 ]
PDFBOX-3017: improve exception message due to current failure of freetsa.org
Commit 1876149 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1876149 ]
PDFBOX-3017: improve exception message due to current failure of freetsa.org
Commit 1876838 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1876838 ]
PDFBOX-3017: remove unneeded cast
Commit 1876839 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1876839 ]
PDFBOX-3017: catch correct exception
Commit 1876840 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1876840 ]
PDFBOX-3017: catch correct exception
Commit 1876841 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1876841 ]
PDFBOX-3017: catch correct exception
Commit 1876844 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1876844 ]
PDFBOX-3017: DRY refactoring
Commit 1876845 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1876845 ]
PDFBOX-3017: DRY refactoring
Commit 1876846 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1876846 ]
PDFBOX-3017: DRY refactoring
Commit 1876850 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1876850 ]
PDFBOX-3017: add methods to verify timestamp signature
Commit 1876851 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1876851 ]
PDFBOX-3017: add methods to verify timestamp signature
Commit 1876852 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1876852 ]
PDFBOX-3017: add methods to verify timestamp signature
Commit 1877030 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1877030 ]
PDFBOX-3017: close files in case of exception (not doing it broke upcoming TSA test)
Commit 1877031 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1877031 ]
PDFBOX-3017: close files in case of exception (not doing it broke upcoming TSA test)
Commit 1877033 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1877033 ]
PDFBOX-3017: optional TSA signing test
Commit 1877034 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1877034 ]
PDFBOX-3017: optional TSA signing test
Commit 1877035 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1877035 ]
PDFBOX-3017: optional TSA signing test
Commit 1877036 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1877036 ]
PDFBOX-3017: URL for optional TSA signing test, only when pedantic profile to minimize load on TSA server
Commit 1877037 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1877037 ]
PDFBOX-3017: URL for optional TSA signing test, only when pedantic profile to minimize load on TSA server
Commit 1877038 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1877038 ]
PDFBOX-3017: URL for optional TSA signing test, only when pedantic profile to minimize load on TSA server
Commit 1877039 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1877039 ]
PDFBOX-3017: rename variable to avoid confusion
Commit 1877040 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1877040 ]
PDFBOX-3017: rename variable to avoid confusion
Commit 1877041 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1877041 ]
PDFBOX-3017: rename variable to avoid confusion
I wanted to make the TSA assignment in the "example" subproject pom.xml but failed, the build froze. Thus the current solution assigning the environment variable in the parent pom.
I did not make this a fixed test because the freetsa.org server would then get used by every PDFBox build everywhere.
Commit 1877918 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1877918 ]
PDFBOX-3017: only the signDetached() call should throw the exception
Commit 1877919 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1877919 ]
PDFBOX-3017: only the signDetached() call should throw the exception
Commit 1877920 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1877920 ]
PDFBOX-3017: only the signDetached() call should throw the exception
Commit 1879120 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879120 ]
PDFBOX-3017: improve error message
Commit 1879121 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879121 ]
PDFBOX-3017: improve error message
Commit 1879122 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879122 ]
PDFBOX-3017: improve error message
Commit 1879193 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879193 ]
PDFBOX-3017: simplify code, avoid NPE
Commit 1879194 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879194 ]
PDFBOX-3017: simplify code, avoid NPE
Commit 1879195 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879195 ]
PDFBOX-3017: simplify code, avoid NPE
Commit 1879196 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879196 ]
PDFBOX-3017: better focusing that timestamp is there when expected, and not when not expected; test late embedded timestamp
Commit 1879197 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879197 ]
PDFBOX-3017: better focusing that timestamp is there when expected, and not when not expected; test late embedded timestamp
Commit 1879199 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879199 ]
PDFBOX-3017: better focusing that timestamp is there when expected, and not when not expected; test late embedded timestamp
Commit 1879211 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879211 ]
PDFBOX-3017: fix bug created in last refactoring
Commit 1879212 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879212 ]
PDFBOX-3017: fix bug created in last refactoring
Commit 1879916 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879916 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879917 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879917 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879918 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879918 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879924 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879924 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879925 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879925 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879926 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879926 ]
PDFBOX-3017: verify signature hash in timestamp (inspired by stackoverflow question 62872844 comment by mkl)
Commit 1879969 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1879969 ]
PDFBOX-3017: improve messages
Commit 1879970 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1879970 ]
PDFBOX-3017: improve messages
Commit 1879971 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1879971 ]
PDFBOX-3017: improve messages
Commit 1880041 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880041 ]
PDFBOX-3017: replace method with library call
Commit 1880042 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880042 ]
PDFBOX-3017: replace method with library call
Commit 1880062 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880062 ]
PDFBOX-3017: remove double code
Commit 1880063 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880063 ]
PDFBOX-3017: remove double code
Commit 1880064 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880064 ]
PDFBOX-3017: remove double code
Commit 1880081 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880081 ]
PDFBOX-3017: verify certificate chain of timeStamp certificate in test + DRY refactoring
Commit 1880082 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880082 ]
PDFBOX-3017: verify certificate chain of timeStamp certificate in test + DRY refactoring
Commit 1880083 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880083 ]
PDFBOX-3017: verify certificate chain of timeStamp certificate in test + DRY refactoring
Commit 1880084 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880084 ]
PDFBOX-3017: remove double comment
Commit 1880085 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880085 ]
PDFBOX-3017: remove double comment
Commit 1880086 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880086 ]
PDFBOX-3017: remove double comment
Commit 1880109 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880109 ]
PDFBOX-3017: first certificate isn't always the correct one; fix javadoc; use correct source file
Commit 1880110 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880110 ]
PDFBOX-3017: first certificate isn't always the correct one; fix javadoc; use correct source file
Commit 1880111 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880111 ]
PDFBOX-3017: first certificate isn't always the correct one; fix javadoc; use correct source file
Commit 1880182 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880182 ]
PDFBOX-3017: add hex signature for upcoming test
Commit 1880183 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880183 ]
PDFBOX-3017: add test to validate signature certificates with CRLs to increase test coverage
Commit 1880218 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880218 ]
PDFBOX-3017: download extra certificates from downloaded extra certificates
Commit 1880219 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880219 ]
PDFBOX-3017: download extra certificates from downloaded extra certificates
Commit 1880220 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880220 ]
PDFBOX-3017: download extra certificates from downloaded extra certificates
Commit 1880221 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880221 ]
PDFBOX-3017: add hex signature for upcoming test
Commit 1880222 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880222 ]
PDFBOX-3017: add hex signature for upcoming test
Commit 1880223 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880223 ]
PDFBOX-3017: add test to validate signature certificates with CRLs to increase test coverage
Commit 1880224 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880224 ]
PDFBOX-3017: add test to validate signature certificates with CRLs to increase test coverage
Commit 1880414 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880414 ]
PDFBOX-3017: add test for CreateSignedTimeStamp example (timestamp only signature) to increase code coverage
Commit 1880415 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880415 ]
PDFBOX-3017: add test for CreateSignedTimeStamp example (timestamp only signature) to increase code coverage
Commit 1880416 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880416 ]
PDFBOX-3017: add test for CreateSignedTimeStamp example (timestamp only signature) to increase code coverage
Commit 1880420 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880420 ]
PDFBOX-3017: make sure that this is really the issuing certificate
Commit 1880421 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880421 ]
PDFBOX-3017: make sure that this is really the issuing certificate
Commit 1880422 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880422 ]
PDFBOX-3017: make sure that this is really the issuing certificate
Commit 1880482 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880482 ]
PDFBOX-3017: add test for AddValidationInformation.java example (LTV) to increase code coverage
Commit 1880483 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880483 ]
PDFBOX-3017: SonarQube fix
Commit 1880484 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880484 ]
PDFBOX-3017: add test for AddValidationInformation.java example (LTV) to increase code coverage
Commit 1880485 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880485 ]
PDFBOX-3017: add test for AddValidationInformation.java example (LTV) to increase code coverage
Commit 1880486 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880486 ]
PDFBOX-3017: use try-with-resources, DRY cert factory
Commit 1880487 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880487 ]
PDFBOX-3017: DRY cert factory
Commit 1880488 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880488 ]
PDFBOX-3017: DRY cert factory
Commit 1880497 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880497 ]
PDFBOX-3017: methods that don't use the external signing toggling feature should run only once
Commit 1880498 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880498 ]
PDFBOX-3017: methods that don't use the external signing toggling feature should run only once
Commit 1880499 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880499 ]
PDFBOX-3017: methods that don't use the external signing toggling feature should run only once
Commit 1880681 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880681 ]
PDFBOX-3017: add test for CreateVisibleSignature2.java to increase code coverage
Commit 1880682 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880682 ]
PDFBOX-3017: add test for CreateVisibleSignature2.java to increase code coverage
Commit 1880683 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880683 ]
PDFBOX-3017: add test for CreateVisibleSignature2.java to increase code coverage
Commit 1880684 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880684 ]
PDFBOX-3017: DRY refactoring of keyStore loading
Commit 1880685 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880685 ]
PDFBOX-3017: DRY refactoring of keyStore loading
Commit 1880686 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880686 ]
PDFBOX-3017: DRY refactoring of keyStore loading
Commit 1880692 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1880692 ]
PDFBOX-3017: improve test failure message
Commit 1880693 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1880693 ]
PDFBOX-3017: improve test failure message
Commit 1880694 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1880694 ]
PDFBOX-3017: improve test failure message
Commit 1881003 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1881003 ]
PDFBOX-3017: improve log message, inspired by SO question 63457413
Commit 1881004 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1881004 ]
PDFBOX-3017: improve log message, inspired by SO question 63457413
Commit 1881005 from Tilman Hausherr in branch 'pdfbox/branches/issue45'
[ https://svn.apache.org/r1881005 ]
PDFBOX-3017: improve log message, inspired by SO question 63457413
Commit 1882328 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882328 ]
PDFBOX-3017: certify signature must be the first one (mentioned by Dr. Bernd Wild in OctoberPDFest webinar)
Commit 1882329 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882329 ]
PDFBOX-3017: certify signature must be the first one (mentioned by Dr. Bernd Wild in OctoberPDFest webinar)
tilman>certify signature must be the first one (mentioned by Dr. Bernd Wild in OctoberPDFest webinar)
This only is true if one strictly differentiates between signatures and document time stamps. If one handles the latter as special signatures, though, the situation is different, since ISO 32000-2 document timestamps can come before the certification signature!
In particular the requirement "it shall be the first signed field in the document" for the signature field that contains a DocMDP transform method has been dropped and replaced by the requirement "These shall follow the certification signature if one is present" for approval signatures.
So your new check is too harsh.
Commit 1882390 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882390 ]
PDFBOX-3017: don't bother with timestamp signatures, as mentioned by Michael Klink
Commit 1882391 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882391 ]
PDFBOX-3017: don't bother with timestamp signatures, as mentioned by Michael Klink
Commit 1882698 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882698 ]
PDFBOX-3017: /Type is optional in signature dictionary
Commit 1882699 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882699 ]
PDFBOX-3017: /Type is optional in signature dictionary
Commit 1882700 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882700 ]
PDFBOX-3017: remove unneeded code
Commit 1882701 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882701 ]
PDFBOX-3017: remove unneeded code
Commit 1882736 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882736 ]
PDFBOX-3017: don't add LTV when MDP prevents this
Commit 1882737 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882737 ]
PDFBOX-3017: don't add LTV when MDP prevents this
Commit 1882740 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882740 ]
PDFBOX-3017: avoid NPE; refactor
Commit 1882741 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882741 ]
PDFBOX-3017: avoid NPE; refactor
don't add LTV when MDP prevents this
MDP cannot prevent LTV, cf. ISO 32000-2:
A value of 1 for P indicates that the document shall be final; that is, any changes shall invalidate the signature with the exception of subsequent DSS (see 12.8.4.3, "Document Security Store (DSS)") and/or document timestamp (see 12.8.5, "Document timestamp (DTS) dictionary") incremental updates.
If you encounter a PDF validator that claims the LTV additions break MDP restrictions, that viewer is not working according to the standard or you actually add more than required for DSS/DTS addition.
This one Eingangsbestaetigung-376670811-sig.pdf Eingangsbestaetigung-376670811-sig_ocsp.pdf from hauser@acm.org
Commit 1882765 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882765 ]
PDFBOX-3017: close stream; avoid ClassCastException
Commit 1882766 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882766 ]
PDFBOX-3017: close stream; avoid ClassCastException
Commit 1882769 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882769 ]
PDFBOX-3017: remove diamond syntax
This one Eingangsbestaetigung-376670811-sig.pdf Eingangsbestaetigung-376670811-sig_ocsp.pdf from hauser@acm.org
It is interesting that Adobe Reader does not accept the DSS incremental update here, as a PDF-2 conforming validator would have to accept it.
I did some tests and indeed, Adobe Reader apparently is not yet ISO 32000-2 conformant with respect to DocMdp and adding DSS (see DocMdpAndDss test testPdf20DocMdp1Dss).
Nonetheless, in my opinion you shouldn't forbid a user of the library something that's respecting the specification, both in letter and in spirit. In particular you shouldn't forbid adding a DSS to a DocMdp 1 document.
You may consider adding a flag (e.g. "AdobeAcrobatCompatibility", even though that might prove to be a moving target), and only if that flag is set, you forbid adding DSS to DocMdp 1 documents.
mkl just curious - which version of Adobe Reader did you use for testing.
Commit 1882862 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882862 ]
PDFBOX-3017: warn about DSS changes, don't stop
Commit 1882863 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882863 ]
PDFBOX-3017: warn about DSS changes, don't stop
Thanks mkl, I've replaced it with a warning. This is example code so in theory people should read it and decide on their own. I'll fix the timestamp example later.
Commit 1882864 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882864 ]
PDFBOX-3017: MDP not relevant because only signature content is changed
Commit 1882865 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882865 ]
PDFBOX-3017: MDP not relevant because only signature content is changed
msahyoun> just curious - which version of Adobe Reader did you use for testing.
Adobe Acrobat Reader DC version 2019.012.20040 for Windows which happens to be installed on my office computer.
I just tested the files on my home computer with DC version 2020.012.20048 (which appears to be current) with the same result.
tilman>I've replaced it with a warning. This is example code so in theory people should read it and decide on their own.
Great!
Yes, you're right, this is example code, so such a warning indeed is the most appropriate way to put it.
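The policy discussed in the comments above (warn rather than refuse when adding a DSS to a DocMDP 1 document, with an optional compatibility flag), sketched as an added example that is not PDFBox's or any commenter's code. It assumes PDFBox 2.0.x on the classpath; the class `DocMdpDssPolicy`, the `Decision` enum and the `acrobatCompatibility` parameter (modelled on the "AdobeAcrobatCompatibility" flag suggested above) are hypothetical names, and the in-memory document is constructed for the demonstration.

```java
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;

// Hypothetical helper, not part of PDFBox or its examples.
public class DocMdpDssPolicy {
    enum Decision { PROCEED, PROCEED_WITH_WARNING, REFUSE }

    private static COSName n(String s) { return COSName.getPDFName(s); }

    // Returns the DocMDP P value (1..3), or 0 if no DocMDP transform is found
    // under the catalog's /Perms /DocMDP signature dictionary.
    static int docMdpLevel(PDDocument doc) {
        COSBase perms = doc.getDocumentCatalog().getCOSObject().getDictionaryObject(n("Perms"));
        if (!(perms instanceof COSDictionary)) return 0;
        COSBase sig = ((COSDictionary) perms).getDictionaryObject(n("DocMDP"));
        if (!(sig instanceof COSDictionary)) return 0;
        COSBase refs = ((COSDictionary) sig).getDictionaryObject(n("Reference"));
        if (!(refs instanceof COSArray)) return 0;
        COSArray array = (COSArray) refs;
        for (int i = 0; i < array.size(); i++) {
            COSBase ref = array.getObject(i);
            if (!(ref instanceof COSDictionary)) continue;
            COSDictionary sigRef = (COSDictionary) ref;
            if (!n("DocMDP").equals(sigRef.getDictionaryObject(n("TransformMethod")))) continue;
            COSBase params = sigRef.getDictionaryObject(n("TransformParams"));
            if (params instanceof COSDictionary) {
                int p = ((COSDictionary) params).getInt(n("P"), 2); // P defaults to 2
                return (p < 1 || p > 3) ? 2 : p; // this example treats out-of-range as the default
            }
        }
        return 0;
    }

    // Per the ISO 32000-2 text quoted in the thread, DSS/DTS updates stay allowed at P = 1;
    // the flag only models the stricter behaviour reported for Adobe Reader.
    static Decision decideDssUpdate(PDDocument doc, boolean acrobatCompatibility) {
        if (docMdpLevel(doc) != 1) return Decision.PROCEED;
        return acrobatCompatibility ? Decision.REFUSE : Decision.PROCEED_WITH_WARNING;
    }

    public static void main(String[] args) throws Exception {
        try (PDDocument doc = new PDDocument()) {
            // Constructed sample: an in-memory catalog certified with DocMDP P = 1.
            COSDictionary params = new COSDictionary();
            params.setInt(n("P"), 1);
            COSDictionary sigRef = new COSDictionary();
            sigRef.setItem(n("TransformMethod"), n("DocMDP"));
            sigRef.setItem(n("TransformParams"), params);
            COSArray reference = new COSArray();
            reference.add(sigRef);
            COSDictionary signature = new COSDictionary();
            signature.setItem(n("Reference"), reference);
            COSDictionary perms = new COSDictionary();
            perms.setItem(n("DocMDP"), signature);
            doc.getDocumentCatalog().getCOSObject().setItem(n("Perms"), perms);

            System.out.println("P = " + docMdpLevel(doc));
            System.out.println("spec behaviour: " + decideDssUpdate(doc, false));
            System.out.println("compat flag set: " + decideDssUpdate(doc, true));
        }
    }
}
```

A caller that receives `PROCEED_WITH_WARNING` should still restrict the incremental update to the DSS/DTS objects themselves, since anything beyond that may be treated as a disallowed change at P = 1.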
Commit 1882876 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882876 ]
PDFBOX-3017: make sure that CRL is valid right now
Commit 1882877 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882877 ]
PDFBOX-3017: make sure that CRL is valid right now
I am investigating the history of this change in 32K-2 as well as the Acrobat implementation. I will report back here as soon as I know more about either...
lrosenthol>I am investigating the history of this change in 32K-2 as well as the Acrobat implementation. I will report back here as soon as I know more about either...
That's great!
But it's not merely a question of 32K-2 support, PAdES since TS 102778-4 required that addition of DSS or DTS must always be possible, whatever the DocMDP level may be. Thus, already support for PAdES (at least in documents marked by an appropriate ESIC or ADBE extension entry) requires support for this.
Commit 1882885 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882885 ]
PDFBOX-3017: make image optional, see wish / comment by IsmailSahin in SO 44311502
Commit 1882886 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882886 ]
PDFBOX-3017: make image optional, see wish / comment by IsmailSahin in SO 44311502
Commit 1882887 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882887 ]
PDFBOX-3017: improve parameter handling of previous commit so that -tsa is possible without image
Commit 1882888 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882888 ]
PDFBOX-3017: improve parameter handling of previous commit so that -tsa is possible without image
Commit 1882889 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882889 ]
PDFBOX-3017: use log instead of exception because test signature points to outdated CRL
Commit 1882890 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882890 ]
PDFBOX-3017: use log instead of exception because test signature points to outdated CRL
Commit 1882925 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1882925 ]
PDFBOX-3017: need to check all certs for remote issuer certs, not just the first one
Commit 1882926 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1882926 ]
PDFBOX-3017: need to check all certs for remote issuer certs, not just the first one
Commit 1883016 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1883016 ]
PDFBOX-3017: use _LTV instead of _ocsp
Commit 1883017 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1883017 ]
PDFBOX-3017: use _LTV instead of _ocsp
Got an update from lrosenthol:
Wanted to get back to you that we have logged a bug around this and will address it in a future release.
Thanks for calling this to our attention.
Further
Me: For my understanding - it's correct that adding LTV after signing should be possible but currently wrongly flagged by Acrobat?
Leonard: Correct
Obviously the "... thanks ..." got to mkl and tilman.
So to me our implementation should be to the spec with Acrobat being able to validate after the issue has been fixed.
So to me our implementation should be to the spec with Acrobat being able to validate after the issue has been fixed.
That remains to be seen: It's only allowed to add LTV (DSS and DTS) to a DocMDP no-changes-allowed document. Thus, the tiniest object added which is not necessary for adding LTV may be interpreted as invalid change. And ever since the Shadow Attacks publication Adobe is likely to be especially cautious not to allow any unnecessary additions, see PDFBOX-4997.
I think there was a word missing
... should be made to the spec ...
Didn't want to stipulate that it already is - hope that makes it clearer.
Setting this one to resolved because it's been open long enough. The issues (on top) that haven't been done should be done in new issues.
Commit 1886698 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1886698 ]
PDFBOX-3017: add comment and set print flag to avoid weird problems described by Waldemar Dick on the users mailing list
Commit 1886699 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1886699 ]
PDFBOX-3017: add comment and set print flag to avoid weird problems described by Waldemar Dick on the users mailing list
msahyoun - Any news on the Acrobat DocMDP/DSS issue from lrosenthol yet?
I don't like these "chained" calls in the visible signature stuff. I didn't like these calls in the '80s, when I first saw them. Isn't this against the "Law of Demeter"?