PDFBOX-5936: make issuers a Set

git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1923257 13f79535-47bb-0310-9956-ffa450edef68
apache · Jan 20, 2025 · 9c7b962 · 9c7b962
1 parent a2d376b
commit 9c7b962
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 9 deletions.
diff --git a/...c/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java b/...c/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
@@ -279,7 +279,7 @@ private void addRevocationDataRecursive(CertSignatureInformation certInfo) throw
         boolean isRevocationInfoFound = foundRevocationInformation.contains(certInfo.getCertificate());
         if (!isRevocationInfoFound)
         {
-            if (certInfo.getOcspUrl() != null && certInfo.getIssuerCertificate() != null)
+            if (certInfo.getOcspUrl() != null && !certInfo.getIssuerCertificates().isEmpty())
             {
                 isRevocationInfoFound = fetchOcspData(certInfo);
             }
@@ -328,7 +328,8 @@ private boolean fetchOcspData(CertSignatureInformation certInfo) throws IOExcept
         }
         catch (OCSPException | CertificateProccessingException | IOException | URISyntaxException e)
         {
-            LOG.error("Failed fetching OCSP at {}", certInfo.getOcspUrl(), e);
+            LOG.error("Failed fetching OCSP at '{}' for '{}'", certInfo.getOcspUrl(), 
+                    certInfo.getCertificate().getSubjectX500Principal(), e);
             return false;
         }
         catch (RevokedCertificateException e)
@@ -371,13 +372,21 @@ private void addOcspData(CertSignatureInformation certInfo) throws IOException,
             CertificateProccessingException, RevokedCertificateException, URISyntaxException
     {
         X509Certificate certificate = certInfo.getCertificate();
-        X509Certificate issuerCertificate = certInfo.getIssuerCertificate();
-        String ocspURL = certInfo.getOcspUrl();
         if (ocspChecked.contains(certificate))
         {
             // This certificate has been OCSP-checked before
             return;
         }
+        for (X509Certificate issuerCertificate : certInfo.getIssuerCertificates())
+        {
+            addOcspData(certificate, issuerCertificate, certInfo.getOcspUrl());
+        }
+    }
+
+    private void addOcspData(X509Certificate certificate, X509Certificate issuerCertificate, String ocspURL)
+            throws IOException, OCSPException, CertificateProccessingException,
+            RevokedCertificateException, URISyntaxException
+    {
         OcspHelper ocspHelper = new OcspHelper(
                 certificate,
                 signDate.getTime(),

diff --git a/...c/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java b/...c/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java
@@ -106,6 +106,9 @@ private CertSignatureInformation getCertInfo(byte[] signatureContent)
     {
         rootCertInfo = new CertSignatureInformation();
 
+        // https://www.etsi.org/deliver/etsi_ts/102700_102799/10277804/01.01.02_60/ts_10277804v010102p.pdf
+        // The key of each entry in this dictionary is the base-16-encoded (uppercase)
+        // SHA1 digest of the signature to which it applies
         rootCertInfo.signatureHash = CertInformationHelper.getSha1Hash(signatureContent);
 
         try
@@ -251,7 +254,7 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
                 certificate.verify(issuer.getPublicKey(), SecurityProvider.getProvider());
                 LOG.info("Found issuer for Cert: {}\n{}",
                         certificate.getSubjectX500Principal(), issuer.getSubjectX500Principal());
-                certInfo.issuerCertificate = issuer;
+                certInfo.issuerCertificates.add(issuer);
                 certInfo.certChain = new CertSignatureInformation();
                 traverseChain(issuer, certInfo.certChain, maxDepth - 1);
                 ++count;
@@ -261,7 +264,7 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
                 // not the issuer
             }                
         }
-        if (certInfo.issuerCertificate == null)
+        if (certInfo.issuerCertificates.isEmpty())
         {
             throw new IOException(
                     "No Issuer Certificate found for Cert: '" +
@@ -412,7 +415,7 @@ public static class CertSignatureInformation
         private String ocspUrl;
         private String crlUrl;
         private String issuerUrl;
-        private X509Certificate issuerCertificate;
+        private final Set<X509Certificate> issuerCertificates = new HashSet<>();
         private CertSignatureInformation certChain;
         private CertSignatureInformation tsaCerts;
         private CertSignatureInformation alternativeCertChain;
@@ -447,9 +450,9 @@ public boolean isSelfSigned()
             return isSelfSigned;
         }
 
-        public X509Certificate getIssuerCertificate()
+        public Set<X509Certificate> getIssuerCertificates()
         {
-            return issuerCertificate;
+            return issuerCertificates;
         }
 
         public String getSignatureHash()