PDFBOX-5936: make issuers a Set

THausherr · THausherr · commit 9c7b962bcb7d · 2025-01-20T12:07:14.000Z
git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1923257 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java b/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
@@ -279,7 +279,7 @@ private void addRevocationDataRecursive(CertSignatureInformation certInfo) throw
         boolean isRevocationInfoFound = foundRevocationInformation.contains(certInfo.getCertificate());
         if (!isRevocationInfoFound)
         {
-            if (certInfo.getOcspUrl() != null && certInfo.getIssuerCertificate() != null)
+            if (certInfo.getOcspUrl() != null && !certInfo.getIssuerCertificates().isEmpty())
             {
                 isRevocationInfoFound = fetchOcspData(certInfo);
             }
@@ -328,7 +328,8 @@ private boolean fetchOcspData(CertSignatureInformation certInfo) throws IOExcept
         }
         catch (OCSPException | CertificateProccessingException | IOException | URISyntaxException e)
         {
-            LOG.error("Failed fetching OCSP at {}", certInfo.getOcspUrl(), e);
+            LOG.error("Failed fetching OCSP at '{}' for '{}'", certInfo.getOcspUrl(), 
+                    certInfo.getCertificate().getSubjectX500Principal(), e);
             return false;
         }
         catch (RevokedCertificateException e)
@@ -371,13 +372,21 @@ private void addOcspData(CertSignatureInformation certInfo) throws IOException,
             CertificateProccessingException, RevokedCertificateException, URISyntaxException
     {
         X509Certificate certificate = certInfo.getCertificate();
-        X509Certificate issuerCertificate = certInfo.getIssuerCertificate();
-        String ocspURL = certInfo.getOcspUrl();
         if (ocspChecked.contains(certificate))
         {
             // This certificate has been OCSP-checked before
             return;
         }
+        for (X509Certificate issuerCertificate : certInfo.getIssuerCertificates())
+        {
+            addOcspData(certificate, issuerCertificate, certInfo.getOcspUrl());
+        }
+    }
+
+    private void addOcspData(X509Certificate certificate, X509Certificate issuerCertificate, String ocspURL)
+            throws IOException, OCSPException, CertificateProccessingException,
+            RevokedCertificateException, URISyntaxException
+    {
         OcspHelper ocspHelper = new OcspHelper(
                 certificate,
                 signDate.getTime(),
diff --git a/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java b/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java
@@ -106,6 +106,9 @@ private CertSignatureInformation getCertInfo(byte[] signatureContent)
     {
         rootCertInfo = new CertSignatureInformation();
 
+        // https://www.etsi.org/deliver/etsi_ts/102700_102799/10277804/01.01.02_60/ts_10277804v010102p.pdf
+        // The key of each entry in this dictionary is the base-16-encoded (uppercase)
+        // SHA1 digest of the signature to which it applies
         rootCertInfo.signatureHash = CertInformationHelper.getSha1Hash(signatureContent);
 
         try
@@ -251,7 +254,7 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
                 certificate.verify(issuer.getPublicKey(), SecurityProvider.getProvider());
                 LOG.info("Found issuer for Cert: {}\n{}",
                         certificate.getSubjectX500Principal(), issuer.getSubjectX500Principal());
-                certInfo.issuerCertificate = issuer;
+                certInfo.issuerCertificates.add(issuer);
                 certInfo.certChain = new CertSignatureInformation();
                 traverseChain(issuer, certInfo.certChain, maxDepth - 1);
                 ++count;
@@ -261,7 +264,7 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
                 // not the issuer
             }                
         }
-        if (certInfo.issuerCertificate == null)
+        if (certInfo.issuerCertificates.isEmpty())
         {
             throw new IOException(
                     "No Issuer Certificate found for Cert: '" +
@@ -412,7 +415,7 @@ public static class CertSignatureInformation
         private String ocspUrl;
         private String crlUrl;
         private String issuerUrl;
-        private X509Certificate issuerCertificate;
+        private final Set<X509Certificate> issuerCertificates = new HashSet<>();
         private CertSignatureInformation certChain;
         private CertSignatureInformation tsaCerts;
         private CertSignatureInformation alternativeCertChain;
@@ -447,9 +450,9 @@ public boolean isSelfSigned()
             return isSelfSigned;
         }
 
-        public X509Certificate getIssuerCertificate()
+        public Set<X509Certificate> getIssuerCertificates()
         {
-            return issuerCertificate;
+            return issuerCertificates;
         }
 
         public String getSignatureHash()

Original file line number	Diff line number	Diff line change
`@@ -279,7 +279,7 @@ private void addRevocationDataRecursive(CertSignatureInformation certInfo) throw`
`279`	`279`	`boolean isRevocationInfoFound = foundRevocationInformation.contains(certInfo.getCertificate());`
`280`	`280`	`if (!isRevocationInfoFound)`
`281`	`281`	`{`
`282`		`- if (certInfo.getOcspUrl() != null && certInfo.getIssuerCertificate() != null)`
	`282`	`+ if (certInfo.getOcspUrl() != null && !certInfo.getIssuerCertificates().isEmpty())`
`283`	`283`	`{`
`284`	`284`	`isRevocationInfoFound = fetchOcspData(certInfo);`
`285`	`285`	`}`
`@@ -328,7 +328,8 @@ private boolean fetchOcspData(CertSignatureInformation certInfo) throws IOExcept`
`328`	`328`	`}`
`329`	`329`	`catch (OCSPException \| CertificateProccessingException \| IOException \| URISyntaxException e)`
`330`	`330`	`{`
`331`		`- LOG.error("Failed fetching OCSP at {}", certInfo.getOcspUrl(), e);`
	`331`	`+ LOG.error("Failed fetching OCSP at '{}' for '{}'", certInfo.getOcspUrl(),`
	`332`	`+ certInfo.getCertificate().getSubjectX500Principal(), e);`
`332`	`333`	`return false;`
`333`	`334`	`}`
`334`	`335`	`catch (RevokedCertificateException e)`
`@@ -371,13 +372,21 @@ private void addOcspData(CertSignatureInformation certInfo) throws IOException,`
`371`	`372`	`CertificateProccessingException, RevokedCertificateException, URISyntaxException`
`372`	`373`	`{`
`373`	`374`	`X509Certificate certificate = certInfo.getCertificate();`
`374`		`- X509Certificate issuerCertificate = certInfo.getIssuerCertificate();`
`375`		`- String ocspURL = certInfo.getOcspUrl();`
`376`	`375`	`if (ocspChecked.contains(certificate))`
`377`	`376`	`{`
`378`	`377`	`// This certificate has been OCSP-checked before`
`379`	`378`	`return;`
`380`	`379`	`}`
	`380`	`+ for (X509Certificate issuerCertificate : certInfo.getIssuerCertificates())`
	`381`	`+ {`
	`382`	`+ addOcspData(certificate, issuerCertificate, certInfo.getOcspUrl());`
	`383`	`+ }`
	`384`	`+ }`
	`385`	`+`
	`386`	`+ private void addOcspData(X509Certificate certificate, X509Certificate issuerCertificate, String ocspURL)`
	`387`	`+ throws IOException, OCSPException, CertificateProccessingException,`
	`388`	`+ RevokedCertificateException, URISyntaxException`
	`389`	`+ {`
`381`	`390`	`OcspHelper ocspHelper = new OcspHelper(`
`382`	`391`	`certificate,`
`383`	`392`	`signDate.getTime(),`