PDFBOX-5936: traverse all chains if there are several issuers + react…

…ivate test code from 5203 git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1923235 13f79535-47bb-0310-9956-ffa450edef68
apache · Jan 19, 2025 · 0b7570d · 0b7570d
1 parent b10b616
commit 0b7570d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/...c/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java b/...c/main/java/org/apache/pdfbox/examples/signature/validation/CertInformationCollector.java
@@ -243,17 +243,18 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
             return;
         }
 
+        int count = 0;
         for (X509Certificate issuer : certificateSet)
         {
             try
             {
                 certificate.verify(issuer.getPublicKey(), SecurityProvider.getProvider());
-                LOG.info("Found the right Issuer Cert! for Cert: {}\n{}",
+                LOG.info("Found issuer for Cert: {}\n{}",
                         certificate.getSubjectX500Principal(), issuer.getSubjectX500Principal());
                 certInfo.issuerCertificate = issuer;
                 certInfo.certChain = new CertSignatureInformation();
                 traverseChain(issuer, certInfo.certChain, maxDepth - 1);
-                break;
+                ++count;
             }
             catch (GeneralSecurityException ex)
             {
@@ -267,6 +268,11 @@ private void traverseChain(X509Certificate certificate, CertSignatureInformation
                             certificate.getSubjectX500Principal() + "', i.e. Cert '" +
                             certificate.getIssuerX500Principal() + "' is missing in the chain");
         }
+        if (count > 1)
+        {
+            // not a bug, see comment by mkl in PDFBOX-5203
+            LOG.info("Several issuers for Cert: '{}", certificate.getSubjectX500Principal());
+        }
     }
 
     /**

diff --git a/examples/src/test/java/org/apache/pdfbox/examples/pdmodel/TestCreateSignature.java b/examples/src/test/java/org/apache/pdfbox/examples/pdmodel/TestCreateSignature.java
@@ -963,11 +963,11 @@ private void checkLTV(File outFile)
                 {
                     continue; // not relevant here
                 }
-                // disabled until PDFBOX-5203 is fixed
-//                assertTrue(sigCertHolderSetFromVRIArray.contains(holder),
-//                        "File '" + outFile + "' Root/DSS/VRI/" + hexSignatureHash +
-//                                "/Cert array doesn't contain a certificate with subject '" +
-//                                holder.getSubject() + "' and serial " + holder.getSerialNumber());
+                assertTrue(sigCertHolderSetFromVRIArray.contains(holder),
+                        "File '" + outFile + "' Root/DSS/VRI/" + hexSignatureHash +
+                                "/Cert array doesn't contain a certificate with subject '" +
+                                holder.getSubject() +
+                                "' and serial " + holder.getSerialNumber().toString(16).toUpperCase());
             }
             // Get all certificates. Each one should either be issued (= signed) by a certificate of the set
             Set<X509Certificate> certSet = new HashSet<>();
@@ -995,9 +995,8 @@ private void checkLTV(File outFile)
                         // not the issuer
                     }
                 }
-                // disabled until PDFBOX-5203 is fixed
-//                assertTrue(verified,
-//                    "Certificate " + cert.getSubjectX500Principal() + " not issued by any certificate in the Certs array");
+                assertTrue(verified,
+                    "Certificate " + cert.getSubjectX500Principal() + " not issued by any certificate in the Certs array");
             }
             // Each CRL should be signed by one of the certificates in Certs
             Set<X509CRL> crlSet = new HashSet<>();