feat(core): check validity of signer certificate before signing

author: Thomas <> 2023-11-07 15:20:49 +0100
committer: Thomas <> 2023-11-07 15:20:49 +0100
commit: dd3da582f803f21abd4480413f2d288a22f102c5 (patch)
tree: b6b909f24f40ed03cae90852273ad8ea29f9a687
parent: 79e0ad14f12bf4a3b46e9bb1cdd4f152c9274a43 (diff)
download: pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.tar.gz
pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.tar.bz2
pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.zip
2 files changed, 21 insertions, 2 deletions
diff --git a/pdf-as-common/src/main/resources/resources/messages/error.properties b/pdf-as-common/src/main/resources/resources/messages/error.properties
index 6ed97e59..dd873f1e 100644
--- a/pdf-as-common/src/main/resources/resources/messages/error.properties
+++ b/pdf-as-common/src/main/resources/resources/messages/error.properties
@@ -22,6 +22,7 @@
 11018=Given Alias contains no private key
 11019=Signature was created for wrong certificate
 11020=Failed to process PDF document. Reason: {0} 
+11021=Signer certificate is not valid, because notBefore or notAfter does not match 
 
 13001=Invalid Configuration Objects
 13002=Given certificate is invalid
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java
index 1235e4e7..ebd8ec90 100644
--- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java
+++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java
@@ -27,6 +27,7 @@ import java.awt.Image;
 import java.io.File;
 import java.io.IOException;
 import java.util.Calendar;
+import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 
@@ -165,8 +166,9 @@ public class PdfAsImpl implements PdfAs, IConfigurationConstants,
 
       status.setRequestedSignature(requestedSignature);
 
-      try {
-        requestedSignature.setCertificate(status.getSignParamter().getPlainSigner().getCertificate(parameter));
+      try {        
+        requestedSignature.setCertificate(getValidCertificate(
+            status.getSignParamter().getPlainSigner().getCertificate(parameter)));
 
       } finally {
         if (parameter instanceof BKUHeaderHolder) {
@@ -267,6 +269,22 @@ public class PdfAsImpl implements PdfAs, IConfigurationConstants,
     }
   }
 
+  private X509Certificate getValidCertificate(X509Certificate certificate) throws PDFASError {
+    Date notAfter = certificate.getNotAfter();
+    Date notBefore = certificate.getNotBefore();
+    Date now = new Date();
+    
+    if (now.after(notAfter) || now.before(notBefore)) {
+      logger.warn("Signer certificate is not valid. notBefore:{} | notAfter:{} | now:{}",
+          notBefore, notAfter, now);
+      throw new PDFASError(11021);
+      
+    } else {
+      return certificate;
+      
+    }
+  }
+
   @Override
   public List<VerifyResult> verify(VerifyParameter parameter)
       throws PDFASError {
author	Thomas <>	2023-11-07 15:20:49 +0100
committer	Thomas <>	2023-11-07 15:20:49 +0100
commit	dd3da582f803f21abd4480413f2d288a22f102c5 (patch)
tree	b6b909f24f40ed03cae90852273ad8ea29f9a687
parent	79e0ad14f12bf4a3b46e9bb1cdd4f152c9274a43 (diff)
download	pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.tar.gz pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.tar.bz2 pdf-as-4-dd3da582f803f21abd4480413f2d288a22f102c5.zip