[Poppler-bugs] [Bug 99365] Certificate chain from PDF digital signature back to trusted root certificate not verified?

bugzilla-daemon at freedesktop.org
Tue Mar 14 21:24:39 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=99365

--- Comment #5 from Luiz Angelo Daros de Luca <luizluca at gmail.com> ---
Hello,

I also got this problem with pdfsig v0.52.0.

It seems that pdfsig simply passes the signer certificate to NSS and asks "is it
valid?"

The problem is that, normally, NSS cannot verify the whole chain from the
(imported) root CA to the signer certificate because it is missing all the
intermediate CAs. If I manually import all intermediate CAs into Firefox, pdfsig
can verify the certificate correctly. However, it is not expected that the user
must import intermediate CAs before checking a certificate.

A PDF file must contain the whole certificate chain from the signer certificate
(first) up to the last CA before the root CA. It seems that pdfsig is not passing
these intermediate certificates to NSS.

I have never used NSS, but it must import all intermediate CAs into the NSS session as
non-root CAs.

-- 
You are receiving this mail because:
You are the assignee for the bug.
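
The chain-building behaviour described in the comment above, reproduced with the OpenSSL command line instead of NSS or pdfsig. This is an added example, not part of the original message or of Poppler's code; the demo PKI, the file names and the function names are constructed, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Constructed demo PKI (every name is made up): root CA -> intermediate CA -> signer.
set -eu

issue() {   # $1 = dir, $2 = new cert name, $3 = issuer name, $4 = extension section
    openssl req -config "$1/cfg" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo $2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 2 -extfile "$1/cfg" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {   # $1 = empty working directory
    cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_signer]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
EOF
    for n in root other; do   # "root" issues the chain, "other" is unrelated
        openssl req -config "$1/cfg" -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $n CA" -extensions v3_ca \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null
    done
    issue "$1" int root v3_ca          # intermediate CA
    issue "$1" signer int v3_signer    # certificate that signed the document
}

# $1 = dir, $2 = trusted root name. Only the trust store is consulted.
verify_store_only() { openssl verify -CAfile "$1/$2.pem" "$1/signer.pem" >/dev/null 2>&1; }

# Same, but the intermediate shipped with the signature is supplied as an
# untrusted chain-building candidate; it never becomes a trust anchor.
verify_with_embedded() {
    openssl verify -CAfile "$1/$2.pem" -untrusted "$1/int.pem" "$1/signer.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
verify_store_only    "$demo_dir" root  && echo "store only: OK"       || echo "store only: chain incomplete"
verify_with_embedded "$demo_dir" root  && echo "with embedded: OK"    || echo "with embedded: failed"
verify_with_embedded "$demo_dir" other && echo "untrusted root: OK?!" || echo "untrusted root: rejected"
```

The third check is the one to keep in mind when fixing a verifier: certificates taken from the signed file only help to build the path, and the path must still end at a root the user already trusts.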