[poppler] poppler/Form.cc poppler/Form.h poppler/SignatureHandler.cc poppler/SignatureHandler.h qt5/src qt6/src utils/pdfsig.1 utils/pdfsig.cc

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Sep 21 08:33:52 UTC 2021


 poppler/Form.cc             |    8 ++++----
 poppler/Form.h              |    4 ++--
 poppler/SignatureHandler.cc |   10 +++++++---
 poppler/SignatureHandler.h  |    4 ++--
 qt5/src/poppler-form.cc     |    2 +-
 qt5/src/poppler-form.h      |    1 +
 qt6/src/poppler-form.cc     |    2 +-
 qt6/src/poppler-form.h      |    1 +
 utils/pdfsig.1              |   10 ++++++++--
 utils/pdfsig.cc             |    4 +++-
 10 files changed, 30 insertions(+), 16 deletions(-)

New commits:
commit d90f153e70b5a2f58d48c3381e7e26a40a891047
Author: Albert Astals Cid <aacid at kde.org>
Date:   Mon Sep 20 14:41:13 2021 +0200

    SignatureHandler::validateCertificate: Add option to not do OCSP revocaction check
    
    OCSP contacts the internet so we may not want to do it either because
    the device doesn't have internet or because we don't want to "leak"
    information that we're validating something.

diff --git a/poppler/Form.cc b/poppler/Form.cc
index 66b52860..2e1bbc98 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -538,9 +538,9 @@ const GooString *FormWidgetSignature::getSignature() const
     return static_cast<FormFieldSignature *>(field)->getSignature();
 }
 
-SignatureInfo *FormWidgetSignature::validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime)
+SignatureInfo *FormWidgetSignature::validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime, bool ocspRevocationCheck)
 {
-    return static_cast<FormFieldSignature *>(field)->validateSignature(doVerifyCert, forceRevalidation, validationTime);
+    return static_cast<FormFieldSignature *>(field)->validateSignature(doVerifyCert, forceRevalidation, validationTime, ocspRevocationCheck);
 }
 
 #ifdef ENABLE_NSS3
@@ -2141,7 +2141,7 @@ void FormWidgetSignature::setSignatureType(FormSignatureType fst)
     static_cast<FormFieldSignature *>(field)->setSignatureType(fst);
 }
 
-SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime)
+SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime, bool ocspRevocationCheck)
 {
 #ifdef ENABLE_NSS3
     if (signature_info->getSignatureValStatus() != SIGNATURE_NOT_VERIFIED && !forceRevalidation) {
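Review bot: The cached-result guard at the top of FormFieldSignature::validateSignature (`getSignatureValStatus() != SIGNATURE_NOT_VERIFIED && !forceRevalidation`) ignores the new ocspRevocationCheck argument. The body continues outside this hunk, but that branch appears to return the stored signature_info. If so, a caller that first validates with OCSP disabled and later asks for OCSP enabled gets the earlier answer, with no online revocation check, unless it also passes forceRevalidation. Either remember which flag produced the cached result and revalidate when it differs, or state the requirement, e.g. `// A cached result is returned as-is; pass forceRevalidation when changing ocspRevocationCheck`. The Qt validate() wrappers in qt5/src and qt6/src forward to this function and inherit the behaviour.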
@@ -2212,7 +2212,7 @@ SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool for
         return signature_info;
     }
 
-    const CertificateValidationStatus cert_val_state = signature_handler.validateCertificate(validationTime);
+    const CertificateValidationStatus cert_val_state = signature_handler.validateCertificate(validationTime, ocspRevocationCheck);
     signature_info->setCertificateValStatus(cert_val_state);
     signature_info->setCertificateInfo(signature_handler.getCertificateInfo());
 
diff --git a/poppler/Form.h b/poppler/Form.h
index 8e4239f7..572b035f 100644
--- a/poppler/Form.h
+++ b/poppler/Form.h
@@ -296,7 +296,7 @@ public:
     void setSignatureType(FormSignatureType fst);
 
     // Use -1 for now as validationTime
-    SignatureInfo *validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime);
+    SignatureInfo *validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime, bool ocspRevocationCheck);
 
     // returns a list with the boundaries of the signed ranges
     // the elements of the list are of type Goffset
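Review bot: The comment above this declaration still documents only validationTime, so the new fourth parameter is an undocumented positional bool next to two others. Something like `// ocspRevocationCheck: if false, no OCSP responder is contacted (no network traffic); a certificate revoked since the local revocation data was updated may then still validate` would make the trade-off visible at the call site. The same applies to FormFieldSignature::validateSignature in the second hunk of this file and to SignatureHandler::validateCertificate in SignatureHandler.h.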
@@ -596,7 +596,7 @@ public:
     FormFieldSignature(PDFDoc *docA, Object &&dict, const Ref ref, FormField *parent, std::set<int> *usedParents);
 
     // Use -1 for now as validationTime
-    SignatureInfo *validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime);
+    SignatureInfo *validateSignature(bool doVerifyCert, bool forceRevalidation, time_t validationTime, bool ocspRevocationCheck);
 
     // returns a list with the boundaries of the signed ranges
     // the elements of the list are of type Goffset
diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
index f860c0b6..f4a3bbc5 100644
--- a/poppler/SignatureHandler.cc
+++ b/poppler/SignatureHandler.cc
@@ -6,7 +6,7 @@
 //
 // Copyright 2015, 2016 André Guerreiro <aguerreiro1985 at gmail.com>
 // Copyright 2015 André Esser <bepandre at hotmail.com>
-// Copyright 2015, 2016, 2018, 2019 Albert Astals Cid <aacid at kde.org>
+// Copyright 2015, 2016, 2018, 2019, 2021 Albert Astals Cid <aacid at kde.org>
 // Copyright 2015 Markus Kilås <digital at markuspage.com>
 // Copyright 2017 Sebastian Rasmussen <sebras at gmail.com>
 // Copyright 2017 Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
@@ -944,7 +944,7 @@ SignatureValidationStatus SignatureHandler::validateSignature()
     }
 }
 
-CertificateValidationStatus SignatureHandler::validateCertificate(time_t validation_time)
+CertificateValidationStatus SignatureHandler::validateCertificate(time_t validation_time, bool ocspRevocationCheck)
 {
     CERTCertificate *cert;
 
@@ -959,7 +959,11 @@ CertificateValidationStatus SignatureHandler::validateCertificate(time_t validat
         vTime = 1000000 * (PRTime)validation_time;
     CERTValInParam inParams[3];
     inParams[0].type = cert_pi_revocationFlags;
-    inParams[0].value.pointer.revocation = CERT_GetClassicOCSPEnabledSoftFailurePolicy();
+    if (ocspRevocationCheck) {
+        inParams[0].value.pointer.revocation = CERT_GetClassicOCSPEnabledSoftFailurePolicy();
+    } else {
+        inParams[0].value.pointer.revocation = CERT_GetClassicOCSPDisabledPolicy();
+    }
     inParams[1].type = cert_pi_date;
     inParams[1].value.scalar.time = vTime;
     inParams[2].type = cert_pi_end;
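Review bot: Neither branch of the new `if (ocspRevocationCheck)` leaves a trace in the returned CertificateValidationStatus. A caller therefore cannot tell a certificate whose revocation status was checked online from one where the check was skipped. The enabled branch is also the soft-failure policy, which, going by its name, does not fail validation when the responder cannot be reached, so the two branches differ less than the parameter name suggests. A comment here would help the next reader: `// Soft-fail OCSP: an unreachable responder does not fail validation; with ocspRevocationCheck false no responder is contacted at all`. validateCertificate starts and ends outside this hunk.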
diff --git a/poppler/SignatureHandler.h b/poppler/SignatureHandler.h
index c4d24c92..32277898 100644
--- a/poppler/SignatureHandler.h
+++ b/poppler/SignatureHandler.h
@@ -6,7 +6,7 @@
 //
 // Copyright 2015 André Guerreiro <aguerreiro1985 at gmail.com>
 // Copyright 2015 André Esser <bepandre at hotmail.com>
-// Copyright 2015, 2017, 2019 Albert Astals Cid <aacid at kde.org>
+// Copyright 2015, 2017, 2019, 2021 Albert Astals Cid <aacid at kde.org>
 // Copyright 2017 Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
 // Copyright 2018 Chinmoy Ranjan Pradhan <chinmoyrp65 at protonmail.com>
 // Copyright 2018 Oliver Sander <oliver.sander at tu-dresden.de>
@@ -55,7 +55,7 @@ public:
     void restartHash();
     SignatureValidationStatus validateSignature();
     // Use -1 as validation_time for now
-    CertificateValidationStatus validateCertificate(time_t validation_time);
+    CertificateValidationStatus validateCertificate(time_t validation_time, bool ocspRevocationCheck);
     std::unique_ptr<X509CertificateInfo> getCertificateInfo() const;
     static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCertificates();
     std::unique_ptr<GooString> signDetached(const char *password) const;
diff --git a/qt5/src/poppler-form.cc b/qt5/src/poppler-form.cc
index 326a59b5..b07f97e2 100644
--- a/qt5/src/poppler-form.cc
+++ b/qt5/src/poppler-form.cc
@@ -980,7 +980,7 @@ SignatureValidationInfo FormFieldSignature::validate(int opt, const QDateTime &v
 {
     FormWidgetSignature *fws = static_cast<FormWidgetSignature *>(m_formData->fm);
     const time_t validationTimeT = validationTime.isValid() ? validationTime.toSecsSinceEpoch() : -1;
-    SignatureInfo *si = fws->validateSignature(opt & ValidateVerifyCertificate, opt & ValidateForceRevalidation, validationTimeT);
+    SignatureInfo *si = fws->validateSignature(opt & ValidateVerifyCertificate, opt & ValidateForceRevalidation, validationTimeT, !(opt & ValidateWithoutOCSPRevocationCheck));
 
     // get certificate info
     const X509CertificateInfo *ci = si->getCertificateInfo();
diff --git a/qt5/src/poppler-form.h b/qt5/src/poppler-form.h
index 386df7de..dce89632 100644
--- a/qt5/src/poppler-form.h
+++ b/qt5/src/poppler-form.h
@@ -787,6 +787,7 @@ public:
     {
         ValidateVerifyCertificate = 1, ///< Validate the certificate.
         ValidateForceRevalidation = 2, ///< Force revalidation of the certificate.
+        ValidateWithoutOCSPRevocationCheck = 4 ///< Do not contact OCSP servers to check for certificate revocation status \since 21.10
     };
 
     /// \cond PRIVATE
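Review bot: The Doxygen text for `ValidateWithoutOCSPRevocationCheck` says what is skipped but not what that means for the result. Going by the pdfsig.1 text in this commit, local CRLs are still consulted, so the comment could read `///< Do not contact OCSP servers; revocation is checked only against locally available CRLs, so a recently revoked certificate may still be reported as trusted. \since 21.10`. The identical enumerator in qt6/src/poppler-form.h needs the same wording.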
diff --git a/qt6/src/poppler-form.cc b/qt6/src/poppler-form.cc
index 58e84110..cc947055 100644
--- a/qt6/src/poppler-form.cc
+++ b/qt6/src/poppler-form.cc
@@ -980,7 +980,7 @@ SignatureValidationInfo FormFieldSignature::validate(int opt, const QDateTime &v
 {
     FormWidgetSignature *fws = static_cast<FormWidgetSignature *>(m_formData->fm);
     const time_t validationTimeT = validationTime.isValid() ? validationTime.toSecsSinceEpoch() : -1;
-    SignatureInfo *si = fws->validateSignature(opt & ValidateVerifyCertificate, opt & ValidateForceRevalidation, validationTimeT);
+    SignatureInfo *si = fws->validateSignature(opt & ValidateVerifyCertificate, opt & ValidateForceRevalidation, validationTimeT, !(opt & ValidateWithoutOCSPRevocationCheck));
 
     // get certificate info
     const X509CertificateInfo *ci = si->getCertificateInfo();
diff --git a/qt6/src/poppler-form.h b/qt6/src/poppler-form.h
index 9704f847..94b75c9d 100644
--- a/qt6/src/poppler-form.h
+++ b/qt6/src/poppler-form.h
@@ -739,6 +739,7 @@ public:
     {
         ValidateVerifyCertificate = 1, ///< Validate the certificate.
         ValidateForceRevalidation = 2, ///< Force revalidation of the certificate.
+        ValidateWithoutOCSPRevocationCheck = 4 ///< Do not contact OCSP servers to check for certificate revocation status \since 21.10
     };
 
     /// \cond PRIVATE
diff --git a/utils/pdfsig.1 b/utils/pdfsig.1
index dac1fe3b..09b6be52 100644
--- a/utils/pdfsig.1
+++ b/utils/pdfsig.1
@@ -17,8 +17,11 @@ the type of the signature as stated in the PDF and
 the signed ranges with a statement wether the total document is signed.
 It can also sign PDF documents (options -add-signature or -sign).
 .PP
-The signer certificate validation uses the trusted certificates stored in the
-Network Security Services (NSS) Database. The NSS Database is searched for in the following locations:
+pdfsig uses the trusted certificates stored in the Network Security Services (NSS) Database.
+.PP
+pdfsig also uses the Online Certificate Status Protocol (OCSP) (refer to http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) to look up the certificate online and check if it has been revoked (unless -no-ocsp has been specified).
+.PP
+The NSS Database is searched for in the following locations:
 .IP \(bu
 If the \-nssdir option is specified, the directory specified by this option.
 .IP \(bu
@@ -40,6 +43,9 @@ Specify the password needed to access the NSS database (if any).
 .B \-nocert
 Do not validate the certificate.
 .TP
+.B \-no-ocsp
+Do not perform online OCSP certificate revocation check (local Certificate Revocation Lists (CRL) are still used).
+.TP
 .B \-dump
 Dump all signatures into current directory.
 .TP
diff --git a/utils/pdfsig.cc b/utils/pdfsig.cc
index cf2c3d6d..3849387c 100644
--- a/utils/pdfsig.cc
+++ b/utils/pdfsig.cc
@@ -129,6 +129,7 @@ static GooString nssPassword;
 static bool printVersion = false;
 static bool printHelp = false;
 static bool dontVerifyCert = false;
+static bool noOCSPRevocationCheck = false;
 static bool dumpSignatures = false;
 static bool etsiCAdESdetached = false;
 static int signatureNumber = 0;
@@ -143,6 +144,7 @@ static GooString newSignatureFieldName;
 static const ArgDesc argDesc[] = { { "-nssdir", argGooString, &nssDir, 0, "path to directory of libnss3 database" },
                                    { "-nss-pwd", argGooString, &nssPassword, 0, "password to access the NSS database (if any)" },
                                    { "-nocert", argFlag, &dontVerifyCert, 0, "don't perform certificate validation" },
+                                   { "-no-ocsp", argFlag, &noOCSPRevocationCheck, 0, "don't perform online OCSP certificate revocation check" },
                                    { "-dump", argFlag, &dumpSignatures, 0, "dump all signatures into current directory" },
                                    { "-add-signature", argFlag, &addNewSignature, 0, "adds a new signature to the document" },
                                    { "-new-signature-field-name", argGooString, &newSignatureFieldName, 0, "field name used for the newly added signature. A random ID will be used if empty" },
@@ -395,7 +397,7 @@ int main(int argc, char *argv[])
     }
 
     for (unsigned int i = 0; i < sigCount; i++) {
-        const SignatureInfo *sig_info = signatures.at(i)->validateSignature(!dontVerifyCert, false, -1 /* now */);
+        const SignatureInfo *sig_info = signatures.at(i)->validateSignature(!dontVerifyCert, false, -1 /* now */, !noOCSPRevocationCheck);
         printf("Signature #%u:\n", i + 1);
         printf("  - Signer Certificate Common Name: %s\n", sig_info->getSignerName());
         printf("  - Signer full Distinguished Name: %s\n", sig_info->getSubjectDN());
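Review bot: The per-signature report that follows this call gives no indication of whether the online revocation check ran, at least in the printf lines visible here. The rest of the loop is outside the hunk. Output produced with `-no-ocsp` would then look the same as a fully checked result when it is archived or compared later. Consider printing one extra line when the flag is set, e.g. `if (noOCSPRevocationCheck) printf("  - OCSP revocation check: skipped (-no-ocsp)\n");`, placed next to the certificate validation line. The help string added to argDesc could also mention, as the man page does, that local CRLs are still used.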

