Don't sign if it remain less than hour till CRL expiration (clock dev…

…iation safety margin).
vovodroid · Jun 4, 2015 · de56df1 · de56df1
1 parent 74312c8
commit de56df1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/res/net/sf/jsignpdf/translations/messages.properties b/res/net/sf/jsignpdf/translations/messages.properties
@@ -183,7 +183,7 @@ hlp.bgScale            = background image scale for visible signatures. Insert p
 hlp.certLevel          = level of certification. Default value is NOT_CERTIFIED. Available values are {0}
 hlp.contact            = signer's contact details (a signature field)
 hlp.crl                = enable CRL certificate validation
-hlp.crlCache           = enable CRL cache and use this folder
+hlp.crlCache           = enable CRL cache and use this folder (no proxy support)
 hlp.crlCacheTime       = validity time for cached CRL, hours, default 24
 hlp.disableAcro6Layers = disables the Acrobat 6 layer mode i.e. all signature layers will be created. Acrobat 6.0 and higher recommends that only layer n2 and n4 be present.
 hlp.disableAnnot       = deny modify annotations in encrypted documents

diff --git a/src/net/sf/jsignpdf/crl/CRLInfo.java b/src/net/sf/jsignpdf/crl/CRLInfo.java
@@ -53,6 +53,7 @@
 
 import org.apache.commons.io.input.CountingInputStream;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.time.DurationFormatUtils;
 import org.apache.log4j.Logger;
 import org.bouncycastle.asn1.DERString;
 import org.bouncycastle.asn1.x509.CRLDistPoint;
@@ -63,6 +64,8 @@
 import org.bouncycastle.asn1.x509.X509Extension;
 import org.bouncycastle.x509.extension.X509ExtensionUtil;
 
+import sun.security.x509.X509CRLImpl;
+
 /**
  * Helper bean for holding CRL related data.
  * 
@@ -118,7 +121,7 @@ public long getByteCount() throws Exception {
   private FileInputStream getCrlStream(String urlStr) throws FileNotFoundException
   {
     File cache = new File(options.getCrlCache()+"/"+urlStr.replaceAll("[:/]", "_")+".crl"); 
-    long age = ((new Date()).getTime() - cache.lastModified())/1000/3600;
+    long age = (System.currentTimeMillis() - cache.lastModified())/1000/3600;
 
   	if (age >= options.getCrlCacheTime()) {
   		LOGGER.info(RES.get("console.crlinfo.loadCrl", urlStr));
@@ -169,6 +172,11 @@ private void initCrls() throws Exception {
       final CertificateFactory cf = CertificateFactory.getInstance(Constants.CERT_TYPE_X509);
       final CRL crl = cf.generateCRL(inStream);
 
+	  long msec_till_update = ( ((X509CRLImpl)crl).getNextUpdate().getTime() - System.currentTimeMillis());
+
+      if (msec_till_update < 3600 * 1000)
+    	  throw new CRLException("CRL expires in less than hour");
+
 	  if (inStream instanceof CountingInputStream)
 	    tmpBytesRead = ((CountingInputStream)inStream).getByteCount();