diff -Nru itext-2.1.7/src/core/com/lowagie/text/pdf/OcspClientBouncyCastle.java itext-2.1.7.bouncycastle/src/core/com/lowagie/text/pdf/OcspClientBouncyCastle.java
--- itext-2.1.7/src/core/com/lowagie/text/pdf/OcspClientBouncyCastle.java 2009-06-09 10:31:05.000000000 +0200
+++ itext-2.1.7.bouncycastle/src/core/com/lowagie/text/pdf/OcspClientBouncyCastle.java 2015-06-28 03:29:55.209352087 +0200
@@ -59,20 +59,29 @@ import java.net.HttpURLConnection; import java.net.URL; import java.security.Security; +import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.Vector; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.asn1.x509.X509Extensions; -import org.bouncycastle.ocsp.BasicOCSPResp; -import org.bouncycastle.ocsp.CertificateID; -import org.bouncycastle.ocsp.CertificateStatus; -import org.bouncycastle.ocsp.OCSPException; -import org.bouncycastle.ocsp.OCSPReq; -import org.bouncycastle.ocsp.OCSPReqGenerator; -import org.bouncycastle.ocsp.OCSPResp; -import org.bouncycastle.ocsp.SingleResp; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.cert.ocsp.BasicOCSPResp; +import org.bouncycastle.cert.ocsp.CertificateID; +import org.bouncycastle.cert.ocsp.CertificateStatus; +import org.bouncycastle.cert.ocsp.OCSPException; +import org.bouncycastle.cert.ocsp.OCSPReq; +import org.bouncycastle.cert.ocsp.OCSPReqBuilder; +import org.bouncycastle.cert.ocsp.OCSPResp; +import org.bouncycastle.cert.ocsp.SingleResp; +import org.bouncycastle.operator.DigestCalculator; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorException; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; /** * OcspClient implementation using BouncyCastle. 
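Review bot: `org.bouncycastle.asn1.x509.AlgorithmIdentifier` is imported here, but no hunk in this patch uses it. The context imports `java.util.Vector`, `X509Extension` and `X509Extensions` also stay, although the next hunk removes their only visible uses in generateOCSPRequest. If nothing else in the file needs them (the rest of the file is not shown), drop all four. Keeping the old `X509Extension`/`X509Extensions` imports ties the file to the API this port is moving away from.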
@@ -107,28 +116,26 @@ * @throws OCSPException * @throws IOException */ - private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException { + private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException { //Add provider BC Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder(); + DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build(); + DigestCalculator digestCalculator = digestCalculatorProvider.get(CertificateID.HASH_SHA1); // Generate the id for the certificate we are looking for - CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber); + CertificateID id = new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuerCert), serialNumber); // basic request generation with nonce - OCSPReqGenerator gen = new OCSPReqGenerator(); + OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(id); // create details for nonce extension - Vector oids = new Vector(); - Vector values = new Vector(); + Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded())); + gen.setRequestExtensions(new Extensions(new Extension[]{ext})); - oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); - values.add(new X509Extension(false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded()))); - - gen.setRequestExtensions(new X509Extensions(oids, values)); - - return gen.generate(); + return gen.build(); } /** 
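Review bot: The new `Extension ext = ...` line still fills the OCSP nonce from `PdfEncryption.createDocumentId()`, a document-id helper whose implementation is not part of this patch. The nonce is what binds a response to this particular request, so it should be unpredictable. Unless that helper is known to be backed by a CSPRNG, generate the value directly, e.g. `byte[] nonce = new byte[16]; new SecureRandom().nextBytes(nonce);` (needs `java.security.SecureRandom`), and pass `new DEROctetString(nonce).getEncoded()` as the inner value. No visible hunk compares the nonce in the response with the one sent, so that is worth confirming in the caller, which lies outside this hunk. The widened `throws` clause likewise needs a caller that handles `OperatorException` and `CertificateEncodingException`.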
@@ -167,7 +174,7 @@ if (status == CertificateStatus.GOOD) { return basicResponse.getEncoded(); } - else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) { + else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) { throw new IOException("OCSP Status is revoked!"); } else { diff -Nru itext-2.1.7/src/core/com/lowagie/text/pdf/PdfPKCS7.java itext-2.1.7.bouncycastle/src/core/com/lowagie/text/pdf/PdfPKCS7.java --- itext-2.1.7/src/core/com/lowagie/text/pdf/PdfPKCS7.java 2015-06-28 03:29:57.603235703 +0200 +++ itext-2.1.7.bouncycastle/src/core/com/lowagie/text/pdf/PdfPKCS7.java 2015-06-28 03:18:52.706561173 +0200 @@ -113,9 +113,12 @@ import org.bouncycastle.asn1.x509.X509Extensions; import org.bouncycastle.cms.SignerInformationVerifier; import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; -import org.bouncycastle.ocsp.BasicOCSPResp; -import org.bouncycastle.ocsp.CertificateID; -import org.bouncycastle.ocsp.SingleResp; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.cert.ocsp.BasicOCSPResp; +import org.bouncycastle.cert.ocsp.CertificateID; +import org.bouncycastle.cert.ocsp.SingleResp; +import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; import org.bouncycastle.tsp.TimeStampToken; /** @@ -903,7 +906,7 @@ if (!keystore.isCertificateEntry(alias)) continue; X509Certificate certStoreX509 = (X509Certificate)keystore.getCertificate(alias); - if (ocsp.verify(certStoreX509.getPublicKey(), provider)) + if (ocsp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(provider).build(certStoreX509.getPublicKey()))) return true; } catch (Exception ex) { 
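Review bot: In the PdfPKCS7 hunk at `-903,7 +906,7`, the OCSP response is accepted as soon as its signature verifies under the public key of any certificate entry in the keystore. Nothing on the visible lines checks that the matching certificate is authorised to sign OCSP responses for the issuer in question. That behaviour predates this port, but the rewritten line is the place to document it, e.g. `// NOTE: any trusted certificate entry is accepted as OCSP signer; responder authorisation (issuer match or id-kp-OCSPSigning) is not checked here`. The verifier provider is also built inside the `try`, so a builder failure such as an unknown provider lands in the same `catch (Exception ex)` as a bad signature. The handler body is outside the hunk, so confirm it does not hide that case silently.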
@@ -997,7 +1000,8 @@
 CertificateID cid = sr.getCertID();
 X509Certificate sigcer = getSigningCertificate();
 X509Certificate isscer = cs[1];
- CertificateID tis = new CertificateID(CertificateID.HASH_SHA1, isscer, sigcer.getSerialNumber());
+ CertificateID tis = new CertificateID(
+ new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(isscer), sigcer.getSerialNumber());
 return tis.equals(cid);
 }
 catch (Exception ex) {
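Review bot: `tis.equals(cid)` only matches when the responder built its CertID with the same SHA-1 AlgorithmIdentifier that `CertificateID.HASH_SHA1` encodes, so a response that identifies the certificate with a different digest is reported as not matching. The comparison fails closed (`equals` returns false rather than producing a false match), but it will reject otherwise valid responses. Consider comparing the serial number and letting BouncyCastle hash the issuer with the algorithm the response itself uses: `return cid.getSerialNumber().equals(sigcer.getSerialNumber()) && cid.matchesIssuer(new JcaX509CertificateHolder(isscer), new JcaDigestCalculatorProviderBuilder().build());`. The enclosing method and the body of `catch (Exception ex)` lie outside the hunk.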