Signature plugin: fix unable to get CRL error

2022-05-08 16:30:03 +02:00 · 2022-05-08 16:30:03 +02:00 · e492b53a7b
parent 27bed729b5
commit e492b53a7b
2 changed files with 21 additions and 1 deletions
--- a/Pdf4QtLib/sources/pdfsignaturehandler.cpp
+++ b/Pdf4QtLib/sources/pdfsignaturehandler.cpp
@ -348,6 +348,15 @@ void PDFSignatureVerificationResult::addCertificateQualifiedStatementNotVerified
    }
 }

+void PDFSignatureVerificationResult::addCertificateUnableToGetCRLWarning()
+{
+    if (!m_flags.testFlag(Warning_Certificate_UnableToGetCRL))
+    {
+        m_flags.setFlag(Warning_Certificate_UnableToGetCRL);
+        m_warnings << PDFTranslationContext::tr("Unable to get CRL.");
+    }
+}
+
 void PDFSignatureVerificationResult::setSignatureFieldQualifiedName(const QString& signatureFieldQualifiedName)
 {
    m_signatureFieldQualifiedName = signatureFieldQualifiedName;
@ -977,6 +986,15 @@ int PDFSignatureHandler_ETSI_base::verifyCallback(int ok, X509_STORE_CTX* contex
            return 1;
        }

+        case X509_V_ERR_UNABLE_TO_GET_CRL:
+        {
+            // We will treat this as only warning. It means that
+            // CRL cannot be downloaded or other error occured.
+            s_ETSI_currentResult->addCertificateUnableToGetCRLWarning();
+            X509_STORE_CTX_set_error(context, X509_V_OK);
+            return 1;
+        }
+
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
        {
            // We must handle all critical extensions manually
--- a/Pdf4QtLib/sources/pdfsignaturehandler.h
+++ b/Pdf4QtLib/sources/pdfsignaturehandler.h
@ -319,6 +319,7 @@ public:
        Warning_Signature_NotCoveredBytes               = 0x00200000,  ///< Some bytes in source data are not covered by signature
        Warning_Certificate_CRLValidityTimeExpired      = 0x00400000,  ///< Certificate revocation list was not checked, because it's validity expired
        Warning_Certificate_QualifiedStatement          = 0x00800000,  ///< Qualified certificate statement not verified
+        Warning_Certificate_UnableToGetCRL              = 0x01000000,  ///< Unable to get CRL

        Error_Certificates_Mask = Error_Certificate_Invalid | Error_Certificate_NoSignatures | Error_Certificate_Missing | Error_Certificate_Generic |
                                  Error_Certificate_Expired | Error_Certificate_SelfSigned | Error_Certificate_SelfSignedChain | Error_Certificate_TrustedNotFound |
@ -327,7 +328,7 @@ public:
        Error_Signatures_Mask = Error_Signature_Invalid | Error_Signature_SourceCertificateMissing | Error_Signature_NoSignaturesFound |
                                Error_Signature_DigestFailure | Error_Signature_DataOther | Error_Signature_DataCoveredBySignatureMissing,

-        Warning_Certificates_Mask = Warning_Certificate_CRLValidityTimeExpired | Warning_Certificate_QualifiedStatement,
+        Warning_Certificates_Mask = Warning_Certificate_CRLValidityTimeExpired | Warning_Certificate_QualifiedStatement | Warning_Certificate_UnableToGetCRL,
        Warning_Signatures_Mask = Warning_Signature_NotCoveredBytes,

        Warnings_Mask = Warning_Certificates_Mask | Warning_Signatures_Mask
@ -361,6 +362,7 @@ public:
    void addSignatureNotCoveredBytesWarning(PDFInteger count);
    void addCertificateCRLValidityTimeExpiredWarning();
    void addCertificateQualifiedStatementNotVerifiedWarning();
+    void addCertificateUnableToGetCRLWarning();

    bool isValid() const { return hasFlag(OK); }
    bool isCertificateValid() const { return hasFlag(Certificate_OK); }