Package eu.europa.esig.dss.validation
Class CommonCertificateVerifier
- java.lang.Object
  - eu.europa.esig.dss.validation.CommonCertificateVerifier
- All Implemented Interfaces: CertificateVerifier
public class CommonCertificateVerifier extends Object implements CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source.
The DataLoader should be provided to give access to the certificates through AIA.
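As an added configuration example (not code from the DSS project or from this page), the snippet below wires the four sources described above into a CommonCertificateVerifier through the four-argument constructor and then sets the strictness flags documented under Method Detail. The source implementations and package names (CommonTrustedCertificateSource, CommonCertificateSource, OnlineCRLSource, OnlineOCSPSource, CommonsDataLoader, DSSUtils) are assumed from DSS 5.x and differ between releases; the two certificate files are placeholders.

```java
import java.io.File;

import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

/**
 * Builds a CommonCertificateVerifier configured for strict validation.
 * Class and package names other than CommonCertificateVerifier are assumed
 * from DSS 5.x and may differ in other releases.
 */
public final class StrictVerifierFactory {

    private StrictVerifierFactory() {
    }

    public static CommonCertificateVerifier build(File trustAnchorPem, File intermediatePem) {
        // 1. Trusted certificates source: only roots you actually trust go here,
        //    because everything in this source becomes a trust anchor.
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        CertificateToken root = DSSUtils.loadCertificate(trustAnchorPem); // placeholder file
        trusted.addCertificate(root);

        // 2. Adjunct certificates source: untrusted helpers (missing CA certificates)
        //    used for chain building only, never as anchors.
        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(DSSUtils.loadCertificate(intermediatePem)); // placeholder file

        // 3/4. Online CRL and OCSP sources sharing one HTTP data loader,
        //      which also serves AIA retrieval.
        CommonsDataLoader dataLoader = new CommonsDataLoader();
        OnlineCRLSource crlSource = new OnlineCRLSource(dataLoader);
        OnlineOCSPSource ocspSource = new OnlineOCSPSource(dataLoader);

        CommonCertificateVerifier verifier =
                new CommonCertificateVerifier(trusted, crlSource, ocspSource, dataLoader);
        verifier.setAdjunctCertSource(adjunct);

        // Make the strict defaults explicit: fail, not merely warn, on missing
        // revocation data, revoked certificates and invalid timestamps.
        verifier.setExceptionOnMissingRevocationData(true);
        verifier.setExceptionOnRevokedCertificate(true);
        verifier.setExceptionOnInvalidTimestamp(true);

        // Both are off by default: enabling them also checks revocation for chains
        // that do not end in a trust anchor, and requires revocation data issued
        // after the bestSignatureTime.
        verifier.setCheckRevocationForUntrustedChains(true);
        verifier.setExceptionOnNoRevocationAfterBestSignatureTime(true);

        // Export raw tokens into the diagnostic data so a rejected signature can
        // be re-examined offline during incident review.
        verifier.setIncludeCertificateTokenValues(true);
        verifier.setIncludeCertificateRevocationValues(true);
        verifier.setIncludeTimestampTokenValues(true);
        return verifier;
    }
}
```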
Constructor Summary
- CommonCertificateVerifier(): The default constructor.
- CommonCertificateVerifier(boolean simpleCreationOnly): This constructor creates a CommonCertificateVerifier without a DataLoader.
- CommonCertificateVerifier(CertificateSource trustedCertSource, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader): The constructor with key parameters.
Method Summary
- CertificatePool createValidationPool(): Creates the validation pool of certificates which is used during the validation process.
- CertificateSource getAdjunctCertSource(): Returns the adjunct certificates source associated with this verifier.
- CRLSource getCrlSource(): Returns the CRL source associated with this verifier.
- DataLoader getDataLoader(): Returns the data loader used to access the AIA certificate source.
- DigestAlgorithm getDefaultDigestAlgorithm(): Returns the default digest algorithm that will be used for digest calculation.
- OCSPSource getOcspSource(): Returns the OCSP source associated with this verifier.
- ListCRLSource getSignatureCRLSource(): Returns the CRL source (information extracted from signatures).
- ListOCSPSource getSignatureOCSPSource(): Returns the OCSP source (information extracted from signatures).
- CertificateSource getTrustedCertSource(): Returns the trusted certificates source associated with this verifier.
- boolean isCheckRevocationForUntrustedChains(): Returns true if revocation checking is enabled for untrusted certificate chains.
- boolean isExceptionOnInvalidTimestamp(): Returns true if an exception needs to be thrown on an invalid timestamp.
- boolean isExceptionOnMissingRevocationData(): Returns true if an exception needs to be thrown on missing revocation data.
- boolean isExceptionOnNoRevocationAfterBestSignatureTime(): Returns true if an exception needs to be thrown when no revocation data with an issuance time after the bestSignatureTime is obtained.
- boolean isExceptionOnRevokedCertificate(): Returns true if an exception needs to be thrown on a revoked certificate.
- boolean isExceptionOnUncoveredPOE(): Returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- boolean isIncludeCertificateRevocationValues(): Returns true if the revocation data need to be exported in the diagnostic data report.
- boolean isIncludeCertificateTokenValues(): Returns true if the certificate tokens need to be exported in the diagnostic data report.
- boolean isIncludeTimestampTokenValues(): Returns true if the timestamp tokens need to be exported in the diagnostic data report.
- void setAdjunctCertSource(CertificateSource adjunctCertSource): Associates an adjunct certificates source with this verifier.
- void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains): Enables revocation checking for untrusted certificate chains (default: false).
- void setCrlSource(CRLSource crlSource): Defines the source of CRL used by this class.
- void setDataLoader(DataLoader dataLoader): Sets the data loader used to access the AIA certificate source.
- void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm): Changes the digest algorithm that will be used for tokens' digest calculation.
- void setExceptionOnInvalidTimestamp(boolean throwExceptionOnInvalidTimestamp): Changes the behavior on an invalid timestamp (LT/LTA augmentation).
- void setExceptionOnMissingRevocationData(boolean throwExceptionOnMissingRevocationData): Changes the behavior on missing revocation data (LT/LTA augmentation).
- void setExceptionOnNoRevocationAfterBestSignatureTime(boolean exceptionOnNoRevocationAfterBestSignatureTime): Changes the behavior on revocation data issued after a control time.
- void setExceptionOnRevokedCertificate(boolean exceptionOnRevokedCertificate): Changes the behavior on revoked certificates (LT/LTA augmentation).
- void setExceptionOnUncoveredPOE(boolean exceptionOnUncoveredPOE): Changes the behavior on an uncovered POE (timestamp).
- void setIncludeCertificateRevocationValues(boolean include): Changes the behavior by including raw revocation data in the diagnostic data report.
- void setIncludeCertificateTokenValues(boolean includeCertificateTokens): Changes the behavior by including raw certificate tokens in the diagnostic data report.
- void setIncludeTimestampTokenValues(boolean include): Changes the behavior by including raw timestamp tokens in the diagnostic data report.
- void setOcspSource(OCSPSource ocspSource): Defines the source of OCSP used by this class.
- void setSignatureCRLSource(ListCRLSource signatureCRLSource): Sets the CRL source (information extracted from signatures).
- void setSignatureOCSPSource(ListOCSPSource signatureOCSPSource): Sets the OCSP source (information extracted from signatures).
- void setTrustedCertSource(CertificateSource trustedCertSource): Sets the trusted certificates source.
Constructor Detail

CommonCertificateVerifier
public CommonCertificateVerifier()
The default constructor. The DataLoader is created to allow the retrieval of certificates through AIA.

CommonCertificateVerifier
public CommonCertificateVerifier(boolean simpleCreationOnly)
This constructor creates a CommonCertificateVerifier without a DataLoader. This means that only profile -B signatures can be created.
- Parameters: simpleCreationOnly - if true, the CommonCertificateVerifier will not contain a DataLoader.

CommonCertificateVerifier
public CommonCertificateVerifier(CertificateSource trustedCertSource, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader)
The constructor with key parameters.
- Parameters:
  - trustedCertSource - the reference to the trusted certificate source.
  - crlSource - contains the reference to the CRLSource.
  - ocspSource - contains the reference to the OCSPSource.
  - dataLoader - contains the reference to a data loader used to access the AIA certificate source.
Method Detail

getTrustedCertSource
public CertificateSource getTrustedCertSource()
Description copied from interface: CertificateVerifier
Returns the trusted certificates source associated with this verifier. This source is used to identify the trusted anchors.
- Specified by: getTrustedCertSource in interface CertificateVerifier
- Returns: the certificate source which contains trusted certificates

getOcspSource
public OCSPSource getOcspSource()
Description copied from interface: CertificateVerifier
Returns the OCSP source associated with this verifier.
- Specified by: getOcspSource in interface CertificateVerifier
- Returns: the used OCSP source for external access (web, filesystem, cached, ...)

getCrlSource
public CRLSource getCrlSource()
Description copied from interface: CertificateVerifier
Returns the CRL source associated with this verifier.
- Specified by: getCrlSource in interface CertificateVerifier
- Returns: the used CRL source for external access (web, filesystem, cached, ...)
setCrlSource
public void setCrlSource(CRLSource crlSource)
Description copied from interface: CertificateVerifier
Defines the source of CRL used by this class.
- Specified by: setCrlSource in interface CertificateVerifier
- Parameters: crlSource - the CRL source to set for external access (web, filesystem, cached, ...)

setOcspSource
public void setOcspSource(OCSPSource ocspSource)
Description copied from interface: CertificateVerifier
Defines the source of OCSP used by this class.
- Specified by: setOcspSource in interface CertificateVerifier
- Parameters: ocspSource - the OCSP source to set for external access (web, filesystem, cached, ...)

setTrustedCertSource
public void setTrustedCertSource(CertificateSource trustedCertSource)
Description copied from interface: CertificateVerifier
Sets the trusted certificates source.
- Specified by: setTrustedCertSource in interface CertificateVerifier
- Parameters: trustedCertSource - the certificates source with known trusted certificates
getAdjunctCertSource
public CertificateSource getAdjunctCertSource()
Description copied from interface: CertificateVerifier
Returns the adjunct certificates source associated with this verifier.
- Specified by: getAdjunctCertSource in interface CertificateVerifier
- Returns: the certificate source which contains additional certificates (missing CA, ...)

setAdjunctCertSource
public void setAdjunctCertSource(CertificateSource adjunctCertSource)
Description copied from interface: CertificateVerifier
Associates an adjunct certificates source with this verifier.
- Specified by: setAdjunctCertSource in interface CertificateVerifier
- Parameters: adjunctCertSource - the certificate source with additional and missing certificates

getDataLoader
public DataLoader getDataLoader()
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source.
- Specified by: getDataLoader in interface CertificateVerifier
- Returns: the data loader used to load AIA resources and policy files

setDataLoader
public void setDataLoader(DataLoader dataLoader)
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source. If this property is not set, the default CommonsHttpDataLoader is created.
- Specified by: setDataLoader in interface CertificateVerifier
- Parameters: dataLoader - the data loader used to load AIA resources and policy files
getSignatureCRLSource
public ListCRLSource getSignatureCRLSource()
Description copied from interface: CertificateVerifier
This method returns the CRL source (information extracted from signatures).
- Specified by: getSignatureCRLSource in interface CertificateVerifier
- Returns: the CRL sources from the signature

setSignatureCRLSource
public void setSignatureCRLSource(ListCRLSource signatureCRLSource)
Description copied from interface: CertificateVerifier
This method allows to set the CRL source (information extracted from signatures).
- Specified by: setSignatureCRLSource in interface CertificateVerifier
- Parameters: signatureCRLSource - the CRL sources from the signature

getSignatureOCSPSource
public ListOCSPSource getSignatureOCSPSource()
Description copied from interface: CertificateVerifier
This method returns the OCSP source (information extracted from signatures).
- Specified by: getSignatureOCSPSource in interface CertificateVerifier
- Returns: the OCSP sources from the signature

setSignatureOCSPSource
public void setSignatureOCSPSource(ListOCSPSource signatureOCSPSource)
Description copied from interface: CertificateVerifier
This method allows to set the OCSP source (information extracted from signatures).
- Specified by: setSignatureOCSPSource in interface CertificateVerifier
- Parameters: signatureOCSPSource - the OCSP sources from the signature
setExceptionOnMissingRevocationData
public void setExceptionOnMissingRevocationData(boolean throwExceptionOnMissingRevocationData)
Description copied from interface: CertificateVerifier
This method allows to change the behavior on missing revocation data (LT/LTA augmentation). (default: true)
- Specified by: setExceptionOnMissingRevocationData in interface CertificateVerifier
- Parameters: throwExceptionOnMissingRevocationData - true if an exception is raised on missing revocation data, false will only display a warning message

isExceptionOnMissingRevocationData
public boolean isExceptionOnMissingRevocationData()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on missing revocation data.
- Specified by: isExceptionOnMissingRevocationData in interface CertificateVerifier
- Returns: true if an exception is thrown, false if a warning message is added

isExceptionOnUncoveredPOE
public boolean isExceptionOnUncoveredPOE()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- Specified by: isExceptionOnUncoveredPOE in interface CertificateVerifier
- Returns: true if an exception is thrown, false if a warning message is added

setExceptionOnUncoveredPOE
public void setExceptionOnUncoveredPOE(boolean exceptionOnUncoveredPOE)
Description copied from interface: CertificateVerifier
This method allows to change the behavior on an uncovered POE (timestamp). (default: false)
- Specified by: setExceptionOnUncoveredPOE in interface CertificateVerifier
- Parameters: exceptionOnUncoveredPOE - true if an exception is raised on an uncovered timestamp, false will only display a warning message

isExceptionOnRevokedCertificate
public boolean isExceptionOnRevokedCertificate()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on a revoked certificate.
- Specified by: isExceptionOnRevokedCertificate in interface CertificateVerifier
- Returns: true if an exception is thrown, false if a warning message is added
setExceptionOnRevokedCertificate
public void setExceptionOnRevokedCertificate(boolean exceptionOnRevokedCertificate)
Description copied from interface: CertificateVerifier
This method allows to change the behavior on revoked certificates (LT/LTA augmentation). (default: true)
- Specified by: setExceptionOnRevokedCertificate in interface CertificateVerifier
- Parameters: exceptionOnRevokedCertificate - true if an exception is raised on a revoked certificate, false will only display a warning message

setExceptionOnInvalidTimestamp
public void setExceptionOnInvalidTimestamp(boolean throwExceptionOnInvalidTimestamp)
Description copied from interface: CertificateVerifier
This method allows to change the behavior on an invalid timestamp (LT/LTA augmentation). (default: true)
- Specified by: setExceptionOnInvalidTimestamp in interface CertificateVerifier
- Parameters: throwExceptionOnInvalidTimestamp - true if an exception is raised on an invalid timestamp, false will only display a warning message

isExceptionOnInvalidTimestamp
public boolean isExceptionOnInvalidTimestamp()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an invalid timestamp.
- Specified by: isExceptionOnInvalidTimestamp in interface CertificateVerifier
- Returns: true if an exception is thrown, false if a warning message is added

setExceptionOnNoRevocationAfterBestSignatureTime
public void setExceptionOnNoRevocationAfterBestSignatureTime(boolean exceptionOnNoRevocationAfterBestSignatureTime)
Description copied from interface: CertificateVerifier
This method allows to change the behavior on revocation data issued after a control time. (default: false)
- Specified by: setExceptionOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Parameters: exceptionOnNoRevocationAfterBestSignatureTime - true if an exception is raised when no revocation data issued after the bestSignatureTime is found, false will only display a warning message

isExceptionOnNoRevocationAfterBestSignatureTime
public boolean isExceptionOnNoRevocationAfterBestSignatureTime()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown when no revocation data with an issuance time after the bestSignatureTime is obtained.
- Specified by: isExceptionOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Returns: true if an exception is thrown, false if a warning message is added
isCheckRevocationForUntrustedChains
public boolean isCheckRevocationForUntrustedChains()
Description copied from interface: CertificateVerifier
This method returns true if revocation checking is enabled for untrusted certificate chains.
- Specified by: isCheckRevocationForUntrustedChains in interface CertificateVerifier
- Returns: true if an external revocation check is done for untrusted certificate chains

setCheckRevocationForUntrustedChains
public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains)
Description copied from interface: CertificateVerifier
This method allows to enable revocation checking for untrusted certificate chains. (default: false)
- Specified by: setCheckRevocationForUntrustedChains in interface CertificateVerifier
- Parameters: checkRevocationForUntrustedChains - true if revocation checking is allowed for untrusted certificate chains

createValidationPool
public CertificatePool createValidationPool()
Description copied from interface: CertificateVerifier
This method creates the validation pool of certificates which is used during the validation process.
- Specified by: createValidationPool in interface CertificateVerifier

setDefaultDigestAlgorithm
public void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm)
Description copied from interface: CertificateVerifier
This method allows to change the digest algorithm that will be used for tokens' digest calculation.
- Specified by: setDefaultDigestAlgorithm in interface CertificateVerifier
- Parameters: digestAlgorithm - the DigestAlgorithm to use

getDefaultDigestAlgorithm
public DigestAlgorithm getDefaultDigestAlgorithm()
Description copied from interface: CertificateVerifier
This method returns the default digest algorithm that will be used for digest calculation.
- Specified by: getDefaultDigestAlgorithm in interface CertificateVerifier
- Returns: the DigestAlgorithm
setIncludeCertificateTokenValues
public void setIncludeCertificateTokenValues(boolean includeCertificateTokens)
Description copied from interface: CertificateVerifier
This method allows to change the behavior by including raw certificate tokens in the diagnostic data report.
- Specified by: setIncludeCertificateTokenValues in interface CertificateVerifier
- Parameters: includeCertificateTokens - true if raw certificate tokens should be included (default: false)

isIncludeCertificateTokenValues
public boolean isIncludeCertificateTokenValues()
Description copied from interface: CertificateVerifier
This method returns true if the certificate tokens need to be exported in the diagnostic data report.
- Specified by: isIncludeCertificateTokenValues in interface CertificateVerifier
- Returns: true if raw certificate tokens should be included in the diagnostic data report (default: false)

setIncludeCertificateRevocationValues
public void setIncludeCertificateRevocationValues(boolean include)
Description copied from interface: CertificateVerifier
This method allows to change the behavior by including raw revocation data in the diagnostic data report.
- Specified by: setIncludeCertificateRevocationValues in interface CertificateVerifier
- Parameters: include - true if raw revocation data should be included (default: false)

isIncludeCertificateRevocationValues
public boolean isIncludeCertificateRevocationValues()
Description copied from interface: CertificateVerifier
This method returns true if the revocation data need to be exported in the diagnostic data report.
- Specified by: isIncludeCertificateRevocationValues in interface CertificateVerifier
- Returns: true if raw revocation data should be included in the diagnostic data report (default: false)

setIncludeTimestampTokenValues
public void setIncludeTimestampTokenValues(boolean include)
Description copied from interface: CertificateVerifier
This method allows to change the behavior by including raw timestamp tokens in the diagnostic data report.
- Specified by: setIncludeTimestampTokenValues in interface CertificateVerifier
- Parameters: include - true if raw timestamp tokens should be included (default: false)

isIncludeTimestampTokenValues
public boolean isIncludeTimestampTokenValues()
Description copied from interface: CertificateVerifier
This method returns true if the timestamp tokens need to be exported in the diagnostic data report.
- Specified by: isIncludeTimestampTokenValues in interface CertificateVerifier
- Returns: true if raw timestamp tokens should be included in the diagnostic data report (default: false)