Package eu.europa.esig.dss.validation
Class CommonCertificateVerifier
java.lang.Object
eu.europa.esig.dss.validation.CommonCertificateVerifier
- All Implemented Interfaces:
CertificateVerifier
public class CommonCertificateVerifier extends Object implements CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are
four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source.
The DataLoader should be provided to give access to the certificates through AIA.
Constructor Summary
- CommonCertificateVerifier(): The default constructor.
- CommonCertificateVerifier(boolean simpleCreationOnly): This constructor allows creating a CommonCertificateVerifier without a DataLoader.
- CommonCertificateVerifier(List<CertificateSource> trustedCertSources, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader): The constructor with key parameters.
Method Summary
- void addAdjunctCertSources(CertificateSource... certSources): Adds adjunct certificate sources to an existing list of adjunct certificate sources.
- void addTrustedCertSources(CertificateSource... certSources): Adds trusted certificate sources to an existing list of trusted certificate sources.
- ListCertificateSource getAdjunctCertSources(): Returns the list of adjunct certificate sources assigned to this verifier.
- StatusAlert getAlertOnInvalidTimestamp(): This method returns true if an exception needs to be thrown on an invalid timestamp.
- StatusAlert getAlertOnMissingRevocationData(): This method returns true if an exception needs to be thrown on missing revocation data.
- StatusAlert getAlertOnNoRevocationAfterBestSignatureTime(): This method returns true if an exception needs to be thrown when no revocation data is obtained with an issuance time after the bestSignatureTime.
- StatusAlert getAlertOnRevokedCertificate(): This method returns true if an exception needs to be thrown on a revoked certificate.
- StatusAlert getAlertOnUncoveredPOE(): This method returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- RevocationSource<CRL> getCrlSource(): Returns the CRL source associated with this verifier.
- DataLoader getDataLoader(): The data loader used to access the AIA certificate source.
- DigestAlgorithm getDefaultDigestAlgorithm(): This method returns the default Digest Algorithm that will be used for digest calculation.
- RevocationSource<OCSP> getOcspSource(): Returns the OCSP source associated with this verifier.
- ListCertificateSource getSignatureCertificateSource(): This method returns the Certificate Source (information extracted from signatures).
- ListRevocationSource<CRL> getSignatureCRLSource(): This method returns the CRL source (information extracted from signatures).
- ListRevocationSource<OCSP> getSignatureOCSPSource(): This method returns the OCSP source (information extracted from signatures).
- ListCertificateSource getTrustedCertSources(): Returns the trusted certificate sources associated with this verifier.
- boolean isCheckRevocationForUntrustedChains(): This method returns true if revocation checking is enabled for untrusted certificate chains.
- void setAdjunctCertSource(CertificateSource adjunctCertSource): Deprecated.
- void setAdjunctCertSources(CertificateSource... certSources): Sets multiple adjunct certificate sources.
- void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource): Sets a list of adjunct certificate sources.
- void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp): This method allows changing the behavior on an invalid timestamp (LT/LTA augmentation).
- void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData): This method allows changing the behavior on missing revocation data (LT/LTA augmentation).
- void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime): This method allows changing the behavior on revocation data issued after a control time.
- void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate): This method allows changing the behavior on revoked certificates (LT/LTA augmentation).
- void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE): This method allows changing the behavior on an uncovered POE (timestamp).
- void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains): This method allows enabling revocation checking for untrusted certificate chains (default: false).
- void setCrlSource(RevocationSource<CRL> crlSource): Defines the source of CRL used by this class.
- void setDataLoader(DataLoader dataLoader): The data loader used to access the AIA certificate source.
- void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm): This method allows changing the Digest Algorithm that will be used for tokens' digest calculation.
- void setOcspSource(RevocationSource<OCSP> ocspSource): Defines the source of OCSP used by this class.
- void setSignatureCertificateSource(ListCertificateSource signatureCertificateSource): This method allows setting the Certificate source (information extracted from signatures).
- void setSignatureCRLSource(ListRevocationSource<CRL> signatureCRLSource): This method allows setting the CRL source (information extracted from signatures).
- void setSignatureOCSPSource(ListRevocationSource<OCSP> signatureOCSPSource): This method allows setting the OCSP source (information extracted from signatures).
- void setTrustedCertSource(CertificateSource trustedCertSource): Deprecated.
- void setTrustedCertSources(CertificateSource... certSources): Sets multiple trusted certificate sources.
- void setTrustedCertSources(ListCertificateSource trustedListCertificateSource): Sets a list of trusted certificate sources.
-
Constructor Details
-
CommonCertificateVerifier
public CommonCertificateVerifier()
The default constructor. The DataLoader is created to allow the retrieval of certificates through AIA.
CommonCertificateVerifier
public CommonCertificateVerifier(boolean simpleCreationOnly)
This constructor allows creating a CommonCertificateVerifier without a DataLoader. It means that only profile -B signatures can be created.
- Parameters:
  - simpleCreationOnly - if true, the CommonCertificateVerifier will not contain a DataLoader.
-
CommonCertificateVerifier
public CommonCertificateVerifier(List<CertificateSource> trustedCertSources, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader)
The constructor with key parameters.
- Parameters:
  - trustedCertSources - the reference to the trusted certificate sources.
  - crlSource - contains the reference to the CRLSource.
  - ocspSource - contains the reference to the OCSPSource.
  - dataLoader - contains the reference to a data loader used to access the AIA certificate source.
-
-
Method Details
-
getTrustedCertSources
Description copied from interface: CertificateVerifier
Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.
- Specified by: getTrustedCertSources in interface CertificateVerifier
- Returns: the certificate sources which contain trusted certificates
-
getOcspSource
Description copied from interface: CertificateVerifier
Returns the OCSP source associated with this verifier.
- Specified by: getOcspSource in interface CertificateVerifier
- Returns: the OCSP source used for external access (web, filesystem, cached, ...)
-
getCrlSource
Description copied from interface: CertificateVerifier
Returns the CRL source associated with this verifier.
- Specified by: getCrlSource in interface CertificateVerifier
- Returns: the CRL source used for external access (web, filesystem, cached, ...)
-
setCrlSource
Description copied from interface: CertificateVerifier
Defines the source of CRL used by this class.
- Specified by: setCrlSource in interface CertificateVerifier
- Parameters:
  - crlSource - the CRL source to set for external access (web, filesystem, cached, ...)
-
setOcspSource
Description copied from interface: CertificateVerifier
Defines the source of OCSP used by this class.
- Specified by: setOcspSource in interface CertificateVerifier
- Parameters:
  - ocspSource - the OCSP source to set for external access (web, filesystem, cached, ...)
-
setTrustedCertSource
Deprecated.
Description copied from interface: CertificateVerifier
Sets the trusted certificate source.
- Specified by: setTrustedCertSource in interface CertificateVerifier
- Parameters:
  - trustedCertSource - the certificate source with known trusted certificates
-
setTrustedCertSources
Description copied from interface: CertificateVerifier
Sets multiple trusted certificate sources.
- Specified by: setTrustedCertSources in interface CertificateVerifier
- Parameters:
  - certSources - the certificate sources with known trusted certificates
-
addTrustedCertSources
Description copied from interface: CertificateVerifier
Adds trusted certificate sources to an existing list of trusted certificate sources.
- Specified by: addTrustedCertSources in interface CertificateVerifier
- Parameters:
  - certSources - the certificate sources with known trusted certificates
-
setTrustedCertSources
Description copied from interface: CertificateVerifier
Sets a list of trusted certificate sources.
- Specified by: setTrustedCertSources in interface CertificateVerifier
- Parameters:
  - trustedListCertificateSource - ListCertificateSource of trusted cert sources
-
getAdjunctCertSources
Description copied from interface: CertificateVerifier
Returns the list of adjunct certificate sources assigned to this verifier.
- Specified by: getAdjunctCertSources in interface CertificateVerifier
- Returns: the certificate sources which contain additional certificates (missing CA, ...)
-
setAdjunctCertSource
Deprecated.
Description copied from interface: CertificateVerifier
Sets an adjunct certificate source to this verifier.
- Specified by: setAdjunctCertSource in interface CertificateVerifier
- Parameters:
  - adjunctCertSource - the certificate source with additional and missing certificates
-
setAdjunctCertSources
Description copied from interface: CertificateVerifier
Sets multiple adjunct certificate sources.
- Specified by: setAdjunctCertSources in interface CertificateVerifier
- Parameters:
  - certSources - the certificate sources with additional and/or missing certificates
-
addAdjunctCertSources
Description copied from interface: CertificateVerifier
Adds adjunct certificate sources to an existing list of adjunct certificate sources.
- Specified by: addAdjunctCertSources in interface CertificateVerifier
- Parameters:
  - certSources - the certificate sources with additional certificates
-
setAdjunctCertSources
Description copied from interface: CertificateVerifier
Sets a list of adjunct certificate sources.
- Specified by: setAdjunctCertSources in interface CertificateVerifier
- Parameters:
  - adjunctListCertificateSource - ListCertificateSource of adjunct cert sources
-
getDataLoader
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source.
- Specified by: getDataLoader in interface CertificateVerifier
- Returns: the data loader used to load AIA resources and policy files
-
setDataLoader
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source. If this property is not set, the default CommonsHttpDataLoader is created.
- Specified by: setDataLoader in interface CertificateVerifier
- Parameters:
  - dataLoader - the data loader used to load AIA resources and policy files
-
getSignatureCRLSource
Description copied from interface: CertificateVerifier
This method returns the CRL source (information extracted from signatures).
- Specified by: getSignatureCRLSource in interface CertificateVerifier
- Returns: the CRL sources from the signature
-
setSignatureCRLSource
Description copied from interface: CertificateVerifier
This method allows setting the CRL source (information extracted from signatures).
- Specified by: setSignatureCRLSource in interface CertificateVerifier
- Parameters:
  - signatureCRLSource - the CRL sources from the signature
-
getSignatureOCSPSource
Description copied from interface: CertificateVerifier
This method returns the OCSP source (information extracted from signatures).
- Specified by: getSignatureOCSPSource in interface CertificateVerifier
- Returns: the OCSP sources from the signatures
-
setSignatureOCSPSource
Description copied from interface: CertificateVerifier
This method allows setting the OCSP source (information extracted from signatures).
- Specified by: setSignatureOCSPSource in interface CertificateVerifier
- Parameters:
  - signatureOCSPSource - the OCSP sources from the signature
-
getSignatureCertificateSource
Description copied from interface: CertificateVerifier
This method returns the Certificate Source (information extracted from signatures).
- Specified by: getSignatureCertificateSource in interface CertificateVerifier
- Returns: the certificate sources from the signatures
-
setSignatureCertificateSource
Description copied from interface: CertificateVerifier
This method allows setting the Certificate source (information extracted from signatures).
- Specified by: setSignatureCertificateSource in interface CertificateVerifier
- Parameters:
  - signatureCertificateSource - the Certificate sources from the signatures
-
getAlertOnInvalidTimestamp
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an invalid timestamp.
- Specified by: getAlertOnInvalidTimestamp in interface CertificateVerifier
- Returns: the StatusAlert to be processed in case of an invalid timestamp
-
setAlertOnInvalidTimestamp
Description copied from interface: CertificateVerifier
This method allows changing the behavior on an invalid timestamp (LT/LTA augmentation). Default: ExceptionOnStatusAlert (throw an exception).
- Specified by: setAlertOnInvalidTimestamp in interface CertificateVerifier
- Parameters:
  - alertOnInvalidTimestamp - defines the behaviour in case of an invalid timestamp
-
getAlertOnMissingRevocationData
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on missing revocation data.
- Specified by: getAlertOnMissingRevocationData in interface CertificateVerifier
- Returns: the StatusAlert to be processed in case of missing revocation data
-
setAlertOnMissingRevocationData
Description copied from interface: CertificateVerifier
This method allows changing the behavior on missing revocation data (LT/LTA augmentation). Default: ExceptionOnStatusAlert (throw an exception).
- Specified by: setAlertOnMissingRevocationData in interface CertificateVerifier
- Parameters:
  - alertOnMissingRevocationData - defines the behaviour in case of missing revocation data
-
getAlertOnUncoveredPOE
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- Specified by: getAlertOnUncoveredPOE in interface CertificateVerifier
- Returns: the StatusAlert to be processed in case of an uncovered POE
-
setAlertOnUncoveredPOE
Description copied from interface: CertificateVerifier
This method allows changing the behavior on an uncovered POE (timestamp). Default: LogOnStatusAlert (log a warning).
- Specified by: setAlertOnUncoveredPOE in interface CertificateVerifier
- Parameters:
  - alertOnUncoveredPOE - defines the behaviour in case of an uncovered POE
-
getAlertOnRevokedCertificate
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on a revoked certificate.
- Specified by: getAlertOnRevokedCertificate in interface CertificateVerifier
- Returns: the StatusAlert to be processed in case of a revoked certificate
-
setAlertOnRevokedCertificate
Description copied from interface: CertificateVerifier
This method allows changing the behavior on revoked certificates (LT/LTA augmentation). Default: ExceptionOnStatusAlert (throw an exception).
- Specified by: setAlertOnRevokedCertificate in interface CertificateVerifier
- Parameters:
  - alertOnRevokedCertificate - defines the behaviour in case of a revoked certificate
-
getAlertOnNoRevocationAfterBestSignatureTime
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown when no revocation data is obtained with an issuance time after the bestSignatureTime.
- Specified by: getAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Returns: the StatusAlert to be processed in case of no revocation data after the best signature time
-
setAlertOnNoRevocationAfterBestSignatureTime
public void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)
Description copied from interface: CertificateVerifier
This method allows changing the behavior on revocation data issued after a control time. Default: LogOnStatusAlert (log a warning).
- Specified by: setAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Parameters:
  - alertOnNoRevocationAfterBestSignatureTime - defines the behaviour in case of no revocation data issued after the bestSignatureTime
-
isCheckRevocationForUntrustedChains
public boolean isCheckRevocationForUntrustedChains()
Description copied from interface: CertificateVerifier
This method returns true if revocation checking is enabled for untrusted certificate chains.
- Specified by: isCheckRevocationForUntrustedChains in interface CertificateVerifier
- Returns: true if external revocation checking is done for untrusted certificate chains
-
setCheckRevocationForUntrustedChains
public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains)
Description copied from interface: CertificateVerifier
This method allows enabling revocation checking for untrusted certificate chains (default: false).
- Specified by: setCheckRevocationForUntrustedChains in interface CertificateVerifier
- Parameters:
  - checkRevocationForUntrustedChains - true if revocation checking is allowed for untrusted certificate chains
-
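The following is an added example, not code from the DSS project or from this page: it wires a CommonCertificateVerifier from the four source types described in the class description, using the four-argument constructor, and then applies the alert settings documented above as an explicit policy. Class names not on this page (CommonTrustedCertificateSource, CommonCertificateSource, OnlineCRLSource, OnlineOCSPSource, CommonsDataLoader, DSSUtils), their package paths, and the constructor signatures that take a DataLoader are assumptions about the DSS library and should be checked against the version in use; the certificate file paths are placeholders.

```java
import java.io.File;
import java.util.Collections;
import java.util.List;

import eu.europa.esig.dss.alert.ExceptionOnStatusAlert;
import eu.europa.esig.dss.alert.LogOnStatusAlert;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

/** Added example (assumed DSS class/package names): builds a verifier with explicit trust and alert settings. */
public class VerifierSetup {

    /**
     * Wires the four source types from the class description.
     * rootCa becomes a trust anchor; intermediateCa goes into the adjunct source, which only
     * helps chain building and never makes a chain trusted on its own.
     */
    public static CommonCertificateVerifier build(CertificateToken rootCa, CertificateToken intermediateCa) {
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(rootCa);

        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(intermediateCa);

        // One HTTP loader shared by CRL/OCSP fetching and AIA (caIssuers) retrieval (assumed constructors).
        CommonsDataLoader dataLoader = new CommonsDataLoader();
        OnlineCRLSource crlSource = new OnlineCRLSource(dataLoader);
        OnlineOCSPSource ocspSource = new OnlineOCSPSource(dataLoader);

        List<CertificateSource> trustedSources = Collections.<CertificateSource>singletonList(trusted);
        CommonCertificateVerifier verifier =
                new CommonCertificateVerifier(trustedSources, crlSource, ocspSource, dataLoader);
        verifier.setAdjunctCertSources(adjunct);
        verifier.setDefaultDigestAlgorithm(DigestAlgorithm.SHA256);
        return verifier;
    }

    /**
     * Fail-closed alert policy for LT/LTA augmentation. The first three calls restate the
     * documented defaults so the policy is visible in code; the last two default to
     * LogOnStatusAlert and are tightened here.
     */
    public static CommonCertificateVerifier failClosed(CommonCertificateVerifier verifier) {
        verifier.setAlertOnMissingRevocationData(new ExceptionOnStatusAlert());
        verifier.setAlertOnRevokedCertificate(new ExceptionOnStatusAlert());
        verifier.setAlertOnInvalidTimestamp(new ExceptionOnStatusAlert());
        verifier.setAlertOnUncoveredPOE(new ExceptionOnStatusAlert());
        verifier.setAlertOnNoRevocationAfterBestSignatureTime(new ExceptionOnStatusAlert());
        // Documented default is false: chains that do not end in a trust anchor are not
        // revocation-checked. Enabling it means CRL/OCSP lookups against endpoints named
        // by certificates that are not (yet) trusted, so keep it explicit.
        verifier.setCheckRevocationForUntrustedChains(false);
        return verifier;
    }

    /** Diagnostic policy: every condition above is logged as a warning instead of aborting. */
    public static CommonCertificateVerifier logOnly(CommonCertificateVerifier verifier) {
        LogOnStatusAlert warn = new LogOnStatusAlert();
        verifier.setAlertOnMissingRevocationData(warn);
        verifier.setAlertOnRevokedCertificate(warn);
        verifier.setAlertOnInvalidTimestamp(warn);
        verifier.setAlertOnUncoveredPOE(warn);
        verifier.setAlertOnNoRevocationAfterBestSignatureTime(warn);
        return verifier;
    }

    public static void main(String[] args) {
        // Placeholder paths: point these at your own root and intermediate CA certificates.
        CertificateToken rootCa = DSSUtils.loadCertificate(new File("root-ca.cer"));
        CertificateToken intermediateCa = DSSUtils.loadCertificate(new File("intermediate-ca.cer"));
        CommonCertificateVerifier verifier = failClosed(build(rootCa, intermediateCa));
        System.out.println("Revocation check for untrusted chains: "
                + verifier.isCheckRevocationForUntrustedChains());
    }
}
```

The split between failClosed and logOnly makes the trade-off explicit: the logOnly variant produces the same findings but lets augmentation proceed, so a signature can reach an LT/LTA profile without the revocation evidence the profile is meant to guarantee. It is useful for diagnosing a misconfigured source, not as the production setting.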
setDefaultDigestAlgorithm
Description copied from interface: CertificateVerifier
This method allows changing the Digest Algorithm that will be used for tokens' digest calculation.
- Specified by: setDefaultDigestAlgorithm in interface CertificateVerifier
- Parameters:
  - digestAlgorithm - the DigestAlgorithm to use
-
getDefaultDigestAlgorithm
Description copied from interface: CertificateVerifier
This method returns the default Digest Algorithm that will be used for digest calculation.
- Specified by: getDefaultDigestAlgorithm in interface CertificateVerifier
- Returns: the DigestAlgorithm
-