Package eu.europa.esig.dss.validation
Class CommonCertificateVerifier
java.lang.Object
eu.europa.esig.dss.validation.CommonCertificateVerifier
- All Implemented Interfaces:
CertificateVerifier
public class CommonCertificateVerifier extends Object implements CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source.
The DataLoader should be provided to give access to the certificates through AIA.
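The wiring described above, as an added example that is not part of the DSS Javadoc or of the DSS project code: one trusted source holding a pinned anchor, one adjunct source for chain building, online CRL and OCSP sources, and a shared DataLoader for AIA retrieval, followed by a validation run. The fail-closed flags documented on this page are set explicitly so that the policy is visible in code. Assumptions: package names follow DSS 5.x (they moved between releases), the helper classes CommonTrustedCertificateSource, CommonCertificateSource, OnlineCRLSource, OnlineOCSPSource, CommonsDataLoader and SignedDocumentValidator are other DSS classes not described on this page, and all file paths are placeholders.

```java
// Added example, not part of the DSS Javadoc. Package names assume DSS 5.x;
// file paths below are placeholders for a real deployment.
import java.io.File;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

public class VerifierSetupExample {

    /** Builds a verifier whose trust decisions fail closed. */
    static CommonCertificateVerifier buildVerifier(File trustAnchorPem, File intermediatePem) {
        // 1. Trusted source: only the anchor(s) deliberately pinned by the operator.
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(DSSUtils.loadCertificate(trustAnchorPem));

        // 2. Adjunct source: helps chain building but confers no trust on its own.
        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(DSSUtils.loadCertificate(intermediatePem));

        // 3./4. Online revocation sources. The CRL source shares the HTTP loader
        // that is also used for AIA fetches; the OCSP source keeps its own
        // default POST-capable loader.
        CommonsDataLoader dataLoader = new CommonsDataLoader();
        OnlineCRLSource crlSource = new OnlineCRLSource(dataLoader);
        OnlineOCSPSource ocspSource = new OnlineOCSPSource();

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);
        verifier.setAdjunctCertSource(adjunct);
        verifier.setCrlSource(crlSource);
        verifier.setOcspSource(ocspSource);
        verifier.setDataLoader(dataLoader);

        // Fail closed: missing or negative revocation evidence aborts the
        // process instead of being downgraded to a warning. These are the
        // documented defaults, set explicitly so a reviewer can see the policy.
        verifier.setExceptionOnMissingRevocationData(true);
        verifier.setExceptionOnRevokedCertificate(true);
        verifier.setExceptionOnInvalidTimestamp(true);
        // Non-default: also check revocation for chains that do not end in one
        // of the pinned anchors, rather than skipping them silently.
        verifier.setCheckRevocationForUntrustedChains(true);

        // Keep the raw tokens in the diagnostic data so the evidence can be
        // re-verified later from the report alone, without re-fetching it.
        verifier.setIncludeCertificateTokenValues(true);
        verifier.setIncludeCertificateRevocationValues(true);
        verifier.setIncludeTimestampTokenValues(true);
        verifier.setDefaultDigestAlgorithm(DigestAlgorithm.SHA256);
        return verifier;
    }

    /** Validates the first signature of a signed document with the given verifier. */
    static Indication validate(CommonCertificateVerifier verifier, File signedFile) {
        DSSDocument document = new FileDocument(signedFile);
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(document);
        validator.setCertificateVerifier(verifier);
        Reports reports = validator.validateDocument();
        SimpleReport simple = reports.getSimpleReport();
        return simple.getIndication(simple.getFirstSignatureId());
    }

    public static void main(String[] args) {
        CommonCertificateVerifier verifier = buildVerifier(
                new File("/etc/pki/placeholder-root.pem"),        // placeholder path
                new File("/etc/pki/placeholder-issuing-ca.pem")); // placeholder path
        Indication result = validate(verifier, new File(args[0]));
        System.out.println("Signature indication: " + result);
    }
}
```

The verifier is built once and reused: it holds no per-document state, and keeping a single configured instance makes it easy to audit which anchors and which exception flags are in force.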
Constructor Summary
- CommonCertificateVerifier(): The default constructor.
- CommonCertificateVerifier(boolean simpleCreationOnly): Creates a CommonCertificateVerifier without a DataLoader.
- CommonCertificateVerifier(List<CertificateSource> trustedCertSources, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader): The constructor with key parameters.
Method Summary
- void clearTrustedCertSources(): Clears the list of defined trusted certificate sources.
- CertificatePool createValidationPool(): Creates the validation pool of certificates which is used during the validation process.
- CertificateSource getAdjunctCertSource(): Returns the adjunct certificates source associated with this verifier.
- RevocationSource<CRLToken> getCrlSource(): Returns the CRL source associated with this verifier.
- DataLoader getDataLoader(): The data loader used to access the AIA certificate source.
- DigestAlgorithm getDefaultDigestAlgorithm(): Returns the default digest algorithm that will be used for digest calculation.
- RevocationSource<OCSPToken> getOcspSource(): Returns the OCSP source associated with this verifier.
- ListCRLSource getSignatureCRLSource(): Returns the CRL source (information extracted from signatures).
- ListOCSPSource getSignatureOCSPSource(): Returns the OCSP source (information extracted from signatures).
- List<CertificateSource> getTrustedCertSources(): Returns the trusted certificate sources associated with this verifier.
- boolean isCheckRevocationForUntrustedChains(): Returns true if revocation checking is enabled for untrusted certificate chains.
- boolean isExceptionOnInvalidTimestamp(): Returns true if an exception needs to be thrown on an invalid timestamp.
- boolean isExceptionOnMissingRevocationData(): Returns true if an exception needs to be thrown on missing revocation data.
- boolean isExceptionOnNoRevocationAfterBestSignatureTime(): Returns true if an exception needs to be thrown when no revocation data with an issuance time after the bestSignatureTime has been obtained.
- boolean isExceptionOnRevokedCertificate(): Returns true if an exception needs to be thrown on a revoked certificate.
- boolean isExceptionOnUncoveredPOE(): Returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- boolean isIncludeCertificateRevocationValues(): Returns true if the revocation data need to be exported in the diagnostic data report.
- boolean isIncludeCertificateTokenValues(): Returns true if the certificate tokens need to be exported in the diagnostic data report.
- boolean isIncludeTimestampTokenValues(): Returns true if the timestamp tokens need to be exported in the diagnostic data report.
- void setAdjunctCertSource(CertificateSource adjunctCertSource): Associates an adjunct certificates source with this verifier.
- void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains): Enables revocation checking for untrusted certificate chains (default: false).
- void setCrlSource(RevocationSource<CRLToken> crlSource): Defines the source of CRLs used by this class.
- void setDataLoader(DataLoader dataLoader): The data loader used to access the AIA certificate source.
- void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm): Changes the digest algorithm that will be used for tokens' digest calculation.
- void setExceptionOnInvalidTimestamp(boolean throwExceptionOnInvalidTimestamp): Changes the behavior on an invalid timestamp (LT/LTA augmentation).
- void setExceptionOnMissingRevocationData(boolean throwExceptionOnMissingRevocationData): Changes the behavior on missing revocation data (LT/LTA augmentation).
- void setExceptionOnNoRevocationAfterBestSignatureTime(boolean exceptionOnNoRevocationAfterBestSignatureTime): Changes the behavior when no revocation data issued after a control time is available.
- void setExceptionOnRevokedCertificate(boolean exceptionOnRevokedCertificate): Changes the behavior on revoked certificates (LT/LTA augmentation).
- void setExceptionOnUncoveredPOE(boolean exceptionOnUncoveredPOE): Changes the behavior on an uncovered POE (timestamp).
- void setIncludeCertificateRevocationValues(boolean include): Includes raw revocation data in the diagnostic data report.
- void setIncludeCertificateTokenValues(boolean includeCertificateTokens): Includes raw certificate tokens in the diagnostic data report.
- void setIncludeTimestampTokenValues(boolean include): Includes raw timestamp tokens in the diagnostic data report.
- void setOcspSource(RevocationSource<OCSPToken> ocspSource): Defines the source of OCSP responses used by this class.
- void setSignatureCRLSource(ListCRLSource signatureCRLSource): Sets the CRL source (information extracted from signatures).
- void setSignatureOCSPSource(ListOCSPSource signatureOCSPSource): Sets the OCSP source (information extracted from signatures).
- void setTrustedCertSource(CertificateSource trustedCertSource): Sets the trusted certificates source.
- void setTrustedCertSources(CertificateSource... certSources): Sets multiple trusted certificate sources.
-
Constructor Details
-
CommonCertificateVerifier
public CommonCertificateVerifier()
The default constructor. The DataLoader is created to allow the retrieval of certificates through AIA.
-
CommonCertificateVerifier
public CommonCertificateVerifier(boolean simpleCreationOnly)
This constructor creates a CommonCertificateVerifier without a DataLoader. This means that only -B profile signatures can be created.
- Parameters:
simpleCreationOnly - if true the CommonCertificateVerifier will not contain a DataLoader.
-
CommonCertificateVerifier
public CommonCertificateVerifier(List<CertificateSource> trustedCertSources, CRLSource crlSource, OCSPSource ocspSource, DataLoader dataLoader)
The constructor with key parameters.
- Parameters:
trustedCertSources - the reference to the trusted certificate sources.
crlSource - contains the reference to the CRLSource.
ocspSource - contains the reference to the OCSPSource.
dataLoader - contains the reference to a data loader used to access the AIA certificate source.
-
-
Method Details
-
getTrustedCertSources
public List<CertificateSource> getTrustedCertSources()
Description copied from interface: CertificateVerifier
Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trust anchors.
- Specified by:
getTrustedCertSources in interface CertificateVerifier
- Returns:
the certificate sources which contain trusted certificates
-
getOcspSource
public RevocationSource<OCSPToken> getOcspSource()
Description copied from interface: CertificateVerifier
Returns the OCSP source associated with this verifier.
- Specified by:
getOcspSource in interface CertificateVerifier
- Returns:
the OCSP source used for external access (web, filesystem, cached, ...)
-
getCrlSource
public RevocationSource<CRLToken> getCrlSource()
Description copied from interface: CertificateVerifier
Returns the CRL source associated with this verifier.
- Specified by:
getCrlSource in interface CertificateVerifier
- Returns:
the CRL source used for external access (web, filesystem, cached, ...)
-
setCrlSource
public void setCrlSource(RevocationSource<CRLToken> crlSource)
Description copied from interface: CertificateVerifier
Defines the source of CRLs used by this class.
- Specified by:
setCrlSource in interface CertificateVerifier
- Parameters:
crlSource - the CRL source to set for external access (web, filesystem, cached, ...)
-
setOcspSource
public void setOcspSource(RevocationSource<OCSPToken> ocspSource)
Description copied from interface: CertificateVerifier
Defines the source of OCSP responses used by this class.
- Specified by:
setOcspSource in interface CertificateVerifier
- Parameters:
ocspSource - the OCSP source to set for external access (web, filesystem, cached, ...)
-
setTrustedCertSource
public void setTrustedCertSource(CertificateSource trustedCertSource)
Description copied from interface: CertificateVerifier
Sets the trusted certificates source.
- Specified by:
setTrustedCertSource in interface CertificateVerifier
- Parameters:
trustedCertSource - the certificates source with known trusted certificates
-
setTrustedCertSources
public void setTrustedCertSources(CertificateSource... certSources)
Description copied from interface: CertificateVerifier
Sets multiple trusted certificate sources.
- Specified by:
setTrustedCertSources in interface CertificateVerifier
- Parameters:
certSources - the certificate sources with known trusted certificates
-
clearTrustedCertSources
public void clearTrustedCertSources()
This method clears the list of defined trusted certificate sources.
-
getAdjunctCertSource
public CertificateSource getAdjunctCertSource()
Description copied from interface: CertificateVerifier
Returns the adjunct certificates source associated with this verifier.
- Specified by:
getAdjunctCertSource in interface CertificateVerifier
- Returns:
the certificate source which contains additional certificates (missing CA, ...)
-
setAdjunctCertSource
public void setAdjunctCertSource(CertificateSource adjunctCertSource)
Description copied from interface: CertificateVerifier
Associates an adjunct certificates source with this verifier.
- Specified by:
setAdjunctCertSource in interface CertificateVerifier
- Parameters:
adjunctCertSource - the certificate source with additional and missing certificates
-
getDataLoader
public DataLoader getDataLoader()
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source.
- Specified by:
getDataLoader in interface CertificateVerifier
- Returns:
the data loader used to load AIA resources and policy files
-
setDataLoader
public void setDataLoader(DataLoader dataLoader)
Description copied from interface: CertificateVerifier
The data loader used to access the AIA certificate source. If this property is not set, the default CommonsHttpDataLoader is created.
- Specified by:
setDataLoader in interface CertificateVerifier
- Parameters:
dataLoader - the data loader used to load AIA resources and policy files
-
getSignatureCRLSource
public ListCRLSource getSignatureCRLSource()
Description copied from interface: CertificateVerifier
This method returns the CRL source (information extracted from signatures).
- Specified by:
getSignatureCRLSource in interface CertificateVerifier
- Returns:
the CRL sources from the signature
-
setSignatureCRLSource
public void setSignatureCRLSource(ListCRLSource signatureCRLSource)
Description copied from interface: CertificateVerifier
This method sets the CRL source (information extracted from signatures).
- Specified by:
setSignatureCRLSource in interface CertificateVerifier
- Parameters:
signatureCRLSource - the CRL sources from the signature
-
getSignatureOCSPSource
public ListOCSPSource getSignatureOCSPSource()
Description copied from interface: CertificateVerifier
This method returns the OCSP source (information extracted from signatures).
- Specified by:
getSignatureOCSPSource in interface CertificateVerifier
- Returns:
the OCSP sources from the signature
-
setSignatureOCSPSource
public void setSignatureOCSPSource(ListOCSPSource signatureOCSPSource)
Description copied from interface: CertificateVerifier
This method sets the OCSP source (information extracted from signatures).
- Specified by:
setSignatureOCSPSource in interface CertificateVerifier
- Parameters:
signatureOCSPSource - the OCSP sources from the signature
-
setExceptionOnMissingRevocationData
public void setExceptionOnMissingRevocationData(boolean throwExceptionOnMissingRevocationData)
Description copied from interface: CertificateVerifier
This method changes the behavior on missing revocation data (LT/LTA augmentation). (default: true)
- Specified by:
setExceptionOnMissingRevocationData in interface CertificateVerifier
- Parameters:
throwExceptionOnMissingRevocationData - true if an exception is raised on missing revocation data; false will only display a warning message
-
isExceptionOnMissingRevocationData
public boolean isExceptionOnMissingRevocationData()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on missing revocation data.
- Specified by:
isExceptionOnMissingRevocationData in interface CertificateVerifier
- Returns:
true if an exception is thrown, false if a warning message is added
-
isExceptionOnUncoveredPOE
public boolean isExceptionOnUncoveredPOE()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an uncovered POE (timestamp).
- Specified by:
isExceptionOnUncoveredPOE in interface CertificateVerifier
- Returns:
true if an exception is thrown, false if a warning message is added
-
setExceptionOnUncoveredPOE
public void setExceptionOnUncoveredPOE(boolean exceptionOnUncoveredPOE)
Description copied from interface: CertificateVerifier
This method changes the behavior on an uncovered POE (timestamp). (default: false)
- Specified by:
setExceptionOnUncoveredPOE in interface CertificateVerifier
- Parameters:
exceptionOnUncoveredPOE - true if an exception is raised on an uncovered timestamp; false will only display a warning message
-
isExceptionOnRevokedCertificate
public boolean isExceptionOnRevokedCertificate()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on a revoked certificate.
- Specified by:
isExceptionOnRevokedCertificate in interface CertificateVerifier
- Returns:
true if an exception is thrown, false if a warning message is added
-
setExceptionOnRevokedCertificate
public void setExceptionOnRevokedCertificate(boolean exceptionOnRevokedCertificate)
Description copied from interface: CertificateVerifier
This method changes the behavior on revoked certificates (LT/LTA augmentation). (default: true)
- Specified by:
setExceptionOnRevokedCertificate in interface CertificateVerifier
- Parameters:
exceptionOnRevokedCertificate - true if an exception is raised on a revoked certificate; false will only display a warning message
-
setExceptionOnInvalidTimestamp
public void setExceptionOnInvalidTimestamp(boolean throwExceptionOnInvalidTimestamp)
Description copied from interface: CertificateVerifier
This method changes the behavior on an invalid timestamp (LT/LTA augmentation). (default: true)
- Specified by:
setExceptionOnInvalidTimestamp in interface CertificateVerifier
- Parameters:
throwExceptionOnInvalidTimestamp - true if an exception is raised on an invalid timestamp; false will only display a warning message
-
isExceptionOnInvalidTimestamp
public boolean isExceptionOnInvalidTimestamp()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown on an invalid timestamp.
- Specified by:
isExceptionOnInvalidTimestamp in interface CertificateVerifier
- Returns:
true if an exception is thrown, false if a warning message is added
-
setExceptionOnNoRevocationAfterBestSignatureTime
public void setExceptionOnNoRevocationAfterBestSignatureTime(boolean exceptionOnNoRevocationAfterBestSignatureTime)
Description copied from interface: CertificateVerifier
This method changes the behavior when no revocation data issued after a control time is available. (default: false)
- Specified by:
setExceptionOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Parameters:
exceptionOnNoRevocationAfterBestSignatureTime - true if an exception is raised when no revocation data issued after the bestSignatureTime is available; false will only display a warning message
-
isExceptionOnNoRevocationAfterBestSignatureTime
public boolean isExceptionOnNoRevocationAfterBestSignatureTime()
Description copied from interface: CertificateVerifier
This method returns true if an exception needs to be thrown when no revocation data with an issuance time after the bestSignatureTime has been obtained.
- Specified by:
isExceptionOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
- Returns:
true if an exception is thrown, false if a warning message is added
-
isCheckRevocationForUntrustedChains
public boolean isCheckRevocationForUntrustedChains()
Description copied from interface: CertificateVerifier
This method returns true if revocation checking is enabled for untrusted certificate chains.
- Specified by:
isCheckRevocationForUntrustedChains in interface CertificateVerifier
- Returns:
true if external revocation checking is done for untrusted certificate chains
-
setCheckRevocationForUntrustedChains
public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains)
Description copied from interface: CertificateVerifier
This method enables revocation checking for untrusted certificate chains. (default: false)
- Specified by:
setCheckRevocationForUntrustedChains in interface CertificateVerifier
- Parameters:
checkRevocationForUntrustedChains - true if revocation checking is allowed for untrusted certificate chains
-
createValidationPool
public CertificatePool createValidationPool()
Description copied from interface: CertificateVerifier
This method creates the validation pool of certificates which is used during the validation process.
- Specified by:
createValidationPool in interface CertificateVerifier
-
setDefaultDigestAlgorithm
public void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm)
Description copied from interface: CertificateVerifier
This method changes the digest algorithm that will be used for tokens' digest calculation.
- Specified by:
setDefaultDigestAlgorithm in interface CertificateVerifier
- Parameters:
digestAlgorithm - the DigestAlgorithm to use
-
getDefaultDigestAlgorithm
public DigestAlgorithm getDefaultDigestAlgorithm()
Description copied from interface: CertificateVerifier
This method returns the default digest algorithm that will be used for digest calculation.
- Specified by:
getDefaultDigestAlgorithm in interface CertificateVerifier
- Returns:
the default DigestAlgorithm
-
setIncludeCertificateTokenValues
public void setIncludeCertificateTokenValues(boolean includeCertificateTokens)
Description copied from interface: CertificateVerifier
This method changes the behavior by including raw certificate tokens in the diagnostic data report.
- Specified by:
setIncludeCertificateTokenValues in interface CertificateVerifier
- Parameters:
includeCertificateTokens - true if raw certificate tokens should be included (default: false)
-
isIncludeCertificateTokenValues
public boolean isIncludeCertificateTokenValues()
Description copied from interface: CertificateVerifier
This method returns true if the certificate tokens need to be exported in the diagnostic data report.
- Specified by:
isIncludeCertificateTokenValues in interface CertificateVerifier
- Returns:
true if raw certificate tokens should be included in the diagnostic data report (default: false)
-
setIncludeCertificateRevocationValues
public void setIncludeCertificateRevocationValues(boolean include)
Description copied from interface: CertificateVerifier
This method changes the behavior by including raw revocation data in the diagnostic data report.
- Specified by:
setIncludeCertificateRevocationValues in interface CertificateVerifier
- Parameters:
include - true if raw revocation data should be included (default: false)
-
isIncludeCertificateRevocationValues
public boolean isIncludeCertificateRevocationValues()
Description copied from interface: CertificateVerifier
This method returns true if the revocation data need to be exported in the diagnostic data report.
- Specified by:
isIncludeCertificateRevocationValues in interface CertificateVerifier
- Returns:
true if raw revocation data should be included in the diagnostic data report (default: false)
-
setIncludeTimestampTokenValues
public void setIncludeTimestampTokenValues(boolean include)
Description copied from interface: CertificateVerifier
This method changes the behavior by including raw timestamp tokens in the diagnostic data report.
- Specified by:
setIncludeTimestampTokenValues in interface CertificateVerifier
- Parameters:
include - true if raw timestamp tokens should be included (default: false)
-
isIncludeTimestampTokenValues
public boolean isIncludeTimestampTokenValues()
Description copied from interface: CertificateVerifier
This method returns true if the timestamp tokens need to be exported in the diagnostic data report.
- Specified by:
isIncludeTimestampTokenValues in interface CertificateVerifier
- Returns:
true if raw timestamp tokens should be included in the diagnostic data report (default: false)
-