Package eu.europa.esig.dss.validation

Interface CertificateVerifier

All Known Implementing Classes:
CommonCertificateVerifier
public interface CertificateVerifier
Provides information on the sources to be used in the validation process in the context of a signature.

  • Method Details

    • getCrlSource

      RevocationSource<CRL> getCrlSource()
      Returns the CRL source associated with this verifier.
      Returns:
      the used CRL source for external access (web, filesystem, cached,...)

    • setCrlSource

      void setCrlSource(RevocationSource<CRL> crlSource)
      Defines the source of CRL used by this class
      Parameters:
      crlSource - the CRL source to set for external access (web, filesystem, cached,...)

    • getOcspSource

      RevocationSource<OCSP> getOcspSource()
      Returns the OCSP source associated with this verifier.
      Returns:
      the used OCSP source for external access (web, filesystem, cached,...)

    • setOcspSource

      void setOcspSource(RevocationSource<OCSP> ocspSource)
      Defines the source of OCSP used by this class
      Parameters:
      ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

    • getRevocationDataLoadingStrategyFactory

      RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()
      Returns a factory used to create revocation data loading strategy associated with this verifier.
      Returns:
      creates the defined strategy to fetch OCSP or CRL for certificate validation

    • setRevocationDataLoadingStrategyFactory

      void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)
      Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after
      Parameters:
      revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

    • getRevocationDataVerifier

      RevocationDataVerifier getRevocationDataVerifier()
      Returns a RevocationDataVerifier associated with this verifier.
      Returns:
      RevocationDataVerifier

    • setRevocationDataVerifier

      void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)
      Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

      NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

      Parameters:
      revocationDataVerifier - RevocationDataVerifier

    • isRevocationFallback

      boolean isRevocationFallback()
      Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
      Returns:
      revocation fallback

    • setRevocationFallback

      void setRevocationFallback(boolean revocationFallback)
      Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

      NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

      Parameters:
      revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

    • getTrustedCertSources

      ListCertificateSource getTrustedCertSources()
      Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.
      Returns:
      the certificate sources which contain trusted certificates

    • setTrustedCertSources

      void setTrustedCertSources(CertificateSource... certSources)
      Sets multiple trusted certificate sources.
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • addTrustedCertSources

      void addTrustedCertSources(CertificateSource... certSources)
      Adds trusted certificate sources to an existing list of trusted certificate sources
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • setTrustedCertSources

      void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)
      Sets a list of trusted certificate sources
      Parameters:
      trustedListCertificateSource - ListCertificateSource of trusted cert sources

    • getAdjunctCertSources

      ListCertificateSource getAdjunctCertSources()
      Returns the list of adjunct certificate sources assigned to this verifier.
      Returns:
      the certificate source which contains additional certificate (missing CA,...)

    • setAdjunctCertSources

      void setAdjunctCertSources(CertificateSource... certSources)
      Sets multiple adjunct certificate sources.
      Parameters:
      certSources - the certificate sources with additional and/or missing certificates

    • addAdjunctCertSources

      void addAdjunctCertSources(CertificateSource... certSources)
      Adds adjunct certificate sources to an existing list of adjunct certificate sources
      Parameters:
      certSources - The certificate sources with additional certificates

    • setAdjunctCertSources

      void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)
      Sets a list of adjunct certificate sources
      Parameters:
      adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

    • getAIASource

      AIASource getAIASource()
      Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Returns:
      aiaSource AIASource

    • setAIASource

      void setAIASource(AIASource aiaSource)
      Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Parameters:
      aiaSource - AIASource

    • setDefaultDigestAlgorithm

      void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm)
      This method allows to change the Digest Algorithm that will be used for tokens' digest calculation Default : DigestAlgorithm.SHA256
      Parameters:
      digestAlgorithm - DigestAlgorithm to use

    • getDefaultDigestAlgorithm

      DigestAlgorithm getDefaultDigestAlgorithm()
      This method returns a default Digest Algorithm what will be used for digest calculation
      Returns:
      DigestAlgorithm

    • setAlertOnInvalidTimestamp

      void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)
      This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

    • getAlertOnInvalidTimestamp

      StatusAlert getAlertOnInvalidTimestamp()
      This method returns the defined execution behaviour on invalid timestamp.
      Returns:
      StatusAlert to be processed in case of an invalid timestamp

    • setAlertOnMissingRevocationData

      void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)
      This method allows to change the behavior on missing revocation data (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

    • getAlertOnMissingRevocationData

      StatusAlert getAlertOnMissingRevocationData()
      This method returns the defined execution behaviour on missing revocation data.
      Returns:
      StatusAlert to be processed in case of missing revocation data

    • setAlertOnRevokedCertificate

      void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)
      This method allows to change the behavior on revoked certificates (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

    • getAlertOnRevokedCertificate

      StatusAlert getAlertOnRevokedCertificate()
      This method returns the defined execution behaviour on revoked certificate.
      Returns:
      StatusAlert to be processed in case of revoked certificate

    • setAlertOnNoRevocationAfterBestSignatureTime

      void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)
      This method allows to change the behavior on revocation data issued after a control time. Default : LogOnStatusAlert - log a warning.
      Parameters:
      alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

    • getAlertOnNoRevocationAfterBestSignatureTime

      StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()
      This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
      Returns:
      StatusAlert to be processed in case of no revocation data after best signature time

    • setAlertOnUncoveredPOE

      void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)
      This method allows to change the behavior on uncovered POE (timestamp). Default : LogOnStatusAlert - log a warning.
      Parameters:
      alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

    • getAlertOnUncoveredPOE

      StatusAlert getAlertOnUncoveredPOE()
      This method returns the defined execution behaviour on uncovered POE (timestamp).
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • setAlertOnExpiredSignature

      void setAlertOnExpiredSignature(StatusAlert alertOnUncoveredPOE)
      This method allows to change the behavior on expired signature (if the signing certificate or its POE(s) has been expired). Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnUncoveredPOE - defines a behaviour in case of an expired signature

    • getAlertOnExpiredSignature

      StatusAlert getAlertOnExpiredSignature()
      This method returns the defined execution behaviour on expired signature (if the signing certificate or its POE(s) has been expired).
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • setCheckRevocationForUntrustedChains

      void setCheckRevocationForUntrustedChains(boolean enable)
      This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)
      Parameters:
      enable - true if revocation checking is allowed for untrusted certificate chains

    • isCheckRevocationForUntrustedChains

      boolean isCheckRevocationForUntrustedChains()
      This method returns true if revocation check is enabled for untrusted certificate chains.
      Returns:
      true if external revocation check is done for untrusted certificate chains

    • setExtractPOEFromUntrustedChains

      void setExtractPOEFromUntrustedChains(boolean enable)
      This method allows enabling of POE extraction from timestamps coming from untrusted certificate chains. Default : FALSE (timestamps created with untrusted certificate chains are not considered as POE)
      Parameters:
      enable - true if POE extraction is allowed for timestamps from untrusted certificate chains

    • isExtractPOEFromUntrustedChains

      boolean isExtractPOEFromUntrustedChains()
      This method returns whether POEs should be extracted from timestamps coming from untrusted certificate chains.
      Returns:
      true if POEs should be extracted from timestamp with untrusted certificate chains