Package eu.europa.esig.dss.validation
Class CommonCertificateVerifier
java.lang.Object
eu.europa.esig.dss.validation.CommonCertificateVerifier
- All Implemented Interfaces:
CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are
four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source;
- AIA source to give access to the certificates through AIA.
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source;
- AIA source to give access to the certificates through AIA.
-
Constructor Summary
ConstructorsConstructorDescriptionThe default constructor.CommonCertificateVerifier(boolean simpleCreationOnly) This constructor allows creating ofCommonCertificateVerifierwithoutDataLoader. -
Method Summary
Modifier and TypeMethodDescriptionvoidaddAdjunctCertSources(CertificateSource... certSources) Adds adjunct certificate sources to an existing list of adjunct certificate sourcesvoidaddTrustedCertSources(CertificateSource... certSources) Adds trusted certificate sources to an existing list of trusted certificate sourcesReturns the list of adjunct certificate sources assigned to this verifier.Gets the AIASource used to load aeu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the tokenThis method returns the defined execution behaviour on expired signature (if the signing certificate or its POE(s) has been expired).This method returns the defined execution behaviour on invalid timestamp.This method returns the defined execution behaviour on missing revocation data.This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTimeThis method returns the defined execution behaviour on revoked certificate.This method returns the defined execution behaviour on uncovered POE (timestamp).Returns the CRL source associated with this verifier.This method returns a default Digest Algorithm what will be used for digest calculationReturns the OCSP source associated with this verifier.Returns a factory used to create revocation data loading strategy associated with this verifier.Returns aRevocationDataVerifierassociated with this verifier.Returns the trusted certificate sources associated with this verifier.booleanThis method returns true if revocation check is enabled for untrusted certificate chains.booleanThis method returns whether POEs should be extracted from timestamps coming from untrusted certificate chains.booleanReturns whether revocation data still shall be returned if validation of requested revocation data failed (i.e.voidsetAdjunctCertSources(CertificateSource... certSources) Sets multiple adjunct certificate sources.voidsetAdjunctCertSources(ListCertificateSource adjunctListCertificateSource) Sets a list of adjunct certificate sourcesvoidsetAIASource(AIASource aiaSource) Sets the AIASource used to load aeu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the tokenvoidsetAlertOnExpiredSignature(StatusAlert alertOnExpiredSignature) This method allows to change the behavior on expired signature (if the signing certificate or its POE(s) has been expired).voidsetAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp) This method allows to change the behavior on invalid timestamp (LT/LTA augmentation).voidsetAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData) This method allows to change the behavior on missing revocation data (LT/LTA augmentation).voidsetAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime) This method allows to change the behavior on revocation data issued after a control time.voidsetAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate) This method allows to change the behavior on revoked certificates (LT/LTA augmentation).voidsetAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE) This method allows to change the behavior on uncovered POE (timestamp).voidsetCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains) This method allows enabling of revocation checking for untrusted certificate chains.voidsetCrlSource(RevocationSource<CRL> crlSource) Defines the source of CRL used by this classvoidsetDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm) This method allows to change the Digest Algorithm that will be used for tokens' digest calculation Default :DigestAlgorithm.SHA256voidsetExtractPOEFromUntrustedChains(boolean extractPOEFromUntrustedChains) This method allows enabling of POE extraction from timestamps coming from untrusted certificate chains.voidsetOcspSource(RevocationSource<OCSP> ocspSource) Defines the source of OCSP used by this classvoidsetRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory) Creates a strategy used to fetch OCSP or CRL for certificate validation.voidsetRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier) SetsRevocationDataVerifierused to validate acceptance of the retrieved (from offline or online sources) revocation data.voidsetRevocationFallback(boolean revocationFallback) Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e.voidsetTrustedCertSources(CertificateSource... certSources) Sets multiple trusted certificate sources.voidsetTrustedCertSources(ListCertificateSource trustedListCertificateSource) Sets a list of trusted certificate sources
-
Constructor Details
-
CommonCertificateVerifier
public CommonCertificateVerifier()The default constructor. TheDataLoaderis created to allow the retrieval of certificates through AIA. -
CommonCertificateVerifier
public CommonCertificateVerifier(boolean simpleCreationOnly) This constructor allows creating ofCommonCertificateVerifierwithoutDataLoader. It means that only a -B profile signature can be created.- Parameters:
simpleCreationOnly- if true theCommonCertificateVerifierwill not containAIASource.
-
-
Method Details
-
getCrlSource
Description copied from interface:CertificateVerifierReturns the CRL source associated with this verifier.- Specified by:
getCrlSourcein interfaceCertificateVerifier- Returns:
- the used CRL source for external access (web, filesystem, cached,...)
-
setCrlSource
Description copied from interface:CertificateVerifierDefines the source of CRL used by this class- Specified by:
setCrlSourcein interfaceCertificateVerifier- Parameters:
crlSource- the CRL source to set for external access (web, filesystem, cached,...)
-
getOcspSource
Description copied from interface:CertificateVerifierReturns the OCSP source associated with this verifier.- Specified by:
getOcspSourcein interfaceCertificateVerifier- Returns:
- the used OCSP source for external access (web, filesystem, cached,...)
-
setOcspSource
Description copied from interface:CertificateVerifierDefines the source of OCSP used by this class- Specified by:
setOcspSourcein interfaceCertificateVerifier- Parameters:
ocspSource- the OCSP source to set for external access (web, filesystem, cached,...)
-
getRevocationDataLoadingStrategyFactory
Description copied from interface:CertificateVerifierReturns a factory used to create revocation data loading strategy associated with this verifier.- Specified by:
getRevocationDataLoadingStrategyFactoryin interfaceCertificateVerifier- Returns:
- creates the defined strategy to fetch OCSP or CRL for certificate validation
-
setRevocationDataLoadingStrategyFactory
public void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory) Description copied from interface:CertificateVerifierCreates a strategy used to fetch OCSP or CRL for certificate validation. Default:OCSPFirstRevocationDataLoadingStrategyFactoryused to create a strategy to extract OCSP token first and CRL after- Specified by:
setRevocationDataLoadingStrategyFactoryin interfaceCertificateVerifier- Parameters:
revocationDataLoadingStrategyFactory-RevocationDataLoadingStrategyFactory
-
getRevocationDataVerifier
Description copied from interface:CertificateVerifierReturns aRevocationDataVerifierassociated with this verifier.- Specified by:
getRevocationDataVerifierin interfaceCertificateVerifier- Returns:
RevocationDataVerifier
-
setRevocationDataVerifier
Description copied from interface:CertificateVerifierSetsRevocationDataVerifierused to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.NOTE: It is not recommended to use the same instance of
RevocationDataVerifierwithin differentCertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a newRevocationDataVerifierper eachCertificateVerifier.- Specified by:
setRevocationDataVerifierin interfaceCertificateVerifier- Parameters:
revocationDataVerifier-RevocationDataVerifier
-
isRevocationFallback
public boolean isRevocationFallback()Description copied from interface:CertificateVerifierReturns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).- Specified by:
isRevocationFallbackin interfaceCertificateVerifier- Returns:
- revocation fallback
-
setRevocationFallback
public void setRevocationFallback(boolean revocationFallback) Description copied from interface:CertificateVerifierSets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation
- Specified by:
setRevocationFallbackin interfaceCertificateVerifier- Parameters:
revocationFallback- whether invalid revocation data shall be returned, when not valid revocation available
-
getTrustedCertSources
Description copied from interface:CertificateVerifierReturns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.- Specified by:
getTrustedCertSourcesin interfaceCertificateVerifier- Returns:
- the certificate sources which contain trusted certificates
-
setTrustedCertSources
Description copied from interface:CertificateVerifierSets multiple trusted certificate sources.- Specified by:
setTrustedCertSourcesin interfaceCertificateVerifier- Parameters:
certSources- The certificate sources with known trusted certificates
-
addTrustedCertSources
Description copied from interface:CertificateVerifierAdds trusted certificate sources to an existing list of trusted certificate sources- Specified by:
addTrustedCertSourcesin interfaceCertificateVerifier- Parameters:
certSources- The certificate sources with known trusted certificates
-
setTrustedCertSources
Description copied from interface:CertificateVerifierSets a list of trusted certificate sources- Specified by:
setTrustedCertSourcesin interfaceCertificateVerifier- Parameters:
trustedListCertificateSource-ListCertificateSourceof trusted cert sources
-
getAdjunctCertSources
Description copied from interface:CertificateVerifierReturns the list of adjunct certificate sources assigned to this verifier.- Specified by:
getAdjunctCertSourcesin interfaceCertificateVerifier- Returns:
- the certificate source which contains additional certificate (missing CA,...)
-
setAdjunctCertSources
Description copied from interface:CertificateVerifierSets multiple adjunct certificate sources.- Specified by:
setAdjunctCertSourcesin interfaceCertificateVerifier- Parameters:
certSources- the certificate sources with additional and/or missing certificates
-
addAdjunctCertSources
Description copied from interface:CertificateVerifierAdds adjunct certificate sources to an existing list of adjunct certificate sources- Specified by:
addAdjunctCertSourcesin interfaceCertificateVerifier- Parameters:
certSources- The certificate sources with additional certificates
-
setAdjunctCertSources
Description copied from interface:CertificateVerifierSets a list of adjunct certificate sources- Specified by:
setAdjunctCertSourcesin interfaceCertificateVerifier- Parameters:
adjunctListCertificateSource-ListCertificateSourceof adjunct cert sources
-
getAIASource
Description copied from interface:CertificateVerifierGets the AIASource used to load aeu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token- Specified by:
getAIASourcein interfaceCertificateVerifier- Returns:
- aiaSource
AIASource
-
setAIASource
Description copied from interface:CertificateVerifierSets the AIASource used to load aeu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token- Specified by:
setAIASourcein interfaceCertificateVerifier- Parameters:
aiaSource-AIASource
-
getAlertOnInvalidTimestamp
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour on invalid timestamp.- Specified by:
getAlertOnInvalidTimestampin interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of an invalid timestamp
-
setAlertOnInvalidTimestamp
Description copied from interface:CertificateVerifierThis method allows to change the behavior on invalid timestamp (LT/LTA augmentation). Default :ExceptionOnStatusAlert- throw an exception.- Specified by:
setAlertOnInvalidTimestampin interfaceCertificateVerifier- Parameters:
alertOnInvalidTimestamp- defines a behaviour in case of invalid timestamp
-
getAlertOnMissingRevocationData
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour on missing revocation data.- Specified by:
getAlertOnMissingRevocationDatain interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of missing revocation data
-
setAlertOnMissingRevocationData
Description copied from interface:CertificateVerifierThis method allows to change the behavior on missing revocation data (LT/LTA augmentation). Default :ExceptionOnStatusAlert- throw an exception.- Specified by:
setAlertOnMissingRevocationDatain interfaceCertificateVerifier- Parameters:
alertOnMissingRevocationData- defines a behaviour in case of missing revocation data
-
getAlertOnUncoveredPOE
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour on uncovered POE (timestamp).- Specified by:
getAlertOnUncoveredPOEin interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of uncovered POE
-
setAlertOnUncoveredPOE
Description copied from interface:CertificateVerifierThis method allows to change the behavior on uncovered POE (timestamp). Default :LogOnStatusAlert- log a warning.- Specified by:
setAlertOnUncoveredPOEin interfaceCertificateVerifier- Parameters:
alertOnUncoveredPOE- defines a behaviour in case of uncovered POE
-
getAlertOnRevokedCertificate
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour on revoked certificate.- Specified by:
getAlertOnRevokedCertificatein interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of revoked certificate
-
setAlertOnRevokedCertificate
Description copied from interface:CertificateVerifierThis method allows to change the behavior on revoked certificates (LT/LTA augmentation). Default :ExceptionOnStatusAlert- throw an exception.- Specified by:
setAlertOnRevokedCertificatein interfaceCertificateVerifier- Parameters:
alertOnRevokedCertificate- defines a behaviour in case of revoked certificate
-
getAlertOnNoRevocationAfterBestSignatureTime
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime- Specified by:
getAlertOnNoRevocationAfterBestSignatureTimein interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of no revocation data after best signature time
-
setAlertOnNoRevocationAfterBestSignatureTime
public void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime) Description copied from interface:CertificateVerifierThis method allows to change the behavior on revocation data issued after a control time. Default :LogOnStatusAlert- log a warning.- Specified by:
setAlertOnNoRevocationAfterBestSignatureTimein interfaceCertificateVerifier- Parameters:
alertOnNoRevocationAfterBestSignatureTime- defines a behaviour in case of no revocation data issued after the bestSignatureTime
-
setAlertOnExpiredSignature
Description copied from interface:CertificateVerifierThis method allows to change the behavior on expired signature (if the signing certificate or its POE(s) has been expired). Default :ExceptionOnStatusAlert- throw an exception.- Specified by:
setAlertOnExpiredSignaturein interfaceCertificateVerifier- Parameters:
alertOnExpiredSignature- defines a behaviour in case of an expired signature
-
getAlertOnExpiredSignature
Description copied from interface:CertificateVerifierThis method returns the defined execution behaviour on expired signature (if the signing certificate or its POE(s) has been expired).- Specified by:
getAlertOnExpiredSignaturein interfaceCertificateVerifier- Returns:
StatusAlertto be processed in case of uncovered POE
-
isCheckRevocationForUntrustedChains
public boolean isCheckRevocationForUntrustedChains()Description copied from interface:CertificateVerifierThis method returns true if revocation check is enabled for untrusted certificate chains.- Specified by:
isCheckRevocationForUntrustedChainsin interfaceCertificateVerifier- Returns:
- true if external revocation check is done for untrusted certificate chains
-
setCheckRevocationForUntrustedChains
public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains) Description copied from interface:CertificateVerifierThis method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)- Specified by:
setCheckRevocationForUntrustedChainsin interfaceCertificateVerifier- Parameters:
checkRevocationForUntrustedChains- true if revocation checking is allowed for untrusted certificate chains
-
isExtractPOEFromUntrustedChains
public boolean isExtractPOEFromUntrustedChains()Description copied from interface:CertificateVerifierThis method returns whether POEs should be extracted from timestamps coming from untrusted certificate chains.- Specified by:
isExtractPOEFromUntrustedChainsin interfaceCertificateVerifier- Returns:
- true if POEs should be extracted from timestamp with untrusted certificate chains
-
setExtractPOEFromUntrustedChains
public void setExtractPOEFromUntrustedChains(boolean extractPOEFromUntrustedChains) Description copied from interface:CertificateVerifierThis method allows enabling of POE extraction from timestamps coming from untrusted certificate chains. Default : FALSE (timestamps created with untrusted certificate chains are not considered as POE)- Specified by:
setExtractPOEFromUntrustedChainsin interfaceCertificateVerifier- Parameters:
extractPOEFromUntrustedChains- true if POE extraction is allowed for timestamps from untrusted certificate chains
-
setDefaultDigestAlgorithm
Description copied from interface:CertificateVerifierThis method allows to change the Digest Algorithm that will be used for tokens' digest calculation Default :DigestAlgorithm.SHA256- Specified by:
setDefaultDigestAlgorithmin interfaceCertificateVerifier- Parameters:
digestAlgorithm-DigestAlgorithmto use
-
getDefaultDigestAlgorithm
Description copied from interface:CertificateVerifierThis method returns a default Digest Algorithm what will be used for digest calculation- Specified by:
getDefaultDigestAlgorithmin interfaceCertificateVerifier- Returns:
DigestAlgorithm
-