Package eu.europa.esig.dss.validation

Class CommonCertificateVerifier

java.lang.Object
eu.europa.esig.dss.validation.CommonCertificateVerifier
All Implemented Interfaces:
CertificateVerifier
public class CommonCertificateVerifier extends Object implements CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source;
- AIA source to give access to the certificates through AIA.

  • Constructor Details

    • CommonCertificateVerifier

      public CommonCertificateVerifier()
      The default constructor. The DataLoader is created to allow the retrieval of certificates through AIA.

    • CommonCertificateVerifier

      public CommonCertificateVerifier(boolean simpleCreationOnly)
      This constructor allows creating of CommonCertificateVerifier without DataLoader. It means that only a -B profile signature can be created.
      Parameters:
      simpleCreationOnly - if true the CommonCertificateVerifier will not contain AIASource.

  • Method Details

    • getCrlSource

      public RevocationSource<eu.europa.esig.dss.model.x509.revocation.crl.CRL> getCrlSource()
      Description copied from interface: CertificateVerifier
      Returns the CRL source associated with this verifier.
      Specified by:
      getCrlSource in interface CertificateVerifier
      Returns:
      the used CRL source for external access (web, filesystem, cached,...)

    • setCrlSource

      public void setCrlSource(RevocationSource<eu.europa.esig.dss.model.x509.revocation.crl.CRL> crlSource)
      Description copied from interface: CertificateVerifier
      Defines the source of CRL used by this class
      Specified by:
      setCrlSource in interface CertificateVerifier
      Parameters:
      crlSource - the CRL source to set for external access (web, filesystem, cached,...)

    • getOcspSource

      public RevocationSource<eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP> getOcspSource()
      Description copied from interface: CertificateVerifier
      Returns the OCSP source associated with this verifier.
      Specified by:
      getOcspSource in interface CertificateVerifier
      Returns:
      the used OCSP source for external access (web, filesystem, cached,...)

    • setOcspSource

      public void setOcspSource(RevocationSource<eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP> ocspSource)
      Description copied from interface: CertificateVerifier
      Defines the source of OCSP used by this class
      Specified by:
      setOcspSource in interface CertificateVerifier
      Parameters:
      ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

    • getRevocationDataLoadingStrategyFactory

      public RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()
      Description copied from interface: CertificateVerifier
      Returns a factory used to create revocation data loading strategy associated with this verifier.
      Specified by:
      getRevocationDataLoadingStrategyFactory in interface CertificateVerifier
      Returns:
      creates the defined strategy to fetch OCSP or CRL for certificate validation

    • setRevocationDataLoadingStrategyFactory

      public void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)
      Description copied from interface: CertificateVerifier
      Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after
      Specified by:
      setRevocationDataLoadingStrategyFactory in interface CertificateVerifier
      Parameters:
      revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

    • getRevocationDataVerifier

      public RevocationDataVerifier getRevocationDataVerifier()
      Description copied from interface: CertificateVerifier
      Returns a RevocationDataVerifier associated with this verifier.
      Specified by:
      getRevocationDataVerifier in interface CertificateVerifier
      Returns:
      RevocationDataVerifier

    • setRevocationDataVerifier

      public void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)
      Description copied from interface: CertificateVerifier
      Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

      NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

      Specified by:
      setRevocationDataVerifier in interface CertificateVerifier
      Parameters:
      revocationDataVerifier - RevocationDataVerifier

    • isRevocationFallback

      public boolean isRevocationFallback()
      Description copied from interface: CertificateVerifier
      Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
      Specified by:
      isRevocationFallback in interface CertificateVerifier
      Returns:
      revocation fallback

    • setRevocationFallback

      public void setRevocationFallback(boolean revocationFallback)
      Description copied from interface: CertificateVerifier
      Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

      NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

      Specified by:
      setRevocationFallback in interface CertificateVerifier
      Parameters:
      revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

    • getTrustedCertSources

      public ListCertificateSource getTrustedCertSources()
      Description copied from interface: CertificateVerifier
      Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.
      Specified by:
      getTrustedCertSources in interface CertificateVerifier
      Returns:
      the certificate sources which contain trusted certificates

    • setTrustedCertSources

      public void setTrustedCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Sets multiple trusted certificate sources.
      Specified by:
      setTrustedCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • addTrustedCertSources

      public void addTrustedCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Adds trusted certificate sources to an existing list of trusted certificate sources
      Specified by:
      addTrustedCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • setTrustedCertSources

      public void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)
      Description copied from interface: CertificateVerifier
      Sets a list of trusted certificate sources
      Specified by:
      setTrustedCertSources in interface CertificateVerifier
      Parameters:
      trustedListCertificateSource - ListCertificateSource of trusted cert sources

    • getAdjunctCertSources

      public ListCertificateSource getAdjunctCertSources()
      Description copied from interface: CertificateVerifier
      Returns the list of adjunct certificate sources assigned to this verifier.
      Specified by:
      getAdjunctCertSources in interface CertificateVerifier
      Returns:
      the certificate source which contains additional certificate (missing CA,...)

    • setAdjunctCertSources

      public void setAdjunctCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Sets multiple adjunct certificate sources.
      Specified by:
      setAdjunctCertSources in interface CertificateVerifier
      Parameters:
      certSources - the certificate sources with additional and/or missing certificates

    • addAdjunctCertSources

      public void addAdjunctCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Adds adjunct certificate sources to an existing list of adjunct certificate sources
      Specified by:
      addAdjunctCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with additional certificates

    • setAdjunctCertSources

      public void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)
      Description copied from interface: CertificateVerifier
      Sets a list of adjunct certificate sources
      Specified by:
      setAdjunctCertSources in interface CertificateVerifier
      Parameters:
      adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

    • getAIASource

      public AIASource getAIASource()
      Description copied from interface: CertificateVerifier
      Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Specified by:
      getAIASource in interface CertificateVerifier
      Returns:
      aiaSource AIASource

    • setAIASource

      public void setAIASource(AIASource aiaSource)
      Description copied from interface: CertificateVerifier
      Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Specified by:
      setAIASource in interface CertificateVerifier
      Parameters:
      aiaSource - AIASource

    • getAlertOnInvalidTimestamp

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnInvalidTimestamp()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on invalid timestamp.
      Specified by:
      getAlertOnInvalidTimestamp in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of an invalid timestamp

    • setAlertOnInvalidTimestamp

      public void setAlertOnInvalidTimestamp(eu.europa.esig.dss.alert.StatusAlert alertOnInvalidTimestamp)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnInvalidTimestamp in interface CertificateVerifier
      Parameters:
      alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

    • getAlertOnMissingRevocationData

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnMissingRevocationData()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on missing revocation data.
      Specified by:
      getAlertOnMissingRevocationData in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of missing revocation data

    • setAlertOnMissingRevocationData

      public void setAlertOnMissingRevocationData(eu.europa.esig.dss.alert.StatusAlert alertOnMissingRevocationData)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on missing revocation data (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnMissingRevocationData in interface CertificateVerifier
      Parameters:
      alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

    • getAlertOnUncoveredPOE

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnUncoveredPOE()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on uncovered POE (timestamp).
      Specified by:
      getAlertOnUncoveredPOE in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • setAlertOnUncoveredPOE

      public void setAlertOnUncoveredPOE(eu.europa.esig.dss.alert.StatusAlert alertOnUncoveredPOE)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on uncovered POE (timestamp). Default : LogOnStatusAlert - log a warning.
      Specified by:
      setAlertOnUncoveredPOE in interface CertificateVerifier
      Parameters:
      alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

    • getAlertOnRevokedCertificate

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnRevokedCertificate()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on revoked certificate.
      Specified by:
      getAlertOnRevokedCertificate in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of revoked certificate

    • setAlertOnRevokedCertificate

      public void setAlertOnRevokedCertificate(eu.europa.esig.dss.alert.StatusAlert alertOnRevokedCertificate)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on revoked certificates (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnRevokedCertificate in interface CertificateVerifier
      Parameters:
      alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

    • getAlertOnNoRevocationAfterBestSignatureTime

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
      Specified by:
      getAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of no revocation data after best signature time

    • setAlertOnNoRevocationAfterBestSignatureTime

      public void setAlertOnNoRevocationAfterBestSignatureTime(eu.europa.esig.dss.alert.StatusAlert alertOnNoRevocationAfterBestSignatureTime)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on revocation data issued after a control time. Default : LogOnStatusAlert - log a warning.
      Specified by:
      setAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
      Parameters:
      alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

    • setAlertOnExpiredSignature

      public void setAlertOnExpiredSignature(eu.europa.esig.dss.alert.StatusAlert alertOnExpiredSignature)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on expired signature (if the signing certificate or its POE(s) has been expired). Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnExpiredSignature in interface CertificateVerifier
      Parameters:
      alertOnExpiredSignature - defines a behaviour in case of an expired signature

    • getAlertOnExpiredSignature

      public eu.europa.esig.dss.alert.StatusAlert getAlertOnExpiredSignature()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on expired signature (if the signing certificate or its POE(s) has been expired).
      Specified by:
      getAlertOnExpiredSignature in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • isCheckRevocationForUntrustedChains

      public boolean isCheckRevocationForUntrustedChains()
      Description copied from interface: CertificateVerifier
      This method returns true if revocation check is enabled for untrusted certificate chains.
      Specified by:
      isCheckRevocationForUntrustedChains in interface CertificateVerifier
      Returns:
      true if external revocation check is done for untrusted certificate chains

    • setCheckRevocationForUntrustedChains

      public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains)
      Description copied from interface: CertificateVerifier
      This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)
      Specified by:
      setCheckRevocationForUntrustedChains in interface CertificateVerifier
      Parameters:
      checkRevocationForUntrustedChains - true if revocation checking is allowed for untrusted certificate chains

    • isExtractPOEFromUntrustedChains

      public boolean isExtractPOEFromUntrustedChains()
      Description copied from interface: CertificateVerifier
      This method returns whether POEs should be extracted from timestamps coming from untrusted certificate chains.
      Specified by:
      isExtractPOEFromUntrustedChains in interface CertificateVerifier
      Returns:
      true if POEs should be extracted from timestamp with untrusted certificate chains

    • setExtractPOEFromUntrustedChains

      public void setExtractPOEFromUntrustedChains(boolean extractPOEFromUntrustedChains)
      Description copied from interface: CertificateVerifier
      This method allows enabling of POE extraction from timestamps coming from untrusted certificate chains. Default : FALSE (timestamps created with untrusted certificate chains are not considered as POE)
      Specified by:
      setExtractPOEFromUntrustedChains in interface CertificateVerifier
      Parameters:
      extractPOEFromUntrustedChains - true if POE extraction is allowed for timestamps from untrusted certificate chains

    • setDefaultDigestAlgorithm

      public void setDefaultDigestAlgorithm(eu.europa.esig.dss.enumerations.DigestAlgorithm digestAlgorithm)
      Description copied from interface: CertificateVerifier
      This method allows to change the Digest Algorithm that will be used for tokens' digest calculation Default : DigestAlgorithm.SHA256
      Specified by:
      setDefaultDigestAlgorithm in interface CertificateVerifier
      Parameters:
      digestAlgorithm - DigestAlgorithm to use

    • getDefaultDigestAlgorithm

      public eu.europa.esig.dss.enumerations.DigestAlgorithm getDefaultDigestAlgorithm()
      Description copied from interface: CertificateVerifier
      This method returns a default Digest Algorithm what will be used for digest calculation
      Specified by:
      getDefaultDigestAlgorithm in interface CertificateVerifier
      Returns:
      DigestAlgorithm