Package eu.europa.esig.dss.spi.validation

Interface CertificateVerifier

All Known Implementing Classes:

CommonCertificateVerifier

public interface CertificateVerifier

Provides information on the sources to be used in the validation process in the context of a signature.

Method Summary

Modifier and Type	Method	Description
void	addAdjunctCertSources(CertificateSource... certSources)	Adds adjunct certificate sources to an existing list of adjunct certificate sources
void	addTrustedCertSources(CertificateSource... certSources)	Adds trusted certificate sources to an existing list of trusted certificate sources
ListCertificateSource	getAdjunctCertSources()	Returns the list of adjunct certificate sources assigned to this verifier.
AIASource	getAIASource()	Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
StatusAlert	getAlertOnExpiredCertificate()	This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time).
StatusAlert	getAlertOnInvalidSignature()	This method returns the defined execution behaviour on invalid signature.
StatusAlert	getAlertOnInvalidTimestamp()	This method returns the defined execution behaviour on invalid timestamp.
StatusAlert	getAlertOnMissingRevocationData()	This method returns the defined execution behaviour on missing revocation data.
StatusAlert	getAlertOnNoRevocationAfterBestSignatureTime()	This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
StatusAlert	getAlertOnNotYetValidCertificate()	This method returns the defined behavior on signature creation with a not yet valid signing-certificate
StatusAlert	getAlertOnRevokedCertificate()	This method returns the defined execution behaviour on revoked certificate.
StatusAlert	getAlertOnUncoveredPOE()	This method returns the defined execution behaviour on uncovered POE (timestamp).
StatusAlert	getAugmentationAlertOnHigherSignatureLevel()	This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.
StatusAlert	getAugmentationAlertOnSelfSignedCertificateChains()	This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.
StatusAlert	getAugmentationAlertOnSignatureWithoutCertificates()	This method returns the defined augmentation behaviour for a signature without certificates.
RevocationSource<CRL>	getCrlSource()	Returns the CRL source associated with this verifier.
RevocationSource<OCSP>	getOcspSource()	Returns the OCSP source associated with this verifier.
RevocationDataLoadingStrategyFactory	getRevocationDataLoadingStrategyFactory()	Returns a factory used to create revocation data loading strategy associated with this verifier.
RevocationDataVerifier	getRevocationDataVerifier()	Returns a RevocationDataVerifier associated with this verifier.
TimestampTokenVerifier	getTimestampTokenVerifier()	Returns a TimestampTokenVerifier associated with this verifier.
TrustAnchorVerifier	getTrustAnchorVerifier()	Returns a TrustAnchorVerifier associated with this verifier.
ListCertificateSource	getTrustedCertSources()	Returns the trusted certificate sources associated with this verifier.
boolean	isCheckRevocationForUntrustedChains()	This method returns true if revocation check is enabled for untrusted certificate chains.
boolean	isRevocationFallback()	Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
void	setAdjunctCertSources(CertificateSource... certSources)	Sets multiple adjunct certificate sources.
void	setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)	Sets a list of adjunct certificate sources
void	setAIASource(AIASource aiaSource)	Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
void	setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)	This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time).
void	setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)	This method allows to change the behavior on invalid signature (T/LT/LTA augmentation).
void	setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)	This method allows to change the behavior on invalid timestamp (LT/LTA augmentation).
void	setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)	This method allows to change the behavior on missing revocation data (LT/LTA augmentation).
void	setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)	This method allows to change the behavior on revocation data issued after a control time.
void	setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)	This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) NULL value provides a possibility to skip check execution.
void	setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)	This method allows to change the behavior on revoked certificates (LT/LTA augmentation).
void	setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)	This method allows to change the behavior on uncovered POE (timestamp).
void	setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)	This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature.
void	setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)	This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains.
void	setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)	This method allows to change the augmentation behaviour for a signature without certificates.
void	setCheckRevocationForUntrustedChains(boolean enable)	This method allows enabling of revocation checking for untrusted certificate chains.
void	setCrlSource(RevocationSource<CRL> crlSource)	Defines the source of CRL used by this class
void	setOcspSource(RevocationSource<OCSP> ocspSource)	Defines the source of OCSP used by this class
void	setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)	Creates a strategy used to fetch OCSP or CRL for certificate validation.
void	setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)	Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data.
void	setRevocationFallback(boolean revocationFallback)	Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL).
void	setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)	Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.
void	setTrustAnchorVerifier(TrustAnchorVerifier trustAnchorVerifier)	Sets TrustAnchorVerifier used to validate acceptance of the trust anchors
void	setTrustedCertSources(CertificateSource... certSources)	Sets multiple trusted certificate sources.
void	setTrustedCertSources(ListCertificateSource trustedListCertificateSource)	Sets a list of trusted certificate sources

Method Details

getCrlSource

RevocationSource<CRL> getCrlSource()

Returns the CRL source associated with this verifier.

Returns:

the used CRL source for external access (web, filesystem, cached,...)

setCrlSource

void setCrlSource(RevocationSource<CRL> crlSource)

Defines the source of CRL used by this class

Parameters:

crlSource - the CRL source to set for external access (web, filesystem, cached,...)

getOcspSource

RevocationSource<OCSP> getOcspSource()

Returns the OCSP source associated with this verifier.

Returns:

the used OCSP source for external access (web, filesystem, cached,...)

setOcspSource

void setOcspSource(RevocationSource<OCSP> ocspSource)

Defines the source of OCSP used by this class

Parameters:

ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

getRevocationDataLoadingStrategyFactory

RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()

Returns a factory used to create revocation data loading strategy associated with this verifier.

Returns:

creates the defined strategy to fetch OCSP or CRL for certificate validation

setRevocationDataLoadingStrategyFactory

void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)

Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after

Parameters:

revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

getRevocationDataVerifier

RevocationDataVerifier getRevocationDataVerifier()

Returns a RevocationDataVerifier associated with this verifier.

Returns:

RevocationDataVerifier

setRevocationDataVerifier

void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)

Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

Parameters:

revocationDataVerifier - RevocationDataVerifier

isRevocationFallback

boolean isRevocationFallback()

Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).

Returns:

revocation fallback

setRevocationFallback

void setRevocationFallback(boolean revocationFallback)

Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

Parameters:

revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

getTimestampTokenVerifier

TimestampTokenVerifier getTimestampTokenVerifier()

Returns a TimestampTokenVerifier associated with this verifier.

Returns:

TimestampTokenVerifier

setTimestampTokenVerifier

void setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)

Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.

NOTE: This object is not synchronized by default with the used XML Validation Policy. Please configure the object yourself in case a customized behavior is expected for acceptance of timestamp tokens.

Parameters:

timestampTokenVerifier - TimestampTokenVerifier

getTrustAnchorVerifier

TrustAnchorVerifier getTrustAnchorVerifier()

Returns a TrustAnchorVerifier associated with this verifier.

Returns:

TrustAnchorVerifier

setTrustAnchorVerifier

void setTrustAnchorVerifier(TrustAnchorVerifier trustAnchorVerifier)

Sets TrustAnchorVerifier used to validate acceptance of the trust anchors

NOTE: This object is not synchronized by default with the used XML Validation Policy. The trusted certificate source set within CertificateVerifier is synchronized automatically unless explicitly defined within TrustAnchorVerifier. Please configure the object yourself in case a customized behavior is expected for acceptance of trust anchors.

Parameters:

trustAnchorVerifier - TrustAnchorVerifier

getTrustedCertSources

ListCertificateSource getTrustedCertSources()

Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.

Returns:

the certificate sources which contain trusted certificates

setTrustedCertSources

void setTrustedCertSources(CertificateSource... certSources)

Sets multiple trusted certificate sources.

Parameters:

certSources - The certificate sources with known trusted certificates

addTrustedCertSources

void addTrustedCertSources(CertificateSource... certSources)

Adds trusted certificate sources to an existing list of trusted certificate sources

Parameters:

certSources - The certificate sources with known trusted certificates

setTrustedCertSources

void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)

Sets a list of trusted certificate sources

Parameters:

trustedListCertificateSource - ListCertificateSource of trusted cert sources

getAdjunctCertSources

ListCertificateSource getAdjunctCertSources()

Returns the list of adjunct certificate sources assigned to this verifier.

Returns:

the certificate source which contains additional certificate (missing CA,...)

setAdjunctCertSources

void setAdjunctCertSources(CertificateSource... certSources)

Sets multiple adjunct certificate sources.

Parameters:

certSources - the certificate sources with additional and/or missing certificates

addAdjunctCertSources

void addAdjunctCertSources(CertificateSource... certSources)

Adds adjunct certificate sources to an existing list of adjunct certificate sources

Parameters:

certSources - The certificate sources with additional certificates

setAdjunctCertSources

void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)

Sets a list of adjunct certificate sources

Parameters:

adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

getAIASource

AIASource getAIASource()

Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token

Returns:

aiaSource AIASource

setAIASource

void setAIASource(AIASource aiaSource)

Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token

Parameters:

aiaSource - AIASource

setAlertOnInvalidSignature

void setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)

This method allows to change the behavior on invalid signature (T/LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnInvalidSignature - defines a behaviour in case of invalid signature

getAlertOnInvalidSignature

StatusAlert getAlertOnInvalidSignature()

This method returns the defined execution behaviour on invalid signature.

Returns:

StatusAlert to be processed in case of an invalid signature

setAlertOnInvalidTimestamp

void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)

This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

getAlertOnInvalidTimestamp

StatusAlert getAlertOnInvalidTimestamp()

This method returns the defined execution behaviour on invalid timestamp.

Returns:

StatusAlert to be processed in case of an invalid timestamp

setAlertOnMissingRevocationData

void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)

This method allows to change the behavior on missing revocation data (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

getAlertOnMissingRevocationData

StatusAlert getAlertOnMissingRevocationData()

This method returns the defined execution behaviour on missing revocation data.

Returns:

StatusAlert to be processed in case of missing revocation data

setAlertOnRevokedCertificate

void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)

This method allows to change the behavior on revoked certificates (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

getAlertOnRevokedCertificate

StatusAlert getAlertOnRevokedCertificate()

This method returns the defined execution behaviour on revoked certificate.

Returns:

StatusAlert to be processed in case of revoked certificate

setAlertOnNoRevocationAfterBestSignatureTime

void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)

This method allows to change the behavior on revocation data issued after a control time. NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.

Parameters:

alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

getAlertOnNoRevocationAfterBestSignatureTime

StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()

This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime

Returns:

StatusAlert to be processed in case of no revocation data after best signature time

setAlertOnUncoveredPOE

void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)

This method allows to change the behavior on uncovered POE (timestamp). NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.

Parameters:

alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

getAlertOnUncoveredPOE

StatusAlert getAlertOnUncoveredPOE()

This method returns the defined execution behaviour on uncovered POE (timestamp).

Returns:

StatusAlert to be processed in case of uncovered POE

setAlertOnExpiredCertificate

void setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)

This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnExpiredCertificate - defines behavior in case of an expired signing-certificate

getAlertOnExpiredCertificate

StatusAlert getAlertOnExpiredCertificate()

This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation.

Returns:

StatusAlert to process in case of a signature with an expired certificate

setAlertOnNotYetValidCertificate

void setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)

This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnNotYetValidCertificate - defines behavior in case of a not yet valid signing-certificate

getAlertOnNotYetValidCertificate

StatusAlert getAlertOnNotYetValidCertificate()

This method returns the defined behavior on signature creation with a not yet valid signing-certificate

Returns:

StatusAlert to process in case of a signature with a not yet valid signing-certificate

setAugmentationAlertOnHigherSignatureLevel

void setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)

This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnHigherSignatureLevel - defines augmentation behaviour for a signature of a higher level or a document containing a such signature.

getAugmentationAlertOnHigherSignatureLevel

StatusAlert getAugmentationAlertOnHigherSignatureLevel()

This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.

Returns:

StatusAlert to be processed in case of a signature of a higher level or a document containing a such signature.

setAugmentationAlertOnSignatureWithoutCertificates

void setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)

This method allows to change the augmentation behaviour for a signature without certificates. The alert is triggered when no certificate is defined within the signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnSignatureWithoutCertificates - defines augmentation behaviour for a signature without certificates.

getAugmentationAlertOnSignatureWithoutCertificates

StatusAlert getAugmentationAlertOnSignatureWithoutCertificates()

This method returns the defined augmentation behaviour for a signature without certificates.

Returns:

StatusAlert to be processed in case of a signature without certificates

setAugmentationAlertOnSelfSignedCertificateChains

void setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)

This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains. The alert is triggered when all used certificates are self-signed. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnSelfSignedCertificateChains - defines augmentation behaviour for a signature containing only self-signed certificate chains.

getAugmentationAlertOnSelfSignedCertificateChains

StatusAlert getAugmentationAlertOnSelfSignedCertificateChains()

This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.

Returns:

StatusAlert to be processed in case of a signature containing only self-signed certificate chains

setCheckRevocationForUntrustedChains

void setCheckRevocationForUntrustedChains(boolean enable)

This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)

Parameters:

enable - true if revocation checking is allowed for untrusted certificate chains

isCheckRevocationForUntrustedChains

boolean isCheckRevocationForUntrustedChains()

This method returns true if revocation check is enabled for untrusted certificate chains.

Returns:

true if external revocation check is done for untrusted certificate chains