Package eu.europa.esig.dss.spi.validation

Interface CertificateVerifier

All Known Implementing Classes:
CommonCertificateVerifier
public interface CertificateVerifier
Provides information on the sources to be used in the validation process in the context of a signature.

  • Method Details

    • getCrlSource

      RevocationSource<CRL> getCrlSource()
      Returns the CRL source associated with this verifier.
      Returns:
      the used CRL source for external access (web, filesystem, cached,...)

    • setCrlSource

      void setCrlSource(RevocationSource<CRL> crlSource)
      Defines the source of CRL used by this class
      Parameters:
      crlSource - the CRL source to set for external access (web, filesystem, cached,...)

    • getOcspSource

      RevocationSource<OCSP> getOcspSource()
      Returns the OCSP source associated with this verifier.
      Returns:
      the used OCSP source for external access (web, filesystem, cached,...)

    • setOcspSource

      void setOcspSource(RevocationSource<OCSP> ocspSource)
      Defines the source of OCSP used by this class
      Parameters:
      ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

    • getRevocationDataLoadingStrategyFactory

      RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()
      Returns a factory used to create revocation data loading strategy associated with this verifier.
      Returns:
      creates the defined strategy to fetch OCSP or CRL for certificate validation

    • setRevocationDataLoadingStrategyFactory

      void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)
      Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after
      Parameters:
      revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

    • getRevocationDataVerifier

      RevocationDataVerifier getRevocationDataVerifier()
      Returns a RevocationDataVerifier associated with this verifier.
      Returns:
      RevocationDataVerifier

    • setRevocationDataVerifier

      void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)
      Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

      NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

      Parameters:
      revocationDataVerifier - RevocationDataVerifier

    • isRevocationFallback

      boolean isRevocationFallback()
      Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
      Returns:
      revocation fallback

    • setRevocationFallback

      void setRevocationFallback(boolean revocationFallback)
      Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

      NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

      Parameters:
      revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

    • getTimestampTokenVerifier

      TimestampTokenVerifier getTimestampTokenVerifier()
      Returns a TimestampTokenVerifier associated with this verifier.
      Returns:
      TimestampTokenVerifier

    • setTimestampTokenVerifier

      void setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)
      Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.

      NOTE: This object is not synchronized by default with the used XML Validation Policy. Please configure the object yourself in case a customized behavior is expected for acceptance of timestamp tokens.

      Parameters:
      timestampTokenVerifier - TimestampTokenVerifier

    • getTrustAnchorVerifier

      TrustAnchorVerifier getTrustAnchorVerifier()
      Returns a TrustAnchorVerifier associated with this verifier.
      Returns:
      TrustAnchorVerifier

    • setTrustAnchorVerifier

      void setTrustAnchorVerifier(TrustAnchorVerifier trustAnchorVerifier)
      Sets TrustAnchorVerifier used to validate acceptance of the trust anchors

      NOTE: This object is not synchronized by default with the used XML Validation Policy. The trusted certificate source set within CertificateVerifier is synchronized automatically unless explicitly defined within TrustAnchorVerifier. Please configure the object yourself in case a customized behavior is expected for acceptance of trust anchors.

      Parameters:
      trustAnchorVerifier - TrustAnchorVerifier

    • getTrustedCertSources

      ListCertificateSource getTrustedCertSources()
      Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.
      Returns:
      the certificate sources which contain trusted certificates

    • setTrustedCertSources

      void setTrustedCertSources(CertificateSource... certSources)
      Sets multiple trusted certificate sources.
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • addTrustedCertSources

      void addTrustedCertSources(CertificateSource... certSources)
      Adds trusted certificate sources to an existing list of trusted certificate sources
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • setTrustedCertSources

      void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)
      Sets a list of trusted certificate sources
      Parameters:
      trustedListCertificateSource - ListCertificateSource of trusted cert sources

    • getAdjunctCertSources

      ListCertificateSource getAdjunctCertSources()
      Returns the list of adjunct certificate sources assigned to this verifier.
      Returns:
      the certificate source which contains additional certificate (missing CA,...)

    • setAdjunctCertSources

      void setAdjunctCertSources(CertificateSource... certSources)
      Sets multiple adjunct certificate sources.
      Parameters:
      certSources - the certificate sources with additional and/or missing certificates

    • addAdjunctCertSources

      void addAdjunctCertSources(CertificateSource... certSources)
      Adds adjunct certificate sources to an existing list of adjunct certificate sources
      Parameters:
      certSources - The certificate sources with additional certificates

    • setAdjunctCertSources

      void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)
      Sets a list of adjunct certificate sources
      Parameters:
      adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

    • getAIASource

      AIASource getAIASource()
      Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Returns:
      aiaSource AIASource

    • setAIASource

      void setAIASource(AIASource aiaSource)
      Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Parameters:
      aiaSource - AIASource

    • setAlertOnInvalidSignature

      void setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)
      This method allows to change the behavior on invalid signature (T/LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnInvalidSignature - defines a behaviour in case of invalid signature

    • getAlertOnInvalidSignature

      StatusAlert getAlertOnInvalidSignature()
      This method returns the defined execution behaviour on invalid signature.
      Returns:
      StatusAlert to be processed in case of an invalid signature

    • setAlertOnInvalidTimestamp

      void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)
      This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

    • getAlertOnInvalidTimestamp

      StatusAlert getAlertOnInvalidTimestamp()
      This method returns the defined execution behaviour on invalid timestamp.
      Returns:
      StatusAlert to be processed in case of an invalid timestamp

    • setAlertOnMissingRevocationData

      void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)
      This method allows to change the behavior on missing revocation data (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

    • getAlertOnMissingRevocationData

      StatusAlert getAlertOnMissingRevocationData()
      This method returns the defined execution behaviour on missing revocation data.
      Returns:
      StatusAlert to be processed in case of missing revocation data

    • setAlertOnRevokedCertificate

      void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)
      This method allows to change the behavior on revoked certificates (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

    • getAlertOnRevokedCertificate

      StatusAlert getAlertOnRevokedCertificate()
      This method returns the defined execution behaviour on revoked certificate.
      Returns:
      StatusAlert to be processed in case of revoked certificate

    • setAlertOnNoRevocationAfterBestSignatureTime

      void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)
      This method allows to change the behavior on revocation data issued after a control time. NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.
      Parameters:
      alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

    • getAlertOnNoRevocationAfterBestSignatureTime

      StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()
      This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
      Returns:
      StatusAlert to be processed in case of no revocation data after best signature time

    • setAlertOnUncoveredPOE

      void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)
      This method allows to change the behavior on uncovered POE (timestamp). NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.
      Parameters:
      alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

    • getAlertOnUncoveredPOE

      StatusAlert getAlertOnUncoveredPOE()
      This method returns the defined execution behaviour on uncovered POE (timestamp).
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • setAlertOnExpiredCertificate

      void setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)
      This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnExpiredCertificate - defines behavior in case of an expired signing-certificate

    • getAlertOnExpiredCertificate

      StatusAlert getAlertOnExpiredCertificate()
      This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation.
      Returns:
      StatusAlert to process in case of a signature with an expired certificate

    • setAlertOnNotYetValidCertificate

      void setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)
      This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      alertOnNotYetValidCertificate - defines behavior in case of a not yet valid signing-certificate

    • getAlertOnNotYetValidCertificate

      StatusAlert getAlertOnNotYetValidCertificate()
      This method returns the defined behavior on signature creation with a not yet valid signing-certificate
      Returns:
      StatusAlert to process in case of a signature with a not yet valid signing-certificate

    • setAugmentationAlertOnHigherSignatureLevel

      void setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)
      This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      augmentationAlertOnHigherSignatureLevel - defines augmentation behaviour for a signature of a higher level or a document containing a such signature.

    • getAugmentationAlertOnHigherSignatureLevel

      StatusAlert getAugmentationAlertOnHigherSignatureLevel()
      This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.
      Returns:
      StatusAlert to be processed in case of a signature of a higher level or a document containing a such signature.

    • setAugmentationAlertOnSignatureWithoutCertificates

      void setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)
      This method allows to change the augmentation behaviour for a signature without certificates. The alert is triggered when no certificate is defined within the signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      augmentationAlertOnSignatureWithoutCertificates - defines augmentation behaviour for a signature without certificates.

    • getAugmentationAlertOnSignatureWithoutCertificates

      StatusAlert getAugmentationAlertOnSignatureWithoutCertificates()
      This method returns the defined augmentation behaviour for a signature without certificates.
      Returns:
      StatusAlert to be processed in case of a signature without certificates

    • setAugmentationAlertOnSelfSignedCertificateChains

      void setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)
      This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains. The alert is triggered when all used certificates are self-signed. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Parameters:
      augmentationAlertOnSelfSignedCertificateChains - defines augmentation behaviour for a signature containing only self-signed certificate chains.

    • getAugmentationAlertOnSelfSignedCertificateChains

      StatusAlert getAugmentationAlertOnSelfSignedCertificateChains()
      This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.
      Returns:
      StatusAlert to be processed in case of a signature containing only self-signed certificate chains

    • setCheckRevocationForUntrustedChains

      void setCheckRevocationForUntrustedChains(boolean enable)
      This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)
      Parameters:
      enable - true if revocation checking is allowed for untrusted certificate chains

    • isCheckRevocationForUntrustedChains

      boolean isCheckRevocationForUntrustedChains()
      This method returns true if revocation check is enabled for untrusted certificate chains.
      Returns:
      true if external revocation check is done for untrusted certificate chains