Package eu.europa.esig.dss.spi.validation

Class CommonCertificateVerifier

java.lang.Object
eu.europa.esig.dss.spi.validation.CommonCertificateVerifier
All Implemented Interfaces:
CertificateVerifier
public class CommonCertificateVerifier extends Object implements CertificateVerifier
This class provides the different sources used to verify the status of a certificate using the trust model. There are four different types of sources to be defined:
- Trusted certificates source;
- Adjunct certificates source (not trusted);
- OCSP source;
- CRL source;
- AIA source to give access to the certificates through AIA.

  • Constructor Details

    • CommonCertificateVerifier

      public CommonCertificateVerifier()
      The default constructor. The DataLoader is created to allow the retrieval of certificates through AIA.

    • CommonCertificateVerifier

      public CommonCertificateVerifier(boolean simpleCreationOnly)
      This constructor allows creating of CommonCertificateVerifier without DataLoader. It means that only a -B profile signature can be created.
      Parameters:
      simpleCreationOnly - if true the CommonCertificateVerifier will not contain AIASource.

  • Method Details

    • getCrlSource

      public RevocationSource<CRL> getCrlSource()
      Description copied from interface: CertificateVerifier
      Returns the CRL source associated with this verifier.
      Specified by:
      getCrlSource in interface CertificateVerifier
      Returns:
      the used CRL source for external access (web, filesystem, cached,...)

    • setCrlSource

      public void setCrlSource(RevocationSource<CRL> crlSource)
      Description copied from interface: CertificateVerifier
      Defines the source of CRL used by this class
      Specified by:
      setCrlSource in interface CertificateVerifier
      Parameters:
      crlSource - the CRL source to set for external access (web, filesystem, cached,...)

    • getOcspSource

      public RevocationSource<OCSP> getOcspSource()
      Description copied from interface: CertificateVerifier
      Returns the OCSP source associated with this verifier.
      Specified by:
      getOcspSource in interface CertificateVerifier
      Returns:
      the used OCSP source for external access (web, filesystem, cached,...)

    • setOcspSource

      public void setOcspSource(RevocationSource<OCSP> ocspSource)
      Description copied from interface: CertificateVerifier
      Defines the source of OCSP used by this class
      Specified by:
      setOcspSource in interface CertificateVerifier
      Parameters:
      ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

    • getRevocationDataLoadingStrategyFactory

      public RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()
      Description copied from interface: CertificateVerifier
      Returns a factory used to create revocation data loading strategy associated with this verifier.
      Specified by:
      getRevocationDataLoadingStrategyFactory in interface CertificateVerifier
      Returns:
      creates the defined strategy to fetch OCSP or CRL for certificate validation

    • setRevocationDataLoadingStrategyFactory

      public void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)
      Description copied from interface: CertificateVerifier
      Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after
      Specified by:
      setRevocationDataLoadingStrategyFactory in interface CertificateVerifier
      Parameters:
      revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

    • getRevocationDataVerifier

      public RevocationDataVerifier getRevocationDataVerifier()
      Description copied from interface: CertificateVerifier
      Returns a RevocationDataVerifier associated with this verifier.
      Specified by:
      getRevocationDataVerifier in interface CertificateVerifier
      Returns:
      RevocationDataVerifier

    • setRevocationDataVerifier

      public void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)
      Description copied from interface: CertificateVerifier
      Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

      NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

      Specified by:
      setRevocationDataVerifier in interface CertificateVerifier
      Parameters:
      revocationDataVerifier - RevocationDataVerifier

    • isRevocationFallback

      public boolean isRevocationFallback()
      Description copied from interface: CertificateVerifier
      Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
      Specified by:
      isRevocationFallback in interface CertificateVerifier
      Returns:
      revocation fallback

    • setRevocationFallback

      public void setRevocationFallback(boolean revocationFallback)
      Description copied from interface: CertificateVerifier
      Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

      NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

      Specified by:
      setRevocationFallback in interface CertificateVerifier
      Parameters:
      revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

    • getTimestampTokenVerifier

      public TimestampTokenVerifier getTimestampTokenVerifier()
      Description copied from interface: CertificateVerifier
      Returns a TimestampTokenVerifier associated with this verifier.
      Specified by:
      getTimestampTokenVerifier in interface CertificateVerifier
      Returns:
      TimestampTokenVerifier

    • setTimestampTokenVerifier

      public void setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)
      Description copied from interface: CertificateVerifier
      Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.

      NOTE: This object is not synchronized by default with the used XML Validation Policy. Please configure the object yourself in case a customized behavior is expected for acceptance of timestamp tokens.

      Specified by:
      setTimestampTokenVerifier in interface CertificateVerifier
      Parameters:
      timestampTokenVerifier - TimestampTokenVerifier

    • getTrustAnchorVerifier

      public TrustAnchorVerifier getTrustAnchorVerifier()
      Description copied from interface: CertificateVerifier
      Returns a TrustAnchorVerifier associated with this verifier.
      Specified by:
      getTrustAnchorVerifier in interface CertificateVerifier
      Returns:
      TrustAnchorVerifier

    • setTrustAnchorVerifier

      public void setTrustAnchorVerifier(TrustAnchorVerifier trustAnchorVerifier)
      Description copied from interface: CertificateVerifier
      Sets TrustAnchorVerifier used to validate acceptance of the trust anchors

      NOTE: This object is not synchronized by default with the used XML Validation Policy. The trusted certificate source set within CertificateVerifier is synchronized automatically unless explicitly defined within TrustAnchorVerifier. Please configure the object yourself in case a customized behavior is expected for acceptance of trust anchors.

      Specified by:
      setTrustAnchorVerifier in interface CertificateVerifier
      Parameters:
      trustAnchorVerifier - TrustAnchorVerifier

    • getTrustedCertSources

      public ListCertificateSource getTrustedCertSources()
      Description copied from interface: CertificateVerifier
      Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.
      Specified by:
      getTrustedCertSources in interface CertificateVerifier
      Returns:
      the certificate sources which contain trusted certificates

    • setTrustedCertSources

      public void setTrustedCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Sets multiple trusted certificate sources.
      Specified by:
      setTrustedCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • addTrustedCertSources

      public void addTrustedCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Adds trusted certificate sources to an existing list of trusted certificate sources
      Specified by:
      addTrustedCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with known trusted certificates

    • setTrustedCertSources

      public void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)
      Description copied from interface: CertificateVerifier
      Sets a list of trusted certificate sources
      Specified by:
      setTrustedCertSources in interface CertificateVerifier
      Parameters:
      trustedListCertificateSource - ListCertificateSource of trusted cert sources

    • getAdjunctCertSources

      public ListCertificateSource getAdjunctCertSources()
      Description copied from interface: CertificateVerifier
      Returns the list of adjunct certificate sources assigned to this verifier.
      Specified by:
      getAdjunctCertSources in interface CertificateVerifier
      Returns:
      the certificate source which contains additional certificate (missing CA,...)

    • setAdjunctCertSources

      public void setAdjunctCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Sets multiple adjunct certificate sources.
      Specified by:
      setAdjunctCertSources in interface CertificateVerifier
      Parameters:
      certSources - the certificate sources with additional and/or missing certificates

    • addAdjunctCertSources

      public void addAdjunctCertSources(CertificateSource... certSources)
      Description copied from interface: CertificateVerifier
      Adds adjunct certificate sources to an existing list of adjunct certificate sources
      Specified by:
      addAdjunctCertSources in interface CertificateVerifier
      Parameters:
      certSources - The certificate sources with additional certificates

    • setAdjunctCertSources

      public void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)
      Description copied from interface: CertificateVerifier
      Sets a list of adjunct certificate sources
      Specified by:
      setAdjunctCertSources in interface CertificateVerifier
      Parameters:
      adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

    • getAIASource

      public AIASource getAIASource()
      Description copied from interface: CertificateVerifier
      Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Specified by:
      getAIASource in interface CertificateVerifier
      Returns:
      aiaSource AIASource

    • setAIASource

      public void setAIASource(AIASource aiaSource)
      Description copied from interface: CertificateVerifier
      Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
      Specified by:
      setAIASource in interface CertificateVerifier
      Parameters:
      aiaSource - AIASource

    • getAlertOnInvalidSignature

      public StatusAlert getAlertOnInvalidSignature()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on invalid signature.
      Specified by:
      getAlertOnInvalidSignature in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of an invalid signature

    • setAlertOnInvalidSignature

      public void setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on invalid signature (T/LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnInvalidSignature in interface CertificateVerifier
      Parameters:
      alertOnInvalidSignature - defines a behaviour in case of invalid signature

    • getAlertOnInvalidTimestamp

      public StatusAlert getAlertOnInvalidTimestamp()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on invalid timestamp.
      Specified by:
      getAlertOnInvalidTimestamp in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of an invalid timestamp

    • setAlertOnInvalidTimestamp

      public void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnInvalidTimestamp in interface CertificateVerifier
      Parameters:
      alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

    • getAlertOnMissingRevocationData

      public StatusAlert getAlertOnMissingRevocationData()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on missing revocation data.
      Specified by:
      getAlertOnMissingRevocationData in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of missing revocation data

    • setAlertOnMissingRevocationData

      public void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on missing revocation data (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnMissingRevocationData in interface CertificateVerifier
      Parameters:
      alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

    • getAlertOnUncoveredPOE

      public StatusAlert getAlertOnUncoveredPOE()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on uncovered POE (timestamp).
      Specified by:
      getAlertOnUncoveredPOE in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of uncovered POE

    • setAlertOnUncoveredPOE

      public void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on uncovered POE (timestamp). NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.
      Specified by:
      setAlertOnUncoveredPOE in interface CertificateVerifier
      Parameters:
      alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

    • getAlertOnRevokedCertificate

      public StatusAlert getAlertOnRevokedCertificate()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour on revoked certificate.
      Specified by:
      getAlertOnRevokedCertificate in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of revoked certificate

    • setAlertOnRevokedCertificate

      public void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on revoked certificates (LT/LTA augmentation). NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnRevokedCertificate in interface CertificateVerifier
      Parameters:
      alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

    • getAlertOnNoRevocationAfterBestSignatureTime

      public StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()
      Description copied from interface: CertificateVerifier
      This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
      Specified by:
      getAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of no revocation data after best signature time

    • setAlertOnNoRevocationAfterBestSignatureTime

      public void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)
      Description copied from interface: CertificateVerifier
      This method allows to change the behavior on revocation data issued after a control time. NULL value provides a possibility to skip check execution. Default : LogOnStatusAlert - log a warning.
      Specified by:
      setAlertOnNoRevocationAfterBestSignatureTime in interface CertificateVerifier
      Parameters:
      alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

    • getAlertOnExpiredCertificate

      public StatusAlert getAlertOnExpiredCertificate()
      Description copied from interface: CertificateVerifier
      This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation.
      Specified by:
      getAlertOnExpiredCertificate in interface CertificateVerifier
      Returns:
      StatusAlert to process in case of a signature with an expired certificate

    • setAlertOnExpiredCertificate

      public void setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)
      Description copied from interface: CertificateVerifier
      This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnExpiredCertificate in interface CertificateVerifier
      Parameters:
      alertOnExpiredCertificate - defines behavior in case of an expired signing-certificate

    • getAlertOnNotYetValidCertificate

      public StatusAlert getAlertOnNotYetValidCertificate()
      Description copied from interface: CertificateVerifier
      This method returns the defined behavior on signature creation with a not yet valid signing-certificate
      Specified by:
      getAlertOnNotYetValidCertificate in interface CertificateVerifier
      Returns:
      StatusAlert to process in case of a signature with a not yet valid signing-certificate

    • setAlertOnNotYetValidCertificate

      public void setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)
      Description copied from interface: CertificateVerifier
      This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAlertOnNotYetValidCertificate in interface CertificateVerifier
      Parameters:
      alertOnNotYetValidCertificate - defines behavior in case of a not yet valid signing-certificate

    • getAugmentationAlertOnHigherSignatureLevel

      public StatusAlert getAugmentationAlertOnHigherSignatureLevel()
      Description copied from interface: CertificateVerifier
      This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.
      Specified by:
      getAugmentationAlertOnHigherSignatureLevel in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of a signature of a higher level or a document containing a such signature.

    • setAugmentationAlertOnHigherSignatureLevel

      public void setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)
      Description copied from interface: CertificateVerifier
      This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAugmentationAlertOnHigherSignatureLevel in interface CertificateVerifier
      Parameters:
      augmentationAlertOnHigherSignatureLevel - defines augmentation behaviour for a signature of a higher level or a document containing a such signature.

    • getAugmentationAlertOnSignatureWithoutCertificates

      public StatusAlert getAugmentationAlertOnSignatureWithoutCertificates()
      Description copied from interface: CertificateVerifier
      This method returns the defined augmentation behaviour for a signature without certificates.
      Specified by:
      getAugmentationAlertOnSignatureWithoutCertificates in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of a signature without certificates

    • setAugmentationAlertOnSignatureWithoutCertificates

      public void setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)
      Description copied from interface: CertificateVerifier
      This method allows to change the augmentation behaviour for a signature without certificates. The alert is triggered when no certificate is defined within the signature. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAugmentationAlertOnSignatureWithoutCertificates in interface CertificateVerifier
      Parameters:
      augmentationAlertOnSignatureWithoutCertificates - defines augmentation behaviour for a signature without certificates.

    • getAugmentationAlertOnSelfSignedCertificateChains

      public StatusAlert getAugmentationAlertOnSelfSignedCertificateChains()
      Description copied from interface: CertificateVerifier
      This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.
      Specified by:
      getAugmentationAlertOnSelfSignedCertificateChains in interface CertificateVerifier
      Returns:
      StatusAlert to be processed in case of a signature containing only self-signed certificate chains

    • setAugmentationAlertOnSelfSignedCertificateChains

      public void setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)
      Description copied from interface: CertificateVerifier
      This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains. The alert is triggered when all used certificates are self-signed. NULL value provides a possibility to skip check execution. Default : ExceptionOnStatusAlert - throw an exception.
      Specified by:
      setAugmentationAlertOnSelfSignedCertificateChains in interface CertificateVerifier
      Parameters:
      augmentationAlertOnSelfSignedCertificateChains - defines augmentation behaviour for a signature containing only self-signed certificate chains.

    • isCheckRevocationForUntrustedChains

      public boolean isCheckRevocationForUntrustedChains()
      Description copied from interface: CertificateVerifier
      This method returns true if revocation check is enabled for untrusted certificate chains.
      Specified by:
      isCheckRevocationForUntrustedChains in interface CertificateVerifier
      Returns:
      true if external revocation check is done for untrusted certificate chains

    • setCheckRevocationForUntrustedChains

      public void setCheckRevocationForUntrustedChains(boolean checkRevocationForUntrustedChains)
      Description copied from interface: CertificateVerifier
      This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)
      Specified by:
      setCheckRevocationForUntrustedChains in interface CertificateVerifier
      Parameters:
      checkRevocationForUntrustedChains - true if revocation checking is allowed for untrusted certificate chains