Class RevocationDataVerifier

java.lang.Object
eu.europa.esig.dss.validation.RevocationDataVerifier

public class RevocationDataVerifier extends Object
This class is used to verify acceptance of revocation data for the subsequent validation process, whether the revocation data has been extracted from a document or obtained from an online source. The class verifies the consistency of the given revocation information and the applicability of the cryptographic constraints used to create this token. NOTE: It is not recommended to use a single instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during execution in multi-threaded environments. Please use a new RevocationDataVerifier for each CertificateVerifier.
  • Field Details

    • trustedListCertificateSource

      protected ListCertificateSource trustedListCertificateSource
      The trusted certificate source is used to accept trusted OCSPToken's certificate issuers
    • acceptableDigestAlgorithms

      protected Collection<DigestAlgorithm> acceptableDigestAlgorithms
      A collection of Digest Algorithms to accept from CRL/OCSP responders. NOTE : revocation tokens created with digest algorithms other than listed in this collection will be skipped. DEFAULT : collection of algorithms is synchronized with ETSI 119 312 V1.4.2
    • acceptableEncryptionAlgorithmKeyLength

      protected Map<EncryptionAlgorithm,Integer> acceptableEncryptionAlgorithmKeyLength
      Map of acceptable Encryption Algorithms with a corresponding minimal acceptable key length for each algorithm. NOTE : revocation tokens created with encryption algorithms other than listed in this map or with a key size smaller than defined in the map will be skipped. DEFAULT : collection of algorithms is synchronized with ETSI 119 312 V1.4.2
  • Method Details

    • createDefaultRevocationDataVerifier

      public static RevocationDataVerifier createDefaultRevocationDataVerifier()
      This method is used to instantiate a new RevocationDataVerifier, using the default validation constraints (synchronized with default validation policy).
      Returns:
      RevocationDataVerifier
    • createRevocationDataVerifierFromPolicy

      public static RevocationDataVerifier createRevocationDataVerifierFromPolicy(ValidationPolicy validationPolicy)
      This method is used to instantiate a RevocationDataVerifier from a given ValidationPolicy in order to synchronize the validation constraints at the current validation time.
      Parameters:
      validationPolicy - ValidationPolicy to be used
      Returns:
      RevocationDataVerifier
    • createRevocationDataVerifierFromPolicyWithTime

      public static RevocationDataVerifier createRevocationDataVerifierFromPolicyWithTime(ValidationPolicy validationPolicy, Date validationTime)
      This method is used to instantiate a RevocationDataVerifier from a given ValidationPolicy in order to synchronize the validation constraints with a provided validationTime.
      Parameters:
      validationPolicy - ValidationPolicy to be used
      validationTime - Date the target validation time
      Returns:
      RevocationDataVerifier
    • setAcceptableDigestAlgorithms

      public void setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> acceptableDigestAlgorithms)
      Sets a collection of Digest Algorithms for acceptance. If a revocation token is signed with an algorithm other than listed in the collection, the token will be skipped. DEFAULT : collection of algorithms is synchronized with ETSI 119 312 V1.4.2
      Parameters:
      acceptableDigestAlgorithms - a collection of DigestAlgorithms
    • setAcceptableEncryptionAlgorithmKeyLength

      public void setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm,Integer> acceptableEncryptionAlgorithmKeyLength)
      Sets a map of acceptable Encryption Algorithms and their corresponding minimal key length values. If a revocation token is signed with an algorithm other than those listed in the map, or with a smaller key size, then the token will be skipped. DEFAULT : collection of algorithms is synchronized with ETSI 119 312 V1.4.2
      Parameters:
      acceptableEncryptionAlgorithmKeyLength - a map of EncryptionAlgorithms and their corresponding minimal supported key lengths
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken)
      This method verifies the validity of the given RevocationToken using the embedded issuer certificate token
      Parameters:
      revocationToken - RevocationToken
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken)
      This method verifies the validity of the given RevocationToken
      Parameters:
      revocationToken - RevocationToken
      issuerCertificateToken - CertificateToken that issued the current revocation
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
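As an added example (not part of the DSS Javadoc or the project's own code), the following builds a RevocationDataVerifier that is stricter than the ETSI 119 312 defaults and gives every CertificateVerifier its own instance, as the class note requires. It assumes CommonCertificateVerifier.setRevocationDataVerifier and the enumeration packages named in the imports; the exact minimum key sizes are a policy choice, not values from this page.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumMap;
import java.util.Map;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.RevocationDataVerifier;

public final class StrictRevocationPolicy {

    /** Builds a verifier whose constraints are tighter than the ETSI 119 312 defaults. */
    public static RevocationDataVerifier newStrictVerifier() {
        // Start from the defaults, then narrow them: the setters replace the whole collection/map.
        RevocationDataVerifier verifier = RevocationDataVerifier.createDefaultRevocationDataVerifier();

        // Only SHA-2 digests are accepted; CRL/OCSP tokens signed over SHA-1 will be skipped.
        Collection<DigestAlgorithm> digests = Arrays.asList(
                DigestAlgorithm.SHA256, DigestAlgorithm.SHA384, DigestAlgorithm.SHA512);
        verifier.setAcceptableDigestAlgorithms(digests);

        // Minimum key length per signature algorithm (assumed policy values); tokens signed
        // with an algorithm absent from the map, or with a smaller key, will be skipped.
        Map<EncryptionAlgorithm, Integer> keyLengths = new EnumMap<>(EncryptionAlgorithm.class);
        keyLengths.put(EncryptionAlgorithm.RSA, 3072);
        keyLengths.put(EncryptionAlgorithm.ECDSA, 256);
        verifier.setAcceptableEncryptionAlgorithmKeyLength(keyLengths);
        return verifier;
    }

    /**
     * One RevocationDataVerifier per CertificateVerifier: a fresh instance is created here
     * instead of sharing a static one, avoiding the multi-threading issue noted in the class doc.
     */
    public static CertificateVerifier newCertificateVerifier() {
        CommonCertificateVerifier cv = new CommonCertificateVerifier();
        cv.setRevocationDataVerifier(newStrictVerifier()); // assumed setter on CertificateVerifier
        return cv;
    }
}
```

Each CertificateVerifier returned by newCertificateVerifier() then applies isAcceptable with these constraints to every CRL or OCSP token it collects, so weakly signed revocation data is skipped rather than used to conclude a certificate is not revoked.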