lv.pasts.eme.cert

Class CertValidator

java.lang.Object

lv.pasts.eme.cert.CertValidator

public final class CertValidator
extends Object

CertValidator class provides service to validate certificate chains.

Constructor Summary

Constructors

Constructor and Description
CertValidator(TrustStore trustStore)

Method Summary

Modifier and Type	Method and Description
static void	checkValidity(X509Certificate cert, Date validationDate)
static CertValidatorResult.OCSPResult	getOCSPResult(LinkedHashMap<BigInteger,X509Certificate> certificateMap, String responderURL) Requests the OCSP responder the status of the given certificates.
static X509Certificate	parse(byte[] data) Generates X509Certificate from the given data.
static X509Certificate	parseWithBouncyCastleProvider(byte[] data)
void	setTargetCertCrlEnabled(boolean targetCertCrlEnabled)
void	setTrustedListAsPrimarySource(boolean trustedListAsPrimarySource)
CertValidatorResult	validateCertificatePath(CertPath certPath, Date validationDate, boolean crlEnabled, boolean ocspEnabled)
CertValidatorResult	validateCertificatePath(CertPath certPath, Date validationDate, boolean crlEnabled, OCSPClient ocspClient)
CertValidatorResult	validateCertificatePath(CertPath certPath, Date validationDate, List<byte[]> crlData, List<byte[]> ocspData) OFFLINE validation.
static CertValidatorResult	validateCertPath(CertPath certPath, Date validationDate, boolean crlEnabled, boolean ocspEnabled) Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, boolean, boolean)
static CertValidatorResult	validateCertPath(CertPath certPath, Date validationDate, boolean crlEnabled, OCSPClient ocspClient) Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, boolean, OCSPClient)
static CertValidatorResult	validateCertPath(CertPath certPath, Date validationDate, Collection<X509CRL> crls) Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, List, List)
CertValidatorResult.CRLResult	validateCertStatusUsingCRL(X509Certificate cert, Date validationDate)
static CertValidatorResult.OCSPResult	validateCertStatusUsingOCSP(BigInteger serialNumber, String issuerSubject, String issuerSubjectKeyIdentifier, Date validationDate, String responderURL) Validates certificate status using OCSP responder service.
static CertValidatorResult.OCSPResult	validateCertStatusUsingOCSP(X509Certificate cert, Date validationDate) Validates certificate status using OCSP responder service.
static CertValidatorResult.OCSPResult	validateCertStatusUsingOCSP(X509Certificate cert, Date validationDate, boolean useResultCache) Validates certificate status using OCSP responder service.
static CertValidatorResult.OCSPResult	validateCertStatusUsingOCSP(X509Certificate cert, Date validationDate, OCSPClient ocspClient) Validates certificate status using OCSP responder service.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertValidator

public CertValidator(TrustStore trustStore)

Method Detail

setTargetCertCrlEnabled

public void setTargetCertCrlEnabled(boolean targetCertCrlEnabled)

setTrustedListAsPrimarySource

public void setTrustedListAsPrimarySource(boolean trustedListAsPrimarySource)

validateCertPath

@Deprecated
public static CertValidatorResult validateCertPath(CertPath certPath,
                                                                Date validationDate,
                                                                Collection<X509CRL> crls)
                                                         throws CertValidatorException

Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, List, List)

Validates the given certificate chain using the given validation date. Certificate chain MUST be ordered starting with the target certificate and ending with a certificate issued by the trust anchor.

This method uses the following EDOC configuration properties:

• crl.local.dir - absolute pathname of the local CRL directory.

Parameters:

certPath - the certification path.

validationDate - validation date.

crls - revocation data

Returns:

the result of the validation process.

Throws:

CertValidatorException - if certification path cannot be validated.

validateCertPath

@Deprecated
public static CertValidatorResult validateCertPath(CertPath certPath,
                                                                Date validationDate,
                                                                boolean crlEnabled,
                                                                boolean ocspEnabled)
                                                         throws CertValidatorException

Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, boolean, boolean)

Validates the given certificate chain using the given validation date. Certificate chain MUST be ordered starting with the target certificate and ending with a certificate issued by the trust anchor.

This method uses the following EDOC configuration properties:

• crl.local.dir - absolute pathname of the local CRL directory.

Parameters:

certPath - the certification path.

validationDate - validation date.

crlEnabled - true if CRL checking is enabled.

ocspEnabled - true if OCSP checking is enabled.

Returns:

the result of the validation process.

Throws:

CertValidatorException - if certification path cannot be validated.

validateCertificatePath

public CertValidatorResult validateCertificatePath(CertPath certPath,
                                                   Date validationDate,
                                                   boolean crlEnabled,
                                                   boolean ocspEnabled)
                                            throws CertValidatorException

Throws:

CertValidatorException

validateCertPath

@Deprecated
public static CertValidatorResult validateCertPath(CertPath certPath,
                                                                Date validationDate,
                                                                boolean crlEnabled,
                                                                OCSPClient ocspClient)
                                                         throws CertValidatorException

Deprecated. as of 2016-01-26 use validateCertificatePath(CertPath, Date, boolean, OCSPClient)

Validates the given certificate chain using the given validation date. Certificate chain MUST be ordered starting with the target certificate and ending with a certificate issued by the trust anchor.

Parameters:

certPath - the certification path.

validationDate - validation date.

crlEnabled - true if CRL checking is enabled.

ocspClient - OCSPClient used to obtain OCSP responses.

Returns:

the result of the validation process.

Throws:

CertValidatorException - if certification path cannot be validated.

validateCertificatePath

public CertValidatorResult validateCertificatePath(CertPath certPath,
                                                   Date validationDate,
                                                   boolean crlEnabled,
                                                   OCSPClient ocspClient)
                                            throws CertValidatorException

Throws:

CertValidatorException

validateCertificatePath

public CertValidatorResult validateCertificatePath(CertPath certPath,
                                                   Date validationDate,
                                                   List<byte[]> crlData,
                                                   List<byte[]> ocspData)
                                            throws CertValidatorException

OFFLINE validation.

Parameters:

certPath - the certification path.

validationDate - validation date.

crlData - CRL data, or null if CRL disabled.

ocspData - OCSP data, or null if OCSP disabled.

Returns:

the result of the validation process.

Throws:

CertValidatorException - if certification path cannot be validated.

validateCertStatusUsingOCSP

public static CertValidatorResult.OCSPResult validateCertStatusUsingOCSP(BigInteger serialNumber,
                                                                         String issuerSubject,
                                                                         String issuerSubjectKeyIdentifier,
                                                                         Date validationDate,
                                                                         String responderURL)
                                                                  throws CertValidatorException

Validates certificate status using OCSP responder service. Certificate and certification path integrity is not validated.

Parameters:

serialNumber - serial number of the certificate.

issuerSubject - subject name of the certificate issuer.

The subject name must be specified using the grammar defined in RFC 1779 or RFC 2253 (either format is acceptable), e.g. "CN=VAS Latvijas Pasts SI(CA1), OU=Sertifikacijas pakalpojumi, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, C=LV".

issuerSubjectKeyIdentifier - subject key identifier of the certificate issuer.

The subject key identifier must be specified as hexadecimal string of the DER encoded value (excluding tag and length) of the subject public key field in the certificate, e.g. "2c3e036e9239e283072795b10feffe633a6a9017".

validationDate - validation date.

responderURL - a URL that identifies the location of the OCSP responder.

Returns:

the result of the OCSP request.

Throws:

CertValidatorException - if certification path cannot be validated.

Since:

1.4.0

validateCertStatusUsingOCSP

public static CertValidatorResult.OCSPResult validateCertStatusUsingOCSP(X509Certificate cert,
                                                                         Date validationDate)
                                                                  throws CertValidatorException

Validates certificate status using OCSP responder service. Certificate and certification path integrity is not validated.

Parameters:

cert - the certificate.

validationDate - validation date.

Returns:

the result of the OCSP request.

Throws:

CertValidatorException - if certification path cannot be validated.

Since:

1.4.0

validateCertStatusUsingOCSP

public static CertValidatorResult.OCSPResult validateCertStatusUsingOCSP(X509Certificate cert,
                                                                         Date validationDate,
                                                                         boolean useResultCache)
                                                                  throws CertValidatorException

Validates certificate status using OCSP responder service. Certificate and certification path integrity is not validated.

Parameters:

cert - the certificate.

validationDate - validation date.

useResultCache - true if to use the OCSP result cache.

Returns:

the result of the OCSP request.

Throws:

CertValidatorException - if certification path cannot be validated.

Since:

1.4.4

validateCertStatusUsingOCSP

public static CertValidatorResult.OCSPResult validateCertStatusUsingOCSP(X509Certificate cert,
                                                                         Date validationDate,
                                                                         OCSPClient ocspClient)
                                                                  throws CertValidatorException

Validates certificate status using OCSP responder service. Certificate and certification path integrity is not validated.

Parameters:

cert - the certificate.

validationDate - validation date.

ocspClient - OCSPClient used to obtain OCSP responses.

Returns:

the result of the OCSP request.

Throws:

CertValidatorException - if certification path cannot be validated.

getOCSPResult

public static CertValidatorResult.OCSPResult getOCSPResult(LinkedHashMap<BigInteger,X509Certificate> certificateMap,
                                                           String responderURL)
                                                    throws CertValidatorException

Requests the OCSP responder the status of the given certificates. Revocation status of the given certificates is not checked.

Parameters:

certificateMap - map containing certificate identifiers.

responderURL - a URL that identifies the location of the OCSP responder.

Returns:

the result of the OCSP request.

Throws:

CertValidatorException - if OCSP request cannot be processed.

Since:

1.4.0

validateCertStatusUsingCRL

public CertValidatorResult.CRLResult validateCertStatusUsingCRL(X509Certificate cert,
                                                                Date validationDate)
                                                         throws CertValidatorException

Throws:

CertValidatorException

parse

public static X509Certificate parse(byte[] data)
                             throws CertificateException

Generates X509Certificate from the given data.

Parameters:

data - the certificate data.

Returns:

the generated certificate.

Throws:

CertificateException - if certificate can not be parsed.

Since:

1.4.3

parseWithBouncyCastleProvider

public static X509Certificate parseWithBouncyCastleProvider(byte[] data)
                                                     throws CertificateException

Throws:

CertificateException

checkValidity

public static void checkValidity(X509Certificate cert,
                                 Date validationDate)
                          throws CertValidatorException

Throws:

CertValidatorException