Class OCSPValidator

java.lang.Object

com.itextpdf.signatures.validation.OCSPValidator

public class OCSPValidator
extends Object

Class that allows you to validate a single OCSP response.

Field Summary

Fields

Modifier and Type	Field	Description
private static final IBouncyCastleFactory	BOUNCY_CASTLE_FACTORY
private final ValidatorChainBuilder	builder
(package private) static final String	CERT_IS_EXPIRED
(package private) static final String	CERT_IS_REVOKED
(package private) static final String	CERT_STATUS_IS_UNKNOWN
private final IssuingCertificateRetriever	certificateRetriever
(package private) static final String	FRESHNESS_CHECK
(package private) static final String	INVALID_OCSP
(package private) static final String	ISSUER_MISSING
(package private) static final String	ISSUERS_DO_NOT_MATCH
(package private) static final String	OCSP_CHECK
(package private) static final String	OCSP_COULD_NOT_BE_VERIFIED
(package private) static final String	OCSP_IS_NO_LONGER_VALID
(package private) static final String	OCSP_RESPONDER_DID_NOT_SIGN
(package private) static final String	OCSP_RESPONDER_IS_CA
(package private) static final String	OCSP_RESPONDER_NOT_RETRIEVED
(package private) static final String	OCSP_RESPONDER_NOT_VERIFIED
(package private) static final String	OCSP_RESPONDER_TRUST_NOT_RETRIEVED
(package private) static final String	OCSP_RESPONDER_TRUSTED
private final SignatureValidationProperties	properties
(package private) static final String	SERIAL_NUMBERS_DO_NOT_MATCH
(package private) static final String	UNABLE_TO_CHECK_IF_ISSUERS_MATCH
(package private) static final String	UNABLE_TO_RETRIEVE_ISSUER

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	OCSPValidator(ValidatorChainBuilder builder)	Creates new OCSPValidator instance.

Method Summary

Modifier and Type	Method	Description
private static void	addResponderValidationReport(ValidationReport report, ValidationReport responderReport)
private Date	getArchiveCutoffExtension(IBasicOCSPResp ocspResp)
void	validate(ValidationReport report, ValidationContext context, X509Certificate certificate, ISingleResp singleResp, IBasicOCSPResp ocspResp, Date validationDate, Date responseGenerationDate)	Validates a certificate against single OCSP Response.
private void	verifyOcspResponder(ValidationReport report, ValidationContext context, IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date responseGenerationDate)	Verifies if an OCSP response is genuine.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

CERT_IS_EXPIRED

static final String CERT_IS_EXPIRED

See Also:

• Constant Field Values

CERT_IS_REVOKED

static final String CERT_IS_REVOKED

See Also:

• Constant Field Values

CERT_STATUS_IS_UNKNOWN

static final String CERT_STATUS_IS_UNKNOWN

See Also:

• Constant Field Values

INVALID_OCSP

static final String INVALID_OCSP

See Also:

• Constant Field Values

ISSUERS_DO_NOT_MATCH

static final String ISSUERS_DO_NOT_MATCH

See Also:

• Constant Field Values

ISSUER_MISSING

static final String ISSUER_MISSING

See Also:

• Constant Field Values

FRESHNESS_CHECK

static final String FRESHNESS_CHECK

See Also:

• Constant Field Values

OCSP_COULD_NOT_BE_VERIFIED

static final String OCSP_COULD_NOT_BE_VERIFIED

See Also:

• Constant Field Values

OCSP_RESPONDER_NOT_RETRIEVED

static final String OCSP_RESPONDER_NOT_RETRIEVED

See Also:

• Constant Field Values

OCSP_RESPONDER_NOT_VERIFIED

static final String OCSP_RESPONDER_NOT_VERIFIED

See Also:

• Constant Field Values

OCSP_RESPONDER_DID_NOT_SIGN

static final String OCSP_RESPONDER_DID_NOT_SIGN

See Also:

• Constant Field Values

OCSP_RESPONDER_TRUST_NOT_RETRIEVED

static final String OCSP_RESPONDER_TRUST_NOT_RETRIEVED

See Also:

• Constant Field Values

OCSP_RESPONDER_TRUSTED

static final String OCSP_RESPONDER_TRUSTED

See Also:

• Constant Field Values

OCSP_RESPONDER_IS_CA

static final String OCSP_RESPONDER_IS_CA

See Also:

• Constant Field Values

OCSP_IS_NO_LONGER_VALID

static final String OCSP_IS_NO_LONGER_VALID

See Also:

• Constant Field Values

SERIAL_NUMBERS_DO_NOT_MATCH

static final String SERIAL_NUMBERS_DO_NOT_MATCH

See Also:

• Constant Field Values

UNABLE_TO_CHECK_IF_ISSUERS_MATCH

static final String UNABLE_TO_CHECK_IF_ISSUERS_MATCH

See Also:

• Constant Field Values

UNABLE_TO_RETRIEVE_ISSUER

static final String UNABLE_TO_RETRIEVE_ISSUER

See Also:

• Constant Field Values

OCSP_CHECK

static final String OCSP_CHECK

See Also:

• Constant Field Values

BOUNCY_CASTLE_FACTORY

private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY

certificateRetriever

private final IssuingCertificateRetriever certificateRetriever

properties

private final SignatureValidationProperties properties

builder

private final ValidatorChainBuilder builder

Constructor Details

OCSPValidator

protected OCSPValidator(ValidatorChainBuilder builder)

Creates new OCSPValidator instance.

Parameters:

builder - See ValidatorChainBuilder

Method Details

validate

public void validate(ValidationReport report,
 ValidationContext context,
 X509Certificate certificate,
 ISingleResp singleResp,
 IBasicOCSPResp ocspResp,
 Date validationDate,
 Date responseGenerationDate)

Validates a certificate against single OCSP Response.

Parameters:

report - to store all the chain verification results

context - the context in which to perform the validation

certificate - the certificate to check for

singleResp - single response to check

ocspResp - basic OCSP response which contains single response to check

validationDate - validation date to check for

responseGenerationDate - trusted date at which response is generated

verifyOcspResponder

private void verifyOcspResponder(ValidationReport report,
 ValidationContext context,
 IBasicOCSPResp ocspResp,
 X509Certificate issuerCert,
 Date responseGenerationDate)

Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.

Parameters:

report - to store all the chain verification results

context - the context in which to perform the validation

ocspResp - IBasicOCSPResp the OCSP response wrapper

issuerCert - the issuer of the certificate for which the OCSP is checked

addResponderValidationReport

private static void addResponderValidationReport(ValidationReport report,
 ValidationReport responderReport)

getArchiveCutoffExtension

private Date getArchiveCutoffExtension(IBasicOCSPResp ocspResp)