Class CRLVerifier


  • public final class CRLVerifier
    extends java.lang.Object
    Copied from Apache CXF 2.4.9, initial version: https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.9/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private static org.apache.commons.logging.Log LOG  
    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private CRLVerifier()  
    • Method Summary

      Modifier and Type Method Description
      static void checkRevocation(java.security.cert.X509CRL crl, java.security.cert.X509Certificate cert, java.util.Date signDate, java.lang.String crlDistributionPointsURL)
      Check whether the certificate was revoked at signing time.
      private static java.security.cert.X509CRL downloadCRL(java.lang.String crlURL)
      Downloads a CRL from the given URL.
      private static java.security.cert.X509CRL downloadCRLFromLDAP(java.lang.String ldapURL)
      Downloads a CRL from the given LDAP URL, e.g.
      static java.security.cert.X509CRL downloadCRLFromWeb(java.lang.String crlURL)
      Downloads a CRL from the given HTTP/HTTPS/FTP URL, e.g.
      static java.util.List<java.lang.String> getCrlDistributionPoints(java.security.cert.X509Certificate cert)
      Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension in an X.509 certificate.
      static void verifyCertificateCRLs(java.security.cert.X509Certificate cert, java.util.Date signDate, java.util.Set<java.security.cert.X509Certificate> additionalCerts)
      Extracts the CRL distribution points from the certificate (if available) and checks the certificate revocation status against the CRLs coming from the distribution points.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOG

        private static final org.apache.commons.logging.Log LOG
    • Constructor Detail

      • CRLVerifier

        private CRLVerifier()
    • Method Detail

      • verifyCertificateCRLs

        public static void verifyCertificateCRLs(java.security.cert.X509Certificate cert,
                                                 java.util.Date signDate,
                                                 java.util.Set<java.security.cert.X509Certificate> additionalCerts)
                                          throws CertificateVerificationException,
                                                 RevokedCertificateException
        Extracts the CRL distribution points from the certificate (if available) and checks the certificate revocation status against the CRLs coming from the distribution points. Supports HTTP, HTTPS, FTP and LDAP based URLs.
        Parameters:
        cert - the certificate to be checked for revocation
        signDate - the date when the signing took place
        additionalCerts - the set of trusted root CA certificates to be used as "trust anchors", together with any intermediate CA certificates needed to build the certification chain.
        Throws:
        CertificateVerificationException - if the certificate could not be verified
        RevokedCertificateException - if the certificate is revoked
      • checkRevocation

        public static void checkRevocation(java.security.cert.X509CRL crl,
                                           java.security.cert.X509Certificate cert,
                                           java.util.Date signDate,
                                           java.lang.String crlDistributionPointsURL)
                                    throws RevokedCertificateException
        Check whether the certificate was revoked at signing time.
        Parameters:
        crl - certificate revocation list
        cert - certificate to be checked
        signDate - date the certificate was used for signing
        crlDistributionPointsURL - the URL of the distribution point, used only in log messages and exception text
        Throws:
        RevokedCertificateException - if the certificate was revoked at signing time
      • downloadCRL

        private static java.security.cert.X509CRL downloadCRL(java.lang.String crlURL)
                                                       throws java.io.IOException,
                                                              java.security.cert.CertificateException,
                                                              java.security.cert.CRLException,
                                                              CertificateVerificationException,
                                                              javax.naming.NamingException,
                                                              java.net.URISyntaxException
        Downloads a CRL from the given URL. Supports http, https, ftp and ldap based URLs.
        Throws:
        java.io.IOException
        java.security.cert.CertificateException
        java.security.cert.CRLException
        CertificateVerificationException
        javax.naming.NamingException
        java.net.URISyntaxException
      • downloadCRLFromLDAP

        private static java.security.cert.X509CRL downloadCRLFromLDAP(java.lang.String ldapURL)
                                                               throws java.security.cert.CertificateException,
                                                                      javax.naming.NamingException,
                                                                      java.security.cert.CRLException,
                                                                      CertificateVerificationException
        Downloads a CRL from the given LDAP URL, e.g. ldap://ldap.infonotary.com/dc=identity-ca,dc=infonotary,dc=com
        Throws:
        java.security.cert.CertificateException
        javax.naming.NamingException
        java.security.cert.CRLException
        CertificateVerificationException
      • downloadCRLFromWeb

        public static java.security.cert.X509CRL downloadCRLFromWeb(java.lang.String crlURL)
                                                             throws java.io.IOException,
                                                                    java.security.cert.CertificateException,
                                                                    java.security.cert.CRLException,
                                                                    java.net.URISyntaxException
        Downloads a CRL from the given HTTP/HTTPS/FTP URL, e.g. http://crl.infonotary.com/crl/identity-ca.crl
        Throws:
        java.io.IOException
        java.security.cert.CertificateException
        java.security.cert.CRLException
        java.net.URISyntaxException
      • getCrlDistributionPoints

        public static java.util.List<java.lang.String> getCrlDistributionPoints(java.security.cert.X509Certificate cert)
                                                                         throws java.io.IOException
        Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension in an X.509 certificate. If the certificate carries no CRL distribution point extension, returns an empty list.
        Parameters:
        cert -
        Returns:
        List of CRL distribution point URLs.
        Throws:
        java.io.IOException
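An added example, not the CRLVerifier source documented above: it makes the same signing-time decision that checkRevocation() describes (revoked at or before signDate fails, revoked afterwards passes) and puts in front of it the CRL sanity checks a verifier should make before trusting a downloaded list, namely issuer match, CRL signature and nextUpdate. It uses only java.security.cert; the class name CrlCheckExample, the command-line file arguments and the stricter key-compromise rule are my assumptions, not the project's.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

public final class CrlCheckExample {

    // A CRL is only evidence if it names the certificate's issuer, is signed with that
    // issuer's key, and is not past nextUpdate (a stale list misses recent revocations).
    static void requireTrustworthyCrl(X509CRL crl, X509Certificate cert, X509Certificate issuer, Date now)
            throws GeneralSecurityException {
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new CRLException("CRL issuer does not match the certificate issuer");
        }
        crl.verify(issuer.getPublicKey()); // SignatureException if forged or tampered with
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
            throw new CRLException("CRL expired at " + crl.getNextUpdate() + "; download a fresh one");
        }
    }

    // Same decision as checkRevocation() on the page. Added stricter policy (assumption): a
    // keyCompromise entry fails regardless of date, since misuse may predate the CA's record.
    static void checkRevocation(X509CRL crl, X509Certificate cert, Date signDate) throws CertificateException {
        X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry == null) return; // serial not listed: not revoked according to this CRL
        Date revokedAt = entry.getRevocationDate();
        if (entry.getRevocationReason() == CRLReason.KEY_COMPROMISE) {
            throw new CertificateException("key compromise recorded at " + revokedAt);
        }
        if (!revokedAt.after(signDate)) {
            throw new CertificateException("revoked at " + revokedAt + ", before signing at " + signDate);
        }
        // Revoked only after signDate: the signature was made while the certificate was still valid.
    }

    // Usage: java CrlCheckExample signer.cer issuer.cer issuer.crl (DER or PEM)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new FileInputStream(args[0]));
        X509Certificate issuer = (X509Certificate) cf.generateCertificate(new FileInputStream(args[1]));
        X509CRL crl = (X509CRL) cf.generateCRL(new FileInputStream(args[2]));
        Date signDate = new Date(); // assumed: the signature is being made now
        requireTrustworthyCrl(crl, cert, issuer, signDate);
        checkRevocation(crl, cert, signDate);
        System.out.println("not revoked at " + signDate);
    }
}
```

For a signature made in the past, pass the recorded signing time as signDate and keep the freshness check against the current clock, as the page's verifyCertificateCRLs() does when it downloads the current CRL.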