java.lang.Object
- org.apache.pdfbox.examples.signature.cert.CertificateVerifier

```
public final class CertificateVerifier
extends java.lang.Object
```
Copied from Apache CXF 2.4.9, initial version: https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.9/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/

Field Summary

Fields
Modifier and Type Field Description

private static org.apache.commons.logging.Log LOG

Constructor Summary

Constructors
Modifier Constructor Description

private CertificateVerifier()

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method	Description
`private static void`	`checkRevocations(java.security.cert.X509Certificate cert, java.util.Set<java.security.cert.X509Certificate> additionalCerts, java.util.Date signDate)`
`private static void`	`checkRevocationsWithIssuer(java.security.cert.X509Certificate cert, java.security.cert.X509Certificate issuerCert, java.util.Set<java.security.cert.X509Certificate> additionalCerts, java.util.Date signDate)`
`static java.util.Set<java.security.cert.X509Certificate>`	`downloadExtraCertificates(java.security.cert.X509Extension ext)`	Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension.
`private static java.lang.String`	`extractOCSPURL(java.security.cert.X509Certificate cert)`	Extract the OCSP URL from an X.509 certificate if available.
`static boolean`	`isSelfSigned(java.security.cert.X509Certificate cert)`	Checks whether given X.509 certificate is self-signed.
`private static java.security.cert.PKIXCertPathBuilderResult`	`verifyCertificate(java.security.cert.X509Certificate cert, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.util.Set<java.security.cert.X509Certificate> intermediateCerts, java.util.Date signDate)`	Attempts to build a certification chain for given certificate and to verify it.
`static java.security.cert.PKIXCertPathBuilderResult`	`verifyCertificate(java.security.cert.X509Certificate cert, java.util.Set<java.security.cert.X509Certificate> additionalCerts, boolean verifySelfSignedCert, java.util.Date signDate)`	Attempts to build a certification chain for given certificate and to verify it.
`private static void`	`verifyOCSP(OcspHelper ocspHelper, java.util.Set<java.security.cert.X509Certificate> additionalCerts)`	Verify whether the certificate has been revoked at signing date, and verify whether the certificate of the responder has been revoked now.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.apache.commons.logging.Log LOG

Constructor Detail
- CertificateVerifier
```
private CertificateVerifier()
```

Method Detail

verifyCertificate
```
public static java.security.cert.PKIXCertPathBuilderResult verifyCertificate(java.security.cert.X509Certificate cert,
                                                                             java.util.Set<java.security.cert.X509Certificate> additionalCerts,
                                                                             boolean verifySelfSignedCert,
                                                                             java.util.Date signDate)
                                                                      throws CertificateVerificationException
```
Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates and intermediate certificates that will be used for building the certification chain. The verification process assumes that all self-signed certificates in the set are trusted root CA certificates and all other certificates in the set are intermediate certificates.

Parameters:

cert - - certificate for validation

additionalCerts - - set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.

verifySelfSignedCert - true if a self-signed certificate is accepted, false if not.

signDate - the date when the signing took place

Returns:

the certification chain (if verification is successful)

Throws:

CertificateVerificationException - - if the certification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired or CRL checks are failed)

checkRevocations

private static void checkRevocations(java.security.cert.X509Certificate cert,
                                     java.util.Set<java.security.cert.X509Certificate> additionalCerts,
                                     java.util.Date signDate)
                              throws java.io.IOException,
                                     CertificateVerificationException,
                                     org.bouncycastle.cert.ocsp.OCSPException,
                                     RevokedCertificateException,
                                     java.security.GeneralSecurityException,
                                     java.net.URISyntaxException

Throws:: java.io.IOException; CertificateVerificationException; org.bouncycastle.cert.ocsp.OCSPException; RevokedCertificateException; java.security.GeneralSecurityException; java.net.URISyntaxException

checkRevocationsWithIssuer

private static void checkRevocationsWithIssuer(java.security.cert.X509Certificate cert,
                                               java.security.cert.X509Certificate issuerCert,
                                               java.util.Set<java.security.cert.X509Certificate> additionalCerts,
                                               java.util.Date signDate)
                                        throws org.bouncycastle.cert.ocsp.OCSPException,
                                               CertificateVerificationException,
                                               RevokedCertificateException,
                                               java.security.GeneralSecurityException,
                                               java.io.IOException,
                                               java.net.URISyntaxException

Throws:: org.bouncycastle.cert.ocsp.OCSPException; CertificateVerificationException; RevokedCertificateException; java.security.GeneralSecurityException; java.io.IOException; java.net.URISyntaxException

isSelfSigned
```
public static boolean isSelfSigned(java.security.cert.X509Certificate cert)
```
Checks whether given X.509 certificate is self-signed.

Parameters:

cert - The X.509 certificate to check.

Returns:

true if the certificate is self-signed, false if error or not self-signed.

downloadExtraCertificates
```
public static java.util.Set<java.security.cert.X509Certificate> downloadExtraCertificates(java.security.cert.X509Extension ext)
```
Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension. The method is lenient, i.e. catches all exceptions.

Parameters:

ext - an X509 object that can have extensions.

Returns:

a certificate set, never null.

verifyCertificate
```
private static java.security.cert.PKIXCertPathBuilderResult verifyCertificate(java.security.cert.X509Certificate cert,
                                                                              java.util.Set<java.security.cert.TrustAnchor> trustAnchors,
                                                                              java.util.Set<java.security.cert.X509Certificate> intermediateCerts,
                                                                              java.util.Date signDate)
                                                                       throws java.security.GeneralSecurityException
```
Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates (trust anchors) and a set of intermediate certificates (to be used as part of the chain).

Parameters:

cert - - certificate for validation

trustAnchors - - set of trust anchors

intermediateCerts - - set of intermediate certificates

signDate - the date when the signing took place

Returns:

the certification chain (if verification is successful)

Throws:

java.security.GeneralSecurityException - - if the verification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired)

extractOCSPURL
```
private static java.lang.String extractOCSPURL(java.security.cert.X509Certificate cert)
                                        throws java.io.IOException
```
Extract the OCSP URL from an X.509 certificate if available.

Parameters:

cert - X.509 certificate

Returns:

the URL of the OCSP validation service

Throws:

java.io.IOException

verifyOCSP

private static void verifyOCSP(OcspHelper ocspHelper,
                               java.util.Set<java.security.cert.X509Certificate> additionalCerts)
                        throws RevokedCertificateException,
                               java.io.IOException,
                               org.bouncycastle.cert.ocsp.OCSPException,
                               CertificateVerificationException,
                               java.net.URISyntaxException

Verify whether the certificate has been revoked at signing date, and verify whether the certificate of the responder has been revoked now.

Parameters:: ocspHelper - the OCSP helper.; additionalCerts -
Throws:: RevokedCertificateException; java.io.IOException; java.net.URISyntaxException; org.bouncycastle.cert.ocsp.OCSPException; CertificateVerificationException

Class CertificateVerifier

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

LOG

Constructor Detail

CertificateVerifier

Method Detail

verifyCertificate

checkRevocations

checkRevocationsWithIssuer

isSelfSigned

downloadExtraCertificates

verifyCertificate

extractOCSPURL

verifyOCSP