Package org.apache.pdfbox.examples.signature.cert

Class CertificateVerifier

java.lang.Object

org.apache.pdfbox.examples.signature.cert.CertificateVerifier

public final class CertificateVerifier
extends Object

Copied from Apache CXF 2.4.9, initial version: https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.9/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/

Field Summary

Fields

Modifier and Type	Field	Description
private static final org.apache.commons.logging.Log	LOG

Constructor Summary

Constructors

Modifier	Constructor	Description
private	CertificateVerifier()

Method Summary

Modifier and Type	Method	Description
private static void	checkRevocations(X509Certificate cert, Set<X509Certificate> additionalCerts, Date signDate)
private static void	checkRevocationsWithIssuer(X509Certificate cert, X509Certificate issuerCert, Set<X509Certificate> additionalCerts, Date signDate)
static Set<X509Certificate>	downloadExtraCertificates(X509Extension ext)	Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension.
private static String	extractOCSPURL(X509Certificate cert)	Extract the OCSP URL from an X.509 certificate if available.
static boolean	isSelfSigned(X509Certificate cert)	Checks whether given X.509 certificate is self-signed.
private static PKIXCertPathBuilderResult	verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors, Set<X509Certificate> intermediateCerts, Date signDate)	Attempts to build a certification chain for given certificate and to verify it.
static PKIXCertPathBuilderResult	verifyCertificate(X509Certificate cert, Set<X509Certificate> additionalCerts, boolean verifySelfSignedCert, Date signDate)	Attempts to build a certification chain for given certificate and to verify it.
private static void	verifyOCSP(OcspHelper ocspHelper, Set<X509Certificate> additionalCerts)	Verify whether the certificate has been revoked at signing date, and verify whether the certificate of the responder has been revoked now.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOG

private static final org.apache.commons.logging.Log LOG

Constructor Details

CertificateVerifier

private CertificateVerifier()

Method Details

verifyCertificate

public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
 Set<X509Certificate> additionalCerts,
 boolean verifySelfSignedCert,
 Date signDate)
                                                   throws CertificateVerificationException

Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates and intermediate certificates that will be used for building the certification chain. The verification process assumes that all self-signed certificates in the set are trusted root CA certificates and all other certificates in the set are intermediate certificates.

Parameters:

cert - - certificate for validation

additionalCerts - - set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.

verifySelfSignedCert - true if a self-signed certificate is accepted, false if not.

signDate - the date when the signing took place

Returns:

the certification chain (if verification is successful)

Throws:

CertificateVerificationException - - if the certification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired or CRL checks are failed)

checkRevocations

private static void checkRevocations(X509Certificate cert,
 Set<X509Certificate> additionalCerts,
 Date signDate)
                              throws IOException,
CertificateVerificationException,
org.bouncycastle.cert.ocsp.OCSPException,
RevokedCertificateException,
GeneralSecurityException,
URISyntaxException

Throws:

IOException

CertificateVerificationException

org.bouncycastle.cert.ocsp.OCSPException

RevokedCertificateException

GeneralSecurityException

URISyntaxException

checkRevocationsWithIssuer

private static void checkRevocationsWithIssuer(X509Certificate cert,
 X509Certificate issuerCert,
 Set<X509Certificate> additionalCerts,
 Date signDate)
                                        throws org.bouncycastle.cert.ocsp.OCSPException,
CertificateVerificationException,
RevokedCertificateException,
GeneralSecurityException,
IOException,
URISyntaxException

Throws:

org.bouncycastle.cert.ocsp.OCSPException

CertificateVerificationException

RevokedCertificateException

GeneralSecurityException

IOException

URISyntaxException

isSelfSigned

public static boolean isSelfSigned(X509Certificate cert)

Checks whether given X.509 certificate is self-signed.

Parameters:

cert - The X.509 certificate to check.

Returns:

true if the certificate is self-signed, false if error or not self-signed.

downloadExtraCertificates

public static Set<X509Certificate> downloadExtraCertificates(X509Extension ext)

Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension. The method is lenient, i.e. catches all exceptions.

Parameters:

ext - an X509 object that can have extensions.

Returns:

a certificate set, never null.

verifyCertificate

private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
 Set<TrustAnchor> trustAnchors,
 Set<X509Certificate> intermediateCerts,
 Date signDate)
                                                    throws GeneralSecurityException

Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates (trust anchors) and a set of intermediate certificates (to be used as part of the chain).

Parameters:

cert - - certificate for validation

trustAnchors - - set of trust anchors

intermediateCerts - - set of intermediate certificates

signDate - the date when the signing took place

Returns:

the certification chain (if verification is successful)

Throws:

GeneralSecurityException - - if the verification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired)

extractOCSPURL

private static String extractOCSPURL(X509Certificate cert)
                              throws IOException

Extract the OCSP URL from an X.509 certificate if available.

Parameters:

cert - X.509 certificate

Returns:

the URL of the OCSP validation service

Throws:

IOException

verifyOCSP

private static void verifyOCSP(OcspHelper ocspHelper,
 Set<X509Certificate> additionalCerts)
                        throws RevokedCertificateException,
IOException,
org.bouncycastle.cert.ocsp.OCSPException,
CertificateVerificationException,
URISyntaxException

Verify whether the certificate has been revoked at signing date, and verify whether the certificate of the responder has been revoked now.

Parameters:

ocspHelper - the OCSP helper.

additionalCerts -

Throws:

RevokedCertificateException

IOException

URISyntaxException

org.bouncycastle.cert.ocsp.OCSPException

CertificateVerificationException