Package eu.europa.esig.dss.spi.validation

Interface CertificateVerifier

All Known Implementing Classes:

CommonCertificateVerifier

public interface CertificateVerifier

Provides information on the sources to be used in the validation process in the context of a signature.

Method Summary

Modifier and Type	Method	Description
void	addAdjunctCertSources(CertificateSource... certSources)	Adds adjunct certificate sources to an existing list of adjunct certificate sources
void	addTrustedCertSources(CertificateSource... certSources)	Adds trusted certificate sources to an existing list of trusted certificate sources
ListCertificateSource	getAdjunctCertSources()	Returns the list of adjunct certificate sources assigned to this verifier.
AIASource	getAIASource()	Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
StatusAlert	getAlertOnExpiredCertificate()	This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time).
StatusAlert	getAlertOnExpiredSignature()	Deprecated. since DSS 6.1.
StatusAlert	getAlertOnInvalidSignature()	This method returns the defined execution behaviour on invalid signature.
StatusAlert	getAlertOnInvalidTimestamp()	This method returns the defined execution behaviour on invalid timestamp.
StatusAlert	getAlertOnMissingRevocationData()	This method returns the defined execution behaviour on missing revocation data.
StatusAlert	getAlertOnNoRevocationAfterBestSignatureTime()	This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime
StatusAlert	getAlertOnNotYetValidCertificate()	This method returns the defined behavior on signature creation with a not yet valid signing-certificate
StatusAlert	getAlertOnRevokedCertificate()	This method returns the defined execution behaviour on revoked certificate.
StatusAlert	getAlertOnUncoveredPOE()	This method returns the defined execution behaviour on uncovered POE (timestamp).
StatusAlert	getAugmentationAlertOnHigherSignatureLevel()	This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.
StatusAlert	getAugmentationAlertOnSelfSignedCertificateChains()	This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.
StatusAlert	getAugmentationAlertOnSignatureWithoutCertificates()	This method returns the defined augmentation behaviour for a signature without certificates.
RevocationSource<CRL>	getCrlSource()	Returns the CRL source associated with this verifier.
DigestAlgorithm	getDefaultDigestAlgorithm()	Deprecated. since DSS 6.1
RevocationSource<OCSP>	getOcspSource()	Returns the OCSP source associated with this verifier.
RevocationDataLoadingStrategyFactory	getRevocationDataLoadingStrategyFactory()	Returns a factory used to create revocation data loading strategy associated with this verifier.
RevocationDataVerifier	getRevocationDataVerifier()	Returns a RevocationDataVerifier associated with this verifier.
TimestampTokenVerifier	getTimestampTokenVerifier()	Returns a TimestampTokenVerifier associated with this verifier.
ListCertificateSource	getTrustedCertSources()	Returns the trusted certificate sources associated with this verifier.
boolean	isCheckRevocationForUntrustedChains()	This method returns true if revocation check is enabled for untrusted certificate chains.
boolean	isExtractPOEFromUntrustedChains()	Deprecated. since DSS 6.1.
boolean	isRevocationFallback()	Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).
void	setAdjunctCertSources(CertificateSource... certSources)	Sets multiple adjunct certificate sources.
void	setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)	Sets a list of adjunct certificate sources
void	setAIASource(AIASource aiaSource)	Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token
void	setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)	This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time).
void	setAlertOnExpiredSignature(StatusAlert alertOnUncoveredPOE)	Deprecated. since DSS 6.1.
void	setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)	This method allows to change the behavior on invalid signature (T/LT/LTA augmentation).
void	setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)	This method allows to change the behavior on invalid timestamp (LT/LTA augmentation).
void	setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)	This method allows to change the behavior on missing revocation data (LT/LTA augmentation).
void	setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)	This method allows to change the behavior on revocation data issued after a control time.
void	setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)	This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) Default : ExceptionOnStatusAlert - throw an exception.
void	setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)	This method allows to change the behavior on revoked certificates (LT/LTA augmentation).
void	setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)	This method allows to change the behavior on uncovered POE (timestamp).
void	setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)	This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature.
void	setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)	This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains.
void	setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)	This method allows to change the augmentation behaviour for a signature without certificates.
void	setCheckRevocationForUntrustedChains(boolean enable)	This method allows enabling of revocation checking for untrusted certificate chains.
void	setCrlSource(RevocationSource<CRL> crlSource)	Defines the source of CRL used by this class
void	setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm)	Deprecated. since DSS 6.1.
void	setExtractPOEFromUntrustedChains(boolean enable)	Deprecated. since DSS 6.1.
void	setOcspSource(RevocationSource<OCSP> ocspSource)	Defines the source of OCSP used by this class
void	setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)	Creates a strategy used to fetch OCSP or CRL for certificate validation.
void	setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)	Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data.
void	setRevocationFallback(boolean revocationFallback)	Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL).
void	setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)	Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.
void	setTrustedCertSources(CertificateSource... certSources)	Sets multiple trusted certificate sources.
void	setTrustedCertSources(ListCertificateSource trustedListCertificateSource)	Sets a list of trusted certificate sources

Method Details

getCrlSource

RevocationSource<CRL> getCrlSource()

Returns the CRL source associated with this verifier.

Returns:

the used CRL source for external access (web, filesystem, cached,...)

setCrlSource

void setCrlSource(RevocationSource<CRL> crlSource)

Defines the source of CRL used by this class

Parameters:

crlSource - the CRL source to set for external access (web, filesystem, cached,...)

getOcspSource

RevocationSource<OCSP> getOcspSource()

Returns the OCSP source associated with this verifier.

Returns:

the used OCSP source for external access (web, filesystem, cached,...)

setOcspSource

void setOcspSource(RevocationSource<OCSP> ocspSource)

Defines the source of OCSP used by this class

Parameters:

ocspSource - the OCSP source to set for external access (web, filesystem, cached,...)

getRevocationDataLoadingStrategyFactory

RevocationDataLoadingStrategyFactory getRevocationDataLoadingStrategyFactory()

Returns a factory used to create revocation data loading strategy associated with this verifier.

Returns:

creates the defined strategy to fetch OCSP or CRL for certificate validation

setRevocationDataLoadingStrategyFactory

void setRevocationDataLoadingStrategyFactory(RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory)

Creates a strategy used to fetch OCSP or CRL for certificate validation. Default: OCSPFirstRevocationDataLoadingStrategyFactory used to create a strategy to extract OCSP token first and CRL after

Parameters:

revocationDataLoadingStrategyFactory - RevocationDataLoadingStrategyFactory

getRevocationDataVerifier

RevocationDataVerifier getRevocationDataVerifier()

Returns a RevocationDataVerifier associated with this verifier.

Returns:

RevocationDataVerifier

setRevocationDataVerifier

void setRevocationDataVerifier(RevocationDataVerifier revocationDataVerifier)

Sets RevocationDataVerifier used to validate acceptance of the retrieved (from offline or online sources) revocation data. This class is used to verify revocation data extracted from the validating document itself, as well the revocation data retrieved from remote sources during the validation process.

NOTE: It is not recommended to use the same instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

Parameters:

revocationDataVerifier - RevocationDataVerifier

isRevocationFallback

boolean isRevocationFallback()

Returns whether revocation data still shall be returned if validation of requested revocation data failed (i.e. both for OCSP and CRL).

Returns:

revocation fallback

setRevocationFallback

void setRevocationFallback(boolean revocationFallback)

Sets whether a revocation data still have to be returned to the validation process, in case validation of obtained revocation data has failed (i.e. both for OCSP and CRL). Default: FALSE (invalid revocation data not returned)

NOTE: Revocation fallback is enforced to TRUE (return even invalid revocation data, when no valid found) on signature validation

Parameters:

revocationFallback - whether invalid revocation data shall be returned, when not valid revocation available

getTimestampTokenVerifier

TimestampTokenVerifier getTimestampTokenVerifier()

Returns a TimestampTokenVerifier associated with this verifier.

Returns:

TimestampTokenVerifier

setTimestampTokenVerifier

void setTimestampTokenVerifier(TimestampTokenVerifier timestampTokenVerifier)

Sets TimestampTokenVerifier used to validate acceptance of the timestamp tokens encapsulated within the signature.

NOTE: This object is not synchronized by default with the used XML Validation Policy. Please configure the object yourself in case a customized behavior is expected for acceptance of timestamp tokens.

Parameters:

timestampTokenVerifier - TimestampTokenVerifier

getTrustedCertSources

ListCertificateSource getTrustedCertSources()

Returns the trusted certificate sources associated with this verifier. These sources are used to identify the trusted anchors.

Returns:

the certificate sources which contain trusted certificates

setTrustedCertSources

void setTrustedCertSources(CertificateSource... certSources)

Sets multiple trusted certificate sources.

Parameters:

certSources - The certificate sources with known trusted certificates

addTrustedCertSources

void addTrustedCertSources(CertificateSource... certSources)

Adds trusted certificate sources to an existing list of trusted certificate sources

Parameters:

certSources - The certificate sources with known trusted certificates

setTrustedCertSources

void setTrustedCertSources(ListCertificateSource trustedListCertificateSource)

Sets a list of trusted certificate sources

Parameters:

trustedListCertificateSource - ListCertificateSource of trusted cert sources

getAdjunctCertSources

ListCertificateSource getAdjunctCertSources()

Returns the list of adjunct certificate sources assigned to this verifier.

Returns:

the certificate source which contains additional certificate (missing CA,...)

setAdjunctCertSources

void setAdjunctCertSources(CertificateSource... certSources)

Sets multiple adjunct certificate sources.

Parameters:

certSources - the certificate sources with additional and/or missing certificates

addAdjunctCertSources

void addAdjunctCertSources(CertificateSource... certSources)

Adds adjunct certificate sources to an existing list of adjunct certificate sources

Parameters:

certSources - The certificate sources with additional certificates

setAdjunctCertSources

void setAdjunctCertSources(ListCertificateSource adjunctListCertificateSource)

Sets a list of adjunct certificate sources

Parameters:

adjunctListCertificateSource - ListCertificateSource of adjunct cert sources

getAIASource

AIASource getAIASource()

Gets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token

Returns:

aiaSource AIASource

setAIASource

void setAIASource(AIASource aiaSource)

Sets the AIASource used to load a eu.europa.esig.dss.model.x509.CertificateToken's issuer by defined AIA URI(s) within the token

Parameters:

aiaSource - AIASource

setDefaultDigestAlgorithm

@Deprecated
void setDefaultDigestAlgorithm(DigestAlgorithm digestAlgorithm)

Deprecated.

since DSS 6.1. Use DocumentValidator#setDefaultDigestAlgorithm method instead

This method allows to change the Digest Algorithm that will be used for tokens' digest calculation Default : DigestAlgorithm.SHA256

Parameters:

digestAlgorithm - DigestAlgorithm to use

getDefaultDigestAlgorithm

@Deprecated
DigestAlgorithm getDefaultDigestAlgorithm()

Deprecated.

since DSS 6.1

This method returns a default Digest Algorithm what will be used for digest calculation

Returns:

DigestAlgorithm

setAlertOnInvalidSignature

void setAlertOnInvalidSignature(StatusAlert alertOnInvalidSignature)

This method allows to change the behavior on invalid signature (T/LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnInvalidSignature - defines a behaviour in case of invalid signature

getAlertOnInvalidSignature

StatusAlert getAlertOnInvalidSignature()

This method returns the defined execution behaviour on invalid signature.

Returns:

StatusAlert to be processed in case of an invalid signature

setAlertOnInvalidTimestamp

void setAlertOnInvalidTimestamp(StatusAlert alertOnInvalidTimestamp)

This method allows to change the behavior on invalid timestamp (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnInvalidTimestamp - defines a behaviour in case of invalid timestamp

getAlertOnInvalidTimestamp

StatusAlert getAlertOnInvalidTimestamp()

This method returns the defined execution behaviour on invalid timestamp.

Returns:

StatusAlert to be processed in case of an invalid timestamp

setAlertOnMissingRevocationData

void setAlertOnMissingRevocationData(StatusAlert alertOnMissingRevocationData)

This method allows to change the behavior on missing revocation data (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnMissingRevocationData - defines a behaviour in case of missing revocation data

getAlertOnMissingRevocationData

StatusAlert getAlertOnMissingRevocationData()

This method returns the defined execution behaviour on missing revocation data.

Returns:

StatusAlert to be processed in case of missing revocation data

setAlertOnRevokedCertificate

void setAlertOnRevokedCertificate(StatusAlert alertOnRevokedCertificate)

This method allows to change the behavior on revoked certificates (LT/LTA augmentation). Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnRevokedCertificate - defines a behaviour in case of revoked certificate

getAlertOnRevokedCertificate

StatusAlert getAlertOnRevokedCertificate()

This method returns the defined execution behaviour on revoked certificate.

Returns:

StatusAlert to be processed in case of revoked certificate

setAlertOnNoRevocationAfterBestSignatureTime

void setAlertOnNoRevocationAfterBestSignatureTime(StatusAlert alertOnNoRevocationAfterBestSignatureTime)

This method allows to change the behavior on revocation data issued after a control time. Default : LogOnStatusAlert - log a warning.

Parameters:

alertOnNoRevocationAfterBestSignatureTime - defines a behaviour in case of no revocation data issued after the bestSignatureTime

getAlertOnNoRevocationAfterBestSignatureTime

StatusAlert getAlertOnNoRevocationAfterBestSignatureTime()

This method returns the defined execution behaviour if no revocation data obtained with an issuance time after the bestSignatureTime

Returns:

StatusAlert to be processed in case of no revocation data after best signature time

setAlertOnUncoveredPOE

void setAlertOnUncoveredPOE(StatusAlert alertOnUncoveredPOE)

This method allows to change the behavior on uncovered POE (timestamp). Default : LogOnStatusAlert - log a warning.

Parameters:

alertOnUncoveredPOE - defines a behaviour in case of uncovered POE

getAlertOnUncoveredPOE

StatusAlert getAlertOnUncoveredPOE()

This method returns the defined execution behaviour on uncovered POE (timestamp).

Returns:

StatusAlert to be processed in case of uncovered POE

setAlertOnExpiredSignature

@Deprecated
void setAlertOnExpiredSignature(StatusAlert alertOnUncoveredPOE)

Deprecated.

since DSS 6.1. Please use #setAlertOnExpiredCertificate instead

This method allows to change the behavior on expired signature during the signature augmentation process (if the signing certificate or its POE(s) has been expired). Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnUncoveredPOE - defines a behaviour in case of an expired signature

getAlertOnExpiredSignature

@Deprecated
StatusAlert getAlertOnExpiredSignature()

Deprecated.

since DSS 6.1. Please use #getAlertOnExpiredCertificate instead

This method returns the defined execution behaviour on expired signature (if the signing certificate or its POE(s) has been expired).

Returns:

StatusAlert to be processed in case of uncovered POE

setAlertOnExpiredCertificate

void setAlertOnExpiredCertificate(StatusAlert alertOnExpiredCertificate)

This method allows to change a behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnExpiredCertificate - defines behavior in case of an expired signing-certificate

getAlertOnExpiredCertificate

StatusAlert getAlertOnExpiredCertificate()

This method returns the defined behavior on signature creation or augmentation with an expired signing-certificate (notAfter is before the current time). Validated the available POEs in case of existing signature augmentation.

Returns:

StatusAlert to process in case of a signature with an expired certificate

setAlertOnNotYetValidCertificate

void setAlertOnNotYetValidCertificate(StatusAlert alertOnNotYetValidCertificate)

This method allows to change a behavior on signature creation with a not yet valid signing-certificate (notBefore is after the current time) Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

alertOnNotYetValidCertificate - defines behavior in case of a not yet valid signing-certificate

getAlertOnNotYetValidCertificate

StatusAlert getAlertOnNotYetValidCertificate()

This method returns the defined behavior on signature creation with a not yet valid signing-certificate

Returns:

StatusAlert to process in case of a signature with a not yet valid signing-certificate

setAugmentationAlertOnHigherSignatureLevel

void setAugmentationAlertOnHigherSignatureLevel(StatusAlert augmentationAlertOnHigherSignatureLevel)

This method allows to change the augmentation behaviour for a signature of a higher level or a document containing a such signature. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnHigherSignatureLevel - defines augmentation behaviour for a signature of a higher level or a document containing a such signature.

getAugmentationAlertOnHigherSignatureLevel

StatusAlert getAugmentationAlertOnHigherSignatureLevel()

This method returns the defined augmentation behaviour for a signature of a higher level or a document containing a such signature.

Returns:

StatusAlert to be processed in case of a signature of a higher level or a document containing a such signature.

setAugmentationAlertOnSignatureWithoutCertificates

void setAugmentationAlertOnSignatureWithoutCertificates(StatusAlert augmentationAlertOnSignatureWithoutCertificates)

This method allows to change the augmentation behaviour for a signature without certificates. The alert is triggered when no certificate is defined within the signature. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnSignatureWithoutCertificates - defines augmentation behaviour for a signature without certificates.

getAugmentationAlertOnSignatureWithoutCertificates

StatusAlert getAugmentationAlertOnSignatureWithoutCertificates()

This method returns the defined augmentation behaviour for a signature without certificates.

Returns:

StatusAlert to be processed in case of a signature without certificates

setAugmentationAlertOnSelfSignedCertificateChains

void setAugmentationAlertOnSelfSignedCertificateChains(StatusAlert augmentationAlertOnSelfSignedCertificateChains)

This method allows to change the augmentation behaviour for a signature containing only self-signed certificate chains. The alert is triggered when all used certificates are self-signed. Default : ExceptionOnStatusAlert - throw an exception.

Parameters:

augmentationAlertOnSelfSignedCertificateChains - defines augmentation behaviour for a signature containing only self-signed certificate chains.

getAugmentationAlertOnSelfSignedCertificateChains

StatusAlert getAugmentationAlertOnSelfSignedCertificateChains()

This method returns the defined augmentation behaviour for a signature containing only self-signed certificate chains.

Returns:

StatusAlert to be processed in case of a signature containing only self-signed certificate chains

setCheckRevocationForUntrustedChains

void setCheckRevocationForUntrustedChains(boolean enable)

This method allows enabling of revocation checking for untrusted certificate chains. Default : FALSE (revocation data is not checked for untrusted certificate chains)

Parameters:

enable - true if revocation checking is allowed for untrusted certificate chains

isCheckRevocationForUntrustedChains

boolean isCheckRevocationForUntrustedChains()

This method returns true if revocation check is enabled for untrusted certificate chains.

Returns:

true if external revocation check is done for untrusted certificate chains

setExtractPOEFromUntrustedChains

@Deprecated
void setExtractPOEFromUntrustedChains(boolean enable)

Deprecated.

since DSS 6.1. Please use TimestampTokenVerifier timestampTokenVerifier = TimestampTokenVerifier.createDefaultTimestampTokenVerifier(); timestampTokenVerifier.setAcceptUntrustedCertificateChains(true); certificateVerifier.setTimestampTokenVerifier(timestampTokenVerifier);

This method allows enabling of POE extraction from timestamps coming from untrusted certificate chains. Default : FALSE (timestamps created with untrusted certificate chains are not considered as POE)

Parameters:

enable - true if POE extraction is allowed for timestamps from untrusted certificate chains

isExtractPOEFromUntrustedChains

@Deprecated
boolean isExtractPOEFromUntrustedChains()

Deprecated.

since DSS 6.1. Please use TimestampTokenVerifier timestampTokenVerifier = certificateVerifier.getTimestampTokenVerifier(); boolean extractPOEFromUntrustedChains = timestampTokenVerifier.getAcceptUntrustedCertificateChains();

This method returns whether POEs should be extracted from timestamps coming from untrusted certificate chains.

Returns:

true if POEs should be extracted from timestamp with untrusted certificate chains