Class OCSPVerifier


public class OCSPVerifier extends RootStoreVerifier
Class that allows you to verify a certificate against one or more OCSP responses.
  • Field Details

    • LOGGER

      protected static final org.slf4j.Logger LOGGER
      The Logger instance
    • id_kp_OCSPSigning

      protected static final String id_kp_OCSPSigning
    • ocsps

      protected List ocsps
      The list of OCSP responses.
  • Constructor Details

    • OCSPVerifier

      public OCSPVerifier (CertificateVerifier verifier, List ocsps)
      Creates an OCSPVerifier instance.
      Parameters:
      verifier - the next verifier in the chain
      ocsps - a list of OCSP responses
  • Method Details

    • verify

      public List<VerificationOK> verify (X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
      Verifies whether a valid OCSP response is found for the certificate. If this method returns an empty list, it doesn't mean the certificate isn't valid; it means the certificate couldn't be verified against any of the available OCSP responses.
      Overrides:
      verify in class RootStoreVerifier
      Parameters:
      signCert - the certificate that needs to be checked
      issuerCert - its issuer
      signDate - the date the certificate needs to be valid
      Returns:
      a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
      Throws:
      GeneralSecurityException - thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown in Certificate#verify.
    • verify

      public boolean verify (org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
      Verifies a certificate against a single OCSP response
      Parameters:
      ocspResp - the OCSP response
      signCert - the certificate that needs to be checked
      issuerCert - the certificate of CA (certificate that issued signCert). This certificate is considered trusted and valid by this method.
      signDate - sign date
      Returns:
      true if the check succeeded, otherwise false.
      Throws:
      GeneralSecurityException - if OCSP response verification cannot be done or failed
    • isValidResponse

      public void isValidResponse (org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
      Verifies whether an OCSP response is genuine. If it doesn't verify against the issuer certificate or the certificates embedded in the response, it may still verify against a trusted anchor or certificate.
      Parameters:
      ocspResp - the OCSP response
      issuerCert - the issuer certificate. This certificate is considered trusted and valid by this method.
      signDate - sign date
      Throws:
      GeneralSecurityException - if OCSP response verification cannot be done or failed
    • isSignatureValid

      public boolean isSignatureValid (org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, Certificate responderCert)
      Checks if an OCSP response is genuine
      Parameters:
      ocspResp - the OCSP response
      responderCert - the responder certificate
      Returns:
      true if the OCSP response verifies against the responder certificate
    • getOcspResponse

      public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse (X509Certificate signCert, X509Certificate issuerCert)
      Gets an OCSP response online and returns it if the status is GOOD (without further checking!).
      Parameters:
      signCert - the signing certificate
      issuerCert - the issuer certificate
      Returns:
      an OCSP response
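The following is an added usage example and is not code from the iText documentation this page is drawn from. It wires an OCSPVerifier behind a RootStoreVerifier as the constructor above describes, decodes DER-encoded responses with BouncyCastle, and treats an empty result from verify() the way the Javadoc says to (not verified, rather than invalid). The package name com.itextpdf.signatures, the RootStoreVerifier.setRootStore(KeyStore) call, and the method names readBasicResponse and checkWithOcsp are assumptions, not taken from this page.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPResp;

// Assumed package; the page itself does not name it.
import com.itextpdf.signatures.OCSPVerifier;
import com.itextpdf.signatures.RootStoreVerifier;
import com.itextpdf.signatures.VerificationOK;

public class OcspChainExample {

    /** Decodes a DER-encoded OCSPResponse and unwraps the BasicOCSPResp inside it. */
    static BasicOCSPResp readBasicResponse(byte[] der) throws Exception {
        OCSPResp resp = new OCSPResp(der);
        // Only a SUCCESSFUL outer status carries a BasicOCSPResp; anything else
        // (malformedRequest, tryLater, unauthorized, ...) has no certificate status in it.
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new IllegalStateException("OCSP responder status: " + resp.getStatus());
        }
        return (BasicOCSPResp) resp.getResponseObject();
    }

    /**
     * Runs the verifier chain: OCSPVerifier first, with a RootStoreVerifier behind it
     * so a responder certificate can be validated against the trusted root store.
     */
    static List<VerificationOK> checkWithOcsp(X509Certificate signCert,
            X509Certificate issuerCert, Date signDate, KeyStore trustedRoots,
            List<BasicOCSPResp> ocsps) throws GeneralSecurityException {
        RootStoreVerifier rootVerifier = new RootStoreVerifier(null); // end of the chain
        rootVerifier.setRootStore(trustedRoots);                       // assumed setter
        OCSPVerifier ocspVerifier = new OCSPVerifier(rootVerifier, ocsps);
        // Per the Javadoc: an empty list means no available response verified the
        // certificate, NOT that the certificate is invalid. Expired/not-yet-valid
        // certificates surface as a GeneralSecurityException instead.
        List<VerificationOK> result = ocspVerifier.verify(signCert, issuerCert, signDate);
        if (result.isEmpty()) {
            System.out.println("No OCSP evidence for " + signCert.getSubjectX500Principal());
        }
        return result;
    }
}
```

Note that getOcspResponse() above returns a fresh online response whenever its status is GOOD without validating it; pass such a response through isValidResponse() or the verify(BasicOCSPResp, ...) overload before relying on it.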