Package com.itextpdf.signatures
Class OCSPVerifier
java.lang.Object
com.itextpdf.signatures.CertificateVerifier
com.itextpdf.signatures.RootStoreVerifier
com.itextpdf.signatures.OCSPVerifier
Class that allows you to verify a certificate against one or more OCSP responses.
-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected static final Stringprotected static final LoggerThe Logger instanceprotected List<IBasicOCSPResp>The list ofIBasicOCSPRespOCSP response wrappers.Fields inherited from class com.itextpdf.signatures.RootStoreVerifier
rootStoreFields inherited from class com.itextpdf.signatures.CertificateVerifier
onlineCheckingAllowed, verifier -
Constructor Summary
ConstructorsConstructorDescriptionOCSPVerifier(CertificateVerifier verifier, List<IBasicOCSPResp> ocsps) Creates an OCSPVerifier instance. -
Method Summary
Modifier and TypeMethodDescriptiongetOcspResponse(X509Certificate signCert, X509Certificate issuerCert) Gets an OCSP response online and returns it if the status is GOOD (without further checking!).booleanisSignatureValid(IBasicOCSPResp ocspResp, Certificate responderCert) Checks if an OCSP response is genuinevoidisValidResponse(IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) Verifies if an OCSP response is genuine If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.booleanverify(IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) Verifies a certificate against a single OCSP responseverify(X509Certificate signCert, X509Certificate issuerCert, Date signDate) Verifies if a valid OCSP response is found for the certificate.Methods inherited from class com.itextpdf.signatures.RootStoreVerifier
setRootStoreMethods inherited from class com.itextpdf.signatures.CertificateVerifier
setOnlineCheckingAllowed
-
Field Details
-
LOGGER
The Logger instance -
id_kp_OCSPSigning
- See Also:
-
ocsps
The list ofIBasicOCSPRespOCSP response wrappers.
-
-
Constructor Details
-
OCSPVerifier
Creates an OCSPVerifier instance.- Parameters:
-
verifier- the next verifier in the chain -
ocsps- a list ofIBasicOCSPRespOCSP response wrappers
-
-
Method Details
-
verify
public List<VerificationOK> verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies if a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.- Overrides:
-
verifyin classRootStoreVerifier - Parameters:
-
signCert- the certificate that needs to be checked -
issuerCert- its issuer -
signDate- the date the certificate needs to be valid - Returns:
-
a list of
VerificationOKobjects. The list will be empty if the certificate couldn't be verified. - Throws:
-
GeneralSecurityException- thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown inCertificate#verify. - See Also:
-
verify
public boolean verify(IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies a certificate against a single OCSP response- Parameters:
-
ocspResp-IBasicOCSPRespthe OCSP response wrapper -
signCert- the certificate that needs to be checked -
issuerCert- the certificate of CA (certificate that issued signCert). This certificate is considered trusted and valid by this method. -
signDate- sign date - Returns:
-
true, in case successful check, otherwise false. - Throws:
-
GeneralSecurityException- if OCSP response verification cannot be done or failed
-
isValidResponse
public void isValidResponse(IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies if an OCSP response is genuine If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.- Parameters:
-
ocspResp-IBasicOCSPRespthe OCSP response wrapper -
issuerCert- the issuer certificate. This certificate is considered trusted and valid by this method. -
signDate- sign date - Throws:
-
GeneralSecurityException- if OCSP response verification cannot be done or failed
-
isSignatureValid
Checks if an OCSP response is genuine- Parameters:
-
ocspResp-IBasicOCSPRespthe OCSP response wrapper -
responderCert- the responder certificate - Returns:
- true if the OCSP response verifies against the responder certificate
-
getOcspResponse
Gets an OCSP response online and returns it if the status is GOOD (without further checking!).- Parameters:
-
signCert- the signing certificate -
issuerCert- the issuer certificate - Returns:
-
IBasicOCSPRespan OCSP response wrapper
-