Package com.itextpdf.signatures
Class OCSPVerifier
java.lang.Object
com.itextpdf.signatures.CertificateVerifier
com.itextpdf.signatures.RootStoreVerifier
com.itextpdf.signatures.OCSPVerifier
Class that allows you to verify a certificate against one or more OCSP responses.
-
Field Summary
Modifier and TypeFieldDescriptionprotected static final String
protected static final org.slf4j.Logger
The Logger instanceprotected List<IBasicOCSPResp>
The list ofIBasicOCSPResp
OCSP response wrappers.Fields inherited from class com.itextpdf.signatures.RootStoreVerifier
rootStore
Fields inherited from class com.itextpdf.signatures.CertificateVerifier
onlineCheckingAllowed, verifier
-
Constructor Summary
ConstructorDescriptionOCSPVerifier
(CertificateVerifier verifier, List<IBasicOCSPResp> ocsps) Creates an OCSPVerifier instance. -
Method Summary
Modifier and TypeMethodDescriptiongetOcspResponse
(X509Certificate signCert, X509Certificate issuerCert) Gets an OCSP response online and returns it without further checking.boolean
isSignatureValid
(IBasicOCSPResp ocspResp, Certificate responderCert) Checks if an OCSP response is genuine.void
isValidResponse
(IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) Verifies if an OCSP response is genuine.void
setCrlClient
(ICrlClient crlClient) Sets CRL client to provide CRL responses for verifying of the OCSP signer's certificate (an Authorized Responder) that also should be used in case responder's certificate doesn't have any method of revocation checking.void
setOcspClient
(IOcspClient ocspClient) Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder).boolean
verify
(IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) Verifies a certificate against a single OCSP response.verify
(X509Certificate signCert, X509Certificate issuerCert, Date signDate) Verifies if a valid OCSP response is found for the certificate.Methods inherited from class com.itextpdf.signatures.RootStoreVerifier
setRootStore
Methods inherited from class com.itextpdf.signatures.CertificateVerifier
setOnlineCheckingAllowed
-
Field Details
-
LOGGER
protected static final org.slf4j.Logger LOGGERThe Logger instance -
id_kp_OCSPSigning
- See Also:
-
ocsps
The list ofIBasicOCSPResp
OCSP response wrappers.
-
-
Constructor Details
-
OCSPVerifier
Creates an OCSPVerifier instance.- Parameters:
-
verifier
- the next verifier in the chain -
ocsps
- a list ofIBasicOCSPResp
OCSP response wrappers for the certificate verification
-
-
Method Details
-
setOcspClient
Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder). Also, should be used in case responder's certificate doesn't have any method of revocation checking.See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.
Optional. Default one is
OcspClientBouncyCastle
.- Parameters:
-
ocspClient
-IOcspClient
to provide an Authorized Responder revocation data.
-
setCrlClient
Sets CRL client to provide CRL responses for verifying of the OCSP signer's certificate (an Authorized Responder) that also should be used in case responder's certificate doesn't have any method of revocation checking.See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.
Optional. Default one is
CrlClientOnline
.- Parameters:
-
crlClient
-ICrlClient
to provide an Authorized Responder revocation data.
-
verify
public List<VerificationOK> verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies if a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.- Overrides:
-
verify
in classRootStoreVerifier
- Parameters:
-
signCert
- the certificate that needs to be checked -
issuerCert
- issuer of the certificate to be checked -
signDate
- the date the certificate needs to be valid - Returns:
-
a list of
VerificationOK
objects. The list will be empty if the certificate couldn't be verified. - Throws:
-
GeneralSecurityException
- thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown inCertificate#verify
. - See Also:
-
verify
public boolean verify(IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies a certificate against a single OCSP response.- Parameters:
-
ocspResp
-IBasicOCSPResp
the OCSP response wrapper for a certificate verification -
signCert
- the certificate that needs to be checked -
issuerCert
- the certificate that issued signCert – immediate parent. This certificate is considered trusted and valid by this method. -
signDate
- sign date (or the date the certificate needs to be valid) - Returns:
-
true
in case check is successful, false otherwise. - Throws:
-
GeneralSecurityException
- if OCSP response verification cannot be done or failed.
-
isValidResponse
public void isValidResponse(IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.- Parameters:
-
ocspResp
-IBasicOCSPResp
the OCSP response wrapper -
issuerCert
- the issuer certificate. This certificate is considered trusted and valid by this method. -
signDate
- sign date for backwards compatibility - Throws:
-
GeneralSecurityException
- if OCSP response verification cannot be done or failed.
-
isSignatureValid
Checks if an OCSP response is genuine.- Parameters:
-
ocspResp
-IBasicOCSPResp
the OCSP response wrapper -
responderCert
- the responder certificate - Returns:
- true if the OCSP response verifies against the responder certificate.
-
getOcspResponse
Gets an OCSP response online and returns it without further checking.- Parameters:
-
signCert
- the signing certificate -
issuerCert
- the issuer certificate - Returns:
-
IBasicOCSPResp
an OCSP response wrapper.
-