Package com.itextpdf.signatures

Class IssuingCertificateRetriever

java.lang.Object
com.itextpdf.signatures.IssuingCertificateRetriever
All Implemented Interfaces:
IIssuingCertificateRetriever
public class IssuingCertificateRetriever extends Object implements IIssuingCertificateRetriever
IIssuingCertificateRetriever default implementation.

  • Constructor Details

  • Method Details

    • retrieveMissingCertificates

      public Certificate[] retrieveMissingCertificates (Certificate[] chain)
      Retrieves all possible chains using certificate Authority Information Access (AIA) Extension, known certificates and trust anchors.
      Specified by:
      retrieveMissingCertificates in interface IIssuingCertificateRetriever
      Parameters:
      chain - certificate chain to restore with at least signing certificate.
      Returns:
      all possible chains of trust or maximum chains that could be restored in case missing certificates cannot be retrieved from AIA extension, known certificates and trust anchors.

    • buildCertificateChains

      public List<X509Certificate[]> buildCertificateChains (X509Certificate certificate)
      This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate based on issuer names and public keys.
      Parameters:
      certificate - X509Certificate for which issuer chains shall be built
      Returns:
      all possible issuer chains

    • buildCertificateChains

      public List<X509Certificate[]> buildCertificateChains (X509Certificate[] certificate)
      This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate array based on issuer names and public keys.
      Parameters:
      certificate - X509Certificate array for which issuer chains shall be built
      Returns:
      all possible issuer chains

    • withResourceRetriever

      public IssuingCertificateRetriever withResourceRetriever (IAdvancedResourceRetriever resourceRetriever)
      Sets a resource retriever for this CA issuer certificates retriever.

      This method allows you to provide a custom implementation of IAdvancedResourceRetriever to be used for fetching CA issuer certificates. By default, DefaultResourceRetriever is used.

      Parameters:
      resourceRetriever - the custom resource retriever to be used for fetching CA issuer certificates
      Returns:
      the current instance of IssuingCertificateRetriever

    • getResourceRetriever

      public IAdvancedResourceRetriever getResourceRetriever()
      Gets the resource retriever currently being used in this CA issuer certificates retriever.
      Returns:
      resource retriever

    • retrieveIssuerCertificate

      public List<X509Certificate> retrieveIssuerCertificate (Certificate certificate)
      Retrieve issuer certificate for the provided certificate.
      Parameters:
      certificate - Certificate for which issuer certificate shall be retrieved
      Returns:
      issuer certificate. null if there is no issuer certificate, or it cannot be retrieved.

    • retrieveOCSPResponderByNameCertificate

      public Set<Certificate> retrieveOCSPResponderByNameCertificate (IBasicOCSPResp ocspResp)
      Retrieves OCSP responder certificate candidates either from the response certs or trusted store in case responder certificate isn't found in /Certs.
      Parameters:
      ocspResp - basic OCSP response to get responder certificate for
      Returns:
      retrieved OCSP responder candidates or an empty set in case none were found.

    • getCrlIssuerCertificates

      public Certificate[] getCrlIssuerCertificates (CRL crl)
      Retrieves the certificate chain for the certificate that should be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.
      Specified by:
      getCrlIssuerCertificates in interface IIssuingCertificateRetriever
      Parameters:
      crl - CRL response to retrieve issuer for.
      Returns:
      certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

    • getCrlIssuerCertificatesByName

      public Certificate[][] getCrlIssuerCertificatesByName (CRL crl)
      Retrieves the certificate chaind for the certificates that could be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.
      Specified by:
      getCrlIssuerCertificatesByName in interface IIssuingCertificateRetriever
      Parameters:
      crl - CRL response to retrieve issuer for.
      Returns:
      certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

    • setTrustedCertificates

      public void setTrustedCertificates (Collection<Certificate> certificates)
      Sets trusted certificate list to be used as certificates trusted for any possible usage. In case more specific trusted is desired to be configured getTrustedCertificatesStore() method is expected to be used.
      Specified by:
      setTrustedCertificates in interface IIssuingCertificateRetriever
      Parameters:
      certificates - certificate list to be used as certificates trusted for any possible usage.

    • addTrustedCertificates

      public void addTrustedCertificates (Collection<Certificate> certificates)
      Add trusted certificates collection to trusted certificates storage.
      Parameters:
      certificates - certificates Collection to be added

    • addKnownCertificates

      public void addKnownCertificates (Collection<Certificate> certificates)
      Adds certificates collection to known certificates storage, which is used for issuer certificates retrieval.
      Parameters:
      certificates - certificates Collection to be added

    • addKnownCertificates

      public void addKnownCertificates (Collection<Certificate> certificates, CertificateOrigin dataOrigin)
      Adds certificates collection to known certificates storage, which is used for issuer certificates retrieval.

      Additionally, adds stores the provided origin for all these certificates.

      Parameters:
      certificates - certificates Collection to be added
      dataOrigin - RevocationDataOrigin from which these certificates come from

    • getCertificateOrigin

      public CertificateOrigin getCertificateOrigin (Certificate certificate)
      Gets certificate origin for provided Certificate.
      Parameters:
      certificate - Certificate for which origin is requested
      Returns:
      RevocationDataOrigin for the certificate

    • getTrustedCertificatesStore

      public TrustedCertificatesStore getTrustedCertificatesStore()
      Gets TrustedCertificatesStore to be used to provide more complex trusted certificates configuration.
      Returns:
      TrustedCertificatesStore storage

    • isCertificateTrusted

      public boolean isCertificateTrusted (Certificate certificate)
      Check if provided certificate is present in trusted certificates storage.
      Parameters:
      certificate - Certificate to be checked
      Returns:
      true if certificate is present in trusted certificates storage, false otherwise

    • getIssuerCertByURI

      protected InputStream getIssuerCertByURI (String uri) throws IOException
      Get CA issuers certificates represented as InputStream.
      Parameters:
      uri - URL URI, which is expected to be used to get issuer certificates from. Usually CA Issuers value from Authority Information Access (AIA) certificate extension.
      Returns:
      CA issuer certificate (or chain) bytes, represented as InputStream.
      Throws:
      IOException - if an I/O error occurs.

    • parseCertificates

      protected Collection<Certificate> parseCertificates (InputStream certsData) throws CertificateException
      Parses certificates represented as byte array.
      Parameters:
      certsData - stream which contains one or more X509 certificates.
      Returns:
      a (possibly empty) collection of the certificates read from the given byte array.
      Throws:
      CertificateException - if parsing error occurs.