Package com.itextpdf.signatures

Class OCSPVerifier

java.lang.Object

com.itextpdf.signatures.CertificateVerifier

com.itextpdf.signatures.RootStoreVerifier

com.itextpdf.signatures.OCSPVerifier

       public class OCSPVerifier extends RootStoreVerifier
      

Class that allows you to verify a certificate against one or more OCSP responses.

Field Summary

Fields

Modifier and Type	Field	Description
protected static final String	id_kp_OCSPSigning
protected static final org.slf4j.Logger	LOGGER	The Logger instance
protected List<IBasicOCSPResp>	ocsps	The list of IBasicOCSPResp OCSP response wrappers.

Fields inherited from class com.itextpdf.signatures.RootStoreVerifier

rootStore

Fields inherited from class com.itextpdf.signatures.CertificateVerifier

onlineCheckingAllowed, verifier

Constructor Summary

Constructors

Constructor	Description
OCSPVerifier(CertificateVerifier verifier, List<IBasicOCSPResp> ocsps)	Creates an OCSPVerifier instance.

Method Summary

Modifier and Type	Method	Description
IBasicOCSPResp	getOcspResponse(X509Certificate signCert, X509Certificate issuerCert)	Gets an OCSP response online and returns it without further checking.
boolean	isSignatureValid(IBasicOCSPResp ocspResp, Certificate responderCert)	Checks if an OCSP response is genuine.
void	isValidResponse(IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate)	Verifies if an OCSP response is genuine.
void	setCrlClient(ICrlClient crlClient)	Sets CRL client to provide CRL responses for verifying of the OCSP signer's certificate (an Authorized Responder) that also should be used in case responder's certificate doesn't have any method of revocation checking.
void	setOcspClient(IOcspClient ocspClient)	Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder).
boolean	verify(IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate)	Verifies a certificate against a single OCSP response.
List<VerificationOK>	verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate)	Verifies if a valid OCSP response is found for the certificate.

Methods inherited from class com.itextpdf.signatures.RootStoreVerifier

setRootStore

Methods inherited from class com.itextpdf.signatures.CertificateVerifier

setOnlineCheckingAllowed

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOGGER

             protected static final org.slf4j.Logger LOGGER
            

The Logger instance

id_kp_OCSPSigning

             protected static final String id_kp_OCSPSigning
            

See Also:

• Constant Field Values

ocsps

             protected List<IBasicOCSPResp> ocsps
            

The list of IBasicOCSPResp OCSP response wrappers.

Constructor Details

OCSPVerifier

             public OCSPVerifier
             (CertificateVerifier verifier, List<IBasicOCSPResp> ocsps)
            

Creates an OCSPVerifier instance.

Parameters:

verifier - the next verifier in the chain

ocsps - a list of IBasicOCSPResp OCSP response wrappers for the certificate verification

Method Details

setOcspClient

             public void setOcspClient
             (IOcspClient ocspClient)
            

Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder). Also, should be used in case responder's certificate doesn't have any method of revocation checking.

See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.

Optional. Default one is OcspClientBouncyCastle.

Parameters:

ocspClient - IOcspClient to provide an Authorized Responder revocation data.

setCrlClient

             public void setCrlClient
             (ICrlClient crlClient)
            

Sets CRL client to provide CRL responses for verifying of the OCSP signer's certificate (an Authorized Responder) that also should be used in case responder's certificate doesn't have any method of revocation checking.

See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.

Optional. Default one is CrlClientOnline.

Parameters:

crlClient - ICrlClient to provide an Authorized Responder revocation data.

verify

             public List<VerificationOK> verify
             (X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
            

Verifies if a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.

Overrides:

verify in class RootStoreVerifier

Parameters:

signCert - the certificate that needs to be checked

issuerCert - issuer of the certificate to be checked

signDate - the date the certificate needs to be valid

Returns:

a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Throws:

GeneralSecurityException - thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown in Certificate#verify.

See Also:

• RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

verify

             public boolean verify
             (IBasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
            

Verifies a certificate against a single OCSP response.

Parameters:

ocspResp - IBasicOCSPResp the OCSP response wrapper for a certificate verification

signCert - the certificate that needs to be checked

issuerCert - the certificate that issued signCert – immediate parent. This certificate is considered trusted and valid by this method.

signDate - sign date (or the date the certificate needs to be valid)

Returns:

true in case check is successful, false otherwise.

Throws:

GeneralSecurityException - if OCSP response verification cannot be done or failed.

isValidResponse

             public void isValidResponse
             (IBasicOCSPResp ocspResp, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException
            

Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.

Parameters:

ocspResp - IBasicOCSPResp the OCSP response wrapper

issuerCert - the issuer certificate. This certificate is considered trusted and valid by this method.

signDate - sign date for backwards compatibility

Throws:

GeneralSecurityException - if OCSP response verification cannot be done or failed.

isSignatureValid

             public boolean isSignatureValid
             (IBasicOCSPResp ocspResp, Certificate responderCert)
            

Checks if an OCSP response is genuine.

Parameters:

ocspResp - IBasicOCSPResp the OCSP response wrapper

responderCert - the responder certificate

Returns:

true if the OCSP response verifies against the responder certificate.

getOcspResponse

             public IBasicOCSPResp getOcspResponse
             (X509Certificate signCert, X509Certificate issuerCert)
            

Gets an OCSP response online and returns it without further checking.

Parameters:

signCert - the signing certificate

issuerCert - the issuer certificate

Returns:

IBasicOCSPResp an OCSP response wrapper.