Package com.itextpdf.text.pdf.security

Class OCSPVerifier

java.lang.Object

com.itextpdf.text.pdf.security.CertificateVerifier

com.itextpdf.text.pdf.security.RootStoreVerifier

com.itextpdf.text.pdf.security.OCSPVerifier

public class OCSPVerifier
extends RootStoreVerifier

Class that allows you to verify a certificate against one or more OCSP responses.

Field Summary

Fields

Modifier and Type	Field	Description
protected static java.lang.String	id_kp_OCSPSigning
protected static Logger	LOGGER	The Logger instance
protected java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp>	ocsps	The list of OCSP responses.

Fields inherited from class com.itextpdf.text.pdf.security.CertificateVerifier

onlineCheckingAllowed, verifier

Fields inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier

rootStore

Constructor Summary

Constructors

Constructor	Description
OCSPVerifier(CertificateVerifier verifier, java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)	Creates an OCSPVerifier instance.

Method Summary

Modifier and Type	Method	Description
org.bouncycastle.cert.ocsp.BasicOCSPResp	getOcspResponse(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert)	Gets an OCSP response online and returns it if the status is GOOD (without further checking).
boolean	isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)	Checks if an OCSP response is genuine
void	isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert)	Verifies if an OCSP response is genuine If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
java.util.List<VerificationOK>	verify(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)	Verifies if a a valid OCSP response is found for the certificate.
boolean	verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)	Verifies a certificate against a single OCSP response
boolean	verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert)	Deprecated.

Methods inherited from class com.itextpdf.text.pdf.security.CertificateVerifier

setOnlineCheckingAllowed

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier

setRootStore

Field Detail

LOGGER

protected static final Logger LOGGER

The Logger instance

id_kp_OCSPSigning

protected static final java.lang.String id_kp_OCSPSigning

See Also:

Constant Field Values

ocsps

protected java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps

The list of OCSP responses.

Constructor Detail

OCSPVerifier

public OCSPVerifier(CertificateVerifier verifier,
                    java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)

Creates an OCSPVerifier instance.

Parameters:

verifier - the next verifier in the chain

ocsps - a list of OCSP responses

Method Detail

verify

public java.util.List<VerificationOK> verify(java.security.cert.X509Certificate signCert,
                                             java.security.cert.X509Certificate issuerCert,
                                             java.util.Date signDate)
                                      throws java.security.GeneralSecurityException,
                                             java.io.IOException

Verifies if a a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.

Overrides:

verify in class RootStoreVerifier

Parameters:

signCert - the certificate that needs to be checked

issuerCert - its issuer

signDate - the date the certificate needs to be valid

Returns:

a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Throws:

java.security.GeneralSecurityException

java.io.IOException

See Also:

RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

verify

public boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                      java.security.cert.X509Certificate signCert,
                      java.security.cert.X509Certificate issuerCert,
                      java.util.Date signDate)
               throws java.security.GeneralSecurityException,
                      java.io.IOException

Verifies a certificate against a single OCSP response

Parameters:

ocspResp - the OCSP response

signCert - the certificate that needs to be checked

issuerCert - the certificate of CA

signDate - sign date

Returns:

true, in case successful check, otherwise false.

Throws:

java.security.GeneralSecurityException

java.io.IOException

isValidResponse

public void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                            java.security.cert.X509Certificate issuerCert)
                     throws java.security.GeneralSecurityException,
                            java.io.IOException

Verifies if an OCSP response is genuine If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.

Parameters:

ocspResp - the OCSP response

issuerCert - the issuer certificate

Throws:

java.security.GeneralSecurityException

java.io.IOException

verifyResponse

@Deprecated
public boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                              java.security.cert.X509Certificate issuerCert)

Deprecated.

Verifies if the response is valid. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert. NOTE. Use isValidResponse() instead.

Parameters:

ocspResp - the response object

issuerCert - the issuer certificate

Returns:

true if the response can be trusted

isSignatureValid

public boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                                java.security.cert.Certificate responderCert)

Checks if an OCSP response is genuine

Parameters:

ocspResp - the OCSP response

responderCert - the responder certificate

Returns:

true if the OCSP response verifies against the responder certificate

getOcspResponse

public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(java.security.cert.X509Certificate signCert,
                                                                java.security.cert.X509Certificate issuerCert)

Gets an OCSP response online and returns it if the status is GOOD (without further checking).

Parameters:

signCert - the signing certificate

issuerCert - the issuer certificate

Returns:

an OCSP response