Package com.itextpdf.text.pdf.security
Class OCSPVerifier
- java.lang.Object
  - com.itextpdf.text.pdf.security.CertificateVerifier
    - com.itextpdf.text.pdf.security.RootStoreVerifier
      - com.itextpdf.text.pdf.security.OCSPVerifier
public class OCSPVerifier extends RootStoreVerifier
Class that allows you to verify a certificate against one or more OCSP responses.
Field Summary
Fields (Modifier and Type, Field, Description):
- protected static java.lang.String id_kp_OCSPSigning
- protected static Logger LOGGER - The Logger instance
- protected java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps - The list of OCSP responses.
Fields inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier: rootStore
Fields inherited from class com.itextpdf.text.pdf.security.CertificateVerifier: onlineCheckingAllowed, verifier
Constructor Summary
Constructors (Constructor, Description):
- OCSPVerifier(CertificateVerifier verifier, java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps) - Creates an OCSPVerifier instance.
Method Summary
Methods (Modifier and Type, Method, Description):
- org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert) - Gets an OCSP response online and returns it if the status is GOOD (without further checking).
- boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.Certificate responderCert) - Checks if an OCSP response is genuine.
- void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert) - Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
- java.util.List<VerificationOK> verify(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate) - Verifies if a valid OCSP response is found for the certificate.
- boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate) - Verifies a certificate against a single OCSP response.
- boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert) - Deprecated.
Methods inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier: setRootStore
Methods inherited from class com.itextpdf.text.pdf.security.CertificateVerifier: setOnlineCheckingAllowed
Field Detail

LOGGER
protected static final Logger LOGGER
The Logger instance

id_kp_OCSPSigning
protected static final java.lang.String id_kp_OCSPSigning
- See Also: Constant Field Values

ocsps
protected java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps
The list of OCSP responses.
Constructor Detail

OCSPVerifier
public OCSPVerifier(CertificateVerifier verifier, java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)
Creates an OCSPVerifier instance.
- Parameters:
  - verifier - the next verifier in the chain
  - ocsps - a list of OCSP responses
Method Detail

verify
public java.util.List<VerificationOK> verify(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate) throws java.security.GeneralSecurityException, java.io.IOException
Verifies if a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.
- Overrides: verify in class RootStoreVerifier
- Parameters:
  - signCert - the certificate that needs to be checked
  - issuerCert - its issuer
  - signDate - the date the certificate needs to be valid
- Returns: a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
- Throws:
  - java.security.GeneralSecurityException
  - java.io.IOException
- See Also: RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

verify
public boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate) throws java.security.GeneralSecurityException, java.io.IOException
Verifies a certificate against a single OCSP response.
- Parameters:
  - ocspResp - the OCSP response
  - signCert - the certificate that needs to be checked
  - issuerCert - the certificate of the CA
  - signDate - sign date
- Returns: true if the check is successful, otherwise false.
- Throws:
  - java.security.GeneralSecurityException
  - java.io.IOException

isValidResponse
public void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert) throws java.security.GeneralSecurityException, java.io.IOException
Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
- Parameters:
  - ocspResp - the OCSP response
  - issuerCert - the issuer certificate
- Throws:
  - java.security.GeneralSecurityException
  - java.io.IOException

verifyResponse
@Deprecated public boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert)
Deprecated. Verifies if the response is valid. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert. NOTE. Use isValidResponse() instead.
- Parameters:
  - ocspResp - the response object
  - issuerCert - the issuer certificate
- Returns: true if the response can be trusted

isSignatureValid
public boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
Checks if an OCSP response is genuine.
- Parameters:
  - ocspResp - the OCSP response
  - responderCert - the responder certificate
- Returns: true if the OCSP response verifies against the responder certificate

getOcspResponse
public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert)
Gets an OCSP response online and returns it if the status is GOOD (without further checking).
- Parameters:
  - signCert - the signing certificate
  - issuerCert - the issuer certificate
- Returns: an OCSP response
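
Added example, not part of the iText documentation or code: a caller that treats an empty list from verify() as "could not be verified" rather than as proof of revocation, and limits the check to OCSP responses it already holds instead of relying on getOcspResponse(). Assumptions: OfflineOcspCheck, Outcome and check are hypothetical names; null is accepted as the next verifier in the chain; setRootStore takes a java.security.KeyStore; setOnlineCheckingAllowed(false) keeps verify() from fetching a response online.

```java
import com.itextpdf.text.pdf.security.OCSPVerifier;
import com.itextpdf.text.pdf.security.VerificationOK;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

/** Hypothetical helper (not part of iText): revocation check on supplied OCSP responses only. */
public final class OfflineOcspCheck {

    /** An empty list from verify() maps to UNKNOWN, never to "revoked". */
    public enum Outcome { VERIFIED, UNKNOWN, ERROR }

    public static Outcome check(X509Certificate signCert,
                                X509Certificate issuerCert,
                                Date signDate,
                                List<BasicOCSPResp> embeddedOcsps,
                                KeyStore trustedRoots) {
        // Assumption: null means "no next verifier in the chain".
        OCSPVerifier verifier = new OCSPVerifier(null, embeddedOcsps);
        // Trust anchors for responses that do not verify against the issuer
        // certificate or the certificates carried in the response.
        verifier.setRootStore(trustedRoots);
        // Assumption: with online checking off, only embeddedOcsps are consulted.
        verifier.setOnlineCheckingAllowed(false);
        try {
            List<VerificationOK> ok = verifier.verify(signCert, issuerCert, signDate);
            for (VerificationOK v : ok) {
                System.out.println(v); // record which verifier accepted the certificate
            }
            // Empty list: no usable OCSP response was available for signDate.
            return ok.isEmpty() ? Outcome.UNKNOWN : Outcome.VERIFIED;
        } catch (GeneralSecurityException | IOException e) {
            // Fail closed: a verification error is never reported as success.
            return Outcome.ERROR;
        }
    }
}
```

A caller that requires revocation evidence should reject both UNKNOWN and ERROR; only VERIFIED means a supplied response was accepted.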