Package se.swedenconnect.sigval.cert.chain.impl

Class StatusCheckingCertificateValidatorImpl

java.lang.Object

se.swedenconnect.sigval.cert.chain.impl.StatusCheckingCertificateValidatorImpl

All Implemented Interfaces:

se.idsec.signservice.security.certificate.CertificateValidator, CertificatePathValidatorFactory

public class StatusCheckingCertificateValidatorImpl
extends Object
implements se.idsec.signservice.security.certificate.CertificateValidator, CertificatePathValidatorFactory

This is an implementation of the Certificate validator interface CertificateValidator in the sign service commons library. An instance of this interface can perform any number of validations based on validation data input. This implementation uses an implementation of the Runnable AbstractPathValidator class to perform path validation. Because the AbstractPathValidator is runnable that can be executed in a separate thread, it must be instantiated for every instance of validation. Because this class creates a new CertificatePathValidator for each instance of path validation, a Factory class is configured that provides instances of an implementation of the AbstractPathValidator. A default implementation of this factory is included here but this can be replaced by a setter. If you need to run path validation in an isolated thread as a runnable object, then use the CertificatePathValidator class directly instead of using this interface implementation.

Constructor Summary

Constructors

Constructor	Description
StatusCheckingCertificateValidatorImpl(CRLCache crlCache, CertStore certStore, X509Certificate... defaultTrustAnchors)	Constructor for the CertificateValidator implementations

Method Summary

Modifier and Type	Method	Description
List<X509Certificate>	getDefaultTrustAnchors()
AbstractPathValidator	getPathValidator(X509Certificate targetCert, List<X509Certificate> chain, List<TrustAnchor> trustAnchors, CertStore certStore, CRLCache crlCache)
boolean	isRevocationCheckingActive()
PathValidationResult	validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates)	Validate a certificate using default trust anchors
PathValidationResult	validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls)	Validate a certificate using default trust anchors
PathValidationResult	validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls, List<X509Certificate> trustAnchors)	Validate a certificate using default trust anchors

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

StatusCheckingCertificateValidatorImpl

public StatusCheckingCertificateValidatorImpl(CRLCache crlCache,
 CertStore certStore,
 X509Certificate... defaultTrustAnchors)

Constructor for the CertificateValidator implementations

Parameters:

crlCache - The CRLCache used to support CRL status checking

certStore - Optional cert store (mey be null) providing intermediary certificates

defaultTrustAnchors - Optional default trust anchors used to validate certificate paths

Method Details

validate

public PathValidationResult validate(X509Certificate subjectCertificate,
 List<X509Certificate> additionalCertificates,
 List<X509CRL> crls)
                              throws CertPathBuilderException,
CertPathValidatorException,
GeneralSecurityException

Validate a certificate using default trust anchors

This implementation does not support CRL input. the CRL input MUST be null or an empty list

Specified by:

validate in interface se.idsec.signservice.security.certificate.CertificateValidator

Parameters:

subjectCertificate - The certificate to validate

additionalCertificates - Supporting certificates used to construct a path to trusted certificates

crls - Certificate revocation lists. This MUST be null or an empty list.

Returns:

Result of certificate path building PathValidationResult

Throws:

CertPathBuilderException - if certificate path building fails

ExtendedCertPathValidatorException - if certificate validation fails

GeneralSecurityException - never thrown but required by interface

CertPathValidatorException

validate

public PathValidationResult validate(X509Certificate subjectCertificate,
 List<X509Certificate> additionalCertificates,
 List<X509CRL> crls,
 List<X509Certificate> trustAnchors)
                              throws CertPathBuilderException,
CertPathValidatorException,
GeneralSecurityException

Validate a certificate using default trust anchors

This implementation does not support CRL input. the CRL input MUST be null or an empty list

Specified by:

validate in interface se.idsec.signservice.security.certificate.CertificateValidator

Parameters:

subjectCertificate - The certificate to validate

additionalCertificates - Supporting certificates used to construct a path to trusted certificates

crls - Certificate revocation lists. This MUST be null or an empty list

trustAnchors - Trust anchors provided in addition to the default trust anchors

Returns:

Path validation result

Throws:

CertPathBuilderException - if certificate path building fails

ExtendedCertPathValidatorException - if certificate validation fails

GeneralSecurityException - never thrown but required by interface

CertPathValidatorException

validate

public PathValidationResult validate(X509Certificate subjectCertificate,
 List<X509Certificate> additionalCertificates)
                              throws CertPathBuilderException,
CertPathValidatorException,
GeneralSecurityException

Validate a certificate using default trust anchors

Parameters:

subjectCertificate - The certificate to validate

additionalCertificates - Supporting certificates used to construct a path to trusted certificates

Returns:

Result of certificate path building PathValidationResult

Throws:

CertPathBuilderException - if certificate path building fails

ExtendedCertPathValidatorException - if certificate validation fails

GeneralSecurityException - never thrown but required by interface

CertPathValidatorException

getPathValidator

public AbstractPathValidator getPathValidator(X509Certificate targetCert,
 List<X509Certificate> chain,
 List<TrustAnchor> trustAnchors,
 CertStore certStore,
 CRLCache crlCache)

Specified by:

getPathValidator in interface CertificatePathValidatorFactory

isRevocationCheckingActive

public boolean isRevocationCheckingActive()

Specified by:

isRevocationCheckingActive in interface se.idsec.signservice.security.certificate.CertificateValidator

getDefaultTrustAnchors

public List<X509Certificate> getDefaultTrustAnchors()

Specified by:

getDefaultTrustAnchors in interface se.idsec.signservice.security.certificate.CertificateValidator