Class RevocationDataVerifier

java.lang.Object
eu.europa.esig.dss.spi.validation.RevocationDataVerifier

public class RevocationDataVerifier extends Object
This class verifies whether revocation data is acceptable for the subsequent validation process, whether the revocation data has been extracted from a document or obtained from an online source. The class verifies the consistency of the given revocation information and the applicability of the cryptographic constraints to the algorithms used to create the token. NOTE: It is not recommended to use a single instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during execution in multi-threaded environments. Please use a new RevocationDataVerifier for each CertificateVerifier.
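The following added example (not part of the DSS documentation or source) builds a fresh, explicitly configured RevocationDataVerifier for each CertificateVerifier, using the setters documented below. The class name, the key-length values, and the wiring through `CommonCertificateVerifier.setRevocationDataVerifier` (DSS 6.1+ package layout) are assumptions that do not appear on this page.

```java
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.spi.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.spi.validation.RevocationDataVerifier;

import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.Map;

// Hypothetical helper class, added for illustration.
public class StrictRevocationConfig {

    /** Builds a new verifier on every call; the result is never cached or shared. */
    static RevocationDataVerifier newStrictRevocationDataVerifier() {
        // Start empty so that every accepted algorithm is an explicit decision.
        RevocationDataVerifier verifier = RevocationDataVerifier.createEmptyRevocationDataVerifier();

        // CRLs and OCSP responses signed with any other digest are skipped.
        verifier.setAcceptableDigestAlgorithms(Arrays.asList(
                DigestAlgorithm.SHA256, DigestAlgorithm.SHA384, DigestAlgorithm.SHA512));

        // Sample minimum key sizes (illustrative values, not the DSS defaults).
        Map<EncryptionAlgorithm, Integer> minKeyLengths = new EnumMap<>(EncryptionAlgorithm.class);
        minKeyLengths.put(EncryptionAlgorithm.RSA, 3000);
        minKeyLengths.put(EncryptionAlgorithm.ECDSA, 256);
        verifier.setAcceptableEncryptionAlgorithmKeyLength(minKeyLengths);

        // Only ocsp_noCheck exempts a certificate from revocation checking here.
        verifier.setRevocationSkipCertificateExtensions(
                Collections.singletonList("1.3.6.1.5.5.7.48.1.5"));
        verifier.setRevocationSkipCertificatePolicies(Collections.emptyList());

        // 0 ms: revocation data must be issued after the reference time.
        verifier.setSignatureMaximumRevocationFreshness(0L);
        verifier.setTimestampMaximumRevocationFreshness(0L);
        verifier.setRevocationMaximumRevocationFreshness(0L);
        // Fallback that only applies if a freshness constraint is later set to null.
        verifier.setCheckRevocationFreshnessNextUpdate(true);

        // Fail closed when a TSA or CRL/OCSP signer certificate has no revocation data.
        verifier.setAcceptTimestampCertificatesWithoutRevocation(false);
        verifier.setAcceptRevocationCertificatesWithoutRevocation(false);
        return verifier;
    }

    /** One CertificateVerifier, one dedicated RevocationDataVerifier. */
    static CommonCertificateVerifier newCertificateVerifier() {
        CommonCertificateVerifier certificateVerifier = new CommonCertificateVerifier();
        // Assumption: setter available on CommonCertificateVerifier in this DSS version.
        certificateVerifier.setRevocationDataVerifier(newStrictRevocationDataVerifier());
        return certificateVerifier;
    }
}
```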
  • Constructor Details

    • RevocationDataVerifier

      protected RevocationDataVerifier()
      Default constructor
  • Method Details

    • createEmptyRevocationDataVerifier

      public static RevocationDataVerifier createEmptyRevocationDataVerifier()
      Creates an empty instance of RevocationDataVerifier. All constraints should be configured manually.
      Returns:
      RevocationDataVerifier
    • createDefaultRevocationDataVerifier

      public static RevocationDataVerifier createDefaultRevocationDataVerifier()
      This method is used to instantiate a new RevocationDataVerifier, using the default validation constraints (synchronized with default validation policy).
      Returns:
      RevocationDataVerifier
    • getProcessedRevocations

      @Deprecated protected Collection<RevocationToken<?>> getProcessedRevocations()
      Deprecated.
      since DSS 6.3. Please use validationContext instead.
      Gets a collection of processed revocations, when present. This method is used internally during a eu.europa.esig.dss.validation.SignatureValidationContext execution, to verify the presence of the collection of processed revocation data.
      Returns:
      a collection of RevocationTokens
    • setProcessedRevocations

      @Deprecated protected void setProcessedRevocations(Collection<RevocationToken<?>> processedRevocations)
      Deprecated.
      since DSS 6.3. Please provide revocation data within validationContext instead.
      This method sets a collection of processed revocation tokens, for validation of a timestamp's certificate chain. Note: This method is used internally during a eu.europa.esig.dss.validation.SignatureValidationContext initialization, in order to provide the same revocation data as the one used within the certificate validation process.
      Parameters:
      processedRevocations - a collection of RevocationTokens
    • setAcceptableDigestAlgorithms

      public void setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> acceptableDigestAlgorithms)
      Sets a collection of Digest Algorithms for acceptance. If a revocation token is signed with an algorithm other than those listed in the collection, the token will be skipped. Default: collection of algorithms is synchronized with ETSI 119 312 V1.4.2
      Parameters:
      acceptableDigestAlgorithms - a collection of DigestAlgorithms
    • setAcceptableEncryptionAlgorithmKeyLength

      public void setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm,Integer> acceptableEncryptionAlgorithmKeyLength)
      Sets a map of acceptable Encryption Algorithms and their corresponding minimal key length values. If a revocation token is signed with an algorithm other than those listed in the map, or with a smaller key size, then the token will be skipped. Default: collection of algorithms is synchronized with ETSI 119 312 V1.4.2
      Parameters:
      acceptableEncryptionAlgorithmKeyLength - a map of EncryptionAlgorithms and their corresponding minimal supported key lengths
    • setRevocationSkipCertificateExtensions

      public void setRevocationSkipCertificateExtensions(Collection<String> revocationSkipCertificateExtensions)
      Sets a collection of certificate extension OIDs indicating that the revocation check shall be skipped for the given certificate. Default: valassured-ST-certs (OID: "0.4.0.194121.2.1") and ocsp_noCheck (OID: "1.3.6.1.5.5.7.48.1.5") (extracted from validation policy)
      Parameters:
      revocationSkipCertificateExtensions - a collection of String certificate extension OIDs
    • setRevocationSkipCertificatePolicies

      public void setRevocationSkipCertificatePolicies(Collection<String> revocationSkipCertificatePolicies)
      Sets a collection of certificate policy OIDs indicating that the revocation check shall be skipped for the given certificate. Default: empty list (extracted from validation policy)
      Parameters:
      revocationSkipCertificatePolicies - a collection of String certificate policy OIDs
    • setSignatureMaximumRevocationFreshness

      public void setSignatureMaximumRevocationFreshness(Long signatureMaximumRevocationFreshness)
      Sets the maximum accepted freshness for revocation data issued for the signature's certificate chain certificates. NULL value is used to disable the check. Default: 0 (revocation data shall be issued after the best-signature-time)
      Parameters:
      signatureMaximumRevocationFreshness - Long in milliseconds to evaluate revocation freshness
    • setTimestampMaximumRevocationFreshness

      public void setTimestampMaximumRevocationFreshness(Long timestampMaximumRevocationFreshness)
      Sets the maximum accepted freshness for revocation data issued for the time-stamp's certificate chain certificates. NULL value is used to disable the check. Default: 0 (revocation data shall be issued after the time-stamp's lowest POE). Note: the algorithm always ensures that there is revocation data issued after the usage time of the time-stamp's certificate.
      Parameters:
      timestampMaximumRevocationFreshness - Long in milliseconds
    • setRevocationMaximumRevocationFreshness

      public void setRevocationMaximumRevocationFreshness(Long revocationMaximumRevocationFreshness)
      Sets the maximum accepted freshness for revocation data issued for the revocation data's certificate chain certificates (CRL or OCSP). NULL value is used to disable the check. Default: 0 (revocation data shall be issued after the best-signature-time). Note: the signature or timestamp constraint takes precedence in case of conflict.
      Parameters:
      revocationMaximumRevocationFreshness - Long in milliseconds
    • setCheckRevocationFreshnessNextUpdate

      public void setCheckRevocationFreshnessNextUpdate(boolean checkRevocationFreshnessNextUpdate)
      Sets whether the difference between the revocation's nextUpdate and thisUpdate fields shall be taken as the maximum acceptable revocation freshness when no maximum revocation freshness constraint is defined for the given context. Default: FALSE (no revocation freshness check is performed when maximum revocation freshness is not defined)
      Parameters:
      checkRevocationFreshnessNextUpdate - whether revocation freshness should be checked against nextUpdate field
    • setAcceptTimestampCertificatesWithoutRevocation

      public void setAcceptTimestampCertificatesWithoutRevocation(boolean acceptTimestampCertificatesWithoutRevocation)
      This method sets whether a timestamp certificate without valid revocation data should be accepted by the verifier
      Parameters:
      acceptTimestampCertificatesWithoutRevocation - whether a timestamp certificate without revocation data should be accepted
    • setAcceptRevocationCertificatesWithoutRevocation

      public void setAcceptRevocationCertificatesWithoutRevocation(boolean acceptRevocationCertificatesWithoutRevocation)
      This method sets whether a revocation certificate without valid revocation data should be accepted by the verifier
      Parameters:
      acceptRevocationCertificatesWithoutRevocation - whether a revocation certificate without revocation data should be accepted
    • getTrustAnchorVerifier

      public TrustAnchorVerifier getTrustAnchorVerifier()
      Gets a trust anchor verifier. This method is used internally within eu.europa.esig.dss.validation.SignatureValidationContext to identify whether the configuration is already present and a trustAnchorVerifier should be set.
      Returns:
      TrustAnchorVerifier
    • setTrustAnchorVerifier

      public void setTrustAnchorVerifier(TrustAnchorVerifier trustAnchorVerifier)
      Sets the TrustAnchorVerifier used to determine whether a certificate token can be considered a trust anchor at the given control time. Note: This method is used internally during a eu.europa.esig.dss.validation.SignatureValidationContext initialization, when not defined explicitly, in order to provide the same configuration as the one used within a eu.europa.esig.dss.validation.CertificateVerifier.
      Parameters:
      trustAnchorVerifier - TrustAnchorVerifier
    • setValidationContext

      protected void setValidationContext(ValidationContext validationContext)
      Sets validation context for certificates validation
      Parameters:
      validationContext - ValidationContext
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken)
      This method verifies the validity of the given RevocationToken using the embedded issuer certificate token at the current time
      Parameters:
      revocationToken - RevocationToken
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken, Date controlTime)
      This method verifies the validity of the given RevocationToken at the given controlTime using the embedded issuer certificate token
      Parameters:
      revocationToken - RevocationToken
      controlTime - Date
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken)
      This method verifies the validity of the given RevocationToken at the current time
      Parameters:
      revocationToken - RevocationToken
      issuerCertificateToken - CertificateToken that issued the current revocation
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken, Date controlTime)
      This method verifies the validity of the given RevocationToken at controlTime
      Parameters:
      revocationToken - RevocationToken
      issuerCertificateToken - CertificateToken that issued the current revocation
      controlTime - Date
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isAcceptable

      public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken, List<CertificateToken> certificateChain, Date controlTime)
      This method verifies the validity of the given RevocationToken at controlTime
      Parameters:
      revocationToken - RevocationToken
      issuerCertificateToken - CertificateToken that issued the current revocation
      certificateChain - a list of CertificateTokens, representing a certificate chain of the issuer
      controlTime - Date
      Returns:
      TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise
    • isRevocationTokenValid

      protected boolean isRevocationTokenValid(RevocationToken<?> revocationToken)
      Verifies whether the revocation token is cryptographically valid
      Parameters:
      revocationToken - RevocationToken to be verified
      Returns:
      TRUE if the revocation token is valid, FALSE otherwise
    • isRevocationDataComplete

      protected boolean isRevocationDataComplete(RevocationToken<?> revocationToken)
      Verifies whether the revocation token contains all required data
      Parameters:
      revocationToken - RevocationToken to be verified
      Returns:
      TRUE if the revocation token is complete, FALSE otherwise
    • isGoodIssuer

      protected boolean isGoodIssuer(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken, Date controlTime)
      Verifies the validity of the issuerCertificateToken of the revocationToken
      Parameters:
      revocationToken - RevocationToken the concerned revocation token
      issuerCertificateToken - CertificateToken that issued the revocation token
      controlTime - Date validation time
      Returns:
      TRUE if the issuer certificate token is valid at the control time, FALSE otherwise
    • isConsistent

      protected boolean isConsistent(RevocationToken<?> revocation)
      Verifies whether the revocation token is consistent
      Parameters:
      revocation - RevocationToken to be verified
      Returns:
      TRUE if the revocation token is consistent, FALSE otherwise
    • isAcceptableSignatureAlgorithm

      protected boolean isAcceptableSignatureAlgorithm(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken)
      Verifies whether the signature algorithm used on revocation data creation is still valid according to the specified cryptographic constraints.
      Parameters:
      revocationToken - RevocationToken to be verified
      issuerCertificateToken - CertificateToken that issued the revocation token
      Returns:
      TRUE if the signature algorithm used on revocation token creation is acceptable, FALSE otherwise
    • isRevocationDataSkip

      public boolean isRevocationDataSkip(CertificateToken certificateToken)
      Checks and returns whether the revocation check shall be skipped for the given certificate at the current time
      Parameters:
      certificateToken - CertificateToken to check
      Returns:
      TRUE if the revocation check shall be skipped, FALSE otherwise
    • isRevocationDataSkip

      public boolean isRevocationDataSkip(CertificateToken certificateToken, Date controlTime)
      Checks and returns whether the revocation check shall be skipped for the given certificate at the controlTime
      Parameters:
      certificateToken - CertificateToken to check
      controlTime - Date the validation time
      Returns:
      TRUE if the revocation check shall be skipped, FALSE otherwise
    • isTrustedAtTime

      protected boolean isTrustedAtTime(CertificateToken certificateToken, Date controlTime)
      This method verifies whether the certificateToken is trusted at controlTime
      Parameters:
      certificateToken - CertificateToken to check
      controlTime - Date the validation time
      Returns:
      TRUE if the certificate is trusted at the given time, FALSE otherwise
    • isRevocationDataFresh

      public boolean isRevocationDataFresh(RevocationToken<?> revocationToken, Date validationTime, Context context)
      This method verifies whether the revocationToken considered within context is fresh enough relative to the given validationTime
      Parameters:
      revocationToken - RevocationToken to be validated
      validationTime - Date the target time after which revocation token is expected to be refreshed
      context - Context of the current revocation token's validation process
      Returns:
      TRUE if the revocation token is considered fresh enough, FALSE otherwise
    • isRevocationThisUpdateAfterValidationTime

      protected boolean isRevocationThisUpdateAfterValidationTime(RevocationToken<?> revocationToken, Date validationTime, long maximumRevocationFreshness)
      This method verifies whether the revocation's thisUpdate time is after the validationTime minus the acceptable maximumRevocationFreshness
      Parameters:
      revocationToken - RevocationToken to be validated
      validationTime - Date
      maximumRevocationFreshness - long
      Returns:
      TRUE if the revocation's thisUpdate is after the validation time minus the maximum acceptable revocation freshness, FALSE otherwise
    • isRevocationThisUpdateAfterValidationTimeNullConstraint

      protected boolean isRevocationThisUpdateAfterValidationTimeNullConstraint(RevocationToken<?> revocationToken, Date validationTime)
      This method verifies whether the revocation's thisUpdate time is after the validationTime minus the difference between nextUpdate and thisUpdate field values
      Parameters:
      revocationToken - RevocationToken to be validated
      validationTime - Date
      Returns:
      TRUE if the revocation freshness check succeeds against revocation's nextUpdate, FALSE otherwise
    • checkCertificateNotRevoked

      public boolean checkCertificateNotRevoked(RevocationToken<?> revocationToken, Date controlTime)
      This method verifies whether a certificate was not revoked at controlTime
      Parameters:
      revocationToken - RevocationToken to check
      controlTime - Date time to check at
      Returns:
      TRUE if the certificate was not revoked at control time, FALSE otherwise
    • isAfterThisUpdateAndBeforeNextUpdate

      public boolean isAfterThisUpdateAndBeforeNextUpdate(RevocationToken<?> revocationToken, Date date)
      Verifies whether the given date (control time) is within the revocation data's thisUpdate and nextUpdate times
      Parameters:
      revocationToken - RevocationToken to validate
      date - Date validation time
      Returns:
      TRUE if the control time is within thisUpdate and nextUpdate times, FALSE otherwise
    • isCertificateChainValid

      public boolean isCertificateChainValid(List<CertificateToken> certificateTokenChain, Date controlTime, Context context)
      This method verifies whether the certificate chain is valid at control time
      Parameters:
      certificateTokenChain - a list of CertificateTokens
      controlTime - Date validation time
      context - Context validation context
      Returns:
      TRUE if the certificate chain is valid at control time, FALSE otherwise
    • isCertificateValid

      @Deprecated protected boolean isCertificateValid(CertificateToken certificateToken, Date controlTime)
      Deprecated.
      since DSS 6.3. Please use #isCertificateValid(certificateToken, certificateChain, controlTime) instead.
      Verifies if the certificate is valid
      Parameters:
      certificateToken - CertificateToken
      controlTime - Date
      Returns:
      TRUE if the certificate token is valid, FALSE otherwise
    • isCertificateValid

      protected boolean isCertificateValid(CertificateToken certificateToken, Collection<CertificateToken> certificateChain, Date controlTime)
      Verifies if the certificate is valid
      Parameters:
      certificateToken - CertificateToken
      certificateChain - collection of CertificateTokens
      controlTime - Date
      Returns:
      TRUE if the certificate token is valid, FALSE otherwise
    • isCertificateNotRevoked

      @Deprecated protected boolean isCertificateNotRevoked(CertificateToken certificateToken, Date controlTime)
      Deprecated.
      since DSS 6.3. Please use #isCertificateNotRevoked(certificateToken, certificateChain, controlTime) instead.
      This method verifies whether a certificate token is not revoked at control time
      Parameters:
      certificateToken - CertificateToken to be validated
      controlTime - Date validation time
      Returns:
      TRUE if the certificate token is valid at control time, FALSE otherwise
    • isCertificateNotRevoked

      protected boolean isCertificateNotRevoked(CertificateToken certificateToken, Collection<CertificateToken> certificateChain, Date controlTime)
      This method verifies whether a certificate token is not revoked at control time
      Parameters:
      certificateToken - CertificateToken to be validated
      certificateChain - collection of CertificateTokens
      controlTime - Date validation time
      Returns:
      TRUE if the certificate token is valid at control time, FALSE otherwise
    • isSelfIssuedRevocation

      protected boolean isSelfIssuedRevocation(CertificateToken certificateToken, RevocationToken<?> revocationData)
      Verifies whether the certificate being verified occurs in the revocation's issuer certificate chain (that is, whether the revocation is self-issued)
      Parameters:
      certificateToken - CertificateToken to be verified
      revocationData - RevocationToken
      Returns:
      TRUE if the certificate occurs in the revocation's certificate chain, FALSE otherwise
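
The freshness rules described for isRevocationThisUpdateAfterValidationTime, isRevocationThisUpdateAfterValidationTimeNullConstraint and setCheckRevocationFreshnessNextUpdate can be modelled in plain Java as below. This is an added illustration, not the DSS source code: the class and method names are hypothetical, the timestamps are constructed, and the strict "after" comparison and the handling of a missing nextUpdate are assumptions.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical stand-alone model of the documented freshness rules.
public class RevocationFreshnessModel {

    /**
     * @param maxFreshnessMillis the configured constraint; null means none is defined
     * @param checkNextUpdate    mirrors checkRevocationFreshnessNextUpdate
     */
    static boolean isFresh(Instant thisUpdate, Instant nextUpdate, Instant validationTime,
                           Long maxFreshnessMillis, boolean checkNextUpdate) {
        if (maxFreshnessMillis != null) {
            // thisUpdate must be after (validationTime - maximum freshness).
            return thisUpdate.isAfter(validationTime.minusMillis(maxFreshnessMillis));
        }
        if (!checkNextUpdate) {
            // Documented default: no freshness check without a constraint.
            return true;
        }
        if (nextUpdate == null) {
            // Assumption: without nextUpdate, freshness cannot be demonstrated.
            return false;
        }
        // The issuer's own update interval serves as the freshness window.
        Duration window = Duration.between(thisUpdate, nextUpdate);
        return thisUpdate.isAfter(validationTime.minus(window));
    }

    public static void main(String[] args) {
        // Constructed sample: a CRL issued 6 hours before the validation time,
        // with a 24-hour update interval.
        Instant validationTime = Instant.parse("2024-05-10T12:00:00Z");
        Instant thisUpdate = Instant.parse("2024-05-10T06:00:00Z");
        Instant nextUpdate = Instant.parse("2024-05-11T06:00:00Z");
        long twelveHours = Duration.ofHours(12).toMillis();

        System.out.println("constraint 0 ms:       "
                + isFresh(thisUpdate, nextUpdate, validationTime, 0L, false));
        System.out.println("constraint 12 h:       "
                + isFresh(thisUpdate, nextUpdate, validationTime, twelveHours, false));
        System.out.println("null, no fallback:     "
                + isFresh(thisUpdate, nextUpdate, validationTime, null, false));
        System.out.println("null, nextUpdate rule: "
                + isFresh(thisUpdate, nextUpdate, validationTime, null, true));

        // Constructed stale CRL: issued two days earlier, same 24-hour interval.
        Instant staleThisUpdate = Instant.parse("2024-05-08T06:00:00Z");
        Instant staleNextUpdate = Instant.parse("2024-05-09T06:00:00Z");
        System.out.println("stale, nextUpdate rule: "
                + isFresh(staleThisUpdate, staleNextUpdate, validationTime, null, true));
    }
}
```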