Class SimpleCertificateValidator
java.lang.Object
se.idsec.signservice.security.certificate.impl.SimpleCertificateValidator
- All Implemented Interfaces:
CertificateValidator
A simple validator that does not perform revocation checking and only relies upon the supplied certificates when
building the chain.
Note: If no trust anchors are defined, the path root must be available as the last element of the
additionalCertificates parameter. This certificate must be self-signed.
- Author:
  Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
Field Summary

Modifier and Type | Field | Description
protected List<X509Certificate> | defaultTrustAnchors | The trust anchors.
protected Date | validationDate | The date/time when the certificate status should be determined.
Constructor Summary

Constructor | Description
SimpleCertificateValidator() | Default constructor.
Method Summary

Modifier and Type | Method | Description
protected PKIXBuilderParameters | buildParameters(X509Certificate subjectCertificate, Set<TrustAnchor> trustAnchors, List<CertStore> certStores) | Builds the parameters for path building and validation.
protected List<CertStore> | getCertStores(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls) | Gets the certificate stores that should be used during path building and validation.
List<X509Certificate> | getDefaultTrustAnchors() | Gets the trusted (root) certificates for this validator.
Date | getValidationDate() | The date/time when the certificate status should be determined.
boolean | isRevocationCheckingActive() | Always returns false.
void | setDefaultTrustAnchors(List<X509Certificate> defaultTrustAnchors) | Assigns the default trust anchors for this validator.
protected Set<TrustAnchor> | setupTrustAnchors(List<X509Certificate> trustAnchors, List<X509Certificate> additionalCertificates) | The implementation creates a set of trust anchors based on the trustAnchors parameter.
void | setValidationDate(Date validationDate) | Assigns the date/time when the certificate status should be determined.
protected X509CertSelector | toCertSelector(X509Certificate subjectCertificate) | Creates an X509CertSelector for the supplied subject certificate.
CertificateValidationResult | validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls) | Validates the supplied subject certificate.
CertificateValidationResult | validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls, List<X509Certificate> trustAnchors) | Validates the supplied subject certificate.
Field Details

validationDate
protected Date validationDate
The date/time when the certificate status should be determined. For testing mainly.

defaultTrustAnchors
protected List<X509Certificate> defaultTrustAnchors
The trust anchors.
Constructor Details

SimpleCertificateValidator
public SimpleCertificateValidator()
Default constructor.
Method Details

validate
public CertificateValidationResult validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls) throws CertPathBuilderException, CertPathValidatorException, GeneralSecurityException
Validates the supplied subject certificate.
- Specified by:
  validate in interface CertificateValidator
- Parameters:
  subjectCertificate - the certificate to validate
  additionalCertificates - other certificates that may be useful when building a certificate path (may be null or empty)
  crls - optional list of CRLs that may be useful during path validation (may be null or empty)
- Returns:
  a validator result
- Throws:
  CertPathBuilderException - if a valid certificate path could not be built
  CertPathValidatorException - if the path failed to verify
  GeneralSecurityException - for general errors
validate
public CertificateValidationResult validate(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls, List<X509Certificate> trustAnchors) throws CertPathBuilderException, CertPathValidatorException, GeneralSecurityException
Validates the supplied subject certificate. The supplied trust anchors override the trust configured for this validator (CertificateValidator.getDefaultTrustAnchors()).
- Specified by:
  validate in interface CertificateValidator
- Parameters:
  subjectCertificate - the certificate to validate
  additionalCertificates - other certificates that may be useful when building a certificate path (may be null or empty)
  crls - optional list of CRLs that may be useful during path validation (may be null or empty)
  trustAnchors - the trust anchors to use during validation (null or empty list means "trust any root")
- Returns:
  a validator result
- Throws:
  CertPathBuilderException - if a valid certificate path could not be built
  CertPathValidatorException - if the path failed to verify
  GeneralSecurityException - for general errors
setupTrustAnchors
protected Set<TrustAnchor> setupTrustAnchors(List<X509Certificate> trustAnchors, List<X509Certificate> additionalCertificates) throws CertPathBuilderException
The implementation creates a set of trust anchors based on the trustAnchors parameter. This parameter was either supplied in a call to validate(X509Certificate, List, List, List) or set as the default anchors (setDefaultTrustAnchors(List)). If no trust anchors are available, this implementation uses the last certificate from the supplied additionalCertificates parameter as the root.
- Parameters:
  trustAnchors - the trust anchors
  additionalCertificates - additional certs
- Returns:
  a set of trust anchors
- Throws:
  CertPathBuilderException - if trust can not be set up
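The following is an added usage example, not code from the signservice project, showing the two-step contract described for validate and setupTrustAnchors: pin an explicit set of roots with setDefaultTrustAnchors so the "trust any root" fallback (last element of additionalCertificates becomes the root) never applies, then call validate and map each documented exception to an outcome. The file names are placeholders, the package of CertificateValidationResult is assumed to be se.idsec.signservice.security.certificate, and the result object is only held, not inspected, because its accessors are not documented on this page.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import se.idsec.signservice.security.certificate.CertificateValidationResult; // assumed package
import se.idsec.signservice.security.certificate.impl.SimpleCertificateValidator;

/**
 * Added example (not part of the library): validate an end-entity certificate
 * against explicitly pinned roots with SimpleCertificateValidator.
 */
public class PinnedTrustValidationExample {

  /** Reads every certificate (PEM or DER) from one file; CertificateFactory accepts both. */
  static List<X509Certificate> loadCertificates(Path file) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> certs = new ArrayList<>();
    try (InputStream in = Files.newInputStream(file)) {
      for (Certificate c : cf.generateCertificates(in)) {
        certs.add((X509Certificate) c);
      }
    }
    return certs;
  }

  public static void main(String[] args) throws Exception {
    // Placeholder file names (assumption): the subject cert, its intermediates,
    // and the roots this deployment has decided to trust.
    X509Certificate subject = loadCertificates(Path.of("subject.pem")).get(0);
    List<X509Certificate> intermediates = loadCertificates(Path.of("intermediates.pem"));
    List<X509Certificate> trustedRoots = loadCertificates(Path.of("trusted-roots.pem"));

    SimpleCertificateValidator validator = new SimpleCertificateValidator();

    // Pin the roots. With no anchors configured, setupTrustAnchors takes the last
    // element of additionalCertificates as the root, i.e. the caller's own chain
    // decides what is trusted. An explicit, non-empty anchor list closes that path.
    validator.setDefaultTrustAnchors(trustedRoots);

    // This validator never checks revocation (isRevocationCheckingActive() is false),
    // so the CRL list has no effect here and revocation must be covered elsewhere.
    List<X509CRL> crls = null;

    try {
      CertificateValidationResult result = validator.validate(subject, intermediates, crls);
      System.out.println("Path built and verified against pinned roots: " + result);
    } catch (CertPathBuilderException e) {
      System.out.println("No path from the subject to a pinned root: " + e.getMessage());
    } catch (CertPathValidatorException e) {
      System.out.println("A path was found but failed PKIX validation: " + e.getMessage());
    } catch (GeneralSecurityException e) {
      System.out.println("Validation error: " + e.getMessage());
    }
  }
}
```

Leaving getValidationDate at its default of null validates against the current time; setValidationDate with a fixed Date is for reproducible tests, not for production, since it would accept certificates that have since expired.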
getCertStores
protected List<CertStore> getCertStores(X509Certificate subjectCertificate, List<X509Certificate> additionalCertificates, List<X509CRL> crls) throws GeneralSecurityException
Gets the certificate stores that should be used during path building and validation. The default implementation builds one store holding the certificates supplied in subjectCertificate and additionalCertificates.
- Parameters:
  subjectCertificate - the certificate to validate
  additionalCertificates - other certificates that may be useful when building a certificate path
  crls - optional list of CRLs that may be useful during path validation
- Returns:
  a list of cert stores
- Throws:
  GeneralSecurityException - for cert store creation errors
buildParameters
protected PKIXBuilderParameters buildParameters(X509Certificate subjectCertificate, Set<TrustAnchor> trustAnchors, List<CertStore> certStores) throws GeneralSecurityException
Builds the parameters for path building and validation. This implementation disables revocation checking and uses default settings from the PKIXBuilderParameters class.
- Parameters:
  subjectCertificate - the subject certificate
  trustAnchors - the trust anchors
  certStores - the cert stores
- Returns:
  a PKIXBuilderParameters object
- Throws:
  GeneralSecurityException - for errors setting up the params
toCertSelector
protected X509CertSelector toCertSelector(X509Certificate subjectCertificate)
Creates an X509CertSelector for the supplied subject certificate.
- Parameters:
  subjectCertificate - the certificate
- Returns:
  an X509CertSelector
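The following is an added example, written against the JDK's java.security.cert API and not taken from the signservice project, that walks through the PKIX steps the protected hooks setupTrustAnchors, getCertStores, toCertSelector and buildParameters describe: choose the anchors (explicit roots, otherwise the self-signed last element of the additional list), put the subject and helper certificates in one collection CertStore, target the subject with an X509CertSelector, and build PKIXBuilderParameters. It goes one step beyond the page by exposing the revocation switch, checkRevocation, that SimpleCertificateValidator fixes at false; the self-signature check on the fallback root is this example's own, since the page only states the requirement. All certificates, CRLs and the date are supplied by the caller.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not the library's code): the JDK PKIX mechanics behind the
 * validator's protected hooks, with revocation checking as a parameter.
 */
public class PkixPathExample {

  public static CertPath buildAndValidate(X509Certificate subject,
      List<X509Certificate> additional, List<X509Certificate> roots,
      List<X509CRL> crls, Date validationDate, boolean checkRevocation)
      throws GeneralSecurityException {

    // setupTrustAnchors: explicit roots win; otherwise the last element of
    // "additional" is taken as the root and must be self-signed.
    List<X509Certificate> anchorCerts = roots;
    if (anchorCerts == null || anchorCerts.isEmpty()) {
      if (additional == null || additional.isEmpty()) {
        throw new CertPathBuilderException("no trust anchor available");
      }
      X509Certificate last = additional.get(additional.size() - 1);
      last.verify(last.getPublicKey()); // throws unless self-signed (this example's check)
      anchorCerts = List.of(last);
    }
    Set<TrustAnchor> anchors = new HashSet<>();
    for (X509Certificate c : anchorCerts) {
      anchors.add(new TrustAnchor(c, null));
    }

    // getCertStores: one collection store with the subject and the helper certs.
    // CRLs only matter to the PKIX engine when revocation checking is enabled.
    List<Object> storeContent = new ArrayList<>();
    storeContent.add(subject);
    if (additional != null) {
      storeContent.addAll(additional);
    }
    if (checkRevocation && crls != null) {
      storeContent.addAll(crls);
    }
    CertStore store = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(storeContent));

    // toCertSelector: the builder's target is exactly the subject certificate.
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(subject);

    // buildParameters: PKIXBuilderParameters defaults, plus the date and the
    // revocation switch (SimpleCertificateValidator always passes false).
    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
    params.addCertStore(store);
    params.setDate(validationDate);               // null means "now"
    params.setRevocationEnabled(checkRevocation);

    // Build the path from the subject up to an anchor. The PKIX builder validates
    // while building; the explicit validator call applies the same parameters to
    // the finished path, which is what you would do with a chain obtained elsewhere.
    PKIXCertPathBuilderResult built =
        (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    CertPathValidator.getInstance("PKIX").validate(built.getCertPath(), params);
    return built.getCertPath();
  }
}
```

With checkRevocation set to true the JDK's default revocation checker consults the CRLs in the CertStore and fails the path when it cannot determine the status of a certificate, so supplying a complete set of CRLs (or a PKIXRevocationChecker configured with the desired options) becomes the caller's responsibility; that is the trade-off the page's validator avoids by disabling the check.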
isRevocationCheckingActive
public boolean isRevocationCheckingActive()
Always returns false.
- Specified by:
  isRevocationCheckingActive in interface CertificateValidator
- Returns:
  true if revocation checking is active and false otherwise
getDefaultTrustAnchors
public List<X509Certificate> getDefaultTrustAnchors()
Gets the trusted (root) certificates for this validator. An empty list indicates "trust any root".
Note: These anchors may be overridden by supplying an alternative set to CertificateValidator.validate(X509Certificate, List, List, List).
- Specified by:
  getDefaultTrustAnchors in interface CertificateValidator
- Returns:
  trusted certificates
setDefaultTrustAnchors
public void setDefaultTrustAnchors(List<X509Certificate> defaultTrustAnchors)
Assigns the default trust anchors for this validator.
- Parameters:
  defaultTrustAnchors - trusted root certificates
getValidationDate
public Date getValidationDate()
The date/time when the certificate status should be determined. For testing mainly. If null is returned, this indicates "now".
- Returns:
  the validation date/time, or null for "now"
setValidationDate
public void setValidationDate(Date validationDate)
Assigns the date/time when the certificate status should be determined. For testing mainly. If null, which is the default, is assigned, this indicates "now".
- Parameters:
  validationDate - the validation date/time, or null for "now"