com.itextpdf.signatures

Class IssuingCertificateRetriever

java.lang.Object

com.itextpdf.signatures.IssuingCertificateRetriever

All Implemented Interfaces:

IIssuingCertificateRetriever

public class IssuingCertificateRetriever
extends Object
implements IIssuingCertificateRetriever

IIssuingCertificateRetriever default implementation.

Constructor Summary

Constructors

Constructor and Description
IssuingCertificateRetriever() Creates IssuingCertificateRetriever instance.
IssuingCertificateRetriever(IResourceRetriever resourceRetriever) Creates IssuingCertificateRetriever instance.

Method Summary

Modifier and Type	Method and Description
void	addKnownCertificates(Collection<Certificate> certificates) Add certificates collection to known certificates storage, which is used for issuer certificates retrieval.
void	addTrustedCertificates(Collection<Certificate> certificates) Add trusted certificates collection to trusted certificates storage.
List<X509Certificate[]>	buildCertificateChains(X509Certificate certificate) This method tries to rebuild certificate issuer chain.
List<X509Certificate[]>	buildCertificateChains(X509Certificate[] certificate) This method tries to rebuild certificate issuer chain.
Certificate[]	getCrlIssuerCertificates(CRL crl) Retrieves the certificate chain for the certificate that should be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.
Certificate[][]	getCrlIssuerCertificatesByName(CRL crl) Retrieves the certificate chaind for the certificates that could be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.
protected InputStream	getIssuerCertByURI(String uri) Get CA issuers certificates represented as InputStream.
TrustedCertificatesStore	getTrustedCertificatesStore() Gets TrustedCertificatesStore to be used to provide more complex trusted certificates configuration.
boolean	isCertificateTrusted(Certificate certificate) Check if provided certificate is present in trusted certificates storage.
protected Collection<Certificate>	parseCertificates(InputStream certsData) Parses certificates represented as byte array.
List<X509Certificate>	retrieveIssuerCertificate(Certificate certificate) Retrieve issuer certificate for the provided certificate.
Certificate[]	retrieveMissingCertificates(Certificate[] chain) Retrieves missing certificates in chain using certificate Authority Information Access (AIA) Extension.
Set<Certificate>	retrieveOCSPResponderByNameCertificate(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp ocspResp) Retrieves OCSP responder certificate candidates either from the response certs or trusted store in case responder certificate isn't found in /Certs.
void	setTrustedCertificates(Collection<Certificate> certificates) Sets trusted certificate list to be used as certificates trusted for any possible usage.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IssuingCertificateRetriever

public IssuingCertificateRetriever()

Creates IssuingCertificateRetriever instance.

IssuingCertificateRetriever

public IssuingCertificateRetriever(IResourceRetriever resourceRetriever)

Creates IssuingCertificateRetriever instance.

Parameters:

resourceRetriever - an @{link IResourceRetriever} instance to use for performing http requests.

Method Detail

retrieveMissingCertificates

public Certificate[] retrieveMissingCertificates(Certificate[] chain)

Retrieves missing certificates in chain using certificate Authority Information Access (AIA) Extension.

Specified by:

retrieveMissingCertificates in interface IIssuingCertificateRetriever

Parameters:

chain - certificate chain to restore with at least signing certificate.

Returns:

full chain of trust or maximum chain that could be restored in case missing certificates cannot be retrieved from AIA extension.

buildCertificateChains

public List<X509Certificate[]> buildCertificateChains(X509Certificate certificate)

This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate based on issuer names and public keys.

Parameters:

certificate - X509Certificate for which issuer chains shall be built

Returns:

all possible issuer chains

buildCertificateChains

public List<X509Certificate[]> buildCertificateChains(X509Certificate[] certificate)

This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate array based on issuer names and public keys.

Parameters:

certificate - X509Certificate array for which issuer chains shall be built

Returns:

all possible issuer chains

retrieveIssuerCertificate

public List<X509Certificate> retrieveIssuerCertificate(Certificate certificate)

Retrieve issuer certificate for the provided certificate.

Parameters:

certificate - Certificate for which issuer certificate shall be retrieved

Returns:

issuer certificate. null if there is no issuer certificate, or it cannot be retrieved.

retrieveOCSPResponderByNameCertificate

public Set<Certificate> retrieveOCSPResponderByNameCertificate(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp ocspResp)

Retrieves OCSP responder certificate candidates either from the response certs or trusted store in case responder certificate isn't found in /Certs.

Parameters:

ocspResp - basic OCSP response to get responder certificate for

Returns:

retrieved OCSP responder candidates or an empty set in case none were found.

getCrlIssuerCertificates

public Certificate[] getCrlIssuerCertificates(CRL crl)

Retrieves the certificate chain for the certificate that should be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.

Specified by:

getCrlIssuerCertificates in interface IIssuingCertificateRetriever

Parameters:

crl - CRL response to retrieve issuer for.

Returns:

certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

getCrlIssuerCertificatesByName

public Certificate[][] getCrlIssuerCertificatesByName(CRL crl)

Retrieves the certificate chaind for the certificates that could be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.

Specified by:

getCrlIssuerCertificatesByName in interface IIssuingCertificateRetriever

Parameters:

crl - CRL response to retrieve issuer for.

Returns:

certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

setTrustedCertificates

public void setTrustedCertificates(Collection<Certificate> certificates)

Sets trusted certificate list to be used as certificates trusted for any possible usage. In case more specific trusted is desired to be configured getTrustedCertificatesStore() method is expected to be used.

Specified by:

setTrustedCertificates in interface IIssuingCertificateRetriever

Parameters:

certificates - certificate list to be used as certificates trusted for any possible usage.

addTrustedCertificates

public void addTrustedCertificates(Collection<Certificate> certificates)

Add trusted certificates collection to trusted certificates storage.

Parameters:

certificates - certificates Collection to be added

addKnownCertificates

public void addKnownCertificates(Collection<Certificate> certificates)

Add certificates collection to known certificates storage, which is used for issuer certificates retrieval.

Parameters:

certificates - certificates Collection to be added

getTrustedCertificatesStore

public TrustedCertificatesStore getTrustedCertificatesStore()

Gets TrustedCertificatesStore to be used to provide more complex trusted certificates configuration.

Returns:

TrustedCertificatesStore storage

isCertificateTrusted

public boolean isCertificateTrusted(Certificate certificate)

Check if provided certificate is present in trusted certificates storage.

Parameters:

certificate - Certificate to be checked

Returns:

true if certificate is present in trusted certificates storage, false otherwise

getIssuerCertByURI

protected InputStream getIssuerCertByURI(String uri)
                                  throws IOException

Get CA issuers certificates represented as InputStream.

Parameters:

uri - URL URI, which is expected to be used to get issuer certificates from. Usually CA Issuers value from Authority Information Access (AIA) certificate extension.

Returns:

CA issuer certificate (or chain) bytes, represented as InputStream.

Throws:

IOException - if an I/O error occurs.

parseCertificates

protected Collection<Certificate> parseCertificates(InputStream certsData)
                                             throws CertificateException

Parses certificates represented as byte array.

Parameters:

certsData - stream which contains one or more X509 certificates.

Returns:

a (possibly empty) collection of the certificates read from the given byte array.

Throws:

CertificateException - if parsing error occurs.