Class PKIXCertificateValidationProvider

java.lang.Object
xades4j.providers.impl.PKIXCertificateValidationProvider
All Implemented Interfaces:
CertificateValidationProvider

public final class PKIXCertificateValidationProvider extends Object implements CertificateValidationProvider
Implementation of CertificateValidationProvider using a PKIX CertPathBuilder.

Since Java's PKIX API does not give access to the CRLs used during certification path validation, this is done manually. There has to be a CRL for each issuer in the path which is valid at the moment of validation (both its signature and its date).

The builder(KeyStore) method can be used to configure and create a new instance.
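The manual CRL lookup described above can be illustrated with plain JCA. The following is an added example, not code from xades4j: for every certificate in a PKIX-built path it determines the issuer (the next certificate, or the trust anchor for the last one), then requires a CRL from that issuer that covers the validation date and whose signature verifies under the issuer's public key. The `CertStore` holding candidate CRLs and the `MissingCrlException` type are assumptions introduced for the example.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Added example (not xades4j code): one CRL per issuer in a certification path,
 * each valid at the validation date and signed by that issuer.
 */
public final class CrlPerIssuerCheck {

    /** Hypothetical exception: an issuer in the path has no usable CRL. */
    public static final class MissingCrlException extends GeneralSecurityException {
        public MissingCrlException(String msg) { super(msg); }
    }

    /**
     * @param path        path as returned by a PKIX CertPathBuilder (leaf first, trust anchor excluded)
     * @param trustAnchor certificate of the trust anchor that issued the last certificate in the path
     * @param crlStore    CertStore with candidate CRLs, gathered out of band (assumed input)
     * @param at          the validation date
     * @return one CRL per certificate in the path, in path order
     */
    public static List<X509CRL> collectCrls(CertPath path, X509Certificate trustAnchor,
                                            CertStore crlStore, Date at)
            throws GeneralSecurityException {
        List<? extends Certificate> certs = path.getCertificates();
        List<X509CRL> result = new ArrayList<>();
        for (int i = 0; i < certs.size(); i++) {
            X509Certificate subject = (X509Certificate) certs.get(i);
            // The issuer of certs[i] is certs[i+1]; the last certificate is issued by the trust anchor.
            X509Certificate issuer = (i + 1 < certs.size())
                    ? (X509Certificate) certs.get(i + 1)
                    : trustAnchor;
            result.add(findValidCrl(subject, issuer, crlStore, at));
        }
        return result;
    }

    static X509CRL findValidCrl(X509Certificate subject, X509Certificate issuer,
                                CertStore crlStore, Date at) throws GeneralSecurityException {
        X509CRLSelector selector = new X509CRLSelector();
        // Only CRLs whose issuer name matches the certificate's issuer...
        selector.addIssuer(issuer.getSubjectX500Principal());
        // ...and whose thisUpdate/nextUpdate window contains the validation date.
        selector.setDateAndTime(at);

        PublicKey issuerKey = issuer.getPublicKey();
        for (CRL candidate : crlStore.getCRLs(selector)) {
            X509CRL crl = (X509CRL) candidate;
            try {
                // A name match is not enough: the CRL must actually be signed by the issuer.
                crl.verify(issuerKey);
                return crl;
            } catch (GeneralSecurityException badSignature) {
                // Skip CRLs that claim the issuer's name but do not verify under its key.
            }
        }
        throw new MissingCrlException("no CRL valid at " + at + " from issuer "
                + issuer.getSubjectX500Principal()
                + " for certificate " + subject.getSubjectX500Principal());
    }
}
```

Both checks matter: the date window alone would accept a forged list carrying the issuer's name, and the signature alone would accept a stale list that no longer reflects revocations. Indirect CRLs (issued by a party other than the certificate issuer) are deliberately not handled here.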

Author:
Luís
  • Method Details

    • builder

      public static PKIXCertificateValidationProvider.Builder builder(KeyStore trustAnchors)
      Create a builder to configure a new PKIXCertificateValidationProvider.
      Parameters:
      trustAnchors - the keystore with the trust-anchors (TrustedCertificateEntry)
      Returns:
      the builder
    • validate

      public ValidationData validate(X509CertSelector certSelector, Date validationDate, Collection<X509Certificate> otherCerts) throws CertificateValidationException, UnexpectedJCAException
      Description copied from interface: CertificateValidationProvider
      Validates the certificate identified by the given certificate selector and returns the resulting validation data (certificate chain and possibly CRLs).

      This method receives a set of certificates collected from the validation context that can be used to build a certification path. For instance, when verifying the signature's certificate, certificates collected from KeyInfo are supplied; when verifying a timestamp token, the certificates contained in the timestamp token itself are supplied.

      Additional certificates may be needed to build a certification path. This means that the provider must have access to those additional certificates out of band.

      Specified by:
      validate in interface CertificateValidationProvider
      Parameters:
      certSelector - identifies the intended leaf certificate for the current validation. This certificate may or may not be available in the validation context (it usually is). This selector is created using information from the different X509Data elements within KeyInfo.
      validationDate - the time for which the validity of the certification path should be determined
      otherCerts - a set of certificates that can be used to validate the leaf certificate, collected from the validation context. May include the certificate that will be selected by certSelector.
      Returns:
      the validation data resulting from the validation of the certificate selected by certSelector
      Throws:
      CertificateValidationException - if the certificate cannot be validated (see subclasses of the exception)
      UnexpectedJCAException
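Putting the builder and validate methods together, the following added example (not xades4j's own code) loads a keystore of trust anchors, creates the provider, and validates a leaf certificate identified by issuer and serial number, which is how an X509IssuerSerial element in KeyInfo would identify it. The builder's build() method, the ValidationData accessors getCerts() and getCrls(), and the keystore path and password are assumptions not stated on this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;

import xades4j.UnexpectedJCAException;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;
import xades4j.providers.impl.PKIXCertificateValidationProvider;

/** Added example (not xades4j code): configure the provider and validate one leaf certificate. */
public final class ValidateWithPkixProvider {

    /**
     * Loads the trust anchors (TrustedCertificateEntry items) and builds the provider.
     * The keystore location and password are placeholders supplied by the caller.
     */
    static CertificateValidationProvider newProvider(String keystorePath, char[] password)
            throws Exception {
        KeyStore trustAnchors = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            trustAnchors.load(in, password);
        }
        // builder(KeyStore) is documented above; build() is assumed to complete the builder.
        return PKIXCertificateValidationProvider.builder(trustAnchors).build();
    }

    /**
     * Identifies the leaf the way a KeyInfo X509IssuerSerial would and validates it at the given time.
     * otherCerts is what the validation context supplied (KeyInfo certificates, or the
     * certificates embedded in a timestamp token); it may include the leaf itself.
     */
    static ValidationData validateLeaf(CertificateValidationProvider provider,
                                       X509Certificate leaf,
                                       Collection<X509Certificate> otherCerts,
                                       Date validationDate)
            throws CertificateValidationException, UnexpectedJCAException {
        X509CertSelector selector = new X509CertSelector();
        selector.setIssuer(leaf.getIssuerX500Principal());
        selector.setSerialNumber(leaf.getSerialNumber());
        return provider.validate(selector, validationDate, otherCerts);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: replace with a real trust store and the leaf/other certificates
        // taken from the signature being verified.
        CertificateValidationProvider provider =
                newProvider("/path/to/trust-anchors.jks", "changeit".toCharArray());
        X509Certificate leaf = null;                 // leaf certificate from KeyInfo
        Collection<X509Certificate> otherCerts = java.util.Collections.emptyList();

        try {
            ValidationData data = validateLeaf(provider, leaf, otherCerts, new Date());
            // Assumed accessors: the built chain (leaf first) and the CRLs found for each issuer.
            System.out.println("chain length: " + data.getCerts().size()
                    + ", CRLs: " + data.getCrls().size());
        } catch (CertificateValidationException e) {
            // The concrete subclass tells you why: untrusted path, revoked certificate,
            // missing CRL, expired at validationDate, and so on.
            System.err.println("validation failed: " + e.getClass().getSimpleName()
                    + ": " + e.getMessage());
        }
    }
}
```

Pass the signing time (or the timestamp token's time) as validationDate rather than the current time when verifying an older signature; the path and the CRLs are judged for that instant, and a certificate that has since expired is still expected to validate at the moment the signature was produced.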