iaik.hlapi
Class CertValidator

java.lang.Object
  iaik.hlapi.CertValidator

Direct Known Subclasses:

PkixCertValidator

public abstract class CertValidator
extends Object

Objects of this class validate X.509 certificate chains.

Per default, implementations must perform a complete validation according to the standard they adhere to. Usually, this includes revocation checking.

Method Summary

abstract void	addCertificate(X509Certificate cert) Add the given certificate to this validator.
abstract void	addCRL(X509CRL crl) Add the given certificate revocation list (CRL) to this validator for revocation checking.
abstract void	addTrustedCertificate(X509Certificate cert) Add the given certificate as a trusted root certificate to this validator.
abstract X509Certificate	getTrustedRoot() Get the trusted root certificate that was used to validate the most recently validated chain.
abstract void	setRevocationChecking(boolean enable) Enable or disable revocation checking.
X509Certificate[]	validate(X509Certificate cert) This is a shortcut for validate(cert, null) and constructs and validates a certificate chain with respect to the current time.
abstract X509Certificate[]	validate(X509Certificate cert, Date date) Validate the given certificate for which to construct and validate a certificate chain.
void	validateChain(X509Certificate[] certChain) This is a shortcut for validateChain(certChain, null) and validates the certificate chain with respect to the current time.
abstract void	validateChain(X509Certificate[] certChain, Date date) Validate the given certificate chain, which is a complete chain excluding the trusted root certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

addTrustedCertificate

public abstract void addTrustedCertificate(X509Certificate cert)

Add the given certificate as a trusted root certificate to this validator. Certificates added via this method represent end-points of certificate chains.

The application may call this method more than once to add several trusted root certificates. The validation method will select a suitable root certificate automatically.

Parameters:

cert - The certificate.

Preconditions

(cert != null)

addCertificate

public abstract void addCertificate(X509Certificate cert)

Add the given certificate to this validator. It can use it for chain building. However, this certificate is considered neither trusted nor untrusted. It inherits its trust level from the issuer certificate.

This method does not influence certificates added via addTrustedCertificate(X509Certificate).

Parameters:

cert - The certificate.

Preconditions

(cert != null)

addCRL

public abstract void addCRL(X509CRL crl)

Add the given certificate revocation list (CRL) to this validator for revocation checking. This method is especially useful for validating certificate with respect to a time in the past, which is usually the case for signatures that were created some time ago. If the signature is an archive signature that contains CRLs, like an extended CAdES or XAdES signature, the contained CRLs can be passed to this method.

Parameters:

crl - The CRL object.

Preconditions

(crl != null)

validateChain

public void validateChain(X509Certificate[] certChain)
                   throws CertificateValidationException,
                          HlApiException

This is a shortcut for validateChain(certChain, null) and validates the certificate chain with respect to the current time.

Parameters:

certChain - The certificate chain with the end-entity certificate first but excluding the trusted root.

Throws:

CertificateValidationException - If the chain is invalid.

HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

Preconditions

(chain != null), (chain.length > 0)

validateChain

public abstract void validateChain(X509Certificate[] certChain,
                                   Date date)
                            throws CertificateValidationException,
                                   HlApiException

Validate the given certificate chain, which is a complete chain excluding the trusted root certificate. The application can specify the date for which the validity should be determined.

If the certificate chain could be validated, the trusted root of this chain can be fetched using getTrustedRoot().

If validation of the chain failed or could not be completed, an exception is thrown.

The application must add at least one trusted root certificate using addTrustedCertificate(X509Certificate) before calling this method. Otherwise, an exception is thrown.

Parameters:

certChain - The certificate chain with the end-entity certificate first but excluding the trusted root.

date - The date for which to validate the chain, i.e. the date when the certificate (chain) was used e.g. for signing. null means the current date.

Throws:

CertificateValidationException - If the chain is invalid.

HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

Preconditions

(chain != null), (chain.length > 0)

validate

public X509Certificate[] validate(X509Certificate cert)
                           throws CertificateValidationException,
                                  HlApiException

This is a shortcut for validate(cert, null) and constructs and validates a certificate chain with respect to the current time.

Parameters:

cert - The certificate for which to construct and validate a chain.

Returns:

The validated chain.

Throws:

CertificateValidationException - If a valid chain could not be constructed.

HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

Preconditions

(chain != null), (chain.length > 0)

Postconditions

(result != null), (result.length > 0)

validate

public abstract X509Certificate[] validate(X509Certificate cert,
                                           Date date)
                                    throws CertificateValidationException,
                                           HlApiException

Validate the given certificate for which to construct and validate a certificate chain. For construction, all certificates are taken into account that were added using addCertificate(X509Certificate).

If the certificate chain could be constructed and validated, the validated chain is returned. The trusted root certificate is excluded. It can be fetched using getTrustedRoot().

If validation of the chain failed or could not be completed, an exception is thrown.

The application must add at least one trusted root certificate using addTrustedCertificate(X509Certificate) before calling this method.

Parameters:

cert - The certificate for which to construct and validate a chain.

date - The date for which to construct and validate the chain, i.e. the date when the certificate (chain) was used e.g. for signing. null means the current date.

Returns:

The validated chain.

Throws:

CertificateValidationException - If a valid chain could not be constructed.

HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

Preconditions

(chain != null), (chain.length > 0)

Postconditions

(result != null), (result.length > 0)

getTrustedRoot

public abstract X509Certificate getTrustedRoot()

Get the trusted root certificate that was used to validate the most recently validated chain. If the most recent validation failed, this method returns null.

Note, that the returned certificate will always one of the trusted certificates, which were added using addTrustedCertificate(X509Certificate).

Returns:

The trusted root or null.

setRevocationChecking

public abstract void setRevocationChecking(boolean enable)

Enable or disable revocation checking. Per default, it is enabled.

If disabled, the class will no perform any kind of revocation checking.

Parameters:

enable - true to enable, false to disable.