Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
IAIK High-Level API
version 1.1
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

iaik.hlapi
Class PkixCertValidator

java.lang.Object
  extended by iaik.hlapi.CertValidator
      extended by iaik.hlapi.PkixCertValidator

public class PkixCertValidator
extends CertValidator

This is an implementation of a CertValidator that validates certificate chains according to the PKIX standard RFC 3280. By default, any policy is accepted, policy mapping is not inhibited, no explicit policy is required and the any policy OID is not inhibited.

It also performs revocation checking with OCSP and CRLs. Revocation checking can be disabled using CertValidator.setRevocationChecking(boolean).

Constructor Summary
PkixCertValidator()
          Create an new certificate validator that works according to PKIX RFC 3280.
 
Method Summary
 void addCertificate(X509Certificate cert)
          Add the given certificate to this validator.
 void addCRL(X509CRL crl)
          Add the given certificate revocation list (CRL) to this validator for revocation checking.
 void addTrustedCertificate(X509Certificate cert)
          Add the given certificate as a trusted root certificate to this validator.
 X509Certificate getTrustedRoot()
          Get the trusted root certificate that was used to validate the most recently validated chain.
 void setRevocationChecking(boolean enable)
          Enable or disable revocation checking.
 X509Certificate[] validate(X509Certificate cert, Date date)
          Validate the given certificate for which to construct and validate a certificate chain.
 void validateChain(X509Certificate[] certChain, Date date)
          Validate the given certificate chain, which is a complete chain excluding the trusted root certificate.
 
Methods inherited from class iaik.hlapi.CertValidator
validate, validateChain
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PkixCertValidator

public PkixCertValidator()
Create an new certificate validator that works according to PKIX RFC 3280.

Method Detail

addTrustedCertificate

public void addTrustedCertificate(X509Certificate cert)
Description copied from class: CertValidator
Add the given certificate as a trusted root certificate to this validator. Certificates added via this method represent end-points of certificate chains.

The application may call this method more than once to add several trusted root certificates. The validation method will select a suitable root certificate automatically.

Specified by:
addTrustedCertificate in class CertValidator
Parameters:
cert - The certificate.

addCertificate

public void addCertificate(X509Certificate cert)
Description copied from class: CertValidator
Add the given certificate to this validator. It can use it for chain building. However, this certificate is considered neither trusted nor untrusted. It inherits its trust level from the issuer certificate.

This method does not influence certificates added via CertValidator.addTrustedCertificate(X509Certificate).

Specified by:
addCertificate in class CertValidator
Parameters:
cert - The certificate.

addCRL

public void addCRL(X509CRL crl)
Description copied from class: CertValidator
Add the given certificate revocation list (CRL) to this validator for revocation checking. This method is especially useful for validating certificate with respect to a time in the past, which is usually the case for signatures that were created some time ago. If the signature is an archive signature that contains CRLs, like an extended CAdES or XAdES signature, the contained CRLs can be passed to this method.

Specified by:
addCRL in class CertValidator
Parameters:
crl - The CRL object.

setRevocationChecking

public void setRevocationChecking(boolean enable)
Description copied from class: CertValidator
Enable or disable revocation checking. Per default, it is enabled.

If disabled, the class will no perform any kind of revocation checking.

Specified by:
setRevocationChecking in class CertValidator
Parameters:
enable - true to enable, false to disable.

validateChain

public void validateChain(X509Certificate[] certChain,
                          Date date)
                   throws CertificateValidationException,
                          HlApiException
Description copied from class: CertValidator
Validate the given certificate chain, which is a complete chain excluding the trusted root certificate. The application can specify the date for which the validity should be determined.

If the certificate chain could be validated, the trusted root of this chain can be fetched using CertValidator.getTrustedRoot().

If validation of the chain failed or could not be completed, an exception is thrown.

The application must add at least one trusted root certificate using CertValidator.addTrustedCertificate(X509Certificate) before calling this method. Otherwise, an exception is thrown.

Specified by:
validateChain in class CertValidator
Parameters:
certChain - The certificate chain with the end-entity certificate first but excluding the trusted root.
date - The date for which to validate the chain, i.e. the date when the certificate (chain) was used e.g. for signing. null means the current date.
Throws:
CertificateValidationException - If the chain is invalid.
HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

validate

public X509Certificate[] validate(X509Certificate cert,
                                  Date date)
                           throws CertificateValidationException,
                                  HlApiException
Description copied from class: CertValidator
Validate the given certificate for which to construct and validate a certificate chain. For construction, all certificates are taken into account that were added using CertValidator.addCertificate(X509Certificate).

If the certificate chain could be constructed and validated, the validated chain is returned. The trusted root certificate is excluded. It can be fetched using CertValidator.getTrustedRoot().

If validation of the chain failed or could not be completed, an exception is thrown.

The application must add at least one trusted root certificate using CertValidator.addTrustedCertificate(X509Certificate) before calling this method.

Specified by:
validate in class CertValidator
Parameters:
cert - The certificate for which to construct and validate a chain.
date - The date for which to construct and validate the chain, i.e. the date when the certificate (chain) was used e.g. for signing. null means the current date.
Returns:
The validated chain.
Throws:
CertificateValidationException - If a valid chain could not be constructed.
HlApiException - If the validation failed for some other reason, e.g. no trusted root has been set, invalid certificate format or unsupported algorithms.

getTrustedRoot

public X509Certificate getTrustedRoot()
Description copied from class: CertValidator
Get the trusted root certificate that was used to validate the most recently validated chain. If the most recent validation failed, this method returns null.

Note, that the returned certificate will always one of the trusted certificates, which were added using CertValidator.addTrustedCertificate(X509Certificate).

Specified by:
getTrustedRoot in class CertValidator
Returns:
The trusted root or null.
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
IAIK High-Level API
version 1.1
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2007, IAIK, Graz University of Technology
Copyright © 2007, Stiftung SIC