Package br.ufsc.labsec.signature.conformanceVerifier.validationService

Class CertificateValidationService

java.lang.Object

br.ufsc.labsec.signature.conformanceVerifier.validationService.CertificateValidationService

All Implemented Interfaces:

CertificateValidation

Direct Known Subclasses:

CertificateVerifier

public class CertificateValidationService
extends Object
implements CertificateValidation

Esta classe realiza a validação de um certificado e sua LCR

Nested Class Summary

Nested classes/interfaces inherited from interface br.ufsc.labsec.signature.CertificateValidation

CertificateValidation.Validate

Field Summary

Fields

Modifier and Type	Field	Description
static boolean	SKIP_OLD_TIME_REFERENCES_WITH_NO_CACHE	Define o compotamento de validação de caminho de certificação.
protected ValidationServiceRepository	vsRepository	Componente de repositório PKCS12

Constructor Summary

Constructors

Constructor	Description
CertificateValidationService(ValidationServiceRepository validationService)	Construtor

Method Summary

Modifier and Type	Method	Description
CertStore	createCertStore(CertPath certPath, SignatureObject signature, SignaturePolicyInterface policyInterface, Time timeReference, Set<org.bouncycastle.util.Selector<CRL>> obtainedFromWeb)	Cria o conjunto de certificados na cadeia de certificação e LCRs do certificado a partir de um caminho de certificados construído
CertStore	createCertStoreVariable(X509Certificate x509Certificate, Set<TrustAnchor> trustAnchors)	Cria o conjunto de certificados na cadeia de certificação e LCRs do certificado dado
CertPath	generateCertPath(SignatureObject signature, org.bouncycastle.cert.X509AttributeCertificateHolder attributeCertificate, Set<TrustAnchor> trustAnchors)
CertPath	generateCertPath(Object certificate, Set<TrustAnchor> trustAnchors)	Cria o caminho de certificação do certificado dado, no caso do caminho ser construído corretamente, popula-se as coleções de ceritifcados utilizadas na verificação.
CertPath	generateCertPath(Certificate certificate, Set<TrustAnchor> trustAnchors)	Cria o caminho de certificação do certificado dado, no caso do caminho ser construído corretamente, popula-se as coleções de ceritifcados utilizadas na verificação.
CertPath	generateCertPath(org.bouncycastle.cert.X509AttributeCertificateHolder attributeCertificate, Set<TrustAnchor> trustAnchors)
Optional<List<org.apache.commons.lang3.tuple.Pair<Object,org.bouncycastle.cert.ocsp.OCSPResp>>>	getCertPathOCSPResponses(CertPath certPath, SignatureObject signatureObject, Time timeReference)	Busca as respostas de servidores OCSP para cada certificado do caminho de certificação
Optional<X509CRL>	getCRLFromCertificateAndIssuer(Object certificate, Object issuer, Time timeReference, Set<TrustAnchor> trustAnchors, SignatureObject... signatureObjects)
Optional<X509CRL>	getCRLFromCertificateAndSelector(Object certificate, AbstractSignatureIdentityInformation.CRLSelector selector, Time timeReference, SignatureObject... signatureObject)
Optional<X509CRL>	getCRLFromSelector(AbstractSignatureIdentityInformation.CRLSelector selector, Time timeReference, SignatureObject... signatureObjects)
Optional<Certificate>	getCRLIssuer(Object certificate, SignatureObject signature, Set<TrustAnchor> trustAnchors, CertificateCollection collection)
Optional<Object>	getCRLIssuerCertificate(Object certificate, X509CRL crl, Object issuer, Set<TrustAnchor> trustAnchor, SignatureObject... signatureObjects)
List<CRL>	getCRLsFromCertificate(Object certificate, org.bouncycastle.asn1.x500.X500Name issuerName, Time timeReference, SignatureObject... signatureObject)
List<X509CRL>	getCRLsFromSelector(AbstractSignatureIdentityInformation.CRLSelector selector, Time timeReference, SignatureObject... signatureObject)
Optional<Certificate>	getIssuerCertificate(SignatureObject signatureObject, Object certificate, Set<TrustAnchor> trustAnchors)
Optional<org.bouncycastle.cert.ocsp.OCSPResp>	getOCSPResponse(Object certificate, Object issuer, Time timeReference)	Busca a resposta do servidor OCSP para o certificado dado
ValidationResult	postValidate(ValidationResult validationResult, boolean proofOfExistance, Time earliestReference)
ValidationResult	validate(CertPath certPath, SignatureObject signatureObject, SignaturePolicyInterface policyInterface, Time timeReference, boolean verifyAlgorithm)
ValidationResult	validate(CertPath certPath, SignatureObject signatureObject, SignaturePolicyInterface policyInterface, Time timeReference, Time currentTimeReference, Time earliestTimeReference, boolean verifyAlgorithm)
ValidationResult	validate(CertPath certPath, CertStore certStore, List<org.apache.commons.lang3.tuple.Pair<Object,org.bouncycastle.cert.ocsp.OCSPResp>> ocspResponses, SignaturePolicyInterface signaturePolicyInterface, CertificateValidation.Validate validate, Time timeReference, boolean validateICPBRAlgorithms)	Valida o certificado e seu caminho de certificação
ValidationResult	validateAttributeCertificate(RevReq.EnuRevReq requirement, org.bouncycastle.cert.X509AttributeCertificateHolder certificate, X509Certificate anchor, Optional<X509CRL> optionalCRL, Optional<org.bouncycastle.cert.ocsp.OCSPResp> optionalOCSP, Time timeReference, boolean validateICPBRAlgorithms)
ValidationResult	validateAttributeCertificate(org.bouncycastle.cert.X509AttributeCertificateHolder certificate, Time timeReference, boolean verifyICPBRAlgorithms)
void	validateAttributeCertificateWithReport(SignatureObject signature, Object signerCertificate, SignaturePolicyInterface policyInterface, SignatureReport signatureReport, List<Time> timeReferences)
static ValidationResult	validateCertificateAlgorithm(Object certificate)
static ValidationResult	validateCertificateKey(Object certificate)
ValidationResult	validateWithReport(CertPath certPath, SignatureObject signature, SignaturePolicyInterface signaturePolicyInterface, CertificateValidation.Validate validate, List<Time> timeReferences, SignatureReport signatureReport)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface br.ufsc.labsec.signature.CertificateValidation

getCRLFromCertificateAndIssuer, getCRLFromCertificateAndSelector, getCRLFromCertificateWithoutIssuer, getCRLFromCertificateWithoutIssuer, getCRLFromSelector, getCRLsFromSelector

Field Details

SKIP_OLD_TIME_REFERENCES_WITH_NO_CACHE

public static final boolean SKIP_OLD_TIME_REFERENCES_WITH_NO_CACHE

Define o compotamento de validação de caminho de certificação.

See Also:

Constant Field Values

vsRepository

protected final ValidationServiceRepository vsRepository

Componente de repositório PKCS12

Constructor Details

CertificateValidationService

public CertificateValidationService(ValidationServiceRepository validationService)

Construtor

Parameters:

validationService - Componente de repositório PKCS12

Method Details

validateWithReport

public ValidationResult validateWithReport(CertPath certPath,
SignatureObject signature,
SignaturePolicyInterface signaturePolicyInterface,
CertificateValidation.Validate validate,
List<Time> timeReferences,
SignatureReport signatureReport)

Specified by:

validateWithReport in interface CertificateValidation

postValidate

public ValidationResult postValidate(ValidationResult validationResult,
boolean proofOfExistance,
Time earliestReference)

validate

public ValidationResult validate(CertPath certPath,
SignatureObject signatureObject,
SignaturePolicyInterface policyInterface,
Time timeReference,
boolean verifyAlgorithm)
                          throws CRLException

Throws:

CRLException

validate

public ValidationResult validate(CertPath certPath,
SignatureObject signatureObject,
SignaturePolicyInterface policyInterface,
Time timeReference,
Time currentTimeReference,
Time earliestTimeReference,
boolean verifyAlgorithm)
                          throws CRLException

Throws:

CRLException

validate

public ValidationResult validate(CertPath certPath,
CertStore certStore,
List<org.apache.commons.lang3.tuple.Pair<Object,org.bouncycastle.cert.ocsp.OCSPResp>> ocspResponses,
SignaturePolicyInterface signaturePolicyInterface,
CertificateValidation.Validate validate,
Time timeReference,
boolean validateICPBRAlgorithms)

Valida o certificado e seu caminho de certificação

Specified by:

validate in interface CertificateValidation

Parameters:

certPath - O caminho de certificados a ser validado

signaturePolicyInterface - interface de política que permite obter as âncoras de confiança para o caminho de certificação

validate - sinaliza a verificação de um caminho de assinatura ou carimbo de tempo

timeReference - Data de referência da validação

validateICPBRAlgorithms -

certStore - O repositório de certificados

ocspResponses - Lista de respostas OCSP

Returns:

O resultado da validação

validateAttributeCertificate

public ValidationResult validateAttributeCertificate(RevReq.EnuRevReq requirement,
org.bouncycastle.cert.X509AttributeCertificateHolder certificate,
X509Certificate anchor,
Optional<X509CRL> optionalCRL,
Optional<org.bouncycastle.cert.ocsp.OCSPResp> optionalOCSP,
Time timeReference,
boolean validateICPBRAlgorithms)
                                              throws org.bouncycastle.cert.ocsp.OCSPException,
IOException,
CRLException,
CertificateEncodingException

Throws:

org.bouncycastle.cert.ocsp.OCSPException

IOException

CRLException

CertificateEncodingException

validateCertificateAlgorithm

public static ValidationResult validateCertificateAlgorithm(Object certificate)

validateCertificateKey

public static ValidationResult validateCertificateKey(Object certificate)

validateAttributeCertificate

public ValidationResult validateAttributeCertificate(org.bouncycastle.cert.X509AttributeCertificateHolder certificate,
Time timeReference,
boolean verifyICPBRAlgorithms)

validateAttributeCertificateWithReport

public void validateAttributeCertificateWithReport(SignatureObject signature,
Object signerCertificate,
SignaturePolicyInterface policyInterface,
SignatureReport signatureReport,
List<Time> timeReferences)

Specified by:

validateAttributeCertificateWithReport in interface CertificateValidation

getCRLIssuer

public Optional<Certificate> getCRLIssuer(Object certificate,
SignatureObject signature,
Set<TrustAnchor> trustAnchors,
CertificateCollection collection)
                                   throws CRLException

Specified by:

getCRLIssuer in interface CertificateValidation

Throws:

CRLException

getIssuerCertificate

public Optional<Certificate> getIssuerCertificate(SignatureObject signatureObject,
Object certificate,
Set<TrustAnchor> trustAnchors)

getCRLIssuerCertificate

public Optional<Object> getCRLIssuerCertificate(Object certificate,
X509CRL crl,
Object issuer,
Set<TrustAnchor> trustAnchor,
SignatureObject... signatureObjects)

Specified by:

getCRLIssuerCertificate in interface CertificateValidation

getCRLFromCertificateAndIssuer

public Optional<X509CRL> getCRLFromCertificateAndIssuer(Object certificate,
Object issuer,
Time timeReference,
Set<TrustAnchor> trustAnchors,
SignatureObject... signatureObjects)
                                                 throws CRLException

Specified by:

getCRLFromCertificateAndIssuer in interface CertificateValidation

Throws:

CRLException

getCRLFromSelector

public Optional<X509CRL> getCRLFromSelector(AbstractSignatureIdentityInformation.CRLSelector selector,
Time timeReference,
SignatureObject... signatureObjects)
                                     throws CRLException

Specified by:

getCRLFromSelector in interface CertificateValidation

Throws:

CRLException

getCRLsFromSelector

public List<X509CRL> getCRLsFromSelector(AbstractSignatureIdentityInformation.CRLSelector selector,
Time timeReference,
SignatureObject... signatureObject)

Specified by:

getCRLsFromSelector in interface CertificateValidation

getCRLFromCertificateAndSelector

public Optional<X509CRL> getCRLFromCertificateAndSelector(Object certificate,
AbstractSignatureIdentityInformation.CRLSelector selector,
Time timeReference,
SignatureObject... signatureObject)
                                                   throws CRLException

Specified by:

getCRLFromCertificateAndSelector in interface CertificateValidation

Throws:

CRLException

getCRLsFromCertificate

public List<CRL> getCRLsFromCertificate(Object certificate,
org.bouncycastle.asn1.x500.X500Name issuerName,
Time timeReference,
SignatureObject... signatureObject)
                                 throws IOException

Throws:

IOException

generateCertPath

public CertPath generateCertPath(Object certificate,
Set<TrustAnchor> trustAnchors)
                          throws CertificateException

Cria o caminho de certificação do certificado dado, no caso do caminho ser construído corretamente, popula-se as coleções de ceritifcados utilizadas na verificação.

Specified by:

generateCertPath in interface CertificateValidation

Parameters:

certificate - O certificado

trustAnchors - Conjunto de âncoras de confiança para o caminho de certificação

Returns:

O caminho de certificação gerado

Throws:

CertificateException

generateCertPath

public CertPath generateCertPath(Certificate certificate,
Set<TrustAnchor> trustAnchors)

Cria o caminho de certificação do certificado dado, no caso do caminho ser construído corretamente, popula-se as coleções de ceritifcados utilizadas na verificação.

Specified by:

generateCertPath in interface CertificateValidation

Parameters:

certificate - O certificado

trustAnchors - Conjunto de âncoras de confiança para o caminho de certificação

Returns:

O caminho de certificação gerado

generateCertPath

public CertPath generateCertPath(org.bouncycastle.cert.X509AttributeCertificateHolder attributeCertificate,
Set<TrustAnchor> trustAnchors)

Specified by:

generateCertPath in interface CertificateValidation

generateCertPath

public CertPath generateCertPath(SignatureObject signature,
org.bouncycastle.cert.X509AttributeCertificateHolder attributeCertificate,
Set<TrustAnchor> trustAnchors)

Specified by:

generateCertPath in interface CertificateValidation

createCertStoreVariable

public CertStore createCertStoreVariable(X509Certificate x509Certificate,
Set<TrustAnchor> trustAnchors)

Cria o conjunto de certificados na cadeia de certificação e LCRs do certificado dado

Parameters:

x509Certificate - O certificado no qual será construído o CertStore

trustAnchors - O conjunto de âncoras de confiança

Returns:

O conjunto de certificados criado

createCertStore

public CertStore createCertStore(CertPath certPath,
SignatureObject signature,
SignaturePolicyInterface policyInterface,
Time timeReference,
Set<org.bouncycastle.util.Selector<CRL>> obtainedFromWeb)
                          throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException

Cria o conjunto de certificados na cadeia de certificação e LCRs do certificado a partir de um caminho de certificados construído

Specified by:

createCertStore in interface CertificateValidation

Parameters:

certPath - O caminho de certificados que se deseja-se obter o conjunto

Returns:

O conjunto de certificados e CRLs em CertStore

Throws:

InvalidAlgorithmParameterException - Exceção em caso de algoritmo inválido

NoSuchAlgorithmException - Exceção em caso de algoritmo inexistente

LCRException - Exceção caso a LCR não for encontrada

getOCSPResponse

public Optional<org.bouncycastle.cert.ocsp.OCSPResp> getOCSPResponse(Object certificate,
Object issuer,
Time timeReference)

Busca a resposta do servidor OCSP para o certificado dado

Specified by:

getOCSPResponse in interface CertificateValidation

Parameters:

certificate - Certificado a ser validado

issuer - Certificado do emissor

Returns:

A resposta do servidor OCSP

getCertPathOCSPResponses

public Optional<List<org.apache.commons.lang3.tuple.Pair<Object,org.bouncycastle.cert.ocsp.OCSPResp>>> getCertPathOCSPResponses(CertPath certPath,
SignatureObject signatureObject,
Time timeReference)

Busca as respostas de servidores OCSP para cada certificado do caminho de certificação

Specified by:

getCertPathOCSPResponses in interface CertificateValidation

Parameters:

certPath - O caminho de certificado do usuário construção do caminho de certificação

Returns:

Lista de pares de cada certificado do caminho de certificação com sua respectiva resposta do servidor OCSP