com.entrust.toolkit.x509

Class CertVerifier

java.lang.Object

com.entrust.toolkit.x509.CertVerifier

All Implemented Interfaces:

ValidationInfo

public class CertVerifier
extends java.lang.Object
implements ValidationInfo

Validates certificates according to RFC 3280.

Constructor Summary

Constructors

Constructor and Description
CertVerifier(X509Certificate[] rootsOfTrust, LdapDirectory directory, ClientSettings clientSettings) Constructor with multiple roots of trust.
CertVerifier(X509Certificate[] rootsOfTrust, LdapDirectory directory, ClientSettings clientSettings, UserRevocationInfo revInfo) Constructor with multiple roots of trust.
CertVerifier(X509Certificate rootOfTrust, LdapDirectory directory, ClientSettings clientSettings) Constructor.
CertVerifier(X509Certificate rootOfTrust, LdapDirectory directory, ClientSettings clientSettings, UserRevocationInfo revInfo) Constructor.

Method Summary

Modifier and Type	Method and Description
CollectionCS	getCertificateStore() Returns the certificate store.
ClientSettings	getClientSettings() Returns the client settings.
LdapDirectory	getDirectory() Returns the LDAP Directory
ExtensionTester	getExtensionTester() Returns the extension tester.
boolean	getForceV1CertAsCA() Return whether a V1 X509Certificate will always be considered a CA certificate (true), or whether it will always be considered an End-Entity (false)
RevocationChecker	getRevocationChecker()
UserRevocationInfo	getRevocationInfo() Return the UserRevocation Information
RevocationManager	getRevocationManager() Returns the Revocation Manager for this CertVerifier.
CollectionRS	getRevocationStore() Returns the revocation store.
X509Certificate	getRootOfTrust() Returns the root of trust.
X509Certificate[]	getRootsOfTrust() Returns all roots of trust.
ValidationConfig	getValidationConfig() Return the ValidationConfig that is configured in the associated CollectionCS certificate store object.
static boolean	readForceV1CertsAsCAUsage() This method sets the global default usage for determining whether V1 X509Certificates should be considered CA certificates, or End-Entity certificates.
void	setDirectory(LdapDirectory dir) Changes the directory on-the-fly
void	setForceV1CertAsCA(boolean enforceV1CertAsCA) This setting is used to determine whether V1 X509Certificates should be considered CA certificates, or End-Entity certificates.
void	setRevocationInfo(UserRevocationInfo revInfo) Allows a customized revocation configuration to be used for revocation checking.
void	setValidationConfig(ValidationConfig validationConfig) Configure this CertVerifier to use the specified ValidationConfig.
X509Certificate[]	validate(X509Certificate certificate) Validates an X.509 certificate.
X509Certificate[]	validate(X509Certificate certificate, java.util.Date validationTime) Validates an X.509 certificate at a given point in time.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertVerifier

public CertVerifier(X509Certificate rootOfTrust,
                    LdapDirectory directory,
                    ClientSettings clientSettings)

Constructor.

Parameters:

rootOfTrust - A trusted certificate used as the trust anchor for certificate validation.

directory - A connection to the Directory to retrieve CRLs and certificates from, or null if no Directory is required. If a Directory is used, it is a good idea to set connection and search timeout values. If no Directory is provided, revocation checking is turned off. This can be changed later by calling getRevocationStore().requireCRL(true);

clientSettings - Controls whether arbitrary certificates can be trusted, and the initial inputs to the path validation algorithm:

• inhibitAnyPolicy - whether or not the special policy anyPolicy is allowed.
• inhibitPolicyMapping - whether or not policy mapping is allowed
• acceptablePolicies - the set of acceptable policies.

Setting this value to null causes the default values to be used. That is, anyPolicy and policy mapping are allowed, and the acceptable policy set is all policies.

Throws:

java.lang.RuntimeException - if the signature on the root-of-trust certificate cannot be verified

CertVerifier

public CertVerifier(X509Certificate[] rootsOfTrust,
                    LdapDirectory directory,
                    ClientSettings clientSettings)
             throws CertificationRootException

Constructor with multiple roots of trust.

Parameters:

rootsOfTrust - An array of trusted certificates, each being a trust anchor for certificate validation.

directory - A connection to the Directory to retrieve CRLs and certificates from, or null if no Directory is required. If a Directory is used, it is a good idea to set connection and search timeout values. If no Directory is provided, revocation checking is turned off. This can be changed later by calling getRevocationStore().requireCRL(true);

clientSettings - Controls whether arbitrary certificates can be trusted, and the initial inputs to the path validation algorithm:

• inhibitAnyPolicy - whether or not the special policy anyPolicy is allowed.
• inhibitPolicyMapping - whether or not policy mapping is allowed
• acceptablePolicies - the set of acceptable policies.

Setting this value to null causes the default values to be used. That is, anyPolicy and policy mapping are allowed, and the acceptable policy set is all policies.

Throws:

CertificationRootException - if the signature on the self-signed CA certificate cannot be verified

Since:

7.0

CertVerifier

public CertVerifier(X509Certificate rootOfTrust,
                    LdapDirectory directory,
                    ClientSettings clientSettings,
                    UserRevocationInfo revInfo)

Constructor.

Parameters:

rootOfTrust - A trusted certificate used as the trust anchor for certificate validation.

directory - A connection to the Directory to retrieve CRLs and certificates from, or null if no Directory is required. If a Directory is used, it is a good idea to set connection and search timeout values. If no Directory is provided, revocation checking is turned off. This can be changed later by calling getRevocationStore().requireCRL(true);

clientSettings - Controls whether arbitrary certificates can be trusted, and the initial inputs to the path validation algorithm:

• inhibitAnyPolicy - whether or not the special policy anyPolicy is allowed.
• inhibitPolicyMapping - whether or not policy mapping is allowed
• acceptablePolicies - the set of acceptable policies.

Setting this value to null causes the default values to be used. That is, anyPolicy and policy mapping are allowed, and the acceptable policy set is all policies.

revInfo - The Revocation Information used to configure the RevocationConfiguration which is used to setup the revocation checking parameters.

Throws:

java.lang.RuntimeException - if the signature on the root-of-trust certificate cannot be verified

Since:

7.2

CertVerifier

public CertVerifier(X509Certificate[] rootsOfTrust,
                    LdapDirectory directory,
                    ClientSettings clientSettings,
                    UserRevocationInfo revInfo)
             throws CertificationRootException

Constructor with multiple roots of trust.

Parameters:

rootsOfTrust - An array of trusted certificates, each being a trust anchor for certificate validation.

directory - A connection to the Directory to retrieve CRLs and certificates from, or null if no Directory is required. If a Directory is used, it is a good idea to set connection and search timeout values. If no Directory is provided, revocation checking is turned off. This can be changed later by calling getRevocationStore().requireCRL(true);

clientSettings - Controls whether arbitrary certificates can be trusted, and the initial inputs to the path validation algorithm:

• inhibitAnyPolicy - whether or not the special policy anyPolicy is allowed.
• inhibitPolicyMapping - whether or not policy mapping is allowed
• acceptablePolicies - the set of acceptable policies.

Setting this value to null causes the default values to be used. That is, anyPolicy and policy mapping are allowed, and the acceptable policy set is all policies. * @param revInfo The Revocation Information used to configure the RevocationConfiguration which is used to setup the revocation checking parameters.

Throws:

CertificationRootException - if there are no CA certificates in the provided rootsOfTrust array, or the signature on the self-signed CA certificate cannot be verified

Since:

7.2

Method Detail

getCertificateStore

public CollectionCS getCertificateStore()

Returns the certificate store.

Specified by:

getCertificateStore in interface ValidationInfo

Returns:

the certificate store.

getExtensionTester

public ExtensionTester getExtensionTester()

Returns the extension tester.

Specified by:

getExtensionTester in interface ValidationInfo

Returns:

the extension tester.

getRevocationStore

public CollectionRS getRevocationStore()

Returns the revocation store.

Specified by:

getRevocationStore in interface ValidationInfo

Returns:

the revocation store.

getRevocationChecker

public RevocationChecker getRevocationChecker()

Specified by:

getRevocationChecker in interface ValidationInfo

getDirectory

public LdapDirectory getDirectory()

Returns the LDAP Directory

Specified by:

getDirectory in interface ValidationInfo

Returns:

the LDAP Directory

setDirectory

public void setDirectory(LdapDirectory dir)

Changes the directory on-the-fly

Specified by:

setDirectory in interface ValidationInfo

Parameters:

dir - the new Directory to use for searches.

setRevocationInfo

public void setRevocationInfo(UserRevocationInfo revInfo)

Allows a customized revocation configuration to be used for revocation checking.

Specified by:

setRevocationInfo in interface ValidationInfo

Parameters:

revInfo - - The UserRevocationInfo object used to configure revocation.

setForceV1CertAsCA

public void setForceV1CertAsCA(boolean enforceV1CertAsCA)

This setting is used to determine whether V1 X509Certificates should be considered CA certificates, or End-Entity certificates. Since V1 X509Certificates do not contain a Basic Constraints extension, there is no way to know. This setting may be used on a per CertVerifier basis. The default value is set by the following Java System property:

 com.entrust.toolkit.x509.CertVerifier.ForceV1CertAsCA=<true|false>
 

When set to true, V1 certificates will be considered as CA certificates. When set to false, V1 certificates are considered End Entity certificates. If the System property is not set, the default is false.

Parameters:

enforceV1CertAsCA - true to indicate V1 certificates are CA certificates, False to indicate End entity certificates.

setValidationConfig

public void setValidationConfig(ValidationConfig validationConfig)

Configure this CertVerifier to use the specified ValidationConfig. Calling this method will override the defaults specified in the constructor

Parameters:

validationConfig - The validationConfig

Since:

8.0

getValidationConfig

public ValidationConfig getValidationConfig()

Return the ValidationConfig that is configured in the associated CollectionCS certificate store object.

Returns:

The ValidationConfig from the associated CollectionsCS certificate store object

Since:

8.0

readForceV1CertsAsCAUsage

public static boolean readForceV1CertsAsCAUsage()

This method sets the global default usage for determining whether V1 X509Certificates should be considered CA certificates, or End-Entity certificates. It reads the System property:

com.entrust.toolkit.x509.CertVerifier.ForceV1CertAsCA

It will only return true if a value of 'true' is passed in as the value of the system property, otherwise it will return false.

Returns:

true if System property is set to true, false otherwise

Since:

7.2 SP2 Patch

getForceV1CertAsCA

public boolean getForceV1CertAsCA()

Return whether a V1 X509Certificate will always be considered a CA certificate (true), or whether it will always be considered an End-Entity (false)

Specified by:

getForceV1CertAsCA in interface ValidationInfo

Returns:

true if V1 X509Certificates should be treated as CA certificates, false if they should not.

getRevocationManager

public RevocationManager getRevocationManager()

Returns the Revocation Manager for this CertVerifier.

Specified by:

getRevocationManager in interface ValidationInfo

getRootOfTrust

public X509Certificate getRootOfTrust()

Returns the root of trust.

Specified by:

getRootOfTrust in interface ValidationInfo

Returns:

the root of trust.

getRootsOfTrust

public X509Certificate[] getRootsOfTrust()

Returns all roots of trust.

Returns:

the roots of trust.

Since:

7.0

getClientSettings

public ClientSettings getClientSettings()

Returns the client settings.

Specified by:

getClientSettings in interface ValidationInfo

Returns:

the client settings.

validate

public X509Certificate[] validate(X509Certificate certificate)
                           throws CertificationException

Validates an X.509 certificate.

Validation consists of three steps:

1. Find a certificate chain from certificate to the root of trust
2. Validate the chain with all certificate extensions
3. Verify that no certificate in the chain is revoked

This may cause the Directory to be contacted, which could cause this call to run for a long time if the Directory is slow to respond. If possible, set Directory connection and search timeout values.

This method returns a certificate chain from the root of trust to the given certificate if a chain is found and successfully validated. It throws a CertificateException if no chain is found, or if a chain is found but fails to validate.

Parameters:

certificate - the certificate to validate

Returns:

The valid certificate chain from the root of trust to the given certificate.

Throws:

CertificationException - if no valid certificate chain is found

validate

public X509Certificate[] validate(X509Certificate certificate,
                                  java.util.Date validationTime)
                           throws CertificationException,
                                  RevocationWarningException

Validates an X.509 certificate at a given point in time.

Validation consists of three steps:

1. Find a certificate chain from certificate to the root of trust
2. Validate the chain with all certificate extensions
3. Verify that no certificate in the chain is revoked

This may cause the Directory to be contacted, which could cause this call to run for a long time if the Directory is slow to respond. If possible, set Directory connection and search timeout values.

The validation of a trusted certificate does not check its extension or revocation.

This method returns a certificate chain from the root of trust to the given certificate if a chain is found and successfully validated without any errors or warnings.

Parameters:

certificate - the certificate being validated

validationTime - the time at which the validation is being done for

Returns:

the valid certificate chain from the root of trust to the given certificate

Throws:

CertificationException - thrown if no valid certificate chain is found

RevocationWarningException - thrown if the certificate is revoked, but was revoked after the time of validation

Since:

7.0

getRevocationInfo

public UserRevocationInfo getRevocationInfo()

Return the UserRevocation Information

Specified by:

getRevocationInfo in interface ValidationInfo