Class OCSPVerifier


  • @Deprecated
    public class OCSPVerifier
    extends RootStoreVerifier
    Deprecated starting from 8.0.5. OCSPValidator should be used instead.
    Class that allows you to verify a certificate against one or more OCSP responses.
    • Method Summary

      Modifier and Type Method Description
      private boolean checkCrlResponses​(ICrlClient client, java.security.cert.X509Certificate responderCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
       
      IBasicOCSPResp getOcspResponse​(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert)
      Deprecated.
      Gets an OCSP response online and returns it without further checking.
      boolean isSignatureValid​(IBasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
      Deprecated.
      Checks if an OCSP response is genuine.
      void isValidResponse​(IBasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
      Verifies if an OCSP response is genuine.
      void setCrlClient​(ICrlClient crlClient)
      Deprecated.
      Sets the CRL client that provides CRL responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used when the responder's certificate doesn't have any method of revocation checking.
      void setOcspClient​(IOcspClient ocspClient)
      Deprecated.
      Sets the OCSP client that provides OCSP responses for verifying the OCSP signer's certificate (an Authorized Responder).
      boolean verify​(IBasicOCSPResp ocspResp, java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
      Verifies a certificate against a single OCSP response.
      java.util.List<VerificationOK> verify​(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
      Verifies if a valid OCSP response is found for the certificate.
      private boolean verifyCrl​(java.security.cert.CRL crl, java.security.cert.X509Certificate certificate, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
       
      private boolean verifyOcsp​(IBasicOCSPResp ocspResp, java.security.cert.X509Certificate certificate, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Deprecated.
       
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • BOUNCY_CASTLE_FACTORY

        private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY
        Deprecated.
      • LOGGER

        protected static final org.slf4j.Logger LOGGER
        Deprecated.
        The Logger instance
      • id_kp_OCSPSigning

        protected static final java.lang.String id_kp_OCSPSigning
        Deprecated.
        See Also:
        Constant Field Values
      • ocspClient

        private IOcspClient ocspClient
        Deprecated.
        OCSP client to check the OCSP Authorized Responder's revocation data.
      • crlClient

        private ICrlClient crlClient
        Deprecated.
        CRL client to check the OCSP Authorized Responder's revocation data.
    • Constructor Detail

      • OCSPVerifier

        public OCSPVerifier​(CertificateVerifier verifier,
                            java.util.List<IBasicOCSPResp> ocsps)
        Deprecated.
        Creates an OCSPVerifier instance.
        Parameters:
        verifier - the next verifier in the chain
        ocsps - a list of IBasicOCSPResp OCSP response wrappers for the certificate verification
    • Method Detail

      • setOcspClient

        public void setOcspClient​(IOcspClient ocspClient)
        Deprecated.
        Sets the OCSP client that provides OCSP responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used when the responder's certificate doesn't have any method of revocation checking.

        See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.

        Optional. Default one is OcspClientBouncyCastle.

        Parameters:
        ocspClient - IOcspClient that provides revocation data for an Authorized Responder.
      • setCrlClient

        public void setCrlClient​(ICrlClient crlClient)
        Deprecated.
        Sets the CRL client that provides CRL responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used when the responder's certificate doesn't have any method of revocation checking.

        See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder.

        Optional. Default one is CrlClientOnline.

        Parameters:
        crlClient - ICrlClient that provides revocation data for an Authorized Responder.
      • verify

        public java.util.List<VerificationOK> verify​(java.security.cert.X509Certificate signCert,
                                                     java.security.cert.X509Certificate issuerCert,
                                                     java.util.Date signDate)
                                              throws java.security.GeneralSecurityException
        Deprecated.
        Verifies if a valid OCSP response is found for the certificate. If this method returns an empty list, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.
        Overrides:
        verify in class RootStoreVerifier
        Parameters:
        signCert - the certificate that needs to be checked
        issuerCert - issuer of the certificate to be checked
        signDate - the date on which the certificate needs to be valid
        Returns:
        a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
        Throws:
        java.security.GeneralSecurityException - thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown in Certificate#verify.
        See Also:
        RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)
      • verify

        public boolean verify​(IBasicOCSPResp ocspResp,
                              java.security.cert.X509Certificate signCert,
                              java.security.cert.X509Certificate issuerCert,
                              java.util.Date signDate)
                       throws java.security.GeneralSecurityException
        Deprecated.
        Verifies a certificate against a single OCSP response.
        Parameters:
        ocspResp - IBasicOCSPResp the OCSP response wrapper for a certificate verification
        signCert - the certificate that needs to be checked
        issuerCert - the certificate that issued signCert – immediate parent. This certificate is considered trusted and valid by this method.
        signDate - sign date (or the date the certificate needs to be valid)
        Returns:
        true if the check is successful, false otherwise.
        Throws:
        java.security.GeneralSecurityException - if OCSP response verification cannot be done or failed.
      • isValidResponse

        public void isValidResponse​(IBasicOCSPResp ocspResp,
                                    java.security.cert.X509Certificate issuerCert,
                                    java.util.Date signDate)
                             throws java.security.GeneralSecurityException
        Deprecated.
        Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
        Parameters:
        ocspResp - IBasicOCSPResp the OCSP response wrapper
        issuerCert - the issuer certificate. This certificate is considered trusted and valid by this method.
        signDate - sign date for backwards compatibility
        Throws:
        java.security.GeneralSecurityException - if OCSP response verification cannot be done or failed.
      • isSignatureValid

        public boolean isSignatureValid​(IBasicOCSPResp ocspResp,
                                        java.security.cert.Certificate responderCert)
        Deprecated.
        Checks if an OCSP response is genuine.
        Parameters:
        ocspResp - IBasicOCSPResp the OCSP response wrapper
        responderCert - the responder certificate
        Returns:
        true if the OCSP response verifies against the responder certificate.
      • getOcspResponse

        public IBasicOCSPResp getOcspResponse​(java.security.cert.X509Certificate signCert,
                                              java.security.cert.X509Certificate issuerCert)
        Deprecated.
        Gets an OCSP response online and returns it without further checking.
        Parameters:
        signCert - the signing certificate
        issuerCert - the issuer certificate
        Returns:
        IBasicOCSPResp an OCSP response wrapper.
      • verifyOcsp

        private boolean verifyOcsp​(IBasicOCSPResp ocspResp,
                                   java.security.cert.X509Certificate certificate,
                                   java.security.cert.X509Certificate issuerCert,
                                   java.util.Date signDate)
                            throws java.security.GeneralSecurityException
        Deprecated.
        Throws:
        java.security.GeneralSecurityException
      • checkCrlResponses

        private boolean checkCrlResponses​(ICrlClient client,
                                          java.security.cert.X509Certificate responderCert,
                                          java.security.cert.X509Certificate issuerCert,
                                          java.util.Date signDate)
                                   throws java.security.GeneralSecurityException
        Deprecated.
        Throws:
        java.security.GeneralSecurityException
      • verifyCrl

        private boolean verifyCrl​(java.security.cert.CRL crl,
                                  java.security.cert.X509Certificate certificate,
                                  java.security.cert.X509Certificate issuerCert,
                                  java.util.Date signDate)
                           throws java.security.GeneralSecurityException
        Deprecated.
        Throws:
        java.security.GeneralSecurityException
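
Added example (not part of the iText documentation or code base): one way to call verify(signCert, issuerCert, signDate) so that the empty-list result documented above stays distinct from both success and failure. The com.itextpdf.signatures package name, the class name OcspCheckExample, the Outcome enum and the two certificate file arguments are assumptions of this example.

```java
import com.itextpdf.signatures.OCSPVerifier;
import com.itextpdf.signatures.VerificationOK;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.List;

public class OcspCheckExample {
    // Hypothetical result type: only VERIFIED is positive evidence of good status.
    enum Outcome { VERIFIED, UNDETERMINED, FAILED }

    static Outcome check(OCSPVerifier verifier, X509Certificate signCert,
                         X509Certificate issuerCert, Date signDate) {
        try {
            List<VerificationOK> oks = verifier.verify(signCert, issuerCert, signDate);
            // Empty list: the certificate could not be verified against any
            // available OCSP response. Not proof of revocation, not proof of validity.
            return oks.isEmpty() ? Outcome.UNDETERMINED : Outcome.VERIFIED;
        } catch (GeneralSecurityException e) {
            // Certificate expired or not yet valid, or Certificate#verify failed.
            return Outcome.FAILED;
        }
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0] = signer certificate file, args[1] = issuer certificate file (assumed inputs)
        X509Certificate signCert = load(args[0]);
        X509Certificate issuerCert = load(args[1]);
        // No next verifier in the chain and no pre-supplied OCSP responses.
        OCSPVerifier verifier = new OCSPVerifier(null, Collections.emptyList());
        Outcome outcome = check(verifier, signCert, issuerCert, new Date());
        System.out.println("OCSP check: " + outcome);
        // issuerCert is treated as trusted by verify(); validate its chain separately.
        if (outcome != Outcome.VERIFIED) System.exit(1);
    }
}
```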