Class OCSPVerifier


  • public class OCSPVerifier
    extends RootStoreVerifier
    Class that allows you to verify a certificate against one or more OCSP responses.
    • Constructor Summary

      Constructors 
      Constructor Description
      OCSPVerifier(CertificateVerifier verifier, java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)
      Creates an OCSPVerifier instance.
    • Method Summary

      Modifier and Type Method Description
      org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert)
      Gets an OCSP response online and returns it if the status is GOOD (without further checking).
      boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
      Checks if an OCSP response is genuine.
      void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert)
      Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
      java.util.List<VerificationOK> verify(java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Verifies if a valid OCSP response is found for the certificate.
      boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate signCert, java.security.cert.X509Certificate issuerCert, java.util.Date signDate)
      Verifies a certificate against a single OCSP response.
      boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp, java.security.cert.X509Certificate issuerCert)
      Deprecated.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOGGER

        protected static final Logger LOGGER
        The Logger instance
      • id_kp_OCSPSigning

        protected static final java.lang.String id_kp_OCSPSigning
        See Also:
        Constant Field Values
      • ocsps

        protected java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps
        The list of OCSP responses.
    • Constructor Detail

      • OCSPVerifier

        public OCSPVerifier(CertificateVerifier verifier,
                            java.util.List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)
        Creates an OCSPVerifier instance.
        Parameters:
        verifier - the next verifier in the chain
        ocsps - a list of OCSP responses
    • Method Detail

      • verify

        public java.util.List<VerificationOK> verify(java.security.cert.X509Certificate signCert,
                                                     java.security.cert.X509Certificate issuerCert,
                                                     java.util.Date signDate)
                                              throws java.security.GeneralSecurityException,
                                                     java.io.IOException
        Verifies if a valid OCSP response is found for the certificate. If this method returns an empty list, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.
        Overrides:
        verify in class RootStoreVerifier
        Parameters:
        signCert - the certificate that needs to be checked
        issuerCert - its issuer
        signDate - the date on which the certificate needs to be valid
        Returns:
        a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException
        See Also:
        RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)
      • verify

        public boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                              java.security.cert.X509Certificate signCert,
                              java.security.cert.X509Certificate issuerCert,
                              java.util.Date signDate)
                       throws java.security.GeneralSecurityException,
                              java.io.IOException
        Verifies a certificate against a single OCSP response.
        Parameters:
        ocspResp - the OCSP response
        signCert - the certificate that needs to be checked
        issuerCert - the certificate of the CA
        signDate - the signing date
        Returns:
        true if the check succeeds, otherwise false.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException
      • isValidResponse

        public void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                                    java.security.cert.X509Certificate issuerCert)
                             throws java.security.GeneralSecurityException,
                                    java.io.IOException
        Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert.
        Parameters:
        ocspResp - the OCSP response
        issuerCert - the issuer certificate
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException
      • verifyResponse

        @Deprecated
        public boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                                      java.security.cert.X509Certificate issuerCert)
        Deprecated.
        Verifies if the response is valid. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert. NOTE: Use isValidResponse() instead.
        Parameters:
        ocspResp - the response object
        issuerCert - the issuer certificate
        Returns:
        true if the response can be trusted
      • isSignatureValid

        public boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                                        java.security.cert.Certificate responderCert)
        Checks if an OCSP response is genuine.
        Parameters:
        ocspResp - the OCSP response
        responderCert - the responder certificate
        Returns:
        true if the OCSP response verifies against the responder certificate
      • getOcspResponse

        public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(java.security.cert.X509Certificate signCert,
                                                                        java.security.cert.X509Certificate issuerCert)
        Gets an OCSP response online and returns it if the status is GOOD (without further checking).
        Parameters:
        signCert - the signing certificate
        issuerCert - the issuer certificate
        Returns:
        an OCSP response
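
Usage example (added here, not part of the original page or the library's own code): it checks the supplied responses first, treats an empty result as "unknown" rather than "revoked", and authenticates an online response with isValidResponse() because getOcspResponse() returns it without further checking. Assumptions: the com.itextpdf.signatures package name (the page does not state the package), the inherited setOnlineCheckingAllowed(boolean) setter from CertificateVerifier (not listed on this page), a null next verifier being acceptable, and a null return from getOcspResponse() when no GOOD response is obtained; OcspCheckExample and Outcome are hypothetical names.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

import org.bouncycastle.cert.ocsp.BasicOCSPResp;

// Assumption: package name; this page does not state it.
import com.itextpdf.signatures.OCSPVerifier;
import com.itextpdf.signatures.VerificationOK;

public final class OcspCheckExample {

    /** UNKNOWN means "no usable OCSP evidence", not "revoked". */
    public enum Outcome { VERIFIED, UNKNOWN }

    public static Outcome check(List<BasicOCSPResp> supplied,
                                X509Certificate signCert,
                                X509Certificate issuerCert,
                                Date signDate)
            throws GeneralSecurityException, IOException {
        // null: no further verifier in the chain (assumed acceptable).
        OCSPVerifier verifier = new OCSPVerifier(null, supplied);
        // Assumption: setter inherited from CertificateVerifier; keeps
        // step 1 limited to the supplied responses.
        verifier.setOnlineCheckingAllowed(false);

        // 1. Check the certificate against the supplied responses.
        List<VerificationOK> ok = verifier.verify(signCert, issuerCert, signDate);
        if (!ok.isEmpty()) {
            return Outcome.VERIFIED;
        }

        // 2. Fetch a response online. getOcspResponse() only looks at the
        //    status, so authenticate the response before relying on it.
        BasicOCSPResp fetched = verifier.getOcspResponse(signCert, issuerCert);
        if (fetched == null) { // assumption: null when nothing usable came back
            return Outcome.UNKNOWN;
        }
        verifier.isValidResponse(fetched, issuerCert); // throws if not genuine
        return verifier.verify(fetched, signCert, issuerCert, signDate)
                ? Outcome.VERIFIED : Outcome.UNKNOWN;
    }
}
```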