org.imixs.archive.signature.pdf.cert

Class CertificateVerifier

java.lang.Object

org.imixs.archive.signature.pdf.cert.CertificateVerifier

public final class CertificateVerifier
extends Object

Copied from Apache CXF 2.4.9, initial version: https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.9/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/

Method Summary

Modifier and Type	Method and Description
static Set<X509Certificate>	downloadExtraCertificates(X509Extension ext) Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension.
static boolean	isSelfSigned(X509Certificate cert) Checks whether given X.509 certificate is self-signed.
static PKIXCertPathBuilderResult	verifyCertificate(X509Certificate cert, Set<X509Certificate> additionalCerts, boolean verifySelfSignedCert, Date signDate) Attempts to build a certification chain for given certificate and to verify it.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

verifyCertificate

public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
                                                          Set<X509Certificate> additionalCerts,
                                                          boolean verifySelfSignedCert,
                                                          Date signDate)
                                                   throws CertificateVerificationException

Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates and intermediate certificates that will be used for building the certification chain. The verification process assumes that all self-signed certificates in the set are trusted root CA certificates and all other certificates in the set are intermediate certificates.

Parameters:

cert - - certificate for validation

additionalCerts - - set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.

verifySelfSignedCert - true if a self-signed certificate is accepted, false if not.

signDate - the date when the signing took place

Returns:

the certification chain (if verification is successful)

Throws:

CertificateVerificationException - - if the certification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired or CRL checks are failed)

isSelfSigned

public static boolean isSelfSigned(X509Certificate cert)
                            throws GeneralSecurityException

Checks whether given X.509 certificate is self-signed.

Parameters:

cert - The X.509 certificate to check.

Returns:

true if the certificate is self-signed, false if not.

Throws:

GeneralSecurityException

downloadExtraCertificates

public static Set<X509Certificate> downloadExtraCertificates(X509Extension ext)

Download extra certificates from the URI mentioned in id-ad-caIssuers in the "authority information access" extension. The method is lenient, i.e. catches all exceptions.

Parameters:

ext - an X509 object that can have extensions.

Returns:

a certificate set, never null.