com.itextpdf.signatures.CertificateVerifier Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of sign-android Show documentation
There is a newer version: 8.0.5
/*
    This file is part of the iText (R) project.
    Copyright (c) 1998-2024 Apryse Group NV
    Authors: Apryse Software.

    This program is offered under a commercial and under the AGPL license.
    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.

    AGPL licensing:
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see .
 */
package com.itextpdf.signatures;

import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Superclass for a series of certificate verifiers that will typically
 * be used in a chain. It wraps another CertificateVerifier
 * that is the next element in the chain of which the verify()
 * method will be called.
 */
public class CertificateVerifier {

    /** The previous CertificateVerifier in the chain of verifiers. */
    protected CertificateVerifier verifier;

    /** Indicates if going online to verify a certificate is allowed. */
    protected boolean onlineCheckingAllowed = true;

    /**
     * Creates the final CertificateVerifier in a chain of verifiers.
     *
     * @param verifier	the previous verifier in the chain
     */
    public CertificateVerifier(CertificateVerifier verifier) {
        this.verifier = verifier;
    }

    /**
     * Decide whether or not online checking is allowed.
     *
     * @param onlineCheckingAllowed a boolean indicating whether the certificate can be verified using online verification results.
     */
    public void setOnlineCheckingAllowed(boolean onlineCheckingAllowed) {
        this.onlineCheckingAllowed = onlineCheckingAllowed;
    }

    /**
     * Checks the validity of the certificate, and calls the next
     * verifier in the chain, if any.
     * @param signCert	                the certificate that needs to be checked
     * @param issuerCert	            its issuer
     * @param signDate		            the date the certificate needs to be valid
     * @return a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
     * @throws GeneralSecurityException thrown if the certificate has expired, isn't valid yet, or if an exception has been thrown in {@link java.security.cert.Certificate#verify(PublicKey) Certificate#verify}.
     */
    public List verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate)
            throws GeneralSecurityException {
        // Check if the certificate is valid on the signDate
        if (signDate != null) {
            signCert.checkValidity(signDate);
        }
        // Check if the signature is valid
        if (issuerCert != null) {
            signCert.verify(issuerCert.getPublicKey());
        }
        // Also in case, the certificate is self-signed
        else {
            signCert.verify(signCert.getPublicKey());
        }
        List result = new ArrayList<>();
        if (verifier != null)
            result.addAll(verifier.verify(signCert, issuerCert, signDate));
        return result;
    }
}