/*
This file is part of the iText (R) project.
Copyright (c) 1998-2025 Apryse Group NV
Authors: Apryse Software.
This program is offered under a commercial and under the AGPL license.
For commercial licensing, contact us at https://itextpdf.com/sales. For AGPL licensing, see below.
AGPL licensing:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package com.itextpdf.signatures.validation;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/**
* Trusted certificates storage class to be used to configure trusted certificates in a particular way.
*/
public class TrustedCertificatesStore {
private final Map> generallyTrustedCertificates = new HashMap<>();
private final Map> ocspTrustedCertificates = new HashMap<>();
private final Map> timestampTrustedCertificates = new HashMap<>();
private final Map> crlTrustedCertificates = new HashMap<>();
private final Map> caTrustedCertificates = new HashMap<>();
/**
* Add collection of certificates to be trusted for any possible usage.
*
* @param certificates {@link Collection} of {@link Certificate} instances
*/
public void addGenerallyTrustedCertificates(Collection certificates) {
for (Certificate certificate : certificates) {
addCertificateToMap(certificate, generallyTrustedCertificates);
}
}
/**
* Add collection of certificates to be trusted for OCSP response signing.
* These certificates are considered to be valid trust anchors for
* arbitrarily long certificate chain responsible for OCSP response generation.
*
* @param certificates {@link Collection} of {@link Certificate} instances
*/
public void addOcspTrustedCertificates(Collection certificates) {
for (Certificate certificate : certificates) {
addCertificateToMap(certificate, ocspTrustedCertificates);
}
}
/**
* Add collection of certificates to be trusted for CRL signing.
* These certificates are considered to be valid trust anchors for
* arbitrarily long certificate chain responsible for CRL generation.
*
* @param certificates {@link Collection} of {@link Certificate} instances
*/
public void addCrlTrustedCertificates(Collection certificates) {
for (Certificate certificate : certificates) {
addCertificateToMap(certificate, crlTrustedCertificates);
}
}
/**
* Add collection of certificates to be trusted for timestamping.
* These certificates are considered to be valid trust anchors for
* arbitrarily long certificate chain responsible for timestamp generation.
*
* @param certificates {@link Collection} of {@link Certificate} instances
*/
public void addTimestampTrustedCertificates(Collection certificates) {
for (Certificate certificate : certificates) {
addCertificateToMap(certificate, timestampTrustedCertificates);
}
}
/**
* Add collection of certificates to be trusted to be CA certificates.
* These certificates are considered to be valid trust anchors for certificate generation.
*
* @param certificates {@link Collection} of {@link Certificate} instances
*/
public void addCATrustedCertificates(Collection certificates) {
for (Certificate certificate : certificates) {
addCertificateToMap(certificate, caTrustedCertificates);
}
}
/**
* Check if provided certificate is configured to be trusted for any purpose.
*
* @param certificate {@link Certificate} to be checked
*
* @return {@code true} is provided certificate is generally trusted, {@code false} otherwise
*/
public boolean isCertificateGenerallyTrusted(Certificate certificate) {
return mapContainsCertificate(certificate, generallyTrustedCertificates);
}
/**
* Check if provided certificate is configured to be trusted for OCSP response generation.
*
* @param certificate {@link Certificate} to be checked
*
* @return {@code true} is provided certificate is trusted for OCSP generation, {@code false} otherwise
*/
public boolean isCertificateTrustedForOcsp(Certificate certificate) {
return mapContainsCertificate(certificate, ocspTrustedCertificates);
}
/**
* Check if provided certificate is configured to be trusted for CRL generation.
*
* @param certificate {@link Certificate} to be checked
*
* @return {@code true} is provided certificate is trusted for CRL generation, {@code false} otherwise
*/
public boolean isCertificateTrustedForCrl(Certificate certificate) {
return mapContainsCertificate(certificate, crlTrustedCertificates);
}
/**
* Check if provided certificate is configured to be trusted for timestamp generation.
*
* @param certificate {@link Certificate} to be checked
*
* @return {@code true} is provided certificate is trusted for timestamp generation, {@code false} otherwise
*/
public boolean isCertificateTrustedForTimestamp(Certificate certificate) {
return mapContainsCertificate(certificate, timestampTrustedCertificates);
}
/**
* Check if provided certificate is configured to be trusted to be CA.
*
* @param certificate {@link Certificate} to be checked
*
* @return {@code true} is provided certificate is trusted for certificates generation, {@code false} otherwise
*/
public boolean isCertificateTrustedForCA(Certificate certificate) {
return mapContainsCertificate(certificate, caTrustedCertificates);
}
/**
* Get certificates, if any, which is trusted for any usage, which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getGenerallyTrustedCertificates(String certificateName) {
return generallyTrustedCertificates.getOrDefault(certificateName, Collections.emptySet());
}
/**
* Get certificates, if any, which is trusted for OCSP response generation,
* which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getCertificatesTrustedForOcsp(String certificateName) {
return ocspTrustedCertificates.getOrDefault(certificateName, Collections.emptySet());
}
/**
* Get certificates, if any, which is trusted for CRL generation,
* which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getCertificatesTrustedForCrl(String certificateName) {
return crlTrustedCertificates.getOrDefault(certificateName, Collections.emptySet());
}
/**
* Get certificate, if any, which is trusted for timestamp generation,
* which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getCertificatesTrustedForTimestamp(String certificateName) {
return timestampTrustedCertificates.getOrDefault(certificateName, Collections.emptySet());
}
/**
* Get certificates, if any,
* which is trusted to be a CA, which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getCertificatesTrustedForCA(String certificateName) {
return caTrustedCertificates.getOrDefault(certificateName, Collections.emptySet());
}
/**
* Get certificates, if any, which corresponds to the provided certificate name.
*
* @param certificateName {@link String} certificate name
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getKnownCertificates(String certificateName) {
Set result = new HashSet<>();
addMatched(result, generallyTrustedCertificates, certificateName);
addMatched(result, ocspTrustedCertificates, certificateName);
addMatched(result, crlTrustedCertificates, certificateName);
addMatched(result, timestampTrustedCertificates, certificateName);
addMatched(result, caTrustedCertificates, certificateName);
return result;
}
/**
* Get all the certificates, which where provided to this storage as trusted certificate.
*
* @return {@link Collection} of {@link Certificate} instances
*/
public Collection getAllTrustedCertificates() {
Set certificates = new HashSet<>();
for (Set set : generallyTrustedCertificates.values()) {
certificates.addAll(set);
}
for (Set set : ocspTrustedCertificates.values()) {
certificates.addAll(set);
}
for (Set set : crlTrustedCertificates.values()) {
certificates.addAll(set);
}
for (Set set : timestampTrustedCertificates.values()) {
certificates.addAll(set);
}
for (Set set : caTrustedCertificates.values()) {
certificates.addAll(set);
}
return certificates;
}
/**
* Get all the certificates having name as subject, which where provided to this storage as trusted certificate.
*
* @param name the subject name value for which to retrieve all trusted certificate
*
* @return set of {@link Certificate} which correspond to the provided certificate name
*/
public Set getAllTrustedCertificates(String name) {
Set certificates = new HashSet<>();
Set set = generallyTrustedCertificates.get(name);
if (set != null) {
certificates.addAll(set);
}
set = ocspTrustedCertificates.get(name);
if (set != null) {
certificates.addAll(set);
}
set = crlTrustedCertificates.get(name);
if (set != null) {
certificates.addAll(set);
}
set = timestampTrustedCertificates.get(name);
if (set != null) {
certificates.addAll(set);
}
set = caTrustedCertificates.get(name);
if (set != null) {
certificates.addAll(set);
}
return certificates;
}
private static void addCertificateToMap(Certificate certificate, Map> map) {
String name = ((X509Certificate) certificate).getSubjectX500Principal().getName();
Set set = map.computeIfAbsent(name, k -> new HashSet<>());
set.add(certificate);
}
private static boolean mapContainsCertificate(Certificate certificate, Map> map) {
Set set = map.get(((X509Certificate) certificate).getSubjectX500Principal().getName());
if (set == null) {
return false;
}
return set.contains(certificate);
}
private static void addMatched(Set target, Map> source,
String certificateName) {
Set subset = source.get(certificateName);
if (subset != null) {
target.addAll(subset);
}
}
}