Field Detail

• LOGGER

  protected static final Logger LOGGER

  The Logger instance

• ocsps

  protected List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps

  The list of OCSP responses.

Constructor Detail

• OCSPVerifier

  public OCSPVerifier(CertificateVerifier verifier,
              List<org.bouncycastle.cert.ocsp.BasicOCSPResp> ocsps)

  Creates an OCSPVerifier instance.

  Parameters:

  verifier - the next verifier in the chain

  ocsps - a list of OCSP responses

Method Detail

• verify

  public List<VerificationOK> verify(X509Certificate signCert,
                            X509Certificate issuerCert,
                            Date signDate)
                              throws GeneralSecurityException,
                                     IOException

  Verifies if a a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.

  Overrides:

  verify in class RootStoreVerifier

  Parameters:

  signCert - the certificate that needs to be checked

  issuerCert - its issuer

  signDate - the date the certificate needs to be valid

  Returns:

  a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

  Throws:

  GeneralSecurityException

  IOException

  See Also:

  RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

• verify

  public boolean verify(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
               X509Certificate signCert,
               X509Certificate issuerCert,
               Date signDate)
                 throws GeneralSecurityException,
                        IOException

  Verifies a certificate against a single OCSP response

  Parameters:

  ocspResp - the OCSP response

  serialNumber - the serial number of the certificate that needs to be checked

  issuerCert -

  signDate -

  Returns:

  Throws:

  GeneralSecurityException

  IOException

• isValidResponse

  public void isValidResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                     X509Certificate issuerCert)
                       throws GeneralSecurityException,
                              IOException

  Verifies if an OCSP response is genuine

  Parameters:

  ocspResp - the OCSP response

  issuerCert - the issuer certificate

  Throws:

  GeneralSecurityException

  IOException

• verifyResponse

  public boolean verifyResponse(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                       X509Certificate responderCert)

  Verifies if the signature of the response is valid. If it doesn't verify against the responder certificate, it may verify using a trusted anchor.

  Parameters:

  ocspResp - the response object

  responderCert - the certificate that may be used to sign the response

  Returns:

  true if the response can be trusted

• isSignatureValid

  public boolean isSignatureValid(org.bouncycastle.cert.ocsp.BasicOCSPResp ocspResp,
                         Certificate responderCert)

  Checks if an OCSP response is genuine

  Parameters:

  ocspResp - the OCSP response

  responderCert - the responder certificate

  Returns:

  true if the OCSP response verifies against the responder certificate

• getOcspResponse

  public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcspResponse(X509Certificate signCert,
                                                         X509Certificate issuerCert)

  Gets an OCSP response online and returns it if the status is GOOD (without further checking).

  Parameters:

  signCert - the signing certificate

  issuerCert - the issuer certificate

  Returns:

  an OCSP response