Package com.itextpdf.text.pdf.security

Class CRLVerifier

java.lang.Object

com.itextpdf.text.pdf.security.CertificateVerifier

com.itextpdf.text.pdf.security.RootStoreVerifier

com.itextpdf.text.pdf.security.CRLVerifier

public class CRLVerifier
extends RootStoreVerifier

Class that allows you to verify a certificate against one or more Certificate Revocation Lists.

Field Summary

Fields

Modifier and Type	Field	Description
protected static Logger	LOGGER	The Logger instance

Fields inherited from class com.itextpdf.text.pdf.security.CertificateVerifier

onlineCheckingAllowed, verifier

Fields inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier

rootStore

Constructor Summary

Constructors

Constructor	Description
CRLVerifier(CertificateVerifier verifier, List<X509CRL> crls)	Creates a CRLVerifier instance.

Method Summary

Modifier and Type	Method	Description
X509CRL	getCRL(X509Certificate signCert, X509Certificate issuerCert)	Fetches a CRL for a specific certificate online (without further checking).
boolean	isSignatureValid(X509CRL crl, X509Certificate crlIssuer)	Checks if a CRL verifies against the issuer certificate or a trusted anchor.
List<VerificationOK>	verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate)	Verifies if a a valid CRL is found for the certificate.
boolean	verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate)	Verifies a certificate against a single CRL.

Methods inherited from class com.itextpdf.text.pdf.security.CertificateVerifier

setOnlineCheckingAllowed

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from class com.itextpdf.text.pdf.security.RootStoreVerifier

setRootStore

Field Detail

LOGGER

protected static final Logger LOGGER

The Logger instance

Constructor Detail

CRLVerifier

public CRLVerifier(CertificateVerifier verifier,
                   List<X509CRL> crls)

Creates a CRLVerifier instance.

Parameters:

verifier - the next verifier in the chain

crls - a list of CRLs

Method Detail

verify

public List<VerificationOK> verify(X509Certificate signCert,
                                   X509Certificate issuerCert,
                                   Date signDate)
                            throws GeneralSecurityException,
                                   IOException

Verifies if a a valid CRL is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any CRL that was available.

Overrides:

verify in class RootStoreVerifier

Parameters:

signCert - the certificate that needs to be checked

issuerCert - its issuer

signDate - the date the certificate needs to be valid

Returns:

a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Throws:

GeneralSecurityException

IOException

See Also:

RootStoreVerifier.verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

verify

public boolean verify(X509CRL crl,
                      X509Certificate signCert,
                      X509Certificate issuerCert,
                      Date signDate)
               throws GeneralSecurityException

Verifies a certificate against a single CRL.

Parameters:

crl - the Certificate Revocation List

signCert - a certificate that needs to be verified

issuerCert - its issuer

signDate - the sign date

Returns:

true if the verification succeeded

Throws:

GeneralSecurityException

getCRL

public X509CRL getCRL(X509Certificate signCert,
                      X509Certificate issuerCert)

Fetches a CRL for a specific certificate online (without further checking).

Parameters:

signCert - the certificate

issuerCert - its issuer

Returns:

an X509CRL object

isSignatureValid

public boolean isSignatureValid(X509CRL crl,
                                X509Certificate crlIssuer)

Checks if a CRL verifies against the issuer certificate or a trusted anchor.

Parameters:

crl - the CRL

crlIssuer - the trusted anchor

Returns:

true if the CRL can be trusted