public class CertHandler
extends Object

CertHandler is used as a singleton to hold the trusted "root" certificates from the TSA Service.
This is related to discovering trust using certificate chaining. In practice, the lowest-level timestamp certificate is returned with each timestamp. That certificate is then checked, using the X.509 certificate-chaining method, against certificates you trusted in advance by storing them on your computer. There are two options for where the certificates are stored on your system.
mySpecialConfigs.put(Constants.ROOT_CERTS_BY_NAME, "true");
Details about comparing the two methods: when the file system is used, the toolkit can find the list of files in a particular directory and load that "dynamic" list. But when loading from a jar, predefined certificate file names must be used, and only the ROOT certificates are loaded.
When using the option of storing certificates in the directory 'com.digistamp.certificates', common usage is to have Root and Audit certificates and no Timestamp certificates in the directory structure. In this configuration, during verification the Timestamp certificate is retrieved from each timestamp and then checked for correct chaining to the Root certificate stored in the directory structure.
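As an added illustration of the chaining check just described (example code written for this page, not part of the DigiStamp toolkit; `TimestampChainCheck` and `verifyAgainstRoot` are hypothetical names, and the trusted root is assumed to be already loaded as an `X509CertificateHolder`), this Bouncy Castle snippet retrieves the timestamp certificate from a token and verifies it against a pre-trusted root:

```java
import java.util.Collection;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.tsp.TSPValidationException;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Store;

/** Hypothetical class, added for illustration; not DigiStamp toolkit code. */
public class TimestampChainCheck {

    /**
     * Mirrors the flow described above: take the TSA certificate carried
     * inside the token, verify the token with it, then confirm that the
     * root trusted in advance actually issued that certificate.
     */
    static X509CertificateHolder verifyAgainstRoot(TimeStampToken token,
            X509CertificateHolder root) throws Exception {
        // 1. Pick the (so far UNVERIFIED) signer certificate that travels with the token.
        Store<X509CertificateHolder> certs = token.getCertificates();
        Collection<X509CertificateHolder> hits = certs.getMatches(token.getSID());
        if (hits.size() != 1) {
            throw new TSPValidationException("expected one signer certificate, got " + hits.size());
        }
        X509CertificateHolder tsaCert = hits.iterator().next();
        // 2. validate() checks the CMS signature, that the ESSCertID hash in the signed
        //    attributes matches tsaCert, the timeStamping EKU, and validity at genTime.
        SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(new BouncyCastleProvider()).build(tsaCert);
        token.validate(siv);
        // 3. Chaining: the pre-trusted root must be the issuer, by name AND by signature.
        //    Without this step a token signed under any self-signed certificate would pass.
        if (!tsaCert.getIssuer().equals(root.getSubject())) {
            throw new TSPValidationException("TSA certificate not issued by the trusted root");
        }
        ContentVerifierProvider rootKey = new JcaContentVerifierProviderBuilder()
                .setProvider(new BouncyCastleProvider()).build(root);
        if (!tsaCert.isSignatureValid(rootKey)) {
            throw new TSPValidationException("TSA certificate signature does not chain to root");
        }
        return tsaCert;   // the now-verified timestamp certificate
    }
}
```

The same name-plus-signature issuer check is what the toolkit's checkIssuer and isGoodTimestamp perform against the Root certificates held by CertHandler.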
The 'com.digistamp.certificates' directory has a prescribed structure:
Modifier and Type | Method and Description
---|---
static void | checkIssuer(org.bouncycastle.cert.X509CertificateHolder issuer, org.bouncycastle.cert.X509CertificateHolder child): Did this certificate issue this child certificate? Also checks the signature and path.
static org.bouncycastle.cms.SignerInformationVerifier | createSIV(org.bouncycastle.cert.X509CertificateHolder issuerCertificate): Create a SignerInformationVerifier from a single target issuer certificate.
static org.bouncycastle.cert.X509CertificateHolder | findMatch(Collection<org.bouncycastle.cert.X509CertificateHolder> certs, org.bouncycastle.tsp.TimeStampToken aTimeStamp): Find an UNVERIFIED match by ESScertID.
static org.bouncycastle.cert.X509CertificateHolder | findMatch(org.bouncycastle.util.Store<org.bouncycastle.cert.X509CertificateHolder> aStore, org.bouncycastle.tsp.TimeStampToken aTimeStamp): Find an UNVERIFIED match by ESScertID.
static org.bouncycastle.cms.SignerInformationVerifier | findMatchingCertificate(org.bouncycastle.asn1.x500.X500Name targetCertificate, ArrayList<org.bouncycastle.cms.SignerInformationVerifier> issuerCertificateList): Find an UNVERIFIED match by X500Name between a target child certificate and its Issuer.
ArrayList<org.bouncycastle.cms.SignerInformationVerifier> | getAuditCertificates(): Return all Audit Certificates associated with this CertHandler.
static com.digistamp.tsp.CertID | getCertID(org.bouncycastle.asn1.cms.AttributeTable aAttributeTable)
static com.digistamp.tsp.CertID | getCertID(org.bouncycastle.tsp.TimeStampToken aTimeStamp)
static CertHandler | getInstance(): Singleton accessor method.
ArrayList<org.bouncycastle.cms.SignerInformationVerifier> | getRootCertificates(): Return all Root Certificates associated with this CertHandler.
ArrayList<org.bouncycastle.cms.SignerInformationVerifier> | getTimestampCertificates(): Return all Timestamp Certificates associated with this CertHandler.
static org.bouncycastle.cert.X509CertificateHolder | isGoodTimestamp(org.bouncycastle.tsp.TimeStampToken aTimeStampToken, CertHandler passedCertHandler): This function performs thorough checking of the object's timestamp response.
void | setTestUntrusted(boolean untrusted, boolean rootCertsByName): Decides, and reads, the appropriate set of certificates for Trusted Production usage or Untrusted Test usage.
public static void checkIssuer(org.bouncycastle.cert.X509CertificateHolder issuer, org.bouncycastle.cert.X509CertificateHolder child) throws org.bouncycastle.operator.OperatorCreationException, org.bouncycastle.cert.CertException, org.bouncycastle.tsp.TSPValidationException
Throws:
org.bouncycastle.operator.OperatorCreationException
org.bouncycastle.cert.CertException
org.bouncycastle.tsp.TSPValidationException

public static org.bouncycastle.cms.SignerInformationVerifier createSIV(org.bouncycastle.cert.X509CertificateHolder issuerCertificate) throws Exception
Throws:
Exception

public static org.bouncycastle.cert.X509CertificateHolder findMatch(Collection<org.bouncycastle.cert.X509CertificateHolder> certs, org.bouncycastle.tsp.TimeStampToken aTimeStamp)

public static org.bouncycastle.cert.X509CertificateHolder findMatch(org.bouncycastle.util.Store<org.bouncycastle.cert.X509CertificateHolder> aStore, org.bouncycastle.tsp.TimeStampToken aTimeStamp)

public static org.bouncycastle.cms.SignerInformationVerifier findMatchingCertificate(org.bouncycastle.asn1.x500.X500Name targetCertificate, ArrayList<org.bouncycastle.cms.SignerInformationVerifier> issuerCertificateList)

public ArrayList<org.bouncycastle.cms.SignerInformationVerifier> getAuditCertificates()

public static com.digistamp.tsp.CertID getCertID(org.bouncycastle.asn1.cms.AttributeTable aAttributeTable) throws org.bouncycastle.tsp.TSPValidationException
Throws:
org.bouncycastle.tsp.TSPValidationException

public static com.digistamp.tsp.CertID getCertID(org.bouncycastle.tsp.TimeStampToken aTimeStamp) throws org.bouncycastle.tsp.TSPValidationException
Throws:
org.bouncycastle.tsp.TSPValidationException

public static CertHandler getInstance() throws IOException
Throws:
IOException

public ArrayList<org.bouncycastle.cms.SignerInformationVerifier> getRootCertificates()

public ArrayList<org.bouncycastle.cms.SignerInformationVerifier> getTimestampCertificates()

public static org.bouncycastle.cert.X509CertificateHolder isGoodTimestamp(org.bouncycastle.tsp.TimeStampToken aTimeStampToken, CertHandler passedCertHandler) throws org.bouncycastle.tsp.TSPValidationException
Parameters:
passedCertHandler - CertHandler. If you did not configure CertHandler to have trusted 'timestamp' certificates, then the certificates attached to the timestamp are searched.
Throws:
org.bouncycastle.tsp.TSPValidationException

public void setTestUntrusted(boolean untrusted, boolean rootCertsByName) throws IOException
Throws:
IOException