SignDoc SDK (Java)
5.0.0
|
Parameters for verifying a certificate chain. More...
Public Member Functions | |
SignDocVerificationParameters () throws SignDocException | |
Constructor. More... | |
void | setForUpdateDSS () throws SignDocException |
Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2(). More... | |
synchronized void | setString (String aName, String aValue) throws SignDocException |
Set a string parameter. More... | |
synchronized void | setInteger (String aName, int aValue) throws SignDocException |
Set an integer parameter. More... | |
synchronized void | setBlob (String aName, byte[] aValue) throws SignDocException |
Set a blob parameter. More... | |
synchronized void | close () |
Destroy the underlying native object (for java.lang.AutoCloseable). More... | |
Static Public Attributes | |
static final int | ccvp_dont_verify = 0 |
Value for integer parameter "CertificateChainVerificationPolicy": don't verify. More... | |
static final int | ccvp_accept_self_signed = 1 |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates. More... | |
static final int | ccvp_accept_self_signed_with_bio = 2 |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates: Accept self-signed certificates if biometric data is present. More... | |
static final int | ccvp_accept_self_signed_with_rsa_bio = 3 |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present. More... | |
static final int | ccvp_require_trusted_root = 4 |
Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate. More... | |
static final int | crvp_dont_check = 0 |
Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates. More... | |
static final int | crvp_offline = 1 |
Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server. More... | |
static final int | crvp_online = 2 |
Value for integer parameter "CertificateRevocationVerificationPolicy": require online server. More... | |
static final int | vm_minimal = 0 |
Value for integer parameter "VerificationModel": minimal. More... | |
static final int | vm_chain = 1 |
Value for integer parameter "VerificationModel": chain model. More... | |
static final int | vm_modified_shell = 2 |
Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model). More... | |
static final int | vm_shell = 3 |
Value for integer parameter "VerificationModel": shell model. More... | |
static final int | vf_check_revocation = 0x01 |
Flag for integer parameter "VerificationFlags": check the revocation state of the certificates. More... | |
static final int | vf_use_crl_only = 0x02 |
Flag for integer parameter "VerificationFlags": use only certification revocation lists for checking the revocation state of the certificates. More... | |
static final int | vf_use_ocsp_only = 0x04 |
Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates. More... | |
static final int | vf_offline = 0x08 |
Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses. More... | |
static final int | vf_enforce_next_update = 0x10 |
Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses. More... | |
static final int | vf_enforce_ocsp_signer = 0x20 |
Flag for integer parameter "VerificationFlags": enforce correct OCSP signer. More... | |
static final int | vf_online = 0x40 |
Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use server for getting CRLs and OCSP responses. More... | |
static final int | vf_no_ocsp_nonce = 0x80 |
Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests. More... | |
static final int | vf_crl_first = 0x100 |
Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points. More... | |
static final int | vf_ignore_no_revocation = 0x200 |
Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points. More... | |
Protected Member Functions | |
void | finalize () throws Throwable |
Finalize this object. More... | |
Parameters for verifying a certificate chain.
If you use null instead of a SignDocVerificationParameters object, the following default values will be used (those are identical to the default values for a freshly created SignDocVerificationParameters object):
However, for SignDocDocument.updateDSS() and SignDocDocument.updateDSS2(), the following default values will be used if a null pointer is passed (those are identical to the values set by setForUpdateDSS()):
To make the signature maximally meaningful, verification parameters for SignDocDocument.addSignature() should include vf_check_revocation in integer parameter "VerificationFlags".
If integer parameter "CertificateChainVerificationPolicy" is ccvp_dont_verify, integer parameter "CertificateRevocationVerificationPolicy" must be crvp_dont_check.
SignDocVerificationParameters | ( | ) | throws SignDocException |
synchronized void close | ( | ) |
Destroy the underlying native object (for java.lang.AutoCloseable).
After calling this method, all methods but close() will throw SignDocUnexpectedErrorException.
|
protected |
Finalize this object.
Do not call this method unless you know what you are doing.
synchronized void setBlob | ( | String | aName, |
byte[] | aValue | ||
) | throws SignDocException |
Set a blob parameter.
Available blob parameters are:
This function throws SignDocUnknownParameterException if aName is not the name of a blob parameter, SignDocInvalidValueException if aValue is invalid.
[in] | aName | The name of the parameter (case-sensitive). |
[in] | aValue | The value of the parameter. |
void setForUpdateDSS | ( | ) | throws SignDocException |
Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2().
See SignDocVerificationParameters for the values set by this function.
synchronized void setInteger | ( | String | aName, |
int | aValue | ||
) | throws SignDocException |
Set an integer parameter.
Available integer parameters are:
This function throws SignDocUnknownParameterException if aName is not the name of an integer parameter, SignDocInvalidValueException if aValue is invalid.
[in] | aName | The name of the parameter (case-sensitive). |
[in] | aValue | The value of the parameter. |
synchronized void setString | ( | String | aName, |
String | aValue | ||
) | throws SignDocException |
Set a string parameter.
Available string parameters are:
This function throws SignDocUnknownParameterException if aName is not the name of a string parameter, SignDocInvalidValueException if aValue is invalid.
[in] | aName | The name of the parameter (case-sensitive). |
[in] | aValue | The value of the parameter. |
|
static |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates.
Accept self-signed certificates. If the signing certificate is not self-signed, it must chain up to a trusted root certificate.
|
static |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates: Accept self-signed certificates if biometric data is present.
If the signing certificate is not self-signed or if there is no biometric data, the certificate must chain up to a trusted root certificate.
|
static |
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present.
If the signing certificate is not self-signed or if there is no biometric data or if the biometric data is not encrypted with RSA, the certificate must chain up to a trusted root certificate.
|
static |
Value for integer parameter "CertificateChainVerificationPolicy": don't verify.
Don't verify the certificate chain, always pretend that the certificate chain is OK.
|
static |
Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate.
The signing certificate must chain up to a trusted root certificate.
|
static |
Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates.
Don't verify revocation of certificates, always pretend that certificates have not been revoked.
|
static |
Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server.
Check revocation, assume that certificates are not revoked if the revocation server is offline.
|
static |
Value for integer parameter "CertificateRevocationVerificationPolicy": require online server.
Check revocation, assume that certificates are revoked if the revocation server is offline.
|
static |
Flag for integer parameter "VerificationFlags": check the revocation state of the certificates.
|
static |
Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points.
If this flag is set, CRLs will be tried first which has the advantage of CRLs being cacheable.
If this flag is not set, OCSP will be tried first which has the advantage of OCSP responses being usually smaller than CRLs.
|
static |
Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses.
If this flag is set, CRLs and OCSP responses whose nextUpdate time is before the signing time or verification time (depending on the verification model) will be ignored. See also integer parameter "ComputeOfflineNextUpdate".
This flag is ignored unless vf_check_revocation is set. If this flag is set, there are more cases in which an OCSP or CRL server needs to be contacted.
|
static |
Flag for integer parameter "VerificationFlags": enforce correct OCSP signer.
If this flag is set, an OCSP response must be signed by the issuer certificate or a delegate issued by the issuer certificate.
This flag flag is not set, any trusted signer will be accepted as OCSP signer.
This flag is ignored unless vf_check_revocation is set.
|
static |
Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points.
If this flag is set, certificates that have neither CRL distribution points nor OCSP distribution points will be ignored during revocation checking.
If this flag is not set, certificates that have neither CRL distribution points nor OCSP distribution points cause revocation checking to fail (result SignDocVerificationResult.crs_not_checked for SignDocVerificationResult.getCertificateRevocationState()) unless there is a revoked certificate (result SignDocVerificationResult.crs_revoked for SignDocVerificationResult.getCertificateRevocationState()).
|
static |
Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests.
If this flag is set, OCSP requests won't use a nonce, enabling OCSP responders to cache responses and enabling attackers to mount replay attacks.
If this flag is not set, a nonce is used in OCSP requests (and is therefore required in OCSP responses).
|
static |
Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses.
This flag is ignored unless vf_check_revocation is set. vf_online must not be set if this flag is set.
|
static |
Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use server for getting CRLs and OCSP responses.
This flag is ignored unless vf_check_revocation is set. vf_offline must not be set if this flag is set.
|
static |
Flag for integer parameter "VerificationFlags": use only certification revocation lists for checking the revocation state of the certificates.
This flag is ignored unless vf_check_revocation is set. vf_use_ocsp_only must not be set if this flag is set.
|
static |
Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates.
This flag is ignored unless vf_check_revocation is set. vf_use_crl_only must not be set if this flag is set.
|
static |
Value for integer parameter "VerificationModel": chain model.
Each certificate in the chain (except for the root certificate) must have been issued during the validity time period of its issuer certificate. The signing certificate must be valid at signing time.
|
static |
Value for integer parameter "VerificationModel": minimal.
The signing certificate must be valid at signing time. Apparently, this is what Adobe Reader does.
|
static |
Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model).
All certificates in the chain must be valid at signing time.
|
static |
Value for integer parameter "VerificationModel": shell model.
All certificates in the chain must be valid at verification time and the signing certificate must be valid at signing time.
The shell model is not really suitable for digital signatures as it allows for repudiation of signatures. An exception is LTV (long term validity) validation as signatures are validated at times in the past established by document time stamps.