public class TrustVerifier
extends java.lang.Object
Modifier and Type | Field and Description |
---|---|
protected java.io.PrintWriter |
debugWriter_
Writer to which debug information may be written.
|
protected java.util.Hashtable |
trustedCerts_
Trust store holding the certificates using IssuerAndSerialNumber as key.
|
Constructor and Description |
---|
TrustVerifier()
Creates a new TrustVerifier.
|
Modifier and Type | Method and Description |
---|---|
void |
addTrustedCertificate(iaik.x509.X509Certificate cert)
Adds a trusted certificate.
|
boolean |
checkEMail(java.lang.String emailFROM,
iaik.x509.X509Certificate signer)
Checks if the email given in the From header corresponds to the one
given in the certificate.
|
iaik.x509.X509Certificate[] |
getCertificates(java.security.Principal subjectDN)
Returns all certificates with the given subjectDN.
|
iaik.x509.X509Certificate[] |
getCertificates(java.lang.String email)
Returns all certificates with the given email address.
|
static java.util.Enumeration |
getEmailAddresses(iaik.x509.X509Certificate cert)
Returns the email adresses of the subject in the given certificate.
|
java.util.Enumeration |
getTrustedCertificates()
Enumerates the explicitly trusted certificates.
|
iaik.x509.X509Certificate |
getTrustedIssuerCert(iaik.x509.X509Certificate cert)
Gets the issuer certificate of the given certificate (if available in
the pool of trusted certificates).
|
iaik.x509.X509Certificate[] |
getTrustedIssuerCerts(iaik.x509.X509Certificate cert)
Gets all issuer certificates of the given certificate (if available in
the pool of trusted certificates).
|
boolean |
isTrustedCertificate(iaik.x509.X509Certificate cert)
Checks if the given certificate is explicitly trusted.
|
boolean |
removeTrustedCertificate(iaik.x509.X509Certificate cert)
Removes a trusted certificate.
|
void |
setDebugStream(java.io.OutputStream out)
Sets the stream to which debug information shall be printed.
|
int |
size()
Returns the number of explicitly trusted certificates.
|
void |
verifyCertificateChain(iaik.x509.X509Certificate[] certs)
Verifies a certificate chain.
|
void |
verifyCertificateChain(iaik.x509.X509Certificate[] certs,
java.lang.String debugID)
Verifies a certificate chain.
|
boolean |
verifyChain(iaik.x509.X509Certificate[] certs)
Deprecated.
use
verifyCertificateChain instead |
boolean |
verifyChain(iaik.x509.X509Certificate[] certs,
java.lang.String debugID)
Deprecated.
use
verifyCertificateChain instead |
protected java.util.Hashtable trustedCerts_
protected java.io.PrintWriter debugWriter_
public TrustVerifier()
public void addTrustedCertificate(iaik.x509.X509Certificate cert)
cert
- the trusted certificate to be added.public boolean removeTrustedCertificate(iaik.x509.X509Certificate cert)
cert
- the certificate to be removed from the trust repositorytrue
if the cert successfully has been remove, false
otherwisepublic int size()
public java.util.Enumeration getTrustedCertificates()
public iaik.x509.X509Certificate[] getCertificates(java.security.Principal subjectDN)
subjectDN
- the subjectDN to be searched forpublic iaik.x509.X509Certificate[] getCertificates(java.lang.String email)
email
- the email address to be searched forpublic boolean isTrustedCertificate(iaik.x509.X509Certificate cert)
cert
- the cert which shall be checked for trusttrue
if the cert is trusted, false
otherwisepublic iaik.x509.X509Certificate getTrustedIssuerCert(iaik.x509.X509Certificate cert)
cert
- the cert to be searched for a trusted issuernull
if no trusted issuer cert
is in the repositorypublic iaik.x509.X509Certificate[] getTrustedIssuerCerts(iaik.x509.X509Certificate cert)
cert
- the cert to be searched for trusted issuerspublic boolean verifyChain(iaik.x509.X509Certificate[] certs)
verifyCertificateChain
insteadThis implementation does the following in order:
verifyCert()
.
If any call returns true it returns true, if any throws an exception it
returns false.
size()
returns 0, i.e. no certificates are
trusted at all.
That means invalid certificate chains (signatures that do not verify, expired certificates) are never accepted. If trusted certificates are set only valid chains containing a trusted certificate are accepted, otherwise all valid chains are accepted.
certs
- the cert chain to be verifiedtrue
if the chain verifies up to a trusted certificate or
the chain verifies and there are no trusted certificates in the pool (all
is trusted), false
otherwisepublic boolean verifyChain(iaik.x509.X509Certificate[] certs, java.lang.String debugID)
verifyCertificateChain
insteadThis implementation does the following in order:
verifyCert()
.
If any call returns true it returns true, if any throws an exception it
returns false.
size()
returns 0, i.e. no certificates are
trusted at all.
That means invalid certificate chains (signatures that do not verify, expired certificates) are never accepted. If trusted certificates are set only valid chains containing a trusted certificate are accepted, otherwise all valid chains are accepted.
certs
- the cert chain to be verifieddebugID
- an ID to may be printed in front of debug messages; may be null
true
if the chain verifies up to a trusted certificate or
the chain verifies and there are no trusted certificates in the pool (all
is trusted), false
otherwisepublic void verifyCertificateChain(iaik.x509.X509Certificate[] certs) throws java.security.cert.CertificateException
This implementation does the following in order:
verifyCert()
.
If any call returns true it returns true, if any throws an exception it
returns false.
size()
returns 0, i.e. no certificates are
trusted at all.
That means invalid certificate chains (signatures that do not verify, expired certificates) are never accepted. If trusted certificates are set only valid chains containing a trusted certificate are accepted, otherwise all valid chains are accepted.
certs
- the cert chain to be verifiedjava.security.cert.CertificateException
- if the chain does not verify up to a trusted certificatepublic void verifyCertificateChain(iaik.x509.X509Certificate[] certs, java.lang.String debugID) throws java.security.cert.CertificateException
This implementation does the following in order:
verifyCert()
.
If any call returns true it returns true, if any throws an exception it
returns false.
size()
returns 0, i.e. no certificates are
trusted at all.
That means invalid certificate chains (signatures that do not verify, expired certificates) are never accepted. If trusted certificates are set only valid chains containing a trusted certificate are accepted, otherwise all valid chains are accepted.
certs
- the cert chain to be verifieddebugID
- an ID to may be printed in front of debug messages; may be null
java.security.cert.CertificateException
- if the chain does not verify up to a trusted certificatepublic void setDebugStream(java.io.OutputStream out)
out
- the stream to which debug information shall be written;
maybe null
for disabling debug outputpublic boolean checkEMail(java.lang.String emailFROM, iaik.x509.X509Certificate signer)
emailFROM
- the email given in the From header field (the email has to be
formatted as an "addr-spec" as defined in RFC 822. An addr-spec
has the form "local-part@domain".signer
- the signer certificatetrue
if this certificate contains an email that matches
to the From: email, or if the certificate does not contain an email
but is a CA certificate; false
if emails are present
in the certificate but none of them matches to the From: email, or
if the certificate is an end entity certificate without an emailpublic static java.util.Enumeration getEmailAddresses(iaik.x509.X509Certificate cert)
cert
- the certificate to be searched for any included email address