Parameters for verifying a certificate chain.
Public Member Functions

SignDocVerificationParameters() throws SignDocException
    Constructor.
void setForUpdateDSS() throws SignDocException
    Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2().
synchronized int setString(String aName, String aValue) throws SignDocException
    Set a string parameter.
synchronized int setInteger(String aName, int aValue) throws SignDocException
    Set an integer parameter.
synchronized int setBlob(String aName, byte[] aValue) throws SignDocException
    Set a blob parameter.

Static Public Attributes

static final int rc_ok = 0
    Return code for setter functions: Parameter set successfully.
static final int rc_unknown = 1
    Return code for setter functions: Unknown parameter.
static final int rc_not_supported = 2
    Return code for setter functions: Setting the parameter is not supported.
static final int rc_invalid_value = 3
    Return code for setter functions: The value for the parameter is invalid.
static final int ccvp_dont_verify = 0
    Value for integer parameter "CertificateChainVerificationPolicy": don't verify.
static final int ccvp_accept_self_signed = 1
    Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates.
static final int ccvp_accept_self_signed_with_bio = 2
    Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if biometric data is present.
static final int ccvp_accept_self_signed_with_rsa_bio = 3
    Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present.
static final int ccvp_require_trusted_root = 4
    Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate.
static final int crvp_dont_check = 0
    Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates.
static final int crvp_offline = 1
    Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server.
static final int crvp_online = 2
    Value for integer parameter "CertificateRevocationVerificationPolicy": require online server.
static final int vm_minimal = 0
    Value for integer parameter "VerificationModel": minimal.
static final int vm_chain = 1
    Value for integer parameter "VerificationModel": chain model.
static final int vm_modified_shell = 2
    Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model).
static final int vm_shell = 3
    Value for integer parameter "VerificationModel": shell model.
static final int vf_check_revocation = 0x01
    Flag for integer parameter "VerificationFlags": check the revocation state of the certificates.
static final int vf_use_crl_only = 0x02
    Flag for integer parameter "VerificationFlags": use only certificate revocation lists (CRLs) for checking the revocation state of the certificates.
static final int vf_use_ocsp_only = 0x04
    Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates.
static final int vf_offline = 0x08
    Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses.
static final int vf_enforce_next_update = 0x10
    Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses.
static final int vf_enforce_ocsp_signer = 0x20
    Flag for integer parameter "VerificationFlags": enforce correct OCSP signer.
static final int vf_online = 0x40
    Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use a server for getting CRLs and OCSP responses.
static final int vf_no_ocsp_nonce = 0x80
    Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests.
static final int vf_crl_first = 0x100
    Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points.
static final int vf_ignore_no_revocation = 0x200
    Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points.

Protected Member Functions

void finalize() throws Throwable
    Finalize this object.
Parameters for verifying a certificate chain.
If you use null instead of a SignDocVerificationParameters object, the following default values will be used (those are identical to the default values for a freshly created SignDocVerificationParameters object):
However, for SignDocDocument.updateDSS() and SignDocDocument.updateDSS2(), the following default values will be used if a null pointer is passed (those are identical to the values set by setForUpdateDSS()):
To make the signature maximally meaningful, verification parameters for SignDocDocument.addSignature() should include vf_check_revocation in integer parameter "VerificationFlags".
If integer parameter "CertificateChainVerificationPolicy" is ccvp_dont_verify, integer parameter "CertificateRevocationVerificationPolicy" must be crvp_dont_check.
de.softpro.doc.SignDocVerificationParameters.SignDocVerificationParameters() throws SignDocException
Constructor.
void de.softpro.doc.SignDocVerificationParameters.finalize() throws Throwable [protected]
Finalize this object.
Do not call this method unless you know what you are doing.
synchronized int de.softpro.doc.SignDocVerificationParameters.setBlob(String aName, byte[] aValue) throws SignDocException
Set a blob parameter.
Available blob parameters are:
Parameters:
    [in] aName   The name of the parameter (case-sensitive).
    [in] aValue  The value of the parameter.
void de.softpro.doc.SignDocVerificationParameters.setForUpdateDSS() throws SignDocException
Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2().
See SignDocVerificationParameters for the values set by this function.
synchronized int de.softpro.doc.SignDocVerificationParameters.setInteger(String aName, int aValue) throws SignDocException
Set an integer parameter.
Available integer parameters are:
Parameters:
    [in] aName   The name of the parameter (case-sensitive).
    [in] aValue  The value of the parameter.
synchronized int de.softpro.doc.SignDocVerificationParameters.setString(String aName, String aValue) throws SignDocException
Set a string parameter.
Available string parameters are:
Parameters:
    [in] aName   The name of the parameter (case-sensitive).
    [in] aValue  The value of the parameter.
final int de.softpro.doc.SignDocVerificationParameters.ccvp_accept_self_signed = 1 [static]
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates.
Accept self-signed certificates. If the signing certificate is not self-signed, it must chain up to a trusted root certificate.
final int de.softpro.doc.SignDocVerificationParameters.ccvp_accept_self_signed_with_bio = 2 [static]
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if biometric data is present.
If the signing certificate is not self-signed or if there is no biometric data, the certificate must chain up to a trusted root certificate.
final int de.softpro.doc.SignDocVerificationParameters.ccvp_accept_self_signed_with_rsa_bio = 3 [static]
Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present.
If the signing certificate is not self-signed, or if there is no biometric data, or if the biometric data is not encrypted with RSA, the certificate must chain up to a trusted root certificate.
final int de.softpro.doc.SignDocVerificationParameters.ccvp_dont_verify = 0 [static]
Value for integer parameter "CertificateChainVerificationPolicy": don't verify.
Don't verify the certificate chain, always pretend that the certificate chain is OK.
final int de.softpro.doc.SignDocVerificationParameters.ccvp_require_trusted_root = 4 [static]
Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate.
The signing certificate must chain up to a trusted root certificate.
final int de.softpro.doc.SignDocVerificationParameters.crvp_dont_check = 0 [static]
Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates.
Don't verify revocation of certificates, always pretend that certificates have not been revoked.
final int de.softpro.doc.SignDocVerificationParameters.crvp_offline = 1 [static]
Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server.
Check revocation, assume that certificates are not revoked if the revocation server is offline.
final int de.softpro.doc.SignDocVerificationParameters.crvp_online = 2 [static]
Value for integer parameter "CertificateRevocationVerificationPolicy": require online server.
Check revocation, assume that certificates are revoked if the revocation server is offline.
final int de.softpro.doc.SignDocVerificationParameters.rc_invalid_value = 3 [static]
Return code for setter functions: The value for the parameter is invalid.
final int de.softpro.doc.SignDocVerificationParameters.rc_not_supported = 2 [static]
Return code for setter functions: Setting the parameter is not supported.
final int de.softpro.doc.SignDocVerificationParameters.rc_ok = 0 [static]
Return code for setter functions: Parameter set successfully.
final int de.softpro.doc.SignDocVerificationParameters.rc_unknown = 1 [static]
Return code for setter functions: Unknown parameter.
final int de.softpro.doc.SignDocVerificationParameters.vf_check_revocation = 0x01 [static]
Flag for integer parameter "VerificationFlags": check the revocation state of the certificates.
final int de.softpro.doc.SignDocVerificationParameters.vf_crl_first = 0x100 [static]
Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points.
If this flag is set, CRLs will be tried first, which has the advantage that CRLs can be cached.
If this flag is not set, OCSP will be tried first, which has the advantage that OCSP responses are usually smaller than CRLs.
final int de.softpro.doc.SignDocVerificationParameters.vf_enforce_next_update = 0x10 [static]
Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses.
If this flag is set, CRLs and OCSP responses whose nextUpdate time is before the signing time or verification time (depending on the verification model) will be ignored. See also integer parameter "ComputeOfflineNextUpdate".
This flag is ignored unless vf_check_revocation is set. If this flag is set, there are more cases in which an OCSP or CRL server needs to be contacted.
final int de.softpro.doc.SignDocVerificationParameters.vf_enforce_ocsp_signer = 0x20 [static]
Flag for integer parameter "VerificationFlags": enforce correct OCSP signer.
If this flag is set, an OCSP response must be signed by the issuer certificate or by a delegate issued by the issuer certificate.
If this flag is not set, any trusted signer will be accepted as OCSP signer.
This flag is ignored unless vf_check_revocation is set.
final int de.softpro.doc.SignDocVerificationParameters.vf_ignore_no_revocation = 0x200 [static]
Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points.
If this flag is set, certificates that have neither CRL distribution points nor OCSP distribution points will be ignored during revocation checking.
If this flag is not set, certificates that have neither CRL distribution points nor OCSP distribution points cause revocation checking to fail (result SignDocVerificationResult.crs_not_checked for SignDocVerificationResult.getCertificateRevocationState()) unless there is a revoked certificate (result SignDocVerificationResult.crs_revoked for SignDocVerificationResult.getCertificateRevocationState()).
final int de.softpro.doc.SignDocVerificationParameters.vf_no_ocsp_nonce = 0x80 [static]
Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests.
If this flag is set, OCSP requests won't use a nonce. This enables OCSP responders to cache responses, but it also enables attackers to mount replay attacks with old responses.
If this flag is not set, a nonce is used in OCSP requests (and is therefore required in OCSP responses).
final int de.softpro.doc.SignDocVerificationParameters.vf_offline = 0x08 [static]
Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses.
This flag is ignored unless vf_check_revocation is set. vf_online must not be set if this flag is set.
final int de.softpro.doc.SignDocVerificationParameters.vf_online = 0x40 [static]
Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use a server for getting CRLs and OCSP responses.
This flag is ignored unless vf_check_revocation is set. vf_offline must not be set if this flag is set.
final int de.softpro.doc.SignDocVerificationParameters.vf_use_crl_only = 0x02 [static]
Flag for integer parameter "VerificationFlags": use only certificate revocation lists (CRLs) for checking the revocation state of the certificates.
This flag is ignored unless vf_check_revocation is set. vf_use_ocsp_only must not be set if this flag is set.
final int de.softpro.doc.SignDocVerificationParameters.vf_use_ocsp_only = 0x04 [static]
Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates.
This flag is ignored unless vf_check_revocation is set. vf_use_crl_only must not be set if this flag is set.
final int de.softpro.doc.SignDocVerificationParameters.vm_chain = 1 [static]
Value for integer parameter "VerificationModel": chain model.
Each certificate in the chain (except for the root certificate) must have been issued during the validity time period of its issuer certificate. The signing certificate must be valid at signing time.
final int de.softpro.doc.SignDocVerificationParameters.vm_minimal = 0 [static]
Value for integer parameter "VerificationModel": minimal.
The signing certificate must be valid at signing time. Apparently, this is what Adobe Reader does.
final int de.softpro.doc.SignDocVerificationParameters.vm_modified_shell = 2 [static]
Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model).
All certificates in the chain must be valid at signing time.
final int de.softpro.doc.SignDocVerificationParameters.vm_shell = 3 [static]
Value for integer parameter "VerificationModel": shell model.
All certificates in the chain must be valid at verification time and the signing certificate must be valid at signing time.
The shell model is not really suitable for digital signatures as it allows for repudiation of signatures. An exception is LTV (long term validity) validation, as signatures are validated at times in the past established by document time stamps.
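The following is an added example, not code from the SignDoc SDK or from this page: a small helper that builds a strict SignDocVerificationParameters with the setInteger() parameter names and constants listed here, and refuses up front the combinations this page marks as invalid or as silently ignored (ccvp_dont_verify without crvp_dont_check, vf_offline with vf_online, vf_use_crl_only with vf_use_ocsp_only, revocation flags without vf_check_revocation). The class name StrictVerificationParams is hypothetical, and it is assumed that SignDocException lives in de.softpro.doc and that the constants are public.

```java
import de.softpro.doc.SignDocException;
import de.softpro.doc.SignDocVerificationParameters;
import static de.softpro.doc.SignDocVerificationParameters.*;

/** Hypothetical helper: builds a strict parameter set and rejects combinations this API documents as invalid. */
public final class StrictVerificationParams {
    // Flags the documentation says are ignored unless vf_check_revocation is also set.
    static final int NEEDS_CHECK_REVOCATION = vf_use_crl_only | vf_use_ocsp_only | vf_offline | vf_online
            | vf_enforce_next_update | vf_enforce_ocsp_signer;

    /** Rejects flag words that combine mutually exclusive or silently ignored "VerificationFlags" bits. */
    static void checkFlagConsistency(int flags) {
        if ((flags & vf_use_crl_only) != 0 && (flags & vf_use_ocsp_only) != 0) {
            throw new IllegalArgumentException("vf_use_crl_only and vf_use_ocsp_only must not both be set");
        }
        if ((flags & vf_offline) != 0 && (flags & vf_online) != 0) {
            throw new IllegalArgumentException("vf_offline and vf_online must not both be set");
        }
        if ((flags & NEEDS_CHECK_REVOCATION) != 0 && (flags & vf_check_revocation) == 0) {
            throw new IllegalArgumentException("revocation flags given without vf_check_revocation; they would be ignored");
        }
    }

    /** Turns a setter return code into an exception so an unknown or rejected parameter cannot weaken the policy. */
    static void require(int rc, String name) {
        if (rc != rc_ok) {
            throw new IllegalStateException("setInteger(\"" + name + "\") failed, return code " + rc);
        }
    }

    static SignDocVerificationParameters build(int chainPolicy, int revocationPolicy, int model, int flags)
            throws SignDocException {
        // Documented constraint: ccvp_dont_verify requires crvp_dont_check.
        if (chainPolicy == ccvp_dont_verify && revocationPolicy != crvp_dont_check) {
            throw new IllegalArgumentException("ccvp_dont_verify requires crvp_dont_check");
        }
        checkFlagConsistency(flags);
        SignDocVerificationParameters p = new SignDocVerificationParameters();
        require(p.setInteger("CertificateChainVerificationPolicy", chainPolicy), "CertificateChainVerificationPolicy");
        require(p.setInteger("CertificateRevocationVerificationPolicy", revocationPolicy), "CertificateRevocationVerificationPolicy");
        require(p.setInteger("VerificationModel", model), "VerificationModel");
        require(p.setInteger("VerificationFlags", flags), "VerificationFlags");
        return p;
    }

    /** Strict profile for SignDocDocument.addSignature(): trusted root, online revocation, chain model, OCSP nonce kept. */
    static SignDocVerificationParameters strictForSigning() throws SignDocException {
        int flags = vf_check_revocation | vf_enforce_next_update | vf_enforce_ocsp_signer;
        return build(ccvp_require_trusted_root, crvp_online, vm_chain, flags);
    }
}
```

The strict profile deliberately leaves vf_no_ocsp_nonce clear so OCSP responses cannot be replayed, and treats any rc_unknown, rc_not_supported or rc_invalid_value return as a hard failure rather than continuing with a weaker default.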