Example 1 with CertificationChainData

Use of xades4j.verification.QualifyingPropertyVerificationContext.CertificationChainData in project xades4j by luisgoncalves.

From the class SigningCertificateVerifier, method verify. This is the verifier for the XAdES SigningCertificate qualifying property: it checks that the certificate which validated the signature is the one the signer committed to inside the signed properties, so that swapping the certificate in ds:KeyInfo for another one is detected.

// Imports for the types used below. The Signing*Exception classes and
// QualifyingPropertyVerificationContext live in xades4j.verification, the same
// package as this verifier. messageDigestProvider is the verifier's
// MessageDigestEngineProvider field (injected in the constructor, not shown here).
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import javax.security.auth.x500.X500Principal;
import xades4j.properties.QualifyingProperty;
import xades4j.properties.SigningCertificateProperty;
import xades4j.properties.data.CertRef;
import xades4j.properties.data.SigningCertificateData;
import xades4j.verification.QualifyingPropertyVerificationContext.CertificationChainData;

@Override
public QualifyingProperty verify(SigningCertificateData propData, QualifyingPropertyVerificationContext ctx) throws SigningCertificateVerificationException {
    Collection<CertRef> certRefs = propData.getCertRefs();
    CertificationChainData certChainData = ctx.getCertChainData();
    // The first element of the certification path is the certificate that validated the signature.
    Iterator<X509Certificate> certPathIter = certChainData.getCertificateChain().iterator();
    /* Check the signing certificate */
    // "If the verifier does not find any reference matching the signing certificate,
    // the validation of this property should be taken as failed."
    X509Certificate signingCert = certPathIter.next();
    CertRef signingCertRef = CertRefUtils.findCertRef(signingCert, certRefs);
    if (null == signingCertRef)
        throw new SigningCertificateReferenceNotFoundException(signingCert);
    // "If the ds:KeyInfo contains the ds:X509IssuerSerial element, check that
    // the issuer and the serial number indicated in both, that one and IssuerSerial
    // from SigningCertificate, are the same."
    X500Principal keyInfoIssuer = certChainData.getValidationCertIssuer();
    if (keyInfoIssuer != null && (!new X500Principal(signingCertRef.issuerDN).equals(keyInfoIssuer) || !signingCertRef.serialNumber.equals(certChainData.getValidationCertSerialNumber())))
        throw new SigningCertificateIssuerSerialMismatchException(signingCertRef.issuerDN, signingCertRef.serialNumber, keyInfoIssuer.getName(), certChainData.getValidationCertSerialNumber());
    // The digest in the CertRef is what actually binds the signed property to the
    // certificate: issuer name and serial number alone could be reproduced by a
    // different certificate, so the digest check must not be skipped.
    try {
        CertRefUtils.checkCertRef(signingCertRef, signingCert, messageDigestProvider);
    } catch (CertRefUtils.InvalidCertRefException ex) {
        throw new SigningCertificateReferenceException(signingCert, signingCertRef, ex);
    }
    /* Check the other certificates in the certification path */
    int nMatchedRefs = 1;
    while (certPathIter.hasNext()) {
        X509Certificate cert = certPathIter.next();
        CertRef certRef = CertRefUtils.findCertRef(cert, certRefs);
        // A path certificate without a matching CertRef is allowed: the property
        // need not reference every certificate in the chain, so this is not a failure.
        if (null == certRef)
            continue;
        nMatchedRefs++;
        try {
            CertRefUtils.checkCertRef(certRef, cert, messageDigestProvider);
        } catch (CertRefUtils.InvalidCertRefException ex) {
            throw new SigningCertificateReferenceException(cert, certRef, ex);
        }
    }
    // The reverse is not allowed: every CertRef must have matched a certificate in
    // the path. A reference that matched nothing is treated as a verification failure.
    if (nMatchedRefs < certRefs.size())
        throw new SigningCertificateCertsNotInCertPathException();
    return new SigningCertificateProperty(certChainData.getCertificateChain());
}
Also used: SigningCertificateProperty (xades4j.properties.SigningCertificateProperty), X509Certificate (java.security.cert.X509Certificate), CertRef (xades4j.properties.data.CertRef), CertificationChainData (xades4j.verification.QualifyingPropertyVerificationContext.CertificationChainData), X500Principal (javax.security.auth.x500.X500Principal)
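The following is an added, stand-alone model of the check above, not xades4j code. It uses only the Python standard library: certificates are constructed stand-ins (issuer name, serial number and some bytes standing in for the DER encoding), CertRefUtils.findCertRef is assumed to be an IssuerSerial lookup and CertRefUtils.checkCertRef a digest comparison, and a single exception class stands in for xades4j's per-failure exception types. It runs the verification over a constructed three-certificate path and exercises each failure mode the Java method distinguishes: an unreferenced signing certificate, a ds:KeyInfo IssuerSerial that disagrees with the signed property, a substituted certificate that carries the signer's issuer/serial but a different encoding (caught only by the digest), and a CertRef that matches nothing in the path. The names and sample values are all assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


# Constructed stand-in for an X.509 certificate: only the fields this check uses.
@dataclass(frozen=True)
class Cert:
    issuer_dn: str
    serial: int
    der: bytes  # bytes the CertRef digest covers (the DER encoding in real XAdES)


# Model of a XAdES CertRef: an IssuerSerial plus a digest over the certificate.
@dataclass(frozen=True)
class CertRef:
    issuer_dn: str
    serial: int
    digest_alg: str
    digest: bytes


class SigningCertificateVerificationError(Exception):
    """Single error type here; xades4j has one exception class per failure."""


def make_cert_ref(cert: Cert, digest_alg: str = "sha256") -> CertRef:
    """What a signer puts into SigningCertificate for one chain certificate."""
    return CertRef(cert.issuer_dn, cert.serial, digest_alg,
                   hashlib.new(digest_alg, cert.der).digest())


def find_cert_ref(cert: Cert, refs: List[CertRef]) -> Optional[CertRef]:
    """IssuerSerial lookup (assumed to mirror CertRefUtils.findCertRef)."""
    for ref in refs:
        if ref.issuer_dn == cert.issuer_dn and ref.serial == cert.serial:
            return ref
    return None


def check_cert_ref(ref: CertRef, cert: Cert) -> None:
    """Digest comparison (assumed to mirror CertRefUtils.checkCertRef)."""
    if hashlib.new(ref.digest_alg, cert.der).digest() != ref.digest:
        raise SigningCertificateVerificationError(
            "digest mismatch for certificate serial %d" % cert.serial)


def verify_signing_certificate(cert_refs, chain, keyinfo_issuer=None, keyinfo_serial=None):
    """Same steps as the Java verify() above; returns the number of matched CertRefs."""
    signing_cert = chain[0]  # first element of the path is the signing certificate
    signing_ref = find_cert_ref(signing_cert, cert_refs)
    if signing_ref is None:
        raise SigningCertificateVerificationError("signing certificate not referenced")
    if keyinfo_issuer is not None and (
            signing_ref.issuer_dn != keyinfo_issuer or signing_ref.serial != keyinfo_serial):
        raise SigningCertificateVerificationError("IssuerSerial differs from ds:KeyInfo")
    check_cert_ref(signing_ref, signing_cert)  # the digest is what binds property to cert
    matched = 1
    for cert in chain[1:]:
        ref = find_cert_ref(cert, cert_refs)
        if ref is None:
            continue  # an unreferenced path certificate is allowed
        matched += 1
        check_cert_ref(ref, cert)
    if matched < len(cert_refs):
        raise SigningCertificateVerificationError("CertRef matches no certificate in the path")
    return matched


# Constructed three-certificate path: signer <- issuing CA <- root (values are made up).
ROOT = Cert("CN=Test Root CA", 1, b"constructed-der-root")
ISSUING_CA = Cert("CN=Test Root CA", 7, b"constructed-der-issuing-ca")
SIGNER = Cert("CN=Test Issuing CA", 4711, b"constructed-der-signer")
CHAIN = [SIGNER, ISSUING_CA, ROOT]


def scenario(name: str) -> str:
    """Runs one constructed case; returns 'ok:<matched>' or 'fail:<reason>'."""
    refs = [make_cert_ref(SIGNER), make_cert_ref(ISSUING_CA)]  # root deliberately unreferenced
    chain = list(CHAIN)
    ki_issuer, ki_serial = SIGNER.issuer_dn, SIGNER.serial
    if name == "substituted_cert":
        # A different certificate carrying the signer's issuer/serial: only the digest catches it.
        chain[0] = Cert(SIGNER.issuer_dn, SIGNER.serial, b"constructed-der-impostor")
    elif name == "keyinfo_mismatch":
        ki_serial = 9999  # ds:X509IssuerSerial disagrees with the signed property
    elif name == "dangling_ref":
        refs.append(CertRef("CN=Other CA", 5, "sha256", b"\x00" * 32))
    elif name == "unreferenced_signer":
        refs = [make_cert_ref(ISSUING_CA)]
    try:
        return "ok:%d" % verify_signing_certificate(refs, chain, ki_issuer, ki_serial)
    except SigningCertificateVerificationError as exc:
        return "fail:%s" % exc


if __name__ == "__main__":
    for case in ("valid", "substituted_cert", "keyinfo_mismatch", "dangling_ref", "unreferenced_signer"):
        print(case, "->", scenario(case))
```

Running the script prints one line per case. The "valid" case succeeds with two matched references even though the root is unreferenced, which is the `continue` branch of the Java loop; the "substituted_cert" case passes the IssuerSerial lookup and the ds:KeyInfo comparison and is rejected only by the digest check, which is why that check sits on the signing certificate before any other certificate is examined.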
