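/* DigiDoc4J library
 *
 * This software is released under either the GNU Library General Public
 * License (see LICENSE.LGPL).
 *
 * Note that the only valid version of the LGPL license as far as this
 * project is concerned is the original GNU Library General Public License
 * Version 2.1, February 1999
 */

package org.digidoc4j.impl.bdoc.xades.validation;

import java.security.cert.X509Certificate;
import java.util.Date;

import org.apache.commons.lang.StringUtils;
import org.digidoc4j.exceptions.SignedWithExpiredCertificateException;
import org.digidoc4j.exceptions.UntrustedRevocationSourceException;
import org.digidoc4j.impl.bdoc.xades.XadesSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import eu.europa.esig.dss.validation.reports.Reports;
import eu.europa.esig.dss.validation.reports.wrapper.DiagnosticData;

/**
 * Validator for time-mark XAdES signatures. On top of the checks performed by
 * {@link XadesSignatureValidator}, it rejects a signature whose signing certificate
 * was outside its validity period at the trusted signing time, and a signature
 * whose revocation evidence for the signing certificate came from a CRL rather
 * than OCSP.
 *
 * All findings are accumulated through {@code addValidationError}; nothing here
 * throws on a failed check.
 */
public class TimemarkSignatureValidator extends XadesSignatureValidator {

  private static final Logger logger = LoggerFactory.getLogger(TimemarkSignatureValidator.class);
  private final XadesSignature signature;

  /**
   * @param signature the signature under validation; also handed to the superclass
   */
  public TimemarkSignatureValidator(XadesSignature signature) {
    super(signature);
    this.signature = signature;
  }

  /**
   * Runs the superclass checks first, then the two time-mark specific checks.
   */
  @Override
  protected void populateValidationErrors() {
    super.populateValidationErrors();
    addCertificateExpirationError();
    addRevocationErrors();
  }

  /**
   * Flags the signature if the signing certificate was not valid at the trusted
   * signing time. Both bounds are inclusive, matching X.509 notBefore/notAfter
   * semantics.
   *
   * A certificate that was not yet valid at signing time is reported under the
   * same "expired" log message and exception type as a genuinely expired one;
   * callers cannot distinguish the two cases from the error alone.
   *
   * When no trusted signing time is available the check is skipped silently.
   * This method does not report a missing time-mark — presumably that is done
   * elsewhere in the validation chain; confirm before relying on it.
   */
  private void addCertificateExpirationError() {
    Date signingTime = signature.getTrustedSigningTime();
    if (signingTime == null) {
      return;
    }
    // NOTE(review): getSigningCertificate() is dereferenced without a null check;
    // a signature carrying no signing certificate would NPE here instead of
    // producing a validation error — confirm the superclass guarantees it is set.
    X509Certificate signerCert = signature.getSigningCertificate().getX509Certificate();
    Date notBefore = signerCert.getNotBefore();
    Date notAfter = signerCert.getNotAfter();
    boolean withinValidity = !signingTime.before(notBefore) && !signingTime.after(notAfter);
    if (!withinValidity) {
      logger.error("Signature has been created with expired certificate");
      addValidationError(new SignedWithExpiredCertificateException());
    }
  }

  /**
   * Flags the signature if DSS resolved the signing certificate's revocation
   * status from a CRL. Time-mark signatures are expected to carry OCSP
   * evidence, so CRL-based evidence is treated as an untrusted source.
   *
   * Only the "CRLToken" source is rejected. A null or empty source (i.e. no
   * revocation data found for the signing certificate) passes this check
   * unchanged; that condition is not detected here and is assumed to be
   * reported by another part of the validation — confirm before relying on it.
   */
  private void addRevocationErrors() {
    // NOTE(review): validate() is called here rather than a cached report being
    // reused; whether this re-runs the whole DSS validation depends on
    // XadesSignature and is not visible from this class.
    Reports validationReport = signature.validate().getReport();
    DiagnosticData diagnosticData = validationReport.getDiagnosticData();
    if (diagnosticData == null) {
      return;
    }
    String signingCertificateId = diagnosticData.getSigningCertificateId();
    String revocationSource = diagnosticData.getCertificateRevocationSource(signingCertificateId);
    // Parameterized logging: the message is only assembled when DEBUG is enabled.
    logger.debug("Revocation source is {}", revocationSource);
    if (StringUtils.equalsIgnoreCase("CRLToken", revocationSource)) {
      logger.error("Signing certificate revocation source is CRL instead of OCSP");
      addValidationError(new UntrustedRevocationSourceException());
    }
  }
}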