package eu.europa.esig.dss.validation.process.bbb.xcv.rfc;
import java.util.Date;
import eu.europa.esig.dss.jaxb.detailedreport.XmlRFC;
import eu.europa.esig.dss.validation.policy.Context;
import eu.europa.esig.dss.validation.policy.SubContext;
import eu.europa.esig.dss.validation.policy.ValidationPolicy;
import eu.europa.esig.dss.validation.process.Chain;
import eu.europa.esig.dss.validation.process.ChainItem;
import eu.europa.esig.dss.validation.process.bbb.sav.checks.CryptographicCheck;
import eu.europa.esig.dss.validation.process.bbb.xcv.rfc.checks.NextUpdateCheck;
import eu.europa.esig.dss.validation.process.bbb.xcv.rfc.checks.RevocationDataAvailableCheck;
import eu.europa.esig.dss.validation.process.bbb.xcv.rfc.checks.RevocationDataFreshCheck;
import eu.europa.esig.dss.validation.process.bbb.xcv.rfc.checks.RevocationDataFreshCheckWithNullConstraint;
import eu.europa.esig.dss.validation.reports.wrapper.RevocationWrapper;
import eu.europa.esig.jaxb.policy.CryptographicConstraint;
import eu.europa.esig.jaxb.policy.LevelConstraint;
import eu.europa.esig.jaxb.policy.TimeConstraint;
/**
* 5.2.5 Revocation freshness checker This building block checks that a given
* revocation status information is "fresh" at a given validation time. The
* freshness of the revocation status information is the maximum accepted
* difference between the issuance time of the revocation status information and
* the current time. This process is used by other validation blocks when
* checking the revocation status of a certificate.
*/
public class RevocationFreshnessChecker extends Chain<XmlRFC> {
private final RevocationWrapper revocationData;
private final Date validationDate;
private final ValidationPolicy policy;
private final Context context;
private final SubContext subContext;
public RevocationFreshnessChecker(RevocationWrapper revocationData, Date validationDate, Context context,
SubContext subContext, ValidationPolicy policy) {
super(new XmlRFC());
this.revocationData = revocationData;
this.validationDate = validationDate;
this.policy = policy;
this.context = context;
this.subContext = subContext;
}
@Override
protected void initChain() {
ChainItem<XmlRFC> item = firstItem = revocationDataAvailable(revocationData);
if (revocationData != null) {
/*
* 1) The building block shall get the maximum accepted revocation
* freshness from the X.509 validation constraints for the given
* certificate. If the constraints do not contain a value for the
* maximum accepted revocation freshness and the revocation
* information status is a CRL or an OCSP response IETF RFC 5280
* [1], IETF RFC 6960 [i.12] with a value in the nextUpdate field
* the time interval between the fields thisUpdate and nextUpdate
* shall be used as the value of maximum freshness. If nextUpdate is
* not set, the building block shall return with the indication
* FAILED.
*
* NOTE: This means that if the given validation time is after the
* nextUpdate time, the revocation status information will not be
* considered fresh.
*/
item = item.setNextItem(nextUpdateCheck(revocationData));
/*
* 2) If the issuance time of the revocation information status is
* after the validation time minus the considered maximum freshness,
* the building block shall return the indication PASSED. Otherwise
* the building block shall return the indication FAILED.
*/
item = item.setNextItem(revocationDataFreshCheck(revocationData));
item = item.setNextItem(revocationCryptographic(revocationData));
}
}
private ChainItem<XmlRFC> revocationDataAvailable(RevocationWrapper revocationData) {
LevelConstraint constraint = policy.getRevocationDataAvailableConstraint(context, subContext);
return new RevocationDataAvailableCheck(result, revocationData, constraint);
}
private ChainItem<XmlRFC> nextUpdateCheck(RevocationWrapper revocationData) {
LevelConstraint constraint = policy.getRevocationDataNextUpdatePresentConstraint(context, subContext);
return new NextUpdateCheck(result, revocationData, constraint);
}
private ChainItem<XmlRFC> revocationDataFreshCheck(RevocationWrapper revocationData) {
TimeConstraint timeConstraint = policy.getRevocationFreshnessConstraint();
/*
* The building block shall get the maximum accepted revocation
* freshness from the X.509 validation constraints for the given
* certificate.
*/
if (timeConstraint != null) {
return new RevocationDataFreshCheck(result, revocationData, validationDate, timeConstraint);
}
/*
* If the constraints do not contain a value for the maximum accepted
* revocation freshness and the revocation information status is a CRL
* or an OCSP response IETF RFC 5280 [1], IETF RFC 6960 [i.12] with a
* value in the nextUpdate field the time interval between the fields
* thisUpdate and nextUpdate shall be used as the value of maximum
* freshness.
*/
else {
return new RevocationDataFreshCheckWithNullConstraint(result, revocationData, validationDate,
getFailLevelConstraint());
}
}
private ChainItem<XmlRFC> revocationCryptographic(RevocationWrapper revocationData) {
CryptographicConstraint cryptographicConstraint = policy.getCertificateCryptographicConstraint(context,
subContext);
return new CryptographicCheck<XmlRFC>(result, revocationData, validationDate, cryptographicConstraint);
}
}