issrg.security
Interface Verifier

All Known Implementing Classes:
DefaultSecurity, DefaultVerifier, MultiFileTypeSecurity, PKCS12Security, SamlPKCHandler, Security

public interface Verifier

This is the interface for verification of signatures on various objects. It implies that the underlying implementation can operate on a certificate storage to retrieve certificates. However, the implementations must assume that during the verification process the whole certification path can be passed to the verifier. Such separation makes the push model possible.

Some implementations may support the push model only (don't return anything on getVerificationCertificates), but the callers need to be aware of that.

Version:
1.0
Author:
A.Otenko

Method Summary
 PKCRepository getPKCRepository()
          gets the repository that will be used to retrieve user's signature verification Public Key Certificates.
 java.security.cert.X509Certificate[] getRootCAs()
          This method returns the array of PKCs of multiple roots of trust.
 java.security.cert.X509Certificate[] getVerificationCertificates(TokenLocator signerName)
          This method allows the caller to obtain all verification certificates that the Verifier can obtain using its own means.
 boolean verify(byte[] data, byte[] signature, java.lang.String algorithmID, java.security.cert.X509Certificate[] certs)
          This method lets to verify the given signature of the data byte array.
 

Method Detail

verify

boolean verify(byte[] data,
               byte[] signature,
               java.lang.String algorithmID,
               java.security.cert.X509Certificate[] certs)
               throws SecurityException
This method lets to verify the given signature of the data byte array.

The caller must supply all certificates that are relevant to the signer and issuers of that certificate, putting the certificate of the signer the first in the array of certificates. The implementations may retrieve insufficient data (roots of trust, certificate repositories, CRLs) by whatever means available to them; these means are not specified by this interface.

It is up to the Verifier to ensure the certificates are not revoked.

Parameters:
data - is the byte array of the signed data
signature - is the byte array of the signature
certs - is the array of certificates available to the caller; the first certificate is the one used for verifying the signature, the rest will be used to verify the certification path
Returns:
true, if the signature verifies and the certification path can be established
Throws:
SecurityException - if a definite decision cannot be derived

getVerificationCertificates

java.security.cert.X509Certificate[] getVerificationCertificates(TokenLocator signerName)
                                                                 throws SecurityException
This method allows the caller to obtain all verification certificates that the Verifier can obtain using its own means. The returned array can be empty.

Parameters:
signerName - is the name of the signer of the data - the name of the holder of the verification certificates to return, and the locator of holder's PKCs
Returns:
the array of X509 PKCs; if no certificates could be obtained, an empty array should be returned (invalid name, or the Verifier is too simple to access any certificate repositories)
Throws:
SecurityException - if the result cannot be delivered

getRootCAs

java.security.cert.X509Certificate[] getRootCAs()
This method returns the array of PKCs of multiple roots of trust.

Returns:
array of X509Certificate, which can be empty or null, if no roots of trust have been specified

getPKCRepository

PKCRepository getPKCRepository()
gets the repository that will be used to retrieve user's signature verification Public Key Certificates.