Download - Svetlin Nakov
Download - Svetlin Nakov
Download - Svetlin Nakov
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
import java.io.*;<br />
import java.util.List;<br />
import java.util.HashSet;<br />
/**<br />
* Utility class for digital signatures and certificates verification.<br />
*<br />
* Verification of digital signature aims to confirm or deny that given signature is<br />
* created by signing given document with the private key corresponding to given<br />
* certificate. Verification of signatures is done with the standard digital<br />
* signature verification algorithm, provided by Java Cryptography API:<br />
* 1. The message digest is calculated from given document.<br />
* 2. The original message digest is obtained by decrypting the signature with<br />
* the public key of the signer (this public key is taken from the signer's<br />
* certificate).<br />
* 3. Values calculated in step 1. and step 2. are compared.<br />
*<br />
* Verification of a certificate aims to check if the certificate is valid wihtout<br />
* inspecting its certification chain (sometimes it is unavailable). The certificate<br />
* verification is done in two steps:<br />
* 1. The certificate validity period is checked against current date.<br />
* 2. The certificate is checked if it is directly signed by some of the trusted<br />
* certificates that we have. A list of trusted certificates is supported for this<br />
* direct certificate verification process. If we want to successfully validate the<br />
* certificates issued by some certification authority (CA), we need to add the<br />
* certificate of this CA in our trusted list. Note that some CA have several<br />
* certificates and we should add only that of them, which the CA directly uses for<br />
* issuing certificates to its clients.<br />
*<br />
* Verification of a certification chains aims to check if given certificate is<br />
* valid by analysing its certification chain. A certification chain always starts<br />
* with the user certificate that should be verified, then several intermediate CA<br />
* certificates follow and at the end of the chain stays some root CA certificate.<br />
* The verification process includes following steps (according to PKIX algorithm):<br />
* 1. Check the certificate validity period against current date.<br />
* 2. Check if each certificate in the chain is signed by the previous.<br />
* 3. Check if all the certificates in the chain, except the first, belong to<br />
* some CA, i.e. if they are authorized to be used for signing other certificates.<br />
* 4. Check if the root CA certificate in the end of the chain is trusted, i.e.<br />
* if is it in the list of trusted root CA certificates.<br />
* The verification process uses PKIX algorithm, defined in RFC-3280, but don't use<br />
* CRL lists.<br />
*<br />
* This file is part of <strong>Nakov</strong>DocumentSigner digital document<br />
* signing framework for Java-based Web applications:<br />
* http://www.nakov.com/documents-signing/<br />
*<br />
* Copyright (c) 2003 by <strong>Svetlin</strong> <strong>Nakov</strong> - http://www.nakov.com<br />
* National Academy for Software Development - http://academy.devbg.org<br />
* All rights reserved. This code is freeware. It can be used<br />
* for any purpose as long as this copyright statement is not<br />
* removed or modified.<br />
*/<br />
public class DigitalSignatureUtils {<br />
private static final String X509_CERTIFICATE_TYPE = "X.509";<br />
private static final String CERT_CHAIN_ENCODING = "PkiPath";<br />
private static final String DIGITAL_SIGNATURE_ALGORITHM_NAME = "SHA1withRSA";<br />
private static final String CERT_CHAIN_VALIDATION_ALGORITHM = "PKIX";<br />
/**<br />
* Loads X.509 certificate from DER-encoded binary stream.<br />
*/<br />
public static X509Certificate loadX509CertificateFromStream(<br />
127