Exemplo n.º 1
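 /**
  * Verifies the certificates of the signature in the current revision, then switches to the
  * previous revision.
  *
  * <p>By default only the signing certificate ({@code chain[0]}) is checked; with {@code
  * CertificateOption.WHOLE_CHAIN} every certificate in the chain is checked. Each certificate is
  * passed to {@code verify(signCert, issuerCert, signDate)} (presumably the CRL / OCSP / trust
  * anchor checks, judging by the failure message used below).
  *
  * <p>Security notes for callers, all visible in this method:
  *
  * <ul>
  *   <li>A certificate for which {@code verify} returns nothing is only tested for being
  *       self-signed. A valid self-signature says nothing about trust.
  *   <li>In the latest revision, when the chain has more than one certificate, such a self-signed
  *       certificate is recorded as "Root certificate in final revision" and is accepted even if
  *       {@code verifyRootCertificate} is set.
  *   <li>With {@code verifyRootCertificate} unset, a self-signed certificate is accepted without
  *       any revocation or anchor check; for a chain of length one nothing is recorded and nothing
  *       is thrown, so the returned list can be empty for that certificate.
  * </ul>
  *
  * Callers should therefore inspect the returned messages instead of treating "no exception" as
  * proof that the chain ends in a trusted root.
  *
  * @return the {@code VerificationOK} records collected for the checked certificates
  * @throws GeneralSecurityException if the chain is empty, if {@code verifyChain} or {@code
  *     verify} rejects a certificate, or (as a {@code VerificationException}) if a certificate
  *     could not be verified and is not an acceptable self-signed certificate
  * @throws IOException propagated from the helper calls; NOTE(review): the exact source is not
  *     visible in this method
  */
 public List<VerificationOK> verifySignature() throws GeneralSecurityException, IOException {
   LOGGER.info("Verifying signature.");
   List<VerificationOK> result = new ArrayList<VerificationOK>();
   // Get the certificate chain
   Certificate[] chain = pkcs7.getSignCertificateChain();
   verifyChain(chain);
   // Fail closed on an empty chain: with WHOLE_CHAIN the loop below would not run at all and the
   // method would return without having checked anything; otherwise chain[0] would be out of
   // bounds.
   if (chain.length == 0) {
     throw new GeneralSecurityException("Signature contains no certificates to verify");
   }
   // how many certificates in the chain do we need to check?
   int total = CertificateOption.WHOLE_CHAIN.equals(option) ? chain.length : 1;
   final String unverifiedMessage = "Couldn't verify with CRL or OCSP or trusted anchor";
   for (int i = 0; i < total; i++) {
     // the certificate to check
     X509Certificate signCert = (X509Certificate) chain[i];
     // its issuer: the next chain entry, or null for the last certificate in the chain
     X509Certificate issuerCert =
         (i + 1 < chain.length) ? (X509Certificate) chain[i + 1] : null;
     // now lets verify the certificate
     LOGGER.info(signCert.getSubjectDN().getName());
     List<VerificationOK> list = verify(signCert, issuerCert, signDate);
     if (list.isEmpty()) {
       // No positive result from verify(): the only remaining acceptable case is a self-signed
       // certificate, so check that it verifies against its own public key.
       try {
         signCert.verify(signCert.getPublicKey());
       } catch (GeneralSecurityException e) {
         // NOTE(review): the underlying failure is not attached as a cause; only the
         // (certificate, message) constructor of VerificationException is visible here.
         throw new VerificationException(signCert, unverifiedMessage);
       }
       if (latestRevision && chain.length > 1) {
         // Recording this entry makes the list non-empty, which also bypasses the
         // verifyRootCertificate check below for the latest revision.
         list.add(
             new VerificationOK(
                 signCert, this.getClass(), "Root certificate in final revision"));
       }
       if (list.isEmpty() && verifyRootCertificate) {
         // Self-signed, nothing vouches for it, and the caller asked for roots to be verified.
         throw new VerificationException(signCert, unverifiedMessage);
       } else if (chain.length > 1) {
         // Accepted on the strength of the self-signature alone; the message makes that
         // explicit so callers can tell it apart from a real revocation/anchor check.
         list.add(
             new VerificationOK(
                 signCert, this.getClass(), "Root certificate passed without checking"));
       }
     }
     result.addAll(list);
   }
   // go to the previous revision
   switchToPreviousRevision();
   return result;
 }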