ITrustCertificateProviderAddin

Whenever an artifact is signed, or a signature validation is performed, the solution needs to validate if the certificate used for signing is trusted. Add-in responsible for retrieving the list of all certificates that will be trusted for each given purpose.

Trigger Event(s): Updating or listing the trust certificate store
Table 1. ITrustCertificateProviderAddin interface methods declaration and description
Method Description

getTrustCertificates

Retrieves a map containing, for each certificate type, the list of trusted certificates

Parameter

Type

Description

-

-

-

Returns

Type

Description

trustCertificates

HashMap<CertificateType, HashMap<String,X509Certificate>>

Map of trusted certificates by certificate type (CertificateType)

The following table lists the types of certificates that can be retrieved from by the Provider and later persisted in the store by an add-in which implements ITrustCertificateStoreAddin.

Table 2. Monetized certificate types in the Trust Certificate Store
Certificate Types

Type

Description

CA

Qualified Certificate

TSA

Time Stamping Authority

INTERNAL

Internally trusted certificates (specific to each client)

eSign brings an out-of-the box implementation for this interface that is described below
Table 3. Available implementations for ITemplateLoadAddin
Implementation Default Description

DefaultTrustCertificateProviderAddin

Updates or creates (if local keystores do not exist) the trust store with a configured (add-in configuration parameter) Trust Service Status List (TSL). The URL destination of the used TSL is configurable. Furthermore, the update can be made recursive which means the add-in will look for pointers to other TSL within the configured TSL

The code snippet bellow illustrates how to configure esign.config to enable the usage of DefaultTrustCertificateProviderAddin. The object "params" should hold two name/value pairs: "url" and "recursive". The first indicates the URL destination of one or more (separated by commas) Trust Service Status List (TSL) the client trusts and wishes to retrieve the certificates from. The latter indicates whether the add-in should behave recursively or not. Recursively means the add-in will look for pointers to other TSL within the originally targeted TSL as configured in "url". Taking the above example, the add-in would retrieve the trust certificates form the Portuguese TSL and look for other TSL pointers inside it, which in the present case is just the European Union (EU).

Configuration

First the add-in needs to be loaded as an extension, with the above-mentioned parameters, "url" and "recursive", declared in an JSON object called "params"

"_comment" : "List all the extensions to be used",
"extensions" :
[
	...

	{
        "name": "trust-certificate",
        "class": "novabase.connect.paperless.esign.core.extensions.impl.DefaultTrustCertificateProviderAddin",
        "params" : {
            "url" : "https://www.gns.gov.pt/media/1894/tslpt.xml",
            "recursive" : "true"
		}

    },

	...
]

Optionally, set as the default add-in by establishing the class path for the type "trust_certificate_provider"

"_comment" : "List all the default addins to be used",
"addins" :
[
    ...

    {
        "type": "trust_certificate_provider",
        "extension": "trust-certificate"
    },

    ...
]