ITrustCertificateProviderAddin
Whenever an artifact is signed, or a signature validation is performed, the solution needs to validate if the certificate used for signing is trusted. Add-in responsible for retrieving the list of all certificates that will be trusted for each given purpose.
Trigger Event(s): Updating or listing the trust certificate store |
Method | Description | ||
---|---|---|---|
getTrustCertificates |
Retrieves a map containing, for each certificate type, the list of trusted certificates |
||
Parameter |
Type |
Description |
|
- |
- |
- |
|
Returns |
Type |
Description |
|
trustCertificates |
HashMap<CertificateType, HashMap<String,X509Certificate>> |
Map of trusted certificates by certificate type (CertificateType) |
The following table lists the types of certificates that can be retrieved from by the Provider and later persisted in the store by an add-in which implements ITrustCertificateStoreAddin.
Certificate Types | |
---|---|
Type |
Description |
CA |
Qualified Certificate |
TSA |
Time Stamping Authority |
INTERNAL |
Internally trusted certificates (specific to each client) |
eSign brings an out-of-the box implementation for this interface that is described below |
Implementation | Default | Description |
---|---|---|
DefaultTrustCertificateProviderAddin |
✓ |
Updates or creates (if local keystores do not exist) the trust store with a configured (add-in configuration parameter) Trust Service Status List (TSL). The URL destination of the used TSL is configurable. Furthermore, the update can be made recursive which means the add-in will look for pointers to other TSL within the configured TSL |
The code snippet bellow illustrates how to configure esign.config to enable the usage of DefaultTrustCertificateProviderAddin. The object "params" should hold two name/value pairs: "url" and "recursive". The first indicates the URL destination of one or more (separated by commas) Trust Service Status List (TSL) the client trusts and wishes to retrieve the certificates from. The latter indicates whether the add-in should behave recursively or not. Recursively means the add-in will look for pointers to other TSL within the originally targeted TSL as configured in "url". Taking the above example, the add-in would retrieve the trust certificates form the Portuguese TSL and look for other TSL pointers inside it, which in the present case is just the European Union (EU).