public final class CryptoFactory extends Object
Modifier and Type | Field and Description |
---|---|
static String | OCSP_CERT_STORE: base property to set the certificates and CRL to be used by the OCSP verification. |
static String | OCSP_CLOCK_SKEW: property to set the acceptable difference (in millis) in time calculations to prevent clock synchronisation issues. |
static String | OCSP_CONNECTION_TIMEOUT: maximum time (in millis) to set up a connection. |
static String | OCSP_CONNECTION_USER_INTERACTION: flag (true/false) to allow for user interaction. |
static String | OCSP_INJECT_RESPONSE: flag (true/false) to add the OCSPResponse to the sealed message. |
static String | OCSP_READ_TIMEOUT: maximum time (in millis) to wait for a response. |
static String | OCSP_URI: property to set the endpoint of the OCSP responder. |
static String | PROPS_CRYPTO_CLASS: property used to change the implementation for the Crypto. |
static String | SIGNING_CLOCK_SKEW: property to set the acceptable difference (in millis) in time calculations to prevent clock synchronisation issues. |
static String | SIGNING_TIME_EXPIRATION: property to set the maximum time (in minutes) to consider a sealed message as recent. |
static String | SIGNING_TIME_TRUST_IMPLICIT: flag (true/false) to accept messages that have an expired Signing-Time without further verifications. |
static String | SIGNING_TSA_CERT_STORE: base property to set the certificates and CRL to be used by the TSA verification. |
Modifier and Type | Method and Description |
---|---|
static KeyStore | getCaCertificateStore() |
static Crypto | getCrypto(Credential encryption, Map<String,PrivateKey> decryptionKeys) |
static Crypto | getCrypto(Credential encryption, Map<String,PrivateKey> decryptionKeys, String oCSPPolicy): possible values of the OCSPPolicy parameter are listed in the method detail below. |
static Crypto | getCryptoFromSession() |
static Map<be.fgov.ehealth.etee.crypto.policies.OCSPOption,Object> | getOCSPOptions() |
static void | resetOCSPOptions() |
public static final String PROPS_CRYPTO_CLASS
Property used to change the implementation for the Crypto.
Default: be.ehealth.technicalconnector.service.etee.impl.CryptoImpl
public static final String SIGNING_TIME_EXPIRATION
Default: 5 minutes.
public static final String SIGNING_CLOCK_SKEW
Default: 300 000 milliseconds
public static final String SIGNING_TIME_TRUST_IMPLICIT
Default: true
public static final String SIGNING_TSA_CERT_STORE
public static final String OCSP_URI
Default: null
public static final String OCSP_INJECT_RESPONSE
Default: false
public static final String OCSP_CLOCK_SKEW
Default: 300 000 milliseconds
public static final String OCSP_CONNECTION_TIMEOUT
Default: 3 000 milliseconds
public static final String OCSP_CERT_STORE
public static final String OCSP_READ_TIMEOUT
Default: 3 000 milliseconds
public static final String OCSP_CONNECTION_USER_INTERACTION
Default: false
public static Crypto getCrypto(Credential encryption, Map<String,PrivateKey> decryptionKeys, String oCSPPolicy) throws TechnicalConnectorException
Possible values of the oCSPPolicy parameter:
Key | Description |
---|---|
NONE | No OCSP check. |
SENDER_OPTIONAL | Optional OCSP check. If the sender sets the OCSP response in the message, the receiver verifies it. If the response does not validate or the response is not included in the message, the cryptolib unseals the message but it also includes a NotificationWarning. This means that the receiver has a choice to reject or accept the message. |
RECEIVER_OPTIONAL | OCSP call done by the receiver if not done by the sender. If the OCSP response was not included in the message, the receiver calls the OCSP service in order to verify the OCSP status of the signing certificate. The receiver should have the option to add the OCSP response into the received CMS message if the response was not present in the message (this does not break the receiver's signature as the signature does not include the OCSP response and only the outer envelope contains the OCSP response). If the OCSP response was present in the message but it did not validate, or the OCSP check by the receiver failed, then the unsealing fails, i.e., a NotificationError is returned. |
SENDER_MANDATORY | Mandatory OCSP check done by the sender. If the OCSP response is not present in the message or it does not validate, a NotificationError is added to the result. |
RECEIVER_MANDATORY | Mandatory OCSP check done by the receiver of the message (i.e. intended recipient or intermediate 'Message Storage Service'). The receiver should have the option to add the OCSP response into the received CMS message (this does not break the receiver's signature as the signature does not include the OCSP response and only the outer envelope contains the OCSP response). If the OCSP response does not validate, a NotificationError is returned. |
Throws: TechnicalConnectorException
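The five policies differ in who performs the OCSP check and in whether a missing or invalid response only warns or fails the unseal. The following decision model is an added example, not code from the eHealth connector; it encodes the table above as a function of the policy, the response the sender included, and (for the RECEIVER_* policies) the result of the receiver's own OCSP call. The treatment of RECEIVER_MANDATORY when the sender already included a response is an assumption, marked in the code.

```python
from enum import Enum


class Outcome(Enum):
    OK = "unsealed"
    WARNING = "unsealed, NotificationWarning added"   # receiver must decide to accept or reject
    ERROR = "unsealing fails, NotificationError"


def ocsp_outcome(policy, response_present, response_valid, receiver_check_ok=None):
    """Return (Outcome, receiver_calls_ocsp, may_inject_response) for an OCSPPolicy.

    response_present / response_valid describe the OCSP response the sender put in
    the sealed message; receiver_check_ok is the result of the receiver's own OCSP
    call and is only consulted for the RECEIVER_* policies.
    """
    sender_ok = response_present and response_valid
    if policy == "NONE":
        return Outcome.OK, False, False
    if policy == "SENDER_OPTIONAL":
        # The message is unsealed either way; a missing or invalid response only warns,
        # so the caller must inspect the warnings rather than rely on the unseal succeeding.
        return (Outcome.OK if sender_ok else Outcome.WARNING), False, False
    if policy == "SENDER_MANDATORY":
        return (Outcome.OK if sender_ok else Outcome.ERROR), False, False
    if policy == "RECEIVER_OPTIONAL":
        if response_present:
            # Sender included a response: verified, invalid means unseal fails.
            return (Outcome.OK if response_valid else Outcome.ERROR), False, False
        # Sender left it out: receiver calls the responder and may inject the result.
        if receiver_check_ok is None:
            raise ValueError("receiver OCSP result required for RECEIVER_OPTIONAL")
        return (Outcome.OK, True, True) if receiver_check_ok else (Outcome.ERROR, True, False)
    if policy == "RECEIVER_MANDATORY":
        # Assumption: the receiver always performs its own check, whatever the sender included;
        # injection only makes sense when the message did not already carry a response.
        if receiver_check_ok is None:
            raise ValueError("receiver OCSP result required for RECEIVER_MANDATORY")
        if receiver_check_ok:
            return Outcome.OK, True, not response_present
        return Outcome.ERROR, True, False
    raise ValueError(f"unknown OCSPPolicy: {policy}")
```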
public static Map<be.fgov.ehealth.etee.crypto.policies.OCSPOption,Object> getOCSPOptions()
Throws: TechnicalConnectorException
public static void resetOCSPOptions()
public static KeyStore getCaCertificateStore()
public static Crypto getCrypto(Credential encryption, Map<String,PrivateKey> decryptionKeys) throws TechnicalConnectorException
Parameters: encryption, decryptionKeys
Returns: Crypto based on the params
Throws: TechnicalConnectorException
public static Crypto getCryptoFromSession() throws TechnicalConnectorException
Returns: Crypto based on the Session (using EncryptionCredential).
Throws: TechnicalConnectorException
Connector Packaging TRUSSMAKER 4.1.2 API
Copyright © {inceptionYear}-2022 eHealth. All Rights Reserved.