SD DSS and trusted lists...

Robert Bielecki edited this page Feb 24, 2015 · 3 revisions

In the European context, certificate validation requires the use of the European trusted lists. In the simplest case, where all the lists are to be used, the SD-DSS framework provides a simple mechanism for this model.

Here is an example of Java code using European trusted lists:

final DataLoader dataLoader = new FileCacheDataLoader(); // any DataLoader implementation provided by the framework (see below)
final TrustedListsCertificateSource certificateSource = new TrustedListsCertificateSource();
certificateSource.setLotlUrl("https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml");
certificateSource.setCheckSignature(true); // verify the signatures of the LOTL and of each TSL (recommended, see below)
certificateSource.setDataLoader(dataLoader);
certificateSource.init();

Note that signature verification of the lists is optional. We highly recommend setting this attribute to true. Doing so requires the certificate used to sign the LOTL to be provided. It is included in the framework:

\dgmarkt-dss\apps\dss\demo\dss-demo-webapp\src\main\resources\ec.europa.eu.crt

Its hash can be checked against: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:374:0008:0008:EN:PDF
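As an added check (this program is not part of the original page or of the SD-DSS code), the following standalone Java program prints the fingerprint of the bundled LOTL certificate so that it can be compared with the value published in the Official Journal linked above. The certificate path and the published digest are passed as arguments; the digest value is a placeholder that the reader transcribes from the publication, and both SHA-1 and SHA-256 are computed because the two are the digests commonly published for such certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class LotlCertFingerprint {

    // Colon-separated, upper-case hex digest of the DER encoding of the certificate.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Compares a computed fingerprint with a published one regardless of case and separators
    // (publications use "AB:CD", "AB CD" or "abcd" interchangeably).
    static boolean matchesPublished(String computed, String published) {
        String wanted = published.replaceAll("[^0-9A-Fa-f]", "").toUpperCase();
        return computed.replace(":", "").equals(wanted);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to ec.europa.eu.crt (PEM or DER); args[1]: digest transcribed from the
        // Official Journal (placeholder value supplied by the reader, SHA-1 or SHA-256).
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String sha1 = fingerprint(cert, "SHA-1");
        String sha256 = fingerprint(cert, "SHA-256");
        System.out.println("Subject  : " + cert.getSubjectX500Principal());
        System.out.println("Validity : " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        System.out.println("SHA-1    : " + sha1);
        System.out.println("SHA-256  : " + sha256);
        if (!matchesPublished(sha1, args[1]) && !matchesPublished(sha256, args[1])) {
            // A mismatch means the bundled file is not the certificate the Official Journal vouches for.
            throw new IllegalStateException("LOTL certificate does not match the published fingerprint");
        }
        System.out.println("Fingerprint matches the published value.");
    }
}
```

Run it as `java LotlCertFingerprint path/to/ec.europa.eu.crt "<digest from the Official Journal>"`; a non-zero exit means the certificate shipped with the build should not be trusted as the LOTL signing certificate.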

Nevertheless it is possible to specify a different certificate:

certificateSource.setLotlCertificate("classpath://toto.crt");

The path to the LOTL certificate can be given in two ways, using the classpath:// or the file:// prefix (Spring notation).

Another important element used by the class TrustedListsCertificateSource is the dataLoader. It provides the interface through which the files containing the trusted lists are physically retrieved.

The framework provides three implementations of this interface:

All of them take authentication and proxy management into account. The following protocols are supported: http, https, ldap, ftp.
The FileCacheDataLoader additionally caches the content retrieved online on the local file system. The DataLoader interface allows proprietary implementations with a more advanced caching scheme.

How are the trusted lists obtained?

The process begins by loading the LOTL from the configured address. Its signature is then validated. Next, every pointer to another TSL is analysed in turn and the referenced trusted lists are downloaded. The signature of each list is checked against the certificate extracted from the LOTL. All services listed in each TSL, including their history, are analysed and the related certificates are extracted.
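The two-stage trust described above (LOTL verified against a pinned certificate, each TSL verified only against the certificates its LOTL pointer announces) can be made concrete with the JDK's own XML-DSig API. The program below is an added example, not the SD-DSS implementation: it works on a locally saved copy of the LOTL, ignores the KeyInfo embedded in the documents in favour of the pinned anchors, and extracts the TSL pointers using the ETSI trusted-list namespace. Downloading the national lists is left out; the `DataLoader` from the framework would fill that role.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class PinnedTslValidation {

    static final String TSL_NS = "http://uri.etsi.org/02231/v2#"; // ETSI TS 119 612 trusted-list namespace

    // A pointer from the LOTL: where a national TSL lives and which certificates may sign it.
    static final class TslPointer {
        final String location;
        final List<X509Certificate> signers;
        TslPointer(String location, List<X509Certificate> signers) { this.location = location; this.signers = signers; }
    }

    // Hardened DOM parse: secure processing on, DOCTYPE forbidden, no XInclude, no entity expansion.
    static Document parseXml(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    // Validates the single enveloped signature of a list against the given anchors only.
    // KeyInfo is deliberately ignored: a list must verify with a key we already trust.
    static boolean verifiesWithAnchors(Document list, List<X509Certificate> anchors) throws Exception {
        NodeList sigs = list.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // exactly one ds:Signature is expected on a trusted list
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        for (X509Certificate anchor : anchors) {
            DOMValidateContext ctx = new DOMValidateContext(
                    KeySelector.singletonKeySelector(anchor.getPublicKey()), sigs.item(0));
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            if (fac.unmarshalXMLSignature(ctx).validate(ctx)) {
                return true;
            }
        }
        return false;
    }

    // Reads every OtherTSLPointer: its TSLLocation and the X509Certificate entries of its digital identities.
    static List<TslPointer> extractPointers(Document lotl) throws Exception {
        List<TslPointer> pointers = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        NodeList ptrs = lotl.getElementsByTagNameNS(TSL_NS, "OtherTSLPointer");
        for (int i = 0; i < ptrs.getLength(); i++) {
            Element ptr = (Element) ptrs.item(i);
            NodeList loc = ptr.getElementsByTagNameNS(TSL_NS, "TSLLocation");
            String location = loc.getLength() > 0 ? loc.item(0).getTextContent().trim() : "";
            List<X509Certificate> signers = new ArrayList<>();
            NodeList certs = ptr.getElementsByTagNameNS(TSL_NS, "X509Certificate");
            for (int j = 0; j < certs.getLength(); j++) {
                byte[] der = Base64.getMimeDecoder().decode(certs.item(j).getTextContent());
                signers.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
            }
            pointers.add(new TslPointer(location, signers));
        }
        return pointers;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: locally saved LOTL (tl-mp.xml); args[1]: the pinned LOTL signing certificate (ec.europa.eu.crt)
        Document lotl;
        try (InputStream in = new FileInputStream(args[0])) { lotl = parseXml(in); }
        X509Certificate lotlCert;
        try (InputStream in = new FileInputStream(args[1])) {
            lotlCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Step 1: nothing inside the LOTL is trusted until its signature verifies with the pinned certificate.
        if (!verifiesWithAnchors(lotl, Collections.singletonList(lotlCert))) {
            throw new SecurityException("LOTL signature does not verify with the pinned certificate");
        }
        // Step 2: each pointer names a national TSL and the only certificates allowed to sign it. A loader
        // would fetch p.location and call verifiesWithAnchors(tslDocument, p.signers) before reading services.
        for (TslPointer p : extractPointers(lotl)) {
            System.out.println(p.location + " -> " + p.signers.size() + " candidate signing certificate(s)");
        }
    }
}
```

The order matters: pointer certificates are read from the LOTL only after the LOTL itself has verified against the pinned anchor, and a TSL that does not verify against its pointer's certificates should be rejected rather than fall back to the certificate it embeds in its own KeyInfo.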