org.bouncycastle.openpgp.api

Class OpenPGPCertificate.OpenPGPSignatureChain

java.lang.Object

org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPSignatureChain

All Implemented Interfaces:

java.lang.Comparable<OpenPGPCertificate.OpenPGPSignatureChain>, java.lang.Iterable<OpenPGPCertificate.OpenPGPSignatureChain.Link>

Enclosing class:

OpenPGPCertificate

public static class OpenPGPCertificate.OpenPGPSignatureChain
extends java.lang.Object
implements java.lang.Comparable<OpenPGPCertificate.OpenPGPSignatureChain>, java.lang.Iterable<OpenPGPCertificate.OpenPGPSignatureChain.Link>

Chain of signatures. Such a chain originates from a certificates primary key and points towards some certificate component that is bound to a certificate. As for example a subkey can only be bound by a primary key that holds either at least one direct-key self-signature or at least one user-id binding signature, multiple signatures may form a validity chain. Another example is a third-party certification over a user-id or certificates primary key. Here, the chain originates from the certifiers primary key and ends at the user-id or primary key of the signee. An OpenPGPCertificate.OpenPGPSignatureChain can either be a certification (isCertification()), e.g. it represents a positive binding, or it can be a revocation (isRevocation()) which invalidates a positive binding.

Example:

                           v-----------\
           [PRIMARY KEY 0xAAAA]         \
            /         \       \         |
           /           \       \__(DIRECT KEY SIG #0)
   (USERID BINDING #1) |
          |    (SUBKEY BINDING #2)
          v           |
  [USERID Alice]      v
                  [SUBKEY 0xAABB]
 

Here, the certificates components are bound like follows:

• Primary Key 0xAAAA: [0xAAAA->#0->0xAAAA]
• UserID Alice: [0xAAAA->#0->#1->Alice]
• Subkey 0xAABB: [0xAAAA->#0->#2->0xAABB]

Note: If the certificate does not carry a direct-key self-signature, the primary user-id binding would be used as root link in its place. A binding can also be a revocation. In such case, the whole chain represents a revocation.

In Web-of-Trust scenarios, signature chains can span multiple certificates.

Example:

                               ________________
                              v               |
               [PRIMARY KEY 0xAAAA]---(DIRECT KEY SIG #0)
               /         |     \
  (USERID BINDING #1)    |      \
        |                |  (DELEGATION #2)-->[PRIMARY KEY 0xBBBB]
        |                \                            |
        v                 \                  (USERID BINDING #3)
 [USERID Alice]      (CERTIFICATION #4)               |
                             \                        v
                              \________________>[USERID Bob]
 

Here, Alice delegated trust to Bob by issuing a direct key delegation signature (#0) over Bobs primary key, as well as a 3rd-party certification signature for UserID Bob. Now there are the following paths of trust from Alice's certificate down to Bobs certificate:

• Bobs Certificate (primary key 0xBBBB): [0xAAAA->#0->#2->0xBBBB
• Bobs UserID Bob: [0xAAAA->#0->#4->Bob

Note, that certificate 0xAAAA holds signatures #0,#1, while certificate 0xBBBB holds signatures #2,#3,#4.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	OpenPGPCertificate.OpenPGPSignatureChain.Certification "Positive" signature chain link.
static class	OpenPGPCertificate.OpenPGPSignatureChain.Link Link in a OpenPGPCertificate.OpenPGPSignatureChain.
static class	OpenPGPCertificate.OpenPGPSignatureChain.Revocation "Negative" signature chain link.

Method Summary

Modifier and Type	Method and Description
int	compareTo(OpenPGPCertificate.OpenPGPSignatureChain other)
static OpenPGPCertificate.OpenPGPSignatureChain	direct(OpenPGPCertificate.OpenPGPComponentSignature sig) Factory method for creating an OpenPGPCertificate.OpenPGPSignatureChain with only a single link.
OpenPGPCertificate.OpenPGPSignatureChain.Link	getLeafLink() Return the last link in the chain, which applies to the chains target component.
OpenPGPCertificate.OpenPGPComponentKey	getLeafLinkTargetKey() Return the OpenPGPCertificate.OpenPGPComponentKey to which the leaf link applies to.
OpenPGPCertificate.OpenPGPComponentSignature	getRevocation() Return the first revocation signature in the chain, or null if the chain does not contain any revocations.
OpenPGPCertificate.OpenPGPSignatureChain.Link	getRootLink() Return the very first link in the chain.
OpenPGPCertificate.OpenPGPComponentKey	getRootLinkIssuer() Return the issuer of the root link.
OpenPGPCertificate.OpenPGPComponentSignature	getSignature() Return the signature from the leaf of the chain, which directly applies to the OpenPGPCertificate.OpenPGPCertificateComponent.
java.util.List<OpenPGPCertificate.OpenPGPComponentSignature>	getSignatures() Return a List of all signatures in the chain.
java.util.Date	getSince() Return the date since which this signature chain is valid.
java.util.Date	getUntil() Return the date until which the chain link is valid.
boolean	isCertification() Return true, if the chain only consists of non-revocation signatures and is therefore a certification chain.
boolean	isEffectiveAt(java.util.Date evaluationDate) Return true if the chain is effective at the given evaluation date, meaning all link signatures have been created before the evaluation time, and none signature expires before the evaluation time.
boolean	isHardRevocation() Return true, if the chain contains at least one link that represents a hard revocation.
boolean	isRevocation() Return true, if the chain contains at least one revocation signature.
boolean	isValid() Return true if the signature chain is valid, meaning all its chain links are valid.
boolean	isValid(PGPContentVerifierBuilderProvider contentVerifierBuilderProvider, OpenPGPPolicy policy) Return true if the signature chain is valid, meaning all its chain links are valid.
java.util.Iterator<OpenPGPCertificate.OpenPGPSignatureChain.Link>	iterator()
OpenPGPCertificate.OpenPGPSignatureChain	plus(OpenPGPCertificate.OpenPGPComponentSignature sig) Return an NEW instance of the OpenPGPCertificate.OpenPGPSignatureChain with the new link appended.
java.lang.String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.lang.Iterable

forEach, spliterator

Method Detail

getSignature

public OpenPGPCertificate.OpenPGPComponentSignature getSignature()

Return the signature from the leaf of the chain, which directly applies to the OpenPGPCertificate.OpenPGPCertificateComponent.

Returns:

signature

getRevocation

public OpenPGPCertificate.OpenPGPComponentSignature getRevocation()

Return the first revocation signature in the chain, or null if the chain does not contain any revocations.

Returns:

first revocation signature

getSignatures

public java.util.List<OpenPGPCertificate.OpenPGPComponentSignature> getSignatures()

Return a List of all signatures in the chain.

Returns:

list of signatures

plus

public OpenPGPCertificate.OpenPGPSignatureChain plus(OpenPGPCertificate.OpenPGPComponentSignature sig)

Return an NEW instance of the OpenPGPCertificate.OpenPGPSignatureChain with the new link appended.

Parameters:

sig - signature

Returns:

new instance

direct

public static OpenPGPCertificate.OpenPGPSignatureChain direct(OpenPGPCertificate.OpenPGPComponentSignature sig)

Factory method for creating an OpenPGPCertificate.OpenPGPSignatureChain with only a single link.

Parameters:

sig - signature

Returns:

chain

getRootLink

public OpenPGPCertificate.OpenPGPSignatureChain.Link getRootLink()

Return the very first link in the chain. This is typically a link that originates from the issuing certificates primary key.

Returns:

root link

getRootLinkIssuer

public OpenPGPCertificate.OpenPGPComponentKey getRootLinkIssuer()

Return the issuer of the root link. This is typically the issuing certificates primary key.

Returns:

root links issuer

getLeafLink

public OpenPGPCertificate.OpenPGPSignatureChain.Link getLeafLink()

Return the last link in the chain, which applies to the chains target component.

Returns:

leaf link

getLeafLinkTargetKey

public OpenPGPCertificate.OpenPGPComponentKey getLeafLinkTargetKey()

Return the OpenPGPCertificate.OpenPGPComponentKey to which the leaf link applies to. For subkey binding signatures, this is the subkey. For user-id certification signatures, it is the primary key.

Returns:

target key component of the leaf link

isCertification

public boolean isCertification()

Return true, if the chain only consists of non-revocation signatures and is therefore a certification chain.

Returns:

true if the chain is a certification, false if it contains a revocation link.

isRevocation

public boolean isRevocation()

Return true, if the chain contains at least one revocation signature.

Returns:

true if the chain is a revocation.

isHardRevocation

public boolean isHardRevocation()

Return true, if the chain contains at least one link that represents a hard revocation.

Returns:

true if chain is hard revocation, false if it is a certification or soft revocation

getSince

public java.util.Date getSince()

Return the date since which this signature chain is valid. This is the creation time of the most recent link in the chain.

Returns:

most recent signature creation time

getUntil

public java.util.Date getUntil()

Return the date until which the chain link is valid. This is the earliest expiration time of any signature in the chain.

Returns:

earliest expiration time

isEffectiveAt

public boolean isEffectiveAt(java.util.Date evaluationDate)

Return true if the chain is effective at the given evaluation date, meaning all link signatures have been created before the evaluation time, and none signature expires before the evaluation time.

Parameters:

evaluationDate - reference time

Returns:

true if chain is effective at evaluation date

isValid

public boolean isValid()
                throws PGPSignatureException

Return true if the signature chain is valid, meaning all its chain links are valid.

Returns:

true if chain is valid

Throws:

PGPSignatureException - if an exception occurs during signature verification

isValid

public boolean isValid(PGPContentVerifierBuilderProvider contentVerifierBuilderProvider,
                       OpenPGPPolicy policy)
                throws PGPSignatureException

Return true if the signature chain is valid, meaning all its chain links are valid.

Parameters:

contentVerifierBuilderProvider - provider for content verifier builders

policy - algorithm policy

Returns:

true if chain is valid

Throws:

PGPSignatureException - if an exception occurs during signature verification

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object

compareTo

public int compareTo(OpenPGPCertificate.OpenPGPSignatureChain other)

Specified by:

compareTo in interface java.lang.Comparable<OpenPGPCertificate.OpenPGPSignatureChain>

iterator

public java.util.Iterator<OpenPGPCertificate.OpenPGPSignatureChain.Link> iterator()

Specified by:

iterator in interface java.lang.Iterable<OpenPGPCertificate.OpenPGPSignatureChain.Link>