DefaultValidationService

Overview

The Default Validation Service has a set of Validators. A validator is responsible for checking  the validity against one or more issuers, using for example CRL check or OCSP, or by checking a database.

The Default Validation Service supports validations to be cached for some or all issuers for a specified amount of time. If not configured otherwise, the validation service uses the DefaultX509CertTypeChecker that determines the certificate type from the key usage in the certificate.

Key Encipherment and Digital Signature indicates an IDENTIFICATION type, and Non-reputation and/or Digital Signature indicates ELECTRONIC_SIGNATURE.

The validation specific Web Service can be used for platform independent client calls. The Web Service WSDL file is located at the URL:

http://<hostname>:8080/signserver/validationws/validationws?wsdl

The file contains two calls:

  • isValid:  Performs the validation check.
  • getStatus: Checks the health of the node and its underlying systems. Can be used by clients for monitoring or implementing redundancy.

Available Properties

The following property types can be configured with the DefaultValidationService:

  • General Properties: Apply for the service and all configured validators.
  • Validator Properties: Only apply for a specific validator.
  • Issuer Properties; Only apply for an issuer configured in a specific validator.

General Properties

PropertyDescription
CACHEDISSUERS A ';' separated list of issuer names (usually issuer DNs). Optional, no validation is cached if unset.
CERTTYPECHECKER Certificate type checker used to determine the type of certificate. Optional, default is org.signserver.validationservice.server.DefaultX509CertTypeChecker-
TIMEINCACHE Time in seconds that a certificate validation should be cached. Optional, default is 10 seconds.

Validator Properties

Validator properties are specified using the prefix of validator<validatorId>. or val<validatorId>., were <validatorId> is an integer between 1 and 255. For example, to specify the type of a validator with an ID of 1:

val1.classpath=some.classpath.SomeClass

This validator will be initialized with all its validator specific properties, (with val<id>. prefix removed), as well as the general ones.

PropertyDescription
CLASSPATH 

Fully qualified class name of the validator that should be used. Required for each configured validator.

Issuer properties: Issuer properties are specified as val<val id>.issuer<issuer id>.<property> were issuer ID is a positive integer between 1 and 255. All generic and validator specific properties (with the given validator id) will also be propagated to the specific issuer configuration.

CERTCHAIN = The certificate path of the CA certificates used to verify the certificate. Should be a appended BASE64 string. Required for each configured issuer.

Example configuration of a validation service:

# Set up the worker -> validation service wrapper
WORKER1.IMPLEMENTATION_CLASS=org.signserver.validationservice .server.ValidationServiceWorker
#Uncomment and set class path to custom validation service, otherwise is default #used.
#WORKER1.TYPE=

# Name of Service (Optional)
WORKER1.NAME=ValidationService1

# Define TestCA2 and TestCA3 as a cached for 15 seconds, TestCA1 is Not cached.
WORKER1.CACHEDISSUERS=CN=TestCA2;CN=TestCA3
WORKER1.TIMEINCACHE=15

# Define a validator in charge of issuer TestCA1 and TestCA2
WORKER1.VAL1.CLASSPATH=<Class path to some validator>
WORKER1.VAL1.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....
WORKER1.VAL1.ISSUER2.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....

# Define a validator in charge of issuer TestCA3
WORKER1.VAL2.CLASSPATH=<Class path to some validator>
WORKER1.VAL2.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231.....