MyX509TrustManager() throws java.security.GeneralSecurityException {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
KeyStore ks = KeyStore.getInstance("JKS");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
try {
ks.load(null, null);
File cacert = new File(cafile);
if (!cacert.exists() || !cacert.canRead()) return;
InputStream caStream = new FileInputStream(cafile);
X509Certificate ca = (X509Certificate) cf.generateCertificate(caStream);
ks.setCertificateEntry("CA", ca);
PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
File crlcert = new File(crlfile);
if (!crlcert.exists() || !crlcert.canRead()) {
params.setRevocationEnabled(false);
} else {
InputStream crlStream = new FileInputStream(crlfile);
Collection<? extends CRL> crls = cf.generateCRLs(crlStream);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
params.addCertStore(store);
params.setRevocationEnabled(true);
}
tmf.init(new CertPathTrustManagerParameters(params));
} catch (java.io.FileNotFoundException e) {
vlog.error(e.toString());
} catch (java.io.IOException e) {
vlog.error(e.toString());
}
tm = (X509TrustManager) tmf.getTrustManagers()[0];
}
/**
* Return the initialization parameters for the TrustManager. Currently, only the default <code>
* PKIX</code> is supported.
*
* @param algorithm The algorithm to get parameters for.
* @param crlf The path to the CRL file.
* @param trustStore The configured TrustStore.
* @return The parameters including the CRLs and TrustStore.
*/
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore)
throws Exception {
CertPathParameters params = null;
if ("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
Collection crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
String trustLength = (String) attributes.get("trustMaxCertLength");
if (trustLength != null) {
try {
xparams.setMaxPathLength(Integer.parseInt(trustLength));
} catch (Exception ex) {
log.warn("Bad maxCertLength: " + trustLength);
}
}
params = xparams;
} else {
throw new CRLException("CRLs not supported for type: " + algorithm);
}
return params;
}
private X509Certificate[] doBuild(X509Certificate[] chain, Collection otherCerts)
throws CertificateException {
try {
PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
setDate(params);
// setup target constraints
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(chain[0]);
params.setTargetCertConstraints(selector);
// setup CertStores
Collection certs = new ArrayList();
certs.addAll(Arrays.asList(chain));
if (otherCerts != null) {
certs.addAll(otherCerts);
}
CertStore store =
CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
params.addCertStore(store);
// do the build
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
return toArray(result.getCertPath(), result.getTrustAnchor());
} catch (GeneralSecurityException e) {
throw new ValidatorException("PKIX path building failed: " + e.toString(), e);
}
}
private void testExceptions() throws Exception {
byte[] enc = {(byte) 0, (byte) 2, (byte) 3, (byte) 4, (byte) 5};
MyCertPath mc = new MyCertPath(enc);
ByteArrayOutputStream os = new ByteArrayOutputStream();
ByteArrayInputStream is;
byte[] arr;
ObjectOutputStream oOut = new ObjectOutputStream(os);
oOut.writeObject(mc);
oOut.flush();
oOut.close();
try {
CertificateFactory cFac = CertificateFactory.getInstance("X.509", "BC");
arr = os.toByteArray();
is = new ByteArrayInputStream(arr);
cFac.generateCertPath(is);
} catch (CertificateException e) {
// ignore okay
}
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List certCol = new ArrayList();
certCol.add(cf.generateCertificate(new ByteArrayInputStream(certA)));
certCol.add(cf.generateCertificate(new ByteArrayInputStream(certB)));
certCol.add(cf.generateCertificate(new ByteArrayInputStream(certC)));
certCol.add(cf.generateCertificate(new ByteArrayInputStream(certD)));
CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC");
X509CertSelector select = new X509CertSelector();
select.setSubject(((X509Certificate) certCol.get(0)).getSubjectX500Principal().getEncoded());
Set trustanchors = new HashSet();
trustanchors.add(
new TrustAnchor(
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(rootCertBin)), null));
CertStore certStore =
CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select);
params.addCertStore(certStore);
try {
CertPathBuilderResult result = pathBuilder.build(params);
CertPath path = result.getCertPath();
fail("found cert path in circular set");
} catch (CertPathBuilderException e) {
// expected
}
}
/**
* Build a path using the given root as the trust anchor, and the passed in end constraints and
* certificate store.
*
* <p>Note: the path is built with revocation checking turned off.
*/
public static PKIXCertPathBuilderResult buildPath(
X509Certificate rootCert, X509CertSelector endConstraints, CertStore certsAndCRLs)
throws Exception {
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
PKIXBuilderParameters buildParams =
new PKIXBuilderParameters(
Collections.singleton(new TrustAnchor(rootCert, null)), endConstraints);
buildParams.addCertStore(certsAndCRLs);
buildParams.setRevocationEnabled(false);
return (PKIXCertPathBuilderResult) builder.build(buildParams);
}
private void validateChain(List<Certificate> chain, Certificate cert) {
List<Certificate> certs = new ArrayList<Certificate>();
List<Certificate> root = new ArrayList<Certificate>();
Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
certs.add(cert); // adding for self signed certs
certs.addAll(chain);
for (Certificate c : certs) {
if (!(c instanceof X509Certificate))
throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
X509Certificate xCert = (X509Certificate) c;
Principal subject = xCert.getSubjectDN();
Principal issuer = xCert.getIssuerDN();
if (issuer != null && subject.equals(issuer)) {
root.add(c);
anchors.add(new TrustAnchor(xCert, null));
}
}
if (root.size() == 0)
throw new IllegalArgumentException("No root certificates found for certificate chain", null);
X509CertSelector target = new X509CertSelector();
target.setCertificate((X509Certificate) cert);
PKIXBuilderParameters params = null;
try {
params = new PKIXBuilderParameters(anchors, target);
params.setRevocationEnabled(false);
params.addCertStore(
CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
builder.build(params);
} catch (InvalidAlgorithmParameterException e) {
throw new IllegalArgumentException("Invalid certificate chain", e);
} catch (CertPathBuilderException e) {
throw new IllegalArgumentException("Invalid certificate chain", e);
} catch (NoSuchAlgorithmException e) {
throw new IllegalArgumentException("Invalid certificate chain", e);
} catch (NoSuchProviderException e) {
throw new CloudRuntimeException("No provider for certificate validation", e);
}
}
private void checkCircProcessing() throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate caCert =
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCA));
X509Certificate crlCaCert =
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCRLCA));
X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(circCRL));
List list = new ArrayList();
list.add(caCert);
list.add(crlCaCert);
list.add(crl);
CertStoreParameters ccsp = new CollectionCertStoreParameters(list);
CertStore store = CertStore.getInstance("Collection", ccsp);
Date validDate = new Date(crl.getThisUpdate().getTime() + 60 * 60 * 1000);
// validating path
List certchain = new ArrayList();
certchain.add(crlCaCert);
CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain);
Set trust = new HashSet();
trust.add(new TrustAnchor(caCert, null));
CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
// PKIXParameters param = new PKIXParameters(trust);
PKIXBuilderParameters param = new PKIXBuilderParameters(trust, null);
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(crlCaCert);
param.setTargetCertConstraints(certSelector);
param.addCertStore(store);
param.setRevocationEnabled(true);
param.setDate(validDate);
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, param);
}
PKIXValidator(String variant, PKIXBuilderParameters params) {
super(TYPE_PKIX, variant);
trustedCerts = new HashSet();
for (Iterator t = params.getTrustAnchors().iterator(); t.hasNext(); ) {
TrustAnchor anchor = (TrustAnchor) t.next();
X509Certificate cert = anchor.getTrustedCert();
if (cert != null) {
trustedCerts.add(cert);
}
}
parameterTemplate = params;
initCommon();
}
/**
* Initialize the builder with the input parameters.
*
* @param params the parameter set used to build a certification path
*/
ReverseBuilder(PKIXBuilderParameters buildParams, X500Principal targetSubjectDN) {
super(buildParams, targetSubjectDN);
// Initialize date if not specified
date = buildParams.getDate();
if (date == null) {
date = new Date();
}
targetCertSelector = (X509CertSelector) buildParams.getTargetCertConstraints();
Set initialPolicies = buildParams.getInitialPolicies();
initPolicies = new HashSet();
if (initialPolicies.isEmpty()) {
// if no initialPolicies are specified by user, set
// initPolicies to be anyPolicy by default
initPolicies.add(PolicyChecker.ANY_POLICY);
} else {
Iterator i = initialPolicies.iterator();
while (i.hasNext()) {
initPolicies.add(i.next());
}
}
}
// controlla che il certificato del firmatario sia affidabile controllando la sua catena di
// certificati
// valida il certificato X509 del firmatario usando il built-in PKIX support messo a disposizione
// da java
// caricando il keystore contenente i certificati degli enti certificatori autorizzati dallo stato
// italiano
private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer)
throws FirmapiuException {
// genera la lista di certificati da controllare per generare la catena dei certificati del
// firmatario
// TODO quali certificati carica esattamente?
Collection<?> certCollection = certStore.getMatches(signer.getSID());
Iterator<?> certIt = certCollection.iterator();
X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
List<X509Certificate> chain = new LinkedList<X509Certificate>();
JcaX509CertificateConverter certConverter =
new JcaX509CertificateConverter().setProvider(this.bcProvName);
try {
X509Certificate x509cert = certConverter.getCertificate(cert);
chain.add(x509cert);
while (certIt.hasNext()) {
x509cert = certConverter.getCertificate((X509CertificateHolder) certIt.next());
chain.add(x509cert);
}
} catch (CertificateException e) {
new FirmapiuException(CERT_DEFAULT_ERROR, e);
}
// carica i certificati presenti nel token crittografico passato come parametro
KeyStore anchors = this.token.loadKeyStore(null);
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params;
CertPathBuilder builder;
try {
params = new PKIXBuilderParameters(anchors, target);
// disabilita il controllo delle CRL
params.setRevocationEnabled(false);
// se il certificato è scaduto cerca di generare lo stesso la catena dei certificati
try {
X509Certificate x509cert = certConverter.getCertificate(cert);
// long before=x509cert.getNotBefore().getTime();
long after = x509cert.getNotAfter().getTime();
after -= 10;
params.setDate(new Date(after));
} catch (CertificateException e) {
throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
}
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
params.addCertStore(CertStore.getInstance("Collection", intermediates));
params.setSigProvider(this.bcProvName);
builder = CertPathBuilder.getInstance("PKIX", this.bcProvName);
} catch (KeyStoreException | InvalidAlgorithmParameterException e) {
throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
throw new FirmapiuException(DEFAULT_ERROR, e);
}
/*
* If build() returns successfully, the certificate is valid. More details
* about the valid path can be obtained through the PKIXBuilderResult.
* If no valid path can be found, a CertPathBuilderException is thrown.
*/
try {
return (PKIXCertPathBuilderResult) builder.build(params);
} catch (CertPathBuilderException e) {
throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e);
} catch (InvalidAlgorithmParameterException e) {
throw new FirmapiuException(DEFAULT_ERROR, e);
}
} // fine metodo
private X509Certificate[] doValidate(X509Certificate[] chain) throws CertificateException {
PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
return doValidate(chain, params);
}
/** Set the check date (for debugging). */
private void setDate(PKIXBuilderParameters params) {
Date date = validationDate;
if (date != null) {
params.setDate(date);
}
}
X509Certificate[] engineValidate(X509Certificate[] chain, Collection otherCerts, Object parameter)
throws CertificateException {
if ((chain == null) || (chain.length == 0)) {
throw new CertificateException("null or zero-length certificate chain");
}
if (TRY_VALIDATOR) {
// check that chain is in correct order and check if chain contains
// trust anchor
X500Principal prevIssuer = null;
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
X500Principal dn = cert.getSubjectX500Principal();
if (i != 0 && !dn.equals(prevIssuer)) {
// chain is not ordered correctly, call builder instead
return doBuild(chain, otherCerts);
}
// Check if chain[i] is already trusted. It may be inside
// trustedCerts, or has the same dn and public key as a cert
// inside trustedCerts. The latter happens when a CA has
// updated its cert with a stronger signature algorithm in JRE
// but the weak one is still in circulation.
if (trustedCerts.contains(cert)
|| // trusted cert
(trustedSubjects.containsKey(dn)
&& // replacing ...
trustedSubjects
.get(dn)
.contains( // ... weak cert
cert.getPublicKey()))) {
if (i == 0) {
return new X509Certificate[] {chain[0]};
}
// Remove and call validator on partial chain [0 .. i-1]
X509Certificate[] newChain = new X509Certificate[i];
System.arraycopy(chain, 0, newChain, 0, i);
return doValidate(newChain);
}
prevIssuer = cert.getIssuerX500Principal();
}
// apparently issued by trust anchor?
X509Certificate last = chain[chain.length - 1];
X500Principal issuer = last.getIssuerX500Principal();
X500Principal subject = last.getSubjectX500Principal();
if (trustedSubjects.containsKey(issuer)
&& isSignatureValid(trustedSubjects.get(issuer), last)) {
return doValidate(chain);
}
// don't fallback to builder if called from plugin/webstart
if (plugin) {
// Validate chain even if no trust anchor is found. This
// allows plugin/webstart to make sure the chain is
// otherwise valid
if (chain.length > 1) {
X509Certificate[] newChain = new X509Certificate[chain.length - 1];
System.arraycopy(chain, 0, newChain, 0, newChain.length);
// temporarily set last cert as sole trust anchor
PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
try {
params.setTrustAnchors(
Collections.singleton(new TrustAnchor(chain[chain.length - 1], null)));
} catch (InvalidAlgorithmParameterException iape) {
// should never occur, but ...
throw new CertificateException(iape);
}
doValidate(newChain, params);
}
// if the rest of the chain is valid, throw exception
// indicating no trust anchor was found
throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
}
// otherwise, fall back to builder
}
return doBuild(chain, otherCerts);
}
/**
* Set J2SE global default PKIX parameters. Currently, hardcoded to disable revocation checking.
* In the future, this should be configurable.
*/
private void setDefaultParameters(String variant) {
parameterTemplate.setRevocationEnabled(false);
}