/** Load the certificates contained in all the TSL referenced by the LOTL */
public void init() {
diagnosticInfo.clear();
X509Certificate lotlCert = null;
if (checkSignature) {
lotlCert = readLOTLCertificate();
}
TrustStatusList lotl;
try {
LOG.info("Downloading LOTL from url= {}", lotlUrl);
final ArrayList<X509Certificate> x509CertificateList = new ArrayList<X509Certificate>();
x509CertificateList.add(lotlCert);
lotl = getTrustStatusList(lotlUrl, x509CertificateList);
} catch (DSSException e) {
LOG.error("The LOTL cannot be loaded: " + e.getMessage(), e);
throw e;
}
diagnosticInfo.put(lotlUrl, "Loaded " + new Date().toString());
final int size = lotl.getOtherTSLPointers().size();
// final ExecutorService executorService = Executors.newFixedThreadPool(size);
// List<Future> futures = new ArrayList<Future>(size);
for (final PointerToOtherTSL pointerToTSL : lotl.getOtherTSLPointers()) {
// Runnable runnable = new Runnable() {
// public void run() {
final String url = pointerToTSL.getTslLocation();
final String territory = pointerToTSL.getTerritory();
final List<X509Certificate> signingCertList = pointerToTSL.getDigitalIdentity();
try {
loadTSL(url, territory, signingCertList);
} catch (DSSException e) {
LOG.error("Error loading trusted list for {} at {}", new Object[] {territory, url, e});
// do nothing continue with the next trusted list.
}
// }
// };
// final Future submit = executorService.submit(runnable);
// futures.add(submit);
}
// executorService.shutdown();
// while (!executorService.isTerminated()){
// try {
// Thread.sleep(100);
// } catch (InterruptedException e) {
// throw new RuntimeException(e);
// }
// }
// LOG.info("Parallel download of Trusted list done");
loadAdditionalLists();
LOG.info("Loading completed: {} trusted lists", size);
LOG.info(" : {} certificates", certPool.getNumberOfCertificates());
}
/**
* Load a trusted list for the specified URL
*
* @param url
* @param signingCertList
* @return
* @throws java.io.IOException
*/
private TrustStatusList getTrustStatusList(
final String url, final List<X509Certificate> signingCertList) {
byte[] bytes = dataLoader.get(url);
if (bytes == null) {
throw new DSSNullReturnedException(url);
}
final Document doc = DSSXMLUtils.buildDOM(bytes);
boolean coreValidity = true;
if (checkSignature) {
coreValidity = false;
if (signingCertList != null) {
final CommonTrustedCertificateSource commonTrustedCertificateSource =
new CommonTrustedCertificateSource();
for (final X509Certificate x509Certificate : signingCertList) {
commonTrustedCertificateSource.addCertificate(x509Certificate);
}
final CertificateVerifier certificateVerifier = new CommonCertificateVerifier(true);
certificateVerifier.setTrustedCertSource(commonTrustedCertificateSource);
final DSSDocument dssDocument = new InMemoryDocument(bytes);
final XMLDocumentValidator xmlDocumentValidator = new XMLDocumentValidator(dssDocument);
xmlDocumentValidator.setCertificateVerifier(certificateVerifier);
// To increase the security: the default {@code XPathQueryHolder} is used.
final List<XPathQueryHolder> xPathQueryHolders = xmlDocumentValidator.getXPathQueryHolder();
xPathQueryHolders.clear();
final XPathQueryHolder xPathQueryHolder = new XPathQueryHolder();
xPathQueryHolders.add(xPathQueryHolder);
final List<AdvancedSignature> signatures = xmlDocumentValidator.getSignatures();
if (signatures.size() == 0) {
throw new DSSException("Not ETSI compliant signature. The Xml is not signed.");
}
xmlDocumentValidator.validateDocument();
final SimpleReport simpleReport = xmlDocumentValidator.getSimpleReport();
final List<String> signatureIdList = simpleReport.getSignatureIds();
final String signatureId = signatureIdList.get(0);
final String indication = simpleReport.getIndication(signatureId);
coreValidity = Indication.VALID.equals(indication);
LOG.info("The TSL signature validity: " + coreValidity);
if (!coreValidity) {
LOG.info("The TSL signature validity details:\n" + simpleReport);
System.out.println(xmlDocumentValidator.getDiagnosticData());
throw new DSSException("Not ETSI compliant signature. The signature is not valid.");
}
}
}
final TrustStatusList tsl = TrustServiceListFactory.newInstance(doc);
tsl.setWellSigned(coreValidity);
return tsl;
}
/**
* Adds all the service entries (current and history) of all the providers of the trusted list to
* the list of CertificateSource
*
* @param trustStatusList
*/
private void loadAllCertificatesFromOneTSL(final TrustStatusList trustStatusList) {
for (final TrustServiceProvider trustServiceProvider :
trustStatusList.getTrustServicesProvider()) {
for (final AbstractTrustService trustService : trustServiceProvider.getTrustServiceList()) {
if (LOG.isTraceEnabled()) {
LOG.trace("### " + trustService.getServiceName());
LOG.trace("------> " + trustService.getType());
LOG.trace("------> " + trustService.getStatus());
}
for (final Object digitalIdentity : trustService.getDigitalIdentity()) {
try {
X509Certificate x509Certificate = null;
if (digitalIdentity instanceof X509Certificate) {
x509Certificate = (X509Certificate) digitalIdentity;
} else if (digitalIdentity instanceof X500Principal) {
final X500Principal x500Principal = (X500Principal) digitalIdentity;
final List<CertificateToken> certificateTokens = certPool.get(x500Principal);
if (certificateTokens.size() > 0) {
x509Certificate = certificateTokens.get(0).getCertificate();
} else {
LOG.warn(
"There is currently no certificate with the given X500Principal: '{}' within the certificate pool!",
x500Principal);
}
}
if (x509Certificate != null) {
addCertificate(
x509Certificate,
trustService,
trustServiceProvider,
trustStatusList.isWellSigned());
}
} catch (DSSException e) {
// There is a problem when loading the certificate, we continue with the next one.
LOG.warn(e.getLocalizedMessage());
}
}
}
}
}
