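/**
 * Validates the "circ" fixture's CRL-issuer certificate with PKIX revocation checking enabled.
 *
 * <p>The trust anchor is the certificate parsed from {@code circCA}; the path under test consists
 * of the single certificate parsed from {@code circCRLCA}; the CRL parsed from {@code circCRL} is
 * placed, together with both certificates, in a collection {@link CertStore} so the PKIX validator
 * can find it when it checks revocation. The validation time is pinned to one hour after the
 * CRL's {@code thisUpdate} so the CRL counts as current regardless of the wall clock.
 *
 * @throws Exception if parsing fails, or if validation fails — {@code validate()} throws on any
 *     invalid or revoked path, so reaching the end of the method is the success condition
 */
private void checkCircProcessing() throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
    X509Certificate caCert =
        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCA));
    X509Certificate crlCaCert =
        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCRLCA));
    X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(circCRL));

    // Both certificates and the CRL go into one store: revocation checking looks the CRL up here.
    List<Object> storeContents = new ArrayList<>();
    storeContents.add(caCert);
    storeContents.add(crlCaCert);
    storeContents.add(crl);
    CertStoreParameters ccsp = new CollectionCertStoreParameters(storeContents);
    CertStore store = CertStore.getInstance("Collection", ccsp);

    // Validation time relative to the CRL, so the check does not depend on when it is run.
    Date validDate = new Date(crl.getThisUpdate().getTime() + 60 * 60 * 1000);

    // Path under test: only the CRL-issuer certificate, anchored at caCert.
    List<X509Certificate> certchain = new ArrayList<>();
    certchain.add(crlCaCert);
    CertPath cp = cf.generateCertPath(certchain);
    Set<TrustAnchor> trust = new HashSet<>();
    trust.add(new TrustAnchor(caCert, null));

    CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
    PKIXBuilderParameters param = new PKIXBuilderParameters(trust, null);
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(crlCaCert);
    param.setTargetCertConstraints(certSelector);
    param.addCertStore(store);
    param.setRevocationEnabled(true);
    param.setDate(validDate);

    // Only the outcome matters: validate() throws CertPathValidatorException on failure.
    cpv.validate(cp, param);
}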
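/**
 * Checks that the signer's certificate chains to one of the trust anchors held in the configured
 * cryptographic token, using Java's built-in PKIX {@link CertPathBuilder}.
 *
 * <p>Candidate certificates are the entries of {@code certStore} matching the signer's SID; the
 * first match is treated as the signer certificate and becomes the path target, all matches are
 * offered to the builder as intermediates. Trust anchors come from the key store loaded from
 * {@code token}.
 *
 * <p>NOTE: this check deliberately does not enforce revocation ({@code setRevocationEnabled(false)})
 * and validates the path as of 10 ms before the signer certificate's {@code notAfter}, so a path
 * is still built for an already-expired signer certificate. Callers that need revocation status
 * or "valid now" semantics must check those separately.
 *
 * @param signer the signer whose certificate is to be checked
 * @return the PKIX build result describing the path that was found
 * @throws FirmapiuException with {@code CERT_DEFAULT_ERROR} if no certificate matches the signer or
 *     a certificate cannot be converted; {@code CERT_KEYSTORE_DEFAULT_ERROR} if the trust store or
 *     builder parameters are unusable; {@code VERIFY_SIGNER_CERTPATH_ERROR} if no trusted path
 *     exists; {@code DEFAULT_ERROR} for provider or algorithm problems
 */
private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer) throws FirmapiuException {
    // TODO which certificates exactly does certStore.getMatches(...) return here?
    List<X509Certificate> chain = signerChain(signer);
    X509Certificate signerCert = chain.get(0);

    // Trust anchors: the certificates present in the configured cryptographic token.
    KeyStore anchors = this.token.loadKeyStore(null);
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(signerCert);

    PKIXBuilderParameters params;
    CertPathBuilder builder;
    try {
        params = new PKIXBuilderParameters(anchors, target);
        // CRL checking intentionally disabled (see method Javadoc).
        params.setRevocationEnabled(false);
        // Validate just before the signer certificate expires so that a path can still be
        // built when the certificate has already expired.
        params.setDate(new Date(signerCert.getNotAfter().getTime() - 10));
        CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
        params.addCertStore(CertStore.getInstance("Collection", intermediates));
        params.setSigProvider(this.bcProvName);
        builder = CertPathBuilder.getInstance("PKIX", this.bcProvName);
    } catch (KeyStoreException | InvalidAlgorithmParameterException e) {
        throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
        throw new FirmapiuException(DEFAULT_ERROR, e);
    }

    // build() returns only when a valid path exists; otherwise it throws
    // CertPathBuilderException, which is reported as VERIFY_SIGNER_CERTPATH_ERROR.
    try {
        return (PKIXCertPathBuilderResult) builder.build(params);
    } catch (CertPathBuilderException e) {
        throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new FirmapiuException(DEFAULT_ERROR, e);
    }
}

/**
 * Converts every certificate in {@code certStore} matching the signer's SID to an
 * {@link X509Certificate}, in store order; the first element is taken as the signer certificate.
 *
 * @param signer the signer whose SID selects the certificates
 * @return a non-empty list of converted certificates
 * @throws FirmapiuException with {@code CERT_DEFAULT_ERROR} if nothing matches the SID or a
 *     certificate cannot be converted (previously the conversion failure was silently dropped)
 */
private List<X509Certificate> signerChain(SignerInformation signer) throws FirmapiuException {
    Collection<?> matches = certStore.getMatches(signer.getSID());
    if (matches.isEmpty()) {
        // No match means there is nothing to validate; surface that instead of failing on next().
        throw new FirmapiuException(CERT_DEFAULT_ERROR,
            new CertificateException("no certificate in store matches signer SID " + signer.getSID()));
    }
    JcaX509CertificateConverter certConverter =
        new JcaX509CertificateConverter().setProvider(this.bcProvName);
    List<X509Certificate> chain = new ArrayList<>(matches.size());
    try {
        for (Object holder : matches) {
            chain.add(certConverter.getCertificate((X509CertificateHolder) holder));
        }
    } catch (CertificateException e) {
        throw new FirmapiuException(CERT_DEFAULT_ERROR, e);
    }
    return chain;
}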
/**
 * Applies the configured validation date to {@code params}, if one has been set.
 *
 * <p>Debugging aid: a non-null {@code validationDate} pins the time at which the PKIX builder
 * evaluates certificate validity; when it is null, {@code params} is left untouched.
 *
 * @param params the builder parameters to update
 */
private void setDate(PKIXBuilderParameters params) {
    final Date configured = validationDate;
    if (configured == null) {
        return;
    }
    params.setDate(configured);
}