laubstein · August 4, 2021 13:39
diff --git a/org.demoiselle.signer.core.ca.provider.ProviderCA b/org.demoiselle.signer.core.ca.provider.ProviderCA
 # src/main/resources/META-INF/services/org.demoiselle.signer.core.ca.provider.ProviderCA
 br.gov.example.demoiselle.TrustStoreProvider
diff --git a/TrustStoreProvider.java b/TrustStoreProvider.java
 package br.gov.example.demoiselle;

 import org.demoiselle.signer.core.ca.provider.ProviderCA;
 import org.demoiselle.signer.core.util.MessagesBundle;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;

 /**
 * TrustStoreProvider retorna CA's disponíveis na truststore
 */
 public class TrustStoreProvider implements ProviderCA {

    private static final String JAVAX_NET_SSL_TRUST_STORE = "javax.net.ssl.trustStore";
    private static final String JAVAX_NET_SSL_TRUST_STORE_PWD = "javax.net.ssl.trustStorePassword";
    private static final String JKS = "JKS";
    private static final Logger LOGGER = LoggerFactory.getLogger(TrustStoreProvider.class);
    private static final String CN = "CN";
    private static final String HOM = "hom";
    private static final String ICP_BRASIL = "icp-brasil";
    private static final String COMMA = ",";
    private static MessagesBundle chainMessagesBundle = new MessagesBundle();
    private static Collection<X509Certificate> trustStoreCAs = new ArrayList<>();

    static {
        LOGGER.info("Inicializando TrustStoreProvider");
        KeyStore keyStore = null;
        try {
            String trustStorePath = System.getProperty(JAVAX_NET_SSL_TRUST_STORE);
            String trustStorePassword = System.getProperty(JAVAX_NET_SSL_TRUST_STORE_PWD);

            try (InputStream is = new FileInputStream(trustStorePath)) {
                keyStore = KeyStore.getInstance(JKS);
                keyStore.load(is, trustStorePassword.toCharArray());
            }
        } catch (KeyStoreException ex) {
            LOGGER.error(chainMessagesBundle.getString("error.load.keystore"), ex);
        } catch (NoSuchAlgorithmException ex) {
            LOGGER.error(chainMessagesBundle.getString("error.no.algorithm"), ex);
        } catch (CertificateException ex) {
            LOGGER.error(chainMessagesBundle.getString("error.jks.certificate"), ex);
        } catch (IOException ex) {
            LOGGER.error(chainMessagesBundle.getString("error.io"), ex);
        }

        if (null != keyStore) {
            try {
                for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
                    String alias = e.nextElement();
                    X509Certificate root = (X509Certificate) keyStore.getCertificate(alias);

                    String certSubject = root.getSubjectX500Principal().getName();
                    boolean certificatesWhitelist = certSubject.contains(CN) && certSubject.contains(COMMA) && (
                            certSubject.toLowerCase().contains(HOM) || certSubject.toLowerCase().contains(ICP_BRASIL));

                    if (certificatesWhitelist) {
                        LOGGER.info(String.format("Adicionando %s", certSubject));
                        trustStoreCAs.add(root);
                    } else {
                        LOGGER.info(String.format("Ignorando %s", certSubject));
                    }
                }
            } catch (KeyStoreException ex) {
                LOGGER.error(chainMessagesBundle.getString("error.load.keystore"), ex);
            }
        }
    }

    @Override
    public Collection<X509Certificate> getCAs() {
        return trustStoreCAs;
    }

    @Override
    public String getName() {
        return "TrustStore Provider";
    }
 }
	# src/main/resources/META-INF/services/org.demoiselle.signer.core.ca.provider.ProviderCA
	br.gov.example.demoiselle.TrustStoreProvider
	package br.gov.example.demoiselle;

	import org.demoiselle.signer.core.ca.provider.ProviderCA;
	import org.demoiselle.signer.core.util.MessagesBundle;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.io.FileInputStream;
	import java.io.IOException;
	import java.io.InputStream;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.Enumeration;

	/**
	* TrustStoreProvider retorna CA's disponíveis na truststore
	*/
	public class TrustStoreProvider implements ProviderCA {

	private static final String JAVAX_NET_SSL_TRUST_STORE = "javax.net.ssl.trustStore";
	private static final String JAVAX_NET_SSL_TRUST_STORE_PWD = "javax.net.ssl.trustStorePassword";
	private static final String JKS = "JKS";
	private static final Logger LOGGER = LoggerFactory.getLogger(TrustStoreProvider.class);
	private static final String CN = "CN";
	private static final String HOM = "hom";
	private static final String ICP_BRASIL = "icp-brasil";
	private static final String COMMA = ",";
	private static MessagesBundle chainMessagesBundle = new MessagesBundle();
	private static Collection<X509Certificate> trustStoreCAs = new ArrayList<>();

	static {
	LOGGER.info("Inicializando TrustStoreProvider");
	KeyStore keyStore = null;
	try {
	String trustStorePath = System.getProperty(JAVAX_NET_SSL_TRUST_STORE);
	String trustStorePassword = System.getProperty(JAVAX_NET_SSL_TRUST_STORE_PWD);

	try (InputStream is = new FileInputStream(trustStorePath)) {
	keyStore = KeyStore.getInstance(JKS);
	keyStore.load(is, trustStorePassword.toCharArray());
	}
	} catch (KeyStoreException ex) {
	LOGGER.error(chainMessagesBundle.getString("error.load.keystore"), ex);
	} catch (NoSuchAlgorithmException ex) {
	LOGGER.error(chainMessagesBundle.getString("error.no.algorithm"), ex);
	} catch (CertificateException ex) {
	LOGGER.error(chainMessagesBundle.getString("error.jks.certificate"), ex);
	} catch (IOException ex) {
	LOGGER.error(chainMessagesBundle.getString("error.io"), ex);
	}

	if (null != keyStore) {
	try {
	for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
	String alias = e.nextElement();
	X509Certificate root = (X509Certificate) keyStore.getCertificate(alias);

	String certSubject = root.getSubjectX500Principal().getName();
	boolean certificatesWhitelist = certSubject.contains(CN) && certSubject.contains(COMMA) && (
	certSubject.toLowerCase().contains(HOM) \|\| certSubject.toLowerCase().contains(ICP_BRASIL));

	if (certificatesWhitelist) {
	LOGGER.info(String.format("Adicionando %s", certSubject));
	trustStoreCAs.add(root);
	} else {
	LOGGER.info(String.format("Ignorando %s", certSubject));
	}
	}
	} catch (KeyStoreException ex) {
	LOGGER.error(chainMessagesBundle.getString("error.load.keystore"), ex);
	}
	}
	}

	@Override
	public Collection<X509Certificate> getCAs() {
	return trustStoreCAs;
	}

	@Override
	public String getName() {
	return "TrustStore Provider";
	}
	}