OCSPConfig.java

/*
 * GovWay - A customizable API Gateway 
 * https://govway.org
 * 
 * Copyright (c) 2005-2025 Link.it srl (https://link.it). 
 * 
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3, as published by
 * the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
package org.openspcoop2.utils.certificate.ocsp;

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.apache.commons.lang.StringUtils;
import org.openspcoop2.utils.UtilsException;
import org.openspcoop2.utils.certificate.ExtendedKeyUsage;
import org.openspcoop2.utils.certificate.KeystoreType;
import org.openspcoop2.utils.random.SecureRandomAlgorithm;
import org.openspcoop2.utils.transport.http.HttpUtilities;
import org.slf4j.Logger;

/**
 * OCSPConfig
 *
 * @author Poli Andrea (apoli@link.it)
 * @author $Author$
 * @version $Rev$, $Date$
 */
public class OCSPConfig {
    
    private String id;

    private String type;
    
    private String label;
    
    private boolean certificateChainVerify = true;
    
    private boolean checkValidity = true;
    private boolean checkCAValidity = true;
    
    private List<CertificateSource> caSource = new ArrayList<>();
    private String alternativeTrustStoreCAPath;
    private String alternativeTrustStoreCAPassword;
    private String alternativeTrustStoreCAType;
    private boolean rejectsCertificateWithoutCA = true;
    
    private String trustStoreSignerPath;
    private String trustStoreSignerPassword;
    private String trustStoreSignerType;
    private String aliasCertificateSigner;
    
    private boolean nonce;
    
    private List<CertificateSource> responderUrlSource = new ArrayList<>();
    private List<String> alternativeResponderUrl;
    private List<String> alternativeResponderUrlCA;
    private boolean rejectsCertificateWithoutResponderUrl = true;
    private boolean rejectsCAWithoutResponderUrl = false;
    private List<OCSPResponseCode> responderBreakStatus = null;
    private List<Integer> responderReturnCodeOk = null;
    
    // fondamentale per prevenire attacchi man in the middle (siamo in http) firmando con un altro certificato rilasciato dalla CA, non adibito a firmare risposte OCSP
    private List<ExtendedKeyUsage> extendedKeyUsageRequired = null;
    
    private int readTimeout = HttpUtilities.HTTP_READ_CONNECTION_TIMEOUT;
    private int connectTimeout = HttpUtilities.HTTP_CONNECTION_TIMEOUT;
        
    private boolean externalResourcesHostnameVerifier = true;
    private boolean externalResourcesTrustAllCerts = false;
    private String externalResourcesTrustStorePath;
    private String externalResourcesTrustStorePassword;
    private String externalResourcesTrustStoreType;
    
    private String externalResourcesKeyStorePath;
    private String externalResourcesKeyStorePassword;
    private String externalResourcesKeyStoreType;
    private String externalResourcesKeyAlias;
    private String externalResourcesKeyPassword;
    
    private String externalResourcesUsername;
    private String externalResourcesPassword;
    
    private String forwardProxyUrl;
    private String forwardProxyHeader;
    private String forwardProxyQueryParameter;
    private boolean forwardProxyBase64;
    
    private SecureRandomAlgorithm secureRandomAlgorithm;
    
    private int responseCheckDateToleranceMilliseconds;

    private boolean crlSigningCertCheck=false;
    private boolean crlCaCheck=false;
    private boolean crl = false;
    
    private List<CertificateSource> crlSource = new ArrayList<>();
    private List<String> crlAlternative = null;
    private boolean rejectsCertificateWithoutCRL = false;
    private boolean rejectsCAWithoutCRL = false;
    
    private List<CertificateSource> crlTrustStoreSource = new ArrayList<>();
    private String alternativeTrustStoreCRLPath;
    private String alternativeTrustStoreCRLPassword;
    private String alternativeTrustStoreCRLType;
                

    public String getId() {
        return this.id;
    }

    public String getType() {
        return this.type;
    }
    public String getLabel() {
        return this.label;
    }
    
    public boolean isCertificateChainVerify() {
        return this.certificateChainVerify;
    }
    
    public boolean isCheckValidity() {
        return this.checkValidity;
    }

    public boolean isCheckCAValidity() {
        return this.checkCAValidity;
    }
    
    public List<CertificateSource> getCaSource() {
        return this.caSource;
    }
    public String getAlternativeTrustStoreCAPath() {
        return this.alternativeTrustStoreCAPath;
    }
    public String getAlternativeTrustStoreCAPassword() {
        return this.alternativeTrustStoreCAPassword;
    }
    public String getAlternativeTrustStoreCAType() {
        return this.alternativeTrustStoreCAType;
    }
    public boolean isRejectsCertificateWithoutCA() {
        return this.rejectsCertificateWithoutCA;
    }
    
    public String getTrustStoreSignerPath() {
        return this.trustStoreSignerPath;
    }
    public String getTrustStoreSignerPassword() {
        return this.trustStoreSignerPassword;
    }
    public String getTrustStoreSignerType() {
        return this.trustStoreSignerType;
    }
    public String getAliasCertificateSigner() {
        return this.aliasCertificateSigner;
    }   
    
    public boolean isNonce() {
        return this.nonce;
    }
    
    public List<CertificateSource> getResponderUrlSource() {
        return this.responderUrlSource;
    }
    public List<String> getAlternativeResponderUrl() {
        return this.alternativeResponderUrl;
    }
    public List<String> getAlternativeResponderUrlCA() {
        return this.alternativeResponderUrlCA;
    }
    public boolean isRejectsCertificateWithoutResponderUrl() {
        return this.rejectsCertificateWithoutResponderUrl;
    }
    public boolean isRejectsCAWithoutResponderUrl() {
        return this.rejectsCAWithoutResponderUrl;
    }
    public List<OCSPResponseCode> getResponderBreakStatus() {
        return this.responderBreakStatus;
    }
    public List<Integer> getResponderReturnCodeOk() {
        return this.responderReturnCodeOk;
    }
    
    public List<ExtendedKeyUsage> getExtendedKeyUsageRequired() {
        return this.extendedKeyUsageRequired;
    }
        
    public int getReadTimeout() {
        return this.readTimeout;
    }
    public int getConnectTimeout() {
        return this.connectTimeout;
    }

    public boolean isExternalResourcesHostnameVerifier() {
        return this.externalResourcesHostnameVerifier;
    }
    public boolean isExternalResourcesTrustAllCerts() {
        return this.externalResourcesTrustAllCerts;
    }
    public String getExternalResourcesTrustStorePath() {
        return this.externalResourcesTrustStorePath;
    }
    public String getExternalResourcesTrustStorePassword() {
        return this.externalResourcesTrustStorePassword;
    }
    public String getExternalResourcesTrustStoreType() {
        return this.externalResourcesTrustStoreType;
    }
    
    public String getExternalResourcesKeyStorePath() {
        return this.externalResourcesKeyStorePath;
    }
    public String getExternalResourcesKeyStorePassword() {
        return this.externalResourcesKeyStorePassword;
    }
    public String getExternalResourcesKeyStoreType() {
        return this.externalResourcesKeyStoreType;
    }
    public String getExternalResourcesKeyAlias() {
        return this.externalResourcesKeyAlias;
    }
    public String getExternalResourcesKeyPassword() {
        return this.externalResourcesKeyPassword;
    }
    
    public String getExternalResourcesUsername() {
        return this.externalResourcesUsername;
    }
    public String getExternalResourcesPassword() {
        return this.externalResourcesPassword;
    }

    public String getForwardProxyUrl() {
        return this.forwardProxyUrl;
    }
    public String getForwardProxyHeader() {
        return this.forwardProxyHeader;
    }
    public String getForwardProxyQueryParameter() {
        return this.forwardProxyQueryParameter;
    }
    public boolean isForwardProxyBase64() {
        return this.forwardProxyBase64;
    }
    
    public SecureRandomAlgorithm getSecureRandomAlgorithm() {
        return this.secureRandomAlgorithm;
    }
    
    public int getResponseCheckDateToleranceMilliseconds() {
        return this.responseCheckDateToleranceMilliseconds;
    }
    
    public boolean isCrlSigningCertCheck() {
        return this.crlSigningCertCheck;
    }
    
    public boolean isCrlCaCheck() {
        return this.crlCaCheck;
    }
    
    public boolean isCrl() {
        return this.crl;
    }

    public List<CertificateSource> getCrlSource() {
        return this.crlSource;
    }

    public List<String> getCrlAlternative() {
        return this.crlAlternative;
    }
    
    public boolean isRejectsCertificateWithoutCRL() {
        return this.rejectsCertificateWithoutCRL;
    }
    public boolean isRejectsCAWithoutCRL() {
        return this.rejectsCAWithoutCRL;
    }
    
    public List<CertificateSource> getCrlTrustStoreSource() {
        return this.crlTrustStoreSource;
    }

    public String getAlternativeTrustStoreCRLPath() {
        return this.alternativeTrustStoreCRLPath;
    }

    public String getAlternativeTrustStoreCRLPassword() {
        return this.alternativeTrustStoreCRLPassword;
    }

    public String getAlternativeTrustStoreCRLType() {
        return this.alternativeTrustStoreCRLType;
    }

    
    protected OCSPConfig(String id, Properties p, Logger log) throws UtilsException {
        this.id = id;
        
        if(log!=null) {
            // nop
        }
        
        if(p==null || p.isEmpty()) {
            throw new UtilsException("Properties '"+OCSPCostanti.PROPERTY_PREFIX+id+".*' undefined");
        }
        
        this.type = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_TYPE, true);    
        this.label = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_LABEL, true);  
        
        this.certificateChainVerify = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CERTIFICATE_CHAIN_VERIFY, false, true);    
        
        this.checkValidity = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CHECK_VALIDITY, false, true);   
        this.checkCAValidity = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CHECK_CA_VALIDITY, false, true);  
        
        this.caSource = getCertificateSourceProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CA_SOURCE, true, null);
        
        this.alternativeTrustStoreCAPath = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CA_ALTERNATIVE_TRUST_STORE, false);  
        if(this.alternativeTrustStoreCAPath!=null && StringUtils.isNotEmpty(this.alternativeTrustStoreCAPath)) {
            this.alternativeTrustStoreCAPassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CA_ALTERNATIVE_TRUST_STORE_PASSWORD, true);  
            this.alternativeTrustStoreCAType = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CA_ALTERNATIVE_TRUST_STORE_TYPE, false);
            if(this.alternativeTrustStoreCAType==null || StringUtils.isEmpty(this.alternativeTrustStoreCAType)) {
                this.alternativeTrustStoreCAType = KeystoreType.JKS.getNome();
            }
        }
        
        this.rejectsCertificateWithoutCA = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CA_NOT_FOUD_REJECTS_CERTIFICATE, false, true);    
        
        this.trustStoreSignerPath = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_SIGNER_TRUST_STORE, false); 
        if(this.trustStoreSignerPath!=null && StringUtils.isNotEmpty(this.trustStoreSignerPath)) {
            this.trustStoreSignerPassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_SIGNER_TRUST_STORE_PASSWORD, true); 
            this.trustStoreSignerType = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_SIGNER_TRUST_STORE_TYPE, false);
            if(this.trustStoreSignerType==null || StringUtils.isEmpty(this.trustStoreSignerType)) {
                this.trustStoreSignerType = KeystoreType.JKS.getNome();
            }
        }
        
        String prefix = "Property '"+OCSPCostanti.PROPERTY_PREFIX+id+".";
        
        this.aliasCertificateSigner = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_SIGNER_ALIAS, false); 
        if(
                (this.aliasCertificateSigner!=null && StringUtils.isNotEmpty(this.aliasCertificateSigner))
                &&
                (this.trustStoreSignerPath==null || StringUtils.isEmpty(this.trustStoreSignerPath))
            ){
            throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_SIGNER_ALIAS+"' require property '"+
                    OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_SIGNER_TRUST_STORE+"'");
        }
        
        this.nonce = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_NONCE_ENABLED, false, true);
        
        this.crl=getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ENABLED, false, false);
        
        if(this.crl) {
            this.responderUrlSource = getCertificateSourceProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_SOURCE, false, null);
        }
        else {
            this.responderUrlSource = getCertificateSourceProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_SOURCE, true, null);
        }
        if(this.responderUrlSource!=null && this.responderUrlSource.contains(CertificateSource.CONFIG)) {
            throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_URL_SOURCE+"' declare unsupported '"+CertificateSource.CONFIG+"' mode");
        }
        
        this.alternativeResponderUrl = getListProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_ALTERNATIVE, false, null);
        this.alternativeResponderUrlCA = getListProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_ALTERNATIVE_CA, false, null);
        this.rejectsCertificateWithoutResponderUrl = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_NOT_FOUND_REJECTS_CERTIFICATE, false, true);    
        this.rejectsCAWithoutResponderUrl = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_NOT_FOUND_REJECTS_CA, false, false); 
        this.responderBreakStatus = getOCSPResponseCodeProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_BREAK_STATUS, false, null); 
        this.responderReturnCodeOk = getListIntProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_URL_RETURN_CODE_OK, false, null);
        
        // fondamentale per prevenire attacchi man in the middle (siamo in http) firmando con un altro certificato rilasciato dalla CA, non adibito a firmare risposte OCSP
        List<ExtendedKeyUsage> extendedKeyUsageRequiredDefault = new ArrayList<>();
        extendedKeyUsageRequiredDefault.add(ExtendedKeyUsage.OCSP_SIGNING);
        this.extendedKeyUsageRequired = getExtendedKeyUsageProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_EXTENDED_KEY_USAGE, extendedKeyUsageRequiredDefault);
        
        this.readTimeout = getIntProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_READ_TIMEOUT, false, 15000); /** HttpUtilities.HTTP_READ_CONNECTION_TIMEOUT); */
        this.connectTimeout = getIntProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CONNECT_TIMEOUT, false, HttpUtilities.HTTP_CONNECTION_TIMEOUT);
        
        this.externalResourcesHostnameVerifier = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_HOSTNAME_VERIFIER, false, true);  
        this.externalResourcesTrustAllCerts = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_TRUST_ALL_CERTS, false, false);  
        this.externalResourcesTrustStorePath = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_TRUST_STORE, false);   
        if(this.externalResourcesTrustStorePath!=null && StringUtils.isNotEmpty(this.externalResourcesTrustStorePath)) {
            this.externalResourcesTrustStorePassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_TRUST_STORE_PASSWORD, true);   
            this.externalResourcesTrustStoreType = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_TRUST_STORE_TYPE, false);
            if(this.externalResourcesTrustStoreType==null || StringUtils.isEmpty(this.externalResourcesTrustStoreType)) {
                this.externalResourcesTrustStoreType = KeystoreType.JKS.getNome();
            }
        }
        
        this.externalResourcesKeyStorePath = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_KEY_STORE, false);   
        if(this.externalResourcesKeyStorePath!=null && StringUtils.isNotEmpty(this.externalResourcesKeyStorePath)) {
            this.externalResourcesKeyStorePassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_KEY_STORE_PASSWORD, true);   
            this.externalResourcesKeyStoreType = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_KEY_STORE_TYPE, false);
            if(this.externalResourcesKeyStoreType==null || StringUtils.isEmpty(this.externalResourcesKeyStoreType)) {
                this.externalResourcesKeyStoreType = KeystoreType.JKS.getNome();
            }
            
            this.externalResourcesKeyPassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_KEY_PASSWORD, true);  
            this.externalResourcesKeyAlias = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_HTTPS_KEY_ALIAS, false);   
        }
        
        this.externalResourcesUsername = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_USERNAME, false);  
        if(this.externalResourcesUsername!=null && StringUtils.isNotEmpty(this.externalResourcesUsername)) {
            this.externalResourcesPassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_PASSWORD, false);  
        }
        
        this.forwardProxyUrl = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_URL, false);   
        if(this.forwardProxyUrl!=null && StringUtils.isNotEmpty(this.forwardProxyUrl)) {
            this.forwardProxyHeader = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_HEADER, false); 
            this.forwardProxyQueryParameter = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_QUERY_PARAMETER, false);
            if(this.forwardProxyHeader==null && this.forwardProxyQueryParameter==null) {
                throw new UtilsException("ForwardProxy property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_URL+"' require '"+
                        OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_HEADER+"' o '"+
                        OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_QUERY_PARAMETER+"'");
            }
            this.forwardProxyBase64 = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_FORWARD_PROXY_BASE64, false, true);
        }

        String tmp = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_SECURE_RANDOM_ALGORITHM, false);
        if(tmp!=null && StringUtils.isNotEmpty(tmp)) {
            try {
                this.secureRandomAlgorithm = SecureRandomAlgorithm.valueOf(tmp);
            }catch(Exception t) {
                throw new UtilsException("SecureRandomAlgorithm property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_SECURE_RANDOM_ALGORITHM+"' invalid (found value:["+tmp+"]): "+t.getMessage(),t);
            }
        }
        if( this.secureRandomAlgorithm == null) {
            this.secureRandomAlgorithm = SecureRandomAlgorithm.SHA1PRNG;
        }
        
        int defaultTolerance = 1000 * 60 * 10; // 10 minuti
        this.responseCheckDateToleranceMilliseconds = getIntProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_RESPONSE_DATE_TOLERANCE_MS, false, defaultTolerance);

        this.crlSigningCertCheck=getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_SIGNING_CERT_CHECK, false, false);
        
        this.crlCaCheck=getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_CA_CHECK, false, true);
        
        //this.crl=getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ENABLED, false, false); spostato sopra
        
        if(this.crl || this.crlSigningCertCheck || this.crlCaCheck) {
            
            List<CertificateSource> defaultValue = new ArrayList<>();
            defaultValue.add(CertificateSource.AUTHORITY_INFORMATION_ACCESS);
            
            this.crlSource = getCertificateSourceProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_SOURCE, false, defaultValue);
            if(this.crlSource == null || this.crlSource.isEmpty()) {
                throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_CRL_SOURCE+"' is empty");
            }
            if(this.crlSigningCertCheck && !this.crlSource.contains(CertificateSource.AUTHORITY_INFORMATION_ACCESS)) {
                throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_CRL_SIGNING_CERT_CHECK+"' require mode '"+
                        CertificateSource.AUTHORITY_INFORMATION_ACCESS+"' defined in property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_CRL_SOURCE+"'");
            }
            if(this.crlCaCheck && !this.crlSource.contains(CertificateSource.AUTHORITY_INFORMATION_ACCESS)) {
                throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_CRL_CA_CHECK+"' require mode '"+
                        CertificateSource.AUTHORITY_INFORMATION_ACCESS+"' defined in property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+OCSPCostanti.PROPERTY_SUFFIX_CRL_SOURCE+"'");
            }
            
            this.crlAlternative = getListProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ALTERNATIVE, false, null);
            
            this.rejectsCertificateWithoutCRL = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_NOT_FOUND_REJECTS_CERTIFICATE, false, false);    
            this.rejectsCAWithoutCRL = getBooleanProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_NOT_FOUND_REJECTS_CA, false, false);  
                        
            this.crlTrustStoreSource = getCertificateSourceProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_TRUSTSTORE_SOURCE, false, defaultValue);
            if(this.crlTrustStoreSource == null || this.crlTrustStoreSource.isEmpty()) {
                throw new UtilsException(prefix+OCSPCostanti.PROPERTY_SUFFIX_CRL_TRUSTSTORE_SOURCE+"' is empty");
            }
            
            this.alternativeTrustStoreCRLPath = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ALTERNATIVE_TRUST_STORE, false);    
            if(this.alternativeTrustStoreCRLPath!=null && StringUtils.isNotEmpty(this.alternativeTrustStoreCRLPath)) {
                this.alternativeTrustStoreCRLPassword = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ALTERNATIVE_TRUST_STORE_PASSWORD, true);    
                this.alternativeTrustStoreCRLType = getProperty(id, p, OCSPCostanti.PROPERTY_SUFFIX_CRL_ALTERNATIVE_TRUST_STORE_TYPE, false);
                if(this.alternativeTrustStoreCRLType==null || StringUtils.isEmpty(this.alternativeTrustStoreCRLType)) {
                    this.alternativeTrustStoreCRLType = KeystoreType.JKS.getNome();
                }
            }
        }

    }
    
    private static String getProperty(String id, Properties p, String name, boolean required) throws UtilsException {
        String tmp = p.getProperty(name);
        if(tmp!=null) {
            return tmp.trim();
        }
        else {
            if(required) {
                throw new UtilsException("Property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' notFound");
            }
            return null;
        }
    }
    private static boolean getBooleanProperty(String id, Properties p, String name, boolean required, boolean defaultValue) throws UtilsException {
        String tmp = getProperty(id, p, name, required);
        if(tmp!=null && StringUtils.isNotEmpty(tmp)) {
            try {
                return Boolean.valueOf(tmp);
            }catch(Exception t) {
                throw new UtilsException("Boolean property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+tmp+"]): "+t.getMessage(),t);
            }
        }
        return defaultValue;
    }
    private static int getIntProperty(String id, Properties p, String name, boolean required, int defaultValue) throws UtilsException {
        String tmp = getProperty(id, p, name, required);
        if(tmp!=null && StringUtils.isNotEmpty(tmp)) {
            try {
                return Integer.valueOf(tmp);
            }catch(Exception t) {
                throw new UtilsException("Boolean property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+tmp+"]): "+t.getMessage(),t);
            }
        }
        return defaultValue;
    }
    private static List<String> getListProperty(String id, Properties p, String name, boolean required, List<String> defaultValue) throws UtilsException {
        String tmp = getProperty(id, p, name, required);
        if(tmp!=null && StringUtils.isNotEmpty(tmp)) {
            try {
                List<String> l = new ArrayList<>();
                String [] tmpArray = tmp.split(",");
                if(tmpArray==null || tmpArray.length<=0) {
                    throw new UtilsException("Undefined value");
                }
                for (String s : tmpArray) {
                    if(s!=null && StringUtils.isNotEmpty(s.trim())) {
                        l.add(s.trim());
                    }
                }
                return l;
            }catch(Exception t) {
                throw new UtilsException("CertificateSource property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+tmp+"]): "+t.getMessage(),t);
            }
        }
        return defaultValue;
    }
    private static List<Integer> getListIntProperty(String id, Properties p, String name, boolean required, List<Integer> defaultValue) throws UtilsException {
        List<String> l = getListProperty(id, p, name, required, null);
        if(l==null || l.isEmpty()) {
            return defaultValue;
        }
        List<Integer> lCS = new ArrayList<>();
        for (String certificateSource : l) {
            try {
                int c = Integer.parseInt(certificateSource);
                lCS.add(c);
            }catch(Exception t) {
                throw new UtilsException("CertificateSource property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+certificateSource+"]): "+t.getMessage(),t);
            }
        }
        return lCS;
    }
    private static List<CertificateSource> getCertificateSourceProperty(String id, Properties p, String name, boolean required, List<CertificateSource> defaultValue) throws UtilsException {
        List<String> l = getListProperty(id, p, name, required, null);
        if(l==null || l.isEmpty()) {
            return defaultValue;
        }
        List<CertificateSource> lCS = new ArrayList<>();
        for (String certificateSource : l) {
            try {
                CertificateSource c = CertificateSource.valueOf(certificateSource.toUpperCase());
                lCS.add(c);
            }catch(Exception t) {
                throw new UtilsException("CertificateSource property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+certificateSource+"]): "+t.getMessage(),t);
            }
        }
        if(lCS.isEmpty()) {
            return defaultValue;
        }
        return lCS;
    }
    private static List<OCSPResponseCode> getOCSPResponseCodeProperty(String id, Properties p, String name, boolean required, List<OCSPResponseCode> defaultValue) throws UtilsException {
        List<String> l = getListProperty(id, p, name, required, null);
        if(l==null || l.isEmpty()) {
            return defaultValue;
        }
        List<OCSPResponseCode> lCS = new ArrayList<>();
        for (String certificateSource : l) {
            try {
                OCSPResponseCode c = OCSPResponseCode.valueOf(certificateSource.toUpperCase());
                lCS.add(c);
            }catch(Exception t) {
                throw new UtilsException("OCSPResponseCode property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+certificateSource+"]): "+t.getMessage(),t);
            }
        }
        if(lCS.isEmpty()) {
            return defaultValue;
        }
        return lCS;
    }
    private static List<ExtendedKeyUsage> getExtendedKeyUsageProperty(String id, Properties p, String name, List<ExtendedKeyUsage> defaultValue) throws UtilsException {
        
        String tmp = getProperty(id, p, name, false);
        if(tmp!=null && "".equals(tmp)) {
            // non si vuole attuare alcun controllo
            return new ArrayList<>();
        }
        
        List<String> l = getListProperty(id, p, name, false, null);
        if(l==null || l.isEmpty()) {
            return defaultValue;
        }
        List<ExtendedKeyUsage> lCS = new ArrayList<>();
        for (String e : l) {
            try {
                ExtendedKeyUsage c = ExtendedKeyUsage.valueOf(e.toUpperCase());
                lCS.add(c);
            }catch(Exception t) {
                throw new UtilsException("ExtendedKeyUsage property '"+OCSPCostanti.PROPERTY_PREFIX+id+"."+name+"' invalid (found value:["+e+"]): "+t.getMessage(),t);
            }
        }
        if(lCS.isEmpty()) {
            return defaultValue;
        }
        return lCS;
    }
    
    
}