package edu.uiuc.ncsa.security.util.ssl;

import edu.uiuc.ncsa.security.core.util.IdentifierProvider;
import edu.uiuc.ncsa.security.core.util.MyLoggingFacade;
import edu.uiuc.ncsa.security.storage.sql.ConnectionPoolProvider;
import edu.uiuc.ncsa.security.util.pkcs.CertUtil;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import net.sf.json.util.JSONUtils;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;

/* loaded from: input_file:WEB-INF/lib/ncsa-security-util-3.2.1.jar:edu/uiuc/ncsa/security/util/ssl/MyTrustManager.class */
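/**
 * Server-side-only trust manager for grid/MyProxy style deployments.
 * <p>
 * A presented server chain is accepted when (1) it validates under PKIX against the
 * CA certificates read from {@link #getTrustRootPath()} (revocation checking is
 * disabled) and (2) the leaf certificate's subject CN matches either the CN of the
 * configured {@code serverDN} or the configured {@code host} (alternatively, a
 * dNSName subjectAltName entry may match {@code host}). Client certificates are
 * never accepted ({@link #checkClientTrusted} always throws).
 * <p>
 * Security caveats a deployer should know:
 * <ul>
 *   <li>Every parseable file in the trust-root directory becomes a trust anchor, and
 *       the directory is re-read on every handshake, so it must not be writable by
 *       untrusted users.</li>
 *   <li>With no trust-root path and {@link #setRequestTrustRoots(boolean) requestTrustRoots}
 *       enabled, the peer's own last chain certificate is used as the anchor, i.e. any
 *       well-formed chain is accepted. That mode exists only to bootstrap the real trust
 *       roots from a MyProxy server.</li>
 *   <li>Hostname matching is exact (case-insensitive); wildcard names are not supported.</li>
 * </ul>
 */
public class MyTrustManager implements X509TrustManager {
    boolean debugOn;
    boolean stackTracesOn;
    String serverDN;
    MyLoggingFacade logger;
    /** Conventional location of grid CA certificates; informational, not applied as a fallback. */
    public final String DEFAULT_TRUST_ROOT_PATH = "/etc/grid-security/certificates";
    String trustRootPath;
    boolean requestTrustRoots;
    String host;

    // Service prefixes allowed in front of the host name inside a CN ("<service>/<fqdn>").
    // NOTE(review): the decompiled bytecode resolves these through unrelated classes whose
    // constants carry the same string values; presumably "host" and "myproxy" -- confirm
    // against the original source before relying on the names here.
    private static final String HOST_SERVICE_PREFIX = ConnectionPoolProvider.HOST;
    private static final String SCHEME_SERVICE_PREFIX = IdentifierProvider.SCHEME;

    // GeneralName tag for dNSName entries in the subjectAltName extension (RFC 5280).
    private static final int SAN_DNS_NAME = 2;

    /**
     * Creates a trust manager with no expected server DN; only the host check applies.
     *
     * @param myLoggingFacade logger to use; may be null (one is created lazily)
     * @param str             trust-root directory, or null (see {@link #setRequestTrustRoots(boolean)})
     */
    public MyTrustManager(MyLoggingFacade myLoggingFacade, String str) {
        this(myLoggingFacade, str, null);
    }

    /**
     * @param myLoggingFacade logger to use; may be null (one is created lazily)
     * @param str             trust-root directory. A null value is kept as null -- it is NOT
     *                        replaced by {@link #DEFAULT_TRUST_ROOT_PATH} -- and, together with
     *                        {@code requestTrustRoots}, selects the trust-bootstrapping mode.
     * @param str2            expected server DN, or null to rely on the host check only
     */
    public MyTrustManager(MyLoggingFacade myLoggingFacade, String str, String str2) {
        this.debugOn = false;
        this.stackTracesOn = false;
        this.logger = myLoggingFacade;
        this.trustRootPath = str;
        this.serverDN = str2;
    }

    /** @return whether an expected server DN has been configured */
    public boolean hasServerDN() {
        return this.serverDN != null;
    }

    public String getServerDN() {
        return this.serverDN;
    }

    public void setServerDN(String str) {
        this.serverDN = str;
    }

    /** Returns the configured logger, creating a class-named one on first use. */
    public MyLoggingFacade getLogger() {
        if (this.logger == null) {
            this.logger = new MyLoggingFacade(MyTrustManager.class.getName());
            this.logger.setDebugOn(this.debugOn);
        }
        return this.logger;
    }

    public String getTrustRootPath() {
        return this.trustRootPath;
    }

    public void setTrustRootPath(String str) {
        this.trustRootPath = str;
    }

    public boolean isRequestTrustRoots() {
        return this.requestTrustRoots;
    }

    /**
     * Enables trust bootstrapping: when no trust-root path is configured, the last
     * certificate of the peer's chain is accepted as the trust anchor. Insecure except
     * for the initial retrieval of trust roots from a known MyProxy server.
     */
    public void setRequestTrustRoots(boolean z) {
        this.requestTrustRoots = z;
    }

    public String getHost() {
        return this.host;
    }

    /** Sets the host name the server certificate must be issued for. */
    public void setHost(String str) {
        this.host = str;
    }

    /** Writes a timestamped debug line to stdout and the logger when debugging is on. */
    void dbg(String msg) {
        if (this.debugOn) {
            String line = getClass().getName() + "(" + new Date() + "): " + msg;
            System.out.println(line);
            getLogger().info(line);
        }
    }

    /**
     * Loads every file in the trust-root directory and hands the contents to
     * {@link CertUtil#getX509CertsFromStringList} for parsing.
     * <p>
     * Returns {@code null} (not an empty array) when no path is configured, the path
     * is not a readable directory, or parsing fails; {@link #checkServerCertPath} relies
     * on that null to distinguish "no trust roots at all" from "trust roots present".
     * The directory is read afresh on every call, so each handshake hits the disk.
     *
     * @return the trusted CA certificates, or null
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        String rootPath = getTrustRootPath();
        if (rootPath == null) {
            dbg("cert dir path null. Aborting");
            return null;
        }
        File dir = new File(rootPath);
        if (!dir.isDirectory()) {
            dbg(" cert dir path is not a directory. Aborting.");
            return null;
        }
        String[] names = dir.list();
        if (names == null) {
            // list() returns null on an I/O error even for an existing directory.
            dbg(" cert dir could not be listed. Aborting.");
            return null;
        }
        String[] contents = new String[names.length];
        for (int i = 0; i < names.length; i++) {
            try {
                // readAllBytes reads the complete file and always closes it; the previous
                // available()/single-read() pair could yield a truncated buffer and leaked
                // the stream when reading failed.
                byte[] raw = Files.readAllBytes(new File(dir, names[i]).toPath());
                contents[i] = new String(raw, StandardCharsets.UTF_8);
            } catch (IOException | RuntimeException e) {
                // Unreadable entry (e.g. a subdirectory): its slot stays null so that
                // contents[] and names[] remain aligned for CertUtil, as before.
                dbg("Exception Reading issues " + e.getMessage());
            }
        }
        X509Certificate[] issuers = null;
        try {
            issuers = CertUtil.getX509CertsFromStringList(contents, names);
            dbg("Got " + issuers.length + " issuers.");
        } catch (Exception e) {
            if (this.stackTracesOn) {
                e.printStackTrace();
            }
            dbg("Exception getting issuers. Returning null. " + e.getMessage());
        }
        return issuers;
    }

    /** Client authentication is not supported by this trust manager: always rejects. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("checkClientTrusted not implemented by " + getClass().getName());
    }

    /**
     * Validates the server chain (PKIX) and then the leaf's identity (CN / SAN).
     *
     * @throws IllegalArgumentException if the chain is null or empty (X509TrustManager contract)
     * @throws CertificateException     if the chain or the server identity is not acceptable
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or empty server certificate chain");
        }
        checkServerCertPath(chain);
        checkServerDN(chain[0]);
    }

    /**
     * PKIX-validates {@code chain} against the accepted issuers.
     * <p>
     * Revocation checking is disabled, so a revoked server certificate is still
     * accepted. If no issuers are available and {@link #isRequestTrustRoots()} is set,
     * the chain's last certificate is used as the anchor (bootstrapping mode).
     *
     * @throws CertificateException on any validation failure, including unexpected
     *                              runtime failures inside the validator. Earlier revisions
     *                              swallowed every {@code Throwable} here, which let the
     *                              handshake continue on the name check alone.
     */
    protected void checkServerCertPath(X509Certificate[] chain) throws CertificateException {
        try {
            CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            X509Certificate[] issuers = getAcceptedIssuers();
            if (issuers == null) {
                String rootPath = getTrustRootPath();
                if (rootPath != null) {
                    throw new CertificateException("no CA certificates found in " + rootPath);
                }
                if (!isRequestTrustRoots()) {
                    throw new CertificateException("no CA certificates directory found");
                }
                // Bootstrapping: the peer's own top certificate becomes the anchor, so
                // any well-formed chain validates. Only acceptable while fetching the
                // real trust roots.
                getLogger().info("no trusted CAs configured -- bootstrapping trust from MyProxy server");
                issuers = new X509Certificate[]{chain[chain.length - 1]};
            }
            if (issuers.length == 0) {
                throw new CertificateException("no CA certificates found in " + getTrustRootPath());
            }
            Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(issuers.length);
            for (X509Certificate ca : issuers) {
                anchors.add(new TrustAnchor(ca, null));
            }
            PKIXParameters params = new PKIXParameters(anchors);
            // No CRL/OCSP lookups: revoked certificates are not detected.
            params.setRevocationEnabled(false);
            validator.validate(path, params);
        } catch (CertificateException e) {
            if (this.stackTracesOn) {
                e.printStackTrace();
            }
            throw e;
        } catch (GeneralSecurityException e) {
            if (this.stackTracesOn) {
                e.printStackTrace();
            }
            throw new CertificateException(e);
        } catch (RuntimeException e) {
            // Fail closed: an unexpected failure during validation must not be mistaken
            // for a successful validation.
            if (this.stackTracesOn) {
                e.printStackTrace();
            }
            throw new CertificateException("server certificate path validation failed unexpectedly", e);
        }
    }

    /**
     * Extracts the CN value from a DN string and strips an accepted service prefix
     * ({@code <service>/<fqdn>}).
     * <p>
     * This is a textual scan, not an RFC 2253 parse: it takes the first {@code CN=}
     * occurrence (which may sit inside another attribute's value), cuts at the first
     * comma (so an escaped comma in the CN truncates it) and at the first slash. It is
     * applied both to the certificate subject and to the configured server DN, which is
     * why a full DN parser is not used (the configured DN may be in OpenSSL slash form).
     *
     * @throws CertificateException if there is no CN or the service prefix is unknown
     */
    private String getCommonName(String dn) throws CertificateException {
        int cnStart = dn.indexOf("CN=");
        if (cnStart == -1) {
            throw new CertificateException("Server certificate subject (" + dn + ") does not contain a CN component.");
        }
        String cn = dn.substring(cnStart + 3);
        int comma = cn.indexOf(',');
        if (comma >= 0) {
            cn = cn.substring(0, comma);
        }
        int slash = cn.indexOf('/');
        if (slash >= 0) {
            String service = cn.substring(0, slash);
            cn = cn.substring(slash + 1);
            if (!service.equals(HOST_SERVICE_PREFIX) && !service.equals(SCHEME_SERVICE_PREFIX)) {
                dbg("common name =\"" + cn + "\" has unknown server element \"" + dn + "\"");
                throw new CertificateException("Server certificate subject CN contains unknown server element: " + dn);
            }
        }
        return cn;
    }

    /**
     * Checks that the leaf certificate was issued for this server.
     * <p>
     * Accepts when the subject CN equals the CN of the configured server DN (exact
     * match), or when the CN or a dNSName subjectAltName equals the configured host
     * (case-insensitive, no wildcards). A host of {@code "localhost"} is first replaced
     * by the local machine's resolved host name.
     *
     * @throws CertificateException if no host is configured or nothing matches
     */
    private void checkServerDN(X509Certificate cert) throws CertificateException {
        String commonName = getCommonName(cert.getSubjectX500Principal().getName());
        if (hasServerDN() && commonName.equals(getCommonName(getServerDN()))) {
            return;
        }
        String expected = getHost();
        if (expected == null) {
            // Previously a NullPointerException; make the misconfiguration explicit.
            throw new CertificateException("no server hostname configured to check certificate CN (" + commonName + ") against");
        }
        if (expected.equals("localhost")) {
            try {
                setHost(InetAddress.getLocalHost().getHostName());
                expected = getHost();
            } catch (UnknownHostException | SecurityException ignored) {
                // best effort: keep "localhost" if the local name cannot be resolved
            }
        }
        if (commonName.equalsIgnoreCase(expected)) {
            dbg("Success! common name =\"" + commonName + "\" matches host = \"" + this.host + "\"");
            return;
        }
        if (matchesDnsSubjectAltName(cert, expected)) {
            dbg("Success! subjectAltName dNSName matches host = \"" + this.host + "\"");
            return;
        }
        dbg("common name =\"" + commonName + "\" does not match host from reverse lookup = \"" + this.host + "\"");
        throw new CertificateException("Server certificate subject CN (" + commonName + ") does not match server hostname (" + this.host + ").");
    }

    /**
     * @return true if any dNSName entry of the subjectAltName extension equals
     *         {@code expectedHost} (case-insensitive). iPAddress entries and wildcard
     *         names are not considered; an unparseable extension counts as no match.
     */
    private boolean matchesDnsSubjectAltName(X509Certificate cert, String expectedHost) {
        Collection<List<?>> altNames;
        try {
            altNames = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            dbg("could not parse subjectAltName extension: " + e.getMessage());
            return false;
        }
        if (altNames == null) {
            return false;
        }
        for (List<?> entry : altNames) {
            if (entry.size() < 2 || !Integer.valueOf(SAN_DNS_NAME).equals(entry.get(0))) {
                continue;
            }
            Object value = entry.get(1);
            if (value instanceof String && expectedHost.equalsIgnoreCase((String) value)) {
                return true;
            }
        }
        return false;
    }
}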
