package org.glite.security.trustmanager;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Properties;
import java.util.Timer;
import java.util.TimerTask;
import java.util.Vector;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import org.apache.log4j.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PasswordFinder;
import org.glite.security.util.CaseInsensitiveProperties;
import org.glite.security.util.DNHandler;
import org.glite.security.util.FileCertReader;

/* loaded from: input_file:org/glite/security/trustmanager/ContextWrapper.class */
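/**
 * Builds and holds an {@link SSLContext} configured from glite trustmanager properties.
 * <p>
 * Identity key managers come either from the credential files named in the configuration
 * (through {@link UpdatingKeyManager}) or from a certificate chain and private key handed in
 * directly. Trust comes either from {@link #CA_FILES} ("old way": a {@link CRLFileTrustManager}
 * fed with file based CRLs that are refreshed on a timer) or from {@link #TRUSTSTORE_DIR}
 * ("new way": an {@link OpensslTrustmanager}). One instance serves either client sockets or
 * server sockets, never both.
 * <p>
 * Boolean-valued keys ({@link #WANT_LOG4J_SETUP}, {@link #CRL_ENABLED}, {@link #CRL_REQUIRED})
 * are all read the same way: a value whose trimmed, lower-cased form starts with 'f' or 'n'
 * ("false", "no") is false, anything else is true.
 */
public class ContextWrapper implements SSLContextWrapper {
    // ---- configuration keys ------------------------------------------------------------
    public static final String CREDENTIALS_PROXY_FILE = "gridProxyFile";
    public static final String CREDENTIALS_UPDATE_INTERVAL = "credentialsUpdateInterval";
    public static final String CREDENTIALS_CERT_FILE = "sslCertFile";
    public static final String CREDENTIALS_KEY_FILE = "sslKey";
    public static final String CREDENTIALS_KEY_PASSWD = "sslKeyPasswd";
    public static final String CREDENTIALS_STORE_FILE = "sslCertStore";
    public static final String CREDENTIALS_STORE_TYPE = "sslCertStoreType";
    public static final String CREDENTIALS_STORE_PASSWD = "sslCertStorePasswd";
    /** CA certificate file pattern; when set, the file based ("old way") trust manager is used. */
    public static final String CA_FILES = "sslCAFiles";
    public static final String CA_STORE_FILE = "sslCAStore";
    public static final String CA_STORE_TYPE = "sslCAStoreType";
    public static final String CA_STORE_PASSWD = "sslCAStorePasswd";
    public static final String CRL_FILES = "crlFiles";
    /** Only consulted for the file based trust manager; the trust directory one always checks CRLs. */
    public static final String CRL_ENABLED = "crlEnabled";
    /** Whether a missing CRL is a failure; false only for values starting with 'f' or 'n'. */
    public static final String CRL_REQUIRED = "crlRequired";
    /** Refresh interval, parsed by {@link #getIntervalSecs(String)}; below one second disables the loop. */
    public static final String CRL_UPDATE_INTERVAL = "crlUpdateInterval";
    public static final String LOG_CONF_FILE = "log4jConfFile";
    public static final String LOG_FILE = "logFile";
    public static final String SSL_PROTOCOL = "sslProtocol";
    /** If set, the configuration is loaded from this file instead of the given properties. */
    public static final String CONF_FILE = "sslConfigFile";
    public static final String SSL_TIMEOUT_SETTING = "sslTimeout";
    public static final String CONNECT_TIMEOUT = "sslConnectTimeout";
    /** Presence of this key (any value) skips the validity check of the own credential chain. */
    public static final String OVERRIDE_EXPIRATION_CHECK_ON_INIT = "internalOverrideExpirationCheck";
    public static final String GRID_PROXY_STREAM = "gridProxyStream";

    // ---- defaults ----------------------------------------------------------------------
    public static final String KEYSTORE_TYPE_DEFAULT = "JKS";
    public static final String CRL_UPDATE_INTERVAL_DEFAULT = "0";
    public static final String CRL_REQUIRED_DEFAULT = "true";
    /**
     * Historical default protocol. TLSv1 is no longer considered adequate; deployments
     * should set {@link #SSL_PROTOCOL} to a current TLS version their JVM supports.
     */
    public static final String SSL_PROTOCOL_DEFAULT = "TLSv1";
    public static final String CRL_ENABLED_DEFAULT = "true";
    public static final String CREDENTIALS_UPDATE_INTERVAL_DEAFULT = "0 s";
    public static final String CA_FILES_DEFAULT = "/etc/grid-security/certificates/*.0";
    public static final String CRL_FILES_DEFAULT = "/etc/grid-security/certificates/*.r0";
    public static final String TIMEOUT_DEFAULT = "60000";
    /**
     * Password of the in-memory keystore built in {@link #initKeyManagers(X509Certificate[], PrivateKey)}.
     * That store is never written to disk, so this value protects nothing and is not a secret.
     */
    public static final String INT_KEYSTORE_PASSWD = "internal";
    public static final String TRUSTSTORE_DIR = "trustStoreDir";
    public static final String TRUSTSTORE_DIR_DEFAULT = "/etc/grid-security/certificates";
    public static final String HOSTNAME_CHECK = "hostnameCheck";
    public static final String WANT_LOG4J_SETUP = "wantLog4jSetup";
    public static final String WANT_LOG4J_SETUP_DEFAULT = "true";
    public static final String HOSTNAME_CHECK_DEFAULT = "true";

    /** Effective configuration: loaded from {@link #CONF_FILE} when set, otherwise a copy of the given properties. */
    public CaseInsensitiveProperties config;
    SSLContext sslContext;
    static final Logger LOGGER = Logger.getLogger(ContextWrapper.class.getName());
    /** Never assigned in this class; only read in {@link #loadConfig(Properties, boolean)}. */
    private static boolean s_loggerConfigured = false;
    public KeyManager[] identityKeyManagers = null;
    /** Trust anchors of the file based trust manager (elements are {@link TrustAnchor}); null in trust directory mode. */
    public Vector trustAnchors = null;
    /** Not written by this class; kept for API compatibility. */
    public Vector crls = null;
    public FileCertReader certReader = null;
    /** Set in "old way" ({@link #CA_FILES}) mode, otherwise null. */
    public CRLFileTrustManager trustManager = null;
    /** Set in "new way" ({@link #TRUSTSTORE_DIR}) mode, otherwise null. */
    public OpensslTrustmanager m_trustmanager = null;
    public boolean overrideExpirationCheck = false;
    /** Daemon timer of the CRL refresh loop, null until started and after {@link #stop()}. */
    Timer crlTimer = null;
    SSLServerSocketFactory serverSocketFactory = null;
    SSLSocketFactory socketFactory = null;

    /** Timer task that re-reads the CRLs on the {@link #CRL_UPDATE_INTERVAL} schedule. */
    public class RefreshCRLs extends TimerTask {
        RefreshCRLs() {
        }

        /**
         * Runs one CRL refresh. Failures are logged together with their cause and never
         * propagate: an exception escaping here would kill the Timer thread and silently
         * end all future refreshes.
         */
        @Override
        public void run() {
            LOGGER.debug("refreshing CRLs.\n");
            try {
                updateCRLs();
            } catch (Exception e) {
                LOGGER.fatal("The CRL updating failed", e);
            }
        }
    }

    /**
     * Creates a wrapper from the given properties, reading credentials from the configured files.
     *
     * @param properties the configuration (or a {@link #CONF_FILE} pointer to it)
     * @param z          whether log4j may be configured from the properties
     */
    public ContextWrapper(Properties properties, boolean z) throws IOException, GeneralSecurityException {
        loadConfig(properties, z);
        init(null, null, null);
    }

    /** Same as {@link #ContextWrapper(Properties, boolean)} with log4j setup allowed. */
    public ContextWrapper(Properties properties) throws IOException, GeneralSecurityException {
        loadConfig(properties, true);
        init(null, null, null);
    }

    /**
     * Creates a wrapper that uses the given certificate chain and private key as identity
     * instead of the credential files named in the configuration.
     */
    public ContextWrapper(Properties properties, X509Certificate[] x509CertificateArr, PrivateKey privateKey) throws IOException, GeneralSecurityException {
        loadConfig(properties, true);
        init(null, x509CertificateArr, privateKey);
    }

    /** Creates a wrapper whose credential key password is obtained through {@code passwordFinder}. */
    public ContextWrapper(Properties properties, PasswordFinder passwordFinder) throws IOException, GeneralSecurityException {
        loadConfig(properties, true);
        init(passwordFinder, null, null);
    }

    /**
     * Loads the effective configuration and optionally configures log4j.
     * <p>
     * If {@code properties} names a {@link #CONF_FILE}, the configuration is read from that file
     * (and only from it); otherwise {@code properties} is copied. The presence of
     * {@link #OVERRIDE_EXPIRATION_CHECK_ON_INIT} switches the credential validity check off.
     *
     * @param properties the caller supplied properties
     * @param z          whether log4j setup is allowed at all; it additionally requires
     *                   {@link #WANT_LOG4J_SETUP} not to be false
     * @throws FileNotFoundException if the configuration file does not exist
     * @throws IOException           if the configuration file cannot be read
     */
    public void loadConfig(Properties properties, boolean z) throws FileNotFoundException, IOException {
        String confFile = properties.getProperty(CONF_FILE);
        if (confFile != null) {
            this.config = new CaseInsensitiveProperties();
            FileInputStream in = new FileInputStream(confFile);
            try {
                this.config.load(in);
            } finally {
                closeQuietly(in);
            }
        } else {
            this.config = new CaseInsensitiveProperties(properties);
        }
        if (this.config.getProperty(OVERRIDE_EXPIRATION_CHECK_ON_INIT) != null) {
            this.overrideExpirationCheck = true;
        }
        boolean wantLog4jSetup = parseFlag(this.config.getProperty(WANT_LOG4J_SETUP, WANT_LOG4J_SETUP_DEFAULT));
        if (!s_loggerConfigured && z && wantLog4jSetup) {
            Log4jConfigurator.configure(this.config.getProperty(LOG_CONF_FILE), this.config.getProperty(LOG_FILE));
        }
    }

    /** Returns the initialized context, or null before {@link #init} has completed. */
    public SSLContext getContext() {
        return this.sslContext;
    }

    /**
     * Returns the (lazily created, cached) server socket factory.
     *
     * @throws SSLException if this wrapper already handed out a client socket factory
     */
    @Override
    public SSLServerSocketFactory getServerSocketFactory() throws SSLException {
        if (this.socketFactory != null) {
            LOGGER.fatal("Trying to use a client-use ContextWrapper to create server socket factory");
            throw new SSLException("Trying to use a client-use ContextWrapper to create server socket factory");
        }
        if (this.serverSocketFactory == null) {
            this.serverSocketFactory = this.sslContext.getServerSocketFactory();
        }
        return this.serverSocketFactory;
    }

    /**
     * Returns the (lazily created, cached) client socket factory, wrapped so that the
     * configured timeouts apply.
     *
     * @throws SSLException if this wrapper already handed out a server socket factory
     */
    @Override
    public SSLSocketFactory getSocketFactory() throws SSLException {
        if (this.serverSocketFactory != null) {
            LOGGER.fatal("Trying to use a server-use ContextWrapper to create client socket factory");
            throw new SSLException("Trying to use a server-use ContextWrapper to create client socket factory");
        }
        if (this.socketFactory == null) {
            this.socketFactory = new TimeoutSSLSocketFactory(this.sslContext.getSocketFactory(), this.config);
        }
        return this.socketFactory;
    }

    /**
     * Initializes key managers, trust managers and the {@link SSLContext}, then starts the
     * CRL refresh loop.
     * <p>
     * Either both {@code x509CertificateArr} and {@code privateKey} are given (they become the
     * identity) or both are null (credentials are read from the configured files, using
     * {@code passwordFinder} for the key password).
     *
     * @throws CertificateException     if exactly one of chain and key is given, or credentials are invalid
     * @throws GeneralSecurityException if the key store, key manager or context cannot be built
     * @throws IOException              if credential, CA or CRL files cannot be read (a
     *                                  {@link ParseException} from the CRL setup is reported as IOException)
     */
    public void init(PasswordFinder passwordFinder, X509Certificate[] x509CertificateArr, PrivateKey privateKey) throws CertificateException, GeneralSecurityException, IOException {
        this.certReader = new FileCertReader();
        try {
            if (x509CertificateArr == null && privateKey == null) {
                initKeyManagers(passwordFinder);
            } else if (x509CertificateArr == null || privateKey == null) {
                LOGGER.fatal("Internal error: either certificate chain or private key of credentials is not defined");
                throw new CertificateException("Internal error: either certificate chain or private key of credentials is not defined");
            } else {
                initKeyManagers(x509CertificateArr, privateKey);
            }
            TrustManager[] trustManagers = initTrustManagers();
            String protocol = this.config.getProperty(SSL_PROTOCOL, SSL_PROTOCOL_DEFAULT);
            LOGGER.debug("Using transport protocol: " + protocol);
            this.sslContext = SSLContext.getInstance(protocol);
            LOGGER.debug("Actually using transport protocol: " + this.sslContext.getProtocol());
            this.sslContext.init(this.identityKeyManagers, trustManagers, new SecureRandom());
            startCRLLoop();
        } catch (IOException e) {
            LOGGER.fatal("ContextWrapper initialization failed: " + e.getMessage());
            throw e;
        } catch (GeneralSecurityException e) {
            LOGGER.fatal("ContextWrapper initialization failed: " + e.getMessage());
            throw e;
        } catch (ParseException e) {
            LOGGER.fatal("ContextWrapper initialization failed: " + e.getMessage());
            throw new IOException("ContextWrapper initialization failed: " + e.getMessage());
        }
    }

    /**
     * Chooses and builds the trust manager: the file based {@link CRLFileTrustManager} when
     * {@link #CA_FILES} is set, otherwise an {@link OpensslTrustmanager} over {@link #TRUSTSTORE_DIR}.
     * Exactly one of {@link #trustManager} and {@link #m_trustmanager} is set afterwards.
     */
    private TrustManager[] initTrustManagers() throws IOException, GeneralSecurityException, ParseException {
        String caFiles = this.config.getProperty(CA_FILES);
        LOGGER.debug("sslCAFiles is " + caFiles);
        if (caFiles != null) {
            LOGGER.debug("old way with sslCAFiles=" + caFiles);
            initTrustAnchors();
            this.trustManager = new CRLFileTrustManager(this.trustAnchors);
            return new TrustManager[] { this.trustManager };
        }
        String trustDir = this.config.getProperty(TRUSTSTORE_DIR, TRUSTSTORE_DIR_DEFAULT);
        boolean crlRequired = parseFlag(this.config.getProperty(CRL_REQUIRED, CRL_REQUIRED_DEFAULT));
        LOGGER.debug("new way with trust dir: " + trustDir);
        this.m_trustmanager = OpensslTrustmanagerFactory.getTrustmanager(null, trustDir, crlRequired, this.config);
        return new TrustManager[] { this.m_trustmanager };
    }

    /**
     * Creates the identity key manager from the configured credential files and verifies that
     * the credential chain is currently valid (unless {@link #overrideExpirationCheck}).
     *
     * @param passwordFinder supplier of the private key password, may be null
     * @throws CertificateException     if no credentials are found or the chain is expired / not yet valid
     * @throws NoSuchAlgorithmException if the key manager cannot be created
     */
    public void initKeyManagers(PasswordFinder passwordFinder) throws CertificateException, NoSuchAlgorithmException {
        try {
            LOGGER.debug("ContextHandler.initKeyManagers");
            UpdatingKeyManager keyManager = new UpdatingKeyManager(this.config, passwordFinder);
            this.identityKeyManagers = new KeyManager[] { keyManager };
            String[] aliases = keyManager.getClientAliases("RSA", null);
            if (aliases == null || aliases.length == 0) {
                aliases = keyManager.getServerAliases("RSA", null);
            }
            if (aliases == null || aliases.length == 0) {
                throw new CertificateException("No credentials found");
            }
            X509Certificate[] chain = keyManager.getCertificateChain(aliases[0]);
            if (chain == null || chain.length == 0) {
                throw new CertificateException("No certificate chain found for credential alias " + aliases[0]);
            }
            checkChainValidity(chain, "cert file was " + keyManager.m_credentialFile);
        } catch (NoSuchAlgorithmException e) {
            LOGGER.fatal("Internal error: while reading credentials " + e.getMessage(), e);
            throw e;
        } catch (CertificateException e) {
            LOGGER.fatal("The credentials reading failed:  " + e.getMessage());
            throw e;
        }
    }

    /**
     * Creates the identity key manager from an in-memory chain and key: they are put into a
     * transient {@link #KEYSTORE_TYPE_DEFAULT} store that a {@code SunX509} factory reads.
     *
     * @throws CertificateException     if chain or key is missing, the chain is not currently valid,
     *                                  or the store cannot be populated (wraps {@link KeyStoreException}
     *                                  and {@link UnrecoverableKeyException})
     * @throws NoSuchAlgorithmException if the store type or factory algorithm is unavailable
     * @throws IOException              if the empty store cannot be initialized
     */
    public void initKeyManagers(X509Certificate[] x509CertificateArr, PrivateKey privateKey) throws CertificateException, NoSuchAlgorithmException, IOException {
        try {
            if (x509CertificateArr == null || x509CertificateArr.length == 0 || privateKey == null) {
                throw new CertificateException("Internal error: either certificate chain or private key of credentials is not defined");
            }
            checkChainValidity(x509CertificateArr, "from given certificate chain");
            LOGGER.debug("ContextHandler.initKeyManagers(chain, key)");
            KeyManagerFactory factory = KeyManagerFactory.getInstance("SunX509");
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE_DEFAULT);
            keyStore.load(null, null);
            keyStore.setKeyEntry("identity", privateKey, INT_KEYSTORE_PASSWD.toCharArray(), x509CertificateArr);
            factory.init(keyStore, INT_KEYSTORE_PASSWD.toCharArray());
            this.identityKeyManagers = factory.getKeyManagers();
        } catch (IOException e) {
            LOGGER.fatal("The credentials loading from given cert chain and private key failed:  " + e.getMessage());
            throw e;
        } catch (KeyStoreException e) {
            LOGGER.fatal("The keystore creation from given cert chain and private key failed:  " + e.getMessage());
            throw new CertificateException(e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            LOGGER.fatal("The credentials creation from given cert chain and private key failed:  " + e.getMessage());
            throw e;
        } catch (UnrecoverableKeyException e) {
            LOGGER.fatal("Internal error while loading credentials:  " + e.getMessage());
            throw new CertificateException(e.getMessage());
        } catch (CertificateException e) {
            LOGGER.fatal("The credentials creation from given cert chain and private key failed:  " + e.getMessage());
            throw e;
        }
    }

    /**
     * Checks every certificate of the own credential chain for expiry, unless
     * {@link #overrideExpirationCheck} is set. The rethrown exception names the subject and
     * {@code source} so the operator can tell which file or chain is at fault.
     */
    private void checkChainValidity(X509Certificate[] chain, String source) throws CertificateException, NoSuchAlgorithmException {
        if (this.overrideExpirationCheck) {
            return;
        }
        for (int i = 0; i < chain.length; i++) {
            try {
                chain[i].checkValidity();
            } catch (CertificateExpiredException e) {
                throw new CertificateExpiredException("Certificate for " + DNHandler.getSubject(chain[i]).getRFCDN() + ", " + source + ": " + e.getMessage());
            } catch (CertificateNotYetValidException e) {
                throw new CertificateNotYetValidException("Certificate for " + DNHandler.getSubject(chain[i]).getRFCDN() + ", " + source + ": " + e.getMessage());
            }
        }
    }

    /**
     * Fills {@link #trustAnchors} for the file based trust manager, from a {@link #CA_STORE_FILE}
     * key store when configured, otherwise from the {@link #CA_FILES} pattern.
     *
     * @throws IOException          if nothing could be read or no CA certificate was found
     * @throws KeyStoreException    if the key store cannot be opened
     * @throws CertificateException if a certificate cannot be parsed or the store algorithm is unavailable
     */
    void initTrustAnchors() throws KeyStoreException, IOException, CertificateException {
        try {
            String storeFile = this.config.getProperty(CA_STORE_FILE);
            if (storeFile != null) {
                this.trustAnchors = readAnchorsFromStore(storeFile);
                if (this.trustAnchors.isEmpty()) {
                    throw new IOException("No CA certificates found in store \"" + storeFile + "\"");
                }
            } else {
                String caFiles = this.config.getProperty(CA_FILES, CA_FILES_DEFAULT);
                this.trustAnchors = this.certReader.readAnchors(caFiles);
                if (this.trustAnchors == null || this.trustAnchors.isEmpty()) {
                    throw new IOException("No CA files found matching \"" + caFiles);
                }
            }
        } catch (NoSuchAlgorithmException e) {
            LOGGER.fatal("The trusted certificate authority certificates reading failed:  " + e.getMessage());
            throw new CertificateException("The trusted certificate authority certificates reading failed:  " + e.toString());
        } catch (CertificateException e) {
            LOGGER.fatal("The trusted certificate authority certificates reading failed:  " + e.getMessage());
            throw e;
        } catch (IOException e) {
            LOGGER.fatal("The trusted certificate authority certificates reading failed:  " + e.getMessage());
            throw new IOException("The trusted certificate authority certificates reading failed:  " + e.toString());
        } catch (KeyStoreException e) {
            LOGGER.fatal("The trusted certificate authority certificates reading failed:  " + e.getMessage());
            throw new KeyStoreException("The trusted certificate authority certificates reading failed:  " + e.toString());
        }
    }

    /**
     * Reads every X.509 certificate of the key store at {@code storeFile} into a new vector of
     * {@link TrustAnchor}s. Entries that carry no X.509 certificate are skipped with a warning.
     * Without a {@link #CA_STORE_PASSWD} the store is loaded with a null password, i.e. its
     * integrity is not verified; this is logged as a warning.
     */
    private Vector readAnchorsFromStore(String storeFile) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        String storeType = this.config.getProperty(CA_STORE_TYPE, KEYSTORE_TYPE_DEFAULT);
        String storePasswd = this.config.getProperty(CA_STORE_PASSWD);
        char[] password;
        if (storePasswd == null) {
            LOGGER.warn("No " + CA_STORE_PASSWD + " configured, integrity of the CA store " + storeFile + " is not verified");
            password = null;
        } else {
            password = storePasswd.toCharArray();
        }
        KeyStore keyStore = KeyStore.getInstance(storeType);
        FileInputStream in = new FileInputStream(storeFile);
        try {
            keyStore.load(in, password);
        } finally {
            closeQuietly(in);
        }
        Vector anchors = new Vector();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = keyStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) cert, null));
            } else {
                LOGGER.warn("Skipping CA store entry \"" + alias + "\" in " + storeFile + ": not an X.509 certificate");
            }
        }
        return anchors;
    }

    /**
     * Loads the CRLs once and, if that succeeded and {@link #CRL_UPDATE_INTERVAL} is at least
     * one second, starts a daemon timer that repeats it. Does nothing when the file based trust
     * manager is in use with {@link #CRL_ENABLED} false, or when the loop is already running.
     */
    void startCRLLoop() throws CertificateException, IOException, ParseException {
        boolean crlsEnabled = this.trustManager == null
                || parseFlag(this.config.getProperty(CRL_ENABLED, CRL_ENABLED_DEFAULT));
        if (!crlsEnabled || this.crlTimer != null) {
            return;
        }
        if (!updateCRLs()) {
            return;
        }
        long intervalSecs = getIntervalSecs(this.config.getProperty(CRL_UPDATE_INTERVAL, CRL_UPDATE_INTERVAL_DEFAULT));
        if (intervalSecs < 1) {
            LOGGER.debug("The CRL update interval is less than 1 second, update loop not started. Value was: " + intervalSecs);
            return;
        }
        this.crlTimer = new Timer("ContextWrapper-CRL-refresh", true);
        this.crlTimer.schedule(new RefreshCRLs(), intervalSecs * 1000, intervalSecs * 1000);
    }

    /**
     * Refreshes the CRLs. In trust directory mode this delegates to
     * {@link OpensslTrustmanager#checkUpdate()}; in file mode the {@link #CRL_FILES} are read,
     * those not verifiably signed by a trust anchor are dropped, and the remainder is installed
     * as a new {@link CRLCertChecker}.
     *
     * @return true if a checker was installed (or the trust directory manager was refreshed),
     *         false if no CRL files are configured or none passed verification
     * @throws SecurityException    if no trust manager has been initialized yet
     * @throws IOException          if the CRL files cannot be read
     * @throws CertificateException if a CRL cannot be parsed
     */
    boolean updateCRLs() throws CertificateException, IOException, ParseException {
        if (this.trustManager == null && this.m_trustmanager == null) {
            LOGGER.fatal("Trying to set CRLs in uninitialized ContextWrapper");
            throw new SecurityException("Trying to set CRLs in uninitialized ContextWrapper");
        }
        if (this.m_trustmanager != null) {
            this.m_trustmanager.checkUpdate();
            return true;
        }
        String crlFiles = this.config.getProperty(CRL_FILES, CRL_FILES_DEFAULT);
        if (crlFiles == null) {
            return false;
        }
        try {
            Vector verified = checkCRLs(this.certReader.readCRLs(crlFiles));
            if (verified.isEmpty()) {
                // The previously installed checker (if any) stays in place.
                LOGGER.warn("No valid CRLs found matching " + crlFiles + ", CRL checker not updated");
                return false;
            }
            boolean crlRequired = parseFlag(this.config.getProperty(CRL_REQUIRED, CRL_REQUIRED_DEFAULT));
            this.trustManager.setChecker(new CRLCertChecker(verified, crlRequired));
            return true;
        } catch (IOException e) {
            String message = crlErrorMessage(crlFiles, e);
            LOGGER.fatal(message);
            throw new IOException(message);
        } catch (CertificateException e) {
            String message = crlErrorMessage(crlFiles, e);
            LOGGER.fatal(message);
            throw new CertificateException(message);
        }
    }

    /** Builds the CRL read failure message, naming the pattern and the working directory it was resolved against. */
    private static String crlErrorMessage(String crlFiles, Exception cause) {
        return "Error while setting CRLs. Tried to read " + crlFiles + " with current path "
                + System.getProperty("user.dir") + " error was " + cause.toString();
    }

    /**
     * Removes from {@code vector} every {@link X509CRL} that is not signed by a trust anchor
     * whose subject equals the CRL issuer; rejections are logged at error level.
     *
     * @param vector the CRLs to filter; modified in place
     * @return the same vector
     * @throws SecurityException if {@link #trustAnchors} has not been initialized
     */
    Vector checkCRLs(Vector vector) throws SecurityException {
        if (this.trustAnchors == null) {
            LOGGER.fatal("Trying to check CRLs without setting trustanchors first");
            throw new SecurityException("Trying to check CRLs without setting trustanchors first");
        }
        Iterator crlIterator = vector.iterator();
        while (crlIterator.hasNext()) {
            X509CRL crl = (X509CRL) crlIterator.next();
            if (!isSignedByTrustAnchor(crl)) {
                LOGGER.error("Rejecting a CRL from " + crl.getIssuerX500Principal() + " because corresponding ca not found or invalid signature");
                crlIterator.remove();
            }
        }
        return vector;
    }

    /**
     * Returns true if some trust anchor's certificate has the CRL's issuer as subject and
     * verifies the CRL signature. Anchors matching by name but failing the signature are
     * logged and the search continues with the next anchor.
     */
    private boolean isSignedByTrustAnchor(X509CRL crl) {
        Iterator anchors = this.trustAnchors.iterator();
        while (anchors.hasNext()) {
            X509Certificate ca = ((TrustAnchor) anchors.next()).getTrustedCert();
            if (ca == null || !ca.getSubjectX500Principal().equals(crl.getIssuerX500Principal())) {
                continue;
            }
            try {
                crl.verify(ca.getPublicKey());
                return true;
            } catch (GeneralSecurityException e) {
                LOGGER.error("Invalid signature in CRL from " + crl.getIssuerX500Principal() + ": " + e.getMessage());
            }
        }
        return false;
    }

    /**
     * Parses an interval such as {@code "30 s"}, {@code "5m"}, {@code "2 h"} or {@code "1d"}
     * into seconds. A unit with no number ({@code "m"}) counts as one; a number of zero needs
     * no unit. Only the unit's first letter (case-insensitive) is significant.
     *
     * @throws IllegalArgumentException if the string is null, the unit is missing or not one of
     *                                  s, m, h, d, or the number does not fit a long
     */
    public static long getIntervalSecs(String str) {
        if (str == null) {
            throw new IllegalArgumentException("invalid unit definition: interval is null, should be a number followed by s, m, h or d");
        }
        int digits = 0;
        while (digits < str.length() && Character.isDigit(str.charAt(digits))) {
            digits++;
        }
        long amount;
        if (digits == 0) {
            amount = 1;
        } else {
            amount = Long.parseLong(str.substring(0, digits));
            if (amount == 0) {
                return 0L;
            }
        }
        String unit = str.substring(digits).trim().toLowerCase();
        if (unit.length() > 0) {
            switch (unit.charAt(0)) {
                case 's':
                    return amount;
                case 'm':
                    return amount * 60;
                case 'h':
                    return amount * 60 * 60;
                case 'd':
                    return amount * 24 * 60 * 60;
                default:
                    break;
            }
        }
        LOGGER.fatal("invalid time unit definition in \"" + str + "\" should start either with s, m, h or d");
        throw new IllegalArgumentException("invalid unit definition in \"" + str + "\" should start either with s, m, h or d");
    }

    /**
     * Returns the first identity key manager.
     *
     * @throws IllegalStateException if the key managers have not been initialized
     */
    public X509KeyManager getKeyManager() {
        if (this.identityKeyManagers == null || this.identityKeyManagers.length == 0) {
            throw new IllegalStateException("ContextWrapper key managers are not initialized");
        }
        return (X509KeyManager) this.identityKeyManagers[0];
    }

    /** Cancels the CRL refresh timer and stops the {@link UpdatingKeyManager}, if either is active. */
    public void stop() {
        if (this.crlTimer != null) {
            this.crlTimer.cancel();
            this.crlTimer = null;
        }
        if (this.identityKeyManagers != null && this.identityKeyManagers.length > 0
                && this.identityKeyManagers[0] instanceof UpdatingKeyManager) {
            ((UpdatingKeyManager) this.identityKeyManagers[0]).stop();
        }
    }

    /**
     * Interprets a boolean configuration value: false if its trimmed, lower-cased form starts
     * with 'f' or 'n' ("false", "no"), true otherwise (including null, as every default is "true").
     */
    private static boolean parseFlag(String value) {
        if (value == null) {
            return true;
        }
        String normalized = value.trim().toLowerCase();
        return !(normalized.startsWith("f") || normalized.startsWith("n"));
    }

    /** Closes the stream, logging rather than throwing so a close failure never masks the real error. */
    private static void closeQuietly(FileInputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            LOGGER.debug("Closing input stream failed: " + e.getMessage());
        }
    }

    static {
        if (Security.getProvider("BC") == null) {
            LOGGER.debug("ContextWrapper: bouncycastle provider set.");
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}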
