package org.glite.security.util;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import org.apache.log4j.Logger;
import org.glite.security.trustmanager.ContextWrapper;
import org.glite.security.util.namespace.EUGridNamespaceFormat;
import org.glite.security.util.namespace.LegacyNamespaceFormat;
import org.glite.security.util.namespace.NamespaceFormat;

/* loaded from: input_file:org/glite/security/util/FullTrustAnchor.class */
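public class FullTrustAnchor {
    private static final Logger LOGGER = Logger.getLogger(FullTrustAnchor.class);

    /** Ending of the IGTF-format namespace file ({@code <base>.namespaces}); tried first. */
    public static final String IGTF_NAMESPACE_ENDING = ".namespaces";
    /** Ending of the legacy Globus signing-policy file ({@code <base>.signing_policy}); the fallback. */
    public static final String GLOBUS_NAMESPACE_ENDING = ".signing_policy";
    /** Prefix of the CRL file ending; exposed for other classes, not used by this one. */
    public static final String CRL_FILE_ENDING_PREFIX = ".r";
    /** Property key whose value names the {@link RevocationChecker} implementation class to instantiate. */
    public static final String REVOCATION_CHECKER_CLASS = "revocationChecker";
    private static final String REVOCATION_CHECKER_CLASS_DEFAULT = "org.glite.security.util.FileCRLChecker";
    /** Position of the keyCertSign bit in the {@link X509Certificate#getKeyUsage()} array (RFC 5280 KeyUsage). */
    private static final int KEY_USAGE_KEY_CERT_SIGN = 5;

    static FileCertReader s_certReader;
    /** Hash part of the CA filename, as produced by {@link CAFilenameSplitter}. */
    public String m_caHash;
    /** Path prefix shared by the CA file ({@code <base>.<n>}) and the namespace files; also handed to the revocation checker. */
    public String m_baseFilename;
    /** Number part of the CA filename ({@code <base>.<n>}). */
    public int m_caNumber;
    /** The trust anchor certificate; only ever holds a certificate that passed {@link #validateCACert()}. */
    public X509Certificate m_caCert;
    /** Last-modified timestamp of the CA file when it was loaded; used by {@link #checkUpdate()} to detect changes. */
    public long m_caModified;
    /** Namespace restrictions; may be absent or only partially initialised when loading failed (see {@link #tryLoadNamespace}). */
    public NamespaceFormat m_namespace;
    /** Path of the namespace file currently in use (IGTF or legacy format). */
    public String m_namespaceFilename;
    /** Last-modified timestamp of the namespace file when it was loaded. */
    public long m_namespaceModified;
    /** Timestamp of the last update check; not written by this class, presumably maintained by the caller. */
    public long m_lastUpdateCheck;
    /** Revocation checker for this CA, or {@code null} if CRL checking is disabled or the checker could not be created. */
    public RevocationChecker m_revChecker;
    private String m_revCheckerClass;
    private CaseInsensitiveProperties m_props;
    /** Whether CRL checking is enabled (configuration property {@code ContextWrapper.CRL_ENABLED}; defaults to true). */
    public boolean m_crlEnabled = true;

    /**
     * Human-readable dump of the anchor state for logging.
     *
     * @return a multi-line description of hash, subject DN, timestamps, revocation checker and namespace.
     */
    public String toString() {
        StringBuilder out = new StringBuilder();
        out.append("TrustAnchor hash: ").append(this.m_caHash);
        out.append(" DN: ").append(DNHandler.getSubject(this.m_caCert).toString());
        out.append("\n modified: ").append(this.m_caModified);
        out.append("\n RevocationChecker: ").append(this.m_revChecker);
        out.append("\n nameSpace from " + this.m_namespaceFilename + ": ").append(this.m_namespace);
        out.append("\n namespace modified: ").append(this.m_namespaceModified);
        out.append("\n last update check: ").append(this.m_lastUpdateCheck);
        return out.toString();
    }

    /**
     * Loads a trust anchor from a CA file and its companion files.
     *
     * @param str the CA certificate filename ({@code <base>.<n>}); split by {@link CAFilenameSplitter}.
     * @param caseInsensitiveProperties configuration (CRL enable flag, revocation checker class); may be {@code null}.
     * @throws IOException if the filename is empty or a file cannot be read.
     * @throws CertificateException if the certificate cannot be parsed or is not an acceptable CA certificate.
     */
    public FullTrustAnchor(String str, CaseInsensitiveProperties caseInsensitiveProperties) throws IOException, CertificateException {
        initCAInfo(str, caseInsensitiveProperties);
    }

    /**
     * Does the actual initialisation: splits the filename, loads and validates the CA certificate,
     * then sets up the revocation checker and the namespace restrictions.
     */
    private void initCAInfo(String str, CaseInsensitiveProperties caseInsensitiveProperties) throws IOException, CertificateException {
        if (str == null || str.length() == 0) {
            throw new IOException("Can't initialize a trustanchor without filename.");
        }
        CAFilenameSplitter parts = CAFilenameSplitter.splitCAFilename(str);
        this.m_caHash = parts.m_hash;
        this.m_caNumber = parts.m_number;
        this.m_baseFilename = parts.m_baseFilename;
        this.m_props = caseInsensitiveProperties;

        loadCACert(this.m_baseFilename + "." + this.m_caNumber);
        // A certificate that is expired, not yet valid, not a CA, or not allowed to sign
        // certificates must never become a trust anchor.
        validateCACert();

        this.m_crlEnabled = readCrlEnabled(caseInsensitiveProperties);
        if (this.m_crlEnabled) {
            this.m_revCheckerClass = resolveRevocationCheckerClass(caseInsensitiveProperties);
            tryInitRevocationChecker();
        }
        tryLoadNamespace(this.m_baseFilename);
    }

    /**
     * Reads the CRL enable flag from configuration. Any value starting with "f" (false) or "n" (no)
     * disables CRL checking; a missing property or any other value leaves it enabled.
     */
    private static boolean readCrlEnabled(CaseInsensitiveProperties props) {
        if (props == null) {
            return true;
        }
        String property = props.getProperty(ContextWrapper.CRL_ENABLED);
        String value = property != null ? property.trim().toLowerCase() : "true";
        return !(value.startsWith("f") || value.startsWith("n"));
    }

    /** Returns the configured revocation checker class name, or the default when unset or empty. */
    private static String resolveRevocationCheckerClass(CaseInsensitiveProperties props) {
        String configured = props != null ? props.get(REVOCATION_CHECKER_CLASS) : null;
        if (configured == null || configured.length() < 1) {
            return REVOCATION_CHECKER_CLASS_DEFAULT;
        }
        return configured;
    }

    /**
     * Checks that {@link #m_caCert} is acceptable as a trust anchor: currently valid, carries the
     * BasicConstraints CA extension, and has the keyCertSign key-usage bit set.
     *
     * @throws CertificateExpiredException if the certificate has expired (message prefixed with the subject DN).
     * @throws CertificateNotYetValidException if the certificate is not yet valid (message prefixed with the subject DN).
     * @throws CertificateException if the CA basic constraints or the keyCertSign flag are missing.
     */
    private void validateCACert() throws CertificateException {
        try {
            this.m_caCert.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new CertificateExpiredException(DNHandler.getSubject(this.m_caCert).getRFCDN() + " " + e.getMessage());
        } catch (CertificateNotYetValidException e) {
            throw new CertificateNotYetValidException(DNHandler.getSubject(this.m_caCert).getRFCDN() + " " + e.getMessage());
        }
        // getBasicConstraints() returns -1 when the extension is absent or cA is false.
        if (this.m_caCert.getBasicConstraints() == -1) {
            String message = "The CA certificate " + DNHandler.getSubject(this.m_caCert).getRFCDN()
                    + " is an invalid CA as it doesn't have the required CA basic constraints extension.";
            LOGGER.error(message);
            throw new CertificateException(message);
        }
        boolean[] keyUsage = this.m_caCert.getKeyUsage();
        if (keyUsage == null || keyUsage.length <= KEY_USAGE_KEY_CERT_SIGN || !keyUsage[KEY_USAGE_KEY_CERT_SIGN]) {
            String message = "The CA certificate " + DNHandler.getSubject(this.m_caCert).getRFCDN()
                    + " is an invalid CA as it doesn't have the required keyCertSign flag set.";
            LOGGER.error(message);
            throw new CertificateException(message);
        }
    }

    /**
     * Instantiates the configured revocation checker by reflection. The class name comes from
     * configuration and is trusted as such; it must expose a
     * {@code (X509Certificate, String, int, CaseInsensitiveProperties)} constructor.
     * Failure is logged at WARN and leaves {@link #m_revChecker} {@code null}; whether certificates
     * from this CA are then refused is decided elsewhere, as the log message says.
     */
    private void tryInitRevocationChecker() {
        try {
            Class<?> checkerClass = Class.forName(this.m_revCheckerClass);
            this.m_revChecker = (RevocationChecker) checkerClass
                    .getConstructor(X509Certificate.class, String.class, Integer.TYPE, CaseInsensitiveProperties.class)
                    .newInstance(this.m_caCert, this.m_baseFilename, Integer.valueOf(this.m_caNumber), this.m_props);
        } catch (InvocationTargetException e) {
            // The constructor itself threw; report its message rather than the reflection wrapper's.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            LOGGER.warn("Certificate revocation checker creation for CA " + this.m_baseFilename + "." + this.m_caNumber + " failed, depending on configuration the certificates from the CA " + DNHandler.getSubject(this.m_caCert).getRFCDN() + " might be refused. Error was: " + cause.getMessage());
        } catch (Exception e2) {
            LOGGER.warn("Certificate revocation checker for CA " + this.m_baseFilename + "." + this.m_caNumber + " failed, depending on configuration the certificates from the CA " + DNHandler.getSubject(this.m_caCert).getRFCDN() + " might be refused. Error was: " + e2.getClass(), e2);
        }
    }

    /**
     * Reads the first certificate from the given file into {@link #m_caCert} and records the file's
     * modification time. Performs no CA validation; callers must follow up with {@link #validateCACert()}.
     *
     * @param str path of the CA certificate file.
     * @throws CertificateException if the file cannot be parsed or contains no certificate.
     * @throws IOException if the file cannot be read.
     */
    void loadCACert(String str) throws CertificateException, IOException {
        X509Certificate cert;
        try {
            cert = (X509Certificate) s_certReader.readCerts(str).get(0);
        } catch (IndexOutOfBoundsException e) {
            // A readable file that yields no certificate at all is a malformed CA file, not a crash.
            throw new CertificateException("No certificate found in CA file " + str, e);
        }
        this.m_caCert = cert;
        this.m_caModified = new File(str).lastModified();
    }

    /**
     * Reloads the CA certificate from a changed file, accepting it only if it passes the CA checks.
     * If validation fails the previously loaded certificate and timestamp are restored, so a bad
     * file on disk never replaces an anchor that was in use; the failure is re-thrown so the caller
     * sees it on every check until the file is fixed.
     */
    private void reloadCACert(File caFile) throws CertificateException, IOException {
        X509Certificate previousCert = this.m_caCert;
        long previousModified = this.m_caModified;
        loadCACert(caFile.getAbsolutePath());
        try {
            validateCACert();
        } catch (CertificateException e) {
            this.m_caCert = previousCert;
            this.m_caModified = previousModified;
            throw e;
        }
    }

    /**
     * Best-effort namespace loading. Any failure is logged at WARN (with stack trace when DEBUG is on)
     * and the CA is left without namespace restrictions, i.e. this path fails open.
     */
    void tryLoadNamespace(String str) {
        try {
            loadNamespace(str);
        } catch (Exception e) {
            String message = "Namespace restrictions loading for CA " + this.m_baseFilename + "." + this.m_caNumber + " failed, namespace is not restricted. Error was: " + e.getMessage();
            if (LOGGER.isDebugEnabled()) {
                LOGGER.warn(message, e);
            } else {
                LOGGER.warn(message);
            }
        }
    }

    /**
     * Loads the namespace restrictions: the IGTF {@code .namespaces} file if present and parseable,
     * otherwise the legacy {@code .signing_policy} file.
     * Note that the fields are assigned before parsing, so a failed legacy parse leaves
     * {@link #m_namespace} as a freshly constructed, unparsed {@link LegacyNamespaceFormat}.
     *
     * @param str the base filename (without ending).
     * @throws IOException if the legacy file cannot be read.
     * @throws ParseException if the legacy file cannot be parsed.
     */
    void loadNamespace(String str) throws IOException, ParseException {
        String igtfName = str + IGTF_NAMESPACE_ENDING;
        File igtfFile = new File(igtfName);
        if (igtfFile.exists()) {
            try {
                this.m_namespaceFilename = igtfName;
                this.m_namespace = new EUGridNamespaceFormat();
                this.m_namespace.parse(this.m_namespaceFilename);
                this.m_namespaceModified = igtfFile.lastModified();
                LOGGER.debug("loaded: " + this.m_namespaceFilename);
                return;
            } catch (ParseException e) {
                LOGGER.warn("Parsing of " + this.m_namespaceFilename + " failed! Falling back to the " + GLOBUS_NAMESPACE_ENDING + " file. Error was: " + e.getMessage());
            }
        }
        this.m_namespaceFilename = str + GLOBUS_NAMESPACE_ENDING;
        this.m_namespace = new LegacyNamespaceFormat();
        this.m_namespace.parse(this.m_namespaceFilename);
        this.m_namespaceModified = new File(this.m_namespaceFilename).lastModified();
        LOGGER.debug("loaded: " + this.m_namespaceFilename);
    }

    /**
     * Re-checks the on-disk files and reloads whatever changed: the CA certificate (re-validated
     * before it is accepted), the revocation data, and the namespace file.
     *
     * NOTE(review): the revocation checker keeps the certificate instance it was constructed with;
     * it is not re-created when the CA certificate is reloaded here.
     *
     * @throws CertificateNotFoundException if the CA file no longer exists.
     * @throws CertificateException wrapping any other failure during the update (cause preserved).
     * @throws IOException declared for callers; in practice I/O failures are wrapped in CertificateException.
     */
    public void checkUpdate() throws CertificateException, IOException, CertificateNotFoundException {
        try {
            File caFile = new File(this.m_baseFilename + "." + this.m_caNumber);
            if (!caFile.exists()) {
                throw new CertificateNotFoundException("The CA file " + caFile.getName() + " can't be found anymore.");
            }
            if (caFile.lastModified() != this.m_caModified) {
                LOGGER.debug("CA file changed, reloading it: " + caFile);
                reloadCACert(caFile);
            }
            if (this.m_revChecker != null) {
                this.m_revChecker.checkUpdate();
            } else if (this.m_crlEnabled) {
                // Earlier creation failed (e.g. CRL missing at start-up); keep trying on every check.
                tryInitRevocationChecker();
            }
            String igtfName = this.m_baseFilename + IGTF_NAMESPACE_ENDING;
            if (!igtfName.equals(this.m_namespaceFilename)) {
                // Legacy format (or nothing) in use: an IGTF file may have appeared since, so retry every time.
                LOGGER.debug("new format namespace found when old format used, trying to load new format: " + new File(igtfName).getName());
                tryLoadNamespace(this.m_baseFilename);
            } else {
                File namespaceFile = new File(this.m_namespaceFilename);
                if (namespaceFile.lastModified() != this.m_namespaceModified) {
                    LOGGER.debug("Namespace file changed, reloading it: " + namespaceFile.getName());
                    tryLoadNamespace(this.m_baseFilename);
                }
            }
        } catch (CertificateNotFoundException e) {
            throw e;
        } catch (Exception e2) {
            throw new CertificateException("Error loading a CA: " + e2.getMessage(), e2);
        }
    }

    static {
        try {
            s_certReader = new FileCertReader();
        } catch (CertificateException e) {
            // The reader cannot be set up without a working security provider; nothing in this class works then.
            throw new RuntimeException("Security provider initialization failed: " + e.getMessage(), e);
        }
    }
}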
