package org.glite.security.trustmanager;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.glite.security.util.DN;
import org.glite.security.util.DNHandler;

/* loaded from: input_file:org/glite/security/trustmanager/ProxyCertPathValidator.class */
public class ProxyCertPathValidator {
    private static final Logger LOGGER = Logger.getLogger(ProxyCertPathValidator.class.getName());
    Vector trustAnchors;
    CRLCertChecker crlChecker = null;
    CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC");

    public ProxyCertPathValidator(Vector vector) throws CertificateException, NoSuchProviderException {
        this.trustAnchors = vector;
    }

    public void setCRLChecker(CRLCertChecker cRLCertChecker) {
        this.crlChecker = cRLCertChecker;
    }

    public void check(X509Certificate[] x509CertificateArr) throws CertPathValidatorException, CertificateException {
        Vector vector = new Vector();
        for (X509Certificate x509Certificate : x509CertificateArr) {
            vector.add(this.certFact.generateCertificate(new BufferedInputStream(new ByteArrayInputStream(x509Certificate.getEncoded()))));
        }
        X509Certificate[] x509CertificateArr2 = (X509Certificate[]) vector.toArray(new X509Certificate[0]);
        if (LOGGER.isDebugEnabled()) {
            for (int i = 0; i < x509CertificateArr2.length; i++) {
                LOGGER.debug("input path cert type: " + x509CertificateArr2[i].getClass().getName() + " DN [" + x509CertificateArr2[i].getSubjectDN() + "]");
            }
        }
        int length = x509CertificateArr2.length;
        LOGGER.debug("path len is " + length);
        if (length == 0) {
            LOGGER.error("No certificate given to check");
            throw new CertPathValidatorException("No certificate given to check");
        }
        X509Certificate x509Certificate2 = x509CertificateArr2[length - 1];
        DN issuer = DNHandler.getIssuer(x509Certificate2);
        DN subject = DNHandler.getSubject(x509Certificate2);
        if (issuer.equals(subject)) {
            length--;
            LOGGER.debug("cert " + subject + " considered as CA cert (came with the chain from client)");
            if (length == 0) {
                TrustAnchor[] findCA = findCA(subject);
                TrustAnchor trustAnchor = null;
                int i2 = 0;
                while (true) {
                    if (i2 >= findCA.length) {
                        break;
                    }
                    if (findCA[i2].getTrustedCert().equals(x509Certificate2)) {
                        trustAnchor = findCA[i2];
                        break;
                    }
                    i2++;
                }
                if (trustAnchor == null) {
                    LOGGER.error("A self signed cert [" + subject + "] given, but not found among CAs, rejecting");
                    throw new CertPathValidatorException("A self signed cert [" + subject + "] given, but not found among CAs, rejecting");
                }
                try {
                    x509Certificate2.checkValidity();
                    LOGGER.info("certificate path for " + subject + " is valid");
                    return;
                } catch (CertificateException e) {
                    LOGGER.info("the CA Certificate " + subject + " expired on " + x509Certificate2.getNotAfter());
                    throw new CertificateExpiredException("the CA Certificate " + DNHandler.getSubject(x509Certificate2) + " expired on " + x509Certificate2.getNotAfter());
                }
            }
        }
        LOGGER.debug("Checking for expiration in the chain");
        for (int i3 = 0; i3 < x509CertificateArr2.length; i3++) {
            try {
                x509CertificateArr2[i3].checkValidity();
            } catch (CertificateExpiredException e2) {
                LOGGER.info("the Certificate for " + DNHandler.getSubject(x509CertificateArr2[i3]) + " expired on " + x509CertificateArr2[i3].getNotAfter());
                throw new CertificateExpiredException("the Certificate for " + DNHandler.getSubject(x509CertificateArr2[i3]) + " expired on " + x509CertificateArr2[i3].getNotAfter());
            } catch (CertificateNotYetValidException e3) {
                LOGGER.info("the Certificate for " + DNHandler.getSubject(x509CertificateArr2[i3]) + " will only be valid after " + x509CertificateArr2[i3].getNotBefore());
                throw new CertificateExpiredException("the Certificate for " + DNHandler.getSubject(x509CertificateArr2[i3]) + " will only be valid after " + x509CertificateArr2[i3].getNotBefore());
            }
        }
        X509Certificate x509Certificate3 = x509CertificateArr2[length - 1];
        boolean z = false;
        DN issuer2 = DNHandler.getIssuer(x509Certificate3);
        DN subject2 = DNHandler.getSubject(x509Certificate3);
        TrustAnchor[] findCA2 = findCA(issuer2);
        LOGGER.debug("found " + findCA2.length + " CAs that match, cheking which to use");
        boolean z2 = false;
        Exception exc = null;
        for (TrustAnchor trustAnchor2 : findCA2) {
            try {
                try {
                    z = checkLastAnchor(x509Certificate3, trustAnchor2);
                    z2 = true;
                } catch (Exception e4) {
                    if (e4 instanceof CRLException) {
                        throw ((CRLException) e4);
                    }
                    exc = e4;
                }
            } catch (CRLException e5) {
                LOGGER.info("Certificate for [" + subject2 + "] revoked by [" + issuer2 + "], rejecting it");
                throw new CertPathValidatorException(e5.getMessage());
            }
        }
        if (!z2) {
            if (exc != null) {
                LOGGER.error("While checking against CA [" + issuer2 + "] got exception" + exc);
                throw new CertPathValidatorException("While checking against CA [" + issuer2 + "] got exception " + exc + " " + exc.getMessage());
            }
            LOGGER.info("CA cert [" + issuer2 + "] not found, rejecting certificate for [" + subject2 + "]");
            throw new CertPathValidatorException("CA cert [" + issuer2 + "] not found, rejecting certificate for [" + subject2 + "]");
        }
        LOGGER.debug("checking the rest of the chain");
        try {
            for (int i4 = length - 1; i4 > 0; i4--) {
                z = checkCertificatePair(x509CertificateArr2[i4 - 1], x509CertificateArr2[i4], z);
            }
            LOGGER.debug("certificate path for " + DNHandler.getSubject(x509CertificateArr2[0]) + " is valid");
        } catch (CertPathValidatorException e6) {
            LOGGER.info(e6.getMessage());
            throw e6;
        } catch (CertificateException e7) {
            LOGGER.info(e7.getMessage());
            throw e7;
        }
    }

    public void checkSignature(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException, CertificateException {
        LOGGER.debug("Checking the signature");
        PublicKey publicKey = x509Certificate2.getPublicKey();
        LOGGER.debug("Sub cert is " + x509Certificate.getClass().getName());
        try {
            x509Certificate.verify(publicKey);
        } catch (InvalidKeyException e) {
            LOGGER.info("Invalid public key in \"" + x509Certificate2.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage());
            throw new CertificateException("Invalid public key in \"" + x509Certificate2.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage());
        } catch (NoSuchAlgorithmException e2) {
            LOGGER.info("Invalid signature algorithm in \"" + x509Certificate.getSubjectDN().toString() + "\" error was " + e2.getClass().getName() + ":" + e2.getMessage());
            throw new CertificateException("Invalid signature algorithm in \"" + x509Certificate.getSubjectDN().toString() + "\" error was " + e2.getClass().getName() + ":" + e2.getMessage());
        } catch (NoSuchProviderException e3) {
            LOGGER.error("Internal error, no crypto provider found. Error was " + e3.getClass().getName() + ":" + e3.getMessage());
            throw new CertificateException("Internal error, no crypto provider found. Error was " + e3.getMessage());
        } catch (SignatureException e4) {
            LOGGER.info("invalid signature in " + x509Certificate.getSubjectDN().toString());
            throw new CertPathValidatorException("invalid signature in " + x509Certificate.getSubjectDN().toString());
        }
    }

    public boolean checkCertificatePair(X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z) throws CertPathValidatorException, CertificateException {
        LOGGER.debug("Checking a cert pair");
        checkSignature(x509Certificate, x509Certificate2);
        DN issuer = DNHandler.getIssuer(x509Certificate);
        DN subject = DNHandler.getSubject(x509Certificate2);
        LOGGER.debug("Checking DN match");
        if (!issuer.equals(subject)) {
            LOGGER.info("cert issuer DN (" + issuer + ") - Issuer subject DN (" + subject + ") mismatch subject was ");
            throw new CertPathValidatorException("cert issuer DN (" + issuer + ") - Issuer subject DN (" + subject + ") mismatch subject was ");
        }
        if (!z) {
            LOGGER.debug("Certificate for \"" + DNHandler.getSubject(x509Certificate) + "\" is OK");
            return x509Certificate.getVersion() == 1 || x509Certificate.getBasicConstraints() == -1;
        }
        LOGGER.debug("Checkin that " + DNHandler.getSubject(x509Certificate2) + " matches end of " + DNHandler.getSubject(x509Certificate) + " because either constraints were true [" + z + "] or signer basicContraints was equal to -1 [" + x509Certificate2.getBasicConstraints() + "]");
        checkDNRestriction(x509Certificate, x509Certificate2);
        return true;
    }

    public boolean checkLastAnchor(X509Certificate x509Certificate, TrustAnchor trustAnchor) throws CertPathValidatorException, CertificateException, CRLException {
        LOGGER.debug("Checkin last cert and anchor");
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        boolean checkCertificatePair = checkCertificatePair(x509Certificate, trustedCert, false);
        if (this.crlChecker != null) {
            this.crlChecker.check(x509Certificate, null);
        }
        LOGGER.debug("Certificate for \"" + DNHandler.getSubject(x509Certificate) + "\" is validly issued by CA \"" + DNHandler.getSubject(trustedCert) + "\"");
        return checkCertificatePair;
    }

    public TrustAnchor[] findCA(DN dn) throws CertPathValidatorException, CertificateParsingException {
        Iterator it = this.trustAnchors.iterator();
        Vector vector = new Vector();
        boolean z = false;
        while (it.hasNext()) {
            TrustAnchor trustAnchor = (TrustAnchor) it.next();
            DN subject = DNHandler.getSubject(trustAnchor.getTrustedCert());
            if (subject.equals(dn)) {
                try {
                    trustAnchor.getTrustedCert().checkValidity();
                    vector.add(trustAnchor);
                } catch (CertificateExpiredException e) {
                    z = true;
                    LOGGER.warn("The CA certificate for " + subject + " has expired, update or remove it!");
                } catch (CertificateNotYetValidException e2) {
                    z = true;
                    LOGGER.warn("The CA certificate for " + subject + " is not yet valid!");
                }
            }
        }
        TrustAnchor[] trustAnchorArr = new TrustAnchor[0];
        if (vector.size() > 0) {
            if (z) {
                LOGGER.warn("Remove expired duplicate certificate(s) for CA " + dn);
            }
            return (TrustAnchor[]) vector.toArray(trustAnchorArr);
        }
        if (z) {
            LOGGER.error("The CA certificate for " + dn + " has expired or is not yet valid, update or remove it!");
        }
        LOGGER.info("No CA named \"" + dn + "\" could be found");
        throw new CertPathValidatorException("No CA named \"" + dn + "\" could be found");
    }

    public X509Certificate[] getCACerts() {
        Iterator it = this.trustAnchors.iterator();
        Vector vector = new Vector();
        while (it.hasNext()) {
            vector.add(((TrustAnchor) it.next()).getTrustedCert());
        }
        LOGGER.debug("getCACerts: returning " + vector.size() + " ca certs");
        return (X509Certificate[]) vector.toArray(new X509Certificate[0]);
    }

    public void checkDNRestriction(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertificateException {
        LOGGER.debug("Checking dn restriction");
        DN subject = DNHandler.getSubject(x509Certificate);
        DN subject2 = DNHandler.getSubject(x509Certificate2);
        try {
            if (!subject.withoutLastCN(false).equals(subject2)) {
                throw new CertificateException("The DN [" + subject + "] doesn't end with [" + subject2 + "] as required for proxy certs");
            }
        } catch (Exception e) {
            LOGGER.info("Error while cheking naming constrainst between sub [" + subject + "] and signer [" + subject2 + " error: " + e + e.getMessage());
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("StackTrace: ", e);
            }
            if (!(e instanceof CertificateException)) {
                throw new CertificateException("Error while cheking naming constrainst between sub [" + subject + "] and signer [" + subject2 + "] error: " + e + e.getMessage());
            }
            throw ((CertificateException) e);
        }
    }
}
