package net.sf.jguard.ext.authentication.loginmodules;

import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import net.sf.jguard.ext.SecurityConstants;
import net.sf.jguard.ext.authentication.certificates.CertUtils;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:WEB-INF/lib/jguard-ext-1.1.0-beta-4.jar:net/sf/jguard/ext/authentication/loginmodules/CRLLoginModule.class */
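/**
 * JAAS login module that extends {@link CertificateLoginModule} with PKIX certificate-path
 * validation and CRL-based revocation checking.
 * <p>
 * Once the parent module has accepted a client certificate chain, {@link #login()} builds a
 * {@link CertPath} from {@code certChainToCheck}, validates it against the configured trust
 * anchors (either a key store or a directory of trusted CA certificates) with a
 * {@link CertStore} that supplies CRLs from an LDAP server or from a local file / URL, and
 * finally records {@code SecurityConstants.SKIP_PASSWORD_CHECK} in the shared state.
 * <p>
 * Revocation checking is enabled by default. Setting the option
 * {@code SecurityConstants.CERT_PATH_REVOCATION_ENABLED} to {@code false} disables CRL
 * lookups entirely, so a revoked certificate would then pass this module.
 * <p>
 * Every failure on the validation path (no provider, no trust anchors, unbuildable path,
 * validator error) is reported as a {@link LoginException} so that the login fails closed
 * instead of surfacing a {@link NullPointerException} to the LoginContext.
 */
public class CRLLoginModule extends CertificateLoginModule implements LoginModule {
    /** {@code certStoreType} value selecting a {@link CollectionCertStoreParameters} store fed from file/URL CRLs. */
    private static final String COLLECTION = "Collection";
    /** {@code certStoreType} value selecting an {@link LDAPCertStoreParameters} store. */
    private static final String LDAP = "LDAP";
    /** Certificate-path validation algorithm name. */
    private static final String PKIX = "PKIX";
    /** Certificate factory type. */
    private static final String X_509 = "X.509";
    private static final Logger logger = Logger.getLogger(CRLLoginModule.class.getName());
    /** Shared state map handed over by the LoginContext; receives SKIP_PASSWORD_CHECK on success. */
    private Map sharedState;
    private String keyStorePath;
    private String keyStorePassword;
    private String keyStoreType;
    /** Whether {@link #initSecurityProvider()} has already succeeded in this JVM. */
    private static boolean securityProviderInitialized = false;
    // Kept for binary compatibility with the original (decompiler-generated) class layout; unused.
    static Class class$net$sf$jguard$ext$authentication$loginmodules$CRLLoginModule = CRLLoginModule.class;
    static Class class$org$bouncycastle$jce$provider$BouncyCastleProvider = BouncyCastleProvider.class;
    /** Trust anchors loaded from {@link #trustedCaCertsDirPath}; used only when no key store is configured. */
    private Set trustAnchors = null;
    private String trustedCaCertsDirPath = null;
    private CertPath certPath = null;
    /** When true, the PKIX validation result is dumped at FINEST level. */
    private boolean debug = false;
    /** JCE provider used for CertificateFactory, CertPathValidator and CertStore; BouncyCastle by default. */
    private Provider securityProvider = null;
    private String certStoreType = LDAP;
    private String ldapServerName = SecurityConstants.DEFAULT_RMI_REGISTRY_HOST;
    private int ldapServerPort = 389;
    private String fileCrlPath = null;
    private String urlCrlPath = null;
    private boolean anyPolicyInhibited = false;
    private boolean explicitPolicyRequired = false;
    private boolean policyMappingInhibited = false;
    private boolean policyQualifierRejected = true;
    /** Default true: CRL revocation status is checked. False skips revocation checking altogether. */
    private boolean revocationEnabled = true;
    private String sigProvider = null;

    /**
     * Reads the module options.
     *
     * @param subject         subject being authenticated
     * @param callbackHandler callback handler used by the parent module
     * @param map             shared state map
     * @param map2            module options; every value is read as a String. Recognised keys are
     *                        {@code debug} and the {@code SecurityConstants} keys used below.
     *                        Options that are absent keep the field defaults.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = map;
        if (!securityProviderInitialized) {
            securityProviderInitialized = initSecurityProvider();
        }
        this.debug = booleanOption(map2, "debug", this.debug);
        this.anyPolicyInhibited = booleanOption(map2, SecurityConstants.CERT_PATH_ANY_POLICY_INHIBITED, this.anyPolicyInhibited);
        this.explicitPolicyRequired = booleanOption(map2, SecurityConstants.CERT_PATH_EXPLICIT_POLICY_REQUIRED, this.explicitPolicyRequired);
        this.policyMappingInhibited = booleanOption(map2, SecurityConstants.CERT_PATH_POLICY_MAPPING_INHIBITED, this.policyMappingInhibited);
        this.policyQualifierRejected = booleanOption(map2, SecurityConstants.CERT_PATH_POLICY_QUALIFIERS_REJECTED, this.policyQualifierRejected);
        this.revocationEnabled = booleanOption(map2, SecurityConstants.CERT_PATH_REVOCATION_ENABLED, this.revocationEnabled);
        this.sigProvider = stringOption(map2, SecurityConstants.CERT_PATH_SIG_PROVIDER, this.sigProvider);
        this.fileCrlPath = stringOption(map2, SecurityConstants.CERT_PATH_CRL_PATH, this.fileCrlPath);
        this.urlCrlPath = stringOption(map2, SecurityConstants.CERT_PATH_URL_CRL_PATH, this.urlCrlPath);
        String caCertsDir = option(map2, SecurityConstants.TRUSTED_CA_CERTIFICATES_DIRECTORY_PATH);
        if (caCertsDir != null) {
            this.trustedCaCertsDirPath = caCertsDir;
            this.trustAnchors = CertUtils.getTrustedAnchorsFromDirectory(caCertsDir);
        }
        // The provider class name comes from the JAAS configuration, which must be trusted
        // administrator input: an arbitrary class is instantiated here.
        String providerClassName = option(map2, SecurityConstants.SECURITY_PROVIDER);
        if (providerClassName == null) {
            this.securityProvider = new BouncyCastleProvider();
        } else {
            // Stays null on failure; login() then refuses to proceed instead of failing with an NPE.
            this.securityProvider = loadSecurityProvider(providerClassName);
        }
        this.certStoreType = stringOption(map2, SecurityConstants.CERT_PATH_CERTSTORE_TYPE, this.certStoreType);
        this.ldapServerName = stringOption(map2, SecurityConstants.CERT_PATH_LDAP_SERVER_NAME, this.ldapServerName);
        String ldapPort = option(map2, SecurityConstants.CERT_PATH_LDAP_SERVER_PORT);
        if (ldapPort != null) {
            // A non-numeric port is a configuration error; let NumberFormatException surface.
            this.ldapServerPort = Integer.parseInt(ldapPort);
        }
        // NOTE: these are process-wide system properties, visible to every component of the JVM,
        // and they include the trust store password.
        String trustStore = option(map2, SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE);
        if (trustStore != null) {
            System.setProperty(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE, trustStore);
        }
        String trustStorePassword = option(map2, SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE_PASSWORD);
        if (trustStorePassword != null) {
            System.setProperty(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE_PASSWORD, trustStorePassword);
        }
        this.keyStorePath = stringOption(map2, SecurityConstants.KEY_STORE_PATH, this.keyStorePath);
        this.keyStorePassword = stringOption(map2, SecurityConstants.KEY_STORE_PASSWORD, this.keyStorePassword);
        this.keyStoreType = stringOption(map2, SecurityConstants.KEY_STORE_TYPE, this.keyStoreType);
    }

    /** Returns option {@code key} as a String, or null when it is absent. */
    private static String option(Map options, String key) {
        return (String) options.get(key);
    }

    /** Returns option {@code key}, or {@code defaultValue} when it is absent. */
    private static String stringOption(Map options, String key, String defaultValue) {
        String value = option(options, key);
        return value == null ? defaultValue : value;
    }

    /** Returns option {@code key} parsed with {@link Boolean#valueOf(String)}, or {@code defaultValue} when absent. */
    private static boolean booleanOption(Map options, String key, boolean defaultValue) {
        String value = option(options, key);
        return value == null ? defaultValue : Boolean.valueOf(value).booleanValue();
    }

    /**
     * Instantiates the configured JCE provider through this class's class loader.
     *
     * @return the provider, or null (logged at SEVERE) when it cannot be loaded or is not a Provider
     */
    private Provider loadSecurityProvider(String className) {
        try {
            return (Provider) getClass().getClassLoader().loadClass(className).newInstance();
        } catch (ClassNotFoundException e) {
            logger.log(Level.SEVERE, " security provider class cannot be found : " + className, e);
        } catch (IllegalAccessException e) {
            logger.log(Level.SEVERE, " security provider class cannot be accessed : " + className, e);
        } catch (InstantiationException e) {
            logger.log(Level.SEVERE, " security provider class cannot be instantiated : " + className, e);
        } catch (ClassCastException e) {
            logger.log(Level.SEVERE, " configured class is not a java.security.Provider : " + className, e);
        }
        return null;
    }

    /** Attaches {@code cause} to a freshly created LoginException (which has no cause constructor). */
    private static <T extends LoginException> T withCause(T exception, Throwable cause) {
        exception.initCause(cause);
        return exception;
    }

    /** Human-readable provider description for log messages; null-safe. */
    private String describeProvider() {
        if (this.securityProvider == null) {
            return "<no security provider>";
        }
        return this.securityProvider.getName() + " " + this.securityProvider.getInfo() + " " + this.securityProvider.getVersion();
    }

    /**
     * Runs the parent certificate login, then validates the certificate path (including CRL
     * revocation checking when enabled).
     *
     * @return false when the parent module rejects the login; true once the path is valid
     * @throws LoginException when the provider, the trust anchors or the validation fail;
     *                        a {@link FailedLoginException} when the certificate path itself is
     *                        rejected
     */
    @Override // net.sf.jguard.ext.authentication.loginmodules.CertificateLoginModule
    public boolean login() throws LoginException {
        if (!super.login()) {
            return false;
        }
        if (this.securityProvider == null) {
            throw new LoginException(" no usable security provider : check the '" + SecurityConstants.SECURITY_PROVIDER + "' option ");
        }
        this.certPath = buildCertPath(this.certChainToCheck);
        validateCertPath(this.certPath);
        this.sharedState.put(SecurityConstants.SKIP_PASSWORD_CHECK, SchemaSymbols.ATTVAL_TRUE);
        return true;
    }

    /**
     * Builds a {@link CertPath} from the chain accepted by the parent module.
     *
     * @throws FailedLoginException when the chain is missing or cannot be turned into a path
     */
    private CertPath buildCertPath(X509Certificate[] chain) throws LoginException {
        if (chain == null || chain.length == 0) {
            throw new FailedLoginException(" no certificate chain available for certificate path validation ");
        }
        try {
            return CertificateFactory.getInstance(X_509, this.securityProvider).generateCertPath(Arrays.asList(chain));
        } catch (CertificateException e) {
            logger.log(Level.SEVERE, " certificate path cannot be built with the securityProvider " + describeProvider(), e);
            throw withCause(new FailedLoginException(" certificate path cannot be built : " + e.getMessage()), e);
        }
    }

    /**
     * Validates {@code certPath} with the PKIX algorithm against the configured trust anchors,
     * using the configured cert store as CRL source and the current date as validation time.
     *
     * @throws LoginException       when PKIX is unavailable or the parameters cannot be built
     * @throws FailedLoginException when the validator rejects the path (revoked, expired,
     *                              untrusted, policy violation, ...)
     */
    private void validateCertPath(CertPath certPath) throws LoginException {
        CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance(PKIX, this.securityProvider);
        } catch (NoSuchAlgorithmException e) {
            String message = " algorithm PKIX is not present " + describeProvider();
            logger.log(Level.SEVERE, message, e);
            throw withCause(new LoginException(message), e);
        }
        try {
            PKIXParameters parameters = getPKIXParameters();
            List certStores = new ArrayList();
            certStores.add(getCertStore());
            parameters.setCertStores(certStores);
            parameters.setAnyPolicyInhibited(this.anyPolicyInhibited);
            parameters.setDate(new Date());
            parameters.setExplicitPolicyRequired(this.explicitPolicyRequired);
            parameters.setPolicyMappingInhibited(this.policyMappingInhibited);
            parameters.setPolicyQualifiersRejected(this.policyQualifierRejected);
            parameters.setRevocationEnabled(this.revocationEnabled);
            if (this.sigProvider != null) {
                parameters.setSigProvider(this.sigProvider);
            }
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, parameters);
            if (this.debug) {
                logValidationResult(result);
            }
        } catch (InvalidAlgorithmParameterException e) {
            logger.log(Level.SEVERE, " invalid PKIX parameters ", e);
            throw withCause(new FailedLoginException(e.getMessage()), e);
        } catch (CertPathValidatorException e) {
            logger.log(Level.SEVERE, " certificate path validation failed ", e);
            throw withCause(new FailedLoginException(e.getMessage()), e);
        }
    }

    /** Dumps the validation result at FINEST level (only called when {@code debug} is set). */
    private void logValidationResult(PKIXCertPathValidatorResult result) {
        PolicyNode policyTree = result.getPolicyTree();
        PublicKey publicKey = result.getPublicKey();
        TrustAnchor trustAnchor = result.getTrustAnchor();
        if (policyTree != null) {
            logger.finest("policyTree depth = " + policyTree.getDepth());
            logger.finest("policyTree expected policies = " + policyTree.getExpectedPolicies());
            logger.finest("policyTree policy qualifiers = " + policyTree.getPolicyQualifiers());
        }
        if (publicKey != null) {
            logger.finest("public key= " + publicKey.toString());
        }
        if (trustAnchor != null) {
            logger.finest("TrustAnchor ca name= " + trustAnchor.getCAName());
            logger.finest("TrustAnchor ca public key = " + trustAnchor.getCAPublicKey());
            logger.finest("TrustAnchor name constraints = " + trustAnchor.getNameConstraints());
            logger.finest("TrustAnchor trustedCert = " + trustAnchor.getTrustedCert());
        }
    }

    /**
     * Builds the PKIX parameters from the configured key store, or, when no key store path is
     * set, from the trust anchors loaded from the trusted CA directory.
     *
     * @throws LoginException when neither source is configured or the chosen source cannot be read
     */
    private PKIXParameters getPKIXParameters() throws LoginException {
        try {
            if (this.keyStorePath != null) {
                return new PKIXParameters(CertUtils.getKeyStore(this.keyStorePath, this.keyStorePassword, this.keyStoreType));
            }
            // PKIXParameters(Set) would throw NullPointerException / InvalidAlgorithmParameterException
            // here; report the configuration problem explicitly instead.
            if (this.trustAnchors == null || this.trustAnchors.isEmpty()) {
                throw new LoginException(" no trust anchors configured : set '" + SecurityConstants.KEY_STORE_PATH
                        + "' or '" + SecurityConstants.TRUSTED_CA_CERTIFICATES_DIRECTORY_PATH + "' ");
            }
            return new PKIXParameters((Set<TrustAnchor>) this.trustAnchors);
        } catch (IOException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        } catch (InvalidAlgorithmParameterException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        } catch (KeyStoreException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        } catch (NoSuchAlgorithmException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        } catch (CertificateException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        }
    }

    /**
     * Creates the CRL source: an LDAP cert store, or a collection store holding the CRLs read
     * from {@code fileCrlPath} / {@code urlCrlPath}.
     *
     * @throws LoginException for an unknown {@code certStoreType} or when the store cannot be created
     */
    private CertStore getCertStore() throws LoginException {
        CertStoreParameters parameters;
        if (LDAP.equalsIgnoreCase(this.certStoreType)) {
            parameters = new LDAPCertStoreParameters(this.ldapServerName, this.ldapServerPort);
        } else if (COLLECTION.equalsIgnoreCase(this.certStoreType)) {
            parameters = new CollectionCertStoreParameters(getCRLAndCertsCollection());
        } else {
            throw new LoginException(" invalid 'certStoreType' value : this value should be 'LDAP' or 'Collection' ");
        }
        try {
            return CertStore.getInstance(this.certStoreType, parameters, this.securityProvider);
        } catch (InvalidAlgorithmParameterException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        } catch (NoSuchAlgorithmException e) {
            throw withCause(new LoginException(e.getMessage()), e);
        }
    }

    /**
     * Loads the CRLs configured by {@code fileCrlPath} and {@code urlCrlPath}. Loading is
     * best-effort: a CRL that cannot be read is logged and skipped. With revocation checking
     * enabled the validator is then expected to reject the path for lack of revocation data.
     *
     * @throws LoginException when no X.509 certificate factory is available from the provider
     */
    private Collection getCRLAndCertsCollection() throws LoginException {
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance(X_509, this.securityProvider);
        } catch (CertificateException e) {
            String message = " X509 certificate factory cannot be retrieved with the securityProvider " + describeProvider();
            logger.log(Level.SEVERE, message, e);
            throw withCause(new LoginException(message), e);
        }
        Collection crls = new ArrayList();
        if (this.fileCrlPath != null) {
            addCRLFromPath(crls, certificateFactory);
        }
        if (this.urlCrlPath != null) {
            addCRLFromURL(crls, certificateFactory);
        }
        return crls;
    }

    /** Reads one CRL from {@code fileCrlPath} into {@code collection}; failures are logged, not thrown. */
    private void addCRLFromPath(Collection collection, CertificateFactory certificateFactory) {
        InputStream in = null;
        try {
            in = new BufferedInputStream(new FileInputStream(this.fileCrlPath));
            collection.add(certificateFactory.generateCRL(in));
        } catch (FileNotFoundException e) {
            logger.log(Level.SEVERE, " CRL file cannot be opened : " + this.fileCrlPath, e);
        } catch (CRLException e) {
            logger.log(Level.SEVERE, " CRL cannot be built from the file " + this.fileCrlPath, e);
        } finally {
            closeQuietly(in);
        }
    }

    /**
     * Downloads one CRL from {@code urlCrlPath} into {@code collection}; failures are logged,
     * not thrown. The CRL's integrity rests on its signature, which the PKIX validator checks,
     * not on the transport.
     * NOTE(review): no connect/read timeout is set on the connection, so an unresponsive CRL
     * distribution point blocks the login thread.
     */
    private void addCRLFromURL(Collection collection, CertificateFactory certificateFactory) {
        InputStream in = null;
        try {
            URLConnection connection = new URL(this.urlCrlPath).openConnection();
            connection.setDoInput(true);
            connection.setUseCaches(false);
            in = connection.getInputStream();
            collection.add(certificateFactory.generateCRL(in));
        } catch (MalformedURLException e) {
            logger.log(Level.SEVERE, " bad uri synthax " + this.urlCrlPath, e);
        } catch (IOException e) {
            logger.log(Level.SEVERE, " IOException when we wan to retrieve CRL with data ", e);
        } catch (CRLException e) {
            logger.log(Level.SEVERE, " CRL cannot be built with the retrieved data ", e);
        } finally {
            closeQuietly(in);
        }
    }

    /** Closes {@code in} if non-null, logging (not propagating) an IOException. */
    private static void closeQuietly(InputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            logger.log(Level.SEVERE, " IOException when we close the CRL input stream", e);
        }
    }

    /**
     * Registers the BouncyCastle provider with the JCA if it is not installed yet.
     * The lookup uses the provider's registered name (as returned by {@link Provider#getName()}),
     * which is what {@link Security#getProvider(String)} expects - not the class name.
     *
     * @return true when the provider is available afterwards; false when a SecurityManager
     *         forbids dynamic registration (instructions are logged at SEVERE)
     */
    public static boolean initSecurityProvider() {
        Provider bouncyCastle = new BouncyCastleProvider();
        if (Security.getProvider(bouncyCastle.getName()) != null) {
            return true;
        }
        try {
            Security.addProvider(bouncyCastle);
            return true;
        } catch (SecurityException e) {
            logger.log(Level.SEVERE, " jGuard cannot add dynamically the JCE provider required from  \n", e);
            logger.severe(" the BOUNCYCASTLE library .this operation is prevented by the SECURITYMANAGER \n");
            logger.severe(" to use this required provider, you must add an entry to your java.security  \n");
            logger.severe(" properties file (found in $JAVA_HOME/jre/lib/security/java.security, \n");
            logger.severe(" where $JAVA_HOME is the location of your JDK/JRE distribution) \n");
            logger.severe(" security.provider.<n>=org.bouncycastle.jce.provider.BouncyCastleProvider \n");
            logger.severe("  Where <n> is the preference you want the provider at (1 being the most prefered). ");
            return false;
        }
    }

    /** Legacy class-literal helper retained for compatibility; loads {@code str} via Class.forName. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }
}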
