package org.italiangrid.voms.ac.impl;

import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
import org.italiangrid.voms.VOMSAttribute;
import org.italiangrid.voms.VOMSError;
import org.italiangrid.voms.ac.VOMSACValidationStrategy;
import org.italiangrid.voms.ac.VOMSValidationResult;
import org.italiangrid.voms.asn1.VOMSConstants;
import org.italiangrid.voms.error.VOMSValidationErrorCode;
import org.italiangrid.voms.error.VOMSValidationErrorMessage;
import org.italiangrid.voms.store.LSCInfo;
import org.italiangrid.voms.store.VOMSTrustStore;

/* loaded from: input_file:org/italiangrid/voms/ac/impl/DefaultVOMSValidationStrategy.class */
/**
 * Default validation strategy for VOMS attribute certificates (ACs).
 *
 * <p>Each {@code validateAC} overload runs a fixed sequence of checks, stopping at the
 * first failure, and returns the outcome together with every error message recorded so
 * far in a {@link VOMSValidationResult}. The order is: time validity, AC signature
 * (LSC-described chain first, local AA certificate as fallback), AC holder versus the
 * supplied certificate chain (two-argument overload only), AC targets versus the local
 * host name, and AC extension criticality rules.
 *
 * <p>Security notes for maintainers (details on the individual methods):
 * <ul>
 *   <li>AC signature verification is RSA-only ({@link BcRSAContentVerifierProviderBuilder}).
 *       Any failure inside the verifier, including an unsupported key type or a malformed
 *       AC, surfaces as a thrown {@link VOMSError}, not as an invalid result.</li>
 *   <li>No signature-algorithm policy is applied in this class: the digest is whatever the
 *       AC's signature algorithm identifier resolves to via
 *       {@link DefaultDigestAlgorithmIdentifierFinder}. NOTE(review): if weak digests
 *       (e.g. MD5/SHA-1 signed ACs) must be rejected, confirm that happens elsewhere.</li>
 *   <li>The user certificate chain passed to the two-argument {@code validateAC} is NOT
 *       validated here; only the AA certificate chain is. Presumably the caller has already
 *       validated the user chain — TODO confirm against callers.</li>
 *   <li>Only the AA chain validation is delegated to the injected
 *       {@link X509CertChainValidatorExt}; what it checks (trust anchors, revocation,
 *       proxy policy) depends entirely on how that validator was configured.</li>
 * </ul>
 */
public class DefaultVOMSValidationStrategy implements VOMSACValidationStrategy {
    /** Local VOMS trust store: LSC files and locally installed AA certificates. */
    private final VOMSTrustStore store;
    /** Validator used for the AA certificate (chain); configuration not visible here. */
    private final X509CertChainValidatorExt certChainValidator;

    /**
     * Creates a strategy backed by the given trust store and chain validator.
     *
     * @param vOMSTrustStore source of LSC descriptions and local AA certificates
     * @param x509CertChainValidatorExt validator for AA certificate chains
     *        (neither argument is null-checked here)
     */
    public DefaultVOMSValidationStrategy(VOMSTrustStore vOMSTrustStore, X509CertChainValidatorExt x509CertChainValidatorExt) {
        this.store = vOMSTrustStore;
        this.certChainValidator = x509CertChainValidatorExt;
    }

    /**
     * Checks that the AC holder equals the DN of the original (non-proxy) user certificate
     * in the chain, as computed by {@link ProxyUtils#getOriginalUserDN}.
     *
     * <p>Comparison is {@link X500Principal#equals}. The chain itself is not validated in
     * this method. Behaviour for a null or empty chain depends on
     * {@code getOriginalUserDN} — not visible here.
     *
     * @return {@code true} on match; otherwise records
     *         {@code acHolderDoesntMatchCertChain} with both DNs and returns {@code false}
     */
    private boolean checkACHolder(VOMSAttribute vOMSAttribute, X509Certificate[] x509CertificateArr, List<VOMSValidationErrorMessage> list) {
        X500Principal originalUserDN = ProxyUtils.getOriginalUserDN(x509CertificateArr);
        boolean equals = originalUserDN.equals(vOMSAttribute.getHolder());
        if (!equals) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.acHolderDoesntMatchCertChain, X500NameUtils.getReadableForm(vOMSAttribute.getHolder()), X500NameUtils.getReadableForm(originalUserDN)));
        }
        return equals;
    }

    /**
     * Checks the AC validity window against the current wall-clock time.
     *
     * <p>No clock-skew tolerance is applied at this level; any tolerance would have to live
     * inside {@code validAt} — can't tell from here.
     *
     * @return {@code true} if valid now; otherwise records {@code acNotValidAtCurrentTime}
     *         with notBefore/notAfter and the evaluation time
     */
    private boolean checkACValidity(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        Date date = new Date();
        boolean validAt = vOMSAttribute.validAt(date);
        if (!validAt) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.acNotValidAtCurrentTime, vOMSAttribute.getNotBefore(), vOMSAttribute.getNotAfter(), date));
        }
        return validAt;
    }

    /**
     * Fallback signature path: looks up an AA certificate by the AC issuer DN in the local
     * trust store, validates that single certificate with the chain validator, then verifies
     * the AC signature against its public key.
     *
     * <p>Note that {@code validateCertificate} already copies the validator's own errors into
     * the list; {@code invalidAaCert} is appended on top of them.
     *
     * @return {@code true} only if the certificate is found, validates, and signed this AC
     */
    private boolean checkLocalAACertSignature(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        X509Certificate aACertificateBySubject = this.store.getAACertificateBySubject(vOMSAttribute.getIssuer());
        if (aACertificateBySubject == null) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.aaCertNotFound));
            return false;
        }
        if (!validateCertificate(aACertificateBySubject, list)) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.invalidAaCert));
            return false;
        }
        boolean verifyACSignature = verifyACSignature(vOMSAttribute, aACertificateBySubject);
        if (!verifyACSignature) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.aaCertFailsSignatureVerification, X500NameUtils.getReadableForm(aACertificateBySubject.getSubjectX500Principal())));
        }
        return verifyACSignature;
    }

    /**
     * Primary signature path: uses the LSC description for (VO, host) together with the AA
     * certificate chain embedded in the AC.
     *
     * <p>The embedded chain is untrusted input. It is accepted as the signer only after
     * (1) it is non-empty, (2) it matches the LSC description ({@code lsc.matches}), and
     * (3) it validates against the injected chain validator. The leaf
     * {@code aACertificates[0]} is then used to verify the AC signature.
     *
     * @return {@code true} only if all of the above hold and the signature verifies
     */
    private boolean checkLSCSignature(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        LSCInfo lsc = this.store.getLSC(vOMSAttribute.getVO(), vOMSAttribute.getHost());
        X509Certificate[] aACertificates = vOMSAttribute.getAACertificates();
        if (lsc == null) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.lscFileNotFound));
            return false;
        }
        if (aACertificates == null || aACertificates.length == 0) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.emptyAcCertsExtension));
            return false;
        }
        if (!lsc.matches(aACertificates)) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.lscDescriptionDoesntMatchAcCert));
            return false;
        }
        if (!validateCertificateChain(aACertificates, list)) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.invalidAcCert));
            return false;
        }
        boolean verifyACSignature = verifyACSignature(vOMSAttribute, aACertificates[0]);
        if (!verifyACSignature) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.acCertFailsSignatureVerification, X500NameUtils.getReadableForm(aACertificates[0].getSubjectX500Principal())));
        }
        return verifyACSignature;
    }

    /**
     * Verifies the AC signature via the LSC path first, falling back to a locally stored AA
     * certificate if that fails.
     *
     * <p>Error messages recorded by a failed LSC attempt are left in the list even when the
     * fallback succeeds, so a valid result may still carry messages; callers should key off
     * the returned boolean / result validity, not on the list being empty.
     */
    private boolean checkSignature(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        boolean checkLSCSignature = checkLSCSignature(vOMSAttribute, list);
        if (!checkLSCSignature) {
            checkLSCSignature = checkLocalAACertSignature(vOMSAttribute, list);
        }
        return checkLSCSignature;
    }

    /**
     * If the AC carries a target list, the local canonical host name must appear in it.
     *
     * <p>The host name comes from {@code InetAddress.getLocalHost().getCanonicalHostName()},
     * i.e. from the local resolver / reverse DNS, so the outcome depends on host
     * configuration. Matching is exact, case-sensitive string equality via
     * {@code List.contains}; presumably targets are FQDNs — verify. A resolution failure is
     * treated as a validation failure (fail-closed). An absent or empty target list passes.
     */
    private boolean checkTargets(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        if (vOMSAttribute.getTargets() == null || vOMSAttribute.getTargets().size() == 0) {
            return true;
        }
        try {
            String canonicalHostName = InetAddress.getLocalHost().getCanonicalHostName();
            if (vOMSAttribute.getTargets().contains(canonicalHostName)) {
                return true;
            }
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.localhostDoesntMatchAcTarget, canonicalHostName, vOMSAttribute.getTargets().toString()));
            return false;
        } catch (UnknownHostException e) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.other, "Error resolving localhost name: " + e.getMessage()));
            return false;
        }
    }

    /**
     * Rejects an AC whose noRevAvail extension is marked critical (RFC 5755 §4.3 requires it
     * to be non-critical). A missing extension passes.
     */
    private boolean checkNoRevAvailExtension(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        X509Extension extension = vOMSAttribute.getVOMSAC().getExtension(X509Extension.noRevAvail);
        if (extension == null || !extension.isCritical()) {
            return true;
        }
        list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.other, "NoRevAvail AC extension cannot be critical!"));
        return false;
    }

    /**
     * Rejects an AC whose authorityKeyIdentifier extension is marked critical (RFC 5755 §4.3
     * requires it to be non-critical). A missing extension passes.
     */
    private boolean checkAuthorityKeyIdentifierExtension(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        X509Extension extension = vOMSAttribute.getVOMSAC().getExtension(X509Extension.authorityKeyIdentifier);
        if (extension == null || !extension.isCritical()) {
            return true;
        }
        list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.other, "AuthorityKeyIdentifier AC extension cannot be critical!"));
        return false;
    }

    /**
     * Rejects the AC if any extension outside {@link VOMSConstants#VOMS_HANDLED_EXTENSIONS}
     * is marked critical — a critical extension the relying party does not understand must
     * cause rejection. Stops at the first offending OID; only that one is reported.
     */
    private boolean checkUnhandledCriticalExtensions(VOMSAttribute vOMSAttribute, List<VOMSValidationErrorMessage> list) {
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : vOMSAttribute.getVOMSAC().getExtensionOIDs()) {
            if (!VOMSConstants.VOMS_HANDLED_EXTENSIONS.contains(aSN1ObjectIdentifier) && vOMSAttribute.getVOMSAC().getExtension(aSN1ObjectIdentifier).isCritical()) {
                list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.other, "unknown critical extension found in VOMS AC: " + aSN1ObjectIdentifier.getId()));
                return false;
            }
        }
        return true;
    }

    /**
     * Validates an AC without binding it to a certificate chain: validity window, signature,
     * targets, then extension rules, stopping at the first failure.
     *
     * <p>No holder check is performed by this overload, so a valid result here does NOT
     * establish that the AC belongs to any particular user; use the two-argument overload
     * for that. Unlike that overload, this method is not {@code synchronized}.
     *
     * @return result carrying the AC, the overall verdict and all recorded messages
     */
    @Override // org.italiangrid.voms.ac.VOMSACValidationStrategy
    public VOMSValidationResult validateAC(VOMSAttribute vOMSAttribute) {
        ArrayList arrayList = new ArrayList();
        boolean checkACValidity = checkACValidity(vOMSAttribute, arrayList);
        if (checkACValidity) {
            checkACValidity = checkSignature(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkTargets(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkAuthorityKeyIdentifierExtension(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkNoRevAvailExtension(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkUnhandledCriticalExtensions(vOMSAttribute, arrayList);
        }
        return new VOMSValidationResult(vOMSAttribute, checkACValidity, arrayList);
    }

    /**
     * Validates an AC and binds it to the given certificate chain: validity window,
     * signature, holder-vs-chain, targets, then extension rules, stopping at the first
     * failure.
     *
     * <p>The chain is used only to derive the original user DN (see {@code checkACHolder});
     * it is not itself validated here. Declared {@code synchronized} while the one-argument
     * overload is not; whether the shared store/validator need that is not visible here.
     *
     * @param x509CertificateArr the (presumably already validated) user certificate chain
     * @return result carrying the AC, the overall verdict and all recorded messages
     */
    @Override // org.italiangrid.voms.ac.VOMSACValidationStrategy
    public synchronized VOMSValidationResult validateAC(VOMSAttribute vOMSAttribute, X509Certificate[] x509CertificateArr) {
        ArrayList arrayList = new ArrayList();
        boolean checkACValidity = checkACValidity(vOMSAttribute, arrayList);
        if (checkACValidity) {
            checkACValidity = checkSignature(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkACHolder(vOMSAttribute, x509CertificateArr, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkTargets(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkAuthorityKeyIdentifierExtension(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkNoRevAvailExtension(vOMSAttribute, arrayList);
        }
        if (checkACValidity) {
            checkACValidity = checkUnhandledCriticalExtensions(vOMSAttribute, arrayList);
        }
        return new VOMSValidationResult(vOMSAttribute, checkACValidity, arrayList);
    }

    /** Validates a single certificate as a one-element chain; see {@code validateCertificateChain}. */
    private boolean validateCertificate(X509Certificate x509Certificate, List<VOMSValidationErrorMessage> list) {
        return validateCertificateChain(new X509Certificate[]{x509Certificate}, list);
    }

    /**
     * Delegates chain validation to the injected CANL validator and copies each of its
     * {@link ValidationError}s into the message list under {@code canlError}.
     *
     * <p>Which properties are checked (trust anchor, expiry, revocation, name constraints,
     * proxy rules) is entirely determined by the validator's configuration — not visible here.
     */
    private boolean validateCertificateChain(X509Certificate[] x509CertificateArr, List<VOMSValidationErrorMessage> list) {
        ValidationResult validate = this.certChainValidator.validate(x509CertificateArr);
        Iterator it = validate.getErrors().iterator();
        while (it.hasNext()) {
            list.add(VOMSValidationErrorMessage.newErrorMessage(VOMSValidationErrorCode.canlError, ((ValidationError) it.next()).getMessage()));
        }
        return validate.isValid();
    }

    /**
     * Verifies the AC signature against the given certificate's public key using BouncyCastle.
     *
     * <p>The verifier provider is RSA-only, and the digest is resolved from the AC's signature
     * algorithm identifier by {@link DefaultDigestAlgorithmIdentifierFinder}; no allow-list of
     * acceptable digests is enforced in this class. Any exception (unsupported key type,
     * malformed signature structure, ...) is rethrown as {@link VOMSError}, so such an AC
     * aborts validation with an exception instead of yielding an invalid result — callers
     * must be prepared for that.
     *
     * @return {@code true} if the signature verifies
     * @throws VOMSError wrapping any exception raised while building or running the verifier
     */
    private boolean verifyACSignature(VOMSAttribute vOMSAttribute, X509Certificate x509Certificate) {
        try {
            return vOMSAttribute.getVOMSAC().isSignatureValid(new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(new JcaX509CertificateHolder(x509Certificate)));
        } catch (Exception e) {
            throw new VOMSError("Error verifying AC signature: " + e.getMessage(), e);
        }
    }
}
