package org.glite.security.trustmanager;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.glite.security.util.DN;
import org.glite.security.util.DNHandler;

/* loaded from: input_file:glite-security-trustmanager.jar:org/glite/security/trustmanager/ProxyCertPathValidator.class */
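public class ProxyCertPathValidator {
    /** Logger for this class; assigned in the static initializer at the bottom of the file. */
    static Logger logger;
    /**
     * Trust anchors the chains are validated against. Every element is expected to be a
     * {@link TrustAnchor}; the vector is held by reference, not copied.
     */
    Vector trustAnchors;
    /** Cached class object used for the logger name (Java 1.4 style {@code .class} literal); kept for compatibility. */
    static Class class$org$glite$security$trustmanager$ProxyCertPathValidator;
    /** Optional revocation checker; when {@code null} no CRL check is done in {@link #checkLastAnchor}. */
    CRLCertChecker crlChecker = null;
    /** Factory used to re-encode every incoming certificate through the "BC" provider before validation. */
    CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC");

    /**
     * Creates a validator over the given trust anchors.
     *
     * @param vector the trust anchors (elements of type {@link TrustAnchor}); used directly, not copied
     * @throws CertificateException if the X.509 certificate factory cannot be created
     * @throws NoSuchProviderException if the "BC" provider is not installed
     */
    public ProxyCertPathValidator(Vector vector) throws CertificateException, NoSuchProviderException {
        this.trustAnchors = vector;
    }

    /**
     * Installs (or, with {@code null}, removes) the revocation checker consulted for the
     * certificate directly below the trust anchor.
     *
     * @param cRLCertChecker the checker, or {@code null} to disable CRL checking
     */
    public void setCRLChecker(CRLCertChecker cRLCertChecker) {
        this.crlChecker = cRLCertChecker;
    }

    /**
     * Validates a certificate chain against the configured trust anchors.
     *
     * <p>The chain is ordered end-entity first: {@code x509CertificateArr[i]} is signed by
     * {@code x509CertificateArr[i + 1]}. A self-signed certificate at the top of the chain is
     * treated as a client-supplied CA certificate: it is never used as a trust source and is
     * dropped from the walk, unless it is the only certificate, in which case it must be
     * byte-identical to one of the trust anchors.
     *
     * @param x509CertificateArr the chain, end-entity first; {@code null} is treated as empty
     * @throws CertPathValidatorException if the chain is empty, no matching CA is known, a
     *         signature or DN check fails, or the top certificate is revoked
     * @throws CertificateException if a certificate is outside its validity period, cannot be
     *         re-encoded, or a proxy DN restriction is violated
     */
    public void check(X509Certificate[] x509CertificateArr) throws CertPathValidatorException, CertificateException {
        X509Certificate[] chain = reencode(x509CertificateArr);
        logChain(chain);
        int length = chain.length;
        logger.debug("path len is " + length);
        if (length == 0) {
            logger.error("No certificate given to check");
            throw new CertPathValidatorException("No certificate given to check");
        }
        X509Certificate last = chain[length - 1];
        DN lastSubject = DNHandler.getSubject(last);
        if (DNHandler.getIssuer(last).equals(lastSubject)) {
            // The client-supplied CA cert is excluded from the pair walk; trust only ever comes
            // from this.trustAnchors.
            length--;
            logger.debug("cert " + lastSubject + " considered as CA cert (came with the chain from client)");
            if (length == 0) {
                checkLoneSelfSignedCert(last, lastSubject);
                return;
            }
        }
        checkValidityPeriods(chain);
        // restrictNext == true means the next (subordinate) certificate must be a proxy whose DN
        // extends its signer's DN; see checkCertificatePair.
        boolean restrictNext = checkTopAgainstAnchors(chain[length - 1]);
        logger.debug("checking the rest of the chain");
        try {
            for (int i = length - 1; i > 0; i--) {
                restrictNext = checkCertificatePair(chain[i - 1], chain[i], restrictNext);
            }
            logger.debug("certificate path for " + DNHandler.getSubject(chain[0]) + " is valid");
        } catch (CertPathValidatorException e) {
            logger.info(e.getMessage());
            throw e;
        } catch (CertificateException e) {
            logger.info(e.getMessage());
            throw e;
        }
    }

    /** Re-encodes each certificate through {@link #certFact} so the whole chain is made of the BC provider's objects. */
    private X509Certificate[] reencode(X509Certificate[] input) throws CertificateException {
        if (input == null) {
            return new X509Certificate[0];
        }
        Vector<X509Certificate> copy = new Vector<X509Certificate>(input.length);
        for (int i = 0; i < input.length; i++) {
            byte[] der = input[i].getEncoded();
            copy.add((X509Certificate) this.certFact.generateCertificate(new BufferedInputStream(new ByteArrayInputStream(der))));
        }
        return copy.toArray(new X509Certificate[copy.size()]);
    }

    /** Logs the implementation class and subject of every chain element at debug level. */
    private static void logChain(X509Certificate[] chain) {
        if (!logger.isDebugEnabled()) {
            return;
        }
        for (int i = 0; i < chain.length; i++) {
            logger.debug("input path cert type: " + chain[i].getClass().getName() + " DN [" + chain[i].getSubjectDN() + "]");
        }
    }

    /**
     * Handles a chain consisting of a single self-signed certificate: it is accepted only if it
     * is equal (same encoding) to a currently valid trust anchor with the same subject.
     *
     * @param cert the self-signed certificate
     * @param subject its subject DN (already computed by the caller)
     * @throws CertPathValidatorException if no trust anchor with that subject exists, or none is
     *         identical to the presented certificate
     * @throws CertificateException if the certificate is outside its validity period
     */
    private void checkLoneSelfSignedCert(X509Certificate cert, DN subject) throws CertPathValidatorException, CertificateException {
        TrustAnchor[] anchors = findCA(subject); // throws when no valid CA with that DN is known
        // A DN match alone is not enough: a self-signed cert that merely copies a CA's subject
        // DN must not be accepted, so require equality with the anchor's certificate itself.
        TrustAnchor match = null;
        for (int i = 0; i < anchors.length && match == null; i++) {
            if (anchors[i].getTrustedCert().equals(cert)) {
                match = anchors[i];
            }
        }
        if (match == null) {
            String msg = "A self signed cert [" + subject + "] given, but not found among CAs, rejecting";
            logger.error(msg);
            throw new CertPathValidatorException(msg);
        }
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            // Both expired and not-yet-valid are reported with the "expired" message, as before.
            logger.info("the CA Certificate " + subject + " expired on " + cert.getNotAfter());
            throw new CertificateExpiredException("the CA Certificate " + DNHandler.getSubject(cert) + " expired on " + cert.getNotAfter());
        }
        logger.info("certificate path for " + subject + " is valid");
    }

    /**
     * Rejects the chain if any element (including a client-supplied CA cert) is outside its
     * validity period.
     *
     * @throws CertificateException on the first expired or not-yet-valid certificate; the
     *         not-yet-valid case is still raised as {@link CertificateExpiredException} to keep
     *         the exception type existing callers handle
     */
    private static void checkValidityPeriods(X509Certificate[] chain) throws CertificateException {
        logger.debug("Checking for expiration in the chain");
        for (int i = 0; i < chain.length; i++) {
            try {
                chain[i].checkValidity();
            } catch (CertificateExpiredException e) {
                String msg = "the Certificate for " + DNHandler.getSubject(chain[i]) + " expired on " + chain[i].getNotAfter();
                logger.info(msg);
                throw new CertificateExpiredException(msg);
            } catch (CertificateNotYetValidException e) {
                String msg = "the Certificate for " + DNHandler.getSubject(chain[i]) + " will only be valid after " + chain[i].getNotBefore();
                logger.info(msg);
                throw new CertificateExpiredException(msg);
            }
        }
    }

    /**
     * Checks the top-most non-self-signed certificate against every trust anchor whose subject
     * equals its issuer DN, stopping at the first anchor that validates it.
     *
     * @param topCert the highest certificate of the chain that is not self-signed
     * @return the DN-restriction flag to apply to the next pair (see {@link #checkCertificatePair})
     * @throws CertPathValidatorException if the certificate is revoked, or no anchor validates it
     * @throws CertificateException if DN extraction fails
     */
    private boolean checkTopAgainstAnchors(X509Certificate topCert) throws CertPathValidatorException, CertificateException {
        DN topIssuer = DNHandler.getIssuer(topCert);
        DN topSubject = DNHandler.getSubject(topCert);
        TrustAnchor[] candidates = findCA(topIssuer); // throws when no valid CA with that DN is known
        logger.debug("found " + candidates.length + " CAs that match, cheking which to use");
        Exception lastFailure = null;
        for (int i = 0; i < candidates.length; i++) {
            try {
                return checkLastAnchor(topCert, candidates[i]);
            } catch (CRLException e) {
                // Revocation is final: do not fall through to another anchor with the same DN.
                logger.info("Certificate for [" + topSubject + "] revoked by [" + topIssuer + "], rejecting it");
                throw new CertPathValidatorException(e.getMessage(), e);
            } catch (Exception e) {
                // Several anchors can share a DN (e.g. during CA rollover); try the others first.
                lastFailure = e;
            }
        }
        if (lastFailure != null) {
            logger.error("While checking against CA [" + topIssuer + "] got exception" + lastFailure);
            throw new CertPathValidatorException("While checking against CA [" + topIssuer + "] got exception " + lastFailure + " " + lastFailure.getMessage(), lastFailure);
        }
        String msg = "CA cert [" + topIssuer + "] not found, rejecting certificate for [" + topSubject + "]";
        logger.info(msg);
        throw new CertPathValidatorException(msg);
    }

    /**
     * Verifies that {@code x509Certificate} is signed by the key of {@code x509Certificate2}.
     *
     * @param x509Certificate the signed (subordinate) certificate
     * @param x509Certificate2 the certificate whose public key must verify the signature
     * @throws CertPathValidatorException if the signature does not verify
     * @throws CertificateException if the key or algorithm is unusable, or no provider is found
     */
    public void checkSignature(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException, CertificateException {
        logger.debug("Checking the signature");
        PublicKey signerKey = x509Certificate2.getPublicKey();
        logger.debug("Sub cert is " + x509Certificate.getClass().getName());
        try {
            x509Certificate.verify(signerKey);
        } catch (InvalidKeyException e) {
            String msg = "Invalid public key in \"" + x509Certificate2.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage();
            logger.info(msg);
            throw new CertificateException(msg, e);
        } catch (NoSuchAlgorithmException e) {
            String msg = "Invalid signature algorithm in \"" + x509Certificate.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage();
            logger.info(msg);
            throw new CertificateException(msg, e);
        } catch (NoSuchProviderException e) {
            logger.error("Internal error, no crypto provider found. Error was " + e.getClass().getName() + ":" + e.getMessage());
            throw new CertificateException("Internal error, no crypto provider found. Error was " + e.getMessage(), e);
        } catch (SignatureException e) {
            String msg = "invalid signature in " + x509Certificate.getSubjectDN().toString();
            logger.info(msg);
            throw new CertPathValidatorException(msg, e);
        }
    }

    /**
     * Checks one signer/subordinate pair: signature, issuer-DN/subject-DN match and, when
     * {@code z} is set, the proxy naming rule that the subordinate's DN must equal the signer's
     * DN plus one trailing CN.
     *
     * @param x509Certificate the subordinate certificate
     * @param x509Certificate2 its signer
     * @param z whether the proxy DN restriction must be enforced for this pair
     * @return the flag for the next pair down: {@code true} once {@code z} was set, otherwise
     *         {@code true} when the subordinate is a v1 certificate or carries no CA basic
     *         constraint (so anything it signs must be a proxy)
     * @throws CertPathValidatorException on signature failure or issuer/subject DN mismatch
     * @throws CertificateException if the DN restriction is violated or a DN cannot be read
     */
    public boolean checkCertificatePair(X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z) throws CertPathValidatorException, CertificateException {
        logger.debug("Checking a cert pair");
        checkSignature(x509Certificate, x509Certificate2);
        DN issuer = DNHandler.getIssuer(x509Certificate);
        DN signerSubject = DNHandler.getSubject(x509Certificate2);
        logger.debug("Checking DN match");
        if (!issuer.equals(signerSubject)) {
            String msg = "cert issuer DN (" + issuer + ") - Issuer subject DN (" + signerSubject + ") mismatch subject was " + DNHandler.getSubject(x509Certificate);
            logger.info(msg);
            throw new CertPathValidatorException(msg);
        }
        if (z) {
            logger.debug("Checkin that " + signerSubject + " matches end of " + DNHandler.getSubject(x509Certificate) + " because either constraints were true [" + z + "] or signer basicContraints was equal to -1 [" + x509Certificate2.getBasicConstraints() + "]");
            checkDNRestriction(x509Certificate, x509Certificate2);
            return true;
        }
        logger.debug("Certificate for \"" + DNHandler.getSubject(x509Certificate) + "\" is OK");
        // A non-CA (v1 or no basic constraints) cert can only legitimately sign proxies.
        return x509Certificate.getVersion() == 1 || x509Certificate.getBasicConstraints() == -1;
    }

    /**
     * Checks the top chain certificate against one trust anchor, then runs the CRL checker if
     * one is installed.
     *
     * @param x509Certificate the certificate directly below the anchor
     * @param trustAnchor the candidate anchor
     * @return the DN-restriction flag for the next pair, as returned by {@link #checkCertificatePair}
     * @throws CertPathValidatorException on signature or DN mismatch with the anchor
     * @throws CertificateException if a DN cannot be read
     * @throws CRLException if the revocation checker rejects the certificate
     */
    public boolean checkLastAnchor(X509Certificate x509Certificate, TrustAnchor trustAnchor) throws CertPathValidatorException, CertificateException, CRLException {
        logger.debug("Checkin last cert and anchor");
        X509Certificate anchorCert = trustAnchor.getTrustedCert();
        boolean restrictNext = checkCertificatePair(x509Certificate, anchorCert, false);
        if (this.crlChecker != null) {
            // Second argument is passed as null here; its meaning is defined by CRLCertChecker.
            this.crlChecker.check(x509Certificate, null);
        }
        logger.debug("Certificate for \"" + DNHandler.getSubject(x509Certificate) + "\" is validly issued by CA \"" + DNHandler.getSubject(anchorCert) + "\"");
        return restrictNext;
    }

    /**
     * Returns every currently valid trust anchor whose subject equals {@code dn}. Anchors that
     * are expired or not yet valid are skipped with a warning.
     *
     * @param dn the CA subject to look up
     * @return the matching, time-valid anchors (never empty)
     * @throws CertPathValidatorException if no time-valid anchor with that subject exists
     * @throws CertificateParsingException if an anchor's subject cannot be read
     */
    public TrustAnchor[] findCA(DN dn) throws CertPathValidatorException, CertificateParsingException {
        Vector<TrustAnchor> matches = new Vector<TrustAnchor>();
        boolean sawInvalidPeriod = false;
        for (Iterator it = this.trustAnchors.iterator(); it.hasNext();) {
            TrustAnchor anchor = (TrustAnchor) it.next();
            DN subject = DNHandler.getSubject(anchor.getTrustedCert());
            if (!subject.equals(dn)) {
                continue;
            }
            try {
                anchor.getTrustedCert().checkValidity();
                matches.add(anchor);
            } catch (CertificateExpiredException e) {
                sawInvalidPeriod = true;
                logger.warn("The CA certificate for " + subject + " has expired, update or remove it!");
            } catch (CertificateNotYetValidException e) {
                sawInvalidPeriod = true;
                logger.warn("The CA certificate for " + subject + " is not yet valid!");
            }
        }
        if (!matches.isEmpty()) {
            if (sawInvalidPeriod) {
                logger.warn("Remove expired duplicate certificate(s) for CA " + dn);
            }
            return matches.toArray(new TrustAnchor[matches.size()]);
        }
        if (sawInvalidPeriod) {
            logger.error("The CA certificate for " + dn + " has expired or is not yet valid, update or remove it!");
        }
        String msg = "No CA named \"" + dn + "\" could be found";
        logger.info(msg);
        throw new CertPathValidatorException(msg);
    }

    /**
     * Returns the certificates of all trust anchors, in anchor order, without any validity filtering.
     *
     * @return a fresh array of CA certificates (empty when there are no anchors)
     */
    public X509Certificate[] getCACerts() {
        Vector<X509Certificate> certs = new Vector<X509Certificate>(this.trustAnchors.size());
        for (Iterator it = this.trustAnchors.iterator(); it.hasNext();) {
            certs.add(((TrustAnchor) it.next()).getTrustedCert());
        }
        logger.debug("getCACerts: returning " + certs.size() + " ca certs");
        return certs.toArray(new X509Certificate[certs.size()]);
    }

    /**
     * Enforces the proxy naming rule: the subordinate's subject DN minus its last CN must equal
     * the signer's subject DN.
     *
     * @param x509Certificate the subordinate (proxy) certificate
     * @param x509Certificate2 its signer
     * @throws CertificateException if the DNs do not nest as required, or the DN cannot be processed
     */
    public void checkDNRestriction(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertificateException {
        logger.debug("Checking dn restriction");
        DN subject = DNHandler.getSubject(x509Certificate);
        DN signerSubject = DNHandler.getSubject(x509Certificate2);
        DN parent;
        try {
            parent = subject.withoutLastCN(false);
        } catch (Exception e) {
            String msg = "Error while cheking naming constrainst between sub [" + subject + "] and signer [" + signerSubject + "] error: " + e + e.getMessage();
            logger.info(msg);
            throw new CertificateException(msg, e);
        }
        if (!parent.equals(signerSubject)) {
            String msg = "The DN [" + subject + "] doesn't end with [" + signerSubject + "] as required for proxy certs";
            logger.info(msg);
            throw new CertificateException(msg);
        }
    }

    /**
     * Java 1.4 compatibility helper standing in for a {@code .class} literal.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        // Resolve (and cache) this class once, then name the logger after it.
        Class cls = class$org$glite$security$trustmanager$ProxyCertPathValidator;
        if (cls == null) {
            cls = class$("org.glite.security.trustmanager.ProxyCertPathValidator");
            class$org$glite$security$trustmanager$ProxyCertPathValidator = cls;
        }
        logger = Logger.getLogger(cls.getName());
    }
}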
