package org.glite.voms;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.NoSuchElementException;
import java.util.Set;
import java.util.Stack;
import java.util.TreeSet;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.glite.voms.ac.ACCerts;
import org.glite.voms.ac.ACTargets;
import org.glite.voms.ac.AttributeCertificate;
import org.glite.voms.ac.AttributeCertificateInfo;
import org.glite.voms.ac.VOMSTrustStore;
import org.globus.gsi.gssapi.KeyPairCache;

/* loaded from: input_file:org/glite/voms/PKIVerifier.class */
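/**
 * Verifies VOMS attribute certificates (ACs) and X.509 certificate chains
 * against a CA store ({@link PKIStore}) and a VOMS trust store
 * ({@link VOMSTrustStore}).
 *
 * <p>Every check in this class fails closed: any condition that cannot be
 * positively established makes the relevant {@code verify} method return
 * {@code false}.
 *
 * <p>Not thread-safe: {@link #setCAStore}, {@link #setVOMSStore} and
 * {@link #cleanup} replace the stores without synchronization, and the
 * {@link SigningPolicy} objects consulted by {@link #allowsPath} are mutated
 * through {@code setCurrent} while a chain is being verified.
 */
public class PKIVerifier {
    public static final String BASIC_CONSTRAINTS_IDENTIFIER = "2.5.29.19";
    public static final String KEY_USAGE_IDENTIFIER = "2.5.29.15";
    public static final String TARGET = "2.5.29.55";
    public static final String SUBJECT_KEY_IDENTIFIER = "2.5.29.14";
    public static final String AUTHORITY_KEY_IDENTIFIER = "2.5.29.35";
    public static final String PROXYCERTINFO = "1.3.6.1.5.5.7.1.14";
    public static final String PROXYCERTINFO_OLD = "1.3.6.1.4.1.3536.1.222";

    private static final Logger logger = Logger.getLogger(PKIVerifier.class.getName());

    // Critical X.509 extensions this verifier understands; any other critical
    // extension on a chain element makes chain verification fail.
    private static final String[] OIDs = {SUBJECT_KEY_IDENTIFIER, AUTHORITY_KEY_IDENTIFIER, PROXYCERTINFO, PROXYCERTINFO_OLD, BASIC_CONSTRAINTS_IDENTIFIER, KEY_USAGE_IDENTIFIER};
    // Critical AC extensions this verifier understands (only the targeting extension).
    private static final String[] AC_OIDs = {TARGET};
    private static final Set<String> handledOIDs = new TreeSet<String>(Arrays.asList(OIDs));
    private static final Set<String> handledACOIDs = new TreeSet<String>(Arrays.asList(AC_OIDs));

    private PKIStore caStore;
    private VOMSTrustStore vomsStore;

    /**
     * Creates a verifier backed by the given stores.
     *
     * @param vOMSTrustStore the store of VOMS server certificates and LSC files (may be null;
     *                       AC verification then always fails)
     * @param pKIStore       the store of trusted CAs, CRLs and signing policies (may be null;
     *                       chain verification then always fails)
     */
    public PKIVerifier(VOMSTrustStore vOMSTrustStore, PKIStore pKIStore) {
        this.vomsStore = vOMSTrustStore;
        this.caStore = pKIStore;
    }

    /**
     * Creates a verifier with the given VOMS trust store and a CA store loaded from
     * {@link PKIStore#DEFAULT_CADIR}.
     *
     * @throws IOException          if the CA directory cannot be read
     * @throws CertificateException if a certificate in the CA directory cannot be parsed
     * @throws CRLException         if a CRL in the CA directory cannot be parsed
     */
    public PKIVerifier(VOMSTrustStore vOMSTrustStore) throws IOException, CertificateException, CRLException {
        this(vOMSTrustStore, new PKIStore(PKIStore.DEFAULT_CADIR, 2, true));
    }

    /**
     * Creates a verifier whose stores are loaded from the directories named by the
     * {@code VOMSDIR} and {@code CADIR} system properties, falling back to
     * {@link PKIStore#DEFAULT_VOMSDIR} and {@link PKIStore#DEFAULT_CADIR}.
     *
     * @throws IOException          if a directory cannot be read
     * @throws CertificateException if a certificate cannot be parsed
     * @throws CRLException         if a CRL cannot be parsed
     */
    public PKIVerifier() throws IOException, CertificateException, CRLException {
        String vomsDir = System.getProperty("VOMSDIR");
        String caDir = System.getProperty("CADIR");
        this.vomsStore = new PKIStore(vomsDir != null ? vomsDir : PKIStore.DEFAULT_VOMSDIR, 1, true);
        this.caStore = new PKIStore(caDir != null ? caDir : PKIStore.DEFAULT_CADIR, 2, true);
    }

    /**
     * Stops the background refresh of both stores and drops the references to them.
     * After this call every {@code verify} method returns {@code false}.
     */
    public void cleanup() {
        if (this.vomsStore != null) {
            this.vomsStore.stopRefresh();
        }
        if (this.caStore != null) {
            this.caStore.stopRefresh();
        }
        this.vomsStore = null;
        this.caStore = null;
    }

    /**
     * Replaces the CA store, stopping the refresh of the previous one.
     *
     * @param pKIStore the new CA store (may be null)
     */
    public void setCAStore(PKIStore pKIStore) {
        if (this.caStore != null) {
            this.caStore.stopRefresh();
        }
        this.caStore = pKIStore;
    }

    /**
     * Replaces the VOMS trust store, stopping the refresh of the previous one.
     *
     * @param vOMSTrustStore the new VOMS trust store (may be null)
     */
    public void setVOMSStore(VOMSTrustStore vOMSTrustStore) {
        if (this.vomsStore != null) {
            this.vomsStore.stopRefresh();
        }
        this.vomsStore = vOMSTrustStore;
    }

    /**
     * Returns the canonical host name of the local host, or {@code ""} when it cannot
     * be resolved. The empty string never matches an AC target, so targeted ACs are
     * rejected on hosts whose name cannot be discovered.
     */
    private static String getHostName() {
        try {
            return InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            logger.error("Cannot discover hostName.");
            return "";
        }
    }

    /**
     * Verifies an attribute certificate.
     *
     * <p>The issuer chain is taken from the certificates embedded in the AC when they
     * match an LSC file in the VOMS store and the AC signature verifies against the
     * first of them; otherwise the VOMS store is searched for a server certificate
     * whose key verifies the AC signature. The chain is then verified against the CA
     * store, the AC validity period, targeting and critical extensions are checked.
     *
     * @param attributeCertificate the AC to verify (may be null)
     * @return {@code true} only if every check passed
     */
    public boolean verify(AttributeCertificate attributeCertificate) {
        if (attributeCertificate == null || this.vomsStore == null) {
            return false;
        }
        AttributeCertificateInfo acinfo = attributeCertificate.getAcinfo();
        if (acinfo == null) {
            logger.error("Attribute Certificate carries no AttributeCertificateInfo.");
            return false;
        }
        String vo = attributeCertificate.getVO();
        X509Certificate[] issuerChain = issuerChainFromLSC(attributeCertificate, acinfo.getCertList(), vo);
        if (issuerChain == null) {
            logger.debug("lsc check failed.");
            issuerChain = issuerFromVomsdir(attributeCertificate, vo);
        }
        if (issuerChain == null) {
            logger.error("Cannot find usable certificates to validate the AC. Check that the voms server host certificate is in your vomsdir directory.");
            return false;
        }
        if (logger.isDebugEnabled()) {
            for (int i = 0; i < issuerChain.length; i++) {
                logger.debug("Position: " + i + " value: " + issuerChain[i].getSubjectDN().getName());
            }
        }
        if (!verify(issuerChain)) {
            logger.error("Cannot verify issuer certificate chain for AC");
            return false;
        }
        if (!attributeCertificate.isValid()) {
            logger.error("Attribute Certificate not valid at current time.");
            return false;
        }
        if (!targetsThisHost(acinfo.getTargets())) {
            logger.error("Targeting check failed!");
            return false;
        }
        return criticalACExtensionsHandled(acinfo.getExtensions());
    }

    /**
     * Returns the certificate chain embedded in the AC when it matches one of the
     * DN lists of the LSC file for this VO/host and the AC signature verifies
     * against its first certificate; {@code null} otherwise.
     */
    private X509Certificate[] issuerChainFromLSC(AttributeCertificate ac, ACCerts certList, String vo) {
        if (certList == null) {
            return null;
        }
        LSCFile lsc = this.vomsStore.getLSC(vo, ac.getHost());
        logger.debug("LSC is: " + lsc);
        if (lsc == null) {
            return null;
        }
        boolean matched = false;
        for (Iterator lists = lsc.getDNLists().iterator(); lists.hasNext() && !matched; ) {
            matched = matchesDNList((Vector) lists.next(), certList);
        }
        if (!matched) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) certList.getCerts().toArray(new X509Certificate[0]);
        if (chain.length == 0) {
            logger.debug("LSC matched an empty certificate list.");
            return null;
        }
        // The embedded chain is attacker-controlled data until the AC signature has
        // been checked against it; chain[0] is the leaf, which verify(X509Certificate[])
        // also treats as the certificate being verified.
        if (!ac.verifyCert(chain[0])) {
            logger.error("AC signature does not verify against the certificate chain embedded in the AC.");
            return null;
        }
        return chain;
    }

    /**
     * Checks that one LSC DN list (alternating subject and issuer names) matches the
     * embedded certificate list exactly: same length, and every subject/issuer pair
     * equal to the OpenSSL-format names of the corresponding certificate. A DN list
     * with an odd number of entries never matches.
     */
    private static boolean matchesDNList(Vector dnList, ACCerts certList) {
        Iterator names = dnList.iterator();
        Iterator certs = certList.getCerts().iterator();
        while (names.hasNext() && certs.hasNext()) {
            String dn = (String) names.next();
            if (!names.hasNext()) {
                logger.debug("LSC DN list has an odd number of entries.");
                return false;
            }
            String issuer = (String) names.next();
            X509Certificate cert = (X509Certificate) certs.next();
            String candidateDn = PKIUtils.getOpenSSLFormatPrincipal(cert.getSubjectDN());
            String candidateIssuer = PKIUtils.getOpenSSLFormatPrincipal(cert.getIssuerDN());
            logger.debug("dn is : " + dn);
            logger.debug("is is : " + issuer);
            logger.debug("canddn is : " + candidateDn);
            logger.debug("candis is : " + candidateIssuer);
            if (dn == null || issuer == null || !dn.equals(candidateDn) || !issuer.equals(candidateIssuer)) {
                return false;
            }
        }
        return !names.hasNext() && !certs.hasNext();
    }

    /**
     * Searches the VOMS store for a server certificate of the AC issuer whose key
     * verifies the AC signature. Returns a one-element chain, or {@code null}.
     */
    private X509Certificate[] issuerFromVomsdir(AttributeCertificate ac, String vo) {
        if (logger.isDebugEnabled()) {
            logger.debug("Looking for hash: " + PKIUtils.getHash(ac.getIssuer()) + " for certificate: " + ac.getIssuer().getName());
        }
        X509Certificate[] candidates = this.vomsStore.getAACandidate(ac.getIssuer(), vo);
        if (candidates == null || candidates.length == 0) {
            logger.debug("No candidates found!");
            return null;
        }
        for (int i = 0; i < candidates.length; i++) {
            X509Certificate candidate = candidates[i];
            if (logger.isDebugEnabled()) {
                PublicKey key = candidate.getPublicKey();
                logger.debug("Candidate: " + candidate.getSubjectDN().getName());
                logger.debug("Key class: " + key.getClass());
                logger.debug("Key: " + key);
                logger.debug("Key: " + toHex(key.getEncoded()));
            }
            if (ac.verifyCert(candidate)) {
                logger.debug("Signature Verification OK");
                return new X509Certificate[]{candidate};
            }
            logger.debug("Signature Verification false");
        }
        return null;
    }

    /** Debug helper: space-separated hex rendering of a byte array (bytes are unsigned). */
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (byte b : bytes) {
            sb.append(Integer.toHexString(b & 0xff)).append(' ');
        }
        return sb.toString();
    }

    /**
     * Returns {@code true} when the AC is untargeted, or when one of its targets equals
     * the canonical name of the local host.
     */
    private static boolean targetsThisHost(ACTargets targets) {
        if (targets == null) {
            return true;
        }
        String hostName = getHostName();
        for (Iterator it = targets.getTargets().iterator(); it.hasNext(); ) {
            if (hostName.equals(it.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code false} when the AC carries a critical extension other than those
     * listed in {@link #AC_OIDs}. The set holds OID strings, so the OID is compared by
     * its {@code getId()} value.
     */
    private static boolean criticalACExtensionsHandled(X509Extensions extensions) {
        if (extensions == null) {
            return true;
        }
        Enumeration oids = extensions.oids();
        while (oids.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
            if (extensions.getExtension(oid).isCritical() && !handledACOIDs.contains(oid.getId())) {
                logger.error("Unknown critical extension discovered: " + oid.getId());
                return false;
            }
        }
        return true;
    }

    /**
     * Verifies an X.509 certificate chain against the CA store.
     *
     * <p>{@code x509CertificateArr[0]} is the certificate being verified; later
     * elements are kept only if each issued the element before it. The chain is
     * completed up to a self-issued trust anchor from the CA store, then every
     * element is checked top-down: issuer name, validity period, signature,
     * revocation, signing policy / path length (CA issuers) or proxy status
     * (non-CA issuers), and critical extensions.
     *
     * @param x509CertificateArr the chain, leaf first (may be null or empty; both fail)
     * @return {@code true} only if the chain verifies up to a trusted anchor
     */
    public boolean verify(X509Certificate[] x509CertificateArr) {
        if (this.caStore == null) {
            logger.error("No Trust Anchor are known.");
            return false;
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            logger.error("Certificate verification: passed empty certificate array.");
            return false;
        }
        logger.info("Certificate verification: Verifying certificate '" + x509CertificateArr[0].getSubjectDN().getName() + "'");
        logger.debug("path length = " + x509CertificateArr.length);
        Stack<X509Certificate> stack = buildIssuerStack(x509CertificateArr);
        if (!completeToTrustAnchor(stack)) {
            return false;
        }
        return verifyStack(stack);
    }

    /**
     * Pushes the leaf and then each supplied certificate that issued the certificate
     * preceding it in the array; certificates that did not are dropped.
     */
    private static Stack<X509Certificate> buildIssuerStack(X509Certificate[] chain) {
        Stack<X509Certificate> stack = new Stack<X509Certificate>();
        stack.push(chain[0]);
        for (int i = 1; i < chain.length; i++) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking: " + chain[i].getSubjectDN().getName());
            }
            if (PKIUtils.checkIssued(chain[i], chain[i - 1])) {
                logger.debug("Is issuer");
                stack.push(chain[i]);
                if (logger.isDebugEnabled()) {
                    logger.debug("ELEMENT: " + chain[i].getSubjectDN().getName());
                }
            } else {
                logger.debug("Is not issuer");
            }
        }
        return stack;
    }

    /**
     * Extends the stack from its top certificate up to a self-issued trust anchor.
     *
     * <p>If the top is already self-issued it must be present in the CA store and is
     * replaced by the stored instance. Otherwise the CA store is searched, by issuer
     * hash, for the first certificate that issued the current top; this repeats until
     * a self-issued certificate is reached. A certificate already on the stack is
     * never pushed again, which bounds the walk on cyclic issuer relations.
     *
     * @return {@code false} if no trust anchor could be found
     */
    private boolean completeToTrustAnchor(Stack<X509Certificate> stack) {
        Hashtable cAs = this.caStore.getCAs();
        logger.debug("Before anchor searching.");
        if (logger.isDebugEnabled()) {
            for (Iterator it = stack.iterator(); it.hasNext(); ) {
                logger.debug("Content: " + ((X509Certificate) it.next()).getSubjectDN().getName());
            }
        }
        X509Certificate top = stack.peek();
        if (PKIUtils.selfIssued(top)) {
            Vector trusted = (Vector) cAs.get(PKIUtils.getHash(top));
            int index = trusted == null ? -1 : trusted.indexOf(top);
            if (index == -1) {
                logger.error("Certificate verification: self-signed certificate '" + top.getSubjectDN().getName() + "' not found among trusted certificates.");
                return false;
            }
            // Use the store's copy of the anchor rather than the caller-supplied one.
            stack.pop();
            X509Certificate anchor = (X509Certificate) trusted.elementAt(index);
            stack.push(anchor);
            if (logger.isDebugEnabled()) {
                logger.debug("ELEMENT: " + anchor.getSubjectDN().getName());
            }
            return true;
        }
        logger.debug("Looking for anchor");
        while (!PKIUtils.selfIssued(top)) {
            String hash = PKIUtils.getHash(top.getIssuerX500Principal());
            logger.debug("hash = " + hash);
            Vector candidates = (Vector) cAs.get(hash);
            X509Certificate issuer = null;
            if (candidates != null) {
                logger.debug("CANDIDATES: " + candidates);
                for (Iterator it = candidates.iterator(); it.hasNext() && issuer == null; ) {
                    X509Certificate candidate = (X509Certificate) it.next();
                    if (logger.isDebugEnabled()) {
                        logger.debug("Candidate = " + candidate.getSubjectDN().getName());
                    }
                    if (PKIUtils.checkIssued(candidate, top)) {
                        issuer = candidate;
                    }
                }
            }
            if (issuer == null || stack.contains(issuer)) {
                logger.error("Certificate verification: no trust anchor found.");
                return false;
            }
            stack.push(issuer);
            top = issuer;
            if (logger.isDebugEnabled()) {
                logger.debug("ELEMENT: " + issuer.getSubjectDN().getName());
            }
        }
        return true;
    }

    /**
     * Verifies the completed chain from the anchor (top of stack) down to the leaf.
     * Only the first certificate popped may be self-issued; each later certificate
     * is verified with the key of the one popped before it.
     */
    private boolean verifyStack(Stack<X509Certificate> stack) {
        if (logger.isDebugEnabled()) {
            logger.debug("Constructed chain:");
            for (Iterator it = stack.iterator(); it.hasNext(); ) {
                logger.debug("Content: " + ((X509Certificate) it.next()).getSubjectDN().getName());
            }
        }
        int verified = 0;
        PublicKey issuerKey = null;
        X509Certificate issuer = null;
        while (!stack.isEmpty()) {
            X509Certificate current = stack.pop();
            if (logger.isDebugEnabled()) {
                logger.debug("VERIFYING : " + current.getSubjectDN().getName());
            }
            if (PKIUtils.selfIssued(current)) {
                if (verified != 0) {
                    logger.error("Certificate verification: Self signed certificate not trust anchor");
                    logger.error("subject: " + current.getSubjectDN().getName());
                    return false;
                }
                // The anchor is verified against its own key.
                issuerKey = current.getPublicKey();
                issuer = current;
            }
            if (issuer == null) {
                logger.error("Certificate verification: no trust anchor found.");
                return false;
            }
            logger.debug("Checking chain");
            if (!current.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                logger.error("Certificate verification: issuing chain broken.");
                return false;
            }
            logger.debug("Checking validity");
            try {
                current.checkValidity();
            } catch (CertificateExpiredException e) {
                logger.error("Certificate verification: certificate in chain expired. " + e.getMessage(), e);
                logger.error("Faulty certificate: " + current.getSubjectDN().getName());
                logger.error("End validity      : " + current.getNotAfter().toString());
                return false;
            } catch (CertificateNotYetValidException e) {
                logger.error("Certificate verification: certificate in chain not yet valid. " + e.getMessage(), e);
                logger.error("Faulty certificate: " + current.getSubjectDN().getName());
                logger.error("Start validity      : " + current.getNotBefore().toString());
                return false;
            }
            try {
                if (!checkChainElement(current, issuer, issuerKey, stack.size())) {
                    return false;
                }
            } catch (Exception e) {
                // Deliberately broad: any failure while checking a chain element must
                // reject the chain rather than escape the verifier.
                logger.error("Certificate verification: cannot verify signature. " + e.getMessage(), e);
                logger.error("Faulty certificate: " + current.getSubjectDN().getName());
                return false;
            }
            issuer = current;
            issuerKey = current.getPublicKey();
            verified++;
        }
        return true;
    }

    /**
     * Checks one chain element against its issuer: signature, revocation, signing
     * policy and path length (CA issuers) or proxy status (non-CA issuers), and
     * critical extensions.
     *
     * @param cert      the certificate being checked
     * @param issuer    the certificate that issued it
     * @param issuerKey the issuer's public key
     * @param remaining number of certificates still below {@code cert} on the stack,
     *                  compared against the basic-constraints path length
     * @return {@code false} if any check failed
     * @throws GeneralSecurityException if the signature cannot be verified
     */
    private boolean checkChainElement(X509Certificate cert, X509Certificate issuer, PublicKey issuerKey, int remaining)
            throws GeneralSecurityException {
        logger.debug("Checking key");
        cert.verify(issuerKey);
        logger.debug("Checking revoked");
        if (isRevoked(cert, issuer)) {
            logger.error("Certificate verification: certificate in chain has been revoked.");
            logger.error("Faulty certificate: " + cert.getSubjectDN().getName());
            return false;
        }
        boolean isCA = PKIUtils.isCA(issuer);
        logger.debug("Checking CA " + isCA);
        if (isCA) {
            if (!allowsPath(cert, issuer)) {
                logger.error("Certificate verification: subject '" + cert.getSubjectDN().getName() + "' not allowed by CA '" + issuer.getSubjectDN().getName() + "'");
                return false;
            }
            int maxPath = cert.getBasicConstraints();
            logger.debug("stack.size = " + remaining + " maxPath = " + maxPath);
            if (maxPath != -1 && maxPath < remaining) {
                logger.error("Certificate verification: Maximum certification path length exceeded.");
                return false;
            }
        } else {
            // Only a proxy certificate may be issued by a non-CA certificate.
            logger.debug("Checking for Proxy");
            if (!PKIUtils.isProxy(cert)) {
                logger.error("Certificate verification: Non-proxy, non-CA certificate issued a certificate.");
                return false;
            }
        }
        Set<String> criticalExtensionOIDs = cert.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs != null && !handledOIDs.containsAll(criticalExtensionOIDs)) {
            logger.error("Certificate verification: Certificate contain unhandled critical extensions.");
            return false;
        }
        return true;
    }

    /**
     * Checks the subject of {@code x509Certificate} against the signing policy of the
     * CA {@code x509Certificate2}. A CA without a signing policy in the store places no
     * restriction.
     *
     * @return {@code true} if every name of the certificate is allowed by the policy
     */
    private boolean allowsPath(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        SigningPolicy signingPolicy = (SigningPolicy) this.caStore.getSignings().get(PKIUtils.getHash(x509Certificate2));
        logger.debug("signCandidate is: " + signingPolicy);
        if (signingPolicy == null) {
            return true;
        }
        String caSubject = PKIUtils.getOpenSSLFormatPrincipal(x509Certificate2.getSubjectDN());
        logger.debug("Subject is : " + caSubject);
        Vector allNames = getAllNames(x509Certificate);
        if (allNames == null) {
            return false;
        }
        for (Iterator it = allNames.iterator(); it.hasNext(); ) {
            if (!policyAllows(signingPolicy, caSubject, (String) it.next())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} if, for some policy entry whose access_id_CA equals
     * {@code caSubject}, one of the cond_subjects patterns matches {@code name}.
     *
     * <p>Pattern matching reproduces the historical behaviour: only the first
     * {@code *} is turned into {@code .*} and the rest of the policy string is used as
     * a raw regular expression. NOTE(review): regex metacharacters in a policy subject
     * (e.g. {@code .} in host names, a second {@code *}) are therefore interpreted,
     * not matched literally — confirm this is the intended signing_policy semantics.
     */
    private static boolean policyAllows(SigningPolicy policy, String caSubject, String name) {
        logger.debug("Looking for " + caSubject);
        for (int index = policy.findIssuer(caSubject); index != -1; index = policy.findIssuer(caSubject, index)) {
            logger.debug("Inside index");
            policy.setCurrent(index);
            if (!policy.getAccessIDCA().equals(caSubject)) {
                continue;
            }
            for (Iterator subjects = policy.getCondSubjects().iterator(); subjects.hasNext(); ) {
                String condSubject = (String) subjects.next();
                logger.debug("Comparing certSubj: '" + name + "' to '" + condSubject + "'");
                String pattern = condSubject.replaceFirst("\\*", "\\.\\*");
                if (name.matches(pattern)) {
                    logger.debug("Subject: '" + name + "' matches with subject: '" + pattern + "' from signing policy.");
                    return true;
                }
                logger.debug("Subject: '" + name + "' does not match subject: '" + pattern + "' from signing policy.");
            }
        }
        return false;
    }

    /**
     * Returns the names of a certificate that a signing policy is checked against:
     * currently only its OpenSSL-format subject. {@code null} for a null certificate.
     */
    private Vector getAllNames(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        Vector names = new Vector();
        names.add(PKIUtils.getOpenSSLFormatPrincipal(x509Certificate.getSubjectDN()));
        return names;
    }

    /**
     * Revocation check of {@code x509Certificate} using the CRLs stored under the hash
     * of its issuer {@code x509Certificate2}.
     *
     * <p>A CRL whose signature does not verify with the issuer key is logged and
     * ignored. The first CRL that verifies, has no critical extensions, carries the
     * expected issuer name, is current (thisUpdate &lt;= now &lt;= nextUpdate) and does
     * not list the certificate's serial number proves non-revocation. If CRLs verified
     * but none of them qualified, the certificate is treated as revoked (fail closed).
     * No CRLs at all means not revoked.
     *
     * <p>NOTE(review): the CRL issuer is compared with the <em>issuer</em> name of the
     * CA certificate, which only equals the CA's own name for self-signed CAs; for an
     * intermediate CA this comparison looks like it can never succeed — confirm.
     */
    private boolean isRevoked(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        Vector crls = (Vector) this.caStore.getCRLs().get(PKIUtils.getHash(x509Certificate2));
        if (crls == null) {
            return false;
        }
        Date now = new Date();
        boolean unusableCrlSeen = false;
        for (Iterator it = crls.iterator(); it.hasNext(); ) {
            X509CRL crl = (X509CRL) it.next();
            if (crl == null) {
                continue;
            }
            try {
                crl.verify(x509Certificate2.getPublicKey());
            } catch (GeneralSecurityException e) {
                logger.warn("Certificate verification: ignoring CRL issued by '" + crl.getIssuerX500Principal().getName()
                        + "' that does not verify with the key of '" + x509Certificate2.getSubjectDN().getName() + "': " + e.getMessage());
                continue;
            }
            if (crl.getCriticalExtensionOIDs() == null
                    && crl.getIssuerX500Principal().equals(x509Certificate2.getIssuerX500Principal())
                    && crl.getNextUpdate() != null
                    && crl.getNextUpdate().compareTo(now) >= 0
                    && crl.getThisUpdate().compareTo(now) <= 0
                    && crl.getRevokedCertificate(x509Certificate.getSerialNumber()) == null) {
                return false;
            }
            unusableCrlSeen = true;
        }
        return unusableCrlSeen;
    }

    static {
        // Register BouncyCastle once, only if the default provider is not already present.
        if (Security.getProvider(KeyPairCache.DEFAULT_PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}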
