package org.glite.voms;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.StringTokenizer;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.glite.voms.ac.ACTrustStore;
import org.glite.voms.ac.ACValidator;
import org.glite.voms.ac.AttributeCertificate;
import org.glite.voms.ac.VOMSTrustStore;
import org.globus.gsi.gssapi.KeyPairCache;

/* loaded from: input_file:org/glite/voms/VOMSValidator.class */
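/**
 * Extracts VOMS attribute certificates (ACs) from an X.509 certificate chain and
 * checks them with an {@link ACValidator}.
 *
 * <p>Typical use is {@code new VOMSValidator(chain).validate()} followed by the
 * accessor methods. {@link #parse()} only decodes the ACs and matches their holder
 * against the chain; it performs no trust check. Attributes should be used for
 * authorization decisions only after {@link #validate()} has run, which removes
 * every attribute whose AC the validator rejects.
 *
 * <p>No synchronization is performed; instances also share the static
 * {@link #theTrustStore}, which {@link #cleanup()} resets.
 */
public class VOMSValidator {
    static Logger log = Logger.getLogger(VOMSValidator.class);

    /** OID of the certificate extension from which the VOMS attribute certificates are read. */
    public static final String VOMS_EXT_OID = "1.3.6.1.4.1.8005.100.100.5";

    // Shared by all instances. When null, the constructor falls back to a PKIStore
    // built from /etc/grid-security/vomsdir.
    protected static ACTrustStore theTrustStore;
    protected ACValidator myValidator;
    protected X509Certificate[] myValidatedChain;
    // VOMSAttribute elements; unverified after parse(), filtered by validate().
    protected Vector myVomsAttributes;
    protected boolean isParsed;
    protected boolean isValidated;
    // Built lazily by populate() on the first getRoles()/getCapabilities() call.
    protected FQANTree myFQANTree;
    protected VOMSTrustStore vomsStore;

    /**
     * Index of FQANs by group, used to answer "which roles/capabilities apply to
     * this group path" queries. Results are memoized per queried path.
     */
    public class FQANTree {
        // group name -> Vector of FQAN registered for exactly that group
        Hashtable myTree = new Hashtable();
        // queried path -> RoleCaps computed by traverse()
        Hashtable myResults = new Hashtable();

        public FQANTree() {
        }

        /**
         * Adds every FQAN of the list.
         *
         * @param list FQAN elements; {@code null} is ignored
         */
        public void add(List list) {
            if (list == null) {
                return;
            }
            Iterator it = list.iterator();
            while (it.hasNext()) {
                add((FQAN) it.next());
            }
        }

        /**
         * Registers one FQAN under its group, skipping duplicates.
         *
         * @param fqan the FQAN to register; {@code null} is ignored
         */
        public void add(FQAN fqan) {
            if (fqan == null) {
                return;
            }
            String group = fqan.getGroup();
            Vector members = (Vector) this.myTree.get(group);
            if (members == null) {
                members = new Vector();
                this.myTree.put(group, members);
            }
            if (members.contains(fqan)) {
                return;
            }
            members.add(fqan);
            // Memoized answers were computed without this FQAN; drop them so later
            // queries do not return a stale role/capability set.
            this.myResults.clear();
        }

        /**
         * Collects the roles and capabilities of every FQAN registered under the
         * given path or under any of its prefixes.
         *
         * @param str group path, with components separated by "/"
         * @return the (memoized) result for this path
         */
        protected RoleCaps traverse(String str) {
            RoleCaps cached = (RoleCaps) this.myResults.get(str);
            if (cached != null) {
                return cached;
            }
            RoleCaps collected = new RoleCaps();
            // Delimiters are returned as tokens, so the buffer grows through every
            // prefix of the path ("/", "/a", "/a/", "/a/b"); FQANs registered for a
            // parent group therefore contribute to its subgroups as well.
            StringTokenizer tokens = new StringTokenizer(str, "/", true);
            StringBuffer prefix = new StringBuffer();
            while (tokens.hasMoreTokens()) {
                prefix.append(tokens.nextToken());
                collected.add((Vector) this.myTree.get(prefix.toString()));
            }
            this.myResults.put(str, collected);
            return collected;
        }

        /**
         * @param str group path
         * @return roles applying to the path; may be {@code null} when nothing matched
         */
        public List getRoles(String str) {
            return traverse(str).getRoles();
        }

        /**
         * @param str group path
         * @return capabilities applying to the path; may be {@code null} when nothing matched
         */
        public List getCapabilities(String str) {
            return traverse(str).getCapabilities();
        }
    }

    /**
     * Duplicate-free accumulator of role and capability strings.
     *
     * <p>The decompiler reports that the access modifier of this class was changed
     * from package-private.
     */
    public class RoleCaps {
        // Both lists stay null until the first non-null Vector is added.
        List roles;
        List caps;

        RoleCaps() {
        }

        /** Appends {@code str} to {@code list} unless it is null or already present. */
        void add(List list, String str) {
            if (str == null || list.contains(str)) {
                return;
            }
            list.add(str);
        }

        /**
         * Adds the role and capability of every FQAN in the vector.
         *
         * @param vector FQAN elements; {@code null} is ignored
         */
        public void add(Vector vector) {
            if (vector == null) {
                return;
            }
            if (this.roles == null) {
                this.roles = new Vector();
                this.caps = new Vector();
            }
            Iterator it = vector.iterator();
            while (it.hasNext()) {
                FQAN fqan = (FQAN) it.next();
                add(this.roles, fqan.getRole());
                add(this.caps, fqan.getCapability());
            }
        }

        /** @return the collected roles, or {@code null} if nothing was ever added */
        public List getRoles() {
            return this.roles;
        }

        /** @return the collected capabilities, or {@code null} if nothing was ever added */
        public List getCapabilities() {
            return this.caps;
        }
    }

    /**
     * Creates a validator for a single certificate.
     *
     * @param x509Certificate the certificate to inspect
     */
    public VOMSValidator(X509Certificate x509Certificate) {
        this(new X509Certificate[]{x509Certificate});
    }

    /**
     * Creates a validator for a certificate chain using the default AC validator.
     *
     * @param x509CertificateArr the certificate chain to inspect
     */
    public VOMSValidator(X509Certificate[] x509CertificateArr) {
        this(x509CertificateArr, null);
    }

    /**
     * Creates a validator for a certificate chain.
     *
     * <p>If no static trust store is set, a {@code PKIStore} is loaded from
     * {@code /etc/grid-security/vomsdir}; if the static trust store is a
     * {@code BasicVOMSTrustStore}, its refresh is stopped and a {@code PKIStore}
     * is loaded from its directory list instead. A failure to load the store is
     * logged and the validator then falls back to the static trust store, which
     * may be {@code null}.
     *
     * @param x509CertificateArr the certificate chain to inspect
     * @param aCValidator validator to use, or {@code null} to build one from the
     *        trust store selected as described above
     */
    public VOMSValidator(X509Certificate[] x509CertificateArr, ACValidator aCValidator) {
        this.myVomsAttributes = new Vector();
        this.isParsed = false;
        this.isValidated = false;
        this.myFQANTree = null;
        this.vomsStore = null;
        this.myValidatedChain = x509CertificateArr;

        // NOTE(review): the second PKIStore argument (1) is an opaque store-type
        // value as decompiled; confirm its meaning against PKIStore.
        if (theTrustStore == null) {
            try {
                this.vomsStore = new PKIStore("/etc/grid-security/vomsdir", 1, true);
            } catch (IOException e) {
                reportStoreFailure("/etc/grid-security/vomsdir", e);
            } catch (CRLException e) {
                reportStoreFailure("/etc/grid-security/vomsdir", e);
            } catch (CertificateException e) {
                reportStoreFailure("/etc/grid-security/vomsdir", e);
            }
        } else if (theTrustStore instanceof BasicVOMSTrustStore) {
            BasicVOMSTrustStore basicStore = (BasicVOMSTrustStore) theTrustStore;
            basicStore.stopRefresh();
            try {
                this.vomsStore = new PKIStore(basicStore.getDirList(), 1, true);
            } catch (IOException e) {
                reportStoreFailure("the configured BasicVOMSTrustStore directories", e);
            } catch (CRLException e) {
                reportStoreFailure("the configured BasicVOMSTrustStore directories", e);
            } catch (CertificateException e) {
                reportStoreFailure("the configured BasicVOMSTrustStore directories", e);
            }
        } else {
            log.error("Cannot replace passed truststore.  Validation may not be complete.");
        }

        if (aCValidator != null) {
            this.myValidator = aCValidator;
        } else if (this.vomsStore != null) {
            this.myValidator = new ACValidator(this.vomsStore);
        } else {
            // Reached when the PKIStore could not be loaded; theTrustStore may be
            // null here, in which case the failure was already logged above.
            this.myValidator = new ACValidator(theTrustStore);
        }
    }

    /** Logs a trust-store load failure instead of discarding it silently. */
    private static void reportStoreFailure(String location, Exception e) {
        log.error("VOMSValidator : failed to initialise VOMS trust store from " + location, e);
    }

    /**
     * Releases the chain, the attributes, the validator and the trust stores.
     *
     * <p>This also stops and clears the static {@link #theTrustStore}, which
     * affects every other instance in the same class loader.
     */
    public void cleanup() {
        this.myValidatedChain = null;
        if (this.myVomsAttributes != null) {
            this.myVomsAttributes.clear();
            this.myVomsAttributes = null;
        }
        this.myFQANTree = null;
        if (this.myValidator != null) {
            this.myValidator.cleanup();
            this.myValidator = null;
        }
        if (this.vomsStore != null) {
            this.vomsStore.stopRefresh();
            this.vomsStore = null;
        }
        if (theTrustStore != null) {
            if (theTrustStore instanceof BasicVOMSTrustStore) {
                ((BasicVOMSTrustStore) theTrustStore).stopRefresh();
            }
            theTrustStore = null;
        }
    }

    /**
     * Replaces the chain under inspection and discards all parse/validation state.
     *
     * @param x509CertificateArr the new certificate chain
     * @return this validator
     */
    public VOMSValidator setClientChain(X509Certificate[] x509CertificateArr) {
        this.myValidatedChain = x509CertificateArr;
        this.myVomsAttributes = new Vector();
        this.myFQANTree = null;
        this.isParsed = false;
        this.isValidated = false;
        return this;
    }

    /**
     * Decodes one VOMS extension value and appends a {@code VOMSAttribute} to
     * {@code sink} for each (AC, certificate) pair whose holder check succeeds.
     * Only certificates from {@code clientIdx} to the end of the chain are
     * considered as holders. Attributes appended before a failure stay in
     * {@code sink}; the caller decides how to handle the exception.
     */
    private static void collectAttributes(X509Certificate[] chain, int clientIdx, byte[] extensionValue, Vector sink) throws Exception {
        // NOTE(review): as decompiled, getOctets()/getObjects() are invoked directly
        // on the readObject() results; confirm against the BouncyCastle version in
        // use whether explicit casts are required here.
        Enumeration objects = new ASN1InputStream(new ByteArrayInputStream(new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject().getOctets())).readObject().getObjects();
        while (objects.hasMoreElements()) {
            Enumeration acs = ((ASN1Sequence) objects.nextElement()).getObjects();
            while (acs.hasMoreElements()) {
                AttributeCertificate attributeCertificate = new AttributeCertificate((ASN1Sequence) acs.nextElement());
                for (int j = clientIdx; j < chain.length; j++) {
                    if (attributeCertificate.getHolder().isHolder(chain[j])) {
                        VOMSAttribute vOMSAttribute = new VOMSAttribute(attributeCertificate);
                        if (log.isDebugEnabled()) {
                            log.debug("Found VOMS attribute from " + vOMSAttribute.getHostPort() + " in certificate issued to " + chain[j].getSubjectX500Principal().getName());
                        }
                        sink.add(vOMSAttribute);
                    } else {
                        log.debug("VOMS attribute cert found, but holder checking failed!");
                    }
                }
            }
        }
    }

    /**
     * Extracts the VOMS attributes of a chain without validating them.
     *
     * <p>The returned attributes have passed the holder check only; their
     * attribute certificates are not verified against any trust store.
     *
     * @param x509CertificateArr the certificate chain to inspect
     * @return the {@code VOMSAttribute}s found; empty when the chain contains no
     *         client certificate
     * @throws IllegalArgumentException if a VOMS extension cannot be decoded
     */
    public static Vector parse(X509Certificate[] x509CertificateArr) {
        if (log.isDebugEnabled()) {
            log.debug("VOMSValidator : parsing cert chain");
        }
        Vector found = new Vector();
        int clientIdx = CertUtil.findClientCert(x509CertificateArr);
        if (clientIdx < 0) {
            log.error("VOMSValidator : no client cert found in cert chain");
            // A negative index would be used to address the chain below; with no
            // client certificate there is no holder to match, so accept nothing.
            return found;
        }
        if (log.isDebugEnabled()) {
            log.debug("Parsing VOMS attributes for subject " + x509CertificateArr[clientIdx].getSubjectX500Principal().getName());
        }
        for (int idx = 0; idx < x509CertificateArr.length; idx++) {
            byte[] extensionValue = x509CertificateArr[idx].getExtensionValue(VOMS_EXT_OID);
            if (extensionValue != null) {
                try {
                    collectAttributes(x509CertificateArr, clientIdx, extensionValue, found);
                } catch (Exception e) {
                    log.info("Error parsing VOMS extension in certificate issued to " + x509CertificateArr[idx].getSubjectX500Principal().getName(), e);
                    IllegalArgumentException failure = new IllegalArgumentException("Error parsing VOMS extension in certificate issued to " + x509CertificateArr[idx].getSubjectX500Principal().getName() + "error was:" + e.getMessage());
                    // Keep the original exception so the stack trace is not lost.
                    failure.initCause(e);
                    throw failure;
                }
            } else if (log.isDebugEnabled()) {
                log.debug("No VOMS extension in certificate issued to " + x509CertificateArr[idx].getSubjectX500Principal().getName());
            }
        }
        return found;
    }

    /**
     * Extracts the VOMS attributes of the current chain without validating them.
     *
     * <p>A VOMS extension that cannot be decoded is logged and skipped. The
     * collected attributes have passed the holder check only; call
     * {@link #validate()} before relying on them.
     *
     * @return this validator
     */
    public VOMSValidator parse() {
        if (log.isDebugEnabled()) {
            log.debug("VOMSValidator : parsing cert chain");
        }
        if (this.isParsed) {
            return this;
        }
        int clientIdx = CertUtil.findClientCert(this.myValidatedChain);
        if (clientIdx < 0) {
            log.error("VOMSValidator : no client cert found in cert chain");
            // A negative index would be used to address the chain below; with no
            // client certificate there is no holder to match, so accept nothing.
            this.isParsed = true;
            return this;
        }
        if (log.isDebugEnabled()) {
            log.debug("Parsing VOMS attributes for subject " + this.myValidatedChain[clientIdx].getSubjectX500Principal().getName());
        }
        for (int idx = 0; idx < this.myValidatedChain.length; idx++) {
            byte[] extensionValue = this.myValidatedChain[idx].getExtensionValue(VOMS_EXT_OID);
            if (extensionValue != null) {
                try {
                    collectAttributes(this.myValidatedChain, clientIdx, extensionValue, this.myVomsAttributes);
                } catch (Exception e) {
                    log.info("Error parsing VOMS extension in certificate issued to " + this.myValidatedChain[idx].getSubjectX500Principal().getName(), e);
                }
            } else if (log.isDebugEnabled()) {
                log.debug("No VOMS extension in certificate issued to " + this.myValidatedChain[idx].getSubjectX500Principal().getName());
            }
        }
        this.isParsed = true;
        return this;
    }

    /**
     * Parses the chain if necessary and removes every attribute whose attribute
     * certificate is rejected by the configured {@link ACValidator}.
     *
     * @return this validator
     */
    public VOMSValidator validate() {
        if (this.isValidated) {
            return this;
        }
        if (!this.isParsed) {
            parse();
            // parse() is overridable, so the flag is set here as well.
            this.isParsed = true;
        }
        ListIterator attributes = this.myVomsAttributes.listIterator();
        while (attributes.hasNext()) {
            VOMSAttribute attribute = (VOMSAttribute) attributes.next();
            if (!this.myValidator.validate(attribute.privateGetAC())) {
                attributes.remove();
            }
        }
        this.isValidated = true;
        return this;
    }

    /**
     * Builds the FQAN tree from the current attribute list.
     *
     * @throws IllegalStateException if neither parse() nor validate() has run
     */
    private void populate() {
        if (!this.isParsed && !this.isValidated) {
            throw new IllegalStateException("VOMSValidator: trying to populate FQAN tree before call to parse() or validate()");
        }
        this.myFQANTree = new FQANTree();
        ListIterator attributes = this.myVomsAttributes.listIterator();
        while (attributes.hasNext()) {
            this.myFQANTree.add(((VOMSAttribute) attributes.next()).getListOfFQAN());
        }
    }

    /**
     * Returns the fully qualified attributes of all current VOMS attributes.
     * Unless {@link #validate()} has run, these come from unverified ACs.
     *
     * @return the attribute strings, possibly empty
     */
    public String[] getAllFullyQualifiedAttributes() {
        ArrayList all = new ArrayList();
        for (int idx = 0; idx < this.myVomsAttributes.size(); idx++) {
            all.addAll(((VOMSAttribute) this.myVomsAttributes.get(idx)).getFullyQualifiedAttributes());
        }
        return (String[]) all.toArray(new String[0]);
    }

    /**
     * Returns the internal, mutable attribute list (not a copy). Unless
     * {@link #validate()} has run, its elements come from unverified ACs.
     *
     * @return the {@code VOMSAttribute} list
     */
    public List getVOMSAttributes() {
        return this.myVomsAttributes;
    }

    /**
     * Returns the roles that apply to a group path.
     *
     * <p>This is allowed after {@link #parse()} alone, in which case the answer
     * is based on unverified attributes. The FQAN tree is built on first use and
     * reflects the attribute list at that moment.
     *
     * @param str group path
     * @return the roles; may be {@code null} when nothing matched
     * @throws IllegalStateException if neither parse() nor validate() has run
     */
    public List getRoles(String str) {
        if (!this.isParsed && !this.isValidated) {
            throw new IllegalStateException("Must call parse() or validate() first");
        }
        if (this.myFQANTree == null) {
            populate();
        }
        return this.myFQANTree.getRoles(str);
    }

    /**
     * Returns the capabilities that apply to a group path.
     *
     * <p>This is allowed after {@link #parse()} alone, in which case the answer
     * is based on unverified attributes. The FQAN tree is built on first use and
     * reflects the attribute list at that moment.
     *
     * @param str group path
     * @return the capabilities; may be {@code null} when nothing matched
     * @throws IllegalStateException if neither parse() nor validate() has run
     */
    public List getCapabilities(String str) {
        if (!this.isParsed && !this.isValidated) {
            throw new IllegalStateException("Must call parse() or validate() first");
        }
        if (this.myFQANTree == null) {
            populate();
        }
        return this.myFQANTree.getCapabilities(str);
    }

    /** @return whether {@link #validate()} has completed for the current chain */
    public boolean isValidated() {
        return this.isValidated;
    }

    /**
     * Always returns {@code true}; no check of any kind is performed here.
     *
     * <p>NOTE(review): this must not be treated as a validation result. Callers
     * that need one should use {@link #isValidated()} together with the attribute
     * list that remains after {@link #validate()}.
     *
     * @return {@code true}, unconditionally
     */
    public boolean isValid() {
        return true;
    }

    /** @return the parse/validation flags and the current attribute list */
    public String toString() {
        return "isParsed : " + this.isParsed + "\nhas been validated : " + this.isValidated + "\nVOMS attrs:" + this.myVomsAttributes;
    }

    // Registers the BouncyCastle JCE provider unless a provider is already
    // registered under the name held by KeyPairCache.DEFAULT_PROVIDER.
    static {
        if (Security.getProvider(KeyPairCache.DEFAULT_PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}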
