package org.glite.voms;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.NoSuchElementException;
import java.util.Set;
import java.util.Stack;
import java.util.TreeSet;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.glite.voms.ac.ACCerts;
import org.glite.voms.ac.ACTargets;
import org.glite.voms.ac.AttributeCertificate;
import org.glite.voms.ac.AttributeCertificateInfo;
import org.glite.voms.ac.VOMSTrustStore;
import org.glite.voms.contact.MyProxyCertInfo;

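/* loaded from: input_file:WEB-INF/lib/voms-api-2.0.6.jar:org/glite/voms/PKIVerifier.class */
/**
 * Verifies VOMS attribute certificates (ACs) and X.509 certificate chains
 * against two trust stores: a CA store ({@link PKIStore}: CA certificates,
 * CRLs, signing policies, namespaces) and a VOMS store
 * ({@link VOMSTrustStore}: the vomsdir LSC files and AA host certificates).
 *
 * <p>This is a decompiled listing. {@link #verify(X509Certificate[])} and
 * {@code allowsNamespaces} could not be recovered by the decompiler and remain
 * stubs that throw {@link UnsupportedOperationException}; in this listing any
 * verification that reaches them fails at runtime.
 *
 * <p>The store references are replaced by the setters without any
 * synchronization; callers that share an instance across threads must
 * serialize those calls themselves.
 */
public class PKIVerifier {
    public static final String SUBJECT_KEY_IDENTIFIER = "2.5.29.14";
    /** AC targeting information extension (id-ce-targetInformation). */
    public static final String TARGET = "2.5.29.55";
    public static final String AUTHORITY_KEY_IDENTIFIER = "2.5.29.35";
    /** RFC 3820 ProxyCertInfo extension OID. */
    public static final String PROXYCERTINFO = "1.3.6.1.5.5.7.1.14";
    /** Pre-RFC 3820 (Globus) ProxyCertInfo extension OID. */
    public static final String PROXYCERTINFO_OLD = "1.3.6.1.4.1.3536.1.222";
    public static final String BASIC_CONSTRAINTS_IDENTIFIER = "2.5.29.19";
    public static final String KEY_USAGE_IDENTIFIER = "2.5.29.15";
    /** Issuing Distribution Point: the only critical CRL extension {@link #isRevoked} accepts. */
    private static final String CRL_ISSUING_DISTRIBUTION_POINT = "2.5.29.28";

    private static final Logger logger = Logger.getLogger(PKIVerifier.class.getName());

    /** Critical X.509 extensions this verifier knows how to handle. */
    private static final String[] OIDs = {SUBJECT_KEY_IDENTIFIER, AUTHORITY_KEY_IDENTIFIER, PROXYCERTINFO, PROXYCERTINFO_OLD, BASIC_CONSTRAINTS_IDENTIFIER, KEY_USAGE_IDENTIFIER};
    /** Critical AC extensions this verifier knows how to handle. */
    private static final String[] AC_OIDs = {TARGET};
    private static final Set<String> handledOIDs = new TreeSet<String>(Arrays.asList(OIDs));
    private static final Set<String> handledACOIDs = new TreeSet<String>(Arrays.asList(AC_OIDs));
    private static final Set<String> handledCRLOIDs = new HashSet<String>(Arrays.asList(new String[] {CRL_ISSUING_DISTRIBUTION_POINT}));

    private PKIStore caStore;
    private VOMSTrustStore vomsStore;

    /**
     * Builds a verifier over explicitly supplied stores.
     *
     * @param vOMSTrustStore vomsdir store used to locate AC issuers (may be null: AC verification then fails)
     * @param pKIStore CA store used for chain, CRL and policy checks
     */
    public PKIVerifier(VOMSTrustStore vOMSTrustStore, PKIStore pKIStore) {
        this.vomsStore = vOMSTrustStore;
        this.caStore = pKIStore;
    }

    /**
     * Builds a verifier over the supplied VOMS store and the default CA store
     * ({@code PKIStoreFactory.getStore(2)}).
     *
     * @throws IOException, CertificateException, CRLException if the default CA store cannot be loaded
     */
    public PKIVerifier(VOMSTrustStore vOMSTrustStore) throws IOException, CertificateException, CRLException {
        this.vomsStore = vOMSTrustStore;
        this.caStore = PKIStoreFactory.getStore(2);
    }

    /**
     * Builds a verifier over the default VOMS store ({@code getStore(1)}) and
     * the default CA store ({@code getStore(2)}).
     *
     * @throws IOException, CertificateException, CRLException if either default store cannot be loaded
     */
    public PKIVerifier() throws IOException, CertificateException, CRLException {
        this.vomsStore = PKIStoreFactory.getStore(1);
        this.caStore = PKIStoreFactory.getStore(2);
    }

    /** Stops the background refresh of both stores and drops the references. */
    public void cleanup() {
        if (this.vomsStore != null) {
            this.vomsStore.stopRefresh();
        }
        if (this.caStore != null) {
            this.caStore.stopRefresh();
        }
        this.vomsStore = null;
        this.caStore = null;
    }

    /** Replaces the CA store, stopping the refresh of the previous one. */
    public void setCAStore(PKIStore pKIStore) {
        if (this.caStore != null) {
            this.caStore.stopRefresh();
        }
        this.caStore = pKIStore;
    }

    /** Replaces the VOMS store, stopping the refresh of the previous one. */
    public void setVOMSStore(VOMSTrustStore vOMSTrustStore) {
        if (this.vomsStore != null) {
            this.vomsStore.stopRefresh();
        }
        this.vomsStore = vOMSTrustStore;
    }

    /**
     * Canonical name of the local host, used for the AC targeting check.
     *
     * @return the canonical host name, or the empty string when lookup fails
     */
    private static String getHostName() {
        try {
            return InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            logger.error("Cannot discover hostName.");
            return "";
        }
    }

    /**
     * Verifies a VOMS attribute certificate.
     *
     * <p>Steps, in order; the first failure returns {@code false}:
     * <ol>
     * <li>Locate the AC issuer: the certificate chain embedded in the AC, if
     *     it matches an LSC file for this VO/host and signs the AC; otherwise
     *     an AA certificate from vomsdir that signs the AC.</li>
     * <li>Validate that issuer chain with {@link #verify(X509Certificate[])}.</li>
     * <li>Check the AC validity period.</li>
     * <li>If the AC carries targets, require the local host name among them.</li>
     * <li>Reject any critical AC extension not in {@link #handledACOIDs}.</li>
     * </ol>
     *
     * @param attributeCertificate the AC to verify; null returns false
     * @return true if every check passes
     */
    public boolean verify(AttributeCertificate attributeCertificate) {
        if (attributeCertificate == null || this.vomsStore == null) {
            return false;
        }
        AttributeCertificateInfo acinfo = attributeCertificate.getAcinfo();
        ACCerts certList = acinfo.getCertList();
        String vo = attributeCertificate.getVO();

        X509Certificate[] issuerChain = null;
        LSCFile lsc = certList != null ? this.vomsStore.getLSC(vo, attributeCertificate.getHost()) : null;
        logger.debug("LSC is: " + lsc);
        if (lsc != null) {
            issuerChain = issuerChainFromLSC(attributeCertificate, certList, lsc);
        }
        if (issuerChain == null) {
            logger.debug("lsc check failed.");
            issuerChain = issuerFromVomsdir(attributeCertificate, vo);
        }
        if (issuerChain == null) {
            logger.error("Cannot find usable certificates to validate the AC. Check that the voms server host certificate is in your vomsdir directory.");
            return false;
        }
        if (logger.isDebugEnabled()) {
            for (int i = 0; i < issuerChain.length; i++) {
                logger.debug("Position: " + i + " value: " + issuerChain[i].getSubjectDN().getName());
            }
        }
        // The signature is only meaningful if the signer chains to a trusted CA.
        if (!verify(issuerChain)) {
            logger.error("Cannot verify issuer certificate chain for AC");
            return false;
        }
        if (!attributeCertificate.isValid()) {
            logger.error("Attribute Certificate not valid at current time.");
            return false;
        }
        ACTargets targets = acinfo.getTargets();
        if (targets != null && !isTargetedAtThisHost(targets)) {
            logger.error("Targeting check failed!");
            return false;
        }
        X509Extensions extensions = acinfo.getExtensions();
        if (extensions == null) {
            return true;
        }
        Enumeration oids = extensions.oids();
        while (oids.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
            // Compare the OID string: the handled set holds Strings, so looking up the
            // DERObjectIdentifier object itself could never match (or fails the TreeSet cast).
            if (extensions.getExtension(oid).isCritical() && !handledACOIDs.contains(oid.getId())) {
                logger.error("Unknown critical extension discovered: " + oid.getId());
                return false;
            }
        }
        return true;
    }

    /**
     * LSC path of issuer lookup: the AC's embedded certificate chain is accepted
     * as issuer only if it matches one of the DN/issuer lists of the LSC file
     * exactly (same length, same subjects and issuers) and its first
     * certificate verifies the AC signature.
     *
     * @return the embedded chain, or null if no DN list matches, the chain is
     *         empty, or the signature does not verify
     */
    private X509Certificate[] issuerChainFromLSC(AttributeCertificate ac, ACCerts certList, LSCFile lsc) {
        boolean matched = false;
        Iterator dnLists = lsc.getDNLists().iterator();
        while (!matched && dnLists.hasNext()) {
            matched = chainMatchesDNList((Iterable<?>) dnLists.next(), certList.getCerts());
        }
        if (!matched) {
            return null;
        }
        logger.debug("LSC Verification step.");
        X509Certificate[] chain = (X509Certificate[]) certList.getCerts().toArray(new X509Certificate[0]);
        // An empty DN list matches an empty chain; there is then nothing to verify with.
        if (chain.length == 0) {
            logger.debug("LSC matched but the AC carries no issuer certificates.");
            return null;
        }
        if (!ac.verifyCert(chain[0])) {
            logger.debug("Signature Verification false (from LSC).");
            return null;
        }
        logger.debug("Signature Verification OK (from LSC).");
        return chain;
    }

    /**
     * Compares one LSC DN list (alternating subject, issuer entries in OpenSSL
     * format) with a certificate chain, position by position.
     *
     * @return true only if the list has an even number of entries, the chain has
     *         exactly half as many certificates, and every subject/issuer pair
     *         equals the corresponding certificate's subject and issuer
     */
    private static boolean chainMatchesDNList(Iterable<?> dnList, Iterable<?> certs) {
        Iterator<?> dns = dnList.iterator();
        Iterator<?> chain = certs.iterator();
        while (dns.hasNext() && chain.hasNext()) {
            String expectedSubject = (String) dns.next();
            if (!dns.hasNext()) {
                // odd number of entries: no issuer for the last subject
                return false;
            }
            String expectedIssuer = (String) dns.next();
            X509Certificate cert = (X509Certificate) chain.next();
            String subject = PKIUtils.getOpenSSLFormatPrincipal(cert.getSubjectDN());
            String issuer = PKIUtils.getOpenSSLFormatPrincipal(cert.getIssuerDN());
            logger.debug("canddn is : " + subject);
            logger.debug("candis is : " + issuer);
            logger.debug("dn is : " + expectedSubject);
            logger.debug("is is : " + expectedIssuer);
            // A null entry in the LSC is treated as a mismatch, never as a wildcard.
            if (expectedSubject == null || expectedIssuer == null
                    || !expectedSubject.equals(subject) || !expectedIssuer.equals(issuer)) {
                return false;
            }
        }
        return !dns.hasNext() && !chain.hasNext();
    }

    /**
     * Vomsdir path of issuer lookup: tries every AA certificate candidate the
     * VOMS store holds for the AC issuer DN and VO, and returns the first one
     * that verifies the AC signature.
     *
     * @return a one-element chain holding the signing AA certificate, or null
     */
    private X509Certificate[] issuerFromVomsdir(AttributeCertificate ac, String vo) {
        X500Principal issuer = ac.getIssuer();
        if (logger.isDebugEnabled()) {
            logger.debug("Looking for hash: " + PKIUtils.getHash(issuer) + " for certificate: " + issuer.getName());
        }
        X509Certificate[] candidates = this.vomsStore.getAACandidate(issuer, vo);
        if (candidates == null) {
            logger.debug("No candidates found!");
            return null;
        }
        for (int i = 0; i < candidates.length; i++) {
            X509Certificate candidate = candidates[i];
            if (logger.isDebugEnabled()) {
                logCandidate(candidate);
            }
            if (ac.verifyCert(candidate)) {
                logger.debug("Signature Verification OK");
                return new X509Certificate[] {candidate};
            }
            logger.debug("Signature Verification false");
        }
        return null;
    }

    /** Debug dump of a candidate AA certificate and its encoded public key. */
    private static void logCandidate(X509Certificate candidate) {
        PublicKey publicKey = candidate.getPublicKey();
        logger.debug("Candidate: " + candidate.getSubjectDN().getName());
        logger.debug("Key class: " + publicKey.getClass());
        logger.debug("Key: " + publicKey);
        byte[] encoded = publicKey.getEncoded();
        StringBuffer hex = new StringBuffer("Key: ");
        for (int i = 0; i < encoded.length; i++) {
            // mask to a byte so negative values do not print sign-extended
            hex.append(Integer.toHexString(encoded[i] & 0xff));
            hex.append(' ');
        }
        logger.debug(hex.toString());
    }

    /**
     * AC targeting check: the local canonical host name must be one of the
     * AC's targets. An unknown local host name fails the check.
     */
    private static boolean isTargetedAtThisHost(ACTargets targets) {
        String hostName = getHostName();
        if (hostName.length() == 0) {
            logger.error("Cannot evaluate AC targets: local host name is unknown.");
            return false;
        }
        Iterator it = targets.getTargets().iterator();
        while (it.hasNext()) {
            if (hostName.equals(it.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the ProxyCertInfo path length constraint of a proxy certificate.
     *
     * @param x509Certificate certificate to inspect (RFC 3820 or legacy Globus extension)
     * @param i position of the certificate in the chain being verified
     * @param i2 length of that chain
     * @return true if the certificate has no ProxyCertInfo extension, or its
     *         pathLenConstraint is -1 (unlimited) or at least {@code i2 - i}
     * @throws IllegalArgumentException if the extension cannot be decoded
     */
    private boolean checkProxyCertInfo(X509Certificate x509Certificate, int i, int i2) {
        byte[] extensionValue = x509Certificate.getExtensionValue(PROXYCERTINFO);
        if (extensionValue == null) {
            extensionValue = x509Certificate.getExtensionValue(PROXYCERTINFO_OLD);
            if (extensionValue == null) {
                logger.debug("No ProxyCertInfo extension found.");
                return true;
            }
        }
        try {
            // getExtensionValue() returns the DER OCTET STRING wrapping; unwrap it,
            // then skip the tag and length of the ProxyCertInfo SEQUENCE.
            DEROctetString wrapped = (DEROctetString) new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject();
            MyDERInputStream in = new MyDERInputStream(wrapped.getOctetStream());
            in.read();
            int length = in.readLength();
            if (length < 0 || length > wrapped.getOctets().length) {
                throw new IOException("Invalid ProxyCertInfo length: " + length);
            }
            // Copy exactly the SEQUENCE body; read() may return short, so loop.
            byte[] body = new byte[length];
            int filled = 0;
            while (filled < length) {
                int n = in.read(body, filled, length - filled);
                if (n < 0) {
                    throw new IOException("Truncated ProxyCertInfo: expected " + length + " bytes, got " + filled);
                }
                filled += n;
            }
            MyProxyCertInfo myProxyCertInfo = new MyProxyCertInfo(body);
            int pathLen = myProxyCertInfo.getPathLenConstraint();
            logger.info("Constraint: " + pathLen + "   Size: " + i2 + "   Current: " + i);
            return pathLen == -1 || pathLen >= i2 - i;
        } catch (IOException e) {
            throw new IllegalArgumentException("Cannot read DERObject from source data:" + e.getMessage(), e);
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:75:0x06e7, code lost:
    
        if (r13 != false) goto L139;
     */
    /* JADX WARN: Code restructure failed: missing block: B:76:0x06ea, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:77:0x06ec, code lost:
    
        return true;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Validates an X.509 certificate chain against the CA store.
     *
     * <p>NOT RECOVERED by the decompiler: the original body (1774 bytecode
     * instructions) is replaced by a throwing stub. It is presumably the caller
     * of {@link #checkProxyCertInfo}, {@link #allowsPath} and {@link #isRevoked}
     * and the consumer of {@link #handledOIDs} -- none of which are referenced
     * elsewhere in this listing -- but that cannot be confirmed from here.
     */
    public boolean verify(java.security.cert.X509Certificate[] r6) {
        /*
            Method dump skipped, instructions count: 1774
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.glite.voms.PKIVerifier.verify(java.security.cert.X509Certificate[]):boolean");
    }

    /* JADX WARN: Code restructure failed: missing block: B:10:0x007a, code lost:
    
        if (r9 != null) goto L31;
     */
    /* JADX WARN: Code restructure failed: missing block: B:12:0x0080, code lost:
    
        if (r11 != (-1)) goto L32;
     */
    /* JADX WARN: Code restructure failed: missing block: B:17:0x0085, code lost:
    
        if (r9 != null) goto L18;
     */
    /* JADX WARN: Code restructure failed: missing block: B:18:0x0088, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:8:0x005c, code lost:
    
        if (r0 > 0) goto L10;
     */
    /* JADX WARN: Code restructure failed: missing block: B:9:0x005f, code lost:
    
        r9 = (org.glite.voms.Namespace) r0.get(org.glite.voms.PKIUtils.getHash((java.security.cert.X509Certificate) r7.elementAt(r11)));
        r11 = r11 - 1;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Namespace-file fallback for {@link #allowsPath} when no signing policy
     * exists for the issuer.
     *
     * <p>NOT RECOVERED by the decompiler; throwing stub. The recovered fragments
     * above show it walking the chain stack from the top looking up a
     * {@code Namespace} by certificate hash, and returning true when none is
     * found -- the remaining logic is unknown.
     */
    private boolean allowsNamespaces(java.security.cert.X509Certificate r5, java.security.cert.X509Certificate r6, java.util.Stack r7) {
        /*
            Method dump skipped, instructions count: 238
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.glite.voms.PKIVerifier.allowsNamespaces(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Stack):boolean");
    }

    /**
     * Checks that the issuing CA is allowed to sign the given subject according
     * to the CA's signing_policy file; falls back to {@link #allowsNamespaces}
     * when no signing policy is present for that CA.
     *
     * @param x509Certificate the certificate whose subject is checked (self-issued certificates are always allowed)
     * @param x509Certificate2 the issuing CA certificate
     * @param stack the chain being verified, passed through to allowsNamespaces
     * @return true if some cond_subjects pattern of a matching access_id_CA entry matches the subject
     */
    private boolean allowsPath(X509Certificate x509Certificate, X509Certificate x509Certificate2, Stack stack) {
        if (PKIUtils.selfIssued(x509Certificate)) {
            return true;
        }
        SigningPolicy signingPolicy = (SigningPolicy) this.caStore.getSignings().get(PKIUtils.getHash(x509Certificate2));
        logger.debug("signCandidate is: " + signingPolicy);
        if (signingPolicy == null) {
            return allowsNamespaces(x509Certificate, x509Certificate2, stack);
        }
        String issuerName = PKIUtils.getOpenSSLFormatPrincipal(x509Certificate2.getSubjectDN());
        logger.debug("Subject is : " + issuerName);
        Vector allNames = getAllNames(x509Certificate);
        if (allNames == null) {
            return false;
        }
        logger.debug("Content of Vector is:" + allNames);
        boolean matched = false;
        Iterator names = allNames.iterator();
        while (!matched && names.hasNext()) {
            String subjectName = (String) names.next();
            logger.debug("Examining: " + subjectName);
            logger.debug("Looking for " + issuerName);
            int index = signingPolicy.findIssuer(issuerName);
            if (index == -1) {
                // retry with the alternative OpenSSL DN rendering
                issuerName = PKIUtils.getOpenSSLFormatPrincipal(x509Certificate2.getSubjectDN(), true);
                index = signingPolicy.findIssuer(issuerName);
            }
            while (index != -1) {
                logger.debug("Inside index");
                signingPolicy.setCurrent(index);
                if (signingPolicy.getAccessIDCA().equals(issuerName)) {
                    Iterator patterns = signingPolicy.getCondSubjects().iterator();
                    while (patterns.hasNext()) {
                        String condSubject = (String) patterns.next();
                        logger.debug("Comparing certSubj: '" + subjectName + "' to '" + condSubject + "'");
                        // NOTE(review): only the first '*' is turned into '.*'; any further '*'
                        // and every regex metacharacter in the policy are used as-is.
                        String pattern = condSubject.replaceFirst("\\*", "\\.\\*");
                        if (subjectName.toUpperCase().matches(pattern.toUpperCase())) {
                            matched = true;
                            logger.debug("Subject: '" + subjectName + "' matches with subject: '" + pattern + "' from signing policy.");
                            break;
                        }
                        logger.debug("Subject: '" + subjectName + "' does not match subject: '" + pattern + "' from signing policy.");
                    }
                }
                index = signingPolicy.findIssuer(issuerName, index);
            }
            if (matched) {
                logger.debug("MATCHED AT LEAST ONCE");
            }
        }
        allNames.clear();
        logger.debug("Value of Matched is: " + matched);
        return matched;
    }

    /**
     * Both OpenSSL renderings of a certificate's subject DN.
     *
     * @return a two-element vector, or null for a null certificate
     */
    private Vector getAllNames(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        Vector vector = new Vector();
        vector.add(PKIUtils.getOpenSSLFormatPrincipal(x509Certificate.getSubjectDN()));
        vector.add(PKIUtils.getOpenSSLFormatPrincipal(x509Certificate.getSubjectDN(), true));
        return vector;
    }

    /**
     * CRL check of a certificate against the CRLs stored for its issuing CA.
     *
     * <p>A CRL counts as usable when its signature verifies with the CA key, it
     * carries no critical extension other than Issuing Distribution Point, its
     * issuer equals the CA subject, and it is current. The first usable CRL that
     * does not list the serial number yields "not revoked". Any other CRL that
     * verifies (unknown critical extension, issuer mismatch, expired, or
     * listing the serial) makes the result "revoked" unless a later usable CRL
     * clears it.
     *
     * <p>NOTE(review): a CRL whose signature does not verify (or that throws on
     * inspection) is skipped, so a store holding only such CRLs answers
     * "not revoked" -- the failure is logged here but the fail-open outcome is
     * the original behaviour and is left unchanged.
     *
     * @param x509Certificate the certificate to check
     * @param x509Certificate2 its issuing CA
     * @return true if the certificate must be treated as revoked
     */
    private boolean isRevoked(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        Vector crls = (Vector) this.caStore.getCRLs().get(PKIUtils.getHash(x509Certificate2));
        if (crls == null) {
            return false;
        }
        boolean revoked = false;
        Iterator it = crls.iterator();
        while (it.hasNext()) {
            X509CRL crl = (X509CRL) it.next();
            if (crl == null) {
                continue;
            }
            try {
                crl.verify(x509Certificate2.getPublicKey());
                Set<String> criticalOIDs = crl.getCriticalExtensionOIDs();
                if (criticalOIDs != null && !criticalOIDs.isEmpty() && !handledCRLOIDs.containsAll(criticalOIDs)) {
                    logger.error("Critical extension found in crl!");
                    for (Iterator<String> oids = criticalOIDs.iterator(); oids.hasNext();) {
                        logger.debug("Critical CRL Extension: " + oids.next());
                    }
                } else if (crl.getIssuerX500Principal().equals(x509Certificate2.getSubjectX500Principal())) {
                    Date now = new Date();
                    Date nextUpdate = crl.getNextUpdate();
                    // nextUpdate is optional in RFC 5280; a CRL without it is not considered stale.
                    boolean stale = (nextUpdate != null && nextUpdate.before(now)) || crl.getThisUpdate().after(now);
                    if (stale) {
                        logger.error("CRL for CA '" + x509Certificate2.getSubjectDN().toString() + "' has expired!");
                    } else if (crl.getRevokedCertificate(x509Certificate.getSerialNumber()) == null) {
                        return false;
                    }
                }
                revoked = true;
            } catch (Exception e) {
                // best effort: an unusable CRL is skipped, but never silently
                logger.warn("Skipping CRL for CA '" + x509Certificate2.getSubjectDN() + "': " + e.getMessage(), e);
            }
        }
        return revoked;
    }

    static {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}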
