package org.globus.gsi.trustmanager;

import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStoreException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.SigningPolicy;
import org.globus.gsi.provider.SigningPolicyStore;
import org.globus.gsi.util.ProxyCertificateUtil;

/* loaded from: input_file:WEB-INF/lib/JGlobus-Core-2.0.4.jar:org/globus/gsi/trustmanager/SigningPolicyChecker.class */
/**
 * Certificate checker that enforces the issuing CA's signing policy on a certificate.
 *
 * <p>The policy is looked up in the {@link SigningPolicyStore} by the certificate's issuer
 * principal, and the certificate's subject must be accepted by that policy. The check fails
 * closed: a missing policy, a rejected subject, or a store error all end in a
 * {@link CertPathValidatorException}.
 *
 * <p>Proxy certificates and certificates typed as CA are exempt from this check (see
 * {@link #requireSigningPolicyCheck}). NOTE(review): any namespace constraint on those
 * certificate types has to come from another checker in the chain; confirm against the
 * trust manager's configuration, which is not visible in this file.
 */
public class SigningPolicyChecker implements CertificateChecker {
    // Source of signing policies, queried by issuer principal.
    private SigningPolicyStore policyStore;

    /**
     * Creates a checker backed by the given policy store.
     *
     * @param signingPolicyStore store queried for the issuer's signing policy; it is stored
     *     as given, without a null check
     */
    public SigningPolicyChecker(SigningPolicyStore signingPolicyStore) {
        this.policyStore = signingPolicyStore;
    }

    /**
     * Validates the certificate's subject against the signing policy of its issuer.
     *
     * @param x509Certificate certificate under validation
     * @param certificateType type already determined for the certificate; decides whether the
     *     check applies at all
     * @throws CertPathValidatorException if the store has no policy for the issuer, if the
     *     policy rejects the subject, or if the store lookup fails (the store's exception is
     *     kept as the cause)
     */
    @Override
    public void invoke(X509Certificate x509Certificate, GSIConstants.CertificateType certificateType) throws CertPathValidatorException {
        if (!requireSigningPolicyCheck(certificateType)) {
            return;
        }

        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        try {
            SigningPolicy policy = this.policyStore.getSigningPolicy(issuer);

            // No policy for the issuer is a validation failure, not a pass.
            if (policy == null) {
                // The message embeds a name taken from the certificate being validated;
                // callers that log it should handle it as untrusted text.
                throw new CertPathValidatorException("No signing policy for " + x509Certificate.getIssuerDN());
            }

            boolean subjectAllowed = policy.isValidSubject(x509Certificate.getSubjectX500Principal());
            if (!subjectAllowed) {
                throw new CertPathValidatorException("Certificate " + x509Certificate.getSubjectDN() + " violates signing policy for CA " + issuer.getName());
            }
        } catch (CertStoreException storeFailure) {
            // Surface store failures as validation failures, preserving the cause.
            throw new CertPathValidatorException(storeFailure);
        }
    }

    /**
     * Tells whether the signing policy check applies to a certificate of the given type.
     *
     * @param certificateType type of the certificate under validation
     * @return {@code false} for proxy certificates and for CA certificates, {@code true} for
     *     every other type
     */
    private boolean requireSigningPolicyCheck(GSIConstants.CertificateType certificateType) {
        if (ProxyCertificateUtil.isProxy(certificateType)) {
            return false;
        }
        return certificateType != GSIConstants.CertificateType.CA;
    }
}
