package org.globus.gsi.trustmanager;

import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.X509ProxyCertPathParameters;
import org.globus.gsi.X509ProxyCertPathValidatorResult;
import org.globus.gsi.provider.SigningPolicyStore;
import org.globus.gsi.proxy.ProxyPolicyHandler;
import org.globus.gsi.proxy.ext.ProxyCertInfo;
import org.globus.gsi.util.CertificateUtil;
import org.globus.gsi.util.ProxyCertificateUtil;

/* loaded from: input_file:WEB-INF/lib/JGlobus-Core-2.0.4.jar:org/globus/gsi/trustmanager/X509ProxyCertPathValidator.class */
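/**
 * Validates an X.509 certificate chain that may contain GSI proxy certificates
 * (legacy GSI2 proxies as well as GSI3/GSI4 proxies in the RFC 3820 style).
 *
 * <p>The chain handed to {@link #validate(CertPath)} is ordered leaf first: the
 * certificate at index {@code n} is the issuer of the certificate at index
 * {@code n - 1} (see the "... issuing ..." error messages below). For every link
 * the issuer/subject type pairing, the CA or proxy path-length constraint, key
 * usage and the proxy-specific extension rules are checked, and every
 * certificate is additionally run through the checkers returned by
 * {@link #getCertificateCheckers()}.
 *
 * <p>Instances keep per-validation state in mutable fields ({@code keyStore},
 * {@code identityCert}, {@code limited}, ...) and are therefore not safe for
 * concurrent use.
 */
public class X509ProxyCertPathValidator extends CertPathValidatorSpi {
    /** OID of the X.509 BasicConstraints extension (id-ce-basicConstraints). */
    public static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
    /** OID of the X.509 KeyUsage extension (id-ce-keyUsage). */
    public static final String KEY_USAGE_OID = "2.5.29.15";
    // Trust anchors; taken from the parameters on each validation.
    protected KeyStore keyStore;
    // CRL source handed to the CRLChecker.
    protected CertStore certStore;
    // Signing policies handed to the SigningPolicyChecker.
    protected SigningPolicyStore policyStore;
    // Identity behind the chain, reported in the result. Written through
    // setIdentityCert(); presumably by IdentityChecker, which receives this validator.
    private X509Certificate identityCert;
    // Whether the chain contains a limited proxy. Written through setLimited().
    private boolean limited;
    // Taken from the parameters and exposed via isRejectLimitedProxy(); not consulted here.
    private boolean rejectLimitedProxy;
    // Policy-language OID -> handler used for restricted proxies; may be null.
    private Map<String, ProxyPolicyHandler> policyHandlers;

    /**
     * SPI entry point used by {@link java.security.cert.CertPathValidator}.
     *
     * <p>Per-validation state is cleared first so that a reused instance cannot
     * report the identity certificate or limited flag of a previously validated
     * chain; the result is built from exactly those two fields.
     *
     * @param certPath           the chain to validate; must be non-null and non-empty
     * @param certPathParameters must be an {@link X509ProxyCertPathParameters}
     * @return the validation result
     * @throws CertPathValidatorException        if any check on the chain fails
     * @throws InvalidAlgorithmParameterException declared by the SPI contract
     * @throws IllegalArgumentException          if the path is null or empty, or the
     *                                           parameters are of the wrong type
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (certPath == null) {
            throw new IllegalArgumentException("Certificate path cannot be null");
        }
        if (certPath.getCertificates().isEmpty()) {
            throw new IllegalArgumentException("Certificate path cannot be empty");
        }
        // Reset identityCert/limited so that state left by an earlier run on this instance
        // cannot leak into this chain's result.
        clear();
        parseParameters(certPathParameters);
        // Anchor the chain in the trust store before applying the per-link checks.
        CertPath trustedPath = TrustedCertPathFinder.findTrustedCertPath(this.keyStore, certPath);
        return validate(trustedPath);
    }

    /**
     * Resets the per-chain outcome fields (identity certificate and limited flag).
     * The stores, handlers and the reject-limited-proxy flag are left untouched.
     */
    public void clear() {
        this.identityCert = null;
        this.limited = false;
    }

    /**
     * Copies trust store, CRL store, signing-policy store, limited-proxy policy and
     * policy handlers out of the parameters into this instance.
     *
     * @param certPathParameters must be an {@link X509ProxyCertPathParameters}
     * @throws IllegalArgumentException          if the parameters are of another type
     * @throws InvalidAlgorithmParameterException declared for overriding subclasses; not thrown here
     */
    protected void parseParameters(CertPathParameters certPathParameters) throws InvalidAlgorithmParameterException {
        if (!(certPathParameters instanceof X509ProxyCertPathParameters)) {
            throw new IllegalArgumentException("Parameter of type " + X509ProxyCertPathParameters.class.getName() + " required");
        }
        X509ProxyCertPathParameters proxyParameters = (X509ProxyCertPathParameters) certPathParameters;
        this.keyStore = proxyParameters.getTrustStore();
        this.certStore = proxyParameters.getCrlStore();
        this.policyStore = proxyParameters.getSigningPolicyStore();
        this.rejectLimitedProxy = proxyParameters.isRejectLimitedProxy();
        this.policyHandlers = proxyParameters.getPolicyHandlers();
    }

    /**
     * Runs the per-link checks over an already trust-anchored chain.
     *
     * <p>The chain is walked leaf first; in each iteration the certificate at
     * {@code index} is the issuer of the one processed in the previous iteration.
     * The number of proxy certificates seen so far is threaded through
     * {@link #validateCert} because the path-length rules depend on it.
     *
     * @param certPath chain ordered leaf first
     * @return the result, or {@code null} for an empty chain (the public entry point
     *         rejects empty chains before reaching here)
     * @throws CertPathValidatorException on any validation failure
     */
    protected CertPathValidatorResult validate(CertPath certPath) throws CertPathValidatorException {
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            return null;
        }
        X509Certificate subjectCert = (X509Certificate) certificates.get(0);
        TBSCertificateStructure subjectTbs = getTBSCertificateStructure(subjectCert);
        GSIConstants.CertificateType subjectType = getCertificateType(subjectTbs);
        checkCertificate(subjectCert, subjectType);
        // Proxy certificates counted so far, starting from the leaf.
        int proxyDepth = ProxyCertificateUtil.isProxy(subjectType) ? 1 : 0;
        for (int index = 1; index < certificates.size(); index++) {
            boolean subjectIsProxy = ProxyCertificateUtil.isProxy(subjectType);
            X509Certificate issuerCert = (X509Certificate) certificates.get(index);
            TBSCertificateStructure issuerTbs = getTBSCertificateStructure(issuerCert);
            GSIConstants.CertificateType issuerType = getCertificateType(issuerTbs);
            proxyDepth = validateCert(subjectCert, subjectType, issuerCert, issuerTbs, issuerType, proxyDepth, index, subjectIsProxy);
            if (subjectIsProxy) {
                checkProxyConstraints(certPath, subjectCert, subjectTbs, subjectType, issuerTbs, index);
            } else {
                // A non-proxy subject must be signed by a key permitted to sign certificates.
                try {
                    checkKeyUsage(issuerTbs);
                } catch (IOException e) {
                    throw new CertPathValidatorException("Key usage check failed on " + issuerCert.getSubjectDN(), e);
                }
            }
            checkCertificate(issuerCert, issuerType);
            // Move one link up the chain: this issuer is the subject of the next link.
            subjectCert = issuerCert;
            subjectType = issuerType;
            subjectTbs = issuerTbs;
        }
        return new X509ProxyCertPathValidatorResult(this.identityCert, this.limited);
    }

    /**
     * Classifies a certificate (CA, EEC, one of the proxy flavours) via CertificateUtil.
     *
     * @throws CertPathValidatorException wrapping any parse or certificate error
     */
    private GSIConstants.CertificateType getCertificateType(TBSCertificateStructure tbs) throws CertPathValidatorException {
        try {
            return CertificateUtil.getCertificateType(tbs);
        } catch (IOException e) {
            throw new CertPathValidatorException("Error obtaining certificate type", e);
        } catch (CertificateException e) {
            throw new CertPathValidatorException("Error obtaining certificate type", e);
        }
    }

    /**
     * Extracts the BouncyCastle TBS structure of a certificate.
     *
     * @throws CertPathValidatorException wrapping any conversion error
     */
    private TBSCertificateStructure getTBSCertificateStructure(X509Certificate certificate) throws CertPathValidatorException {
        try {
            return CertificateUtil.getTBSCertificateStructure(certificate);
        } catch (IOException e) {
            throw new CertPathValidatorException("Error converting certificate", e);
        } catch (CertificateException e) {
            throw new CertPathValidatorException("Error converting certificate", e);
        }
    }

    /**
     * Checks that {@code issuerType} may issue a certificate of {@code subjectType}
     * and applies the path-length rule that belongs to the issuer's type.
     *
     * @param subjectCert    the certificate that was issued
     * @param subjectType    its type
     * @param issuerCert     the certificate that signed it (next in the chain)
     * @param issuerTbs      TBS structure of the issuer
     * @param issuerType     type of the issuer
     * @param proxyDepth     proxies counted so far from the leaf
     * @param index          position of the issuer in the chain
     * @param subjectIsProxy whether the subject is any kind of proxy
     * @return the updated proxy count (incremented when the issuer is itself a proxy)
     * @throws CertPathValidatorException if the pairing or a length constraint is violated,
     *                                    or the issuer type is unknown
     */
    private int validateCert(X509Certificate subjectCert, GSIConstants.CertificateType subjectType, X509Certificate issuerCert, TBSCertificateStructure issuerTbs, GSIConstants.CertificateType issuerType, int proxyDepth, int index, boolean subjectIsProxy) throws CertPathValidatorException {
        if (issuerType == GSIConstants.CertificateType.CA) {
            validateCACert(subjectCert, issuerCert, issuerTbs, proxyDepth, index, subjectIsProxy);
            return proxyDepth;
        }
        if (ProxyCertificateUtil.isGsi3Proxy(issuerType) || ProxyCertificateUtil.isGsi4Proxy(issuerType)) {
            return validateGsiProxyCert(subjectCert, subjectType, issuerCert, issuerTbs, issuerType, proxyDepth);
        }
        if (ProxyCertificateUtil.isGsi2Proxy(issuerType)) {
            return validateGsi2ProxyCert(subjectCert, subjectType, issuerCert, proxyDepth);
        }
        if (issuerType != GSIConstants.CertificateType.EEC) {
            // Fail closed on any type this validator does not know how to reason about.
            throw new CertPathValidatorException("UNknown issuer type " + issuerType + " for certificate " + issuerCert.getSubjectDN());
        }
        validateEECCert(subjectCert, subjectType, issuerCert);
        return proxyDepth;
    }

    /**
     * Applies the extension rules and, for restricted proxies, the policy handler to a
     * GSI3/GSI4 proxy. Other proxy types are not checked here.
     *
     * @param certPath  the whole chain, passed on to the policy handler
     * @param proxyCert the proxy certificate
     * @param proxyTbs  its TBS structure
     * @param proxyType its type
     * @param issuerTbs TBS structure of the certificate that issued the proxy
     * @param index     chain position of the issuer, passed on to the policy handler
     * @throws CertPathValidatorException on a violated constraint or an unreadable extension
     */
    private void checkProxyConstraints(CertPath certPath, X509Certificate proxyCert, TBSCertificateStructure proxyTbs, GSIConstants.CertificateType proxyType, TBSCertificateStructure issuerTbs, int index) throws CertPathValidatorException {
        boolean gsi3Or4 = ProxyCertificateUtil.isGsi3Proxy(proxyType) || ProxyCertificateUtil.isGsi4Proxy(proxyType);
        if (!gsi3Or4) {
            return;
        }
        try {
            checkProxyConstraints(proxyTbs, issuerTbs, proxyCert);
        } catch (IOException e) {
            throw new CertPathValidatorException("Proxy constraint check failed on " + proxyCert.getSubjectDN(), e);
        }
        boolean restricted = proxyType == GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY
                || proxyType == GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY;
        if (restricted) {
            try {
                checkRestrictedProxy(proxyTbs, certPath, index);
            } catch (IOException e) {
                throw new CertPathValidatorException("Restricted proxy check failed on " + proxyCert.getSubjectDN(), e);
            }
        }
    }

    /**
     * An end-entity certificate may only issue proxy certificates.
     *
     * @throws CertPathValidatorException if the subject is not a proxy
     */
    private void validateEECCert(X509Certificate subjectCert, GSIConstants.CertificateType subjectType, X509Certificate issuerCert) throws CertPathValidatorException {
        if (!ProxyCertificateUtil.isProxy(subjectType)) {
            throw new CertPathValidatorException("EEC can only sign another proxy certificate. Violated by " + issuerCert.getSubjectDN() + " issuing " + subjectCert.getSubjectDN());
        }
    }

    /**
     * A legacy GSI2 proxy may only issue another GSI2 proxy; no path-length rule applies.
     *
     * @return {@code proxyDepth + 1}
     * @throws CertPathValidatorException if the subject is not a GSI2 proxy
     */
    private int validateGsi2ProxyCert(X509Certificate subjectCert, GSIConstants.CertificateType subjectType, X509Certificate issuerCert, int proxyDepth) throws CertPathValidatorException {
        if (!ProxyCertificateUtil.isGsi2Proxy(subjectType)) {
            throw new CertPathValidatorException("Proxy certificate can only sign another proxy certificate of same type. Violated by " + issuerCert.getSubjectDN() + " issuing " + subjectCert.getSubjectDN());
        }
        return proxyDepth + 1;
    }

    /**
     * A GSI3 proxy may only issue GSI3 proxies and a GSI4 proxy only GSI4 proxies;
     * in addition the issuer's proxy path-length constraint must allow the proxies
     * already counted below it.
     *
     * @param proxyDepth proxies counted below the issuer (including the subject)
     * @return {@code proxyDepth + 1}
     * @throws CertPathValidatorException on a type mismatch, a violated or zero
     *                                    constraint, or an unreadable constraint
     */
    private int validateGsiProxyCert(X509Certificate subjectCert, GSIConstants.CertificateType subjectType, X509Certificate issuerCert, TBSCertificateStructure issuerTbs, GSIConstants.CertificateType issuerType, int proxyDepth) throws CertPathValidatorException {
        boolean sameFamily;
        if (ProxyCertificateUtil.isGsi3Proxy(issuerType)) {
            sameFamily = ProxyCertificateUtil.isGsi3Proxy(subjectType);
        } else if (ProxyCertificateUtil.isGsi4Proxy(issuerType)) {
            sameFamily = ProxyCertificateUtil.isGsi4Proxy(subjectType);
        } else {
            sameFamily = true;
        }
        if (!sameFamily) {
            throw new CertPathValidatorException("Proxy certificate can only sign another proxy certificate of same type. Violated by " + issuerCert.getSubjectDN() + " issuing " + subjectCert.getSubjectDN());
        }
        int pathConstraint;
        try {
            pathConstraint = ProxyCertificateUtil.getProxyPathConstraint(issuerTbs);
        } catch (IOException e) {
            throw new CertPathValidatorException("Error obtaining proxy path constraint", e);
        }
        // A constraint of 0 forbids any proxy below this issuer, yet the subject is one.
        if (pathConstraint == 0) {
            throw new CertPathValidatorException("Proxy path length constraint violated of certificate " + issuerCert.getSubjectDN());
        }
        // Integer.MAX_VALUE is taken as "unlimited" (presumably the helper's sentinel for an
        // absent constraint); otherwise the proxies already below this issuer must fit.
        if (pathConstraint < Integer.MAX_VALUE && proxyDepth > pathConstraint) {
            throw new CertPathValidatorException("Proxy path length constraint violated of certificate " + issuerCert.getSubjectDN());
        }
        return proxyDepth + 1;
    }

    /**
     * A CA may not issue a proxy directly, and its path-length constraint must cover
     * the number of CA certificates sitting between it and the end entity.
     *
     * @param proxyDepth     proxies counted from the leaf
     * @param index          chain position of the CA
     * @param subjectIsProxy whether the certificate the CA issued is a proxy
     * @throws CertPathValidatorException on a violated constraint or an unreadable one
     */
    private void validateCACert(X509Certificate subjectCert, X509Certificate issuerCert, TBSCertificateStructure issuerTbs, int proxyDepth, int index, boolean subjectIsProxy) throws CertPathValidatorException {
        if (subjectIsProxy) {
            throw new CertPathValidatorException("Proxy certificate can be signed only by EEC or Proxy Certificate. Certificate " + subjectCert.getSubjectDN() + " violates this.");
        }
        int pathConstraint;
        try {
            pathConstraint = CertificateUtil.getCAPathConstraint(issuerTbs);
        } catch (IOException e) {
            throw new CertPathValidatorException("Error obtaining CA Path constraint", e);
        }
        // Certificates below this CA minus the proxies and the end entity itself.
        int intermediateCount = (index - proxyDepth) - 1;
        // Integer.MAX_VALUE is taken as "unlimited", mirroring the proxy constraint check.
        if (pathConstraint < Integer.MAX_VALUE && intermediateCount > pathConstraint) {
            throw new CertPathValidatorException("Path length constraint of certificate " + issuerCert.getSubjectDN() + " violated");
        }
    }

    /**
     * Delegates a restricted proxy's policy to the handler registered for its policy
     * language. A restricted proxy whose policy language has no handler is rejected
     * rather than silently accepted.
     *
     * @param tBSCertificateStructure TBS structure of the restricted proxy
     * @param certPath                the whole chain, handed to the handler
     * @param i                       chain index handed to the handler
     * @throws CertPathValidatorException if no handler is registered or the handler rejects the policy
     * @throws IOException              if the ProxyCertInfo extension cannot be read
     */
    protected void checkRestrictedProxy(TBSCertificateStructure tBSCertificateStructure, CertPath certPath, int i) throws CertPathValidatorException, IOException {
        ProxyCertInfo proxyCertInfo = ProxyCertificateUtil.getProxyCertInfo(tBSCertificateStructure);
        String policyLanguage = proxyCertInfo.getProxyPolicy().getPolicyLanguage().getId();
        ProxyPolicyHandler handler = null;
        if (this.policyHandlers != null) {
            handler = this.policyHandlers.get(policyLanguage);
        }
        if (handler == null) {
            throw new CertPathValidatorException("Unknown policy, no handler registered to validate policy " + policyLanguage);
        }
        handler.validate(proxyCertInfo, certPath, i);
    }

    /**
     * If the certificate carries a KeyUsage extension, keyCertSign (bit 5) must be set,
     * since this certificate signed a non-proxy certificate. A missing or empty key usage
     * is accepted.
     *
     * @throws CertPathValidatorException if keyCertSign is absent
     * @throws IOException              if the extension cannot be read
     */
    protected void checkKeyUsage(TBSCertificateStructure tBSCertificateStructure) throws CertPathValidatorException, IOException {
        boolean[] keyUsage = CertificateUtil.getKeyUsage(tBSCertificateStructure);
        // NOTE(review): assumes a non-empty array has at least 6 entries; a shorter one would
        // throw ArrayIndexOutOfBoundsException here -- confirm against CertificateUtil.getKeyUsage.
        if (keyUsage != null && keyUsage.length > 0 && !keyUsage[5]) {
            throw new CertPathValidatorException("Certificate " + tBSCertificateStructure.getSubject() + " violated key usage policy.");
        }
    }

    /**
     * Builds the list of checkers every certificate in the chain is run through:
     * validity dates, unsupported critical extensions, identity tracking, CRL status
     * and CA signing policy. Subclasses may override to change the set.
     *
     * @return a fresh, mutable list of checkers
     */
    protected List<CertificateChecker> getCertificateCheckers() {
        List<CertificateChecker> checkers = new ArrayList<CertificateChecker>();
        checkers.add(new DateValidityChecker());
        checkers.add(new UnsupportedCriticalExtensionChecker());
        checkers.add(new IdentityChecker(this));
        checkers.add(new CRLChecker(this.certStore, this.keyStore, true));
        checkers.add(new SigningPolicyChecker(this.policyStore));
        return checkers;
    }

    /**
     * Runs every checker from {@link #getCertificateCheckers()} over one certificate.
     *
     * @throws CertPathValidatorException propagated from the first failing checker
     */
    private void checkCertificate(X509Certificate certificate, GSIConstants.CertificateType certificateType) throws CertPathValidatorException {
        for (CertificateChecker checker : getCertificateCheckers()) {
            checker.invoke(certificate, certificateType);
        }
    }

    /**
     * Checks the proxy-specific extension rules between a proxy and its issuer: the
     * proxy may carry neither a Subject nor an Issuer Alternative Name, may not be a
     * CA, and its key usage must be a subset of the issuer's; if the issuer has a
     * KeyUsage extension the proxy must have one too, with criticality at least as
     * strict.
     *
     * @param tBSCertificateStructure  TBS structure of the proxy
     * @param tBSCertificateStructure2 TBS structure of the issuer
     * @param x509Certificate          the proxy certificate; retained for the
     *                                 signature but not used by this implementation
     * @throws CertPathValidatorException on any rule violation
     * @throws IOException              if an extension cannot be decoded
     */
    protected void checkProxyConstraints(TBSCertificateStructure tBSCertificateStructure, TBSCertificateStructure tBSCertificateStructure2, X509Certificate x509Certificate) throws CertPathValidatorException, IOException {
        X509Extension proxyKeyUsage = null;
        X509Extensions proxyExtensions = tBSCertificateStructure.getExtensions();
        if (proxyExtensions != null) {
            Enumeration<?> proxyOids = proxyExtensions.oids();
            while (proxyOids.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier) proxyOids.nextElement();
                X509Extension extension = proxyExtensions.getExtension(oid);
                if (oid.equals(X509Extensions.SubjectAlternativeName) || oid.equals(X509Extensions.IssuerAlternativeName)) {
                    throw new CertPathValidatorException("Proxy violation: no Subject or Issuer Alternative Name");
                }
                if (oid.equals(X509Extensions.BasicConstraints)) {
                    if (CertificateUtil.getBasicConstraints(extension).isCA()) {
                        throw new CertPathValidatorException("Proxy violation: Basic Constraint CA is set to true");
                    }
                } else if (oid.equals(X509Extensions.KeyUsage)) {
                    // Remembered so the issuer-side pass below can see that the proxy has key usage.
                    proxyKeyUsage = extension;
                    checkKeyUsage(tBSCertificateStructure2, extension);
                }
            }
        }
        X509Extensions issuerExtensions = tBSCertificateStructure2.getExtensions();
        if (issuerExtensions != null) {
            Enumeration<?> issuerOids = issuerExtensions.oids();
            while (issuerOids.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier) issuerOids.nextElement();
                checkExtension(oid, issuerExtensions.getExtension(oid), proxyKeyUsage);
            }
        }
    }

    /**
     * Key-usage rules for a proxy: nonRepudiation (bit 1) and keyCertSign (bit 5) must
     * not be asserted, and no other bit may be asserted unless the issuer asserts it too.
     *
     * @param issuerTbs         TBS structure of the issuer
     * @param proxyKeyUsageExt  the proxy's KeyUsage extension
     * @throws CertPathValidatorException on a violation
     * @throws IOException              if a key usage cannot be decoded
     */
    private void checkKeyUsage(TBSCertificateStructure issuerTbs, X509Extension proxyKeyUsageExt) throws IOException, CertPathValidatorException {
        boolean[] proxyUsage = CertificateUtil.getKeyUsage(proxyKeyUsageExt);
        if (proxyUsage[1] || proxyUsage[5]) {
            throw new CertPathValidatorException("Proxy violation: Key usage is asserted.");
        }
        boolean[] issuerUsage = CertificateUtil.getKeyUsage(issuerTbs);
        // An empty issuer array skips the subset check. NOTE(review): both arrays are indexed
        // up to bit 8; assumes CertificateUtil always returns the full 9-bit array -- confirm.
        if (issuerUsage.length > 0) {
            for (int bit = 0; bit < 9; bit++) {
                if (bit == 1 || bit == 5) {
                    continue;
                }
                if (!issuerUsage[bit] && proxyUsage[bit]) {
                    throw new CertPathValidatorException("Proxy violation: Issuer key usage is incorrect");
                }
            }
        }
    }

    /**
     * Issuer-side extension rule: if the issuer carries KeyUsage, the proxy must carry
     * one as well, and a critical issuer KeyUsage requires a critical proxy KeyUsage.
     *
     * @param oid             OID of the issuer extension being examined
     * @param issuerExtension the issuer extension
     * @param proxyKeyUsage   the proxy's KeyUsage extension, or {@code null} if it has none
     * @throws CertPathValidatorException on a violation
     */
    private void checkExtension(DERObjectIdentifier oid, X509Extension issuerExtension, X509Extension proxyKeyUsage) throws CertPathValidatorException {
        if (!oid.equals(X509Extensions.KeyUsage)) {
            return;
        }
        if (proxyKeyUsage == null) {
            throw new CertPathValidatorException("Proxy violation: Issuer has key usage, but proxy does not");
        }
        if (issuerExtension.isCritical() && !proxyKeyUsage.isCritical()) {
            throw new CertPathValidatorException("Proxy voilation: issuer key usage is critical, but proxy certificate's is not");
        }
    }

    /** @return the identity certificate recorded for the last validated chain, or {@code null} */
    public X509Certificate getIdentityCertificate() {
        return this.identityCert;
    }

    /** Records whether the chain contains a limited proxy; intended for the certificate checkers. */
    public void setLimited(boolean z) {
        this.limited = z;
    }

    /** @return whether a limited proxy was recorded for the current chain */
    public boolean isLimited() {
        return this.limited;
    }

    /** Records the identity certificate of the current chain; intended for the certificate checkers. */
    public void setIdentityCert(X509Certificate x509Certificate) {
        this.identityCert = x509Certificate;
    }

    /** @return the reject-limited-proxy flag taken from the validation parameters */
    public boolean isRejectLimitedProxy() {
        return this.rejectLimitedProxy;
    }
}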
