package eu.emi.security.authn.x509.helpers.pkipath;

import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationErrorCode;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import eu.emi.security.authn.x509.helpers.JavaAndBCStyle;
import eu.emi.security.authn.x509.helpers.ObserversHandler;
import eu.emi.security.authn.x509.helpers.pkipath.ExtPKIXParameters2;
import eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer;
import eu.emi.security.authn.x509.helpers.proxy.ProxyHelper;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.FormatMode;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.i18n.ErrorBundle;
import org.bouncycastle.jcajce.PKIXExtendedParameters;
import org.bouncycastle.x509.CertPathReviewerException;
import org.bouncycastle.x509.PKIXCertPathReviewer;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/pkipath/BCCertPathValidator.class */
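/**
 * Validates a certificate chain with the BouncyCastle {@code PKIXCertPathReviewer}, optionally
 * accepting RFC 3820 proxy certificates at the start of the chain.
 * <p>
 * Without proxy support (or when the chain does not start with a proxy) the whole chain is
 * built and reviewed with the configured PKIX parameters, including the revocation settings.
 * With proxies present, the chain is split in two: the non-proxy part (EEC and its CAs) goes
 * through the same PKIX review, while the proxy part (the proxies plus the EEC that issued
 * them) is reviewed with revocation checking disabled, anchored at the EEC's issuer when it is
 * present in the chain, and additionally checked against the proxy-specific rules implemented
 * here (proxy subject naming, path length limits, issuer key usage, validity period with a
 * grace period).
 * <p>
 * Errors are accumulated in {@link ValidationError} lists; OIDs of critical extensions that the
 * reviewer could not resolve are reported separately as strings.
 */
public class BCCertPathValidator {
    /**
     * Tolerance in milliseconds applied on both ends of a proxy's validity period (5 minutes).
     * Presumably meant to absorb clock skew between the proxy issuer and this host.
     */
    public static final long PROXY_VALIDATION_GRACE_PERIOD = 300000;

    /** Marker for "no proxy path length limit seen so far". */
    private static final int PROXY_PATH_UNLIMITED = Integer.MAX_VALUE;

    /** Marker for "a path length violation was already reported; stop counting". */
    private static final int PROXY_PATH_EXHAUSTED = Integer.MIN_VALUE;

    /**
     * BC reviewer error ids that are expected when a plain PKIX review is run over a proxy
     * chain: proxy issuers are not CAs (no basic constraints, no keyCertSign), and validity
     * errors are re-checked by {@link #checkProxyTime} with the grace period.
     */
    private static final Set<String> PROXY_IGNORED_BC_ERROR_IDS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "CertPathReviewer.noBasicConstraints",
                    "CertPathReviewer.noCACert",
                    "CertPathReviewer.noCertSign",
                    "CertPathReviewer.certificateNotYetValid",
                    "CertPathReviewer.certificateExpired")));

    /** Counterpart of {@link #PROXY_IGNORED_BC_ERROR_IDS} for errors already mapped to our codes. */
    private static final Set<ValidationErrorCode> PROXY_IGNORED_ERROR_CODES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    ValidationErrorCode.noBasicConstraints,
                    ValidationErrorCode.noCACert,
                    ValidationErrorCode.noCertSign,
                    ValidationErrorCode.certificateExpired,
                    ValidationErrorCode.certificateNotYetValid)));

    /**
     * Validates the given chain.
     *
     * @param toCheck chain to validate, the certificate to be validated (EEC or last proxy) first;
     *        must be non-empty
     * @param proxySupport whether proxy certificates are accepted at the start of the chain
     * @param trustAnchors trust anchors; an empty set makes the validation fail with
     *        {@code noTrustAnchorFound} and {@code noIssuerPublicKey}
     * @param crlStore certificate store (with CRLs) added to the PKIX parameters
     * @param revocationParams revocation settings passed to the extended PKIX parameters
     * @param observers observers handler passed to the extended PKIX parameters
     * @return the result: validity flag, collected errors, OIDs of unresolved critical
     *         extensions and, when valid, the resolved chain (proxies, then the reviewed path,
     *         then the trust anchor certificate); the resolved chain is {@code null} on failure
     *         or when the matching trust anchor carries no certificate
     * @throws CertificateException when certificate contents can not be parsed
     * @throws IllegalArgumentException when {@code toCheck} is null or empty
     * @throws NullPointerException when {@code trustAnchors} is null
     */
    public ValidationResult validate(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors,
            CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observers)
            throws CertificateException {
        if (toCheck == null || toCheck.length == 0) {
            throw new IllegalArgumentException("Chain to be validated must be non-empty");
        }
        Objects.requireNonNull(trustAnchors, "trustAnchors");
        List<ValidationError> errors = new ArrayList<>();
        Set<String> unresolvedExtensions = new HashSet<>();
        if (trustAnchors.isEmpty()) {
            errors.add(new ValidationError(toCheck, -1, ValidationErrorCode.noTrustAnchorFound, new Object[0]));
            errors.add(new ValidationError(toCheck, 0, ValidationErrorCode.noIssuerPublicKey, new Object[0]));
            return new ValidationResult(false, errors, unresolvedExtensions, null);
        }
        if (!proxySupport || !ProxyUtils.isProxy(toCheck)) {
            ExtPKIXParameters2 params = createPKIXParameters(toCheck, proxySupport, trustAnchors, crlStore,
                    revocationParams, observers);
            // checkNonProxyChain fills 'errors'; the verdict must be computed only afterwards
            // (Java evaluates constructor arguments left to right, so the check can not be
            // inlined into the ValidationResult call)
            List<X509Certificate> resolved = checkNonProxyChain(toCheck, params, errors, unresolvedExtensions, 0,
                    toCheck);
            return new ValidationResult(errors.isEmpty(), errors, unresolvedExtensions, resolved);
        }
        int firstProxy = getFirstProxy(toCheck);
        if (firstProxy == toCheck.length - 1) {
            // every element is a proxy: the EEC that issued them is missing from the chain
            errors.add(new ValidationError(toCheck, -1, ValidationErrorCode.proxyNoIssuer, new Object[0]));
            return new ValidationResult(false, errors, unresolvedExtensions, null);
        }
        // baseChain: EEC and everything above it; proxyChain: all proxies plus the EEC as last element
        X509Certificate[] baseChain = Arrays.copyOfRange(toCheck, firstProxy + 1, toCheck.length);
        X509Certificate[] proxyChain = Arrays.copyOf(toCheck, firstProxy + 2);

        ExtPKIXParameters2 params = createPKIXParameters(baseChain, proxySupport, trustAnchors, crlStore,
                revocationParams, observers);
        // positions of reported errors are shifted so that they refer to the full chain
        List<X509Certificate> resolvedBase = checkNonProxyChain(baseChain, params, errors, unresolvedExtensions,
                firstProxy + 1, toCheck);
        // the element following the EEC (its issuer in a well-formed chain) anchors the proxy
        // part; when the EEC is the last element, the configured anchors are used instead
        Set<TrustAnchor> proxyAnchors = baseChain.length > 1
                ? Collections.singleton(new TrustAnchor(baseChain[1], null))
                : trustAnchors;
        checkProxyChainWithBC(proxyChain, proxyAnchors, errors, unresolvedExtensions);
        // same validation instant as used for the non-proxy part
        checkProxyChainMain(proxyChain, errors, unresolvedExtensions, params.getBaseParameters().getDate());
        if (errors.isEmpty() && resolvedBase != null) {
            // prepend the proxies; the EEC (last element of proxyChain) already heads resolvedBase
            resolvedBase.addAll(0, Arrays.asList(proxyChain).subList(0, proxyChain.length - 1));
        }
        return new ValidationResult(errors.isEmpty(), errors, unresolvedExtensions, resolvedBase);
    }

    /**
     * Creates the extended PKIX parameters used to build and review the non-proxy part of a chain.
     * The validation date is fixed here ({@code new Date()}) and later reused for the proxy
     * checks. The chain under test is exposed to the path builder as an additional
     * "Collection" certificate store obtained from the "BC" provider, which therefore must be
     * registered.
     *
     * @param toCheck chain whose first element becomes the target certificate constraint
     * @param proxySupport proxy support flag forwarded to the extended parameters
     * @param trustAnchors trust anchors; must be non-empty ({@link #validate} guarantees that)
     * @param crlStore certificate store with CRLs
     * @param revocationParams revocation settings forwarded to the extended parameters
     * @param observers observers handler forwarded to the extended parameters
     * @return the extended parameters
     * @throws IllegalStateException when the PKIX parameters can not be created (empty anchor set)
     * @throws RuntimeException when the BC "Collection" certificate store can not be created
     */
    protected ExtPKIXParameters2 createPKIXParameters(X509Certificate[] toCheck, boolean proxySupport,
            Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams,
            ObserversHandler observers) {
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(toCheck[0]);
        PKIXParameters baseParams;
        try {
            baseParams = new PKIXParameters(trustAnchors);
        } catch (InvalidAlgorithmParameterException e) {
            // only thrown for an empty anchor set, which validate() rejects beforehand
            throw new IllegalStateException("Can't create PKIXParameters, shouldn't happen", e);
        }
        baseParams.setTargetCertConstraints(targetSelector);
        baseParams.setDate(new Date());
        baseParams.addCertStore(crlStore);
        try {
            baseParams.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Arrays.asList(toCheck)), "BC"));
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException e) {
            throw new RuntimeException(
                    "Can't create an instance of a simple Collection certificate store, using the BC provider, BUG?", e);
        }
        ExtPKIXParameters2.Builder builder = new ExtPKIXParameters2.Builder(
                new PKIXExtendedParameters.Builder(baseParams), baseParams, trustAnchors, observers);
        builder.setRevocationParams(revocationParams);
        builder.setProxySupport(proxySupport);
        return builder.build();
    }

    /**
     * Finds the proxy certificate with the highest index in the chain, i.e. scanning from the
     * end of the chain towards its start.
     *
     * @param chain chain to scan
     * @return index of the last proxy certificate in the array
     * @throws IllegalStateException when the chain contains no proxy at all
     */
    protected int getFirstProxy(X509Certificate[] chain) {
        for (int i = chain.length - 1; i >= 0; i--) {
            if (ProxyUtils.isProxy(chain[i])) {
                return i;
            }
        }
        throw new IllegalStateException("No proxy found, while it should be in chain?? BUG");
    }

    /**
     * Builds candidate paths for the non-proxy chain and reviews them with the
     * {@link FixedBCPKIXCertPathReviewer}. The first candidate without errors wins; otherwise
     * the errors of the candidate with the fewest errors are reported.
     *
     * @param toCheck non-proxy chain, the certificate to validate first
     * @param params extended PKIX parameters created by {@link #createPKIXParameters}
     * @param errors receives the errors of the best candidate when none validates
     * @param unresolvedExtensions receives OIDs of unresolved critical extensions of that candidate
     * @param positionDelta offset added to certificate positions so that errors refer to the
     *        full chain ({@code fullChain}) rather than to {@code toCheck}
     * @param fullChain complete chain as given by the caller, used for path building and for
     *        error reporting
     * @return the certificates of the validated path followed by the trust anchor certificate
     *         (a mutable list), or {@code null} when the chain is invalid or the trust anchor
     *         carries no certificate
     * @throws CertificateException when certificate contents can not be parsed
     * @throws IllegalStateException on reviewer initialization problems, or when the reviewer
     *         accepts a path that could not even be built
     */
    protected List<X509Certificate> checkNonProxyChain(X509Certificate[] toCheck, ExtPKIXParameters2 params,
            List<ValidationError> errors, Set<String> unresolvedExtensions, int positionDelta,
            X509Certificate[] fullChain) throws CertificateException {
        List<CertPath> candidatePaths;
        List<ValidationError> buildErrors = null;
        try {
            candidatePaths = new NonValidatingCertPathBuilder().buildPath(params.getBaseBuildParameters(),
                    toCheck[0], fullChain);
        } catch (ValidationErrorException e) {
            // no path could be built: review the chain as given, so that the reviewer's
            // detailed errors are reported instead of the bare build failure
            buildErrors = e.getErrors();
            candidatePaths = Collections.singletonList(CertificateHelpers.toCertPath(toCheck));
        }
        List<ValidationError> bestErrors = null;
        List<?>[] bestRawErrors = null;
        for (CertPath candidate : candidatePaths) {
            FixedBCPKIXCertPathReviewer reviewer;
            try {
                reviewer = new FixedBCPKIXCertPathReviewer(candidate, params);
            } catch (CertPathReviewerException e) {
                throw new IllegalStateException("Can't init PKIXCertPathReviewer, bug?", e);
            }
            if (buildErrors != null && reviewer.isValidCertPath()) {
                throw new IllegalStateException(
                        "PKIXCertPAthReviewer validated while the path was not even build correctly. Build path error: "
                                + buildErrors.get(0));
            }
            List<ValidationError> converted = convertErrors(reviewer.getErrors(), false, positionDelta, fullChain);
            if (converted.isEmpty()) {
                X509Certificate anchorCert = reviewer.getTrustAnchor().getTrustedCert();
                if (anchorCert == null) {
                    return null;
                }
                List<? extends Certificate> pathCerts = candidate.getCertificates();
                List<X509Certificate> resolved = new ArrayList<>(pathCerts.size() + 1);
                for (Certificate c : pathCerts) {
                    resolved.add((X509Certificate) c);
                }
                resolved.add(anchorCert);
                return resolved;
            }
            // remember the candidate with the fewest errors for reporting
            if (bestErrors == null || bestErrors.size() > converted.size()) {
                bestErrors = converted;
                bestRawErrors = reviewer.getErrors();
            }
        }
        if (bestErrors == null) {
            // only reachable when no candidate path was produced at all
            throw new IllegalStateException("PKIXCertPAthReviewer BUG: validationErrors is null, tested chain: "
                    + CertificateUtils.format(toCheck, FormatMode.FULL));
        }
        errors.addAll(bestErrors);
        if (bestRawErrors != null) {
            unresolvedExtensions.addAll(getUnresolvedExtensionons(bestRawErrors));
        }
        return null;
    }

    /**
     * Reviews the proxy part of a chain with the plain BC {@link PKIXCertPathReviewer} plus the
     * {@link PKIXProxyCertificateChecker}. Revocation checking is disabled here: revocation is
     * verified on the non-proxy part, which carries the revocation settings. Errors that a
     * plain PKIX review necessarily raises for proxy issuers are filtered out (see
     * {@link #PROXY_IGNORED_BC_ERROR_IDS}).
     *
     * @param proxyChain proxies followed by their issuing EEC as last element
     * @param trustAnchors anchors for this review (typically only the EEC's issuer)
     * @param errors receives the remaining review errors
     * @param unresolvedExtensions receives OIDs of unresolved critical extensions
     * @throws CertificateException when the chain can not be turned into a {@link CertPath}
     * @throws RuntimeException when the PKIX parameters or the reviewer can not be created
     */
    protected void checkProxyChainWithBC(X509Certificate[] proxyChain, Set<TrustAnchor> trustAnchors,
            List<ValidationError> errors, Set<String> unresolvedExtensions) throws CertificateException {
        CertPath certPath = CertificateHelpers.toCertPath(proxyChain);
        PKIXParameters params;
        try {
            params = new PKIXParameters(trustAnchors);
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Can't init PKIXParameters, bug?", e);
        }
        params.addCertPathChecker(new PKIXProxyCertificateChecker());
        params.setRevocationEnabled(false);
        PKIXCertPathReviewer reviewer;
        try {
            reviewer = new PKIXCertPathReviewer(certPath, params);
        } catch (CertPathReviewerException e) {
            throw new RuntimeException("Can't init PKIXCertPathReviewer, bug?", e);
        }
        List<?>[] reviewerErrors = reviewer.getErrors();
        errors.addAll(convertErrors(reviewerErrors, true, 0, proxyChain));
        unresolvedExtensions.addAll(getUnresolvedExtensionons(reviewerErrors));
    }

    /**
     * Applies the proxy-specific rules to every (issuer, proxy) pair of the proxy chain, walking
     * from the EEC (last element) towards the first element, and enforces proxy path length
     * limits along the way.
     * <p>
     * Path length bookkeeping: the remaining budget starts unlimited; a proxy carrying a limit
     * lower than the current budget resets it to {@code limit - 1}, otherwise a bounded budget
     * is decremented once per proxy. When the budget drops below zero a {@code proxyLength}
     * error is reported for the proxy below and the counting stops. The EEC's own limit is
     * not consulted.
     *
     * @param proxyChain proxies followed by their issuing EEC as last element
     * @param errors receives the detected errors
     * @param unresolvedExtensions unused by this method, kept for the protected signature
     * @param validationDate instant against which proxy validity periods are checked
     * @throws CertificateException when proxy extensions can not be parsed
     */
    protected void checkProxyChainMain(X509Certificate[] proxyChain, List<ValidationError> errors,
            Set<String> unresolvedExtensions, Date validationDate) throws CertificateException {
        int remaining = PROXY_PATH_UNLIMITED;
        int eecIndex = proxyChain.length - 1;
        for (int issuerIdx = eecIndex; issuerIdx > 0; issuerIdx--) {
            int proxyIdx = issuerIdx - 1;
            try {
                checkPairWithProxy(proxyChain[issuerIdx], proxyChain[proxyIdx], errors, proxyIdx, proxyChain,
                        validationDate);
            } catch (CertPathValidatorException ignored) {
                // a fatal problem was already recorded in 'errors' by checkPairWithProxy; stop here
                return;
            }
            if (issuerIdx == eecIndex || remaining == PROXY_PATH_EXHAUSTED) {
                continue;
            }
            try {
                int limit = ProxyHelper.getProxyPathLimit(proxyChain[issuerIdx]);
                if (limit < remaining) {
                    remaining = limit - 1;
                } else if (remaining != PROXY_PATH_UNLIMITED) {
                    remaining--;
                }
            } catch (IOException e) {
                throw new CertificateException("Can't parse the proxy path limit information", e);
            }
            if (remaining < 0) {
                remaining = PROXY_PATH_EXHAUSTED;
                errors.add(new ValidationError(proxyChain, proxyIdx, ValidationErrorCode.proxyLength, new Object[0]));
            }
        }
    }

    /**
     * Checks one (issuer, proxy) pair against the proxy certificate rules. Non-fatal findings
     * are appended to {@code errors}; fatal ones (the "proxy" is not a proxy, the issuer has an
     * empty subject, the proxy subject is malformed) are recorded and then signalled with
     * {@link CertPathValidatorException} so that the caller stops.
     *
     * @param issuer certificate that issued {@code proxy} (a proxy itself, or the EEC)
     * @param proxy the proxy certificate to check
     * @param errors receives the findings
     * @param proxyPosition position of {@code proxy} in {@code proxyChain}; the issuer is at
     *        {@code proxyPosition + 1}
     * @param proxyChain chain the positions refer to
     * @param validationDate instant for the validity check
     * @throws CertPathValidatorException on a fatal finding (already added to {@code errors})
     * @throws CertificateParsingException when certificate extensions can not be parsed
     */
    protected void checkPairWithProxy(X509Certificate issuer, X509Certificate proxy, List<ValidationError> errors,
            int proxyPosition, X509Certificate[] proxyChain, Date validationDate)
            throws CertPathValidatorException, CertificateParsingException {
        int issuerPosition = proxyPosition + 1;
        if (!ProxyUtils.isProxy(proxy)) {
            errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxyEECInChain, new Object[0]));
            throw new CertPathValidatorException();
        }
        // getBasicConstraints() is -1 for a certificate without the CA flag; a proxy must not be a CA
        if (proxy.getBasicConstraints() >= 0) {
            errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxyCASet, new Object[0]));
        }
        if (proxy.getIssuerAlternativeNames() != null) {
            errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxyIssuerAltNameSet, new Object[0]));
        }
        if (proxy.getSubjectAlternativeNames() != null) {
            errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxySubjectAltNameSet, new Object[0]));
        }
        if (issuer.getBasicConstraints() >= 0) {
            errors.add(new ValidationError(proxyChain, issuerPosition, ValidationErrorCode.proxyIssuedByCa, new Object[0]));
        }
        X500Principal issuerSubject = issuer.getSubjectX500Principal();
        if ("".equals(issuerSubject.getName())) {
            errors.add(new ValidationError(proxyChain, issuerPosition, ValidationErrorCode.proxyNoIssuerSubject, new Object[0]));
            throw new CertPathValidatorException();
        }
        if (!X500NameUtils.rfc3280Equal(issuerSubject, proxy.getIssuerX500Principal())) {
            errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxySubjectInconsistent, new Object[0]));
        }
        // keyUsage[0] is digitalSignature; an issuer with a KeyUsage extension lacking it is reported
        boolean[] keyUsage = issuer.getKeyUsage();
        if (keyUsage != null && !keyUsage[0]) {
            errors.add(new ValidationError(proxyChain, issuerPosition, ValidationErrorCode.proxyIssuerNoDsig, new Object[0]));
        }
        checkLastCNNameRule(proxy.getSubjectX500Principal(), issuerSubject, errors, proxyPosition, proxyChain);
        checkProxyTime(proxy, validationDate, proxyChain, errors, proxyPosition);
        // type and limitation consistency is only checked between two proxies, not against the EEC
        if (issuerPosition != proxyChain.length - 1) {
            if (ProxyHelper.getProxyType(issuer) != ProxyHelper.getProxyType(proxy)) {
                errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxyTypeInconsistent, new Object[0]));
            }
            try {
                // a limited proxy must not issue an unlimited one
                if (ProxyHelper.isLimited(issuer) && !ProxyHelper.isLimited(proxy)) {
                    errors.add(new ValidationError(proxyChain, proxyPosition, ValidationErrorCode.proxyInconsistentlyLimited, new Object[0]));
                }
            } catch (IOException e) {
                throw new CertificateParsingException("Can't establish whether the proxy is limited", e);
            }
        }
    }

    /**
     * Checks the proxy's validity period against {@code validationDate}, allowing
     * {@link #PROXY_VALIDATION_GRACE_PERIOD} milliseconds of slack on both ends.
     *
     * @param proxy certificate to check
     * @param validationDate instant to check against
     * @param proxyChain chain the position refers to
     * @param errors receives {@code certificateExpired} / {@code certificateNotYetValid} findings
     * @param position position of {@code proxy} in {@code proxyChain}
     */
    protected void checkProxyTime(X509Certificate proxy, Date validationDate, X509Certificate[] proxyChain,
            List<ValidationError> errors, int position) {
        long now = validationDate.getTime();
        Date notAfter = proxy.getNotAfter();
        Date notBefore = proxy.getNotBefore();
        if (now > notAfter.getTime() + PROXY_VALIDATION_GRACE_PERIOD) {
            errors.add(new ValidationError(proxyChain, position, ValidationErrorCode.certificateExpired, notAfter));
        }
        if (now < notBefore.getTime() - PROXY_VALIDATION_GRACE_PERIOD) {
            errors.add(new ValidationError(proxyChain, position, ValidationErrorCode.certificateNotYetValid, notBefore));
        }
    }

    /**
     * Checks the proxy subject naming rule: the proxy subject must be the issuer subject with
     * exactly one additional, single-valued CN RDN appended.
     *
     * @param proxySubject subject of the proxy
     * @param issuerSubject subject of its issuer
     * @param errors receives the findings
     * @param proxyPosition position of the proxy in {@code proxyChain}; findings are reported
     *        at {@code proxyPosition + 1}, as in the original implementation
     * @param proxyChain chain the position refers to
     * @throws CertPathValidatorException when the proxy subject is structurally wrong (fewer
     *         than two RDNs, multi-valued or non-CN last RDN); the finding is recorded first.
     *         A base name mismatch is reported without throwing.
     */
    protected void checkLastCNNameRule(X500Principal proxySubject, X500Principal issuerSubject,
            List<ValidationError> errors, int proxyPosition, X509Certificate[] proxyChain)
            throws CertPathValidatorException {
        X500Name proxyName = CertificateHelpers.toX500Name(proxySubject);
        X500Name issuerName = CertificateHelpers.toX500Name(issuerSubject);
        RDN[] proxyRdns = proxyName.getRDNs();
        int reportAt = proxyPosition + 1;
        if (proxyRdns.length < 2) {
            errors.add(new ValidationError(proxyChain, reportAt, ValidationErrorCode.proxySubjectOneRDN, new Object[0]));
            throw new CertPathValidatorException();
        }
        RDN lastRdn = proxyRdns[proxyRdns.length - 1];
        if (lastRdn.isMultiValued()) {
            errors.add(new ValidationError(proxyChain, reportAt, ValidationErrorCode.proxySubjectMultiLastRDN, new Object[0]));
            throw new CertPathValidatorException();
        }
        if (!lastRdn.getFirst().getType().equals(BCStyle.CN)) {
            errors.add(new ValidationError(proxyChain, reportAt, ValidationErrorCode.proxySubjectLastRDNNotCN, new Object[0]));
            throw new CertPathValidatorException();
        }
        // the proxy subject without its last CN must equal the issuer subject
        RDN[] baseRdns = Arrays.copyOf(proxyRdns, proxyRdns.length - 1);
        JavaAndBCStyle style = new JavaAndBCStyle();
        if (!style.areEqual(issuerName, new X500Name(style, baseRdns))) {
            errors.add(new ValidationError(proxyChain, reportAt, ValidationErrorCode.proxySubjectBaseWrong, new Object[0]));
        }
    }

    /**
     * Converts the error lists of a BC path reviewer into {@link ValidationError}s.
     * <p>
     * Each element of {@code reviewerErrors} is either a BC {@link ErrorBundle} or a
     * {@link SimpleValidationErrorException}. Slot {@code i} of the array is reported at
     * position {@code i - 1 + positionDelta}; presumably slot 0 holds path-level errors, which
     * thus map to position -1 (the convention used elsewhere in this class for chain-level
     * errors) — confirm against the reviewer.
     *
     * @param reviewerErrors error lists as returned by the reviewer
     * @param ignoreProxyErrors when {@code true}, errors that are expected for a proxy chain
     *        (see {@link #PROXY_IGNORED_BC_ERROR_IDS} and {@link #PROXY_IGNORED_ERROR_CODES})
     *        are skipped
     * @param positionDelta offset added to the certificate positions
     * @param chain chain the positions refer to
     * @return the converted errors, in reviewer order
     */
    protected List<ValidationError> convertErrors(List<?>[] reviewerErrors, boolean ignoreProxyErrors,
            int positionDelta, X509Certificate[] chain) {
        List<ValidationError> ret = new ArrayList<>();
        for (int i = 0; i < reviewerErrors.length; i++) {
            int position = (i - 1) + positionDelta;
            for (Object error : reviewerErrors[i]) {
                if (error instanceof ErrorBundle) {
                    ErrorBundle bundle = (ErrorBundle) error;
                    if (ignoreProxyErrors && PROXY_IGNORED_BC_ERROR_IDS.contains(bundle.getId())) {
                        continue;
                    }
                    ret.add(BCErrorMapper.map(bundle, position, chain));
                } else {
                    SimpleValidationErrorException simple = (SimpleValidationErrorException) error;
                    if (ignoreProxyErrors && PROXY_IGNORED_ERROR_CODES.contains(simple.getCode())) {
                        continue;
                    }
                    ret.add(new ValidationError(chain, position, simple.getCode(), simple.getArguments()));
                }
            }
        }
        return ret;
    }

    /**
     * Collects the OIDs of critical extensions the reviewer could not resolve, from both
     * {@link ErrorBundle} entries (id {@code CertPathReviewer.unknownCriticalExt}) and
     * {@link SimpleValidationErrorException} entries (code {@code unknownCriticalExt}). In both
     * cases the first error argument is expected to be the {@link ASN1ObjectIdentifier}.
     *
     * @param reviewerErrors error lists as returned by the reviewer
     * @return the OIDs as dotted strings (possibly empty)
     */
    protected Set<String> getUnresolvedExtensionons(List<?>[] reviewerErrors) {
        Set<String> oids = new HashSet<>();
        for (List<?> errorList : reviewerErrors) {
            for (Object error : errorList) {
                Object[] arguments = null;
                if (error instanceof ErrorBundle) {
                    ErrorBundle bundle = (ErrorBundle) error;
                    if (bundle.getId().equals("CertPathReviewer.unknownCriticalExt")) {
                        arguments = bundle.getArguments();
                    }
                } else {
                    SimpleValidationErrorException simple = (SimpleValidationErrorException) error;
                    if (simple.getCode().equals(ValidationErrorCode.unknownCriticalExt)) {
                        arguments = simple.getArguments();
                    }
                }
                if (arguments != null) {
                    oids.add(((ASN1ObjectIdentifier) arguments[0]).getId());
                }
            }
        }
        return oids;
    }
}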
