package org.globus.gsi.trustmanager;

import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jena.atlas.lib.Chars;
import org.globus.gsi.util.CertificateUtil;
import org.globus.gsi.util.KeyStoreUtil;

/* loaded from: input_file:BOOT-INF/lib/ssl-proxies-2.1.0.jar:org/globus/gsi/trustmanager/TrustedCertPathFinder.class */
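/**
 * Builds a certificate path from a supplied chain up to a certificate held in a trust store.
 *
 * <p>Security scope. This class only establishes <em>who signed whom</em> and whether the
 * walk ends at a trust-store certificate. A path is accepted when either
 * <ol>
 *   <li>a certificate of the chain is itself present in the trust store (exact certificate
 *       match, not a name match) and carries CA basic constraints, or</li>
 *   <li>the last certificate of the chain is signed by a trust-store certificate whose
 *       subject equals that certificate's issuer.</li>
 * </ol>
 * Every link, including the link to the trust anchor, is checked by verifying the child's
 * signature with the parent's public key. Nothing else is checked here: no validity
 * period, revocation, key usage, path-length, name-constraint or proxy-certificate rules.
 * Callers must run those checks on the returned {@link CertPath} (whose last element is
 * the trust anchor) before relying on it.
 */
public final class TrustedCertPathFinder {
    private static final Log logger = LogFactory.getLog(TrustedCertPathFinder.class.getCanonicalName());

    /** Utility class: not instantiable. */
    private TrustedCertPathFinder() {
    }

    /**
     * Returns a path ending at {@code candidate} if it is an acceptable trust anchor taken
     * from the chain itself, otherwise {@code null}.
     *
     * <p>Two conditions must hold: the exact certificate is in the trust store, and it has
     * CA basic constraints ({@code getBasicConstraints() != -1}). Trust-store membership
     * alone is deliberately not enough — a trusted end-entity certificate in the chain does
     * not terminate the walk; presumably so it cannot act as an anchor for certificates
     * issued beneath it (e.g. proxies) — confirm against the callers.
     *
     * @param keyStore  trust store queried through {@code KeyStoreUtil}
     * @param candidate certificate from the chain being tested as an anchor
     * @param path      certificates verified so far; {@code candidate} is appended on success
     * @return the complete path, or {@code null} if {@code candidate} is not an anchor
     * @throws CertPathValidatorException if the trust store cannot be read or the path
     *         object cannot be generated
     */
    private static CertPath isTrustedCert(KeyStore keyStore, X509Certificate candidate, List<X509Certificate> path)
            throws CertPathValidatorException {
        X509CertSelector exactMatch = new X509CertSelector();
        exactMatch.setCertificate(candidate);
        Collection<? extends Certificate> hits;
        try {
            hits = KeyStoreUtil.getTrustedCertificates(keyStore, exactMatch);
        } catch (KeyStoreException e) {
            throw new CertPathValidatorException("Error accessing trusted certificate store", e);
        }
        if (hits.isEmpty() || candidate.getBasicConstraints() == -1) {
            return null;
        }
        path.add(candidate);
        return generatePath(path);
    }

    /**
     * Walks {@code certPath} from its first certificate towards its issuers and returns a
     * path that ends at a trust-store certificate.
     *
     * <p>Each certificate is first tested as an in-chain anchor (see
     * {@link #isTrustedCert}); otherwise the next certificate must be its issuer and must
     * verify its signature. When the chain is exhausted without reaching an anchor, the
     * trust store is searched for certificates whose subject is the last certificate's
     * issuer, and the first one under whose key the signature verifies is appended as the
     * anchor. Note that, unlike the in-chain case, no basic-constraints check is applied
     * to a store certificate found this way.
     *
     * @param keyStore trust store
     * @param certPath chain to validate, leaf first; every element must be an
     *                 {@link X509Certificate}
     * @return a path whose last element is the trust anchor
     * @throws CertPathValidatorException if the chain is empty, contains a non-X.509
     *         certificate, a signature does not verify, the trust store cannot be read, or
     *         no trust anchor can be reached
     * @throws IllegalArgumentException if a certificate in the chain is not the issuer of
     *         the one before it (see {@link #checkCertificate})
     */
    public static CertPath findTrustedCertPath(KeyStore keyStore, CertPath certPath) throws CertPathValidatorException {
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            // Reject explicitly instead of failing with an index error on get(0).
            throw new CertPathValidatorException("Certificate path is empty");
        }
        int size = certificates.size();
        List<X509Certificate> path = new ArrayList<X509Certificate>(size + 1);

        X509Certificate current = requireX509(certificates.get(0));
        for (int i = 0; ; i++) {
            CertPath anchored = isTrustedCert(keyStore, current, path);
            if (anchored != null) {
                return anchored;
            }
            if (i + 1 >= size) {
                break;
            }
            // Verifies current under the next certificate's key and appends current to path.
            current = checkCertificate(path, current, certificates.get(i + 1));
        }

        // Chain exhausted without an in-chain anchor: the issuer of the last certificate
        // must be in the trust store, and it must actually have signed it.
        X509CertSelector byIssuerName = new X509CertSelector();
        byIssuerName.setSubject(current.getIssuerX500Principal());
        Collection<? extends Certificate> candidates;
        try {
            candidates = KeyStoreUtil.getTrustedCertificates(keyStore, byIssuerName);
        } catch (KeyStoreException e) {
            throw new CertPathValidatorException(e);
        }
        if (candidates.size() < 1) {
            throw new CertPathValidatorException("No trusted path can be constructed");
        }

        boolean anchored = false;
        for (Certificate candidate : candidates) {
            if (!(candidate instanceof X509Certificate)) {
                logger.warn("Skipped a certificate: not an X509Certificate");
                continue;
            }
            try {
                // A name match is not trust: the signature must verify under this key.
                path.add(checkCertificate(path, current, candidate));
                anchored = true;
                break;
            } catch (CertPathValidatorException e) {
                logger.warn("Failed to validate signature of certificate with subject DN '" + current.getSubjectDN()
                        + "' against a CA certificate with issuer DN '"
                        + ((X509Certificate) candidate).getSubjectDN() + "'");
            }
        }
        if (!anchored) {
            throw new CertPathValidatorException("No trusted path can be constructed");
        }
        return generatePath(path);
    }

    /**
     * Verifies that {@code issuerCandidate} issued {@code subject}: the subject's issuer DN
     * must equal the candidate's subject DN (compared in Globus DN form via
     * {@code CertificateUtil.toGlobusID}) and the subject's signature must verify under the
     * candidate's public key. On success appends {@code subject} to {@code path} and returns
     * the candidate so the walk can continue from it.
     *
     * <p>NOTE(review): a DN mismatch is reported as an unchecked
     * {@link IllegalArgumentException} (kept for compatibility), so a peer-supplied chain
     * whose certificates are out of order surfaces to callers as that exception rather than
     * as {@link CertPathValidatorException}. Only signature/key failures become
     * {@code CertPathValidatorException}, and only those are tolerated by the trust-store
     * fallback loop in {@link #findTrustedCertPath}.
     *
     * @param path            certificates verified so far; {@code subject} is appended on success
     * @param subject         certificate whose issuer is being checked
     * @param issuerCandidate supposed issuer; must be an {@link X509Certificate}
     * @return {@code issuerCandidate} as an {@link X509Certificate}
     * @throws CertPathValidatorException if the candidate is not an X.509 certificate or the
     *         signature does not verify under its key
     * @throws IllegalArgumentException if the candidate's subject is not the subject's issuer
     */
    private static X509Certificate checkCertificate(List<X509Certificate> path, X509Certificate subject,
            Certificate issuerCandidate) throws CertPathValidatorException {
        X509Certificate issuer = requireX509(issuerCandidate);
        String expectedIssuer = CertificateUtil.toGlobusID(subject.getIssuerX500Principal());
        String actualSubject = CertificateUtil.toGlobusID(issuer.getSubjectX500Principal());
        if (!expectedIssuer.equals(actualSubject)) {
            throw new IllegalArgumentException(
                    "Incorrect certificate path, certificate in chain can only be issuer of previous certificate");
        }
        try {
            subject.verify(issuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            // verify() declares InvalidKey, NoSuchAlgorithm, NoSuchProvider, Signature and
            // Certificate exceptions; all are GeneralSecurityExceptions and get the same handling.
            throw new CertPathValidatorException("Signature validation on the certificate " + subject.getSubjectDN(), e);
        }
        path.add(subject);
        return issuer;
    }

    /**
     * Narrows a {@link Certificate} to {@link X509Certificate}, failing with a validator
     * exception rather than a {@link ClassCastException} for other certificate types.
     */
    private static X509Certificate requireX509(Certificate certificate) throws CertPathValidatorException {
        if (!(certificate instanceof X509Certificate)) {
            throw new CertPathValidatorException("Certificate of type " + X509Certificate.class.getName() + " required");
        }
        return (X509Certificate) certificate;
    }

    /** Wraps {@code path} in a {@link CertPath}, mapping factory errors to a validator exception. */
    private static CertPath generatePath(List<X509Certificate> path) throws CertPathValidatorException {
        try {
            return CertificateFactory.getInstance("X.509").generateCertPath(path);
        } catch (CertificateException e) {
            throw new CertPathValidatorException("Error generating trusted certificate path", e);
        }
    }
}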
