package org.opensciencegrid.authz.xacml.common;

import java.io.File;
import java.io.IOException;
import java.net.Socket;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.StringTokenizer;
import java.util.Vector;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERString;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509Name;
import org.glite.voms.BasicVOMSTrustStore;
import org.glite.voms.PKIStore;
import org.glite.voms.PKIVerifier;
import org.glite.voms.VOMSAttribute;
import org.glite.voms.VOMSValidator;
import org.glite.voms.ac.ACTrustStore;
import org.glite.voms.ac.ACValidator;
import org.glite.voms.ac.AttributeCertificate;
import org.glite.voms.ac.VOMSTrustStore;
import org.globus.gsi.CertUtil;
import org.globus.gsi.CredentialException;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.X509Credential;
import org.globus.gsi.bc.BouncyCastleUtil;
import org.globus.gsi.bc.X509NameHelper;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.gsi.gssapi.auth.NoAuthorization;
import org.globus.gsi.gssapi.net.GssSocket;
import org.globus.gsi.gssapi.net.GssSocketFactory;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:org/opensciencegrid/authz/xacml/common/X509CertUtil.class */
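/**
 * Static helpers for GSI/X.509 credentials and VOMS attribute certificates.
 *
 * <p>The class owns a lazily built, process-wide {@link VOMSValidator} and
 * {@link ACTrustStore}. Both are created and used under the class monitor
 * ({@code synchronized} static methods), because the shared validator is
 * stateful ({@code setClientChain} followed by {@code parse}/{@code validate}).
 * Callers that fetch the validator through {@link #getVOMSValidatorInstance()}
 * must not drive it concurrently with {@link #getVOMSAttributes}.
 *
 * <p>Several entry points only <em>parse</em> the VOMS attribute certificate
 * and do not check its signature or issuer; see the per-method notes. Only the
 * "validated" variants verify the AC.
 *
 * <p>This source was recovered from compiled classes; a few casts that the
 * decompiler dropped have been restored and are marked.
 */
public class X509CertUtil {
    /** Default host credential and trust-anchor locations. Public, non-final: deployments may override before use. */
    public static String default_service_cert = "/etc/grid-security/hostcert.pem";
    public static String default_service_key = "/etc/grid-security/hostkey.pem";
    public static String default_trusted_cacerts = "/etc/grid-security/certificates";
    // The next fields are never read by this class; kept so its field set is unchanged.
    private static PKIStore caTrustStore = null;
    private static VOMSTrustStore vomsTrustStore = null;
    /** Singleton built by {@link #getACTrustStoreInstance()}; guarded by the class monitor. */
    private static ACTrustStore acTrustStore = null;
    /** Singleton built by {@link #getVOMSValidatorInstance()}; guarded by the class monitor. */
    private static VOMSValidator vomsValidator = null;
    private static ACValidator acValidator = null;
    private static PKIVerifier pkiVerifier = null;
    private static int REFRESH_TIME_MS = 20000;
    /** Refresh period, in ms, requested for the VOMS and CA {@link PKIStore}s (15 minutes). */
    private static final int PKI_STORE_REFRESH_MS = 900000;
    /** Refresh period, in ms, handed to the AC trust store (12 hours); refresh is stopped right after construction. */
    private static final long AC_TRUST_STORE_REFRESH_MS = 43200000L;
    /** Trailing qualifiers that VOMS emits for an unset capability/role; stripped before FQANs are compared. */
    public static final String capnull = "/Capability=NULL";
    public static final int capnulllen = capnull.length();
    public static final String rolenull = "/Role=NULL";
    public static final int rolenulllen = rolenull.length();

    /**
     * Builds a GSI client context from a credential file, trusting the CA
     * certificates under {@link #default_trusted_cacerts}.
     *
     * @param str path of a PEM file holding both certificate and private key
     * @return an initiator context in GSI mode
     * @throws GSSException if the credential cannot be loaded or read
     */
    public static GSSContext getUserContext(String str) throws GSSException {
        return getUserContext(str, default_trusted_cacerts);
    }

    /**
     * Builds a GSI client context from a credential file and a CA directory.
     *
     * <p>The same path is passed as certificate and key file, so {@code str} is
     * expected to be a combined PEM (certificate plus key, e.g. a proxy file).
     *
     * @param str  path of a PEM file holding both certificate and private key
     * @param str2 directory of trusted CA certificates loaded into the context
     * @return an initiator context with {@code GSS_MODE} set to GSI
     * @throws GSSException {@code NO_CRED} when the credential cannot be loaded,
     *         {@code DEFECTIVE_CREDENTIAL} when the files cannot be read; the
     *         original exception is attached as the cause
     */
    public static GSSContext getUserContext(String str, String str2) throws GSSException {
        try {
            X509Credential credential = new X509Credential(str, str);
            GlobusGSSCredentialImpl gssCredential =
                    new GlobusGSSCredentialImpl(credential, GSSCredential.INITIATE_AND_ACCEPT);
            TrustedCertificates trustAnchors = TrustedCertificates.load(str2);
            // Cast restored: the decompiled source assigned the GSSManager result directly.
            ExtendedGSSContext context =
                    (ExtendedGSSContext) ExtendedGSSManager.getInstance().createContext(gssCredential);
            context.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
            context.setOption(GSSConstants.TRUSTED_CERTIFICATES, trustAnchors);
            return context;
        } catch (CredentialException e) {
            throw withCause(new GSSException(GSSException.NO_CRED, 0,
                    "could not load host globus credentials " + e.toString()), e);
        } catch (IOException e) {
            throw withCause(new GSSException(GSSException.DEFECTIVE_CREDENTIAL, 0,
                    "Could not read cert or key " + e.getMessage() + "\n" + e.getCause()), e);
        }
    }

    /** Attaches {@code cause} to a freshly built {@link GSSException}, which has no cause-taking constructor. */
    private static GSSException withCause(GSSException ex, Throwable cause) {
        ex.initCause(cause);
        return ex;
    }

    /**
     * Opens a GSI-wrapped client socket using an already prepared context.
     *
     * <p>The socket is configured with {@link NoAuthorization}: after the GSI
     * handshake the peer's identity is <em>not</em> compared against any
     * expected host name or DN. The peer is accepted as long as its chain
     * validates against the context's trust anchors, so callers that need to
     * pin the server identity must check it themselves.
     *
     * @param str                host to connect to
     * @param i                  TCP port
     * @param extendedGSSContext context used for the handshake (see {@link #getUserContext})
     * @return the connected, wrapped socket
     * @throws Exception propagated from the socket factory
     */
    public static Socket getGsiClientSocket(String str, int i, ExtendedGSSContext extendedGSSContext) throws Exception {
        // Cast restored: the factory is declared to return java.net.Socket.
        GssSocket socket = (GssSocket) GssSocketFactory.getDefault().createSocket(str, i, extendedGSSContext);
        // NOTE(review): literal wrap mode 2 is presumably GssSocket's GSI mode — confirm against the jglobus in use.
        socket.setWrapMode(2);
        socket.setAuthorization(NoAuthorization.getInstance());
        return socket;
    }

    /**
     * Renders a DN given as a vector of RDNs, each RDN being a vector whose
     * first element is a {@code String[]{type, value}} pair, in Globus form
     * ({@code /type=value/type=value...}). Only the first attribute of each RDN
     * is used.
     *
     * @param vector RDN vector as described above (raw type kept for callers)
     * @return the slash-separated DN, empty for an empty vector
     */
    public static String toGlobusID(Vector vector) {
        StringBuilder out = new StringBuilder();
        for (int rdnIndex = 0; rdnIndex < vector.size(); rdnIndex++) {
            Vector rdn = (Vector) vector.elementAt(rdnIndex);
            String[] typeAndValue = (String[]) rdn.elementAt(0);
            out.append('/').append(typeAndValue[0]).append('=').append(typeAndValue[1]);
        }
        return out.toString();
    }

    /**
     * Converts a comma-separated, most-specific-first DN string (the
     * {@code toString()} form of {@code X500Principal}) into Globus form,
     * reversing the order: {@code "CN=x, O=y"} becomes {@code "/O=y/CN=x"}.
     *
     * <p>The split is a plain tokenizer on {@code ','}: a comma inside a quoted
     * or escaped RDN value is split as well, so DNs with such values are not
     * converted faithfully and should not be relied on for comparisons.
     *
     * @param str comma-separated DN
     * @return Globus-style DN, empty for an empty input
     */
    public static String toGlobusDN(String str) {
        StringTokenizer components = new StringTokenizer(str, ",");
        StringBuilder out = new StringBuilder();
        while (components.hasMoreTokens()) {
            // Prepending reverses the component order.
            out.insert(0, "/" + components.nextToken().trim());
        }
        return out.toString();
    }

    /**
     * Returns the subject of the first non-impersonation-proxy certificate in
     * the chain as a Globus-style DN string.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  when true, {@code emailAddress} attributes are omitted
     * @return the subject DN in {@code /type=value...} form
     * @throws Exception if the chain holds no end-entity certificate or cannot be parsed
     */
    public static String getSubjectFromX509Chain(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        TBSCertificateStructure tbs = getUserTBSCertFromX509Chain(x509CertificateArr);
        // Cast restored: getDERObject() is declared with the DERObject supertype.
        return toGlobusString((ASN1Sequence) tbs.getSubject().getDERObject(), z);
    }

    /**
     * Returns the TBS structure of the first non-impersonation-proxy
     * certificate in the chain.
     *
     * <p>The recovered source returned {@code null} here after locating the
     * certificate, which made {@link #getSubjectFromX509Chain} fail with a
     * {@code NullPointerException}; the structure is now actually returned.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the end-entity certificate's TBS structure
     * @throws Exception if no such certificate exists ("could not find clientcert") or decoding fails
     */
    public static TBSCertificateStructure getUserTBSCertFromX509Chain(X509Certificate[] x509CertificateArr) throws Exception {
        return BouncyCastleUtil.getTBSCertificateStructure(getUserCertFromX509Chain(x509CertificateArr));
    }

    /**
     * Returns the first certificate in the chain that is not an impersonation
     * proxy, i.e. the user's end-entity certificate when the chain is leaf-first.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the end-entity certificate
     * @throws Exception if every element is an impersonation proxy, or type detection fails
     */
    public static X509Certificate getUserCertFromX509Chain(X509Certificate[] x509CertificateArr) throws Exception {
        for (X509Certificate cert : x509CertificateArr) {
            if (!isImpersonationProxy(cert)) {
                return cert;
            }
        }
        throw new Exception("could not find clientcert");
    }

    /** True when Globus classifies {@code cert} as an impersonation proxy (any proxy type). */
    private static boolean isImpersonationProxy(X509Certificate cert) throws CertificateException {
        return CertUtil.isImpersonationProxy(BouncyCastleUtil.getCertificateType(cert).getCode());
    }

    /**
     * Latest {@code notBefore} over the proxy certificates and the end-entity
     * certificate. Iteration stops after the first non-proxy certificate, so CA
     * certificates further up the chain are not considered.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the latest {@code notBefore} among the considered certificates
     * @throws Exception if the chain is empty, or type detection fails
     */
    public static Date getLatestNotBefore(X509Certificate[] x509CertificateArr) throws Exception {
        Date latest = null;
        for (X509Certificate cert : x509CertificateArr) {
            Date notBefore = cert.getNotBefore();
            if (latest == null || notBefore.after(latest)) {
                latest = notBefore;
            }
            if (!isImpersonationProxy(cert)) {
                break;
            }
        }
        if (latest == null) {
            throw new Exception("could not find any not-before time in the certificate chain.");
        }
        return latest;
    }

    /**
     * Earliest {@code notAfter} over the proxy certificates and the end-entity
     * certificate; like {@link #getLatestNotBefore}, CA certificates are skipped.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the earliest {@code notAfter} among the considered certificates
     * @throws Exception if the chain is empty, or type detection fails
     */
    public static Date getEarliestNotAfter(X509Certificate[] x509CertificateArr) throws Exception {
        Date earliest = null;
        for (X509Certificate cert : x509CertificateArr) {
            Date notAfter = cert.getNotAfter();
            if (earliest == null || notAfter.before(earliest)) {
                earliest = notAfter;
            }
            if (!isImpersonationProxy(cert)) {
                break;
            }
        }
        if (earliest == null) {
            throw new Exception("could not find any not-after time in the certificate chain.");
        }
        return earliest;
    }

    /**
     * Issuer DN of the end-entity certificate in the chain, in Globus form.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return issuer DN as {@code /type=value...}
     * @throws Exception if no end-entity certificate is found
     */
    public static String getSubjectX509Issuer(X509Certificate[] x509CertificateArr) throws Exception {
        return getSubjectX509Issuer(getUserCertFromX509Chain(x509CertificateArr));
    }

    /**
     * Issuer DN of one certificate, in Globus form. Derived from
     * {@code getIssuerDN().toString()}, whose exact formatting is provider
     * specific; see the caveats on {@link #toGlobusDN}.
     *
     * @param x509Certificate the certificate
     * @return issuer DN as {@code /type=value...}
     * @throws Exception never thrown by this method itself; kept for callers
     */
    public static String getSubjectX509Issuer(X509Certificate x509Certificate) throws Exception {
        return toGlobusDN(x509Certificate.getIssuerDN().toString());
    }

    /**
     * FQANs carried by the VOMS AC in the context's peer certificate chain.
     *
     * @param extendedGSSContext established context to read the chain from
     * @param z                  true to verify the AC, false to parse only (see {@link #getVOMSAttributes})
     * @return FQANs in AC order, see {@link #getFQANSfromVOMSAttributes}
     * @throws Exception if the chain cannot be read or the AC cannot be processed
     */
    public static Collection<String> getFQANsFromContext(ExtendedGSSContext extendedGSSContext, boolean z) throws Exception {
        return getFQANsFromX509Chain(chainFromContext(extendedGSSContext), z);
    }

    /**
     * Same as {@link #getFQANsFromContext(ExtendedGSSContext, boolean)} with
     * validation disabled: the AC is parsed but its signature is not checked.
     *
     * @param extendedGSSContext established context to read the chain from
     * @return unverified FQANs in AC order
     * @throws Exception if the chain cannot be read or the AC cannot be parsed
     */
    public static Collection<String> getFQANsFromContext(ExtendedGSSContext extendedGSSContext) throws Exception {
        return getFQANsFromX509Chain(chainFromContext(extendedGSSContext), false);
    }

    /** Pulls the peer certificate chain out of an established context. */
    private static X509Certificate[] chainFromContext(ExtendedGSSContext context) throws Exception {
        try {
            return (X509Certificate[]) context.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        } catch (GSSException e) {
            throw new Exception("Could not extract certificate chain from context "
                    + e.getMessage() + "\n" + e.getCause(), e);
        }
    }

    /**
     * FQANs from a chain after full AC validation (signature, issuer, validity).
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return validated FQANs in AC order
     * @throws Exception if validation fails or the trust stores cannot be read
     */
    public static Collection<String> getValidatedFQANsFromX509Chain(X509Certificate[] x509CertificateArr) throws Exception {
        return getFQANsFromX509Chain(x509CertificateArr, true);
    }

    /**
     * FQANs from a chain <em>without</em> validating the AC. The values are
     * whatever the AC claims and must not be used for authorization on their
     * own; use {@link #getValidatedFQANsFromX509Chain} for that.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return unverified FQANs in AC order
     * @throws Exception if the AC cannot be parsed
     */
    public static Collection<String> getFQANsFromX509Chain(X509Certificate[] x509CertificateArr) throws Exception {
        return getFQANsFromX509Chain(x509CertificateArr, false);
    }

    /**
     * FQANs from a chain, optionally validating the AC.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  true to validate the AC, false to parse only
     * @return FQANs in AC order, deduplicated as described in {@link #getFQANSfromVOMSAttributes}
     * @throws Exception wrapping any failure; the message is the original exception's
     *         {@code toString()} and the original is kept as the cause
     */
    public static Collection<String> getFQANsFromX509Chain(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        try {
            return getFQANSfromVOMSAttributes(getVOMSAttributes(x509CertificateArr, z));
        } catch (Exception e) {
            throw new Exception(e.toString(), e);
        }
    }

    /**
     * Collects the FQANs of the given {@link VOMSAttribute}s, in order.
     *
     * <p>{@code /Capability=NULL} and {@code /Role=NULL} suffixes are removed.
     * An FQAN is skipped when an already collected entry starts with it, so a
     * bare group is dropped if a role-qualified form of it was seen earlier.
     * Because this is a plain prefix test, a group whose name is a prefix of an
     * earlier sibling (e.g. {@code /vo/ab} after {@code /vo/abc}) is dropped as
     * well; this behaviour is preserved as callers may depend on the exact set.
     *
     * @param list {@link VOMSAttribute}s (raw type kept for callers)
     * @return insertion-ordered set of normalised FQANs
     */
    public static LinkedHashSet<String> getFQANSfromVOMSAttributes(List list) {
        LinkedHashSet<String> fqans = new LinkedHashSet<>();
        for (Object attribute : list) {
            for (Object rawFqan : ((VOMSAttribute) attribute).getFullyQualifiedAttributes()) {
                String fqan = stripNullQualifiers((String) rawFqan);
                if (!hasEntryStartingWith(fqans, fqan)) {
                    fqans.add(fqan);
                }
            }
        }
        return fqans;
    }

    /** True when some element of {@code entries} starts with {@code prefix}. */
    private static boolean hasEntryStartingWith(Collection<String> entries, String prefix) {
        for (String entry : entries) {
            if (entry.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Removes a trailing {@code /Capability=NULL} and then a trailing {@code /Role=NULL}, in that order. */
    private static String stripNullQualifiers(String fqan) {
        String result = fqan;
        if (result.endsWith(capnull)) {
            result = result.substring(0, result.length() - capnulllen);
        }
        if (result.endsWith(rolenull)) {
            result = result.substring(0, result.length() - rolenulllen);
        }
        return result;
    }

    /**
     * The attribute certificate that carries the given FQAN. The AC is parsed
     * only, not validated (see {@link #getVOMSAttribute}).
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param str                FQAN to look for; NULL qualifiers are ignored
     * @return the matching AC
     * @throws Exception if no AC in the chain carries the FQAN (the recovered
     *         source dereferenced {@code null} here), or parsing fails
     */
    public static AttributeCertificate getAttributeCertificate(X509Certificate[] x509CertificateArr, String str) throws Exception {
        VOMSAttribute attribute = getVOMSAttribute(x509CertificateArr, str);
        if (attribute == null) {
            throw new Exception("no VOMS attribute certificate carries FQAN " + str);
        }
        return attribute.getAC();
    }

    /**
     * Finds the first {@link VOMSAttribute} whose FQAN list contains
     * {@code str}, comparing after NULL qualifiers are stripped on both sides.
     *
     * <p>Attributes are obtained with validation disabled, so a match says
     * nothing about whether the AC is genuine.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param str                FQAN to look for (must not be null)
     * @return the matching attribute, or {@code null} if none matches
     * @throws Exception if the AC cannot be parsed
     */
    public static VOMSAttribute getVOMSAttribute(X509Certificate[] x509CertificateArr, String str) throws Exception {
        String wanted = stripNullQualifiers(str);
        for (Object attribute : getVOMSAttributes(x509CertificateArr, false)) {
            VOMSAttribute vomsAttribute = (VOMSAttribute) attribute;
            for (Object rawFqan : vomsAttribute.getFullyQualifiedAttributes()) {
                if (stripNullQualifiers((String) rawFqan).equals(wanted)) {
                    return vomsAttribute;
                }
            }
        }
        return null;
    }

    /**
     * Runs the shared {@link VOMSValidator} over a chain and returns its
     * {@link VOMSAttribute}s.
     *
     * <p>Synchronised on the class because the validator is a shared, stateful
     * singleton: the chain is installed with {@code setClientChain} and then
     * parsed or validated in place.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  true to {@code validate()} (signature/issuer/validity checks),
     *                           false to {@code parse()} only
     * @return the validator's attribute list (raw type kept for callers)
     * @throws Exception wrapping trust-store, CRL or certificate read failures, cause attached
     */
    public static synchronized List getVOMSAttributes(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        try {
            VOMSValidator validator = getVOMSValidatorInstance();
            validator.setClientChain(x509CertificateArr);
            if (z) {
                validator.validate();
            } else {
                validator.parse();
            }
            return validator.getVOMSAttributes();
        } catch (IOException e) {
            throw new Exception("Could not read trust stores " + e.getMessage() + "\n" + e.getCause(), e);
        } catch (CRLException e) {
            throw new Exception("Could not read CRL " + e.getMessage() + "\n" + e.getCause(), e);
        } catch (CertificateException e) {
            throw new Exception("Could not read certificate " + e.getMessage() + "\n" + e.getCause(), e);
        }
    }

    /**
     * Top-level group of an FQAN: {@code "/atlas/prod/Role=x"} yields {@code "/atlas"}.
     *
     * @param str FQAN, may be null
     * @return {@code "/" + first path component} of the FQAN's group, or null for a null input
     */
    public static String parseGroupFromFQAN(String str) {
        if (str == null) {
            return null;
        }
        // FQAN is a sibling class in this package; its getGroup() is assumed non-null here.
        String group = new FQAN(str).getGroup();
        StringTokenizer components = new StringTokenizer(group, "/");
        if (components.hasMoreTokens()) {
            return "/" + components.nextToken();
        }
        return group;
    }

    /**
     * Renders an X.500 name (as an ASN.1 sequence of RDN sets) in Globus form:
     * {@code /type=value} per RDN, attributes of a multi-valued RDN joined by
     * {@code '+'}, unknown attribute types printed as dotted OIDs.
     *
     * <p>With {@code z} true, {@code emailAddress} attributes are left out.
     * Note that a {@code '+'} already written for the preceding attribute is
     * not retracted, so an omitted email at the end of a multi-valued RDN
     * leaves a trailing {@code '+'}; this is the existing output and is kept.
     *
     * @param aSN1Sequence the name, or null
     * @param z            true to omit {@code emailAddress} attributes
     * @return the Globus-style DN, or null when the input is null
     */
    public static String toGlobusString(ASN1Sequence aSN1Sequence, boolean z) {
        if (aSN1Sequence == null) {
            return null;
        }
        StringBuilder out = new StringBuilder();
        Enumeration rdns = aSN1Sequence.getObjects();
        while (rdns.hasMoreElements()) {
            Enumeration attributes = ((ASN1Set) rdns.nextElement()).getObjects();
            boolean separatorWritten = false;
            while (attributes.hasMoreElements()) {
                ASN1Sequence attribute = (ASN1Sequence) attributes.nextElement();
                // Casts restored: the decompiled source used the untyped getObjectAt() results directly.
                DERObjectIdentifier oid = (DERObjectIdentifier) attribute.getObjectAt(0);
                if (z && oid.equals(X509Name.EmailAddress)) {
                    continue;
                }
                if (!separatorWritten) {
                    out.append('/');
                    separatorWritten = true;
                }
                String symbolicName = (String) X509Name.OIDLookUp.get(oid);
                out.append(symbolicName == null ? oid.getId() : symbolicName);
                out.append('=');
                out.append(((DERString) attribute.getObjectAt(1)).getString());
                if (attributes.hasMoreElements()) {
                    out.append('+');
                }
            }
        }
        return out.toString();
    }

    /**
     * Lazily builds the process-wide {@link VOMSValidator}.
     *
     * <p>The VOMS server certificate store is taken from the {@code VOMSDIR}
     * system property (default {@code PKIStore.DEFAULT_VOMSDIR}) and is only
     * created when that directory exists and is non-empty; otherwise a null
     * store is handed to {@link PKIVerifier}, which limits what
     * {@code validate()} can check about the AC issuer. The CA store comes from
     * {@code CADIR} (default {@code PKIStore.DEFAULT_CADIR}) and is mandatory.
     * Both stores are asked to refresh every {@link #PKI_STORE_REFRESH_MS}.
     *
     * @return the shared validator (no client chain installed)
     * @throws IOException          if a store directory cannot be read
     * @throws CertificateException if a stored certificate cannot be parsed
     * @throws CRLException         if a stored CRL cannot be parsed
     */
    public static synchronized VOMSValidator getVOMSValidatorInstance() throws IOException, CertificateException, CRLException {
        if (vomsValidator != null) {
            return vomsValidator;
        }
        String vomsDirProperty = System.getProperty("VOMSDIR");
        String vomsDir = vomsDirProperty == null ? PKIStore.DEFAULT_VOMSDIR : vomsDirProperty;
        PKIStore vomsStore = null;
        File vomsDirFile = new File(vomsDir);
        // File.list() returns null for an unreadable directory; treat that like an empty one
        // instead of failing with a NullPointerException.
        String[] vomsDirEntries = vomsDirFile.isDirectory() ? vomsDirFile.list() : null;
        if (vomsDirEntries != null && vomsDirEntries.length > 0) {
            // NOTE(review): store type 1 is presumably PKIStore's VOMSDIR type — confirm against the glite API in use.
            vomsStore = new PKIStore(vomsDir, 1, true);
            vomsStore.rescheduleRefresh(PKI_STORE_REFRESH_MS);
        }
        String caDirProperty = System.getProperty("CADIR");
        String caDir = caDirProperty == null ? PKIStore.DEFAULT_CADIR : caDirProperty;
        // NOTE(review): store type 2 is presumably PKIStore's CADIR type — confirm against the glite API in use.
        PKIStore caStore = new PKIStore(caDir, 2, true);
        caStore.rescheduleRefresh(PKI_STORE_REFRESH_MS);
        vomsValidator = new VOMSValidator((X509Certificate[]) null,
                new ACValidator(new PKIVerifier(vomsStore, caStore)));
        return vomsValidator;
    }

    /**
     * Lazily builds the process-wide {@link ACTrustStore}, rooted at
     * {@code PKIStore.DEFAULT_CADIR} (the {@code CADIR} property is not
     * consulted here). Its background refresh is stopped immediately, so the
     * store reflects the directory contents at construction time only.
     *
     * @return the shared AC trust store
     * @throws IOException          if the CA directory cannot be read
     * @throws CertificateException if a stored certificate cannot be parsed
     * @throws CRLException         if a stored CRL cannot be parsed
     */
    public static synchronized ACTrustStore getACTrustStoreInstance() throws IOException, CertificateException, CRLException {
        if (acTrustStore != null) {
            return acTrustStore;
        }
        BasicVOMSTrustStore store = new BasicVOMSTrustStore(PKIStore.DEFAULT_CADIR, AC_TRUST_STORE_REFRESH_MS);
        store.stopRefresh();
        acTrustStore = store;
        return acTrustStore;
    }
}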
