package be.fedict.trust;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.x509.X509V2AttributeCertificate;

/* loaded from: input_file:be/fedict/trust/TrustValidator.class */
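/**
 * Validates X.509 certificate paths, and optionally attribute certificates, against a
 * {@link CertificateRepository} of trust points, a set of {@link TrustLinker}s and a set of
 * {@link CertificateConstraint}s.
 *
 * <p>Every validation failure is reported twice: the detailed {@link TrustLinkerResult} is kept
 * in {@link #getResult()} and a {@link CertPathValidatorException} carrying the same message is
 * thrown to the caller. A return without exception means the path (and the attribute
 * certificates, when given) is trusted.
 *
 * <p>Instances are not thread-safe: the last result and the revocation data live in mutable
 * fields.
 */
public class TrustValidator {

    private static final Log LOG = LogFactory.getLog(TrustValidator.class);

    /** OID of md5WithRSAEncryption; rejected in addition to any algorithm name containing "MD5". */
    private static final String MD5_WITH_RSA_OID = "1.2.840.113549.1.1.4";

    private final CertificateRepository certificateRepository;
    private final List<TrustLinker> trustLinkers;
    private final List<CertificateConstraint> certificateConstraints;
    private RevocationData revocationData;
    private TrustLinkerResult result;

    /**
     * Creates a validator without revocation data.
     *
     * @param certificateRepository decides which self-signed root certificates are trust points
     */
    public TrustValidator(CertificateRepository certificateRepository) {
        this(certificateRepository, null);
    }

    /**
     * Creates a validator that hands the given revocation data to every {@link TrustLinker}.
     *
     * @param certificateRepository decides which self-signed root certificates are trust points
     * @param revocationData revocation data passed to the trust linkers, may be {@code null}
     */
    public TrustValidator(CertificateRepository certificateRepository, RevocationData revocationData) {
        this.certificateRepository = certificateRepository;
        this.trustLinkers = new LinkedList<TrustLinker>();
        this.certificateConstraints = new LinkedList<CertificateConstraint>();
        this.revocationData = revocationData;
        this.result = null;
    }

    /**
     * Registers a trust linker; linkers are consulted in registration order for every link in
     * the path.
     *
     * @param trustLinker the linker to add
     */
    public void addTrustLinker(TrustLinker trustLinker) {
        this.trustLinkers.add(trustLinker);
    }

    /**
     * Registers a certificate constraint; constraints are applied to the end-entity certificate
     * after the path has been verified. (The method name lacks the trailing "t" but is kept for
     * API compatibility.)
     *
     * @param certificateConstraint the constraint to add
     */
    public void addCertificateConstrain(CertificateConstraint certificateConstraint) {
        this.certificateConstraints.add(certificateConstraint);
    }

    /**
     * Validates the certificate path at the current time.
     *
     * @param list the certificate path, end entity first, self-signed root last
     * @throws CertPathValidatorException when the path is not trusted; see {@link #getResult()}
     */
    public void isTrusted(List<X509Certificate> list) throws CertPathValidatorException {
        isTrusted(list, new Date());
    }

    /**
     * Validates the certificate path and the attribute certificates at the current time.
     *
     * @param list DER-encoded attribute certificates, may be empty
     * @param list2 the certificate path, end entity first, self-signed root last
     * @throws CertPathValidatorException when the path or an attribute certificate is not trusted
     */
    public void isTrusted(List<byte[]> list, List<X509Certificate> list2) throws CertPathValidatorException {
        isTrusted(list, list2, new Date());
    }

    /**
     * Validates the certificate path, then every attribute certificate in {@code list}.
     *
     * <p>Each attribute certificate is decoded, checked for validity at {@code date}, and its
     * signature is verified with the public key of the second certificate of the path
     * ({@code list2.get(1)}) through the "BC" provider, which must therefore be registered.
     *
     * @param list DER-encoded attribute certificates, may be empty
     * @param list2 the certificate path, end entity first, self-signed root last
     * @param date the validation date
     * @throws CertPathValidatorException when the path or any attribute certificate is not
     *         trusted; the detailed reason is available through {@link #getResult()}
     */
    public void isTrusted(List<byte[]> list, List<X509Certificate> list2, Date date) throws CertPathValidatorException {
        // The X.509 path must be trusted before any attribute certificate is looked at.
        isTrusted(list2, date);
        if (list.isEmpty()) {
            return;
        }
        // Attribute certificates are verified against path element 1, so the path needs two entries.
        if (list2.size() < 2) {
            throw fail(TrustLinkerResultReason.INVALID_TRUST, "Certificate path should at least contain 2 certificates");
        }
        X509Certificate attributeIssuer = list2.get(1);
        for (byte[] encodedAttributeCertificate : list) {
            try {
                X509V2AttributeCertificate attributeCertificate = new X509V2AttributeCertificate(encodedAttributeCertificate);
                // Validate at the caller's date, consistent with the X.509 path check above.
                attributeCertificate.checkValidity(date);
                attributeCertificate.verify(attributeIssuer.getPublicKey(), "BC");
            } catch (IOException e) {
                // Every failure below is fatal: the result is recorded and the exception thrown,
                // so a bad attribute certificate can never be mistaken for a trusted one.
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "IOException: " + e.getMessage());
            } catch (InvalidKeyException e) {
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "InvalidKeyException: " + e.getMessage());
            } catch (NoSuchAlgorithmException e) {
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "NoSuchAlgorithmException: " + e.getMessage());
            } catch (NoSuchProviderException e) {
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "NoSuchProviderException: " + e.getMessage());
            } catch (SignatureException e) {
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "SignatureException: " + e.getMessage());
            } catch (CertificateExpiredException e) {
                throw fail(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "CertificateExpiredException: " + e.getMessage());
            } catch (CertificateNotYetValidException e) {
                throw fail(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "CertificateNotYetValidException: " + e.getMessage());
            } catch (CertificateException e) {
                throw fail(TrustLinkerResultReason.INVALID_SIGNATURE, "CertificateException: " + e.getMessage());
            }
        }
    }

    /**
     * @return the revocation data handed to the trust linkers, may be {@code null}
     */
    public RevocationData getRevocationData() {
        return this.revocationData;
    }

    /**
     * @return the result of the last validation step, {@code null} before any validation ran
     */
    public TrustLinkerResult getResult() {
        return this.result;
    }

    /**
     * Tells whether the certificate is self-signed and its signature verifies under its own key.
     *
     * @param x509Certificate the certificate to test
     * @return {@code true} when {@link #getSelfSignedResult(X509Certificate)} is valid
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) {
        return getSelfSignedResult(x509Certificate).isValid();
    }

    /**
     * Checks that issuer and subject match and that the signature verifies under the
     * certificate's own public key.
     *
     * @param x509Certificate the certificate to test
     * @return a valid result, or an invalid one explaining why the certificate is not self-signed
     */
    public static TrustLinkerResult getSelfSignedResult(X509Certificate x509Certificate) {
        if (!x509Certificate.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "root certificate should be self-signed: " + x509Certificate.getSubjectX500Principal());
        }
        try {
            // Matching names are not enough: the signature must actually verify under the own key.
            x509Certificate.verify(x509Certificate.getPublicKey());
        } catch (GeneralSecurityException e) {
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_SIGNATURE, "certificate signature error: " + e.getMessage());
        }
        return new TrustLinkerResult(true);
    }

    /**
     * Rejects MD5-based signature algorithms, given either by name or as the md5WithRSAEncryption
     * OID. No other algorithm is rejected by this check.
     *
     * @param str the signature algorithm name or OID as reported by the certificate
     * @return a valid result, or an invalid INVALID_SIGNATURE result for MD5-based algorithms
     */
    public static TrustLinkerResult checkSignatureAlgorithm(String str) {
        LOG.debug("validate signature algorithm: " + str);
        boolean md5Based = str.contains("MD5") || str.equals(MD5_WITH_RSA_OID);
        if (md5Based) {
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_SIGNATURE, "Invalid signature algorithm: " + str);
        }
        return new TrustLinkerResult(true);
    }

    /**
     * Validates the certificate path at the given date.
     *
     * <p>The last certificate must be self-signed, use an accepted signature algorithm, be valid
     * at {@code date} and be a trust point of the repository. Every other certificate, walking
     * towards the end entity, must be linked to its issuer by at least one trust linker. The
     * registered constraints are finally applied to the last certificate verified (the end
     * entity, or the root for a single-certificate path).
     *
     * @param list the certificate path, end entity first, self-signed root last
     * @param date the validation date
     * @throws CertPathValidatorException when the path is not trusted; see {@link #getResult()}
     */
    public void isTrusted(List<X509Certificate> list, Date date) throws CertPathValidatorException {
        if (list.isEmpty()) {
            throw fail(TrustLinkerResultReason.INVALID_TRUST, "certificate path is empty");
        }
        int rootIndex = list.size() - 1;
        X509Certificate certificate = list.get(rootIndex);
        LOG.debug("verifying root certificate: " + certificate.getSubjectX500Principal());
        this.result = getSelfSignedResult(certificate);
        if (!this.result.isValid()) {
            LOG.debug("result: " + this.result.getMessage());
            throw new CertPathValidatorException(this.result.getMessage());
        }
        this.result = checkSignatureAlgorithm(certificate.getSigAlgName());
        if (!this.result.isValid()) {
            LOG.debug("result: " + this.result.getMessage());
            throw new CertPathValidatorException(this.result.getMessage());
        }
        checkSelfSignedTrust(certificate, date);
        // Walk from the certificate just below the root down to the end entity at index 0,
        // each time linking the child to the certificate verified in the previous step.
        for (int i = rootIndex - 1; i >= 0; i--) {
            X509Certificate child = list.get(i);
            LOG.debug("verifying certificate: " + child.getSubjectX500Principal());
            checkTrustLink(child, certificate, date);
            certificate = child;
        }
        for (CertificateConstraint certificateConstraint : this.certificateConstraints) {
            String constraintName = certificateConstraint.getClass().getSimpleName();
            LOG.debug("certificate constraint check: " + constraintName);
            if (!certificateConstraint.check(certificate)) {
                throw fail(TrustLinkerResultReason.INVALID_TRUST, "certificate constraint failure: " + constraintName);
            }
        }
        this.result = new TrustLinkerResult(true);
    }

    /**
     * Verifies the link between a certificate and its issuer through the registered trust linkers.
     *
     * <p>A linker returning {@code null} has no opinion; the first invalid result aborts the
     * check; at least one linker must return a valid result for the link to be accepted.
     *
     * @param x509Certificate the child certificate; a {@code null} entry is skipped without error
     * @param x509Certificate2 the issuer certificate verified in the previous step
     * @param date the validation date
     * @throws CertPathValidatorException when the link is rejected or no linker accepted it
     */
    private void checkTrustLink(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws CertPathValidatorException {
        if (null == x509Certificate) {
            // NOTE(review): kept from the original; a null path entry silently skips this link.
            return;
        }
        this.result = checkSignatureAlgorithm(x509Certificate.getSigAlgName());
        if (!this.result.isValid()) {
            throw new CertPathValidatorException(this.result.getMessage());
        }
        boolean linked = false;
        for (TrustLinker trustLinker : this.trustLinkers) {
            LOG.debug("trying trust linker: " + trustLinker.getClass().getSimpleName());
            TrustLinkerResult linkResult = trustLinker.hasTrustLink(x509Certificate, x509Certificate2, date, this.revocationData);
            this.result = linkResult;
            if (null == linkResult) {
                continue;
            }
            if (!linkResult.isValid()) {
                throw new CertPathValidatorException(linkResult.getMessage());
            }
            linked = true;
        }
        if (!linked) {
            throw fail(TrustLinkerResultReason.INVALID_TRUST, "no trust between " + x509Certificate.getSubjectX500Principal() + " and " + x509Certificate2.getSubjectX500Principal());
        }
    }

    /**
     * Checks that the self-signed root is valid at {@code date} and is a trust point of the
     * repository.
     *
     * @param x509Certificate the self-signed root certificate
     * @param date the validation date
     * @throws CertPathValidatorException with reason INVALID_VALIDITY_INTERVAL when the
     *         certificate is expired or not yet valid, INVALID_TRUST when it is not a trust point
     */
    private void checkSelfSignedTrust(X509Certificate x509Certificate, Date date) throws CertPathValidatorException {
        try {
            x509Certificate.checkValidity(date);
        } catch (CertificateException e) {
            // checkValidity(Date) throws CertificateExpiredException / CertificateNotYetValidException.
            throw fail(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate validity error: " + e.getMessage());
        }
        // Kept outside the try so a repository miss is reported as a trust failure,
        // not as a validity-interval failure.
        if (!this.certificateRepository.isTrustPoint(x509Certificate)) {
            throw fail(TrustLinkerResultReason.INVALID_TRUST, "self-signed certificate not in repository: " + x509Certificate.getSubjectX500Principal());
        }
    }

    /**
     * Records an invalid {@link TrustLinkerResult} in {@link #result} and builds the exception
     * carrying its message, to be thrown by the caller.
     *
     * @param reason the failure category
     * @param message the failure detail
     * @return the exception to throw
     */
    private CertPathValidatorException fail(TrustLinkerResultReason reason, String message) {
        this.result = new TrustLinkerResult(false, reason, message);
        return new CertPathValidatorException(this.result.getMessage());
    }

    /**
     * Replaces the revocation data handed to the trust linkers.
     *
     * @param revocationData the new revocation data, may be {@code null}
     */
    public void setRevocationData(RevocationData revocationData) {
        this.revocationData = revocationData;
    }
}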
