package org.opensciencegrid.authz.xacml.common;

import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.OpensslNameUtils;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import org.italiangrid.voms.VOMSAttribute;
import org.italiangrid.voms.VOMSValidators;
import org.italiangrid.voms.ac.VOMSACValidator;
import org.italiangrid.voms.store.VOMSTrustStores;
import org.italiangrid.voms.util.CertificateValidatorBuilder;

/* loaded from: input_file:org/opensciencegrid/authz/xacml/common/X509CertUtil.class */
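public class X509CertUtil {
    // Lazily built, process-wide singletons (see the synchronized getters below).
    // Once built they are never refreshed: REFRESH_TIME_MS is declared but not
    // consulted anywhere in this class.
    private static X509CertChainValidatorExt certChainValidator;
    private static VOMSACValidator vomsValidator;
    private static PEMCredential hostCredential;
    // Fallback host credential paths, used only when the HOSTCERT / HOSTKEY
    // system properties are unset. Public and non-final, so callers may override.
    public static String default_service_cert = "/etc/grid-security/hostcert.pem";
    public static String default_service_key = "/etc/grid-security/hostkey.pem";
    private static int REFRESH_TIME_MS = 20000;
    // VOMS encodes "no role / no capability" as literal NULL components; these
    // suffixes are stripped so that FQANs compare on their meaningful part only.
    public static final String capnull = "/Capability=NULL";
    public static final int capnulllen = capnull.length();
    public static final String rolenull = "/Role=NULL";
    public static final int rolenulllen = rolenull.length();

    /**
     * Converts an RFC 2253 distinguished name into the Globus/OpenSSL
     * slash-separated form.
     *
     * @param str DN in RFC 2253 syntax
     * @return the same DN in "/C=../O=../CN=.." form
     */
    public static String toGlobusDN(String str) {
        return OpensslNameUtils.convertFromRfc2253(str, true);
    }

    /**
     * Returns the Globus-form DN of the original end-entity user behind a
     * (possibly proxy-extended) certificate chain.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  unused; kept for binary/source compatibility
     * @return the end-user DN in Globus form
     * @throws Exception if the chain holds no end-entity certificate
     */
    public static String getSubjectFromX509Chain(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        return toGlobusDN(ProxyUtils.getOriginalUserDN(x509CertificateArr).getName());
    }

    /**
     * Returns the end-entity (non-proxy) user certificate of a chain.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the end-user certificate
     * @throws Exception if the chain holds no end-entity certificate
     */
    public static X509Certificate getUserCertFromX509Chain(X509Certificate[] x509CertificateArr) throws Exception {
        return ProxyUtils.getEndUserCertificate(x509CertificateArr);
    }

    /**
     * Finds the latest notBefore among the proxy certificates and the first
     * non-proxy certificate of the chain; issuing CA certificates further up
     * the chain are not considered.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the latest notBefore of the inspected certificates
     * @throws Exception if the chain is empty
     */
    public static Date getLatestNotBefore(X509Certificate[] x509CertificateArr) throws Exception {
        Date latest = null;
        for (X509Certificate cert : x509CertificateArr) {
            Date notBefore = cert.getNotBefore();
            if (latest == null || notBefore.after(latest)) {
                latest = notBefore;
            }
            // Stop once the end-entity certificate has been seen.
            if (!ProxyUtils.isProxy(cert)) {
                break;
            }
        }
        if (latest == null) {
            throw new Exception("could not find any not-before time in the certificate chain.");
        }
        return latest;
    }

    /**
     * Finds the earliest notAfter among the proxy certificates and the first
     * non-proxy certificate of the chain; issuing CA certificates further up
     * the chain are not considered.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return the earliest notAfter of the inspected certificates
     * @throws Exception if the chain is empty
     */
    public static Date getEarliestNotAfter(X509Certificate[] x509CertificateArr) throws Exception {
        Date earliest = null;
        for (X509Certificate cert : x509CertificateArr) {
            Date notAfter = cert.getNotAfter();
            if (earliest == null || notAfter.before(earliest)) {
                earliest = notAfter;
            }
            // Stop once the end-entity certificate has been seen.
            if (!ProxyUtils.isProxy(cert)) {
                break;
            }
        }
        if (earliest == null) {
            throw new Exception("could not find any not-after time in the certificate chain.");
        }
        return earliest;
    }

    /**
     * Returns the Globus-form issuer DN of the end-entity certificate in a chain.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @return issuer DN of the end-user certificate, in Globus form
     * @throws Exception if the chain holds no end-entity certificate
     */
    public static String getSubjectX509Issuer(X509Certificate[] x509CertificateArr) throws Exception {
        return getSubjectX509Issuer(getUserCertFromX509Chain(x509CertificateArr));
    }

    /**
     * Returns the Globus-form issuer DN of a single certificate.
     *
     * @param x509Certificate the certificate to inspect
     * @return its issuer DN in Globus form
     * @throws Exception never thrown here; declared for API compatibility
     */
    public static String getSubjectX509Issuer(X509Certificate x509Certificate) throws Exception {
        // getIssuerDN() is deprecated in newer JDKs, but its toString() output is
        // what toGlobusDN has always been fed here; switching to
        // getIssuerX500Principal().getName() could change the resulting string.
        return toGlobusDN(x509Certificate.getIssuerDN().toString());
    }

    /**
     * Extracts the de-duplicated FQANs carried by the VOMS attribute
     * certificates of a chain.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  {@code true} to cryptographically validate the
     *                           VOMS attribute certificates against the trust
     *                           stores, {@code false} to merely parse them;
     *                           authorization decisions should use {@code true}
     * @return FQANs in encounter order, with NULL role/capability suffixes removed
     * @throws Exception wrapping any failure; the original exception is kept as cause
     */
    public static Collection<String> getFQANsFromX509Chain(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        try {
            return getFQANSfromVOMSAttributes(getVOMSAttributes(x509CertificateArr, z));
        } catch (Exception e) {
            // Keep the message the callers have seen so far, but preserve the cause.
            throw new Exception(e.toString(), e);
        }
    }

    /**
     * Flattens a list of VOMS attributes into an ordered set of FQANs.
     * Each FQAN has its NULL role/capability suffixes stripped; an FQAN that is
     * a prefix of one already collected (e.g. {@code /vo} after
     * {@code /vo/Role=x}) is skipped, which is the pre-existing behaviour.
     *
     * @param list VOMS attributes; {@code null} is treated as empty
     * @return ordered set of normalized FQANs
     */
    public static LinkedHashSet<String> getFQANSfromVOMSAttributes(List<VOMSAttribute> list) {
        LinkedHashSet<String> fqans = new LinkedHashSet<>();
        if (list == null) {
            return fqans;
        }
        for (VOMSAttribute attribute : list) {
            for (String rawFqan : attribute.getFQANs()) {
                String fqan = stripNullSuffixes(rawFqan);
                boolean alreadyCovered = fqans.stream().anyMatch(existing -> existing.startsWith(fqan));
                if (!alreadyCovered) {
                    fqans.add(fqan);
                }
            }
        }
        return fqans;
    }

    /**
     * Looks up the VOMS attribute whose FQAN list contains the given FQAN
     * (compared after NULL-suffix normalization on both sides).
     * NOTE: the attributes are only parsed, not validated, here; do not rely
     * on the returned attribute for an authorization decision without having
     * validated the chain separately.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param str                FQAN to search for
     * @return the first matching attribute, or {@code null} if none matches
     * @throws Exception if the VOMS attributes cannot be read
     */
    public static VOMSAttribute getVOMSAttribute(X509Certificate[] x509CertificateArr, String str) throws Exception {
        String wanted = stripNullSuffixes(str);
        for (VOMSAttribute attribute : getVOMSAttributes(x509CertificateArr, false)) {
            for (String candidate : attribute.getFQANs()) {
                if (stripNullSuffixes(candidate).equals(wanted)) {
                    return attribute;
                }
            }
        }
        return null;
    }

    /**
     * Removes a trailing "/Capability=NULL" and then a trailing "/Role=NULL"
     * from an FQAN, in that order (so "/vo/Role=NULL/Capability=NULL" becomes
     * "/vo").
     *
     * @param fqan the FQAN to normalize
     * @return the FQAN without NULL suffixes
     */
    private static String stripNullSuffixes(String fqan) {
        String result = fqan;
        if (result.endsWith(capnull)) {
            result = result.substring(0, result.length() - capnulllen);
        }
        if (result.endsWith(rolenull)) {
            result = result.substring(0, result.length() - rolenulllen);
        }
        return result;
    }

    /**
     * Parses, and optionally validates, the VOMS attribute certificates of a chain.
     *
     * @param x509CertificateArr certificate chain, leaf first
     * @param z                  {@code true} to validate, {@code false} to parse only
     * @return the VOMS attributes found
     * @throws Exception wrapping trust-store, CRL or certificate read failures;
     *                   the original exception is kept as cause
     */
    public static List<VOMSAttribute> getVOMSAttributes(X509Certificate[] x509CertificateArr, boolean z) throws Exception {
        try {
            VOMSACValidator validator = getVOMSValidatorInstance();
            if (z) {
                return validator.validate(x509CertificateArr);
            }
            return validator.parse(x509CertificateArr);
        } catch (IOException e) {
            throw new Exception("Could not read trust stores " + e.getMessage() + "\n" + e.getCause(), e);
        } catch (CRLException e) {
            throw new Exception("Could not read CRL " + e.getMessage() + "\n" + e.getCause(), e);
        } catch (CertificateException e) {
            throw new Exception("Could not read certificate " + e.getMessage() + "\n" + e.getCause(), e);
        }
    }

    /**
     * Returns the process-wide VOMS validator, building it on first use.
     * The VOMS trust store is taken from the {@code VOMSDIR} system property
     * when set; otherwise the library default location is used.
     *
     * @return the shared validator
     * @throws IOException          if the trust store cannot be read
     * @throws CertificateException if a trust-store certificate is malformed
     * @throws CRLException         if a CRL cannot be read
     */
    public static synchronized VOMSACValidator getVOMSValidatorInstance() throws IOException, CertificateException, CRLException {
        if (vomsValidator == null) {
            String vomsDir = System.getProperty("VOMSDIR");
            vomsValidator = VOMSValidators.newValidator(
                    vomsDir == null ? VOMSTrustStores.newTrustStore() : VOMSTrustStores.newTrustStore(Arrays.asList(vomsDir)),
                    getCertChainValidator());
        }
        return vomsValidator;
    }

    /**
     * Returns the process-wide X.509 chain validator, building it on first use.
     * Trust anchors are read from the directory named by the {@code CADIR}
     * system property when set; otherwise the builder's default is used.
     *
     * @return the shared chain validator
     */
    public static synchronized X509CertChainValidatorExt getCertChainValidator() {
        if (certChainValidator == null) {
            String caDir = System.getProperty("CADIR");
            CertificateValidatorBuilder builder = new CertificateValidatorBuilder();
            if (caDir != null) {
                builder.trustAnchorsDir(caDir);
            }
            certChainValidator = builder.build();
        }
        return certChainValidator;
    }

    /**
     * Returns the process-wide host credential, loading it on first use from
     * the {@code HOSTKEY} / {@code HOSTCERT} system properties (falling back to
     * {@link #default_service_key} / {@link #default_service_cert}).
     * The key is opened with a {@code null} password, i.e. it is expected to be
     * stored unencrypted.
     *
     * @return the shared host credential
     * @throws CertificateException if the certificate cannot be parsed
     * @throws KeyStoreException    if the credential cannot be assembled
     * @throws IOException          if either file cannot be read
     */
    public static synchronized X509Credential getHostCredential() throws CertificateException, KeyStoreException, IOException {
        if (hostCredential == null) {
            String keyPath = System.getProperty("HOSTKEY", default_service_key);
            String certPath = System.getProperty("HOSTCERT", default_service_cert);
            hostCredential = new PEMCredential(keyPath, certPath, (char[]) null);
        }
        return hostCredential;
    }
}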
