package com.tibco.security;

import com.tibco.security.ocsp.OCSPProvider;
import java.io.PrintStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:com/tibco/security/CertChainVerifier.class */
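/**
 * Validates an X.509 certificate chain against a {@link TrustedCerts} store, completing it from the
 * store when the presented chain does not end in a self-signed certificate.
 *
 * <p>Two modes exist. In the default mode the chain is walked explicitly: every issuer in the
 * presented chain must sign its predecessor and must itself be present in the trusted store, out-of-order
 * certificates are dropped, and missing issuers are looked up by DN in the store. When the system property
 * {@code com.tibco.security.NoExplicitCAChain} is {@code true}, the whole job is delegated to the JDK PKIX
 * {@link CertPathBuilder}/{@link CertPathValidator} instead (see {@link #chain_validate_jdk}).
 *
 * <p>All methods are static and stateless apart from the two system-property flags read at class load.
 * A {@code null} {@link PrintStream} disables progress logging everywhere.
 */
public final class CertChainVerifier {
    /**
     * Value of the system property {@code com.tibco.security.NoExplicitCAChain}. When {@code true},
     * {@link #validateAndCompleteChain} delegates entirely to {@link #chain_validate_jdk}; in that mode the
     * {@code PrintStream}, the {@code OCSPProvider} and the incomplete/ignore-validity flags are not consulted.
     */
    public static final boolean IMPLICIT_CA_CHAIN = Boolean.getBoolean("com.tibco.security.NoExplicitCAChain");

    /**
     * Value of the system property {@code com.tibco.security.CheckRevocation}; passed to
     * {@link PKIXBuilderParameters#setRevocationEnabled(boolean)} on the PKIX path only. It defaults to
     * {@code false}, so PKIX-mode validation does no revocation checking unless the property is set.
     */
    private static final boolean CHECK_REVOCATION = Boolean.getBoolean("com.tibco.security.CheckRevocation");

    /** Message logged and thrown wherever an empty chain is rejected. */
    private static final String EMPTY_CHAIN_MESSAGE = "cert chain is empty";

    /**
     * Equivalent to {@link #validateAndCompleteChain(PrintStream, Cert[], TrustedCerts, String, boolean, OCSPProvider, boolean)}
     * with validity checking enabled ({@code z2 == false}).
     */
    public static Cert[] validateAndCompleteChain(PrintStream printStream, Cert[] certArr, TrustedCerts trustedCerts, String str, boolean z, OCSPProvider oCSPProvider) throws AXSecurityException {
        return validateAndCompleteChain(printStream, certArr, trustedCerts, str, z, oCSPProvider, false);
    }

    /**
     * Validates the presented chain and completes it from the trusted store.
     *
     * <p>Unless {@link #IMPLICIT_CA_CHAIN} is set, each certificate after the first must verify the
     * signature of the certificate before it; a certificate that does not is dropped from the chain and
     * the next one is tried in its place. Every certificate that does sign its predecessor must also be
     * present (by {@link Cert#equals}) in {@code trustedCerts} under the predecessor's issuer DN, otherwise
     * the chain is rejected. The surviving chain is then handed to {@link #completeAndVerifyChain}.
     *
     * @param printStream   progress log, or {@code null} for no logging
     * @param certArr       the presented chain, leaf first; must not be empty
     * @param trustedCerts  trusted store; {@code null} is treated as an empty store
     * @param str           currently unused by this class; retained for API compatibility
     * @param z             allow-incomplete flag: when {@code true}, a chain that cannot be completed from the
     *                      store is returned as far as it could be built instead of raising, and in that case
     *                      it is NOT signature/validity verified (see {@link #completeAndVerifyChain})
     * @param oCSPProvider  optional OCSP validator invoked after the chain verifies; ignored in PKIX mode
     * @param z2            ignore-validity flag passed to {@link X509Verifier#setIgnoreValidity(boolean)}
     * @return the validated (and possibly completed) chain, leaf first
     * @throws AXSecurityException if the chain is empty, contains an untrusted CA, cannot be completed
     *                             (when {@code z} is {@code false}), or fails verification
     */
    public static Cert[] validateAndCompleteChain(PrintStream printStream, Cert[] certArr, TrustedCerts trustedCerts, String str, boolean z, OCSPProvider oCSPProvider, boolean z2) throws AXSecurityException {
        if (certArr == null || certArr.length == 0) {
            log(printStream, EMPTY_CHAIN_MESSAGE);
            throw new AXSecurityException(EMPTY_CHAIN_MESSAGE);
        }
        if (IMPLICIT_CA_CHAIN) {
            // PKIX mode: printStream, str, z, oCSPProvider and z2 are intentionally not used here.
            return chain_validate_jdk(certArr, trustedCerts);
        }
        log(printStream, "validating certificate chain");
        // A null store used to NPE on the first lookup; an empty store makes every CA untrusted instead.
        TrustedCerts store = trustedCerts != null ? trustedCerts : TrustedCertsFactory.createTrustedCerts(new Cert[0]);
        if (certArr.length == 1 && isSelfSigned(certArr[0])) {
            log(printStream, "certificate chain is of length 1 and appears to be self-signed");
            // z2 is forwarded so the ignore-validity flag behaves the same for a lone self-signed
            // certificate as for longer chains (it was previously dropped on this path).
            return completeAndVerifyChain(printStream, certArr, store, str, z, oCSPProvider, z2);
        }
        Cert[] chain = certArr;
        int i = 1;
        while (i < chain.length) {
            Cert subject = chain[i - 1];
            Cert issuer = chain[i];
            if (!isSignedBy(subject, issuer)) {
                log(printStream, "Found a certificate in presented chain that is not in correct order.  Ignoring certificate " + CertUtils.getCertificateDescription(issuer));
                chain = removeAt(chain, i);
                continue; // re-examine whatever moved into slot i
            }
            requireTrusted(printStream, subject.getIssuerDN().getName(), issuer, store);
            i++;
        }
        return completeAndVerifyChain(printStream, chain, store, str, z, oCSPProvider, z2);
    }

    /**
     * Converts the chain to {@link X509Certificate}s and validates it with the JDK PKIX machinery.
     *
     * @param certArr      the presented chain, leaf first
     * @param trustedCerts source of {@link PKIXBuilderParameters} trust anchors
     * @return the built path plus its trust anchor, leaf first
     * @throws AXSecurityException if the chain is empty or PKIX building/validation fails
     */
    public static Cert[] chain_validate_jdk(Cert[] certArr, TrustedCerts trustedCerts) throws AXSecurityException {
        X509Certificate[] x509s = new X509Certificate[certArr.length];
        for (int i = 0; i < certArr.length; i++) {
            x509s[i] = certArr[i].getCertificate();
        }
        return chain_validate_jdk(x509s, trustedCerts, true);
    }

    /**
     * Builds and validates a PKIX path for {@code x509CertificateArr[0]} using the remaining array
     * entries as intermediates and {@code trustedCerts.getTrustAnchors()} as anchors. Revocation checking
     * is controlled solely by {@link #CHECK_REVOCATION}; no OCSP provider is involved on this path.
     *
     * @param x509CertificateArr candidate certificates, target first; must not be empty
     * @param trustedCerts       source of trust anchors
     * @param z                  when {@code false}, only validate and return {@code null}; when {@code true},
     *                           return the built path followed by the trust anchor's certificate
     * @return the validated chain (leaf first, anchor last), or {@code null} when {@code z} is {@code false}
     * @throws AXSecurityException wrapping any failure from the PKIX builder/validator, or if the array is empty
     */
    public static Cert[] chain_validate_jdk(X509Certificate[] x509CertificateArr, TrustedCerts trustedCerts, boolean z) throws AXSecurityException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new AXSecurityException(EMPTY_CHAIN_MESSAGE);
        }
        try {
            // The target is identified by issuer + serial so the builder picks it out of the collection store.
            X509Certificate target = x509CertificateArr[0];
            X509CertSelector selector = new X509CertSelector();
            selector.setSerialNumber(target.getSerialNumber());
            selector.setIssuer(target.getIssuerX500Principal().getEncoded());

            PKIXBuilderParameters params = new PKIXBuilderParameters(trustedCerts.getTrustAnchors(), selector);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509CertificateArr))));
            params.setRevocationEnabled(CHECK_REVOCATION);

            CertPath certPath = ((PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params)).getCertPath();
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
            if (!z) {
                return null;
            }
            List<? extends Certificate> pathCerts = certPath.getCertificates();
            Cert[] chain = new Cert[pathCerts.size() + 1];
            for (int i = 0; i < pathCerts.size(); i++) {
                chain[i] = CertFactory.createCert((X509Certificate) pathCerts.get(i));
            }
            // NOTE(review): assumes anchors are certificate-based; a key-only TrustAnchor yields null here — confirm.
            chain[pathCerts.size()] = CertFactory.createCert(result.getTrustAnchor().getTrustedCert());
            return chain;
        } catch (Exception e) {
            // Boundary: every PKIX failure (and any unexpected runtime failure) is reported as AXSecurityException.
            throw new AXSecurityException(e);
        }
    }

    /**
     * Equivalent to {@link #completeAndVerifyChain(PrintStream, Cert[], TrustedCerts, String, boolean, OCSPProvider, boolean)}
     * with validity checking enabled ({@code z2 == false}).
     */
    public static Cert[] completeAndVerifyChain(PrintStream printStream, Cert[] certArr, TrustedCerts trustedCerts, String str, boolean z, OCSPProvider oCSPProvider) throws AXSecurityException {
        return completeAndVerifyChain(printStream, certArr, trustedCerts, str, z, oCSPProvider, false);
    }

    /**
     * Completes the chain from the trusted store when its last certificate is not self-signed, then
     * verifies it with {@link #verify}.
     *
     * <p>Completion walks issuer by issuer: for the current last certificate, every store entry with the
     * matching issuer DN is tried until one verifies its signature; that entry is appended and the walk
     * continues from it until a self-signed certificate is reached. If no signer is found the chain is
     * incomplete: with {@code z == false} this raises, with {@code z == true} the partially completed
     * chain is returned <em>without</em> verification.
     *
     * <p>NOTE(review): when the presented chain already ends in a self-signed certificate, nothing here
     * checks that this root is present in {@code trustedCerts}; trust of such a root has to be established
     * by the caller.
     *
     * @param printStream   progress log, or {@code null}
     * @param certArr       chain to complete, leaf first; must not be empty
     * @param trustedCerts  trusted store; {@code null} is treated as an empty store
     * @param str           currently unused by this class; retained for API compatibility
     * @param z             allow-incomplete flag (see above)
     * @param oCSPProvider  optional OCSP validator, forwarded to {@link #verify}
     * @param z2            ignore-validity flag, forwarded to {@link #verify}
     * @return the (possibly extended) chain, leaf first
     * @throws AXSecurityException if the chain is empty, cannot be completed while {@code z} is {@code false},
     *                             or fails verification
     */
    public static Cert[] completeAndVerifyChain(PrintStream printStream, Cert[] certArr, TrustedCerts trustedCerts, String str, boolean z, OCSPProvider oCSPProvider, boolean z2) throws AXSecurityException {
        if (certArr == null || certArr.length == 0) {
            log(printStream, EMPTY_CHAIN_MESSAGE);
            throw new AXSecurityException(EMPTY_CHAIN_MESSAGE);
        }
        TrustedCerts store = trustedCerts != null ? trustedCerts : TrustedCertsFactory.createTrustedCerts(new Cert[0]);
        Cert[] chain = certArr;
        boolean complete = true;
        Cert last = chain[chain.length - 1];
        if (!isSelfSigned(last)) {
            log(printStream, "cert chain is incomplete.  Trying to complete from datastore");
            List<Cert> found = new ArrayList<Cert>();
            Cert unresolved = completeFromStore(printStream, last, store, found);
            if (unresolved != null) {
                String message = "could not find trusted CA certificate with DN '" + unresolved.getIssuerDN().getName() + "' that signed certificate with DN '" + unresolved.getSubjectDN().getName() + "'";
                log(printStream, message);
                if (!z) {
                    throw new AXSecurityException(message);
                }
                complete = false;
            }
            chain = concat(chain, found);
        }
        if (complete) {
            verify(printStream, chain, oCSPProvider, z2);
        }
        return chain;
    }

    /**
     * Equivalent to {@link #verify(PrintStream, Cert[], OCSPProvider, boolean)} with validity checking
     * enabled ({@code z == false}).
     */
    public static void verify(PrintStream printStream, Cert[] certArr, OCSPProvider oCSPProvider) throws AXSecurityException {
        verify(printStream, certArr, oCSPProvider, false);
    }

    /**
     * Verifies a complete chain.
     *
     * <p>For a chain of more than one certificate the work is delegated to {@link X509Verifier#verifyChain}
     * with {@code setIgnoreValidity(z)}. A chain of exactly one certificate must be self-signed; it is
     * validity-checked (unless {@code z}) and its signature is verified against its own public key.
     * In both cases {@code oCSPProvider}, when non-null, is then asked to run OCSP validation.
     *
     * <p>NOTE(review): this method receives no trust store, so the single-certificate path only proves the
     * certificate signs itself; it does not prove the certificate is trusted.
     *
     * @param printStream  progress log, or {@code null}
     * @param certArr      chain to verify, leaf first; must not be empty
     * @param oCSPProvider optional OCSP validator
     * @param z            when {@code true}, certificate validity periods are not checked
     * @throws AXSecurityException if the chain is empty, a lone certificate is not self-signed, or any
     *                             signature/validity/OCSP check fails
     */
    public static void verify(PrintStream printStream, Cert[] certArr, OCSPProvider oCSPProvider, boolean z) throws AXSecurityException {
        if (certArr == null || certArr.length == 0) {
            log(printStream, EMPTY_CHAIN_MESSAGE);
            throw new AXSecurityException(EMPTY_CHAIN_MESSAGE);
        }
        try {
            if (certArr.length == 1) {
                log(printStream, "verifying that chain of length 1 contains a self-signed root");
                Cert only = certArr[0];
                if (!isSelfSigned(only)) {
                    log(printStream, "Error: CA or intermediate certificate with DN=" + only.getIssuerDN() + " not found");
                    throw new AXSecurityException("certificate chain is incomplete");
                }
                if (!z) {
                    only.getCertificate().checkValidity();
                }
                only.getCertificate().verify(only.getCertificate().getPublicKey());
            } else {
                log(printStream, "chain length: " + certArr.length);
                X509Verifier verifier = X509Verifier.getInstance();
                verifier.setIgnoreValidity(z);
                verifier.verifyChain(certArr);
            }
            if (oCSPProvider != null) {
                oCSPProvider.doOCSPValidation(printStream, certArr);
            }
            log(printStream, "chain verifies ok");
        } catch (InvalidKeyException e) {
            throw failure(printStream, "the signature of at least one certificate in the chain has an invalid public key", e);
        } catch (NoSuchAlgorithmException e) {
            throw failure(printStream, "the signature of at least one certificate in the chain uses an uninstalled signature algorithm", e);
        } catch (NoSuchProviderException e) {
            throw failure(printStream, "the signature of at least one certificate in the chain uses an uninstalled security provider", e);
        } catch (SignatureException e) {
            throw failure(printStream, "the signature of at least one certificate in the chain could not be verified", e);
        } catch (CertificateException e) {
            throw failure(printStream, "the certificate chain could not be verified", e);
        }
    }

    /** Prints {@code message} when a log stream is configured. */
    private static void log(PrintStream printStream, String message) {
        if (printStream != null) {
            printStream.println(message);
        }
    }

    /** Logs {@code message: cause} and builds the exception to throw for a verification failure. */
    private static AXSecurityException failure(PrintStream printStream, String message, Exception cause) {
        log(printStream, message + ": " + cause);
        return new AXSecurityException(message, cause);
    }

    /** True when the certificate's issuer DN equals its subject DN. */
    private static boolean isSelfSigned(Cert cert) {
        return cert.getIssuerDN().equals(cert.getSubjectDN());
    }

    /**
     * Checks whether {@code issuer}'s public key verifies {@code subject}'s signature.
     *
     * @return {@code false} on a signature mismatch or certificate encoding problem
     * @throws AXSecurityException if the key is invalid or the algorithm/provider is not installed,
     *                             since those are environment problems rather than ordering problems
     */
    private static boolean isSignedBy(Cert subject, Cert issuer) throws AXSecurityException {
        try {
            subject.getCertificate().verify(issuer.getCertificate().getPublicKey());
            return true;
        } catch (SignatureException unused) {
            return false;
        } catch (CertificateException unused) {
            return false;
        } catch (GeneralSecurityException e) {
            // Remaining checked types: InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException.
            throw new AXSecurityException(e);
        }
    }

    /**
     * Requires {@code caCert} to be present (by {@link Cert#equals}) among the store entries filed under
     * {@code issuerName}. Every non-matching entry with that DN is logged and the search continues.
     *
     * @throws AXSecurityException if no store entry equals {@code caCert}
     */
    private static void requireTrusted(PrintStream printStream, String issuerName, Cert caCert, TrustedCerts store) throws AXSecurityException {
        Iterator<Cert> candidates = store.getCertificates(issuerName);
        log(printStream, "looking in datastore for certificate with DN " + issuerName);
        boolean found = false;
        while (candidates.hasNext()) {
            Cert candidate = candidates.next();
            if (caCert.equals(candidate)) {
                log(printStream, "match found");
                found = true;
            } else {
                log(printStream, "CA certificate with correct DN, but fingerprint '" + CertUtils.m6super(candidate.getFingerprint()) + "' found.  Continuing search.");
            }
        }
        if (!found) {
            log(printStream, "No match found");
            String message = "CA certificate " + CertUtils.getCertificateDescription(caCert) + " is not a trusted certificate";
            log(printStream, message);
            throw new AXSecurityException(message);
        }
    }

    /**
     * Walks from {@code start} towards a self-signed root, appending each signer found in the store to
     * {@code found}. For each step the first store entry under the issuer DN whose key verifies the
     * current certificate is taken; the search for that step stops there. A signer that was already
     * collected (a cycle in the store) ends the walk as unresolved.
     *
     * @return {@code null} once a self-signed signer was appended, otherwise the certificate whose signer
     *         could not be found in the store
     */
    private static Cert completeFromStore(PrintStream printStream, Cert start, TrustedCerts store, List<Cert> found) {
        Cert current = start;
        while (true) {
            String issuerName = current.getIssuerDN().getName();
            Iterator<Cert> candidates = store.getCertificates(issuerName);
            log(printStream, "looking in datastore for certificate with DN " + issuerName + "' that signed certificate with DN '" + current.getSubjectDN().getName() + "'");
            Cert signer = null;
            while (signer == null && candidates.hasNext()) {
                Cert candidate = candidates.next();
                try {
                    current.getCertificate().verify(candidate.getCertificate().getPublicKey());
                    log(printStream, "match found");
                    signer = candidate;
                } catch (GeneralSecurityException unused) {
                    // Wrong key, unsupported algorithm, etc.: this entry did not sign `current`, try the next.
                    log(printStream, "Trusted CA certificate with correct DN found, but it didn't sign the certificate in question.  Continuing search.");
                }
            }
            if (signer == null || found.contains(signer)) {
                // No signer, or the store loops back to a certificate already collected: give up here.
                return current;
            }
            found.add(signer);
            if (isSelfSigned(signer)) {
                log(printStream, "last certificate found was self-signed.  Finished completing chain from datastore");
                return null;
            }
            current = signer;
        }
    }

    /** Returns a copy of {@code chain} without the element at {@code index}. */
    private static Cert[] removeAt(Cert[] chain, int index) {
        Cert[] shorter = new Cert[chain.length - 1];
        System.arraycopy(chain, 0, shorter, 0, index);
        System.arraycopy(chain, index + 1, shorter, index, chain.length - index - 1);
        return shorter;
    }

    /** Returns {@code chain} followed by the elements of {@code extra}, in order. */
    private static Cert[] concat(Cert[] chain, List<Cert> extra) {
        Cert[] result = new Cert[chain.length + extra.size()];
        System.arraycopy(chain, 0, result, 0, chain.length);
        for (int i = 0; i < extra.size(); i++) {
            result[chain.length + i] = extra.get(i);
        }
        return result;
    }
}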
