package org.astrogrid.security.rfc3820;

import java.io.IOException;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.i18n.ErrorBundle;
import org.bouncycastle.x509.CertPathReviewerException;
import org.globus.gsi.TrustedCertificates;

/* loaded from: input_file:org/astrogrid/security/rfc3820/CertificateChainValidator.class */
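/**
 * Validates X.509 certificate chains against a set of trust anchors, delegating the
 * path checks to {@code ProxyCertPathReviewer}.
 *
 * <p>A rejected chain is reported with the <em>unchecked</em>
 * {@link AccessControlException}, not with {@link GeneralSecurityException}. Callers that
 * only catch {@code GeneralSecurityException} will not see a rejection; they must let the
 * {@code AccessControlException} propagate or catch it explicitly.
 *
 * <p>Several {@code validate}/{@code validateChain} overloads replace the trust anchors
 * held by this instance before validating. An instance shared between threads can
 * therefore end up validating against anchors installed by another call; no
 * synchronisation is done here.
 */
public class CertificateChainValidator {
    private static final Log log = LogFactory.getLog(CertificateChainValidator.class);

    /** PKIX parameters carrying the current trust anchors; {@code null} until anchors are loaded. */
    private PKIXParameters pkixParameters;

    /**
     * Creates a validator with no trust anchors.
     *
     * <p>NOTE(review): overloads of {@code validate} that do not take trust anchors will
     * hand {@code null} parameters to {@code ProxyCertPathReviewer}. How the reviewer
     * treats that is not visible in this file; confirm that it rejects rather than accepts.
     */
    public CertificateChainValidator() {
        this.pkixParameters = null;
    }

    /**
     * Creates a validator trusting the given certificates.
     *
     * @param list the trust-anchor certificates
     * @throws GeneralSecurityException if the trust anchors cannot be loaded
     */
    public CertificateChainValidator(List<X509Certificate> list) throws GeneralSecurityException {
        loadTrustAnchors(list);
    }

    /**
     * Creates a validator trusting the given certificates.
     *
     * @param x509CertificateArr the trust-anchor certificates
     * @throws GeneralSecurityException if the trust anchors cannot be loaded
     */
    public CertificateChainValidator(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        loadTrustAnchors(x509CertificateArr);
    }

    /**
     * Creates a validator trusting the certificate entries of the given key store.
     *
     * @param keyStore the store holding the trust anchors
     * @throws GeneralSecurityException if PKIX parameters cannot be built from the store
     */
    public CertificateChainValidator(KeyStore keyStore) throws GeneralSecurityException {
        loadTrustAnchors(keyStore);
    }

    /**
     * Validates a chain against the trust anchors currently held by this instance.
     *
     * @param x509CertificateArr the chain to validate
     * @throws GeneralSecurityException if the chain cannot be parsed or the reviewer cannot be set up
     * @throws AccessControlException if the chain is rejected
     */
    public void validate(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        validate(Arrays.asList(x509CertificateArr));
    }

    /**
     * Same as {@link #validate(X509Certificate[])}.
     *
     * @param x509CertificateArr the chain to validate
     * @throws GeneralSecurityException if the chain cannot be parsed or the reviewer cannot be set up
     * @throws AccessControlException if the chain is rejected
     */
    public void validateChain(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        validate(x509CertificateArr);
    }

    /**
     * Replaces this instance's trust anchors with the given set, then validates the chain.
     *
     * @param x509CertificateArr the chain to validate
     * @param trustedCertificates source of the trust anchors; they stay installed afterwards
     * @throws GeneralSecurityException if the anchors cannot be loaded, the chain cannot be
     *     parsed, or the reviewer cannot be set up
     * @throws AccessControlException if the chain is rejected
     */
    public void validateChain(X509Certificate[] x509CertificateArr, TrustedCertificates trustedCertificates) throws GeneralSecurityException {
        loadTrustAnchors(trustedCertificates.getCertificates());
        validate(Arrays.asList(x509CertificateArr));
    }

    /**
     * Replaces this instance's trust anchors with the given certificates, then validates the chain.
     *
     * @param list the chain to validate
     * @param x509CertificateArr the trust anchors; they stay installed afterwards
     * @throws GeneralSecurityException if the anchors cannot be loaded, the chain cannot be
     *     parsed, or the reviewer cannot be set up
     * @throws AccessControlException if the chain is rejected
     */
    public void validate(List<X509Certificate> list, X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        loadTrustAnchors(x509CertificateArr);
        validate(list);
    }

    /**
     * Validates a certification path against the trust anchors currently held by this instance.
     *
     * <p>On rejection the per-certificate errors reported by the reviewer are logged at
     * INFO level before the exception is thrown.
     *
     * @param certPath the path to validate
     * @throws GeneralSecurityException if the reviewer cannot be set up
     * @throws AccessControlException if the reviewer reports the path as invalid
     */
    public void validate(CertPath certPath) throws GeneralSecurityException {
        try {
            ProxyCertPathReviewer reviewer = new ProxyCertPathReviewer(certPath, this.pkixParameters);
            if (reviewer.isValidCertPath()) {
                return;
            }
            logRejection(certPath, reviewer);
            throw new AccessControlException("The certificate chain is invalid.");
        } catch (CertPathReviewerException e) {
            throw new GeneralSecurityException("Failed to set up validation for certificates", e);
        }
    }

    /**
     * Validates a chain, given as a list, against the trust anchors currently held by this instance.
     *
     * @param list the chain to validate, converted to a {@link CertPath} with the "X509" factory
     * @throws GeneralSecurityException if the list cannot be turned into a path or the
     *     reviewer cannot be set up
     * @throws AccessControlException if the reviewer reports the path as invalid
     */
    public void validate(List<X509Certificate> list) throws GeneralSecurityException {
        // Both entry points share one review-and-log path so the diagnostics cannot diverge.
        validate(CertificateFactory.getInstance("X509").generateCertPath(list));
    }

    /** Logs, per certificate index, the errors the reviewer recorded for a rejected path. */
    private void logRejection(CertPath certPath, ProxyCertPathReviewer reviewer) {
        log.info("A certificate chain was rejected.");
        int certificateCount = certPath.getCertificates().size();
        for (int i = 0; i < certificateCount; i++) {
            log.info("Errors in certificate " + i + ":");
            for (Object error : reviewer.getErrors(i)) {
                // Log the readable detail text when available instead of the bundle object itself.
                if (error instanceof ErrorBundle) {
                    log.info(((ErrorBundle) error).getDetail(Locale.getDefault()));
                } else {
                    log.info(error);
                }
            }
        }
    }

    /**
     * Installs the certificate entries of the key store as this instance's trust anchors.
     *
     * @throws GeneralSecurityException if PKIX parameters cannot be built from the store
     */
    private void loadTrustAnchors(KeyStore keyStore) throws GeneralSecurityException {
        this.pkixParameters = new PKIXParameters(keyStore);
        // Revocation checking is switched off on these parameters.
        // NOTE(review): confirm revocation status is enforced elsewhere or is an accepted risk.
        this.pkixParameters.setRevocationEnabled(false);
    }

    /**
     * Installs the given certificates as this instance's trust anchors via an in-memory key store.
     *
     * @throws GeneralSecurityException if the store cannot be created or populated, or PKIX
     *     parameters cannot be built from it
     */
    private void loadTrustAnchors(List<X509Certificate> list) throws GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try {
            keyStore.load(null);
        } catch (IOException e) {
            // Report through the declared checked exception rather than a bare RuntimeException.
            throw new GeneralSecurityException("Failed to initialise the in-memory trust store", e);
        }
        int index = 0;
        for (X509Certificate anchor : list) {
            // The index keeps aliases unique: keyed by subject name alone, two anchors with the
            // same subject would overwrite each other and one would silently stop being trusted.
            String alias = anchor.getSubjectX500Principal().getName() + "#" + index++;
            keyStore.setCertificateEntry(alias, anchor);
        }
        loadTrustAnchors(keyStore);
    }

    /**
     * Installs the given certificates as this instance's trust anchors.
     *
     * @throws GeneralSecurityException if the trust anchors cannot be loaded
     */
    private void loadTrustAnchors(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        loadTrustAnchors(Arrays.asList(x509CertificateArr));
    }
}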
