package es.gob.afirma.util;

import es.gob.afirma.core.AOException;
import es.gob.afirma.core.misc.AOUtil;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;
import javax.naming.ldap.LdapName;

/* loaded from: input_file:es/gob/afirma/util/AOCertVerifier.class */
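/**
 * Validates X.509 certificate chains against a configured set of trust anchors
 * using the JDK PKIX {@link CertPathValidator}.
 *
 * <p>Usage: register one or more root certificates with the
 * {@code addRootCertificate*} methods, optionally configure revocation checking
 * with {@link #enableOCSP} / {@link #disableOCSP}, then call
 * {@link #checkCertificate}. The localized message of the last failure is kept
 * in {@link #getErrorMessage()}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Every anchor added here is trusted unconditionally. Anchors fetched from
 *       a remote URL or from an LDAP directory (plain port 389 by default; this
 *       class configures neither TLS nor client authentication for the LDAP
 *       CertStore) are only as trustworthy as the network path to that server:
 *       anyone able to tamper with that path can inject a CA.</li>
 *   <li>Revocation checking is always switched on for the PKIX validation. When
 *       no revocation source (OCSP responder or CRL) can be consulted the PKIX
 *       validator is expected to reject the chain rather than accept it.</li>
 *   <li>{@link #enableOCSP} and {@link #disableOCSP} write JVM-wide
 *       {@link Security} properties and therefore affect every other user of the
 *       PKIX validator in the same process.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe: {@link #checkCertificate} stores the last
 * error message in an instance field.
 */
public final class AOCertVerifier {
    private static final Logger LOGGER = Logger.getLogger("es.atosorigin");
    private static final int LDAP_DEFAULT_PORT = 389;
    private static final String LDAP_SCHEME = "ldap://";

    /** Trust anchors collected through the {@code addRootCertificate*} methods. */
    private final Set<TrustAnchor> tas = new HashSet<TrustAnchor>();
    /** See {@link #setCheckValidity(boolean)}. */
    private boolean checkValidity = true;
    /** Localized message of the last {@link #checkCertificate} failure; null after a successful call. */
    private String errorMessage = null;

    /**
     * Adds a certificate as a trust anchor.
     *
     * @param x509Certificate root certificate; a null value is logged and ignored
     */
    public void addRootCertificate(final X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            LOGGER.warning("No se pueden anadir certificados nulos");
            return;
        }
        this.tas.add(new TrustAnchor(x509Certificate, null));
    }

    /**
     * Loads a DER/PEM encoded X.509 certificate from a URL and adds it as a trust anchor.
     *
     * <p>Any failure (unreachable URL, unparsable content, non-X.509 certificate) is
     * only logged: the caller gets no signal that the anchor was not added. If the
     * URL is remote, the anchor is trusted without any integrity check of the
     * transfer.
     *
     * @param url location of the certificate; a null value is logged and ignored
     */
    public void addRootCertificate(final URL url) {
        if (url == null) {
            LOGGER.warning("No se pueden anadir certificados desde una URL nula");
            return;
        }
        try {
            final InputStream in = AOUtil.loadFile(url.toURI());
            try {
                final Certificate cert = CertificateFactory.getInstance("X509").generateCertificate(in);
                this.tas.add(new TrustAnchor((X509Certificate) cert, null));
            } finally {
                // The stream is opened here, so it is closed here (the original leaked it).
                in.close();
            }
        } catch (final Exception e) {
            LOGGER.severe("No se pudo crear el certificado desde la URL '" + url.toString() + "': " + e);
        }
    }

    /**
     * Reads one X.509 certificate from the stream and adds it as a trust anchor.
     *
     * <p>The stream belongs to the caller and is not closed here. Failures are only
     * logged, so the caller cannot tell whether the anchor was added.
     *
     * @param inputStream DER/PEM encoded certificate; a null value is logged and ignored
     */
    public void addRootCertificate(final InputStream inputStream) {
        if (inputStream == null) {
            LOGGER.warning("No se pueden anadir certificados nulos");
            return;
        }
        try {
            final Certificate cert = CertificateFactory.getInstance("X509").generateCertificate(inputStream);
            this.tas.add(new TrustAnchor((X509Certificate) cert, null));
        } catch (final Exception e) {
            LOGGER.severe("No se pudo crear el certificado: " + e);
        }
    }

    /**
     * Fetches every certificate whose subject matches {@code ldapName} from an LDAP
     * directory and adds all of them as trust anchors.
     *
     * <p>{@code str} is {@code [ldap://]host[:port][/ignored]}; the port defaults to
     * 389 and an unparsable port falls back to the default with a log entry. IPv6
     * literals are not supported. The lookup is done through the JDK "LDAP"
     * CertStore with no TLS and no authentication configured here, so the
     * returned certificates are trusted on the strength of the network path alone.
     *
     * <p>Fix relative to the previous version: when a port was present the host part
     * was computed and discarded, and the host was replaced with the path following
     * the port (or null), so {@code host:389} never reached the directory.
     *
     * @param str      LDAP server, see above
     * @param ldapName subject DN of the certificates to fetch
     * @throws IllegalArgumentException          if the server or DN is null/empty, or no host can be extracted
     * @throws InvalidAlgorithmParameterException from the CertStore setup
     * @throws NoSuchAlgorithmException           if no "LDAP" CertStore provider is installed
     * @throws IOException                        if the subject DN cannot be parsed by the selector
     * @throws CertStoreException                 if the directory lookup fails
     */
    public void addRootCertificatesFromLdap(final String str, final LdapName ldapName) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException, CertStoreException {
        if (str == null || "".equals(str) || ldapName == null) {
            throw new IllegalArgumentException("No se pueden anadir certificados desde un servidor o una localizacion nula o vacia");
        }
        final String host = ldapHost(str);
        if (host.length() == 0) {
            throw new IllegalArgumentException("No se pueden anadir certificados desde un servidor o una localizacion nula o vacia");
        }
        final int port = ldapPort(str);
        final CertStore store = CertStore.getInstance("LDAP", new LDAPCertStoreParameters(host, port));
        final X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(ldapName.toString());
        for (final Certificate cert : store.getCertificates(bySubject)) {
            this.tas.add(new TrustAnchor((X509Certificate) cert, null));
        }
    }

    /** Strips a leading "ldap://" from the server string, if present. */
    private static String stripScheme(final String server) {
        return server.startsWith(LDAP_SCHEME) ? server.substring(LDAP_SCHEME.length()) : server;
    }

    /** Returns the "host[:port]" part of the server string (scheme and anything from the first '/' removed). */
    private static String authority(final String server) {
        final String noScheme = stripScheme(server);
        final int slash = noScheme.indexOf('/');
        return slash >= 0 ? noScheme.substring(0, slash) : noScheme;
    }

    /** Extracts the host name from {@code [ldap://]host[:port][/path]}; may be empty. */
    static String ldapHost(final String server) {
        final String hostAndPort = authority(server);
        final int colon = hostAndPort.indexOf(':');
        return colon >= 0 ? hostAndPort.substring(0, colon) : hostAndPort;
    }

    /** Extracts the port from {@code [ldap://]host[:port][/path]}; 389 when absent or not a number. */
    static int ldapPort(final String server) {
        final String hostAndPort = authority(server);
        final int colon = hostAndPort.indexOf(':');
        if (colon < 0) {
            return LDAP_DEFAULT_PORT;
        }
        final String portText = hostAndPort.substring(colon + 1);
        try {
            return Integer.parseInt(portText);
        } catch (final NumberFormatException e) {
            LOGGER.severe("El puerto proporcionado (" + portText + ") no es un numero, se usara el puerto por defecto (" + LDAP_DEFAULT_PORT + "): " + e);
            return LDAP_DEFAULT_PORT;
        }
    }

    /**
     * Controls the not-before/not-after check of {@link #checkCertificate}.
     *
     * @param z false to skip the date check when a full chain validation is requested
     *          (the date check still runs when chain validation is not requested)
     */
    public void setCheckValidity(final boolean z) {
        this.checkValidity = z;
    }

    /**
     * Disables OCSP for the PKIX validator of the whole JVM ({@code ocsp.enable=false}).
     * Since {@link #checkCertificate} keeps revocation checking enabled, some other
     * revocation source (e.g. CRLs) must then be available or validation fails.
     */
    public static void disableOCSP() {
        Security.setProperty("ocsp.enable", "false");
    }

    /**
     * Enables OCSP for the PKIX validator of the whole JVM and optionally pins the
     * responder. Each null argument leaves the corresponding JVM property untouched
     * (it keeps whatever value it had).
     *
     * @param url       OCSP responder URL ({@code ocsp.responderURL}); null to keep the current value
     * @param ldapName  responder certificate subject ({@code ocsp.responderCertSubjectName})
     * @param ldapName2 responder certificate issuer ({@code ocsp.responderCertIssuerName})
     * @param str       responder certificate serial number ({@code ocsp.responderCertSerialNumber})
     */
    public static void enableOCSP(final URL url, final LdapName ldapName, final LdapName ldapName2, final String str) {
        Security.setProperty("ocsp.enable", "true");
        if (url != null) {
            Security.setProperty("ocsp.responderURL", url.toString());
        }
        if (ldapName != null) {
            Security.setProperty("ocsp.responderCertSubjectName", ldapName.toString());
        }
        if (ldapName2 != null) {
            Security.setProperty("ocsp.responderCertIssuerName", ldapName2.toString());
        }
        if (str != null) {
            Security.setProperty("ocsp.responderCertSerialNumber", str);
        }
    }

    /**
     * Checks a certificate chain.
     *
     * <p>Two checks are performed, in this order:
     * <ol>
     *   <li>Validity period of every certificate in {@code certificateArr}. Skipped only
     *       when {@link #setCheckValidity(boolean) setCheckValidity(false)} was called
     *       AND {@code z} is true.</li>
     *   <li>When {@code z} is true, PKIX path validation against the registered trust
     *       anchors with revocation checking enabled.</li>
     * </ol>
     * On failure {@link #getErrorMessage()} is set to a localized message and the
     * exception below is thrown.
     *
     * <p>Fix relative to the previous version: the PKIX error handlers were nested, so a
     * {@link CertPathValidatorException} or {@link AOCertificateRevokedException}
     * raised by the validator was caught again by the enclosing handlers, re-wrapped
     * into {@link AOException} with unrelated messages and never reached the caller
     * with the declared type. The handlers are now sequential.
     *
     * @param certificateArr chain, end-entity first, every element an {@link X509Certificate}
     * @param z              true to also run PKIX path validation
     * @throws IllegalArgumentException         if {@code certificateArr} is null
     * @throws CertificateExpiredException      a certificate is past its not-after date
     * @throws CertificateNotYetValidException  a certificate is before its not-before date
     * @throws AOCertificateRevokedException    PKIX reported a revoked certificate
     * @throws CertPathValidatorException       PKIX rejected the chain for another reason
     * @throws AOException                      any other failure (setup errors, unexpected exceptions)
     */
    public void checkCertificate(final Certificate[] certificateArr, final boolean z) throws AOException, CertificateExpiredException, CertificateNotYetValidException, CertPathValidatorException, AOCertificateRevokedException {
        this.errorMessage = null;
        if (certificateArr == null) {
            throw new IllegalArgumentException("La cadena de certificados no puede ser nula");
        }
        if (this.checkValidity || !z) {
            checkDates(certificateArr);
        }
        if (z) {
            validatePath(certificateArr);
        }
    }

    /** Runs {@link X509Certificate#checkValidity()} on every element, mapping failures to error messages. */
    private void checkDates(final Certificate[] chain) throws AOException, CertificateExpiredException, CertificateNotYetValidException {
        for (final Certificate cert : chain) {
            try {
                ((X509Certificate) cert).checkValidity();
            } catch (final CertificateExpiredException e) {
                this.errorMessage = UtilMessages.getString("AOCertVerifier.0");
                throw e;
            } catch (final CertificateNotYetValidException e) {
                this.errorMessage = UtilMessages.getString("AOCertVerifier.1");
                throw e;
            } catch (final Exception e) {
                // Covers null elements and non-X.509 certificates (ClassCastException).
                this.errorMessage = UtilMessages.getString("AOCertVerifier.2");
                throw new AOException(this.errorMessage, e);
            }
        }
    }

    /** PKIX path validation against {@link #tas}; each setup step has its own error message. */
    private void validatePath(final Certificate[] chain) throws AOException, CertPathValidatorException, AOCertificateRevokedException {
        final List<X509Certificate> certs = new ArrayList<X509Certificate>(chain.length);
        for (final Certificate cert : chain) {
            certs.add((X509Certificate) cert);
        }

        final CertPath path;
        try {
            path = CertificateFactory.getInstance("X509").generateCertPath(certs);
        } catch (final Exception e) {
            this.errorMessage = UtilMessages.getString("AOCertVerifier.3");
            throw new AOException(this.errorMessage, e);
        }

        final PKIXParameters params;
        try {
            // Throws if no trust anchor was registered, which ends up as AOCertVerifier.4.
            params = new PKIXParameters(this.tas);
            // Always on: without a reachable OCSP responder or CRL the validator
            // is expected to fail rather than silently skip revocation.
            params.setRevocationEnabled(true);
        } catch (final Exception e) {
            this.errorMessage = UtilMessages.getString("AOCertVerifier.4");
            throw new AOException("Error creando los parametros PKIX", e);
        }

        final CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance("PKIX");
        } catch (final Exception e) {
            this.errorMessage = UtilMessages.getString("AOCertVerifier.5");
            throw new AOException("Error obteniendo un validador PKIX", e);
        }

        try {
            validator.validate(path, params);
        } catch (final CertPathValidatorException e) {
            this.errorMessage = UtilMessages.getString("AOCertVerifier.7");
            final Throwable cause = e.getCause();
            // Matched by simple name to stay loadable on JDKs without
            // java.security.cert.CertificateRevokedException (added in Java 7).
            if (cause == null || !"CertificateRevokedException".equals(cause.getClass().getSimpleName())) {
                throw e;
            }
            throw toRevokedException(cause, e);
        } catch (final Exception e) {
            this.errorMessage = UtilMessages.getString("AOCertVerifier.6");
            throw new AOException("El certificado no ha sido validado", e);
        }
    }

    /**
     * Builds the project's revocation exception, copying date and reason from the
     * JDK's CertificateRevokedException via reflection (best effort, see above).
     */
    private static AOCertificateRevokedException toRevokedException(final Throwable cause, final CertPathValidatorException e) {
        final AOCertificateRevokedException revoked = new AOCertificateRevokedException(UtilMessages.getString("AOCertVerifier.8"), e);
        try {
            revoked.setRevocationDate((Date) invokeGetter(cause, "getRevocationDate"));
        } catch (final Exception ignored) {
            LOGGER.fine("No se pudo obtener la fecha de revocacion: " + ignored);
        }
        try {
            // The JDK getter returns a CRLReason enum, so the former (String) cast
            // always failed silently and the reason was never set; use its name.
            final Object reason = invokeGetter(cause, "getRevocationReason");
            if (reason != null) {
                revoked.setRevocationReason(reason.toString());
            }
        } catch (final Exception ignored) {
            LOGGER.fine("No se pudo obtener el motivo de revocacion: " + ignored);
        }
        return revoked;
    }

    /** Calls the public no-argument method {@code name} on {@code target}. */
    private static Object invokeGetter(final Object target, final String name) throws Exception {
        return target.getClass().getMethod(name, new Class<?>[0]).invoke(target, new Object[0]);
    }

    /**
     * @return localized message of the last {@link #checkCertificate} failure, or null
     *         if the last call succeeded (or none was made)
     */
    public String getErrorMessage() {
        return this.errorMessage;
    }
}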
