package com.wm.security.cert;

import com.wm.security.Util;
import com.wm.security.resources.CertificateExceptionBundle;
import com.wm.util.Config;
import com.wm.util.JournalLogger;
import com.wm.util.LocalizedCertificateException;
import com.wm.util.LocalizedCertificateExpiredException;
import iaik.x509.SimpleChainVerifier;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Vector;

/* loaded from: input_file:com/wm/security/cert/wmChainVerifier.class */
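/**
 * Certificate-chain verifier built on IAIK's {@code SimpleChainVerifier}, adding
 * configurable leniency switches and an index of trusted certificates keyed by subject DN.
 *
 * <p>Two checks are kept separate and a caller needs both:
 * <ul>
 *   <li>{@link #verifyChain(X509Certificate[], boolean)} checks that the array is internally
 *       consistent (issuer/subject links, signatures, extensions, validity dates). It never
 *       consults the trusted-certificate store.</li>
 *   <li>{@link #isTrustedChain(X509Certificate[], boolean)} checks that the array is anchored
 *       in the trusted-certificate store. It never verifies the links between the supplied
 *       certificates.</li>
 * </ul>
 *
 * <p>Security-relevant defaults visible in this class: trust-by-default is {@code true}, so a
 * verifier with no trusted certificates loaded reports every chain as trusted; extension
 * failures and the "check entire chain" switch default to off. Deployments that rely on this
 * class for peer authentication should set these explicitly.
 *
 * <p>Thread-safety is not documented by this class; the mutable flags are plain fields.
 */
public class wmChainVerifier extends SimpleChainVerifier implements Cloneable {
    static final String ALLOW_EXPIRED_CHAINS_PROP = "watt.security.ssl.ignoreExpiredChains";
    // The property name really is spelled "enfor..."; it is a runtime key and must not be "corrected".
    static final String ENFORCE_EXTENSIONS_CHECK_PROP = "wm.security.cert.wmChainVerifier.enforExtensionChecks";
    static final String CHECK_ENTIRE_CHAIN_PROP = "wm.security.cert.wmChainVerifier.checkEntireChain";
    static final String TRUST_BY_DEFAULT_PROP = "watt.security.cert.wmChainVerifier.trustByDefault";
    static final boolean ALLOW_EXPIRED_CHAINS_DEFAULT = false;
    static final boolean ENFORCE_EXTENSIONS_CHECK_DEFAULT = false;
    static final boolean CHECK_ENTIRE_CHAIN_DEFAULT = false;
    // Fail-open default: with an empty trust store isTrustedChain() answers true for any chain.
    static final boolean TRUST_BY_DEFAULT_DEFAULT = true;
    static wmChainVerifier Default;
    static boolean initialized = false;
    // Subject DN -> Vector of trusted X509Certificate sharing that subject DN.
    protected Hashtable _trustedDNs;
    protected boolean _allowExpiredChains;
    protected boolean _enforceExtensionChecks;
    // Stored and exposed through accessors; no method in this class reads it when verifying.
    protected boolean _checkEntireChain;
    protected boolean _trustByDefault;

    /**
     * Creates the shared default verifier and loads its trusted certificates, once.
     * Later calls are no-ops.
     */
    public static void init() {
        if (initialized) {
            return;
        }
        Default = new wmChainVerifier();
        Default.loadDefaultAuthorities();
        initialized = true;
    }

    /**
     * Loads trusted certificates from the directory named by the {@code watt.security.CADir}
     * property. When the property is unset or empty nothing is loaded, which leaves the
     * outcome of {@link #isTrustedChain(X509Certificate[], boolean)} to the trust-by-default flag.
     */
    protected void loadDefaultAuthorities() {
        String caDir = Config.getProperty("watt.security.CADir");
        if (caDir != null && caDir.length() != 0) {
            // NOTE(review): setTrustedCertificates is inherited and not visible here. Confirm it
            // routes through addTrustedCertificate() so that _trustedDNs is populated, and whether
            // it replaces or only adds to the existing store when called again on reload.
            setTrustedCertificates(Util.loadCertificatesFromDir(caDir));
        }
    }

    /** Re-runs {@link #loadDefaultAuthorities()} on the shared default verifier. */
    public static void reloadDefaultAuthorities() {
        getDefault().loadDefaultAuthorities();
    }

    /**
     * Returns the shared default verifier, initializing it first if needed.
     *
     * @return the process-wide default instance
     */
    public static wmChainVerifier getDefault() {
        if (!initialized) {
            init();
        }
        return Default;
    }

    /** Creates a verifier with flags taken from configuration and an empty subject-DN index. */
    public wmChainVerifier() {
        updateFromProperties();
        this._trustedDNs = new Hashtable();
    }

    /** Re-reads the four leniency flags from configuration, applying the declared defaults. */
    public void updateFromProperties() {
        this._allowExpiredChains = flagFromConfig(ALLOW_EXPIRED_CHAINS_PROP, ALLOW_EXPIRED_CHAINS_DEFAULT);
        this._enforceExtensionChecks = flagFromConfig(ENFORCE_EXTENSIONS_CHECK_PROP, ENFORCE_EXTENSIONS_CHECK_DEFAULT);
        this._checkEntireChain = flagFromConfig(CHECK_ENTIRE_CHAIN_PROP, CHECK_ENTIRE_CHAIN_DEFAULT);
        this._trustByDefault = flagFromConfig(TRUST_BY_DEFAULT_PROP, TRUST_BY_DEFAULT_DEFAULT);
    }

    /**
     * Reads one boolean flag: {@code fallback} when the property is absent, otherwise the
     * property's boolean value.
     */
    private static boolean flagFromConfig(String name, boolean fallback) {
        if (Config.getProperty(name) == null) {
            return fallback;
        }
        // NOTE(review): presence is tested through Config but the value is read from JVM system
        // properties (Boolean.getBoolean). If Config is not backed by system properties, a
        // configured "true" is read as false here; confirm the two stores are the same.
        return Boolean.getBoolean(name);
    }

    /** @return whether expired certificates are tolerated by {@code verifyChain} */
    public boolean ignoreExpiredChains() {
        return this._allowExpiredChains;
    }

    /** @return whether extension-check failures are propagated instead of ignored */
    public boolean enforceExtensionChecking() {
        return this._enforceExtensionChecks;
    }

    /** @return the stored "check entire chain" flag */
    public boolean checkEntireChain() {
        return this._checkEntireChain;
    }

    /** @return the answer {@code isTrustedChain} gives when no trusted certificates are loaded */
    public boolean trustByDefault() {
        return this._trustByDefault;
    }

    /** @param z {@code true} to tolerate expired certificates in {@code verifyChain} */
    public void allowExpiredChains(boolean z) {
        this._allowExpiredChains = z;
    }

    /** @param z {@code true} to propagate extension-check failures */
    public void setExtensionChecking(boolean z) {
        this._enforceExtensionChecks = z;
    }

    /** @param z new value of the stored "check entire chain" flag */
    public void checkEntireChain(boolean z) {
        this._checkEntireChain = z;
    }

    /** @param z {@code false} to make an empty trust store reject every chain */
    public void setTrustByDefault(boolean z) {
        this._trustByDefault = z;
    }

    /**
     * Runs the superclass extension check for one certificate of the chain.
     *
     * <p>A failure is rethrown only when extension checking is enforced. Otherwise it is
     * discarded without any log entry, so the certificate is accepted as if the check had
     * passed. What the superclass inspects is not visible here; if it covers critical
     * extensions such as CA constraints, running unenforced weakens chain validation (confirm).
     *
     * @param x509CertificateArr the chain being verified
     * @param i index of the certificate to check
     * @throws CertificateException if the check fails and enforcement is on
     */
    protected void checkExtensions(X509Certificate[] x509CertificateArr, int i) throws CertificateException {
        try {
            super.checkExtensions(x509CertificateArr, i);
        } catch (CertificateException failure) {
            if (!this._enforceExtensionChecks) {
                return;
            }
            JournalLogger.logDebugPlus(2, 7, 9, x509CertificateArr[i].getSubjectDN().toString());
            throw failure;
        }
    }

    /**
     * Checks that a chain is internally consistent. Element {@code n} must be the issuer of
     * element {@code n - 1}; each link's signature is verified, self-issued certificates must
     * verify under their own key, and each certificate passes the extension and validity checks.
     *
     * <p>This method does not decide trust: a consistent chain ending in an unknown root still
     * returns {@code true}. An empty array also returns {@code true}, so callers must reject
     * empty chains themselves and combine the result with {@code isTrustedChain}.
     *
     * @param x509CertificateArr the chain to verify
     * @param z {@code true} if the array is supplied in the opposite order and must be reversed
     * @return {@code true} when no check failed
     * @throws CertificateException if a link is broken, a signature does not verify, an enforced
     *     extension check fails, or a certificate is outside its validity period
     */
    public boolean verifyChain(X509Certificate[] x509CertificateArr, boolean z) throws CertificateException {
        X509Certificate[] chain = z ? inReverseOrder(x509CertificateArr) : x509CertificateArr;
        for (int pos = 0; pos < chain.length; pos++) {
            X509Certificate current = chain[pos];
            if (pos > 0) {
                requireIssuedBy(chain[pos - 1], current);
            }
            if (current.getSubjectDN().equals(current.getIssuerDN())) {
                requireValidSelfSignature(current);
            }
            checkExtensions(chain, pos);
            requireNotExpired(current);
        }
        return true;
    }

    /** Returns a new array holding the same certificates in the opposite order. */
    private static X509Certificate[] inReverseOrder(X509Certificate[] chain) {
        int count = chain.length;
        X509Certificate[] flipped = new X509Certificate[count];
        for (int pos = 0; pos < count; pos++) {
            flipped[pos] = chain[count - 1 - pos];
        }
        return flipped;
    }

    /**
     * Requires that {@code issuer}'s subject DN matches {@code subject}'s issuer DN and that
     * {@code subject}'s signature verifies under {@code issuer}'s public key.
     */
    private void requireIssuedBy(X509Certificate subject, X509Certificate issuer) throws CertificateException {
        try {
            if (!issuer.getSubjectDN().equals(subject.getIssuerDN())) {
                throw new LocalizedCertificateException(CertificateExceptionBundle.class, CertificateExceptionBundle.CERT_CHAIN_BROKEN, "");
            }
            subject.verify(issuer.getPublicKey());
        } catch (CertificateException passThrough) {
            throw passThrough;
        } catch (Exception other) {
            // Signature, key and provider failures are reported as one generic chain error;
            // the underlying cause is not attached to the exception raised here.
            throw new LocalizedCertificateException(CertificateExceptionBundle.class, CertificateExceptionBundle.CERT_ERROR_IN_CHAIN, "");
        }
    }

    /**
     * Requires that a self-issued certificate verifies under its own public key. Signature, key
     * and provider failures are mapped to the same chain error used for link failures, so that
     * only {@code CertificateException} leaves {@code verifyChain}, as its signature declares.
     */
    private void requireValidSelfSignature(X509Certificate cert) throws CertificateException {
        try {
            cert.verify(cert.getPublicKey());
        } catch (CertificateException passThrough) {
            throw passThrough;
        } catch (Exception other) {
            throw new LocalizedCertificateException(CertificateExceptionBundle.class, CertificateExceptionBundle.CERT_ERROR_IN_CHAIN, "");
        }
    }

    /**
     * Requires that the certificate is within its validity period. Only the "expired" outcome
     * can be waived by the allow-expired flag; any other validity failure always propagates.
     */
    private void requireNotExpired(X509Certificate cert) throws CertificateException {
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException expired) {
            if (this._allowExpiredChains) {
                return;
            }
            JournalLogger.logDebugPlus(2, 8, 9, cert.getSubjectDN().toString());
            if (expired.getMessage() == null) {
                // Substitute a localized message naming the subject when the provider gave none.
                throw new LocalizedCertificateExpiredException(CertificateExceptionBundle.class, CertificateExceptionBundle.CERT_EXPIRED, "", cert.getSubjectDN().toString());
            }
            throw expired;
        }
    }

    /**
     * Adds a certificate to the inherited trust store and to the subject-DN index used by
     * {@link #isSignerTrusted(X509Certificate)}. A certificate already indexed is not added twice.
     *
     * @param x509Certificate the certificate to trust
     */
    public void addTrustedCertificate(X509Certificate x509Certificate) {
        super.addTrustedCertificate(x509Certificate);
        Vector sameSubject = (Vector) this._trustedDNs.get(x509Certificate.getSubjectDN());
        if (sameSubject == null) {
            sameSubject = new Vector();
            this._trustedDNs.put(x509Certificate.getSubjectDN(), sameSubject);
        }
        if (!sameSubject.contains(x509Certificate)) {
            sameSubject.addElement(x509Certificate);
        }
    }

    /**
     * Equivalent to {@code isTrustedChain(x509CertificateArr, false)}.
     *
     * @param x509CertificateArr the chain to test, in the order {@code verifyChain} expects
     * @return whether the chain is anchored in the trust store
     * @throws CertificateException if the inherited trust lookup fails
     */
    public boolean isTrustedChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        return isTrustedChain(x509CertificateArr, false);
    }

    /**
     * Decides whether a chain is anchored in the trust store: {@code true} if any supplied
     * certificate is itself trusted, or if the last certificate (after optional reversal) was
     * signed by a trusted certificate.
     *
     * <p>The links between the supplied certificates are not verified here, so a {@code true}
     * result is only meaningful for a chain that also passed {@code verifyChain}. When no trusted
     * certificates are loaded the trust-by-default flag is returned for any input, including an
     * empty chain; with that flag left at its default this accepts every peer.
     *
     * @param x509CertificateArr the chain to test
     * @param z {@code true} if the array is supplied in the opposite order and must be reversed
     * @return whether the chain is considered trusted
     * @throws CertificateException if the inherited trust lookup fails
     */
    public boolean isTrustedChain(X509Certificate[] x509CertificateArr, boolean z) throws CertificateException {
        if (this.signers == null || this.signers.size() == 0) {
            return trustByDefault();
        }
        // A missing or empty chain has nothing to anchor: answer "not trusted" rather than
        // failing with a NullPointerException or an out-of-range index on the last element.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return false;
        }
        X509Certificate[] chain = z ? inReverseOrder(x509CertificateArr) : x509CertificateArr;
        for (X509Certificate candidate : chain) {
            if (isTrustedCertificate(candidate)) {
                return true;
            }
        }
        return isSignerTrusted(chain[chain.length - 1]);
    }

    /**
     * Tests whether a certificate's signature verifies under the public key of any trusted
     * certificate whose subject DN equals the certificate's issuer DN.
     *
     * @param x509Certificate the certificate whose issuer is looked up; may be {@code null}
     * @return {@code true} if some trusted certificate with a matching DN signed it
     */
    public boolean isSignerTrusted(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return false;
        }
        Vector candidates = (Vector) this._trustedDNs.get(x509Certificate.getIssuerDN());
        if (candidates == null || candidates.size() == 0) {
            return false;
        }
        int count = candidates.size();
        for (int pos = 0; pos < count; pos++) {
            X509Certificate issuer = (X509Certificate) candidates.elementAt(pos);
            try {
                x509Certificate.verify(issuer.getPublicKey());
                return true;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException ignored) {
                // Deliberate: several trusted certificates can share a subject DN (for example
                // after a key rollover), so a failed verification only rules out this candidate.
            }
        }
        return false;
    }

    /**
     * Returns an independent copy of this verifier: same flags, and trust stores that can be
     * modified without affecting the original.
     *
     * @return a new {@code wmChainVerifier}
     */
    public Object clone() {
        wmChainVerifier copy = new wmChainVerifier();
        // isTrustedChain() treats a null signers table as possible, so do not dereference it
        // blindly; in that case the copy keeps whatever its constructor set up.
        // NOTE(review): the values held in the inherited signers table are still shared with
        // the original; their type is not visible from this class.
        if (this.signers != null) {
            copy.signers = (Hashtable) this.signers.clone();
        }
        // Hashtable.clone() is shallow: the per-DN Vectors would stay shared, so trusting a
        // certificate on the copy would also extend the original's DN index. Copy each Vector.
        Hashtable dnIndex = new Hashtable();
        synchronized (this._trustedDNs) {
            // Hashtable locks on itself, so this keeps the snapshot as atomic as clone() was.
            for (Object dn : this._trustedDNs.keySet()) {
                dnIndex.put(dn, ((Vector) this._trustedDNs.get(dn)).clone());
            }
        }
        copy._trustedDNs = dnIndex;
        copy._allowExpiredChains = this._allowExpiredChains;
        copy._checkEntireChain = this._checkEntireChain;
        copy._enforceExtensionChecks = this._enforceExtensionChecks;
        copy._trustByDefault = this._trustByDefault;
        return copy;
    }

    // Must stay below the static field initializers: they run in textual order, and
    // "initialized = false" placed after this block would undo the initialization.
    static {
        init();
    }
}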
