package com.sun.identity.security.cert;

import com.sun.identity.security.SecurityDebug;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Vector;
import org.forgerock.openam.utils.StringUtils;

/* loaded from: input_file:com/sun/identity/security/cert/AMCertPath.class */
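public class AMCertPath {
    /** Shared X.509 certificate factory; {@code null} if the static initializer failed. */
    private static CertificateFactory cf;
    /** Shared PKIX path validator; {@code null} if the static initializer failed. */
    private static CertPathValidator cpv;
    /** Collection-backed store of the CRLs handed to the constructor, or {@code null} if none were given. */
    private final CertStore store;
    private static Debug debug = SecurityDebug.debug;
    /** JVM-wide security property the JDK's PKIX revocation checker reads to decide whether to use OCSP. */
    private static final String OCSP_ENABLE = "ocsp.enable";
    /** JVM-wide security property naming the OCSP responder the JDK's revocation checker contacts. */
    private static final String OCSP_RESPONDER_URL = "ocsp.responderURL";
    private static final String TRUE = "true";
    private static final String FALSE = "false";
    /** OpenAM system property holding the configured OCSP responder URL. */
    private static final String OCSP_RESPONDER_PROPERTY = "com.sun.identity.authentication.ocsp.responder.url";

    /**
     * Builds a validation context over an optional set of CRLs.
     *
     * @param vector the {@link X509CRL}s to consult during CRL-based revocation checking;
     *               {@code null} or empty means no CRL store is attached
     * @throws NoSuchAlgorithmException if the "Collection" CertStore type is unavailable
     * @throws InvalidAlgorithmParameterException if the provider rejects the CRL collection
     */
    public AMCertPath(Vector<?> vector) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        if (vector == null || vector.isEmpty()) {
            this.store = null;
            if (debug.messageEnabled()) {
                debug.message("AMCertPath:AMCertPath: no crl");
            }
            return;
        }
        if (debug.messageEnabled()) {
            // Only the first entry is logged; an X509CRL's toString() can be very large.
            debug.message("AMCertPath:AMCertPath: crl =" + vector.elementAt(0));
        }
        CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(vector);
        // Lock kept from the original; presumably guards a non-thread-safe provider lookup — TODO confirm.
        synchronized (AMCertPath.class) {
            this.store = CertStore.getInstance("Collection", crlParams);
        }
    }

    /**
     * Validates a certificate chain against the OpenAM trust store with the JDK's PKIX validator.
     *
     * <p>The chain must be leaf-first, as {@link CertificateFactory#generateCertPath} requires.
     * CRL-based revocation checking uses the CRLs given to the constructor; OCSP uses the responder
     * named by the {@code com.sun.identity.authentication.ocsp.responder.url} system property.
     *
     * <p>Every failure — PKIX rejection, misconfiguration, provider error, or anything unexpected —
     * is reported as {@code false}; this method never throws.
     *
     * @param x509CertificateArr the chain to validate, leaf first; {@code null} or empty is rejected
     * @param z  whether CRL-based revocation checking is enabled ({@code crlEnabled})
     * @param z2 whether OCSP-based revocation checking is enabled ({@code ocspEnabled})
     * @return {@code true} only if the PKIX validator accepted the chain
     */
    public boolean verify(X509Certificate[] x509CertificateArr, boolean z, boolean z2) {
        // Serialised because the OCSP switches are JVM-wide Security properties rather than per-call
        // parameters: concurrent verify() calls with different flags would otherwise race on
        // ocsp.enable / ocsp.responderURL. NOTE(review): the lock only covers callers of this class;
        // any other PKIX validation in the same JVM reads the same properties and may observe
        // whatever the most recent verify() left behind.
        synchronized (AMCertPath.class) {
            if (debug.messageEnabled()) {
                debug.message("AMCertPath.verify: invoked !");
            }
            if (cf == null || cpv == null) {
                // Static init failed; fail closed explicitly instead of via a caught NPE.
                debug.error("AMCertPath.verify: FAILED - X509/PKIX providers unavailable (see static init error)");
                return false;
            }
            if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                debug.error("AMCertPath.verify: FAILED - empty certificate chain");
                return false;
            }
            try {
                CertPath certPath = cf.generateCertPath(Arrays.asList(x509CertificateArr));
                PKIXParameters pkixParams = new PKIXParameters(loadTrustStore());
                if (debug.messageEnabled()) {
                    debug.message("AMCertPath.verify: crlEnabled ---> " + z);
                    debug.message("AMCertPath.verify: ocspEnabled ---> " + z2);
                }
                if (!configureRevocation(pkixParams, z, z2)) {
                    return false;
                }
                if (this.store != null) {
                    pkixParams.addCertStore(this.store);
                }
                if (debug.messageEnabled()) {
                    StringBuilder sb = new StringBuilder("The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator: \n");
                    sb.append("\tgetInitialPolicies: ").append(pkixParams.getInitialPolicies()).append('\n');
                    sb.append("\tisExplicitPolicyRequired: ").append(pkixParams.isExplicitPolicyRequired()).append('\n');
                    sb.append("\tisPolicyMappingInhibited: ").append(pkixParams.isPolicyMappingInhibited()).append('\n');
                    debug.message(sb.toString());
                }
                CertPathValidatorResult result = cpv.validate(certPath, pkixParams);
                if (debug.messageEnabled()) {
                    debug.message("AMCertPath.verify: PASS " + result.toString());
                }
            } catch (CertPathValidatorException e) {
                // Narrow catch first so a PKIX rejection gets its own message; the original's
                // catch-Throwable sat inside this one and made this branch unreachable.
                debug.error("AMCertPath.verify: FAILED - " + e.getMessage());
                if (debug.messageEnabled()) {
                    debug.message("AMCertPath.verify: FAILED", e);
                }
                return false;
            } catch (Throwable th) {
                // Fail closed on anything else (reflection failures, provider errors, ...).
                debug.error("AMCertPath.verify: FAILED", th);
                return false;
            }
        }
        return true;
    }

    /**
     * Loads the OpenAM trust store through {@code AMX509TrustManager.getKeyStore()}.
     *
     * The class is resolved reflectively, as in the original — presumably to avoid a compile-time
     * dependency on the keystore package (TODO confirm); a direct reference would be clearer if that
     * dependency is acceptable.
     *
     * @throws ReflectiveOperationException if the class, constructor or method cannot be resolved or invoked
     */
    private static KeyStore loadTrustStore() throws ReflectiveOperationException {
        Class<?> cls = Class.forName("com.sun.identity.security.keystore.AMX509TrustManager");
        Object trustManager = cls.getDeclaredConstructor().newInstance();
        return (KeyStore) cls.getMethod("getKeyStore").invoke(trustManager);
    }

    /**
     * Applies the CRL/OCSP switches to {@code pkixParams} and to the JVM-wide OCSP security properties.
     *
     * @param pkixParams  the parameters being built for the validator
     * @param crlEnabled  whether CRL-based revocation checking was requested
     * @param ocspEnabled whether OCSP-based revocation checking was requested
     * @return {@code false} if OCSP was requested but the configured responder URL is unparsable; the
     *         caller must then reject the chain. The global properties are left untouched in that case.
     */
    private static boolean configureRevocation(PKIXParameters pkixParams, boolean crlEnabled, boolean ocspEnabled) {
        if (!ocspEnabled) {
            pkixParams.setRevocationEnabled(crlEnabled);
            Security.setProperty(OCSP_ENABLE, FALSE);
            if (debug.messageEnabled()) {
                debug.message("AMCertPath.verify: pkixparams Security property ocsp.enabled set to false.");
            }
            return true;
        }
        String responderUrl = getResponderURLString();
        if (StringUtils.isBlank(responderUrl)) {
            // Deliberate fallback kept from the original: OCSP on but no responder configured means
            // CRL-only checking. NOTE(review): with crlEnabled == false this validates with no
            // revocation check at all while the operator believes OCSP is active; only the error
            // log below signals it.
            pkixParams.setRevocationEnabled(crlEnabled);
            Security.setProperty(OCSP_ENABLE, FALSE);
            debug.error("AMCertPath.verify: OCSP is enabled, but the com.sun.identity.authentication.ocsp.responder.url property does not specify a OCSP responder. OCSP checking will NOT be performed.");
            return true;
        }
        if (!isWellFormedUrl(responderUrl)) {
            // A configured-but-broken responder URL is a misconfiguration: fail closed rather than
            // publish an unusable URL JVM-wide and rely on the validator choking on it later. The
            // original validated the URL but used it regardless of the outcome.
            debug.error("AMCertPath.verify: FAILED - invalid OCSP responder url configured: " + responderUrl);
            return false;
        }
        pkixParams.setRevocationEnabled(true);
        Security.setProperty(OCSP_ENABLE, TRUE);
        Security.setProperty(OCSP_RESPONDER_URL, responderUrl);
        if (debug.messageEnabled()) {
            debug.message("AMCertPath.verify: pkixparams.setRevocationEnabled set to true, and ocsp.enabled set to true with a OCSP responder url of " + responderUrl);
        }
        return true;
    }

    /**
     * Reads the configured OCSP responder URL.
     *
     * @return the raw value of {@code com.sun.identity.authentication.ocsp.responder.url}, or
     *         {@code null} if it is not set; the value is not validated here
     */
    private static String getResponderURLString() {
        String configured = SystemPropertiesManager.get(OCSP_RESPONDER_PROPERTY);
        if (configured == null && debug.warningEnabled()) {
            debug.warning("AMCertPath.getResponderURLString: No ocsp responder url configured");
        }
        return configured;
    }

    /**
     * Checks that a responder URL parses as a {@link URL}.
     *
     * Note that {@code new URL(...)} only rejects syntactically broken values and unknown schemes;
     * it does not restrict the responder to http/https.
     *
     * @param candidate the configured value, already known to be non-blank
     * @return {@code true} if the value parses
     */
    private static boolean isWellFormedUrl(String candidate) {
        try {
            new URL(candidate);
            return true;
        } catch (MalformedURLException e) {
            debug.error("AMCertPath.getResponderURLString: Invalid ocsp responder url configured", e);
            return false;
        }
    }

    static {
        // Provider lookups can fail (restricted security configuration, missing provider);
        // verify() checks for null and fails closed rather than assuming these succeeded.
        cf = null;
        cpv = null;
        try {
            cf = CertificateFactory.getInstance("X509");
            cpv = CertPathValidator.getInstance("PKIX");
        } catch (Exception e) {
            debug.error("AMCertPath.Static:", e);
        }
    }
}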
