package com.claymoresystems.cert;

import com.claymoresystems.ptls.SSLDebug;
import com.claymoresystems.sslg.CertVerifyPolicyInt;
import com.claymoresystems.sslg.Certificate;
import com.claymoresystems.sslg.DistinguishedName;
import com.oscar.crypt.Sign;
import cryptix.asn1.encoding.BaseCoder;
import cryptix.asn1.encoding.CoderOperations;
import cryptix.asn1.lang.ASNObject;
import cryptix.util.core.ArrayUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.DSAPublicKey;
import java.util.Date;
import java.util.Hashtable;
import java.util.Vector;
import org.bouncycastle.asn1.ASN1Encoding;
import xjava.security.interfaces.CryptixRSAPublicKey;

/* loaded from: input_file:WEB-INF/lib/shentongjdbc-4.0.jar:com/claymoresystems/cert/X509Cert.class */
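/**
 * An X.509 certificate decoded from its DER encoding, together with the
 * signature check and the chain validation built on top of it.
 *
 * <p>Certificates reaching this class normally come from the remote peer, so
 * every decoded value must be treated as untrusted until
 * {@link #verifyCertChain} has accepted the chain.
 *
 * <p>NOTE(review): this file is decompiler output; local names and some
 * control flow may differ from the upstream source.
 */
public class X509Cert implements Certificate {
    // ASN.1 objects obtained from CertContext.getSpec(). NOTE(review): if getSpec()
    // hands out one shared instance, these references are overwritten by the next
    // decode; only the values copied out below are safe to use afterwards - confirm.
    ASNObject signedCert;
    ASNObject unsignedCert;
    ASNObject issuer;
    ASNObject subject;
    ASNObject sigAlg;
    ASNObject sig;
    // Full certificate encoding exactly as passed to the constructor.
    byte[] DER;
    // Encoded tbsCertificate: the bytes the issuer's signature is computed over.
    byte[] unsignedCertDER;
    byte[] subjectDER;
    byte[] issuerDER;
    // Signature value with its leading octet stripped.
    byte[] signature;
    // Signature algorithm as decoded from the certificate (looked up as an OID in oid2NameMap).
    String signatureAlgorithm;
    PublicKey pubKey;
    X509Name subjectName;
    X509Name issuerName;
    BigInteger serialNumber;
    Date notBefore;
    Date notAfter;
    // Vector of X509Ext, or null when the certificate carries no extensions.
    Vector extensions;
    /** Maps signature-algorithm OIDs to the algorithm names passed to {@link Signature}. */
    private static final Hashtable<String, String> oid2NameMap = new Hashtable<String, String>();

    /**
     * Decodes a DER-encoded certificate and extracts the fields used for
     * verification. No signature or validity check happens here.
     *
     * @param bArr the DER encoding; kept by reference, not copied
     * @throws CertificateException (as CertificateDecodeException) if the input
     *         is null or cannot be decoded
     */
    public X509Cert(byte[] bArr) throws CertificateException {
        this.extensions = null;
        // Fail with the declared exception type instead of a NullPointerException.
        if (bArr == null) {
            throw new CertificateDecodeException("Certificate DER is null");
        }
        this.DER = bArr;
        // Decoding fills in objects owned by the spec, so it is serialized on the spec.
        synchronized (CertContext.getSpec()) {
            ASNObject certSpec = CertContext.getSpec().getComponent("UsefulCertificate");
            CoderOperations coder = BaseCoder.getInstance(ASN1Encoding.DER);
            coder.init(new ByteArrayInputStream(bArr));
            try {
                certSpec.accept(coder, null);
                this.signedCert = certSpec;
                this.unsignedCertDER = (byte[]) certSpec.getComponent("UsefulCertificate.tbsCertificate").getValue();
                this.sigAlg = certSpec.getComponent("UsefulCertificate.signatureAlgorithm");
                this.signatureAlgorithm = (String) ((Vector) ((Vector) this.sigAlg.getValue()).elementAt(0)).elementAt(0);
                SSLDebug.debug(32, "Signed by " + this.signatureAlgorithm);
                this.sig = certSpec.getComponent("UsefulCertificate.signature");
                byte[] rawSignature = (byte[]) this.sig.getValue();
                // An empty value would otherwise raise ArrayIndexOutOfBoundsException,
                // which escapes the IOException handler below.
                if (rawSignature == null || rawSignature.length == 0) {
                    throw new IOException("Empty signature value");
                }
                // The leading octet must be zero (presumably the BIT STRING
                // unused-bits count - confirm); it is not part of the signature.
                if (rawSignature[0] != 0) {
                    throw new IOException("Unexpected leading octet in signature value");
                }
                this.signature = new byte[rawSignature.length - 1];
                System.arraycopy(rawSignature, 1, this.signature, 0, this.signature.length);
                SSLDebug.debug(32, "Signature ", this.signature);
                this.unsignedCert = CertContext.getSpec().getComponent("UsefulTBSCertificate");
                // Reset the optional fields to their defaults before decoding, so that
                // values left over from a previously decoded certificate are not reused.
                ASNObject extensionsSpec = this.unsignedCert.getComponent("UsefulTBSCertificate.extensions");
                extensionsSpec.setValue(extensionsSpec.getDefaultValue());
                ASNObject versionSpec = this.unsignedCert.getComponent("UsefulTBSCertificate.version");
                versionSpec.setValue(versionSpec.getDefaultValue());
                ASNObject issuerIdSpec = this.unsignedCert.getComponent("UsefulTBSCertificate.issuerUniqueID");
                issuerIdSpec.setValue(issuerIdSpec.getDefaultValue());
                ASNObject subjectIdSpec = this.unsignedCert.getComponent("UsefulTBSCertificate.subjectUniqueID");
                subjectIdSpec.setValue(subjectIdSpec.getDefaultValue());
                SSLDebug.debug(32, "Unsigned cert DER", this.unsignedCertDER);
                coder.init(new ByteArrayInputStream(this.unsignedCertDER));
                this.unsignedCert.accept(coder, null);
                this.issuer = this.unsignedCert.getComponent("UsefulTBSCertificate.issuer");
                this.issuerDER = (byte[]) this.issuer.getValue();
                this.issuerName = new X509Name(this.issuerDER);
                SSLDebug.debug(32, "Issuer DER", this.issuerDER);
                this.subject = this.unsignedCert.getComponent("UsefulTBSCertificate.subject");
                this.subjectDER = (byte[]) this.subject.getValue();
                this.subjectName = new X509Name(this.subjectDER);
                SSLDebug.debug(32, "Subject DER", this.subjectDER);
                this.pubKey = X509SubjectPublicKeyInfo.createPublicKey((byte[]) this.unsignedCert.getComponent("UsefulTBSCertificate.subjectPublicKeyInfo").getValue());
                this.serialNumber = (BigInteger) this.unsignedCert.getComponent("UsefulTBSCertificate.serialNumber").getValue();
                ASNObject validity = this.unsignedCert.getComponent("UsefulTBSCertificate.validity");
                this.notBefore = (Date) validity.getComponent("Validity.notBefore").getValue();
                this.notAfter = (Date) validity.getComponent("Validity.notAfter").getValue();
                Vector rawExtensions = (Vector) this.unsignedCert.getComponent("UsefulTBSCertificate.extensions").getValue();
                // extensions stays null when the certificate has none.
                if (rawExtensions != null && !rawExtensions.isEmpty()) {
                    this.extensions = new Vector();
                    for (int i = 0; i < rawExtensions.size(); i++) {
                        this.extensions.addElement(new X509Ext((byte[]) ((Vector) rawExtensions.elementAt(i)).elementAt(0)));
                    }
                }
            } catch (IOException e) {
                throw new CertificateDecodeException(e.toString());
            }
        }
    }

    /** Returns the subject public key decoded from the certificate. */
    public PublicKey getPublicKey() {
        return this.pubKey;
    }

    /** Returns the certificate encoding. This is the internal array, not a copy; callers must not modify it. */
    @Override // com.claymoresystems.sslg.Certificate
    public byte[] getDER() {
        return this.DER;
    }

    /** Returns the encoded issuer name. This is the internal array, not a copy. */
    @Override // com.claymoresystems.sslg.Certificate
    public byte[] getIssuerDER() {
        return this.issuerDER;
    }

    /** Returns the encoded subject name. This is the internal array, not a copy. */
    @Override // com.claymoresystems.sslg.Certificate
    public byte[] getSubjectDER() {
        return this.subjectDER;
    }

    /** Returns the decoded subject name. */
    @Override // com.claymoresystems.sslg.Certificate
    public DistinguishedName getSubjectName() {
        return this.subjectName;
    }

    /** Returns the decoded issuer name. */
    @Override // com.claymoresystems.sslg.Certificate
    public DistinguishedName getIssuerName() {
        return this.issuerName;
    }

    /** Returns the start of the validity period. */
    @Override // com.claymoresystems.sslg.Certificate
    public Date getValidityNotBefore() {
        return this.notBefore;
    }

    /** Returns the end of the validity period. */
    @Override // com.claymoresystems.sslg.Certificate
    public Date getValidityNotAfter() {
        return this.notAfter;
    }

    /** Returns the extensions as a Vector of X509Ext, or null when there are none. */
    @Override // com.claymoresystems.sslg.Certificate
    public Vector getExtensions() {
        return this.extensions;
    }

    /** Returns the certificate serial number. */
    @Override // com.claymoresystems.sslg.Certificate
    public BigInteger getSerial() {
        return this.serialNumber;
    }

    /**
     * Checks that the issuer key type matches the signature algorithm, so that a
     * key of one family is never used with an algorithm of another.
     *
     * @param publicKey the key that is about to verify the signature
     * @param str the signature algorithm name
     * @throws CertificateVerifyException if the algorithm is missing or unknown,
     *         or the key type does not match it
     */
    void checkSignatureKey(PublicKey publicKey, String str) throws CertificateVerifyException {
        if (str == null) {
            throw new CertificateVerifyException("Signature algorithm not specified");
        }
        // NOTE(review): MD2, MD4 and MD5 are collision-weak digests and SHA-1 is
        // deprecated for certificate signatures. They are still accepted here;
        // deployments should reject such chains by policy.
        boolean rsaAlgorithm = str.equals("MD2/RSA")
                || str.equals("MD4/RSA")
                || str.equals(Sign.Cryptix_MD5withRSA_Name)
                || str.equals(Sign.Cryptix_SHA1withRSA_Name);
        if (rsaAlgorithm) {
            if (!(publicKey instanceof CryptixRSAPublicKey)) {
                throw new CertificateVerifyException("Public key doesn't match algorithm " + str);
            }
            return;
        }
        if (!str.equals("DSA")) {
            throw new CertificateVerifyException("Unknown algorithm " + str);
        }
        if (!(publicKey instanceof DSAPublicKey)) {
            throw new CertificateVerifyException("Public key doesn't match algorithm " + str);
        }
    }

    /**
     * Verifies this certificate's signature over its tbsCertificate bytes.
     *
     * @param publicKey the issuer's public key
     * @return true if the signature verifies; false if it does not or if the
     *         provider rejects the key
     * @throws CertificateException (as CertificateVerifyException) if the
     *         signature algorithm is missing, unknown or unavailable, if the key
     *         type does not match it, or if the signature cannot be processed
     */
    public boolean verify(PublicKey publicKey) throws CertificateException {
        // Hashtable.get(null) would throw NullPointerException.
        if (this.signatureAlgorithm == null) {
            throw new CertificateVerifyException("Certificate has no signature algorithm");
        }
        try {
            String mapped = oid2NameMap.get(this.signatureAlgorithm);
            if (mapped != null) {
                SSLDebug.debug(32, "OID " + this.signatureAlgorithm + "mapped to " + mapped);
            }
            // An OID missing from the map used to reach checkSignatureKey as null and
            // fail with NullPointerException; it is now rejected as an unknown algorithm.
            String algorithm = mapped != null ? mapped : this.signatureAlgorithm;
            checkSignatureKey(publicKey, algorithm);
            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(publicKey);
            verifier.update(this.unsignedCertDER);
            return verifier.verify(this.signature);
        } catch (InvalidKeyException e) {
            // An unusable key is reported as a failed verification.
            if (SSLDebug.getDebug(32)) {
                e.printStackTrace();
            }
            return false;
        } catch (NoSuchAlgorithmException e2) {
            if (SSLDebug.getDebug(32)) {
                e2.printStackTrace();
            }
            throw new CertificateVerifyException(e2.toString());
        } catch (SignatureException e3) {
            if (SSLDebug.getDebug(32)) {
                e3.printStackTrace();
            }
            throw new CertificateVerifyException(e3.toString());
        }
    }

    /**
     * Validates a certificate chain against the trusted roots in a context.
     *
     * <p>The chain is walked from index 0. The first certificate must be a
     * trusted root or be issued by one; each later certificate must be issued by
     * the certificate before it. For every link this checks issuer/subject name
     * equality, the signature, optionally the validity dates, and the issuer's
     * Basic Constraints, Key Usage and path length.
     *
     * <p>NOTE(review): revocation is not checked here, and a trust anchor
     * returned by signedByRoot() is not date-checked by this method.
     *
     * @param certContext source of trusted roots
     * @param vector the chain, as X509Cert elements, CA end first
     * @param certVerifyPolicyInt policy switches for the optional checks
     * @return the trust anchor followed by every verified certificate (a root
     *         supplied in the chain appears twice), or null for an empty chain
     * @throws CertificateException (as CertificateVerifyException) if any check fails
     */
    public static Vector verifyCertChain(CertContext certContext, Vector vector, CertVerifyPolicyInt certVerifyPolicyInt) throws CertificateException {
        int count = vector.size();
        Vector verified = new Vector();
        X509Cert signer = null;
        boolean foundRoot = false;
        // Number of further certificates the chain may still contain.
        int pathLen = 255;
        for (int idx = 0; idx < count; idx++) {
            X509Cert cert = (X509Cert) vector.elementAt(idx);
            SSLDebug.debug(32, "Trying to verify", cert.getDER());
            if (!foundRoot) {
                if (certContext.isRoot(cert.getDER())) {
                    SSLDebug.debug(32, "Is root");
                    signer = cert;
                    verified.addElement(signer);
                    foundRoot = true;
                } else {
                    SSLDebug.debug(32, "Trying to find root with DN", cert.getIssuerDER());
                    signer = certContext.signedByRoot(cert.getIssuerDER());
                    if (signer == null) {
                        SSLDebug.debug(32, "Nope");
                    } else {
                        SSLDebug.debug(32, "Found one");
                        verified.addElement(signer);
                        foundRoot = true;
                    }
                }
            }
            // Without a trust anchor the checks below used to dereference null. Fail
            // closed with the declared exception instead.
            // NOTE(review): upstream may have skipped such certificates - confirm.
            if (signer == null) {
                throw new CertificateVerifyException("No trusted root found for certificate issuer");
            }
            if (!ArrayUtil.areEqual(signer.getSubjectDER(), cert.getIssuerDER())) {
                throw new CertificateVerifyException("Subject and issuer name don't match");
            }
            if (!cert.verify(signer.getPublicKey())) {
                throw new CertificateVerifyException("Certificate signature doesn't match");
            }
            if (certVerifyPolicyInt.checkDatesP()) {
                checkExpiry(cert, new Date());
            }
            if (verified.size() == 1) {
                // First link: the signer is the trust anchor, so Basic Constraints
                // and Key Usage are not required to be present.
                // NOTE(review): 1 is added before the comparison with -1; if
                // getPathLen() returns -1 for "no limit", this test never matches
                // and pathLen becomes 0 - confirm.
                int limit = signer.checkBasicConstraintExtension(false, certVerifyPolicyInt.requireBasicConstraintsCriticalP()) + 1;
                if (limit != -1) {
                    pathLen = limit;
                }
                signer.checkKeyUsage(false);
            } else {
                // Later links: an intermediate signer can only lower the remaining budget.
                int limit = signer.checkBasicConstraintExtension(certVerifyPolicyInt.requireBasicConstraintsP(), certVerifyPolicyInt.requireBasicConstraintsCriticalP()) + 1;
                if (limit < pathLen) {
                    pathLen = limit;
                }
                signer.checkKeyUsage(certVerifyPolicyInt.requireKeyUsageP());
            }
            if (pathLen < 1) {
                throw new CertificateVerifyException("No more certificates allowed. Ran out of pathLen");
            }
            pathLen--;
            // The certificate just verified signs the next one.
            signer = cert;
            verified.addElement(cert);
        }
        return signer != null ? verified : null;
    }

    /**
     * Checks that a date falls inside a certificate's validity period.
     *
     * @param certificate the certificate to check
     * @param date the instant to test
     * @throws CertificateVerifyException if the date is before notBefore or after notAfter
     */
    static void checkExpiry(Certificate certificate, Date date) throws CertificateVerifyException {
        Date validityNotBefore = certificate.getValidityNotBefore();
        Date validityNotAfter = certificate.getValidityNotAfter();
        if (date.before(validityNotBefore)) {
            throw new CertificateVerifyException("Certificate not yet valid. Not before date " + validityNotBefore);
        }
        if (date.after(validityNotAfter)) {
            throw new CertificateVerifyException("Certificate expired. Not after date " + validityNotAfter);
        }
    }

    /**
     * Checks this certificate's Basic Constraints extension as that of a signer.
     *
     * @param requirePresent whether a missing extension is an error
     * @param requireCritical whether the extension must be marked critical
     * @return 255 when the extension is absent and not required, otherwise the
     *         value of getPathLen()
     * @throws CertificateVerifyException if the extension is missing but
     *         required, does not assert CA, is not critical when it must be, or
     *         cannot be parsed
     */
    private int checkBasicConstraintExtension(boolean requirePresent, boolean requireCritical) throws CertificateVerifyException {
        try {
            X509Ext ext = X509Ext.getExtensionFromCert(this, X509BasicConstraints.oid);
            if (ext == null) {
                if (requirePresent) {
                    throw new CertificateVerifyException("Basic Constraints not present");
                }
                return 255;
            }
            X509BasicConstraints constraints = new X509BasicConstraints(ext);
            // A certificate that does not assert CA must never sign another certificate.
            if (!constraints.isCA()) {
                throw new CertificateVerifyException("Basic Constraints present in signing cert but not a CA");
            }
            if (requireCritical && !constraints.isCritical()) {
                throw new CertificateVerifyException("Basic constraints for a CA must be critical");
            }
            return constraints.getPathLen();
        } catch (IOException e) {
            throw new CertificateVerifyException("Problem parsing Basic Constraints" + e.toString());
        }
    }

    /**
     * Checks that this certificate's Key Usage extension, when present, asserts keyCertSign.
     *
     * @param requirePresent whether a missing extension is an error
     * @throws CertificateVerifyException if the extension is missing but
     *         required, lacks keyCertSign, or cannot be parsed
     */
    private void checkKeyUsage(boolean requirePresent) throws CertificateVerifyException {
        try {
            X509Ext ext = X509Ext.getExtensionFromCert(this, X509KeyUsage.oid);
            if (ext == null) {
                if (requirePresent) {
                    throw new CertificateVerifyException("Key Usage required for CAs");
                }
                return;
            }
            X509KeyUsage usage = new X509KeyUsage(ext);
            if (!usage.isAsserted(X509KeyUsage.BIT_keyCertSign)) {
                throw new CertificateVerifyException("Key Usage present but keyCertSign not asserted");
            }
        } catch (IOException e) {
            throw new CertificateVerifyException("Problem parsing Key Usage" + e.toString());
        }
    }

    // Signature-algorithm OIDs accepted by verify(); anything else is rejected as unknown.
    static {
        oid2NameMap.put("1.2.840.10040.4.3", "DSA");
        oid2NameMap.put("1.2.840.113549.1.1.2", "MD2/RSA");
        oid2NameMap.put("1.2.840.113549.1.1.3", "MD4/RSA");
        oid2NameMap.put("1.2.840.113549.1.1.4", Sign.Cryptix_MD5withRSA_Name);
        oid2NameMap.put("1.2.840.113549.1.1.5", Sign.Cryptix_SHA1withRSA_Name);
    }
}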
