package ca.nrc.cadc.cred.client;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.auth.SSOCookieCredential;
import ca.nrc.cadc.auth.X509CertificateChain;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import java.io.File;
import java.security.AccessControlException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.Iterator;
import javax.naming.InitialContext;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/cred/client/CredUtil.class */
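public class CredUtil {
    private static final Logger log = Logger.getLogger(CredUtil.class);

    /** Lifetime requested for delegated proxy certificates; units are whatever CredClient.getProxyCertificate expects. */
    public static final double PROXY_CERT_DURATION = 0.1d;

    /** JNDI name under which a deployment may bind the operator ("servops") X509CertificateChain. */
    public static final String SERVOPS_JNDI_NAME = "servops-cert";

    private CredUtil() {
    }

    /**
     * Builds the Subject carrying the service-operator ("servops") credential used to call
     * the credential service on behalf of users.
     *
     * <p>Lookup order: JNDI ({@link #SERVOPS_JNDI_NAME}) first, then the PEM file under the
     * current user's home directory. Only the validity period of the leaf certificate is checked
     * here; trust-chain and revocation checks are not performed.
     *
     * @return a Subject whose public credentials contain a valid private-key chain
     * @throws IllegalStateException if no credential is found in JNDI or on disk
     * @throws RuntimeException if the credential is found but its leaf certificate is invalid
     *         (or the chain cannot be located in the Subject)
     */
    public static Subject createOpsSubject() {
        Subject ops = createServopsSubjectFromJNDI();
        log.debug("servops subject from JNDI: " + ops);
        if (ops == null) {
            ops = createServopsSubjectFromFile();
            log.debug("servops subject from disk: " + ops);
        }
        if (ops == null) {
            // NOTE(review): the on-disk fallback reads cadcproxy.pem, while this message names servops.pem —
            // confirm which file name deployments are expected to provide
            throw new IllegalStateException("servops.pem not found in JNDI or on disk.");
        }
        try {
            // checkValidity() verifies only the notBefore/notAfter window of the leaf certificate.
            X509CertificateChain.findPrivateKeyChain(ops.getPublicCredentials()).getChain()[0].checkValidity();
            return ops;
        } catch (Exception e) {
            // A missing chain (findPrivateKeyChain returning null) surfaces here as a configuration error too.
            throw new RuntimeException("CONFIG: servops certificate is invalid", e);
        }
    }

    /**
     * Looks up the operator certificate chain in JNDI.
     *
     * @return the Subject built from the bound chain, or {@code null} when nothing is bound
     *         or the lookup fails
     */
    private static Subject createServopsSubjectFromJNDI() {
        try {
            Object bound = new InitialContext().lookup(SERVOPS_JNDI_NAME);
            if (bound == null) {
                return null;
            }
            return AuthenticationUtil.getSubject((X509CertificateChain) bound);
        } catch (NameNotFoundException e) {
            // Nothing bound under SERVOPS_JNDI_NAME: expected for deployments that rely on the file fallback.
            // This catch must precede NamingException (its supertype) or it is unreachable and will not compile.
            return null;
        } catch (NamingException e) {
            log.warn("Unexpected JNDI exception.", e);
            return null;
        }
    }

    /**
     * Loads the operator credential from {@code ~/.ssl/cadcproxy.pem}.
     *
     * @return the Subject created by {@link SSLUtil#createSubject(File)}; whether a missing file yields
     *         {@code null} or an exception is determined by SSLUtil
     */
    private static Subject createServopsSubjectFromFile() {
        File pem = new File(System.getProperty("user.home") + "/.ssl/cadcproxy.pem");
        return SSLUtil.createSubject(pem);
    }

    /**
     * Checks (and if necessary refreshes) the credentials of the current Subject.
     *
     * @return see {@link #checkCredentials(Subject)}
     * @throws AccessControlException if a delegated certificate could not be obtained
     * @throws CertificateExpiredException if the delegated certificate is already expired
     * @throws CertificateNotYetValidException if the delegated certificate is not yet valid
     */
    public static boolean checkCredentials() throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException {
        return checkCredentials(AuthenticationUtil.getCurrentSubject());
    }

    /**
     * Ensures the given Subject holds a usable credential.
     *
     * <p>Order of checks: an unexpired {@link SSOCookieCredential}; then an X509CertificateChain with a
     * private key whose leaf certificate is within its validity period. If neither is present and the
     * Subject has at least one principal, a proxy certificate is requested from the credential service
     * while running as the operator Subject ({@link #createOpsSubject()}).
     *
     * <p><b>Side effect:</b> on a successful delegation every X509CertificateChain already in
     * {@code subject.getPublicCredentials()} is removed and the delegated chain is added.
     *
     * @param subject the Subject to check; mutated as described above
     * @return {@code true} if the Subject has (or now has) a valid credential; {@code false} only when it
     *         has no valid credential and no principals to delegate for
     * @throws AccessControlException if the credential service returned no certificate
     * @throws CertificateExpiredException if the delegated leaf certificate is expired
     * @throws CertificateNotYetValidException if the delegated leaf certificate is not yet valid
     * @throws RuntimeException wrapping the failure if the call to the credential service fails
     */
    public static boolean checkCredentials(final Subject subject) throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException {
        log.debug("check for valid cookie credentials...");
        for (SSOCookieCredential cookie : subject.getPublicCredentials(SSOCookieCredential.class)) {
            log.debug("Checking cookie credential: " + cookie);
            if (!cookie.isExpired()) {
                return true;
            }
        }
        log.debug("... no valid cookies");

        log.debug("check for a valid X509CertificateChain...");
        X509CertificateChain existing = X509CertificateChain.findPrivateKeyChain(subject.getPublicCredentials());
        if (existing != null) {
            try {
                // Validity window of the leaf certificate only.
                existing.getChain()[0].checkValidity();
                return true;
            } catch (CertificateException e) {
                // Actual removal happens below, once a replacement has been obtained.
                log.debug("invalid X509CertificateChain: removing");
            }
        }
        log.debug("... no valid X509CertificateChain");

        if (subject.getPrincipals().isEmpty()) {
            log.debug("no principals: return false");
            return false;
        }

        final CredClient credClient = new CredClient(new LocalAuthority().getServiceURI(Standards.CRED_PROXY_10.toASCIIString()));
        try {
            // The delegation request is made with the operator's credential, not the caller's.
            X509CertificateChain delegated = Subject.doAs(createOpsSubject(), new PrivilegedExceptionAction<X509CertificateChain>() {
                @Override
                public X509CertificateChain run() throws Exception {
                    return credClient.getProxyCertificate(subject, PROXY_CERT_DURATION);
                }
            });
            if (delegated == null) {
                throw new AccessControlException("credential service did not return a delegated certificate");
            }
            // Propagates CertificateExpiredException / CertificateNotYetValidException to the caller.
            delegated.getChain()[0].checkValidity();

            // Replace every chain currently held by the Subject with the freshly delegated one.
            Iterator<Object> it = subject.getPublicCredentials().iterator();
            while (it.hasNext()) {
                if (it.next() instanceof X509CertificateChain) {
                    it.remove();
                }
            }
            subject.getPublicCredentials().add(delegated);
            return true;
        } catch (PrivilegedActionException e) {
            // Unwrap so the cause is the exception thrown inside run(), not the PrivilegedActionException wrapper.
            throw new RuntimeException("CredClient.getProxyCertficate failed", e.getException());
        }
    }
}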
