package org.josso.auth.scheme.validation;

import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:WEB-INF/lib/josso-strong-authscheme-1.8.9-SNAPSHOT.jar:org/josso/auth/scheme/validation/OCSPX509CertificateValidator.class */
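/**
 * X.509 certificate validator that runs PKIX certification path validation with
 * revocation checking enabled and OCSP switched on.
 *
 * <p>Configuration comes from fields this class does not declare ({@code _url},
 * {@code _httpProxyHost}, {@code _httpProxyPort}); they are presumably inherited from
 * {@link AbstractX509CertificateValidator}, as are {@code generateCertificatePath},
 * {@code generateTrustAnchors} and {@code getCertificate} -- confirm against the superclass.
 *
 * <p><strong>Global state:</strong> {@link #validate(X509Certificate)} configures OCSP and the
 * HTTP proxy through {@link Security#setProperty} and {@link System#setProperty} /
 * {@link System#clearProperty}. Those properties are JVM-wide, so every call changes settings
 * seen by all other code in the process, and concurrent calls with different configuration
 * can interfere with each other. This class takes no lock around them.
 */
public class OCSPX509CertificateValidator extends AbstractX509CertificateValidator {
    private static final Log log = LogFactory.getLog(OCSPX509CertificateValidator.class);

    // Alias used to look up the OCSP responder's certificate via getCertificate(...).
    private String _ocspResponderCertificateAlias;

    // Responder certificate, resolved on first use in validate() and then reused.
    private X509Certificate _ocspCert;

    /**
     * Validates the given certificate with the PKIX algorithm, with revocation checking and
     * OCSP enabled.
     *
     * <p>The method fails closed: any exception raised while configuring or running the
     * validation is logged and rethrown wrapped in {@link X509CertificateValidationException}.
     *
     * @param x509Certificate the certificate to validate
     * @throws X509CertificateValidationException if path validation fails or any other error
     *         occurs while preparing or running it
     */
    @Override // org.josso.auth.scheme.validation.X509CertificateValidator
    public void validate(X509Certificate x509Certificate) throws X509CertificateValidationException {
        try {
            if (this._url != null) {
                log.debug("Using the OCSP server at: " + this._url);
                Security.setProperty("ocsp.responderURL", this._url);
            } else {
                // NOTE(review): this branch does not reset "ocsp.responderURL". The property is
                // JVM-wide, so a value set by an earlier call (or another validator instance)
                // stays in effect and the message below may not describe the responder actually
                // used -- confirm whether that can happen in this deployment.
                log.debug("Using the OCSP server specified in the Authority Info Access (AIA) extension of the certificate");
            }

            // The proxy settings are JVM-wide system properties: clearing them here also removes
            // a proxy that other code in the same process may rely on.
            if (this._httpProxyHost == null || this._httpProxyPort == null) {
                System.clearProperty("http.proxyHost");
                System.clearProperty("http.proxyPort");
            } else {
                System.setProperty("http.proxyHost", this._httpProxyHost);
                System.setProperty("http.proxyPort", this._httpProxyPort);
            }

            CertPath certPath = generateCertificatePath(x509Certificate);
            PKIXParameters pkixParameters = new PKIXParameters(generateTrustAnchors());

            // Resolve the responder certificate once and cache it on the instance.
            if (this._ocspCert == null) {
                this._ocspCert = getCertificate(this._ocspResponderCertificateAlias);
            }
            if (this._ocspCert != null) {
                // Make the responder certificate available to the validator and name it as the
                // expected signer of OCSP responses.
                HashSet<X509Certificate> responderCerts = new HashSet<X509Certificate>();
                responderCerts.add(this._ocspCert);
                pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(responderCerts)));
                Security.setProperty("ocsp.responderCertSubjectName", this._ocspCert.getSubjectX500Principal().getName());
            } else if (this._ocspResponderCertificateAlias != null) {
                // A configured alias that resolves to nothing is most likely a deployment error.
                // Validation still proceeds, but this call neither adds a responder certificate
                // nor sets "ocsp.responderCertSubjectName", so make that visible to operators.
                log.warn("OCSP responder certificate alias '" + this._ocspResponderCertificateAlias
                        + "' is configured but no certificate was found for it;"
                        + " continuing without an explicitly configured responder certificate");
            }

            // Revocation checking must be on for the PKIX validator to consult OCSP at all.
            pkixParameters.setRevocationEnabled(true);
            Security.setProperty("ocsp.enable", "true");

            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, pkixParameters);
            X509Certificate trustedCert = result.getTrustAnchor().getTrustedCert();
            if (trustedCert == null) {
                // A trust anchor may be defined without a certificate, in which case there is
                // no CA certificate to report.
                log.debug("Trusted Cert = NULL");
            } else {
                log.debug("Trusted CA DN = " + trustedCert.getSubjectDN());
            }
            log.debug("CERTIFICATE VALIDATION SUCCEEDED");
        } catch (CertPathValidatorException e) {
            // Kept separate from the generic handler so the exception is passed to the
            // X509CertificateValidationException constructor with its original static type.
            log.error(e, e);
            throw new X509CertificateValidationException(e);
        } catch (Exception e2) {
            // Anything else (parameter setup, keystore lookup, provider errors) is also treated
            // as a validation failure rather than being allowed to pass silently.
            log.error(e2, e2);
            throw new X509CertificateValidationException(e2);
        }
    }

    /**
     * Returns the alias used to look up the OCSP responder certificate.
     *
     * @return the configured alias, or {@code null} if none was set
     */
    public String getOcspResponderCertificateAlias() {
        return this._ocspResponderCertificateAlias;
    }

    /**
     * Sets the alias used to look up the OCSP responder certificate.
     *
     * <p>The resolved certificate is cached after the first successful lookup in
     * {@link #validate(X509Certificate)}; changing the alias afterwards does not clear that cache.
     *
     * @param str the alias of the responder certificate
     */
    public void setOcspResponderCertificateAlias(String str) {
        this._ocspResponderCertificateAlias = str;
    }
}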
