package org.glite.security.trustmanager;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import java.util.Locale;
import java.util.Set;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.glite.security.util.DN;
import org.glite.security.util.DNHandler;
import org.glite.security.util.FullTrustAnchor;
import org.glite.security.util.TrustStorage;
import org.glite.security.util.namespace.DNCheckerImpl;
import org.glite.security.util.proxy.ProxyCertInfoExtension;
import org.glite.security.util.proxy.ProxyCertificateInfo;

/* loaded from: input_file:org/glite/security/trustmanager/OpensslCertPathValidator.class */
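/**
 * Builds and validates X.509 certificate paths (CA certificates, end-entity certificates and
 * proxy certificates) against the trust anchors held in a {@link TrustStorage}.
 *
 * <p>Validation is done pair by pair from the top of the path downwards: signature, validity
 * period, basic constraints / path length, proxy type transitions, proxy DN restriction,
 * critical extensions, issuer/subject DN match, namespace policies and, for CA parents, CRL
 * based revocation. Any failure rejects the whole path with an exception.
 */
public class OpensslCertPathValidator {
    private static final Logger LOGGER;

    // Certificate type codes stored in CertPathValidatorState.m_proxyType. The names are
    // inferred from how this class assigns the values and from its error messages; the values
    // presumably mirror constants declared elsewhere in the project - TODO confirm.
    private static final int TYPE_LEGACY_PROXY = 52;
    private static final int TYPE_DRAFT_PROXY = 53;
    private static final int TYPE_RFC3820_PROXY = 54;
    private static final int TYPE_CA = 71;
    private static final int TYPE_END_ENTITY = 72;

    /** Trust anchor store; anchors are looked up by the OpenSSL-style hash of a DN. */
    private TrustStorage m_storage;
    /** Bouncy Castle certificate factory used to re-parse non-BC certificates in buildPath. */
    private CertificateFactory m_certFact = CertificateFactory.getInstance("X.509", "BC");
    /** When true, a missing, expired or not-yet-valid CRL rejects the certificate. */
    private boolean m_crlRequired;
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Creates a validator backed by a new {@link TrustStorage}.
     *
     * @param str argument handed unchanged to the {@code TrustStorage} constructor
     *            (presumably the trust anchor location - confirm against TrustStorage)
     * @param z   whether CRLs are required; see {@link #checkAnchorAndCert}
     */
    public OpensslCertPathValidator(String str, boolean z) throws CertificateException, NoSuchProviderException, IOException, ParseException {
        this.m_storage = new TrustStorage(str);
        this.m_crlRequired = z;
    }

    /**
     * Appends the trusted issuer of the last certificate in {@code vector}, if one is stored.
     *
     * <p>The match is by DN only; the signature is verified later by {@link #check}.
     *
     * @param vector path under construction, leaf first; must not be empty
     * @return {@code true} if a CA certificate was appended; {@code false} if the last
     *         certificate is self-issued or no stored anchor has a matching subject DN
     */
    public boolean findAddParent(Vector<X509Certificate> vector) {
        X509Certificate tail = vector.lastElement();
        if (DNHandler.getSubject(tail).equals(DNHandler.getIssuer(tail))) {
            // Subject equals issuer: top of the hierarchy, nothing further to add.
            return false;
        }
        FullTrustAnchor[] anchors = this.m_storage.getAnchors(OpensslTrustmanager.getOpenSSLCAHash(tail.getIssuerDN()));
        if (anchors == null) {
            return false;
        }
        LOGGER.debug("found " + anchors.length + " CAs that match, cheking which to use");
        for (FullTrustAnchor anchor : anchors) {
            // Several anchors can share a hash; pick the one whose subject DN really matches.
            if (DNHandler.getSubject(anchor.m_caCert).equals(DNHandler.getIssuer(tail))) {
                vector.add(anchor.m_caCert);
                return true;
            }
        }
        return false;
    }

    /**
     * Converts the given chain to Bouncy Castle certificates and extends it up to a stored
     * trust anchor.
     *
     * <p>If the last given certificate is a CA certificate that matches a stored anchor by
     * public key and subject DN, it is replaced by the stored copy. Parents are then appended
     * with {@link #findAddParent} until none is found.
     *
     * @param x509CertificateArr chain as presented, leaf first; must not be empty
     * @return the constructed path, leaf first
     * @throws CertPathValidatorException if the chain ends in an untrusted self-signed CA
     *         certificate, or its last certificate is neither a trusted CA nor issued by one
     * @throws CertificateException if a certificate cannot be re-encoded or re-parsed
     */
    public Vector<X509Certificate> buildPath(X509Certificate[] x509CertificateArr) throws CertPathValidatorException, CertificateException {
        Vector<X509Certificate> path = new Vector<>();
        for (X509Certificate given : x509CertificateArr) {
            if (given instanceof X509CertificateObject) {
                path.add(given);
            } else {
                // Re-parse through the BC factory so the whole path uses one implementation.
                path.add((X509Certificate) this.m_certFact.generateCertificate(new BufferedInputStream(new ByteArrayInputStream(given.getEncoded()))));
            }
        }
        X509Certificate top = path.lastElement();
        boolean topIsTrustedCa = false;
        if (top.getBasicConstraints() > -1) {
            FullTrustAnchor[] anchors = this.m_storage.getAnchors(OpensslTrustmanager.getOpenSSLCAHash(top.getSubjectDN()));
            if (anchors != null) {
                LOGGER.debug("found " + anchors.length + " CAs that match, cheking which to use");
                for (FullTrustAnchor anchor : anchors) {
                    if (anchor.m_caCert.getPublicKey().equals(top.getPublicKey()) && DNHandler.getSubject(anchor.m_caCert).equals(DNHandler.getSubject(top))) {
                        topIsTrustedCa = true;
                        // Swap the presented CA certificate for the stored, trusted copy.
                        path.remove(top);
                        path.add(anchor.m_caCert);
                        break;
                    }
                }
            }
            if (!topIsTrustedCa && DNHandler.getSubject(top).equals(DNHandler.getIssuer(top))) {
                String msg = "Self-signed CA cert " + DNHandler.getSubject(top) + " is not trusted, rejecting the certificate chain.";
                LOGGER.info(msg);
                throw new CertPathValidatorException(msg);
            }
        }
        if (!topIsTrustedCa && !findAddParent(path)) {
            String msg = "The root of the cert chain " + DNHandler.getSubject(top) + " is not trusted CA nor issued by one, rejecting the certificate chain.";
            LOGGER.info(msg);
            throw new CertPathValidatorException(msg);
        }
        // NOTE(review): this loop ends only when findAddParent sees a self-issued tail or finds
        // no matching anchor. A trust store holding CAs that name each other as issuer would
        // keep it running and growing the path - consider bounding the path length.
        while (findAddParent(path)) {
            // keep climbing towards the root
        }
        return path;
    }

    /**
     * Validates a certificate chain; returns normally only if the whole path is accepted.
     *
     * @param x509CertificateArr chain as presented, leaf first
     * @throws CertPathValidatorException if the chain is empty, cannot be anchored, or any
     *         pair check (including revocation) fails
     * @throws CertificateException if a certificate is invalid or cannot be processed
     */
    public void check(X509Certificate[] x509CertificateArr) throws CertPathValidatorException, CertificateException {
        if (x509CertificateArr.length == 0) {
            LOGGER.error("No certificates given to check");
            throw new CertPathValidatorException("No certificates given to check");
        }
        if (LOGGER.isDebugEnabled()) {
            for (X509Certificate given : x509CertificateArr) {
                LOGGER.debug("input path cert type: " + given.getClass().getName() + " DN [" + given.getSubjectDN() + "]");
            }
        }
        Vector<X509Certificate> built = buildPath(x509CertificateArr);
        LOGGER.debug("Given path len is " + x509CertificateArr.length + " and constructed path lenght " + built.size());
        CertPathValidatorState state = new CertPathValidatorState();
        state.m_proxyType = TYPE_CA;
        X509Certificate[] path = built.toArray(new X509Certificate[0]);
        int topIndex = path.length - 1;
        // The top certificate has no parent pair, so its validity period is checked here.
        checkValidity(path[topIndex]);
        for (int idx = topIndex; idx > 0; idx--) {
            X509Certificate parent = path[idx];
            X509Certificate sub = path[idx - 1];
            if (parent.getBasicConstraints() > -1) {
                // CA parent: pair checks plus trust anchor and CRL handling.
                try {
                    state = checkAnchorAndCert(sub, parent, state, idx == topIndex);
                } catch (CRLException e) {
                    String msg = "Certificate for " + DNHandler.getSubject(sub) + " revoked by " + DNHandler.getSubject(parent) + ", rejecting it";
                    LOGGER.info(msg);
                    throw new CertPathValidatorException(msg, e);
                } catch (Exception e) {
                    // Deliberately broad: any failure, including runtime exceptions, rejects
                    // the path instead of escaping as an unchecked error.
                    String msg = "Certificate checking for " + DNHandler.getSubject(sub) + " failed, rejecting it. Error was: " + e.getMessage();
                    LOGGER.info(msg);
                    throw new CertPathValidatorException(msg, e);
                }
            } else {
                // Non-CA parent (end entity or proxy): pair checks only.
                try {
                    state = checkCertificatePair(sub, parent, state);
                } catch (CertPathValidatorException | CertificateException e) {
                    LOGGER.info(e.getMessage());
                    throw e;
                }
            }
        }
        LOGGER.info("certificate path for " + DNHandler.getSubject(x509CertificateArr[0]) + " is valid");
    }

    /**
     * Checks that the certificate is within its validity period at the current time.
     *
     * @param x509Certificate certificate to check
     * @throws CertificateExpiredException if the certificate has expired
     * @throws CertificateNotYetValidException if the certificate is not valid yet
     */
    public void checkValidity(X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            // Re-thrown with a message that names the subject and the expiry date.
            String msg = "the Certificate for " + DNHandler.getSubject(x509Certificate) + " expired on " + x509Certificate.getNotAfter();
            LOGGER.info(msg);
            throw new CertificateExpiredException(msg);
        } catch (CertificateNotYetValidException e) {
            String msg = "the Certificate for " + DNHandler.getSubject(x509Certificate) + " will only be valid after " + x509Certificate.getNotBefore();
            LOGGER.info(msg);
            throw new CertificateNotYetValidException(msg);
        }
    }

    /**
     * Verifies that {@code x509Certificate} is signed with the public key of
     * {@code x509Certificate2}.
     *
     * @param x509Certificate  the signed (sub) certificate
     * @param x509Certificate2 the signer (parent) certificate
     * @throws CertPathValidatorException if the signature does not verify
     * @throws CertificateException if the key, algorithm or provider is unusable
     */
    public void checkSignature(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException, CertificateException {
        LOGGER.debug("Checking the signature");
        PublicKey signerKey = x509Certificate2.getPublicKey();
        LOGGER.debug("Sub cert is " + x509Certificate.getClass().getName());
        try {
            x509Certificate.verify(signerKey);
        } catch (InvalidKeyException e) {
            String msg = "Invalid public key in \"" + x509Certificate2.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage();
            LOGGER.info(msg);
            throw new CertificateException(msg, e);
        } catch (NoSuchAlgorithmException e) {
            String msg = "Invalid signature algorithm in \"" + x509Certificate.getSubjectDN().toString() + "\" error was " + e.getClass().getName() + ":" + e.getMessage();
            LOGGER.info(msg);
            throw new CertificateException(msg, e);
        } catch (NoSuchProviderException e) {
            LOGGER.error("Internal error, no crypto provider found. Error was " + e.getClass().getName() + ":" + e.getMessage());
            throw new CertificateException("Internal error, no crypto provider found. Error was " + e.getMessage(), e);
        } catch (SignatureException e) {
            String msg = "invalid signature in " + x509Certificate.getSubjectDN().toString();
            LOGGER.info(msg);
            throw new CertPathValidatorException(msg, e);
        }
    }

    /**
     * Validates one parent/sub step of the path and returns the state for the next step.
     *
     * @param x509Certificate        the sub certificate (issued one)
     * @param x509Certificate2       the parent certificate (issuer)
     * @param certPathValidatorState state produced by the previous step; its type describes
     *                               the parent
     * @return a new state whose type describes the sub certificate
     * @throws CertPathValidatorException if any path rule is violated
     * @throws CertificateException if the sub certificate is invalid or cannot be parsed
     */
    public CertPathValidatorState checkCertificatePair(X509Certificate x509Certificate, X509Certificate x509Certificate2, CertPathValidatorState certPathValidatorState) throws CertPathValidatorException, CertificateException {
        LOGGER.debug("Checking a cert pair");
        checkSignature(x509Certificate, x509Certificate2);
        checkValidity(x509Certificate);
        CertPathValidatorState next = new CertPathValidatorState();
        Object subIssuer = DNHandler.getIssuer(x509Certificate);
        DN parentSubject = DNHandler.getSubject(x509Certificate2);
        DN subSubject = DNHandler.getSubject(x509Certificate);
        // Extensions this method understands are removed from the set as they are handled;
        // whatever critical extension is left at the end rejects the certificate.
        Set<String> criticalOids = x509Certificate.getCriticalExtensionOIDs();
        if (parentSubject.isEmpty() || subSubject.isEmpty()) {
            throw new CertPathValidatorException("Subject DN of " + (parentSubject.isEmpty() ? "parent" : "sub") + " certificate is empty, invalid certificate.");
        }
        LOGGER.debug("Checking cert basic constraints extension and proxy type");
        int parentPathLen = x509Certificate2.getBasicConstraints();
        int subPathLen = x509Certificate.getBasicConstraints();
        if (parentPathLen >= 0) {
            if (subPathLen < 0) {
                next.m_proxyType = TYPE_END_ENTITY;
            } else {
                if (certPathValidatorState.m_basicConstraintsPathLimit < 0) {
                    // Name the limiter recorded in the incoming state; the new state has none yet.
                    throw new CertPathValidatorException("Certificate " + subSubject + " has a CA flag, but path lenght is too long, it was limited by " + certPathValidatorState.m_basicConstraintsPathLimiter);
                }
                // Carry the tighter of the inherited limit and this CA's own limit downwards.
                if (subPathLen < certPathValidatorState.m_basicConstraintsPathLimit) {
                    next.m_basicConstraintsPathLimit = subPathLen - 1;
                    next.m_basicConstraintsPathLimiter = subSubject;
                } else {
                    next.m_basicConstraintsPathLimit = certPathValidatorState.m_basicConstraintsPathLimit - 1;
                    next.m_basicConstraintsPathLimiter = certPathValidatorState.m_basicConstraintsPathLimiter;
                }
                next.m_proxyType = TYPE_CA;
            }
        } else {
            // NOTE(review): as written this assertion fails whenever the incoming type is not
            // 71, yet a state of 71 is rejected by the transition check below for any proxy.
            // The condition may have been inverted by the decompiler - confirm against the
            // original source before running with assertions enabled.
            if (!$assertionsDisabled && certPathValidatorState.m_proxyType != TYPE_CA) {
                throw new AssertionError();
            }
            if (subPathLen != -1) {
                throw new CertPathValidatorException("A certificate " + subSubject + " after non-CA cert " + parentSubject + " has a CA flag, which is not allowed. Rejecting certificate path.");
            }
            if (criticalOids != null && criticalOids.contains(ProxyCertInfoExtension.PROXY_CERT_INFO_EXTENSION_OID)) {
                criticalOids.remove(ProxyCertInfoExtension.PROXY_CERT_INFO_EXTENSION_OID);
                next.m_proxyType = TYPE_RFC3820_PROXY;
            } else if (criticalOids != null && criticalOids.contains(ProxyCertInfoExtension.DRAFT_PROXY_CERT_INFO_EXTENSION_OID)) {
                criticalOids.remove(ProxyCertInfoExtension.DRAFT_PROXY_CERT_INFO_EXTENSION_OID);
                next.m_proxyType = TYPE_DRAFT_PROXY;
            } else {
                // No proxy extension: only the legacy naming convention can make this a proxy.
                if (!hasLegacyProxyCn(subSubject)) {
                    throw new CertPathValidatorException("Unknown proxy type, no draft or RFC3820 extensions found and subject doesn't follow legacy proxy convention.");
                }
                next.m_proxyType = TYPE_LEGACY_PROXY;
            }
        }
        LOGGER.debug("Checking cert transitions.");
        if (certPathValidatorState.m_proxyType == TYPE_CA) {
            if (next.m_proxyType != TYPE_CA && next.m_proxyType != TYPE_END_ENTITY) {
                throw new CertPathValidatorException("The CA cert " + parentSubject + " can only sign sub CAs or user certs. The cert " + subSubject + " is neither.");
            }
        } else if (certPathValidatorState.m_proxyType == TYPE_END_ENTITY) {
            if (!isProxyType(next.m_proxyType)) {
                throw new CertPathValidatorException("The end entity cert " + parentSubject + " can only sign proxies. The cert " + subSubject + " wasn't recognized as a proxy.");
            }
        } else {
            if (!isProxyType(certPathValidatorState.m_proxyType)) {
                throw new CertPathValidatorException("Unknown cert " + parentSubject + " and transition");
            }
            // A proxy may only sign a proxy of its own flavour.
            if (certPathValidatorState.m_proxyType != next.m_proxyType) {
                throw new CertPathValidatorException("The proxy cert " + parentSubject + " and the sub proxy cert " + subSubject + " are of different type.");
            }
        }
        if (isProxyType(next.m_proxyType)) {
            LOGGER.debug("Checkin that " + DNHandler.getSubject(x509Certificate2) + " matches end of " + DNHandler.getSubject(x509Certificate) + " because proxy constraints");
            checkDNRestriction(x509Certificate, x509Certificate2, certPathValidatorState.m_proxyType);
            if (next.m_proxyType == TYPE_RFC3820_PROXY || next.m_proxyType == TYPE_DRAFT_PROXY) {
                if (certPathValidatorState.m_proxyInfoPathLimit < 0) {
                    throw new CertPathValidatorException("The proxy certificate path of \"" + subSubject + "\" is longer than allowed by \"" + certPathValidatorState.m_proxyInfoPathLimiter + "\" that set the proxy path length limit.");
                }
                try {
                    int ownLimit = new ProxyCertificateInfo(x509Certificate).getProxyPathLimit();
                    // Carry the tighter of the inherited limit and this proxy's own limit.
                    if (ownLimit < certPathValidatorState.m_proxyInfoPathLimit) {
                        next.m_proxyInfoPathLimit = ownLimit - 1;
                        next.m_proxyInfoPathLimiter = subSubject;
                    } else {
                        next.m_proxyInfoPathLimit = certPathValidatorState.m_proxyInfoPathLimit - 1;
                        next.m_proxyInfoPathLimiter = certPathValidatorState.m_proxyInfoPathLimiter;
                    }
                } catch (IOException e) {
                    throw new CertificateException("Parsing of a proxy certificate \"" + subSubject + "\" failed with: " + e.getMessage(), e);
                }
            }
            boolean[] keyUsage = x509Certificate.getKeyUsage();
            // Index 0 of the key usage array is the digitalSignature bit.
            if (keyUsage != null && !keyUsage[0]) {
                throw new CertPathValidatorException("The proxy cert " + subSubject + " has keyUsage extension, but the digital signature bit is not set as required.");
            }
        }
        if (criticalOids != null && !criticalOids.isEmpty()) {
            criticalOids.remove(X509Extensions.KeyUsage.toString());
            if (!criticalOids.isEmpty()) {
                criticalOids.remove(X509Extensions.BasicConstraints.toString());
            }
            if (!criticalOids.isEmpty()) {
                throw new CertPathValidatorException("Certificate " + subSubject + " contains unsupported critical extensions, e.g. " + criticalOids.iterator().next());
            }
        }
        LOGGER.debug("Checking DN match");
        if (!subIssuer.equals(parentSubject)) {
            throw new CertPathValidatorException("cert issuer DN (" + subIssuer + ") - Issuer subject DN (" + parentSubject + ") mismatch.");
        }
        if (x509Certificate2.getBasicConstraints() > -1) {
            DNCheckerImpl namespaceChecker = new DNCheckerImpl();
            FullTrustAnchor[] anchorStack = (FullTrustAnchor[]) certPathValidatorState.m_anchorStack.toArray(new FullTrustAnchor[0]);
            // Walk from the most recently pushed anchor; only the nearest anchor that defines
            // namespace policies is applied.
            // NOTE(review): checkAnchorAndCert can push a null anchor; if m_anchorStack keeps
            // nulls, the dereference below throws NullPointerException (check() turns that
            // into a rejection) - confirm that is the intended outcome.
            for (int idx = anchorStack.length - 1; idx >= 0; idx--) {
                FullTrustAnchor anchor = anchorStack[idx];
                if (anchor.m_namespace != null && !anchor.m_namespace.getPolices().isEmpty()) {
                    namespaceChecker.check(subSubject, parentSubject, anchor.m_namespace.getPolices());
                    break;
                }
            }
            next.m_anchorStack = certPathValidatorState.m_anchorStack;
        }
        return next;
    }

    /**
     * Validates a sub certificate against a CA parent: pair checks, then revocation via the
     * CRL of the matching trust anchor, then the anchor's key usage and path length limit.
     *
     * <p>When CRLs are not required, a missing, expired or not-yet-valid CRL is only logged.
     *
     * @param x509Certificate        the sub certificate
     * @param x509Certificate2       the CA (parent) certificate
     * @param certPathValidatorState state from the previous step; its anchor stack is modified
     * @param z                      {@code true} if the parent must be a stored trust anchor
     *                               ({@link #check} passes true for the top of the path)
     * @return the state for the next step
     * @throws CertPathValidatorException if the anchor is missing, the certificate is revoked,
     *         the CRL is unusable while required, or a pair or key usage check fails
     */
    public CertPathValidatorState checkAnchorAndCert(X509Certificate x509Certificate, X509Certificate x509Certificate2, CertPathValidatorState certPathValidatorState, boolean z) throws CertPathValidatorException, CertificateException, CRLException {
        LOGGER.debug("Checkin cert and anchor");
        FullTrustAnchor anchor = null;
        FullTrustAnchor[] anchors = this.m_storage.getAnchors(OpensslTrustmanager.getOpenSSLCAHash(x509Certificate2.getSubjectDN()));
        if (anchors != null) {
            LOGGER.debug("found " + anchors.length + " CAs that match, cheking which to use");
            for (FullTrustAnchor candidate : anchors) {
                // No break: when several anchors carry the same key, the last one is used.
                if (candidate.m_caCert.getPublicKey().equals(x509Certificate2.getPublicKey())) {
                    anchor = candidate;
                }
            }
        }
        if (anchor == null && z) {
            throw new CertPathValidatorException("The CA certificate " + DNHandler.getSubject(x509Certificate2).getRFCDN() + " was not found. Certificate chain isn't based on any trusted CA.");
        }
        // NOTE(review): anchor may still be null here (CA below the top without a stored
        // anchor); see the namespace walk in checkCertificatePair.
        certPathValidatorState.m_anchorStack.add(anchor);
        CertPathValidatorState next = checkCertificatePair(x509Certificate, x509Certificate2, certPathValidatorState);
        String caDn = DNHandler.getSubject(x509Certificate2).getRFCDN();
        String subDn = DNHandler.getSubject(x509Certificate).getRFCDN();
        if (anchor == null) {
            if (this.m_crlRequired) {
                String msg = "The certificate " + subDn + " is rejected as no CRL was found for CA " + caDn;
                LOGGER.info(msg);
                throw new CertPathValidatorException(msg);
            }
        } else if (anchor.m_crl != null) {
            // NOTE(review): the CRL's own signature is not verified in this method;
            // presumably that happens when the trust store loads it - confirm.
            if (anchor.m_crl.getRevokedCertificate(x509Certificate) != null) {
                String msg = "The certificate " + subDn + " is revoked by " + caDn;
                LOGGER.info(msg);
                throw new CertPathValidatorException(msg);
            }
            Date now = new Date();
            Date nextUpdate = anchor.m_crl.getNextUpdate();
            if (nextUpdate.before(now)) {
                if (this.m_crlRequired) {
                    String msg = "The certificate " + subDn + " is not in the CRL of " + caDn + ", but the CRL has expired on " + nextUpdate + ", so rejecting this certificate.";
                    LOGGER.info(msg);
                    throw new CertPathValidatorException(msg);
                }
                LOGGER.warn("The CRL of " + caDn + " has expired on " + nextUpdate + ", but as CRLs are not required, the cert is not rejected.");
            }
            Date thisUpdate = anchor.m_crl.getThisUpdate();
            if (thisUpdate.after(now)) {
                if (this.m_crlRequired) {
                    String msg = "The certificate " + subDn + " is not in the CRL of " + caDn + ", but the CRL is not yet valid (valid from " + thisUpdate + "), so rejecting this certificate.";
                    LOGGER.info(msg);
                    throw new CertPathValidatorException(msg);
                }
                LOGGER.warn("The CRL of " + caDn + " is not yet valid (valid from " + thisUpdate + "), but as CRLs are not required, the cert is not rejected.");
            }
        } else {
            if (this.m_crlRequired) {
                String msg = "The certificate " + subDn + " is rejected as no CRL was found for CA " + caDn;
                LOGGER.info(msg);
                throw new CertPathValidatorException(msg);
            }
            LOGGER.info("No CRL was found for CA " + caDn + ", but CRLs are not required, so accepting the cert.");
        }
        if (anchor == null || anchor.m_caCert == null) {
            // No stored CA certificate: pass the incoming limit through unchanged.
            next.m_basicConstraintsPathLimit = certPathValidatorState.m_basicConstraintsPathLimit;
            next.m_basicConstraintsPathLimiter = certPathValidatorState.m_basicConstraintsPathLimiter;
        } else {
            boolean[] keyUsage = anchor.m_caCert.getKeyUsage();
            // Index 5 of the key usage array is the keyCertSign bit.
            if (keyUsage != null && !keyUsage[5]) {
                throw new CertPathValidatorException("The CA cert " + caDn + " has keyUsage extension, but the keyCertSign bit is not set as required.");
            }
            int anchorPathLen = anchor.m_caCert.getBasicConstraints();
            if (anchorPathLen < certPathValidatorState.m_basicConstraintsPathLimit - 1) {
                next.m_basicConstraintsPathLimit = anchorPathLen - 1;
                next.m_basicConstraintsPathLimiter = DNHandler.getSubject(anchor.m_caCert);
            } else {
                next.m_basicConstraintsPathLimit = certPathValidatorState.m_basicConstraintsPathLimit - 1;
                next.m_basicConstraintsPathLimiter = certPathValidatorState.m_basicConstraintsPathLimiter;
            }
        }
        LOGGER.debug("Certificate for " + subDn + " is validly issued by CA " + caDn);
        return next;
    }

    /**
     * Returns the CA certificates of all stored trust anchors.
     *
     * @return one certificate per anchor, or {@code null} if the store returns no anchor array
     */
    public X509Certificate[] getCACerts() {
        FullTrustAnchor[] anchors = this.m_storage.getAnchors();
        if (anchors == null) {
            return null;
        }
        X509Certificate[] caCerts = new X509Certificate[anchors.length];
        for (int i = 0; i < anchors.length; i++) {
            caCerts[i] = anchors[i].m_caCert;
        }
        LOGGER.debug("getCACerts: returning " + caCerts.length + " ca certs");
        return caCerts;
    }

    /**
     * Checks the proxy naming rule: the proxy's subject DN without its last CN must equal
     * the signer's subject DN.
     *
     * @param x509Certificate  the proxy (sub) certificate
     * @param x509Certificate2 the signer (parent) certificate
     * @param i                type code of the signer; for a legacy proxy signer (52) the
     *                         proxy's last CN must be "proxy" or "limited proxy"
     * @throws CertificateException if a rule is violated or the DNs cannot be compared
     */
    public void checkDNRestriction(X509Certificate x509Certificate, X509Certificate x509Certificate2, int i) throws CertificateException {
        LOGGER.debug("Checking dn restriction");
        DN proxyDn = DNHandler.getSubject(x509Certificate);
        DN signerDn = DNHandler.getSubject(x509Certificate2);
        try {
            if (!proxyDn.withoutLastCN(false).equals(signerDn)) {
                throw new CertificateException("The DN [" + proxyDn + "] doesn't end with [" + signerDn + "] as required for proxy certs");
            }
            if (i == TYPE_LEGACY_PROXY && !hasLegacyProxyCn(proxyDn)) {
                throw new CertPathValidatorException("Legacy proxy " + proxyDn.getCanon() + " does not end with \"proxy\" or \"limited proxy\" as required.");
            }
        } catch (Exception e) {
            LOGGER.info("Error while cheking naming constrainst between sub [" + proxyDn + "] and signer [" + signerDn + " error: " + e + e.getMessage());
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("StacTrace: ", e);
            }
            if (e instanceof CertificateException) {
                throw (CertificateException) e;
            }
            // Everything else, including the CertPathValidatorException above, is wrapped
            // because this method only declares CertificateException.
            throw new CertificateException("Error while cheking naming constrainst between sub [" + proxyDn + "] and signer [" + signerDn + "] error: " + e + e.getMessage(), e);
        }
    }

    /** Asks the trust store, if there is one, to check for updates. */
    public void checkUpdate() throws IOException, CertificateException, ParseException {
        if (this.m_storage != null) {
            this.m_storage.checkUpdate();
        }
    }

    /** Returns whether the type code is one of the three proxy certificate types. */
    private static boolean isProxyType(int type) {
        return type == TYPE_LEGACY_PROXY || type == TYPE_DRAFT_PROXY || type == TYPE_RFC3820_PROXY;
    }

    /**
     * Returns whether the last CN of the DN is "proxy" or "limited proxy", ignoring case.
     * Lower-casing uses Locale.ROOT so that the decision does not vary with the JVM's
     * default locale.
     */
    private static boolean hasLegacyProxyCn(DN dn) {
        String lastCn = dn.getLastCNValue().toLowerCase(Locale.ROOT);
        return lastCn.equals("proxy") || lastCn.equals("limited proxy");
    }

    static {
        $assertionsDisabled = !OpensslCertPathValidator.class.desiredAssertionStatus();
        LOGGER = Logger.getLogger(OpensslCertPathValidator.class.getName());
    }
}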
