package org.gluu.oxauth.fido2.service;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.slf4j.Logger;

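/**
 * PKIX validation of the X.509 chain carried in a FIDO2 attestation statement
 * against a set of trusted root certificates, plus small certificate helpers.
 *
 * <p>Path validation is attempted twice: first with a soft-failing revocation
 * checker that prefers CRLs, then, only when revocation status could not be
 * determined, with revocation checking disabled.
 */
@ApplicationScoped
public class CertificateValidator {

    @Inject
    private Logger log;

    @Inject
    private Base64Service base64Service;

    /**
     * Dumps {@code x509Certificate} in PEM form to {@code /tmp/cert-<serial>.crt}.
     *
     * <p>The file name embeds the certificate serial number, which in an attestation is
     * supplied by the authenticator; {@code BigInteger.toString()} yields only digits and an
     * optional minus sign, so no path separators can be injected. The directory is shared,
     * and an existing file or symlink of that name is followed and truncated, so treat this
     * as a debugging aid rather than something request handling depends on.
     *
     * @param x509Certificate certificate to write
     * @throws Fido2RPRuntimeException if the file cannot be created or written
     */
    public void saveCertificate(X509Certificate x509Certificate) {
        Path target = Paths.get("/tmp/cert-" + x509Certificate.getSerialNumber() + ".crt");
        // PEM is pure ASCII, so an explicit UTF-8 writer produces the same bytes the
        // platform-default FileWriter did; try-with-resources releases the file even
        // when writeObject() fails part-way.
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(Files.newBufferedWriter(target, StandardCharsets.UTF_8))) {
            pemWriter.writeObject(x509Certificate);
        } catch (IOException e) {
            // The project exception is constructed with a message only, so the cause is logged here.
            this.log.warn("Failed to write certificate to {}: {}", target, e.getMessage(), e);
            throw new Fido2RPRuntimeException("Failed to write root certificate");
        }
    }

    /**
     * Rejects an attestation chain that contains one of the trusted roots themselves.
     *
     * <p>Certificates are compared by their raw signature bytes, Base64-encoded through
     * {@link Base64Service}; a match between any attestation certificate and any trusted
     * root is an error.
     *
     * @param list  attestation certificate chain
     * @param list2 trusted root certificates
     * @throws Fido2RPRuntimeException if an attestation certificate matches a trusted root
     */
    public void checkForTrustedCertsInAttestation(List<X509Certificate> list, List<X509Certificate> list2) {
        // A Set makes the membership test O(1) per attestation certificate.
        Set<String> trustedSignatures = list2.stream()
                .map(this::encodeSignature)
                .collect(Collectors.toSet());
        boolean rootInAttestation = list.stream()
                .map(this::encodeSignature)
                .anyMatch(trustedSignatures::contains);
        if (rootInAttestation) {
            throw new Fido2RPRuntimeException("Root certificate in the attestation");
        }
    }

    /** Base64 form of the certificate's signature bytes; the key this class compares certificates by. */
    private String encodeSignature(X509Certificate certificate) {
        return this.base64Service.encodeToString(certificate.getSignature());
    }

    /**
     * Validates the attestation chain {@code list} against trust anchors built from
     * {@code list2} and returns the first certificate of the chain once it validated.
     *
     * <p>The first pass uses a PKIX revocation checker with {@code SOFT_FAIL} and
     * {@code PREFER_CRLS}; if that pass ends with undetermined revocation status the
     * path is validated again with revocation checking disabled.
     *
     * @param list  attestation certificate chain, first element returned on success
     * @param list2 trusted root certificates used as trust anchors
     * @return the first certificate of {@code list}
     * @throws Fido2RPRuntimeException if the chain is empty, a root appears in the chain,
     *         the path cannot be built, or it does not validate
     */
    public X509Certificate verifyAttestationCertificates(List<X509Certificate> list, List<X509Certificate> list2) {
        if (list == null || list.isEmpty()) {
            // Previously an empty chain surfaced as IndexOutOfBoundsException on list.get(0)
            // or as a validator failure; report it as the exception callers already handle.
            throw new Fido2RPRuntimeException("Problem with certificate");
        }
        try {
            checkForTrustedCertsInAttestation(list, list2);
            // Sequential stream: the root list is small, parallelism buys nothing here.
            Set<TrustAnchor> trustAnchors = list2.stream()
                    .map(root -> new TrustAnchor(root, null))
                    .collect(Collectors.toSet());
            if (trustAnchors.isEmpty()) {
                // NOTE(review): fail-open — with no anchors the first certificate is returned
                // without any path validation. Kept for compatibility with existing callers;
                // a caller that requires a validated chain must supply a non-empty list2.
                this.log.warn("Empty list of trust managers");
                return list.get(0);
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(list);

            // First pass: PKIX with revocation checking, soft-failing on unreachable CRL/OCSP sources.
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
            revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL, PKIXRevocationChecker.Option.PREFER_CRLS));
            PKIXParameters withRevocation = new PKIXParameters(trustAnchors);
            withRevocation.addCertPathChecker(revocationChecker);
            X509Certificate validated = verifyPath(validator, certPath, withRevocation);
            if (validated != null) {
                return validated;
            }

            // Second pass: revocation status was undetermined, so validate the path with
            // revocation disabled. No checker is added to these parameters, so none runs
            // (the previous addCertPathChecker(null) was a no-op and is dropped).
            PKIXParameters withoutRevocation = new PKIXParameters(trustAnchors);
            withoutRevocation.setRevocationEnabled(false);
            return verifyPath(CertPathValidator.getInstance("PKIX"), certPath, withoutRevocation);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException e) {
            this.log.warn("Cert verification problem {}", e.getMessage(), e);
            throw new Fido2RPRuntimeException("Problem with certificate");
        }
    }

    /**
     * Runs {@code certPathValidator} over {@code certPath} with {@code pKIXParameters}.
     *
     * @return the first certificate of the path when validation succeeds, or {@code null}
     *         when it failed solely because revocation status was undetermined (the caller
     *         then retries without revocation checking)
     * @throws Fido2RPRuntimeException on any other validation failure or parameter problem
     */
    private X509Certificate verifyPath(CertPathValidator certPathValidator, CertPath certPath, PKIXParameters pKIXParameters) {
        try {
            certPathValidator.validate(certPath, pKIXParameters);
            return (X509Certificate) certPath.getCertificates().get(0);
        } catch (InvalidAlgorithmParameterException e) {
            this.log.warn("Cert verification problem {}", e.getMessage(), e);
            throw new Fido2RPRuntimeException("Problem with certificate");
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // null is the signal to retry without revocation checking rather than a failure.
                this.log.info("Cert not validated against the root {}", e.getMessage());
                return null;
            }
            this.log.warn("Cert not validated against the root {}", e.getMessage());
            throw new Fido2RPRuntimeException("Problem with certificate " + e.getMessage());
        }
    }

    /**
     * Whether {@code x509Certificate} is signed by its own public key and names itself as issuer.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} only if the signature verifies under the certificate's own key
     *         and issuer equals subject
     */
    public boolean isSelfSigned(X509Certificate x509Certificate) {
        return isSelfSigned(x509Certificate, x509Certificate.getPublicKey());
    }

    /**
     * Whether {@code x509Certificate}'s signature verifies under {@code publicKey} and its
     * issuer equals its subject. A verification error is reported as {@code false}, not thrown.
     *
     * @param x509Certificate certificate to inspect
     * @param publicKey       key the signature is verified with
     * @return {@code true} if the signature verifies and issuer equals subject
     */
    public boolean isSelfSigned(X509Certificate x509Certificate, PublicKey publicKey) {
        try {
            x509Certificate.verify(publicKey);
            // X500Principal equality uses the canonical DN form; getIssuerDN()/getSubjectDN()
            // are denigrated in the JDK in favour of these accessors.
            return x509Certificate.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            this.log.warn("Probably not self signed cert. Cert verification problem {}", e.getMessage());
            return false;
        }
    }
}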
