package org.xdi.oxauth.cert.validation;

import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.xdi.oxauth.cert.validation.model.ValidationStatus;
import org.xdi.oxauth.model.util.SecurityProviderUtility;

/* loaded from: input_file:org/xdi/oxauth/cert/validation/PathCertificateVerifier.class */
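/**
 * Certificate verifier that builds and validates a PKIX certification path from the target
 * certificate to a trust anchor, using the Bouncy Castle ("BC") PKIX {@link CertPathBuilder}.
 *
 * <p>Trust model: every self-signed certificate found in the issuer list handed to
 * {@link #validate} (or to {@link #verifyCertificate(X509Certificate, List)}) is turned into a
 * {@link TrustAnchor}; all other issuer certificates are offered as intermediates through a
 * collection {@link CertStore}. The issuer list therefore defines the trust root and must only
 * contain certificates the deployment actually trusts.
 *
 * <p>Revocation checking is disabled on the builder parameters: this class answers "does a
 * valid chain exist", not "has the certificate been revoked". Revocation has to be covered by
 * a separate check.
 */
public class PathCertificateVerifier implements CertificateVerifier {
    private static final Logger log = Logger.getLogger(PathCertificateVerifier.class);

    // When false, a self-signed target certificate is rejected before any path is built.
    private boolean verifySelfSignedCertificate;

    /**
     * Creates a verifier and makes sure the Bouncy Castle security provider is installed, since
     * {@link #verifyCertificate(X509Certificate, Set, Set)} requests the "BC" path builder.
     *
     * @param verifySelfSignedCertificate whether a self-signed target certificate may be
     *        verified at all ({@code false} makes such a certificate fail verification)
     */
    public PathCertificateVerifier(boolean verifySelfSignedCertificate) {
        SecurityProviderUtility.installBCProvider(true);
        this.verifySelfSignedCertificate = verifySelfSignedCertificate;
    }

    /**
     * Validates {@code certificate} by building a PKIX path from it to a trust anchor.
     *
     * <p>The candidate chain is {@code certificate} followed by {@code issuers}; the self-signed
     * members of that chain act as trust anchors (see the class comment).
     *
     * @param certificate the end-entity certificate to validate
     * @param issuers trusted issuer certificates; must not be empty, since the first entry is
     *        recorded as the issuer in the returned status ({@code issuers.get(0)} throws on an
     *        empty list)
     * @param validationDate date recorded in the returned status; NOTE: it is not applied to the
     *        path builder, which checks the chain's validity periods against the current time
     * @return a status of {@code VALID} when a path was built, {@code INVALID} when it was not,
     *         or with the initial {@code UNKNOWN} validity when an unexpected error interrupted
     *         validation
     */
    @Override // org.xdi.oxauth.cert.validation.CertificateVerifier
    public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
        ValidationStatus status = new ValidationStatus(certificate, issuers.get(0), validationDate,
                ValidationStatus.ValidatorSourceType.CHAIN, ValidationStatus.CertificateValidity.UNKNOWN);
        try {
            // The target certificate heads the candidate chain; the issuers follow it.
            List<X509Certificate> chain = new ArrayList<X509Certificate>(issuers.size() + 1);
            chain.add(certificate);
            chain.addAll(issuers);

            X500Principal subject = certificate.getSubjectX500Principal();

            PKIXCertPathBuilderResult pathResult = verifyCertificate(certificate, chain);
            if (pathResult == null) {
                log.warn("Chain status is not valid for '" + subject + "'");
                status.setValidity(ValidationStatus.CertificateValidity.INVALID);
                return status;
            }

            log.debug("Chain status is valid for '" + subject + "'");
            status.setValidity(ValidationStatus.CertificateValidity.VALID);
        } catch (Exception ex) {
            // Unexpected failure: the status keeps its initial UNKNOWN validity; it never
            // becomes VALID without a successfully built path.
            log.error("Certificate chain validation exception: ", ex);
        }
        return status;
    }

    /**
     * Builds a certification path for {@code certificate} using {@code additionalCerts}.
     *
     * <p>Self-signed certificates in {@code additionalCerts} become trust anchors; the rest are
     * offered as intermediates. The target is additionally required to be an end-entity
     * certificate (no CA basic constraint). Note that when {@code certificate} itself appears in
     * {@code additionalCerts} and is self-signed (as {@link #validate} arranges), it is added as
     * its own trust anchor; whether the builder then accepts it depends on the PKIX
     * implementation — confirm before relying on the self-signed mode.
     *
     * @param certificate the target certificate
     * @param additionalCerts candidate trust anchors and intermediates
     * @return the builder result when a path exists and the target is an end-entity certificate;
     *         {@code null} when the target is self-signed and that is not permitted, when no path
     *         can be built, or when the target is a CA certificate
     */
    public PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, List<X509Certificate> additionalCerts) {
        try {
            if (!this.verifySelfSignedCertificate && isSelfSigned(certificate)) {
                log.error("The certificate is self-signed!");
                return null;
            }

            // Split the supplied certificates into trust anchors (self-signed) and intermediates.
            // Anything self-signed in this list is trusted unconditionally, so callers must only
            // pass certificates the deployment trusts.
            Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
            Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
            for (X509Certificate additionalCert : additionalCerts) {
                if (isSelfSigned(additionalCert)) {
                    trustedRootCerts.add(additionalCert);
                } else {
                    intermediateCerts.add(additionalCert);
                }
            }

            PKIXCertPathBuilderResult result = verifyCertificate(certificate, trustedRootCerts, intermediateCerts);

            // Fail closed if the builder returned a path with no certificates to inspect.
            if (result.getCertPath().getCertificates().isEmpty()) {
                log.error("Built certificate path contains no certificates!");
                return null;
            }

            // getBasicConstraints() == -1 means no CA basic constraint: the target must be an
            // end-entity certificate, not a CA certificate.
            X509Certificate target = (X509Certificate) result.getCertPath().getCertificates().get(0);
            if (target.getBasicConstraints() != -1) {
                log.error("Target certificate is not an EE certificate!");
                return null;
            }
            return result;
        } catch (GeneralSecurityException ex) {
            // Covers CertPathBuilderException (no path) as well as provider/parameter failures,
            // including an empty trust-anchor set rejected by PKIXBuilderParameters.
            log.error("Failed to build certificate path", ex);
            return null;
        }
    }

    /**
     * Tells whether {@code certificate}'s signature verifies under its own public key.
     *
     * <p>Only the signature is checked; subject and issuer names are not compared.
     *
     * @param certificate the certificate to examine
     * @return {@code true} when the signature verifies with the certificate's own key;
     *         {@code false} on a key mismatch or a failed signature check
     * @throws CertificateException on encoding errors
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
     * @throws NoSuchProviderException if no provider supplies the algorithm
     */
    public static boolean isSelfSigned(X509Certificate certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException ex) {
            return false;
        } catch (SignatureException ex) {
            return false;
        }
    }

    /**
     * Runs the BC PKIX builder with the given anchors and intermediates.
     *
     * @param certificate target certificate; the selector also requires it to be an end-entity
     *        certificate ({@code setBasicConstraints(-2)})
     * @param trustedRootCerts certificates used as trust anchors
     * @param intermediateCerts intermediate certificates offered through a collection store
     * @return the built path, ending at one of the trust anchors
     * @throws GeneralSecurityException when no path can be built, when the anchor set is empty,
     *         or when the builder or store cannot be set up
     */
    private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        // -2 restricts matches to end-entity certificates (no CA basic constraint).
        selector.setBasicConstraints(-2);
        selector.setCertificate(certificate);

        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate trustedRootCert : trustedRootCerts) {
            trustAnchors.add(new TrustAnchor(trustedRootCert, null));
        }

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);
        // Revocation (CRL/OCSP) is deliberately not checked here; it must be covered elsewhere.
        params.setRevocationEnabled(false);
        // No setDate(): validity periods are evaluated against the current system time.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)));

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", "BC").build(params);
    }

    /**
     * Nothing to release: this verifier holds no resources beyond its configuration flag.
     */
    @Override // org.xdi.oxauth.cert.validation.CertificateVerifier
    public void destroy() {
    }
}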
