package org.apache.synapse.transport.certificatevalidation.pathvalidation;

import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.commons.crypto.CryptoConstants;
import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
import org.apache.synapse.transport.certificatevalidation.RevocationVerifier;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-2.1.7-wso2v85.jar:org/apache/synapse/transport/certificatevalidation/pathvalidation/CertificatePathValidator.class */
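/**
 * Runs PKIX certification-path validation over a certificate chain, with a
 * {@link PathChecker} plugged in as an additional per-certificate check.
 *
 * <p><strong>Trust model.</strong> The trust anchor is the <em>last element of the
 * supplied chain</em>, not an entry from a locally configured trust store. The
 * validation therefore shows that the chain is internally consistent (each
 * certificate chains up to that last element and passes the PKIX checks and the
 * {@code PathChecker}); it does not by itself show that the last element is a root
 * this deployment trusts.
 * NOTE(review): confirm that callers establish trust in the root separately (for
 * example through the TLS trust manager) before relying on this result for a chain
 * presented by a peer.
 *
 * <p>Instances keep the chain passed to the constructor; no synchronization is done.
 */
public class CertificatePathValidator {
    private static final Log log = LogFactory.getLog(CertificatePathValidator.class);

    private final PathChecker pathChecker;
    // Complete chain as supplied; the last element is used as the trust anchor.
    List<X509Certificate> fullCertChain;
    // Chain without its last element; this is the path handed to the PKIX validator.
    List<X509Certificate> certChain;

    /**
     * Creates a validator for the given chain.
     *
     * @param x509CertificateArr the chain to validate; its last element is treated as the
     *                           trust anchor and every preceding element as part of the path
     * @param revocationVerifier passed through to the {@link PathChecker}
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    public CertificatePathValidator(X509Certificate[] x509CertificateArr, RevocationVerifier revocationVerifier) {
        // Reject an unusable chain up front with a clear message instead of failing later
        // with a NullPointerException or NegativeArraySizeException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain must contain at least one certificate");
        }
        this.pathChecker = new PathChecker(x509CertificateArr, revocationVerifier);
        init(x509CertificateArr);
    }

    /**
     * Splits the supplied chain into the full chain and the path without its last element.
     * Both lists are backed by private copies, so later changes to the caller's array do
     * not alter what gets validated.
     */
    private void init(X509Certificate[] x509CertificateArr) {
        X509Certificate[] fullCopy = x509CertificateArr.clone();
        this.certChain = Arrays.asList(Arrays.copyOf(fullCopy, fullCopy.length - 1));
        this.fullCertChain = Arrays.asList(fullCopy);
    }

    /**
     * Validates the certification path with the PKIX algorithm of the Bouncy Castle provider.
     *
     * <p>The provider's built-in revocation checking is switched off; the {@link PathChecker}
     * registered on the parameters runs instead (presumably it performs the revocation checks
     * through the {@code RevocationVerifier} it was built with; its code is not part of this
     * class). Validity is evaluated at the current system time.
     *
     * @throws CertificateVerificationException if path validation fails or cannot be set up;
     *         for a {@link CertPathValidatorException} the message carries the index reported
     *         by the exception (zero-based position in the path, {@code -1} when not tied to
     *         a particular certificate)
     */
    public void validatePath() throws CertificateVerificationException {
        // Register Bouncy Castle only when it is missing; addProvider ignores a provider whose
        // name is already installed, so this just avoids building a new instance per call.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        try {
            CertStore certStore = CertStore.getInstance(
                    "Collection",
                    new CollectionCertStoreParameters(this.fullCertChain),
                    CryptoConstants.BOUNCY_CASTLE_PROVIDER);
            CertPath certPath = CertificateFactory
                    .getInstance(XMLX509Certificate.JCA_CERT_ID, CryptoConstants.BOUNCY_CASTLE_PROVIDER)
                    .generateCertPath(this.certChain);

            // The anchor comes from the supplied chain itself (see the class-level trust model note).
            X509Certificate anchorCert = this.fullCertChain.get(this.fullCertChain.size() - 1);
            Set<TrustAnchor> trustAnchors = Collections.singleton(new TrustAnchor(anchorCert, null));

            PKIXParameters pkixParameters = new PKIXParameters(trustAnchors);
            pkixParameters.addCertPathChecker(this.pathChecker);
            // Default PKIX revocation checking is disabled here; the custom checker above is
            // the only additional check registered on these parameters.
            pkixParameters.setRevocationEnabled(false);
            pkixParameters.addCertStore(certStore);
            pkixParameters.setDate(new Date());

            CertPathValidator certPathValidator =
                    CertPathValidator.getInstance("PKIX", CryptoConstants.BOUNCY_CASTLE_PROVIDER);
            certPathValidator.validate(certPath, pkixParameters);
            log.info("Certificate path validated");
        } catch (CertPathValidatorException e) {
            throw new CertificateVerificationException("Certificate Path Validation failed on certificate number " + e.getIndex() + ", details: " + e.getMessage(), e);
        } catch (Exception e2) {
            // Boundary catch: any provider or setup failure is reported as a verification
            // failure, so the caller never treats an unverified chain as valid.
            throw new CertificateVerificationException("Certificate Path Validation failed", e2);
        }
    }
}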
