package org.apache.shiro.authc.x509;

import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.CertPathReviewerException;
import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;
import org.bouncycastle.x509.PKIXCertPathReviewer;

/* loaded from: input_file:org/apache/shiro/authc/x509/X509CredentialsPKIXPathMatcher.class */
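/**
 * Credentials matcher that accepts an X.509 authentication token when a PKIX
 * certification path can be built from the presented certificate to one of the
 * trust anchors granted in the account's {@link X509AuthenticationInfo}.
 *
 * <p>Path building is delegated to the BouncyCastle "PKIX" {@link CertPathBuilder}.
 * Revocation checking is switched off for that build, so this matcher on its own
 * does not reject a revoked certificate that still chains to a granted anchor.
 * NOTE(review): confirm revocation is enforced elsewhere if the deployment needs it.
 */
public class X509CredentialsPKIXPathMatcher extends AbstractX509CredentialsMatcher {
    /**
     * Decides whether the presented certificate chains to a granted trust anchor.
     *
     * @param x509AuthenticationToken token supplying the certificate selector, the
     *        certificate chain store and the presented certificate
     * @param x509AuthenticationInfo account data supplying the granted trust anchors
     * @return {@code true} if a certification path was built, {@code false} if path
     *         building failed with a {@link GeneralSecurityException}
     */
    @Override // org.apache.shiro.authc.x509.AbstractX509CredentialsMatcher
    public boolean doX509CredentialsMatch(X509AuthenticationToken x509AuthenticationToken, X509AuthenticationInfo x509AuthenticationInfo) {
        try {
            ExtendedPKIXBuilderParameters builderParams = new ExtendedPKIXBuilderParameters(
                    x509AuthenticationInfo.getGrantedTrustAnchors(),
                    x509AuthenticationToken.getX509CertSelector());
            builderParams.addStore(x509AuthenticationToken.getX509CertChainStore());
            // No CRL/OCSP lookup is performed for this build; see the class comment.
            builderParams.setRevocationEnabled(false);
            CertPathBuilderResult result = CertPathBuilder
                    .getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME)
                    .build(builderParams);
            if (LOGGER.isDebugEnabled()) {
                // Diagnostics only: a failure while describing the path must not turn an
                // accepted credential into a rejected one, otherwise the authentication
                // outcome would depend on the configured log level.
                logCertPath(x509AuthenticationToken, result, builderParams);
            }
            return true;
        } catch (GeneralSecurityException e) {
            // Rejections are only visible at TRACE.
            // NOTE(review): consider whether failed certificate authentications should be
            // logged at a level that operations actually collect.
            LOGGER.trace("Unable to do credentials matching", e);
            return false;
        }
    }

    /**
     * Logs a description of the certification path that was built. Any failure while
     * reviewing the path is logged and swallowed, because the accept decision has
     * already been taken by the path builder.
     */
    private void logCertPath(X509AuthenticationToken token, CertPathBuilderResult result, ExtendedPKIXBuilderParameters builderParams) {
        try {
            PKIXCertPathReviewer reviewer = new PKIXCertPathReviewer(result.getCertPath(), builderParams);
            Boolean valid = Boolean.valueOf(reviewer.isValidCertPath());
            int pathSize = reviewer.getCertPathSize();
            String subjectName = token.getX509Certificate().getSubjectX500Principal().getName();
            X509Certificate lastInPath = (X509Certificate) reviewer.getCertPath().getCertificates().get(pathSize - 1);
            LOGGER.debug("A valid ({}) certification path (length: {}) was found for the following certificate: '{}' ending on: '{}'",
                    new Object[]{valid, Integer.valueOf(pathSize), subjectName, lastInPath.getSubjectX500Principal().getName()});
        } catch (CertPathReviewerException e) {
            LOGGER.debug("Unable to review the certification path for diagnostic logging", e);
        } catch (RuntimeException e) {
            // e.g. an empty path makes get(pathSize - 1) throw; still diagnostics only.
            LOGGER.debug("Unable to review the certification path for diagnostic logging", e);
        }
    }

    static {
        // The path builder above is requested from the BouncyCastle provider by name, so the
        // provider has to be registered. Security.addProvider affects the whole JVM, which is
        // why the forced registration is reported at WARN.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
            LOGGER.warn("BouncyCastle Provider was not registered, forced registration. That's certainly something you wanna do yourself.");
        }
    }
}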
