package xades4j.providers.impl;

import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import xades4j.providers.CannotBuildCertificationPathException;
import xades4j.providers.CannotSelectCertificateException;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;
import xades4j.verification.UnexpectedJCAException;

/* loaded from: input_file:xades4j/providers/impl/PKIXCertificateValidationProvider.class */
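/**
 * {@link CertificateValidationProvider} backed by the JCA PKIX {@link CertPathBuilder}.
 * <p>
 * The certification path for the certificate matched by the selector is built from the trust
 * anchors {@code KeyStore}, the certificates handed to {@link #validate} and any intermediate
 * {@link CertStore}s configured through the {@link Builder}. Revocation checking is enabled by
 * default and is performed by the PKIX builder itself; this class additionally collects the
 * CRLs that apply to the built path, re-verifies their signatures and returns them in the
 * {@link ValidationData}.
 * <p>
 * Instances are immutable once built; create them with {@link #builder(KeyStore)}.
 */
public final class PKIXCertificateValidationProvider implements CertificateValidationProvider {
    /** Default bound on the number of non-self-issued intermediate certificates in a path. */
    private static final int DEFAULT_MAX_PATH_LENGTH = 6;
    /** KeyStore whose trusted certificate entries become the PKIX trust anchors. */
    private final KeyStore trustAnchors;
    private final boolean revocationEnabled;
    private final int maxPathLength;
    /** Intermediate certificates and CRLs; also the only source of CRLs for the returned data. */
    private final CertStore[] intermCertsAndCrls;
    private final CertPathBuilder certPathBuilder;
    /** JCA provider name used for signature verification, or {@code null} for default lookup. */
    private final String signatureProvider;

    /**
     * Fluent configuration for a {@link PKIXCertificateValidationProvider}.
     * <p>
     * Defaults: no intermediate cert stores, revocation checking enabled, max path length
     * {@value PKIXCertificateValidationProvider#DEFAULT_MAX_PATH_LENGTH}, default JCA providers.
     */
    public static final class Builder {
        private final KeyStore trustAnchors;
        private CertStore[] certStores;
        private boolean revocationEnabled;
        private int maxPathLength;
        private String certPathBuilderProvider;
        private String signatureProvider;

        /**
         * @param keyStore the trust anchors (must already be loaded)
         * @throws NullPointerException if {@code keyStore} is {@code null}
         */
        private Builder(KeyStore keyStore) {
            if (null == keyStore) {
                throw new NullPointerException("Trust anchors cannot be null");
            }
            this.trustAnchors = keyStore;
            this.certStores = new CertStore[0];
            this.revocationEnabled = true;
            this.maxPathLength = PKIXCertificateValidationProvider.DEFAULT_MAX_PATH_LENGTH;
        }

        /**
         * Creates the provider from the current configuration.
         *
         * @throws NoSuchAlgorithmException if no {@code PKIX} {@link CertPathBuilder} is available
         * @throws NoSuchProviderException  if the configured cert-path-builder provider is not registered
         */
        public PKIXCertificateValidationProvider build() throws NoSuchAlgorithmException, NoSuchProviderException {
            return new PKIXCertificateValidationProvider(this);
        }

        /**
         * Sets the stores used for intermediate certificates and CRLs. The array is copied, so
         * later changes to the caller's array do not affect the provider.
         *
         * @throws NullPointerException if {@code certStoreArr} is {@code null}
         */
        public Builder intermediateCertStores(CertStore... certStoreArr) {
            if (null == certStoreArr) {
                throw new NullPointerException("Cert stores cannot be null");
            }
            this.certStores = certStoreArr.clone();
            return this;
        }

        /**
         * Enables or disables revocation checking. When disabled, revoked certificates are not
         * detected and the returned {@link ValidationData} carries no CRLs.
         */
        public Builder checkRevocation(boolean z) {
            this.revocationEnabled = z;
            return this;
        }

        /**
         * Sets the maximum number of non-self-issued intermediate certificates in a path;
         * {@code -1} means unlimited. Values below {@code -1} are rejected by the PKIX
         * parameters at validation time.
         */
        public Builder maxPathLength(int i) {
            this.maxPathLength = i;
            return this;
        }

        /** Sets the JCA provider for the {@code PKIX} cert path builder; {@code null} uses the default. */
        public Builder certPathBuilderProvider(String str) {
            this.certPathBuilderProvider = str;
            return this;
        }

        /** Sets the JCA provider for signature verification; {@code null} uses the default. */
        public Builder signatureProvider(String str) {
            this.signatureProvider = str;
            return this;
        }
    }

    /**
     * Starts building a provider whose trust anchors are the trusted certificate entries of
     * {@code keyStore}.
     *
     * @throws NullPointerException if {@code keyStore} is {@code null}
     */
    public static Builder builder(KeyStore keyStore) {
        return new Builder(keyStore);
    }

    private PKIXCertificateValidationProvider(Builder builder) throws NoSuchAlgorithmException, NoSuchProviderException {
        this.trustAnchors = builder.trustAnchors;
        this.revocationEnabled = builder.revocationEnabled;
        this.maxPathLength = builder.maxPathLength;
        this.certPathBuilder = builder.certPathBuilderProvider == null
                ? CertPathBuilder.getInstance("PKIX")
                : CertPathBuilder.getInstance("PKIX", builder.certPathBuilderProvider);
        this.signatureProvider = builder.signatureProvider;
        this.intermCertsAndCrls = builder.certStores;
    }

    /**
     * Builds and validates the certification path for the certificate matched by the selector.
     *
     * @param x509CertSelector selects the end certificate of the path
     * @param date             validation time; {@code null} means the current time
     * @param collection       extra certificates (e.g. from the signature's KeyInfo) to build the
     *                         path from, or {@code null}
     * @return the path ordered leaf first and ending with the trust anchor certificate, plus the
     *         signature-verified CRLs for that path when revocation checking is enabled
     * @throws CannotBuildCertificationPathException if no valid path to a trust anchor exists or
     *                                               the trust anchors KeyStore is unusable
     * @throws CannotSelectCertificateException      if the selector cannot be applied
     * @throws CertificateValidationException        if the CRLs for the path cannot be obtained or
     *                                               fail signature verification
     * @throws UnexpectedJCAException                if the JCA lacks a "Collection" CertStore
     */
    @Override
    public ValidationData validate(X509CertSelector x509CertSelector, Date date, Collection<X509Certificate> collection) throws CertificateValidationException, UnexpectedJCAException {
        PKIXBuilderParameters pkixBuilderParameters = getPkixBuilderParameters(x509CertSelector);
        // One try around the whole build: CertStore.getInstance and CertPathBuilder.build both
        // throw the checked exceptions mapped below.
        try {
            if (collection != null) {
                pkixBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection)));
            }
            for (CertStore certStore : this.intermCertsAndCrls) {
                pkixBuilderParameters.addCertStore(certStore);
            }
            pkixBuilderParameters.setRevocationEnabled(this.revocationEnabled);
            pkixBuilderParameters.setMaxPathLength(this.maxPathLength);
            pkixBuilderParameters.setDate(date);
            pkixBuilderParameters.setSigProvider(this.signatureProvider);

            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) this.certPathBuilder.build(pkixBuilderParameters);

            // The built CertPath excludes the trust anchor; append it so the returned list is the
            // complete chain. A PKIX builder yields an "X.509" path, so the per-element cast holds.
            List<? extends Certificate> built = result.getCertPath().getCertificates();
            List<X509Certificate> certPath = new ArrayList<>(built.size() + 1);
            for (Certificate certificate : built) {
                certPath.add((X509Certificate) certificate);
            }
            // Trust anchors derived from a KeyStore always carry the trusted certificate.
            certPath.add(result.getTrustAnchor().getTrustedCert());

            return this.revocationEnabled
                    ? new ValidationData(certPath, getCRLsForCertPath(certPath, date))
                    : new ValidationData(certPath);
        } catch (CertPathBuilderException e) {
            throw new CannotBuildCertificationPathException(x509CertSelector, e.getMessage(), e);
        } catch (InvalidAlgorithmParameterException e) {
            // Raised when the selector criteria cannot be applied to the builder parameters.
            throw new CannotSelectCertificateException(x509CertSelector, e);
        } catch (NoSuchAlgorithmException e) {
            throw new UnexpectedJCAException("No provider for Collection CertStore", e);
        }
    }

    /**
     * Creates the PKIX parameters from the trust anchors KeyStore and the target selector.
     *
     * @throws CannotBuildCertificationPathException if the KeyStore is not initialized or has no
     *                                               trusted certificate entries
     */
    private PKIXBuilderParameters getPkixBuilderParameters(X509CertSelector x509CertSelector) throws CannotBuildCertificationPathException {
        try {
            return new PKIXBuilderParameters(this.trustAnchors, x509CertSelector);
        } catch (InvalidAlgorithmParameterException e) {
            throw new CannotBuildCertificationPathException(x509CertSelector, "Trust anchors KeyStore has no trusted certificate entries", e);
        } catch (KeyStoreException e2) {
            throw new CannotBuildCertificationPathException(x509CertSelector, "Trust anchors KeyStore is not initialized", e2);
        }
    }

    /**
     * Collects, from the configured intermediate stores, the CRLs issued by the issuers in the
     * given path and verifies each CRL's signature.
     * <p>
     * {@code certPath} is ordered leaf first and ends with the trust anchor. For every certificate
     * but the last, the next certificate is taken as its issuer; a CRL is accepted only if its
     * issuer name is one of those issuers and it verifies with that issuer's public key. Indirect
     * CRLs (signed by a key other than the certificate issuer's) are therefore rejected. Full CRL
     * validation (issuer key usage, scope, freshness) is left to the PKIX builder when revocation
     * is enabled; this method only guarantees that no unsigned or tampered CRL is returned.
     *
     * @param certPath the complete chain, leaf first, trust anchor last
     * @param date     only CRLs whose validity window contains this time are selected;
     *                 {@code null} disables the time check
     * @throws CertificateValidationException if a store cannot be queried, a CRL names an issuer
     *                                        outside the path, or a CRL signature does not verify
     */
    private Collection<X509CRL> getCRLsForCertPath(List<X509Certificate> certPath, Date date) throws CertificateValidationException {
        // Map each issuer name in the path to the certificate holding that issuer's public key.
        Map<X500Principal, X509Certificate> issuers = new HashMap<>(Math.max(0, certPath.size() - 1));
        for (int i = 0; i < certPath.size() - 1; i++) {
            issuers.put(certPath.get(i).getIssuerX500Principal(), certPath.get(i + 1));
        }

        X509CRLSelector crlSelector = new X509CRLSelector();
        for (X500Principal issuer : issuers.keySet()) {
            crlSelector.addIssuer(issuer);
        }
        crlSelector.setDateAndTime(date);

        Set<X509CRL> crls = new HashSet<>();
        try {
            for (CertStore store : this.intermCertsAndCrls) {
                // X509CRLSelector only matches X509CRL instances, so the cast cannot fail for a
                // conforming store; casting per element reports a misbehaving store right here.
                for (CRL crl : store.getCRLs(crlSelector)) {
                    crls.add((X509CRL) crl);
                }
            }
        } catch (CertStoreException e) {
            throw new CertificateValidationException(null, "Cannot get CRLs", e);
        }

        for (X509CRL crl : crls) {
            X500Principal crlIssuer = crl.getIssuerX500Principal();
            X509Certificate issuerCert = issuers.get(crlIssuer);
            if (null == issuerCert) {
                // The selector restricts issuers to those in the path; reaching here means a store
                // ignored the selector. Report it instead of failing with an NPE.
                throw new CertificateValidationException(null, "No certificate in the path for CRL issuer " + crlIssuer.getName(), null);
            }
            try {
                if (null == this.signatureProvider) {
                    crl.verify(issuerCert.getPublicKey());
                } else {
                    crl.verify(issuerCert.getPublicKey(), this.signatureProvider);
                }
            } catch (GeneralSecurityException e) {
                throw new CertificateValidationException(null, "Invalid CRL signature from " + crlIssuer.getName(), e);
            }
        }
        return crls;
    }
}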
