package org.eclipse.milo.opcua.stack.core.util.validation;

import com.google.common.collect.Sets;
import java.lang.reflect.Method;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/util/validation/OpcUaCertificateRevocationChecker.class */
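/**
 * Revocation checker that wraps the SUN provider's PKIX revocation checker and applies the
 * caller's set of {@link ValidationCheck}s to its verdicts.
 *
 * <p>Policy implemented by this class, as visible in the code below:
 *
 * <ul>
 *   <li>The delegate always runs with {@code NO_FALLBACK} and {@code PREFER_CRLS}.
 *   <li>If {@link ValidationCheck#REVOCATION_LISTS} is absent from the supplied set, the delegate
 *       additionally runs with {@code SOFT_FAIL}. Failures tolerated that way are only visible
 *       through {@link #getSoftFailExceptions()}.
 *   <li>If {@link ValidationCheck#REVOCATION} is absent from the supplied set, a certificate the
 *       delegate reports as {@code REVOKED} is accepted and only a warning is logged.
 *   <li>Every other failure is rethrown to the caller.
 * </ul>
 *
 * <p>Both relaxations weaken the trust decision; callers that must reject revoked certificates
 * have to pass both checks in the set.
 *
 * <p>The set of validation checks is stored by reference, not copied. {@code SOFT_FAIL} is decided
 * once in the constructor, while {@code REVOCATION} is consulted on every {@link #check} call.
 *
 * <p>NOTE(review): initialisation reflects into the JDK-internal package
 * {@code sun.security.provider.certpath} and requires the "SUN" provider. On runtimes that
 * strongly encapsulate JDK internals this is expected to need the package opened to this code
 * (for example {@code --add-opens java.base/sun.security.provider.certpath=ALL-UNNAMED}); confirm
 * for the deployed JDK. A failure there surfaces as an exception, not as a skipped check.
 */
public class OpcUaCertificateRevocationChecker extends PKIXRevocationChecker {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpcUaCertificateRevocationChecker.class);

    // The SUN PKIX revocation checker that performs the actual CRL processing.
    private final PKIXRevocationChecker checker;
    private final CertPath certPath;
    private final TrustAnchor trustAnchor;
    private final PKIXParameters parameters;
    // Caller-owned policy set; held by reference (see class documentation).
    private final Set<ValidationCheck> validationChecks;

    /**
     * Creates the checker, configures the delegate's options and initialises it for the given path.
     *
     * @param certPath the certificate path whose certificates will be checked
     * @param trustAnchor the trust anchor the path chains to
     * @param pKIXParameters the PKIX parameters handed to the delegate's internal initialisation
     * @param set the validation checks to enforce; must not be {@code null}
     * @throws Exception if the "SUN" PKIX validator is unavailable or the reflective
     *     initialisation of the delegate fails
     */
    public OpcUaCertificateRevocationChecker(CertPath certPath, TrustAnchor trustAnchor, PKIXParameters pKIXParameters, Set<ValidationCheck> set) throws Exception {
        this.certPath = certPath;
        this.trustAnchor = trustAnchor;
        this.parameters = pKIXParameters;
        this.validationChecks = set;

        Set<PKIXRevocationChecker.Option> options =
            Sets.newHashSet(PKIXRevocationChecker.Option.NO_FALLBACK, PKIXRevocationChecker.Option.PREFER_CRLS);
        if (!set.contains(ValidationCheck.REVOCATION_LISTS)) {
            // Without REVOCATION_LISTS the delegate tolerates an undeterminable revocation status.
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }

        // Pinned to the "SUN" provider because initRevocationChecker() relies on its internals.
        this.checker = (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX", "SUN").getRevocationChecker();
        this.checker.setOptions(options);
        initRevocationChecker();
    }

    /**
     * Initialises the delegate through the SUN provider's non-public API: builds the internal
     * validator parameters from {@code certPath} and {@code parameters}, then passes them together
     * with the trust anchor to the delegate's {@code init} method.
     *
     * @throws Exception if the internal classes or methods cannot be found, made accessible or
     *     invoked
     */
    private void initRevocationChecker() throws Exception {
        Class<?> pkixClass = Class.forName("sun.security.provider.certpath.PKIX");
        Class<?> validatorParamsClass = Class.forName("sun.security.provider.certpath.PKIX$ValidatorParams");
        Class<?> revocationCheckerClass = Class.forName("sun.security.provider.certpath.RevocationChecker");

        Method checkParams = pkixClass.getDeclaredMethod("checkParams", CertPath.class, CertPathParameters.class);
        checkParams.setAccessible(true);
        Object validatorParams = checkParams.invoke(null, this.certPath, this.parameters);

        Method init = revocationCheckerClass.getDeclaredMethod("init", TrustAnchor.class, validatorParamsClass);
        init.setAccessible(true);
        init.invoke(this.checker, this.trustAnchor, validatorParams);
    }

    /**
     * Returns the exceptions the delegate tolerated under {@code SOFT_FAIL}.
     *
     * @return the delegate's soft-fail exceptions
     */
    @Override
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return this.checker.getSoftFailExceptions();
    }

    /** Forwards to the delegate's {@code init(boolean)}. */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        this.checker.init(z);
    }

    /** Forwards to the delegate. */
    @Override
    public boolean isForwardCheckingSupported() {
        return this.checker.isForwardCheckingSupported();
    }

    /** Forwards to the delegate. */
    @Override
    public Set<String> getSupportedExtensions() {
        return this.checker.getSupportedExtensions();
    }

    /**
     * Runs the delegate's revocation check for one certificate and applies the configured policy
     * to a failure.
     *
     * @param certificate the certificate to check
     * @param collection the unresolved critical extensions, passed through to the delegate
     * @throws CertPathValidatorException if the delegate rejects the certificate and the failure is
     *     not suppressed by policy, or if any other exception occurs while initialising or running
     *     the delegate
     */
    @Override
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        try {
            // The delegate is re-initialised before every certificate.
            // NOTE(review): presumably because init(boolean) resets the delegate's state — confirm.
            initRevocationChecker();
            this.checker.check(certificate, collection);
        } catch (CertPathValidatorException e) {
            int index = e.getIndex();
            if (index < 0) {
                // No certificate is identified by the failure; never suppress it.
                throw e;
            }

            CertPathValidatorException.Reason reason = e.getReason();
            if (reason == CertPathValidatorException.BasicReason.REVOKED) {
                if (this.validationChecks.contains(ValidationCheck.REVOCATION)) {
                    throw e;
                }
                // The certificate is resolved only here, where it is needed for the log line, so
                // that a failure to resolve it cannot replace a validation error that must
                // propagate unchanged.
                X509Certificate x509Certificate = (X509Certificate) e.getCertPath().getCertificates().get(index);
                // This warning is the only trace that a revoked certificate was accepted.
                LOGGER.warn("check suppressed: certificate failed revocation check: {}", x509Certificate.getSubjectX500Principal().getName());
            } else {
                if (reason == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                    // The options live on the delegate; this wrapper's own option set is never
                    // populated, so asserting on getOptions() of the wrapper would always pass.
                    assert !this.checker.getOptions().contains(PKIXRevocationChecker.Option.SOFT_FAIL);
                    assert this.validationChecks.contains(ValidationCheck.REVOCATION_LISTS);
                }
                throw e;
            }
        } catch (Exception e2) {
            // Fail closed: reflection failures and any unexpected exception from the delegate are
            // reported as a validation failure. The message says "initialization" in both cases.
            throw new CertPathValidatorException("revocation checker initialization failed", e2);
        }
    }
}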
