package org.cesecore.util.provider;

import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.x509.Extension;
import org.cesecore.util.CertTools;

/* loaded from: input_file:org/cesecore/util/provider/EkuPKIXCertPathChecker.class */
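/**
 * PKIX path checker that resolves the Extended Key Usage (EKU) extension of leaf certificates
 * against a fixed list of required key purpose OIDs.
 *
 * <p>Security-relevant behaviour: this checker never throws when a required EKU is missing. Its
 * only enforcement mechanism is to leave the EKU OID in the set of unresolved critical extensions
 * handed to {@link #check(Certificate, Collection)}, which a PKIX validator treats as a validation
 * failure. The enforcement therefore only applies to certificates whose EKU extension is marked
 * critical. A certificate with a non-critical EKU extension, or with no EKU extension at all,
 * is not rejected by this class even when required key purposes are absent. Callers that need
 * EKU enforcement regardless of criticality must add their own check.
 *
 * <p>The list of required OIDs is copied at construction time and is immutable afterwards, so the
 * policy cannot be changed through the array or list that was passed in.
 */
public class EkuPKIXCertPathChecker extends PKIXCertPathChecker {
    private static final Logger log = Logger.getLogger(EkuPKIXCertPathChecker.class);
    /** Shared immutable empty list, used for "no required OIDs" and "no EKUs in certificate". */
    private static final List<String> EMPTY = Collections.emptyList();
    /** Immutable snapshot of the key purpose OIDs a leaf certificate must carry. */
    private final List<String> requiredKeyPurposeOids;

    /**
     * Creates a checker that requires the given key purpose OIDs.
     *
     * @param strArr required EKU OIDs in dotted-decimal form; {@code null} means none are required
     */
    public EkuPKIXCertPathChecker(String... strArr) {
        this.requiredKeyPurposeOids = strArr == null ? EMPTY : snapshot(Arrays.asList(strArr));
    }

    /**
     * Creates a checker that requires the given key purpose OIDs.
     *
     * @param list required EKU OIDs in dotted-decimal form; {@code null} means none are required
     */
    public EkuPKIXCertPathChecker(List<String> list) {
        this.requiredKeyPurposeOids = list == null ? EMPTY : snapshot(list);
    }

    /** Returns an unmodifiable copy so later changes to the caller's list cannot alter the policy. */
    private static List<String> snapshot(List<String> oids) {
        return Collections.unmodifiableList(new ArrayList<String>(oids));
    }

    /**
     * Marks the EKU extension as resolved when the certificate carries every required key purpose.
     *
     * <p>Certificates for which {@code CertTools.isCA} returns true and certificates that are not
     * {@link X509Certificate} instances are skipped without any check. When one or more required
     * OIDs are missing, the method logs the missing OIDs and returns normally; the EKU OID is then
     * left in {@code collection}, and rejection is up to the validator that owns that set.
     *
     * @param certificate the certificate to inspect
     * @param collection the validator's set of unresolved critical extension OIDs; must not be
     *     {@code null}, since the success path calls {@code remove} on it
     * @throws CertPathValidatorException if the EKU extension cannot be parsed
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        if (CertTools.isCA(certificate) || !(certificate instanceof X509Certificate)) {
            return;
        }
        try {
            // getExtendedKeyUsage() returns null when the certificate has no EKU extension.
            List<String> extendedKeyUsage = ((X509Certificate) certificate).getExtendedKeyUsage();
            if (extendedKeyUsage == null) {
                extendedKeyUsage = EMPTY;
            }
            if (extendedKeyUsage.containsAll(this.requiredKeyPurposeOids)) {
                // Every required purpose is present: tell the validator the extension was handled.
                collection.remove(Extension.extendedKeyUsage.getId());
                return;
            }
            // NOTE(review): no exception is thrown here. If the EKU extension is absent or not
            // critical, its OID is not in the unresolved set and nothing downstream rejects the
            // certificate because of the missing purposes.
            final List<String> missingOids = new ArrayList<String>(this.requiredKeyPurposeOids);
            missingOids.removeAll(extendedKeyUsage);
            if (log.isDebugEnabled()) {
                log.debug("EKUs in certificate: " + Arrays.toString(extendedKeyUsage.toArray()) + " EKUs required: " + Arrays.toString(this.requiredKeyPurposeOids.toArray()));
            }
            log.info("Validation of certificate with subject " + CertTools.getSubjectDN(certificate) + " failed critical EKU validation. The missing EKUs were: " + Arrays.toString(missingOids.toArray()));
        } catch (CertificateParsingException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Reports the single extension this checker is able to process.
     *
     * @return a singleton set holding the EKU extension OID
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return Collections.singleton(Extension.extendedKeyUsage.getId());
    }

    /**
     * Does nothing: the checker keeps no per-path state, so there is nothing to reset.
     *
     * @param z the forward-checking flag supplied by the validator; ignored
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
    }

    /**
     * Declares that certificates may be presented in forward order.
     *
     * @return always {@code true}
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return true;
    }
}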
