package org.cesecore.keybind.impl;

import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.cesecore.util.CertTools;
import org.cesecore.util.provider.EkuPKIXCertPathChecker;

/* loaded from: input_file:org/cesecore/keybind/impl/ClientX509TrustManager.class */
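/**
 * {@link X509TrustManager} that decides trust by handing the peer's leaf certificate and a
 * configured set of trusted certificate chains to
 * {@code CertTools.verifyWithTrustedCertificates}.
 *
 * <p>Only the first element of the presented chain is verified. The remaining presented
 * certificates and the {@code authType} argument are not consulted, so the configured chains
 * presumably have to contain everything the verifier needs to build a path.
 *
 * <p>NOTE(review): the result for a {@code null} or empty set of trusted chains is decided
 * entirely by {@code CertTools.verifyWithTrustedCertificates}, which is not visible here.
 * Confirm that it fails closed before constructing this manager without any chains.
 */
public class ClientX509TrustManager implements X509TrustManager {
    // Copy of the outer collection only; the inner chains are still the caller's objects.
    private final Collection<Collection<Certificate>> trustedCertificatesChains;

    /**
     * Creates a trust manager backed by the given trusted chains.
     *
     * @param collection trusted certificate chains, or {@code null} for none. The outer
     *     collection is copied; each inner chain is stored by reference, so later changes a
     *     caller makes to an inner chain remain visible to this manager.
     */
    public ClientX509TrustManager(Collection<Collection<Certificate>> collection) {
        this.trustedCertificatesChains =
                (collection == null) ? null : new ArrayList<Collection<Certificate>>(collection);
    }

    /**
     * Verifies a client's leaf certificate against the trusted chains, passing an
     * {@code EkuPKIXCertPathChecker} built from the {@code id_kp_clientAuth} OID.
     *
     * @param x509CertificateArr chain presented by the peer, leaf certificate first
     * @param str key exchange / authentication type; not used by this implementation
     * @throws CertificateException if the leaf certificate does not verify
     * @throws IllegalArgumentException if the chain is {@code null}, empty, or has a
     *     {@code null} leaf, as the {@link X509TrustManager} contract specifies
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkLeafTrusted(x509CertificateArr, KeyPurposeId.id_kp_clientAuth.getId());
    }

    /**
     * Verifies a server's leaf certificate against the trusted chains, passing an
     * {@code EkuPKIXCertPathChecker} built from the {@code id_kp_serverAuth} OID.
     *
     * @param x509CertificateArr chain presented by the peer, leaf certificate first
     * @param str key exchange / authentication type; not used by this implementation
     * @throws CertificateException if the leaf certificate does not verify
     * @throws IllegalArgumentException if the chain is {@code null}, empty, or has a
     *     {@code null} leaf, as the {@link X509TrustManager} contract specifies
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkLeafTrusted(x509CertificateArr, KeyPurposeId.id_kp_serverAuth.getId());
    }

    /**
     * Returns one certificate per trusted chain: the chain's first certificate when
     * {@code CertTools.isCA} accepts it, otherwise the chain's second certificate.
     *
     * <p>Chains that are {@code null}, empty, too short to supply that certificate, or that
     * hold a non-X.509 certificate in that position are skipped rather than aborting the call.
     *
     * @return the selected certificates; an empty array when no chains are configured
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        if (this.trustedCertificatesChains == null) {
            return new X509Certificate[0];
        }
        Collection<X509Certificate> issuers = new ArrayList<X509Certificate>();
        for (Collection<Certificate> chain : this.trustedCertificatesChains) {
            if (chain == null) {
                continue;
            }
            Iterator<Certificate> certificates = chain.iterator();
            if (!certificates.hasNext()) {
                continue;
            }
            Certificate first = certificates.next();
            if (!(first instanceof X509Certificate)) {
                continue;
            }
            X509Certificate firstX509 = (X509Certificate) first;
            if (CertTools.isCA(firstX509)) {
                issuers.add(firstX509);
                continue;
            }
            // The first entry is not a CA certificate, so the next entry is reported instead.
            // A chain holding only that one certificate has nothing to report.
            if (!certificates.hasNext()) {
                continue;
            }
            Certificate second = certificates.next();
            if (second instanceof X509Certificate) {
                issuers.add((X509Certificate) second);
            }
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    /**
     * Shared implementation of the two trust checks.
     *
     * @param presentedChain chain presented by the peer, leaf certificate first
     * @param requiredEkuOid OID string handed to {@code EkuPKIXCertPathChecker}
     * @throws CertificateException if verification of the leaf certificate fails
     */
    private void checkLeafTrusted(X509Certificate[] presentedChain, String requiredEkuOid) throws CertificateException {
        // Reject a missing chain explicitly instead of failing on the array access below.
        if (presentedChain == null || presentedChain.length == 0 || presentedChain[0] == null) {
            throw new IllegalArgumentException("Certificate chain must contain at least one certificate.");
        }
        X509Certificate leaf = presentedChain[0];
        if (CertTools.verifyWithTrustedCertificates(leaf, this.trustedCertificatesChains, new EkuPKIXCertPathChecker(requiredEkuOid))) {
            return;
        }
        throw new CertificateException("Certificate with SubjectDN '" + CertTools.getSubjectDN(leaf) + "', IssuerDN '" + CertTools.getIssuerDN(leaf) + "' and serialnumber '" + CertTools.getSerialNumberAsString(leaf) + "' is NOT trusted.");
    }
}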
