package org.cesecore.keybind.impl;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.cesecore.util.CertTools;
import org.cesecore.util.provider.EkuPKIXCertPathChecker;

/* loaded from: input_file:org/cesecore/keybind/impl/ClientX509TrustManager.class */
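/**
 * Trust manager that accepts a TLS peer only if its leaf certificate verifies against an explicitly
 * configured list of trusted certificate chains and carries the matching extended key usage.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only the first certificate of the presented array is handed to
 *       {@code CertTools.verifyWithTrustedCertificates}; the remaining presented certificates are
 *       not passed to it from here.</li>
 *   <li>The {@code authType} argument is not consulted.</li>
 *   <li>This is a plain {@link X509TrustManager}: its methods never receive the peer host name, so
 *       endpoint identification has to be enforced by the connection configuration, not by this
 *       class.</li>
 *   <li>NOTE(review): how a {@code null} or empty trust list is treated is decided inside
 *       {@code CertTools.verifyWithTrustedCertificates}, which is not visible here. Confirm that it
 *       rejects rather than accepts.</li>
 * </ul>
 */
public class ClientX509TrustManager implements X509TrustManager {
    /** Trusted chains, or {@code null} when the constructor was given {@code null}. */
    private final List<Collection<X509Certificate>> trustedCertificatesChains;

    /**
     * Chain presented by the most recent server handshake. It is stored BEFORE verification, so it
     * may hold a chain that was subsequently rejected.
     */
    private List<X509Certificate> encounteredServerCertificateChain = null;

    /**
     * @param list trusted certificate chains; may be {@code null}. The outer list is copied, the
     *     inner collections are shared with the caller (shallow copy).
     */
    public ClientX509TrustManager(List<Collection<X509Certificate>> list) {
        // Typed copy instead of the raw ArrayList the original used.
        this.trustedCertificatesChains = (list == null) ? null : new ArrayList<>(list);
    }

    /**
     * Checks that the presented client leaf certificate is trusted and allows client authentication.
     *
     * @param x509CertificateArr presented chain, leaf first
     * @param str authentication type (unused)
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if the leaf certificate is not trusted
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        final X509Certificate leaf = requireLeaf(x509CertificateArr);
        if (!CertTools.verifyWithTrustedCertificates(leaf, this.trustedCertificatesChains,
                new EkuPKIXCertPathChecker(KeyPurposeId.id_kp_clientAuth.getId()))) {
            throw notTrusted("Client", leaf);
        }
    }

    /**
     * Checks that the presented server leaf certificate is trusted and allows server authentication.
     * The presented chain is recorded before verification and stays recorded when this method
     * throws.
     *
     * @param x509CertificateArr presented chain, leaf first
     * @param str authentication type (unused)
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if the leaf certificate is not trusted
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        final X509Certificate leaf = requireLeaf(x509CertificateArr);
        this.encounteredServerCertificateChain = new ArrayList<>(Arrays.asList(x509CertificateArr));
        if (!CertTools.verifyWithTrustedCertificates(leaf, this.trustedCertificatesChains,
                new EkuPKIXCertPathChecker(KeyPurposeId.id_kp_serverAuth.getId()))) {
            throw notTrusted("Server", leaf);
        }
    }

    /**
     * Returns one issuer per configured chain: the first certificate when it is a CA certificate,
     * otherwise the certificate that follows it.
     *
     * @return the accepted issuers; empty when no trust list was configured
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        if (this.trustedCertificatesChains == null) {
            return new X509Certificate[0];
        }
        final List<X509Certificate> issuers = new ArrayList<>();
        for (final Collection<X509Certificate> chain : this.trustedCertificatesChains) {
            if (chain == null) {
                continue;
            }
            final Iterator<X509Certificate> certs = chain.iterator();
            if (!certs.hasNext()) {
                // An empty chain used to raise NoSuchElementException; it names no issuer.
                continue;
            }
            final X509Certificate first = certs.next();
            if (CertTools.isCA(first)) {
                issuers.add(first);
            } else if (certs.hasNext()) {
                issuers.add(certs.next());
            }
            // A lone non-CA certificate has no issuer in the chain, so nothing is advertised for it.
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    /**
     * Returns the chain recorded by the last {@link #checkServerTrusted} call, or {@code null} if
     * none was seen. The chain is NOT guaranteed to have passed verification, and the returned list
     * is the internal instance, not a copy.
     */
    public List<X509Certificate> getEncounteredServerCertificateChain() {
        return this.encounteredServerCertificateChain;
    }

    /** Returns the leaf certificate, rejecting a null or empty chain as the interface requires. */
    private static X509Certificate requireLeaf(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain is null or empty.");
        }
        return chain[0];
    }

    /** Builds the rejection exception; message text is identical to the original per-role text. */
    private static CertificateException notTrusted(String role, X509Certificate cert) {
        return new CertificateException(role + " certificate with SubjectDN '" + CertTools.getSubjectDN(cert)
                + "', IssuerDN '" + CertTools.getIssuerDN(cert) + "' and serialnumber '"
                + CertTools.getSerialNumberAsString(cert) + "' is NOT trusted.");
    }
}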
