package org.apache.tsik.verifier;

import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.tsik.common.Logger;
import org.apache.tsik.common.LoggerFactory;

/* loaded from: input_file:org/apache/tsik/verifier/X509TrustVerifier.class */
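/**
 * Trust verifier backed by an in-memory set of trusted certificates.
 *
 * <p>The trusted set is seeded from a collection or a {@link KeyStore} and grows over time:
 * every certificate that chain verification accepts is added to it (see
 * {@link #verifyTrust(X509Certificate[])}). Entries are never removed.
 *
 * <p>Security notes for reviewers and integrators:
 * <ul>
 *   <li>The checks performed on a chain are limited to what {@code checkX509Certificate}
 *       does: validity period, certificate version, and the basic-constraints path length,
 *       plus signature verification against the issuer key. No revocation (CRL/OCSP),
 *       key-usage, name-constraint or critical-extension checks are made here. Callers that
 *       need them must layer them on top, e.g. via the JDK PKIX {@code CertPathValidator}.</li>
 *   <li>Because accepted certificates are cached as trusted, a leaf certificate that has
 *       passed chain verification once also makes its public key pass
 *       {@link #verifyTrust(PublicKey)} for the lifetime of this instance.</li>
 *   <li>When loading from a {@link KeyStore}, every alias is consulted, so the store should
 *       contain only the intended trust anchors.</li>
 * </ul>
 *
 * <p>This source is decompiler output; synthetic members the compiler generated for the
 * class literal have been replaced with the plain {@code X509TrustVerifier.class} literal.
 */
public class X509TrustVerifier implements TrustVerifier {
    private static final Logger log = LoggerFactory.getLogger(X509TrustVerifier.class);

    /** Every certificate currently treated as trusted (seeded anchors plus cached chain members). */
    private Set<Certificate> certs;
    /** Trusted certificates indexed by the encoded form of their public key. */
    private Map<EncodedKey, Certificate> certsByEncodedKey;
    /** Trusted X.509 certificates indexed by subject DN; a later entry with the same DN replaces the earlier one. */
    private Map<java.security.Principal, X509Certificate> certsBySubjectDN;

    /**
     * Map key wrapping a key's encoded bytes so that keys compare by value.
     *
     * <p>The decompiler reports that this class was originally private; it is left public
     * here to match the decompiled declaration.
     */
    public class EncodedKey {
        final byte[] encodedForm;
        final int hashCode;

        /**
         * @param x509TrustVerifier enclosing instance as passed by the decompiled call sites; unused
         * @param key key whose encoded form is captured
         * @throws IllegalArgumentException if the key has no encoded form
         */
        EncodedKey(X509TrustVerifier x509TrustVerifier, Key key) {
            this.encodedForm = key.getEncoded();
            if (this.encodedForm == null) {
                throw new IllegalArgumentException("encodedForm is null");
            }
            // Computed once, up front, from a local accumulator. The decompiled version
            // accumulated directly into the field under a lazily taken lock, so a second
            // thread reading the field without the lock could observe a partial hash.
            int h = 0;
            for (int i = 0; i < this.encodedForm.length; i++) {
                h = (31 * h) + (this.encodedForm[i] & 255);
            }
            // The original reserved 0 as "not yet computed" and mapped a zero hash to -1; kept for
            // identical hash values.
            this.hashCode = (h == 0) ? -1 : h;
        }

        @Override
        public int hashCode() {
            return this.hashCode;
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof EncodedKey)) {
                return false;
            }
            return java.util.Arrays.equals(this.encodedForm, ((EncodedKey) obj).encodedForm);
        }
    }

    private X509TrustVerifier() {
        this.certs = new HashSet<Certificate>();
        this.certsByEncodedKey = new HashMap<EncodedKey, Certificate>();
        this.certsBySubjectDN = new HashMap<java.security.Principal, X509Certificate>();
    }

    /**
     * Creates a verifier that trusts the given certificates.
     *
     * @param collection certificates to trust; each element must be a {@link Certificate}
     * @throws GeneralSecurityException if an X.509 certificate is outside its validity period
     * @throws NullPointerException if an element is {@code null}
     */
    public X509TrustVerifier(Collection collection) throws GeneralSecurityException {
        this();
        Iterator it = collection.iterator();
        while (it.hasNext()) {
            addCert((Certificate) it.next());
        }
    }

    /**
     * Creates a verifier that trusts the certificate found under every alias of the key store.
     *
     * <p>Aliases for which the store returns no certificate are skipped. The decompiled
     * version passed the {@code null} on and failed with a {@link NullPointerException}.
     * No distinction is made between kinds of entries, so whatever certificate
     * {@link KeyStore#getCertificate(String)} yields for an alias becomes trusted.
     *
     * @param keyStore loaded key store holding the trust anchors
     * @throws GeneralSecurityException if an X.509 certificate is outside its validity period
     * @throws KeyStoreException if the key store has not been initialised
     */
    public X509TrustVerifier(KeyStore keyStore) throws GeneralSecurityException, KeyStoreException {
        this();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                log.debug("no certificate for alias: " + alias);
                continue;
            }
            addCert(certificate);
        }
    }

    /**
     * Always fails: this verifier cannot establish trust without a key or a chain.
     *
     * @throws TrustVerificationException always
     */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust() throws TrustVerificationException {
        throw new TrustVerificationException();
    }

    /**
     * Checks that the public key belongs to a certificate in the trusted set.
     *
     * <p>This is a lookup only: the validity period of the matching certificate is not
     * re-checked here, so a key stays accepted after its certificate expires.
     *
     * @param publicKey key to look up
     * @throws TrustVerificationException if the key is {@code null} or not in the trusted set
     * @throws IllegalArgumentException if the key has no encoded form
     */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public synchronized void verifyTrust(PublicKey publicKey) throws TrustVerificationException {
        // Fail closed with the declared exception instead of a NullPointerException.
        if (publicKey == null
                || !this.certsByEncodedKey.containsKey(new EncodedKey(this, publicKey))) {
            throw new TrustVerificationException("Public key is not in the set of trusted certificates");
        }
    }

    /**
     * Same check as {@link #verifyTrust(PublicKey)}; the string argument is ignored.
     *
     * @param publicKey key to look up
     * @param str not used by this implementation
     * @throws TrustVerificationException if the key is not in the trusted set
     */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust(PublicKey publicKey, String str) throws TrustVerificationException {
        verifyTrust(publicKey);
    }

    /**
     * Verifies a certificate chain, element 0 being the certificate to be trusted and each
     * following element the presumed issuer of the one before it.
     *
     * <p>On success every chain member that was verified is added to the trusted set.
     *
     * @param x509CertificateArr chain to verify
     * @throws TrustVerificationException if the chain is {@code null}, empty, contains a
     *     {@code null} entry, or cannot be connected to a trusted certificate
     */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public synchronized void verifyTrust(X509Certificate[] x509CertificateArr) throws TrustVerificationException {
        // An empty chain previously escaped as ArrayIndexOutOfBoundsException while the
        // failure message was being built; reject it explicitly.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new TrustVerificationException("Certificate chain is empty");
        }
        try {
            verifyTrust(x509CertificateArr, 0);
        } catch (TrustVerificationException e) {
            throw e;
        } catch (GeneralSecurityException e2) {
            throw new TrustVerificationException(e2);
        }
    }

    /**
     * Adds a certificate to the trusted set and its indexes.
     *
     * @throws GeneralSecurityException if an X.509 certificate is outside its validity period
     * @throws NullPointerException if {@code certificate} is {@code null}
     */
    private void addCert(Certificate certificate) throws GeneralSecurityException {
        if (certificate == null) {
            throw new NullPointerException("certificate");
        }
        X509Certificate x509Certificate = null;
        if (certificate instanceof X509Certificate) {
            x509Certificate = (X509Certificate) certificate;
            x509Certificate.checkValidity();
        }
        // Build the key before touching any collection so a failure cannot leave the
        // certificate in the set but missing from the key index.
        EncodedKey encodedKey = new EncodedKey(this, certificate.getPublicKey());
        this.certs.add(certificate);
        this.certsByEncodedKey.put(encodedKey, certificate);
        if (x509Certificate != null) {
            this.certsBySubjectDN.put(x509Certificate.getSubjectDN(), x509Certificate);
        }
    }

    /**
     * Verifies the chain from position {@code i} upwards.
     *
     * <p>A certificate is accepted when it is already trusted, when the rest of the chain
     * verifies and the next element's key verifies its signature, or, failing that, when a
     * trusted X.509 certificate whose subject DN equals its issuer DN verifies its signature.
     * The caller guarantees a non-empty array.
     */
    private void verifyTrust(Certificate[] certificateArr, int i) throws GeneralSecurityException {
        if (i >= certificateArr.length) {
            log.info("depth exceeded");
            // The only entry point passes an X509Certificate[], so the cast holds for that caller.
            throw new TrustVerificationException("Certificate chain does not connect to a trusted authority. DN=" + ((X509Certificate) certificateArr[0]).getSubjectDN());
        }
        Certificate certificate = certificateArr[i];
        if (certificate == null) {
            // Previously surfaced later as a NullPointerException from verify().
            throw new TrustVerificationException("Certificate chain contains a null entry at position " + i);
        }
        X509Certificate x509Certificate = null;
        if (certificate instanceof X509Certificate) {
            x509Certificate = (X509Certificate) certificate;
        }
        log.debug("checking cert: " + certificate);
        if (x509Certificate != null) {
            // Runs before the trusted-set lookup, so cached entries are still checked for expiry.
            checkX509Certificate(x509Certificate, i);
        }
        if (this.certs.contains(certificate)) {
            log.debug("known trusted");
            return;
        }
        try {
            log.debug("recursing");
            verifyTrust(certificateArr, i + 1);
            certificate.verify(certificateArr[i + 1].getPublicKey());
            // NOTE(review): caches the verified certificate as trusted for the lifetime of
            // this instance; there is no eviction and no revocation check on later hits.
            addCert(certificate);
        } catch (GeneralSecurityException e) {
            log.debug("recursion failed");
            GeneralSecurityException generalSecurityException = e;
            if (x509Certificate != null) {
                try {
                    log.debug("trying X.509 chaining");
                    X509Certificate x509Certificate2 = this.certsBySubjectDN.get(x509Certificate.getIssuerDN());
                    if (x509Certificate2 != null) {
                        // The DN match only selects a candidate; the signature check below
                        // is what actually binds the certificate to that issuer.
                        checkX509Certificate(x509Certificate2, i + 1);
                        certificate.verify(x509Certificate2.getPublicKey());
                        log.debug("X.509 match succeeded");
                        addCert(certificate);
                        return;
                    }
                } catch (GeneralSecurityException e2) {
                    generalSecurityException = e2;
                }
            }
            log.debug("giving up");
            throw generalSecurityException;
        }
    }

    /**
     * Checks one X.509 certificate at chain position {@code i} (0 is the end entity).
     *
     * <p>All positions: the certificate must be within its validity period. Positions above
     * 0 act as issuers: a pre-v3 certificate is accepted only if its subject and issuer DNs
     * are equal, and a v3 certificate must have a basic-constraints path length of at least
     * {@code i - 1}. {@code getBasicConstraints()} returns -1 for a non-CA certificate, so
     * such a certificate is rejected at any issuer position.
     */
    private void checkX509Certificate(X509Certificate x509Certificate, int i) throws GeneralSecurityException, TrustVerificationException {
        x509Certificate.checkValidity();
        if (i <= 0) {
            return;
        }
        if (x509Certificate.getVersion() < 3) {
            if (!x509Certificate.getSubjectDN().equals(x509Certificate.getIssuerDN())) {
                throw new TrustVerificationException("Intermediate CA requires v3 certificate, found v" + x509Certificate.getVersion() + " certificate for CA " + i + " [" + x509Certificate.getSubjectDN().getName() + "]");
            }
        } else if (x509Certificate.getBasicConstraints() < i - 1) {
            throw new TrustVerificationException("Certificate chain length constraint violated: CA " + i + " [" + x509Certificate.getSubjectDN().getName() + "] limits path length to " + x509Certificate.getBasicConstraints() + " subordinate intermediate CAs");
        }
    }
}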
