package eu.cec.digit.ecas.util.httpclient.protocol;

import eu.cec.digit.ecas.client.logging.Logger;
import eu.cec.digit.ecas.client.resolver.logging.LoggerFactory;
import eu.cec.digit.ecas.util.Line;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;

/* loaded from: input_file:eu/cec/digit/ecas/util/httpclient/protocol/EmbeddedTrustManager.class */
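/**
 * Trust manager used by the ECAS HTTP client for its outbound TLS connections.
 *
 * Decision order in {@link #checkServerTrusted(X509Certificate[], String)}:
 * <ol>
 *   <li>the standard "SunX509" trust managers built from {@code keyStore} (the regular truststore);</li>
 *   <li>only if all of those reject the chain, a PKIX path validation against the CA certificates
 *       embedded in {@code keyStore2} plus the caller-supplied {@code list} of extra certificates.</li>
 * </ol>
 * Client certificates ({@link #checkClientTrusted(X509Certificate[], String)}) are checked by the
 * standard trust managers only; the embedded issuers are never consulted for them.
 *
 * Security notes a deployer should be aware of:
 * <ul>
 *   <li>Revocation checking (CRL/OCSP) is explicitly disabled for the embedded anchors (see the
 *       constructor), so a revoked certificate issued by an embedded CA is still accepted.</li>
 *   <li>The embedded PKIX validation does not look at {@code authType} and sets no target
 *       constraints, so the leaf's key usage / extended key usage is not verified on that path.
 *       NOTE(review): confirm the embedded CAs only issue server certificates, or add an EKU check.</li>
 *   <li>Every certificate in {@code keyStore2} that carries a basicConstraints extension
 *       ({@code getBasicConstraints() != -1}), including intermediates, is promoted to a trust anchor.</li>
 *   <li>Hostname verification is not a trust manager's job; the caller must still perform it.</li>
 * </ul>
 */
final class EmbeddedTrustManager implements X509TrustManager {
    private static final Logger LOG = LoggerFactory.getInstance().getLogger(EmbeddedTrustManager.class);
    /** Trust managers from the regular truststore; consulted first, in order, for client and server chains. */
    private final X509TrustManager[] standardTrustManagers;
    /** Issuers trusted through the embedded path (unmodifiable; see {@link #initEcasTrust}). */
    private final Set<X509Certificate> defaultEcasTrustedIssuers;
    /** Template parameters for the embedded PKIX validation; copied per validation because PKIXParameters is mutable. */
    private final PKIXParameters pkixParameters;
    private final CertificateFactory certificateFactory;

    /**
     * Builds the combined trust manager.
     *
     * @param keyStore  truststore backing the standard trust managers (passed to {@code TrustManagerFactory.init})
     * @param keyStore2 keystore whose CA certificates become the embedded trust anchors
     * @param list      additional certificates to trust as anchors; may be {@code null}, {@code null} elements are skipped
     * @throws NoSuchAlgorithmException           if the "SunX509" factory, the "X.509" certificate factory, or an
     *                                            X509TrustManager is not available in this JVM
     * @throws KeyStoreException                  if either keystore cannot be read
     * @throws CertificateException               if the certificate factory cannot be created
     * @throws InvalidAlgorithmParameterException if no embedded trust anchor at all could be collected
     *                                            (PKIXParameters rejects an empty anchor set — this fails closed)
     */
    public EmbeddedTrustManager(KeyStore keyStore, KeyStore keyStore2, List<X509Certificate> list) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, InvalidAlgorithmParameterException {
        // "SunX509" is hard-coded, so non-Sun JSSE providers that only register "PKIX" (or their own
        // name) end up in the NoSuchAlgorithmException below.
        // NOTE(review): the SunX509 factory is generally understood to run a simpler validator than a
        // "PKIX" factory (fewer extension checks) — confirm this choice is intentional.
        TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
        factory.init(keyStore);
        TrustManager[] managers = factory.getTrustManagers();
        // Keep only X509TrustManagers instead of blindly casting every element.
        List<X509TrustManager> x509Managers = new java.util.ArrayList<X509TrustManager>(managers.length);
        for (TrustManager manager : managers) {
            if (manager instanceof X509TrustManager) {
                x509Managers.add((X509TrustManager) manager);
            }
        }
        if (x509Managers.isEmpty()) {
            throw new NoSuchAlgorithmException("SunX509 trust manager not supported");
        }
        this.standardTrustManagers = x509Managers.toArray(new X509TrustManager[x509Managers.size()]);

        this.defaultEcasTrustedIssuers = initEcasTrust(keyStore2, list);
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate issuer : this.defaultEcasTrustedIssuers) {
            anchors.add(new TrustAnchor(issuer, null));
        }
        this.pkixParameters = new PKIXParameters(anchors);
        // Revocation (CRL/OCSP) is deliberately switched off for the embedded path: a revoked
        // certificate chaining to one of these anchors will still validate.
        this.pkixParameters.setRevocationEnabled(false);
        if (LOG.isDebugEnabled()) {
            for (TrustAnchor anchor : this.pkixParameters.getTrustAnchors()) {
                LOG.debug("Added trust anchor from embedded keystore: " + anchor.getTrustedCert());
            }
        }
        this.certificateFactory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
    }

    /**
     * Collects the embedded issuers: every X.509 certificate in {@code keyStore} whose basicConstraints
     * extension is present (i.e. a CA certificate, root or intermediate), plus every non-null entry of
     * {@code list} (taken as-is, without the CA filter).
     *
     * Entries without a certificate (secret-key entries yield {@code null}) and non-X.509 certificates
     * are skipped; the previous version dereferenced/cast them unconditionally and could fail with a
     * NullPointerException or ClassCastException while building the trust manager.
     *
     * @return an unmodifiable set of trusted issuer certificates
     * @throws KeyStoreException if the keystore has not been initialised
     */
    private Set<X509Certificate> initEcasTrust(KeyStore keyStore, List<X509Certificate> list) throws KeyStoreException {
        boolean debug = LOG.isDebugEnabled();
        Set<X509Certificate> issuers = new HashSet<X509Certificate>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null) {
                // Trusted-certificate entries have no chain; fall back to the single certificate (may be null).
                chain = new Certificate[]{keyStore.getCertificate(alias)};
            }
            for (Certificate certificate : chain) {
                if (!(certificate instanceof X509Certificate)) {
                    // null (no certificate for this alias) or a non-X.509 certificate type
                    if (debug) {
                        LOG.debug("Ignoring keystore alias \"" + alias + "\" entry without an X.509 certificate");
                    }
                    continue;
                }
                X509Certificate x509 = (X509Certificate) certificate;
                // -1 means "no basicConstraints extension"; anything else is a CA certificate.
                if (x509.getBasicConstraints() != -1 && issuers.add(x509) && debug) {
                    LOG.debug("Trusting EuropeanCommission-related certificate \"" + x509.getSubjectX500Principal().getName() + "\" : " + x509);
                }
            }
        }
        if (list != null) {
            for (X509Certificate extra : list) {
                if (extra != null && issuers.add(extra) && debug) {
                    LOG.debug("Trusting additional custom certificate from configuration \"" + extra.getSubjectX500Principal().getName() + "\" : " + extra);
                }
            }
        }
        return Collections.unmodifiableSet(issuers);
    }

    /**
     * Accepts the client chain if any of the standard trust managers accepts it; otherwise rethrows
     * the exception raised by the first manager. The embedded issuers are not consulted here.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException firstFailure = null;
        for (X509TrustManager manager : this.standardTrustManagers) {
            try {
                manager.checkClientTrusted(chain, authType);
                return;
            } catch (CertificateException e) {
                if (firstFailure == null) {
                    firstFailure = e;
                }
            }
        }
        // standardTrustManagers is never empty (constructor guarantees at least one), so this is non-null.
        throw firstFailure;
    }

    /**
     * Accepts the server chain if a standard trust manager accepts it, or — failing that — if the
     * chain PKIX-validates against the embedded anchors (without revocation checking and without
     * consulting {@code authType}, see class documentation).
     *
     * @throws CertificateException if neither path trusts the chain; the exception from the embedded
     *                              path wins when that path was attempted, because it is the more
     *                              specific reason, and its cause is always preserved
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        boolean debug = LOG.isDebugEnabled();
        if (debug && chain != null) {
            logPresentedChain(chain);
        }
        CertificateException failure = null;
        boolean trusted = false;
        for (int i = 0; !trusted && i < this.standardTrustManagers.length; i++) {
            try {
                this.standardTrustManagers[i].checkServerTrusted(chain, authType);
                trusted = true;
            } catch (CertificateException e) {
                if (failure == null) {
                    failure = e;
                }
            }
        }
        if (debug && trusted) {
            LOG.debug("Server Certificate trusted by standard TrustManager");
        }
        // Embedded path: only for non-empty chains that the standard managers rejected.
        if (!trusted && chain != null && chain.length > 0) {
            try {
                trusted = isTrustedEcasServer(chain);
                if (debug && trusted) {
                    LOG.debug("Server Certificate trusted by ECAS-client-embedded TrustManager");
                }
            } catch (Exception e) {
                if (debug || LOG.isErrorEnabled()) {
                    LOG.error("The certificate chain received from the SSL server is not valid: " + Arrays.asList(chain) + " because: " + e.toString(), e);
                }
                // Any failure here (CertPathValidatorException, InvalidAlgorithmParameterException,
                // runtime errors, ...) is reported, with its cause kept, rather than silently replaced
                // by the less specific standard-manager rejection.
                if (e instanceof CertificateException) {
                    failure = (CertificateException) e;
                } else {
                    failure = new CertificateException(e);
                }
            }
        }
        if (debug) {
            boolean empty = chain == null || chain.length == 0;
            if (trusted) {
                LOG.debug(empty ? "An empty certificate chain is trusted" : "Server Certificate " + chain[0] + " is trusted");
            } else {
                LOG.debug(empty ? "The empty certificate chain is NOT trusted" : "Server Certificate " + chain[0] + " is NOT trusted");
            }
        }
        if (trusted) {
            return;
        }
        if (failure == null) {
            failure = new CertificateException("The server certificate chain is not trusted: " + Arrays.toString(chain));
        }
        throw failure;
    }

    /** Debug-logs the chain presented by the peer, one certificate per line. */
    private void logPresentedChain(X509Certificate[] chain) {
        StringBuilder sb = new StringBuilder();
        sb.append("ECAS Client trying to establish SSL connection with server using the following certificate chain:").append(Line.EOL);
        for (int i = 0; i < chain.length; i++) {
            sb.append("\t-X509Certificate[").append(i).append("]=").append(chain[i]).append(Line.EOL);
        }
        LOG.debug(sb.toString());
    }

    /**
     * Union of the standard managers' accepted issuers and the embedded issuers; this is what is
     * advertised to peers when client authentication is requested.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        Set<X509Certificate> issuers = new HashSet<X509Certificate>();
        for (X509TrustManager manager : this.standardTrustManagers) {
            issuers.addAll(Arrays.asList(manager.getAcceptedIssuers()));
        }
        issuers.addAll(this.defaultEcasTrustedIssuers);
        if (LOG.isDebugEnabled()) {
            LOG.debug("getAcceptedIssuers() returns " + issuers);
        }
        return issuers.toArray(new X509Certificate[issuers.size()]);
    }

    /**
     * Runs a PKIX path validation of {@code chain} against the embedded anchors, at the current time,
     * with revocation checking disabled.
     *
     * @return {@code true} when validation succeeds (failure is always signalled by an exception)
     * @throws CertPathValidatorException if the chain does not validate to an embedded anchor
     */
    private boolean isTrustedEcasServer(X509Certificate[] chain) throws CertificateException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, CertPathValidatorException {
        java.security.cert.CertPath path = this.certificateFactory.generateCertPath(Arrays.asList(chain));
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) newCertPathValidator().validate(path, copyPKIXParameters(this.pkixParameters));
        if (LOG.isDebugEnabled()) {
            LOG.debug("Certificate path " + Arrays.toString(chain) + " is trusted and validated by CA \"" + result.getTrustAnchor().getTrustedCert() + "\"");
        }
        return true;
    }

    /**
     * Fresh, per-validation copy of the template: PKIXParameters is mutable and the validation date
     * must be "now" for each call, so the shared instance is never touched or shared across threads.
     */
    private PKIXParameters copyPKIXParameters(PKIXParameters template) throws InvalidAlgorithmParameterException {
        PKIXParameters copy = new PKIXParameters(template.getTrustAnchors());
        copy.setRevocationEnabled(template.isRevocationEnabled());
        copy.setDate(new Date());
        return copy;
    }

    /** A new validator per call; CertPathValidator instances are not shared between threads here. */
    private CertPathValidator newCertPathValidator() throws NoSuchAlgorithmException {
        return CertPathValidator.getInstance("PKIX");
    }
}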
