package eu.cec.digit.ecas.util.httpclient.protocol.bouncycastle;

import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsFatalAlert;
import eu.cec.digit.ecas.util.commons.lang.CommonUtils;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;

/* loaded from: input_file:eu/cec/digit/ecas/util/httpclient/protocol/bouncycastle/IdentityAndTrust.class */
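/**
 * Immutable holder for a TLS client's own identity (certificate chain plus private key) and for the
 * set of certificates it trusts, together with the two trust decisions made against a server chain:
 * direct trust ({@link #isDirectlyTrusted}) and PKIX path validation ({@link #isIssuedByTrustedCA}).
 *
 * <p>Revocation checking (CRL/OCSP) is disabled on the PKIX parameters built by the constructor, so
 * {@link #isIssuedByTrustedCA} never consults revocation data. Hostname verification is not performed
 * by this class either; both must be handled by the caller if required.
 *
 * <p>Instances are immutable once constructed: the trusted set is exposed as an unmodifiable view and
 * the identity chain is defensively copied on the way in and on the way out.
 */
final class IdentityAndTrust {
    // Unmodifiable snapshot of the certificates supplied at construction time.
    private final Set<X509Certificate> trustedCertificates;
    // Leaf first (index 0 is the local certificate); null or empty when no identity is configured.
    private final X509Certificate[] identityCertificateChain;
    private final PrivateKey identityPrivateKey;
    // Trust anchors built from trustedCertificates with revocation disabled; copied per validation
    // because PKIXParameters is mutable and CertPathValidator receives it.
    private final PKIXParameters pkixParameters;
    private final CertificateFactory certificateFactory;

    /**
     * Creates the identity/trust holder.
     *
     * @param collection the trusted certificates; each becomes a PKIX trust anchor. Must not be null
     *     and must not be empty, since PKIX requires at least one anchor.
     * @param x509CertificateArr the client's own certificate chain, leaf first; must be null/empty
     *     exactly when {@code privateKey} is null
     * @param privateKey the private key belonging to the leaf of {@code x509CertificateArr}
     * @throws IllegalArgumentException if only one of the identity chain and the private key is given
     * @throws SecurityException if the PKIX parameters (e.g. empty anchor set) or the X.509
     *     {@link CertificateFactory} cannot be created; wraps the underlying
     *     {@link GeneralSecurityException}
     */
    public IdentityAndTrust(Collection<X509Certificate> collection, X509Certificate[] x509CertificateArr, PrivateKey privateKey) {
        CommonUtils.checkNotNull(collection, "trustedCertificates");
        boolean hasPrivateKey = null != privateKey;
        boolean hasChain = null != x509CertificateArr && x509CertificateArr.length > 0;
        // The identity is all-or-nothing: a key without a chain (or vice versa) is unusable.
        if (hasPrivateKey != hasChain) {
            throw new IllegalArgumentException("identityCertificateChain and identityPrivateKey must be both null or both non-null and non-empty");
        }
        try {
            Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
            for (X509Certificate trusted : collection) {
                anchors.add(new TrustAnchor(trusted, null));
            }
            PKIXParameters parameters = new PKIXParameters(anchors);
            // Deliberate: no CRL/OCSP lookups during path validation.
            parameters.setRevocationEnabled(false);
            this.pkixParameters = parameters;
            this.certificateFactory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
            this.trustedCertificates = Collections.unmodifiableSet(new HashSet<X509Certificate>(collection));
            // Defensive copy so that later mutation of the caller's array cannot change our identity.
            this.identityCertificateChain = null == x509CertificateArr ? null : x509CertificateArr.clone();
            this.identityPrivateKey = privateKey;
        } catch (GeneralSecurityException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Returns a fresh {@link PKIXParameters} carrying the same trust anchors and revocation setting as
     * {@code pKIXParameters}, with the validation date pinned to "now". A copy is made for every
     * validation so that the shared instance is never handed to a {@link CertPathValidator}.
     *
     * @param pKIXParameters the parameters to copy
     * @return a new, independent parameter object
     * @throws InvalidAlgorithmParameterException if the anchor set is empty
     */
    private PKIXParameters copyPKIXParameters(PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        PKIXParameters copy = new PKIXParameters(pKIXParameters.getTrustAnchors());
        copy.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
        copy.setDate(new Date());
        return copy;
    }

    /**
     * Returns a copy of the client's certificate chain, leaf first.
     *
     * @return a clone of the chain, or null when no identity is configured (null or empty chain)
     */
    public X509Certificate[] getIdentityCertificateChain() {
        if (null == this.identityCertificateChain || this.identityCertificateChain.length == 0) {
            return null;
        }
        return this.identityCertificateChain.clone();
    }

    /**
     * Returns the client's private key.
     *
     * @return the private key, or null when no identity is configured
     */
    public PrivateKey getIdentityPrivateKey() {
        return this.identityPrivateKey;
    }

    /**
     * Returns the client's own (leaf) certificate, i.e. element 0 of the identity chain.
     *
     * @return the leaf certificate, or null when no identity is configured
     */
    X509Certificate getLocalCertificate() {
        if (null == this.identityCertificateChain || this.identityCertificateChain.length == 0) {
            return null;
        }
        return this.identityCertificateChain[0];
    }

    /**
     * Returns the configured trusted certificates.
     *
     * @return an unmodifiable set; never null
     */
    Set<X509Certificate> getTrustedCertificates() {
        return this.trustedCertificates;
    }

    /**
     * Decides whether the server's leaf certificate is trusted directly, without PKIX path building.
     * The leaf is trusted if either
     * <ul>
     *   <li>one of the trusted certificates has a subject equal to the leaf's issuer, the leaf is
     *       currently within its validity period, and the leaf's signature verifies under that trusted
     *       certificate's public key; or</li>
     *   <li>the leaf itself is contained in the trusted set (by {@link X509Certificate#equals}, i.e.
     *       identical DER encoding). No validity-period check is applied on this second path.</li>
     * </ul>
     *
     * <p>Only {@code x509CertificateArr[0]} is examined; any intermediates in the chain are ignored
     * here (see {@link #isIssuedByTrustedCA} for full path validation). Diagnostic output is written
     * to {@code System.out} only when JSSE debugging is enabled.
     *
     * @param x509CertificateArr the server's certificate chain, leaf first; may be null or empty
     * @return the trusted certificate that justifies the decision (the issuing trusted certificate,
     *     or the leaf itself when it is in the trusted set), or null when the leaf is not directly
     *     trusted — including when the chain is null or empty
     * @throws TlsFatalAlert declared for callers; not thrown by this implementation
     */
    public X509Certificate isDirectlyTrusted(X509Certificate[] x509CertificateArr) throws TlsFatalAlert {
        if (null == x509CertificateArr || x509CertificateArr.length == 0) {
            return null;
        }
        X509Certificate leaf = x509CertificateArr[0];
        for (X509Certificate trusted : this.trustedCertificates) {
            // Issuer-name match is only a cheap pre-filter; the signature check below is the real test.
            if (!trusted.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                continue;
            }
            try {
                leaf.checkValidity();
            } catch (CertificateExpiredException e) {
                debugIssuedBy("TLS client is not trusting expired server certificate (expired on " + leaf.getNotAfter() + "):\n", leaf, trusted);
                continue;
            } catch (CertificateNotYetValidException e) {
                debugIssuedBy("TLS client is not trusting not-yet-valid server certificate (not valid before " + leaf.getNotBefore() + "):\n", leaf, trusted);
                continue;
            }
            try {
                leaf.verify(trusted.getPublicKey());
            } catch (GeneralSecurityException e) {
                // Covers signature mismatch as well as unsupported algorithm / key problems.
                debugIssuedBy("TLS client is not trusting server certificate (the public key does not match the certificate):\n", leaf, trusted);
                continue;
            }
            debugIssuedBy("TLS client is trusting server certificate:\n", leaf, trusted);
            return trusted;
        }
        if (!this.trustedCertificates.contains(leaf)) {
            return null;
        }
        if (JsseUtil.isJsseDebugEnabled()) {
            StringBuilder sb = new StringBuilder("TLS client is trusting server certificate:\n");
            CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
            sb.append("\npresent in the configured trusted Certificates");
            System.out.println(sb.toString());
        }
        return leaf;
    }

    /**
     * Prints {@code header}, the leaf's details and the issuing trusted certificate's details to
     * {@code System.out} when JSSE debugging is enabled; does nothing otherwise.
     *
     * @param header first line of the message, already newline-terminated
     * @param leaf the server certificate under examination
     * @param issuer the trusted certificate it was compared against
     */
    private static void debugIssuedBy(String header, X509Certificate leaf, X509Certificate issuer) {
        if (!JsseUtil.isJsseDebugEnabled()) {
            return;
        }
        StringBuilder sb = new StringBuilder(header);
        CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
        sb.append("\nissued by trusted Certificate Authority: \n");
        CertificateUtil.appendCertificateDetails(issuer, sb, "\t", "\n");
        System.out.println(sb.toString());
    }

    /**
     * Validates the server's certificate chain with the PKIX algorithm against the configured trust
     * anchors, at the current time and without revocation checking.
     *
     * @param x509CertificateArr the server's certificate chain, leaf first; must not be null or empty
     * @return the trusted certificate that anchors the validated path; never null
     * @throws CertificateException if the chain is null or empty, or cannot be turned into a
     *     {@link CertPath}
     * @throws InvalidAlgorithmParameterException if the PKIX parameters cannot be copied
     * @throws NoSuchAlgorithmException if no PKIX {@link CertPathValidator} is available
     * @throws CertPathValidatorException if the chain does not validate to a trust anchor
     */
    public X509Certificate isIssuedByTrustedCA(X509Certificate[] x509CertificateArr) throws CertificateException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, CertPathValidatorException {
        if (null == x509CertificateArr || x509CertificateArr.length == 0) {
            throw new CertificateException("server certificate chain is null or empty");
        }
        CertPath certPath = this.certificateFactory.generateCertPath(Arrays.asList(x509CertificateArr));
        PKIXParameters parameters = copyPKIXParameters(this.pkixParameters);
        // PKIX validators always return a PKIXCertPathValidatorResult, so the cast is safe.
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) newCertPathValidator().validate(certPath, parameters);
        return result.getTrustAnchor().getTrustedCert();
    }

    /**
     * Obtains a new PKIX path validator from the installed providers.
     *
     * @return a fresh validator instance
     * @throws NoSuchAlgorithmException if no provider supports "PKIX"
     */
    private CertPathValidator newCertPathValidator() throws NoSuchAlgorithmException {
        return CertPathValidator.getInstance("PKIX");
    }
}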
