package cfca.sadk.tls.sun.security.validator;

import cfca.org.slf4j.Logger;
import cfca.org.slf4j.LoggerFactory;
import cfca.sadk.tls.java.security.CFCAAlgorithmConstraints;
import cfca.sadk.tls.sun.security.provider.certpath.CFCAAlgorithmChecker;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.ssl.sec.JSSEJCE;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;

/* loaded from: input_file:cfca/sadk/tls/sun/security/validator/TLSPKIXValidator.class */
/**
 * Trust-anchor based validator for TLS certificate chains (decompiled; JADX markers kept).
 *
 * <p>Two trust sources are supported: a plain collection of trusted certificates, or a caller
 * supplied {@link PKIXBuilderParameters} whose trust anchors are used. {@link #engineValidate}
 * first checks that the chain is name-ordered and whether some element of it is trusted
 * ({@link #checkOrder}), then either validates a prefix of the chain ({@link #doValidate}) or
 * "builds" a path for the leaf ({@link #doBuild}).
 *
 * <p>NOTE(review): the {@code PKIXBuilderParameters} prepared here (revocation flag, algorithm
 * checker, target constraints, collection cert store) are never handed to
 * {@code java.security.cert.CertPathValidator} or {@code CertPathBuilder} anywhere in this
 * class; the only checks visible in this file are name chaining in {@link #checkOrder} and
 * the {@code TrustAnchorHelper} lookups. Whether signatures, validity periods, revocation and
 * algorithm constraints are actually enforced depends on {@code TrustAnchorHelper} (not in
 * this file) — confirm before relying on this validator.
 *
 * <p>Not thread-safe: {@link #certPathLength} is mutated by {@link #doValidate}.
 */
public final class TLSPKIXValidator extends TLSValidator {
    private static final Logger logger = LoggerFactory.getLogger(TLSPKIXValidator.class);
    // Read once at class-init time from the "com.sun.net.ssl.checkRevocation" system property
    // (JDK-style switch); only consulted by setDefaultParameters(), i.e. the collection-based
    // constructor.
    private static final boolean checkTLSRevocation = ((Boolean) AccessController.doPrivileged((PrivilegedAction) new GetBooleanAction("com.sun.net.ssl.checkRevocation"))).booleanValue();
    // Certificates regarded as trusted; may be the very Set instance the caller passed in
    // (see buildTrustedCerts(Collection)) and is returned as-is by getTrustedCertificates().
    private final Set<X509Certificate> trustedCerts;
    // Cloned per engineValidate() call; the clone is what the helpers mutate.
    private final PKIXBuilderParameters parameterTemplate;
    // Length of the last chain handed to doValidate(); -1 until then. doBuild() does not update it.
    private int certPathLength;
    // Lookup helpers derived from trustedCerts (see initialValidator()).
    private PluginValidator plugin;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:cfca/sadk/tls/sun/security/validator/TLSPKIXValidator$PluginValidator.class */
    /**
     * Mutable holder for the lookup structures used during validation.
     */
    public static final class PluginValidator {
        // Subject DN of each trusted certificate -> the public keys seen under that subject.
        Map<X500Principal, List<PublicKey>> trustedSubjects;
        // X.509 factory used by doValidate() to build a CertPath from the chain.
        CertificateFactory factory;

        PluginValidator() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a validator trusting the given certificates.
     *
     * <p>Each non-null certificate becomes a {@link TrustAnchor} without name constraints.
     * Revocation checking is enabled only for the TLS_SERVER/TLS_CLIENT variants and only
     * when {@link #checkTLSRevocation} is set (see {@link #setDefaultParameters}).
     *
     * @param tLSValidatorVariant the validator variant passed to the superclass
     * @param collection trusted certificates; {@code null} yields an empty trust set
     * @throws RuntimeException if {@link PKIXBuilderParameters} rejects the anchor set
     *         (see {@link #buildBuilderParameters})
     */
    public TLSPKIXValidator(TLSValidatorVariant tLSValidatorVariant, Collection<X509Certificate> collection) {
        super(tLSValidatorVariant);
        this.certPathLength = -1;
        this.trustedCerts = buildTrustedCerts(collection);
        this.parameterTemplate = buildBuilderParameters(collection);
        setDefaultParameters(tLSValidatorVariant);
        this.plugin = initialValidator();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a validator from caller-supplied PKIX parameters.
     *
     * <p>The trust set is derived from the anchors' trusted certificates (anchors given only
     * by name/key are ignored, see {@link #buildTrustedCerts(PKIXBuilderParameters)}).
     * The parameter object is stored by reference, not cloned, and
     * {@link #setDefaultParameters} is NOT applied here: the caller's revocation setting is
     * kept as-is.
     *
     * @param tLSValidatorVariant the validator variant passed to the superclass
     * @param pKIXBuilderParameters parameters used as the per-call template
     */
    public TLSPKIXValidator(TLSValidatorVariant tLSValidatorVariant, PKIXBuilderParameters pKIXBuilderParameters) {
        super(tLSValidatorVariant);
        this.certPathLength = -1;
        this.trustedCerts = buildTrustedCerts(pKIXBuilderParameters);
        this.parameterTemplate = pKIXBuilderParameters;
        this.plugin = initialValidator();
    }

    /**
     * Builds the {@link PluginValidator} lookup structures from {@link #trustedCerts}.
     *
     * @return a fully populated holder
     * @throws RuntimeException if no X.509 certificate factory is available
     */
    private final PluginValidator initialValidator() {
        PluginValidator pluginValidator = new PluginValidator();
        pluginValidator.trustedSubjects = buildTrustedSubjects(this.trustedCerts);
        pluginValidator.factory = buildCertificateFactory();
        return pluginValidator;
    }

    /**
     * Returns the internal trust set itself (no defensive copy).
     *
     * @return the trusted certificates
     */
    @Override // cfca.sadk.tls.sun.security.validator.TLSValidator
    public final Collection<X509Certificate> getTrustedCertificates() {
        return this.trustedCerts;
    }

    /**
     * Returns the length of the chain last processed by {@link #doValidate}, or -1 if
     * {@link #doValidate} has not run yet.
     *
     * @return the recorded chain length
     */
    public final int getCertPathLength() {
        return this.certPathLength;
    }

    /**
     * Sets the template's revocation flag: {@link #checkTLSRevocation} for the TLS_SERVER and
     * TLS_CLIENT variants, {@code false} for every other variant.
     *
     * @param tLSValidatorVariant the validator variant
     */
    private final void setDefaultParameters(TLSValidatorVariant tLSValidatorVariant) {
        if (tLSValidatorVariant == TLSValidatorVariant.TLS_SERVER || tLSValidatorVariant == TLSValidatorVariant.TLS_CLIENT) {
            this.parameterTemplate.setRevocationEnabled(checkTLSRevocation);
        } else {
            this.parameterTemplate.setRevocationEnabled(false);
        }
    }

    /**
     * Returns the parameter template itself (no defensive copy).
     *
     * @return the template used for each validation
     */
    public final PKIXBuilderParameters getParameters() {
        return this.parameterTemplate;
    }

    /**
     * Validates a certificate chain against the trust set.
     *
     * <p>The full chain is written to the log at INFO level via {@code Debugger.dump}. A clone
     * of the template is prepared (with a {@code CFCAAlgorithmChecker} appended when
     * constraints are given), then {@link #checkOrder} is consulted; if it produces no result,
     * the chain goes to {@link #doValidate} when the issuer of its last element is a trusted
     * subject, otherwise to {@link #doBuild}.
     *
     * @param x509CertificateArr the chain, leaf first
     * @param collection extra certificates; only used by {@link #doBuild}, where they are
     *        added to the collection cert store
     * @param cFCAAlgorithmConstraints optional algorithm constraints; {@code null} adds no checker
     * @param obj not used by this implementation
     * @return the validated chain as produced by the helpers
     * @throws CertificateException on a null/empty chain, missing parameters or plugin state,
     *         or any failure reported by the helpers
     */
    @Override // cfca.sadk.tls.sun.security.validator.TLSValidator
    X509Certificate[] engineValidate(X509Certificate[] x509CertificateArr, Collection<X509Certificate> collection, CFCAAlgorithmConstraints cFCAAlgorithmConstraints, Object obj) throws CertificateException {
        if (logger.isInfoEnabled()) {
            logger.info("engineValidate<<<<<<Running\n cert: " + Debugger.dump(x509CertificateArr));
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        if (this.parameterTemplate == null) {
            throw new CertificateException("null builder parameters");
        }
        if (this.plugin == null || this.plugin.trustedSubjects == null || this.plugin.factory == null) {
            throw new CertificateException("plugin is null or the param of plugin missing");
        }
        // Work on a copy so per-call mutations (date, checkers, cert stores) do not leak into the template.
        PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.parameterTemplate.clone();
        if (cFCAAlgorithmConstraints != null) {
            // NOTE(review): the checker is registered on the parameters, but no CertPathValidator
            // call is visible in this class, so it only takes effect if TrustAnchorHelper runs it.
            pKIXBuilderParameters.addCertPathChecker(new CFCAAlgorithmChecker(cFCAAlgorithmConstraints));
        }
        X509Certificate[] checkOrder = checkOrder(x509CertificateArr, collection, pKIXBuilderParameters);
        if (checkOrder != null) {
            return checkOrder;
        }
        // Ordered chain with no trusted element inside it: decide by the issuer of its last cert.
        return this.plugin.trustedSubjects.containsKey(x509CertificateArr[x509CertificateArr.length - 1].getIssuerX500Principal()) ? doValidate(x509CertificateArr, pKIXBuilderParameters, this.plugin.factory) : doBuild(x509CertificateArr, collection, pKIXBuilderParameters);
    }

    /**
     * Walks the chain leaf-first, checking subject/issuer name chaining and looking for a
     * trusted element.
     *
     * <ul>
     *   <li>{@code null} entries are skipped and do not advance the expected issuer.</li>
     *   <li>If a cert's subject does not equal the previous cert's issuer, the whole chain is
     *       handed to {@link #doBuild}.</li>
     *   <li>If a cert is in {@link #trustedCerts}, or its subject maps to a trusted public key
     *       list containing its key: at index 0 the leaf alone is returned with no further
     *       checks in this class; otherwise the prefix before it (the trusted cert excluded)
     *       is handed to {@link #doValidate}.</li>
     * </ul>
     *
     * @param x509CertificateArr the chain, leaf first
     * @param collection extra certificates forwarded to {@link #doBuild}
     * @param pKIXBuilderParameters the per-call parameter clone
     * @return the helper's result, or {@code null} when the chain is ordered but contains no
     *         trusted element
     * @throws CertificateException propagated from the helpers
     */
    private X509Certificate[] checkOrder(X509Certificate[] x509CertificateArr, Collection<X509Certificate> collection, PKIXBuilderParameters pKIXBuilderParameters) throws CertificateException {
        X500Principal x500Principal = null;
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate x509Certificate = x509CertificateArr[i];
            if (x509Certificate != null) {
                X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
                if (i != 0 && !subjectX500Principal.equals(x500Principal)) {
                    return doBuild(x509CertificateArr, collection, pKIXBuilderParameters);
                }
                if (this.trustedCerts.contains(x509Certificate) || (this.plugin.trustedSubjects.containsKey(subjectX500Principal) && this.plugin.trustedSubjects.get(subjectX500Principal).contains(x509Certificate.getPublicKey()))) {
                    if (i == 0) {
                        return new X509Certificate[]{x509CertificateArr[0]};
                    }
                    X509Certificate[] x509CertificateArr2 = new X509Certificate[i];
                    System.arraycopy(x509CertificateArr, 0, x509CertificateArr2, 0, i);
                    return doValidate(x509CertificateArr2, pKIXBuilderParameters, this.plugin.factory);
                }
                x500Principal = x509Certificate.getIssuerX500Principal();
            }
        }
        return null;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v6, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.util.Set] */
    /**
     * Converts the trusted-certificate collection into a {@link Set}.
     *
     * <p>A {@code Set} argument is returned as-is (no copy, so later caller mutations are
     * visible here); any other collection is copied into a {@link HashSet}.
     *
     * @param collection trusted certificates, or {@code null}
     * @return the trust set; empty for {@code null}
     */
    private final Set<X509Certificate> buildTrustedCerts(Collection<X509Certificate> collection) {
        return collection == null ? Collections.emptySet() : collection instanceof Set ? (Set) collection : new HashSet(collection);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v18, types: [java.util.Set] */
    /**
     * Collects the trusted certificates of the parameters' trust anchors.
     *
     * <p>Anchors whose {@code getTrustedCert()} is {@code null} (name/key anchors) are skipped.
     * Decompiler artefact: {@code Collections.emptySet()} is assigned to a {@code HashSet}
     * local; the original bytecode used a {@code Set} local.
     *
     * @param pKIXBuilderParameters the source parameters, or {@code null}
     * @return the trust set; empty for {@code null}
     */
    private final Set<X509Certificate> buildTrustedCerts(PKIXBuilderParameters pKIXBuilderParameters) {
        HashSet hashSet;
        X509Certificate trustedCert;
        if (pKIXBuilderParameters == null) {
            hashSet = Collections.emptySet();
        } else {
            hashSet = new HashSet();
            for (TrustAnchor trustAnchor : pKIXBuilderParameters.getTrustAnchors()) {
                if (trustAnchor != null && (trustedCert = trustAnchor.getTrustedCert()) != null) {
                    hashSet.add(trustedCert);
                }
            }
        }
        return hashSet;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.util.Set] */
    /**
     * Builds {@link PKIXBuilderParameters} whose trust anchors are the given certificates
     * (no name constraints, no target constraints).
     *
     * @param collection trusted certificates; {@code null} entries are ignored
     * @return the new parameters
     * @throws RuntimeException wrapping {@link InvalidAlgorithmParameterException} when the
     *         JDK rejects the anchor set (e.g. when it is empty)
     */
    private final PKIXBuilderParameters buildBuilderParameters(Collection<X509Certificate> collection) {
        HashSet hashSet;
        if (collection == null) {
            hashSet = Collections.emptySet();
        } else {
            hashSet = new HashSet();
            for (X509Certificate x509Certificate : collection) {
                if (x509Certificate != null) {
                    hashSet.add(new TrustAnchor(x509Certificate, null));
                }
            }
        }
        try {
            return new PKIXBuilderParameters(hashSet, (CertSelector) null);
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Unexpected error: " + e.toString(), e);
        }
    }

    /**
     * Obtains the X.509 certificate factory from {@code JSSEJCE}.
     *
     * @return the factory
     * @throws RuntimeException wrapping the {@link CertificateException} if none is available
     */
    private final CertificateFactory buildCertificateFactory() {
        try {
            return JSSEJCE.getCertificateFactory("X.509");
        } catch (CertificateException e) {
            throw new RuntimeException("Internal error", e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v24, types: [java.util.List] */
    /* JADX WARN: Type inference failed for: r0v26, types: [java.util.Map] */
    /**
     * Indexes the trusted certificates by subject DN, mapping each subject to the public keys
     * seen under it (a list, so duplicates are kept).
     *
     * @param collection trusted certificates; {@code null} entries are ignored
     * @return subject to public-key list; empty for {@code null}
     */
    private final Map<X500Principal, List<PublicKey>> buildTrustedSubjects(Collection<X509Certificate> collection) {
        HashMap hashMap;
        ArrayList arrayList;
        if (collection == null) {
            hashMap = Collections.emptyMap();
        } else {
            hashMap = new HashMap();
            for (X509Certificate x509Certificate : collection) {
                if (x509Certificate != null) {
                    X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
                    if (hashMap.containsKey(subjectX500Principal)) {
                        arrayList = (List) hashMap.get(subjectX500Principal);
                    } else {
                        arrayList = new ArrayList();
                        hashMap.put(subjectX500Principal, arrayList);
                    }
                    arrayList.add(x509Certificate.getPublicKey());
                }
            }
        }
        return hashMap;
    }

    /**
     * "Validates" a chain whose last element is issued by a trusted subject.
     *
     * <p>What this method does: stamps the current time on the parameters, builds a
     * {@link CertPath} from the chain, records its length in {@link #certPathLength}, looks
     * up a trust anchor for the last certificate of the path via {@code TrustAnchorHelper}
     * and returns {@code TrustAnchorHelper.toArray(path, anchor)}. The parameters are only
     * read for their trust anchors; no {@code CertPathValidator.validate} call is made here.
     * A {@code null} anchor is passed on to {@code toArray} without a check (contrast
     * {@link #doBuild}) — its handling depends on {@code TrustAnchorHelper}, not visible here.
     *
     * @param x509CertificateArr the chain, leaf first
     * @param pKIXBuilderParameters the per-call parameter clone
     * @param certificateFactory the X.509 factory
     * @return the array produced by {@code TrustAnchorHelper.toArray}
     * @throws TLSValidatorException on a null/empty chain, a null factory, or any exception
     *         raised while building the path or resolving the anchor
     */
    private final X509Certificate[] doValidate(X509Certificate[] x509CertificateArr, PKIXBuilderParameters pKIXBuilderParameters, CertificateFactory certificateFactory) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new TLSValidatorException("PKIX path building failed: null or zero-length certificate chain");
        }
        if (certificateFactory == null) {
            throw new TLSValidatorException("PKIX path building failed: null certificate factory");
        }
        try {
            pKIXBuilderParameters.setDate(new Date());
            CertPath generateCertPath = certificateFactory.generateCertPath(Arrays.asList(x509CertificateArr));
            this.certPathLength = x509CertificateArr.length;
            List<? extends Certificate> certificates = generateCertPath.getCertificates();
            return TrustAnchorHelper.toArray(generateCertPath, TrustAnchorHelper.findTrustAnchor((X509Certificate) certificates.get(certificates.size() - 1), pKIXBuilderParameters.getTrustAnchors()));
        } catch (Exception e) {
            throw new TLSValidatorException("PKIX path validation failed: " + e.toString(), e);
        }
    }

    /**
     * "Builds" a path for a chain that is unordered or whose last element is not issued by a
     * trusted subject.
     *
     * <p>What this method does: stamps the current time, sets the leaf as target constraint,
     * registers a collection cert store holding the chain plus {@code collection}, then looks
     * up a trust anchor for the first element of that store list — which is always the leaf
     * {@code x509CertificateArr[0]}, since the chain is added first and is non-empty — and
     * returns {@code TrustAnchorHelper.toArray(chain, anchor)}. The target constraints and
     * cert store are set on the parameters but no {@code CertPathBuilder.build} call is made
     * here. {@link #certPathLength} is not updated on this path.
     *
     * @param x509CertificateArr the chain, leaf first
     * @param collection extra certificates added to the cert store; may be {@code null}
     * @param pKIXBuilderParameters the per-call parameter clone
     * @return the array produced by {@code TrustAnchorHelper.toArray}
     * @throws TLSValidatorException on a null/empty chain, when no anchor is found for the
     *         leaf, or on any exception raised while preparing the parameters
     */
    private final X509Certificate[] doBuild(X509Certificate[] x509CertificateArr, Collection<X509Certificate> collection, PKIXBuilderParameters pKIXBuilderParameters) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new TLSValidatorException("PKIX path building failed: null or zero-length certificate chain");
        }
        try {
            pKIXBuilderParameters.setDate(new Date());
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate(x509CertificateArr[0]);
            pKIXBuilderParameters.setTargetCertConstraints(x509CertSelector);
            ArrayList arrayList = new ArrayList();
            arrayList.addAll(Arrays.asList(x509CertificateArr));
            if (collection != null) {
                arrayList.addAll(collection);
            }
            pKIXBuilderParameters.addCertStore(JSSEJCE.getCertStore("Collection", new CollectionCertStoreParameters(arrayList)));
            // First element of the list is x509CertificateArr[0] (the leaf).
            X509Certificate x509Certificate = (X509Certificate) arrayList.toArray()[0];
            TrustAnchor findTrustAnchor = TrustAnchorHelper.findTrustAnchor(x509Certificate, pKIXBuilderParameters.getTrustAnchors());
            if (findTrustAnchor == null) {
                throw new TLSValidatorException("findTrustAnchor failed: TrustAnchor is null! IssuerDN= " + x509Certificate.getIssuerDN());
            }
            return TrustAnchorHelper.toArray(x509CertificateArr, findTrustAnchor);
        } catch (Exception e) {
            throw new TLSValidatorException("PKIX path building failed: " + e.toString(), e);
        }
    }
}
