package com.netflix.msl.entityauth;

import com.netflix.msl.util.Base64;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:WEB-INF/lib/msl-core-1.2225.0.jar:com/netflix/msl/entityauth/X509Store.class */
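/**
 * An in-memory store of trusted X.509 CA certificates, keyed by subject
 * distinguished name, with optional private keys registered against stored
 * certificates.
 *
 * <p>A certificate can only be added if it is a CA certificate (basic
 * constraints present), is valid at the time it is added, and is either
 * self-signed or signed by a certificate already in the store within the
 * path length constraints of that issuer chain. End-entity certificates are
 * never stored; {@link #isAccepted(X509Certificate)} checks them against the
 * stored issuers.
 *
 * <p>The backing maps are unsynchronized, so this class is not thread-safe.
 */
public class X509Store {
    /** Trusted CA certificates keyed by subject DN; several certificates may share one subject. */
    private final Map<X500Principal, List<X509Certificate>> store = new HashMap<X500Principal, List<X509Certificate>>();
    /** Private keys keyed by the subject DN of the certificate they were registered with. */
    private final Map<X500Principal, PrivateKey> privateKeys = new HashMap<X500Principal, PrivateKey>();

    /**
     * Returns the stored certificate that issued the given certificate.
     *
     * <p>Candidates are the stored certificates whose subject equals the
     * certificate's issuer DN; the first candidate whose public key verifies
     * the certificate's signature wins. A verification failure only means
     * "not this candidate" and the next one is tried.
     *
     * @param x509Certificate the certificate whose issuer is wanted.
     * @return the issuing certificate, or {@code null} if no stored
     *         certificate verifies it.
     */
    private X509Certificate getIssuer(final X509Certificate x509Certificate) {
        final List<X509Certificate> candidates = this.store.get(x509Certificate.getIssuerX500Principal());
        if (candidates == null) {
            return null;
        }
        for (final X509Certificate candidate : candidates) {
            try {
                x509Certificate.verify(candidate.getPublicKey());
                return candidate;
            } catch (final GeneralSecurityException ignored) {
                // Wrong key, unsupported algorithm or bad signature: this
                // candidate did not issue the certificate. Only the checked
                // exceptions declared by verify() are swallowed; runtime
                // errors propagate.
            }
        }
        return null;
    }

    /**
     * Builds the stored issuer chain of a certificate, ordered root-first and
     * excluding the certificate itself.
     *
     * <p>Starting from the certificate's issuer, each link is resolved with
     * {@link #getIssuer(X509Certificate)} until a self-signed certificate is
     * reached.
     *
     * @param x509Certificate the certificate to chain.
     * @return the issuing certificates, self-signed root first.
     * @throws CertificateException if any link is missing from the store.
     */
    private List<X509Certificate> getIssuerChain(final X509Certificate x509Certificate) throws CertificateException {
        final List<X509Certificate> chain = new ArrayList<X509Certificate>();
        X509Certificate current = x509Certificate;
        do {
            final X509Certificate issuer = getIssuer(current);
            if (issuer == null) {
                throw new CertificateException("No issuer found for certificate: " + Base64.encode(current.getEncoded()));
            }
            // Prepend so the root ends up at index 0.
            chain.add(0, issuer);
            current = issuer;
        } while (!isSelfSigned(current));
        return chain;
    }

    /**
     * Returns true if the certificate's subject and issuer DNs are equal.
     * Only the names are compared; the signature is not checked here.
     *
     * @param x509Certificate the certificate to inspect.
     * @return true if subject equals issuer.
     */
    private static boolean isSelfSigned(final X509Certificate x509Certificate) {
        final X500Principal subject = x509Certificate.getSubjectX500Principal();
        return subject.equals(x509Certificate.getIssuerX500Principal());
    }

    /**
     * Returns true if some stored certificate verifies the given
     * certificate's signature.
     *
     * @param x509Certificate the certificate to check.
     * @return true if a stored issuer was found.
     */
    private boolean isVerified(final X509Certificate x509Certificate) {
        return getIssuer(x509Certificate) != null;
    }

    /**
     * Checks that a CA certificate can sit beneath its stored issuer chain
     * without exceeding any path length constraint declared in that chain.
     *
     * <p>The chain is walked root-first, carrying the path length declared by
     * the most recent CA that declared one ({@code Integer.MAX_VALUE} means
     * unlimited). Rejection occurs if a chain member declares a larger path
     * length than the one in force, if a non-CA member appears before any
     * path length is in force, or if the path length in force reaches zero
     * before the chain ends. Finally the candidate's own path length, when it
     * is a CA, must not exceed the value in force.
     *
     * <p>NOTE(review): a CA that restates its parent's path length does not
     * consume a level of depth here (the value in force is replaced, not
     * reduced), so a root with path length 1 followed by an intermediate with
     * path length 1 still permits a further CA beneath the intermediate.
     * RFC 5280 counts that intermediate against the root's constraint.
     * Confirm whether this leniency is intended before tightening it.
     *
     * @param x509Certificate the CA certificate being added.
     * @return true if the certificate is within the path length constraints
     *         of its issuer chain.
     * @throws CertificateException if the issuer chain cannot be built.
     */
    private boolean isPermittedByIssuer(final X509Certificate x509Certificate) throws CertificateException {
        final List<X509Certificate> issuerChain = getIssuerChain(x509Certificate);
        if (issuerChain.isEmpty()) {
            return false;
        }
        // -1 means no path length constraint has been seen yet.
        int pathLenInForce = -1;
        for (final X509Certificate ca : issuerChain) {
            final int declared = ca.getBasicConstraints();
            if (declared == -1) {
                // Not a CA certificate.
                if (pathLenInForce == -1) {
                    return false;
                }
                pathLenInForce--;
            } else if (pathLenInForce == -1) {
                pathLenInForce = declared;
            } else {
                if (declared > pathLenInForce) {
                    return false;
                }
                pathLenInForce = declared;
            }
            if (pathLenInForce == 0) {
                return false;
            }
        }
        final int candidatePathLen = x509Certificate.getBasicConstraints();
        return candidatePathLen == -1 || candidatePathLen <= pathLenInForce;
    }

    /**
     * Parses every X.509 certificate in the stream and adds each one as a
     * trusted CA certificate, in stream order.
     *
     * <p>Each certificate must be verifiable against one already in the
     * store, so the stream must be ordered root-first. All certificates are
     * parsed before any is added, so a malformed stream adds nothing; a
     * certificate that later fails the trust checks still leaves the ones
     * added before it in the store. The stream is not closed.
     *
     * @param inputStream DER or PEM encoded certificates.
     * @throws CertificateExpiredException if a certificate has expired.
     * @throws CertificateNotYetValidException if a certificate is not yet valid.
     * @throws CertificateException if the stream cannot be parsed, contains a
     *         non-X.509 certificate, or a certificate is not an acceptable CA
     *         certificate.
     * @throws IOException declared for callers; parsing errors surface as
     *         {@link CertificateException}.
     * @throws InvalidKeyException if a certificate's key cannot be used.
     * @throws SignatureException if a signature check fails.
     * @throws NoSuchAlgorithmException if a signature algorithm is unsupported.
     * @throws NoSuchProviderException if no provider supports an algorithm.
     */
    public void addTrusted(final InputStream inputStream) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException, NoSuchProviderException {
        final InputStream bufferedInputStream = new BufferedInputStream(inputStream);
        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        // generateCertificates() reads to end-of-stream. Looping on
        // available() instead is unreliable: InputStream.available() may
        // report 0 while data is still pending, silently dropping
        // certificates.
        for (final Certificate candidate : certificateFactory.generateCertificates(bufferedInputStream)) {
            if (!(candidate instanceof X509Certificate)) {
                throw new CertificateException("Stream contains a non-X.509 certificate: " + candidate.getType());
            }
            addTrusted((X509Certificate) candidate);
        }
    }

    /**
     * Adds an ordered certificate chain, root first, as trusted CA
     * certificates.
     *
     * <p>The first certificate must be self-signed; every following
     * certificate is verified against the public key of the one before it
     * and then added with {@link #addTrusted(X509Certificate)}. A null or
     * empty list is a no-op.
     *
     * @param list the chain, self-signed root first.
     * @throws CertificateExpiredException if a certificate has expired.
     * @throws CertificateNotYetValidException if a certificate is not yet valid.
     * @throws CertificateException if the first certificate is not
     *         self-signed or a certificate is not an acceptable CA certificate.
     * @throws NoSuchAlgorithmException if a signature algorithm is unsupported.
     * @throws InvalidKeyException if a certificate's key cannot be used.
     * @throws NoSuchProviderException if no provider supports an algorithm.
     * @throws SignatureException if a certificate is not signed by its predecessor.
     */
    public void addTrusted(final List<X509Certificate> list) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        if (list == null || list.isEmpty()) {
            return;
        }
        X509Certificate previous = list.get(0);
        if (!isSelfSigned(previous)) {
            throw new CertificateException("First certificate is not self-signed: " + Base64.encode(previous.getEncoded()));
        }
        addTrusted(previous);
        for (int index = 1; index < list.size(); index++) {
            final X509Certificate next = list.get(index);
            // Enforce the stated chain order explicitly, not just "some stored CA".
            next.verify(previous.getPublicKey());
            addTrusted(next);
            previous = next;
        }
    }

    /**
     * Adds a single trusted CA certificate.
     *
     * <p>The certificate must be currently valid and carry basic constraints
     * marking it as a CA. A self-signed certificate is accepted as a trust
     * anchor after its own signature is verified; any other certificate must
     * be signed by a stored certificate and satisfy that issuer chain's path
     * length constraints. Adding a certificate already in the store is a
     * no-op.
     *
     * @param x509Certificate the CA certificate to trust.
     * @throws CertificateExpiredException if the certificate has expired.
     * @throws CertificateNotYetValidException if the certificate is not yet valid.
     * @throws CertificateException if the certificate is not a CA
     *         certificate, is not signed by a stored certificate, or violates
     *         the issuer chain's path length constraints.
     * @throws SignatureException if a self-signature check fails.
     * @throws InvalidKeyException if the certificate's key cannot be used.
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported.
     * @throws NoSuchProviderException if no provider supports the algorithm.
     */
    public void addTrusted(final X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, SignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        // Validity is enforced only at add time; later lookups do not re-check it.
        x509Certificate.checkValidity();
        // getBasicConstraints() returns -1 for certificates that are not CAs.
        if (x509Certificate.getBasicConstraints() < 0) {
            throw new CertificateException("Certificate is not a CA certificate: " + Base64.encode(x509Certificate.getEncoded()));
        }
        if (isSelfSigned(x509Certificate)) {
            // Trust anchor: only its own signature is checked.
            x509Certificate.verify(x509Certificate.getPublicKey());
        } else {
            if (!isVerified(x509Certificate)) {
                throw new CertificateException("Certificate is not self-signed and not trusted by any known CA certificate: " + Base64.encode(x509Certificate.getEncoded()));
            }
            if (!isPermittedByIssuer(x509Certificate)) {
                throw new CertificateException("Certificate appears too far from its issuing CA certificate: " + Base64.encode(x509Certificate.getEncoded()));
            }
        }
        final X500Principal subject = x509Certificate.getSubjectX500Principal();
        List<X509Certificate> certificates = this.store.get(subject);
        if (certificates == null) {
            certificates = new ArrayList<X509Certificate>();
            this.store.put(subject, certificates);
        }
        // Certificate.equals() compares encoded forms, so duplicates are skipped.
        if (!certificates.contains(x509Certificate)) {
            certificates.add(x509Certificate);
        }
    }

    /**
     * Adds a trusted CA certificate and registers a private key for its
     * subject DN.
     *
     * <p>The key is stored as given: no check is made that it corresponds to
     * the certificate's public key, and it replaces any key previously
     * registered for the same subject DN. If the certificate is rejected the
     * key is not stored.
     *
     * @param x509Certificate the CA certificate to trust.
     * @param privateKey the private key to associate with the certificate's subject.
     * @throws CertificateExpiredException if the certificate has expired.
     * @throws CertificateNotYetValidException if the certificate is not yet valid.
     * @throws CertificateException if the certificate is not acceptable; see
     *         {@link #addTrusted(X509Certificate)}.
     * @throws SignatureException if a self-signature check fails.
     * @throws InvalidKeyException if the certificate's key cannot be used.
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported.
     * @throws NoSuchProviderException if no provider supports the algorithm.
     */
    public void addTrusted(final X509Certificate x509Certificate, final PrivateKey privateKey) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, SignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        addTrusted(x509Certificate);
        this.privateKeys.put(x509Certificate.getSubjectX500Principal(), privateKey);
    }

    /**
     * Returns true if the certificate is currently valid and its signature is
     * verified by a stored CA certificate.
     *
     * <p>Only the immediate issuer is consulted: the stored issuer's own
     * validity period is not re-checked, and no revocation check is
     * performed.
     *
     * @param x509Certificate the certificate to check.
     * @return true if a stored CA certificate verifies it.
     * @throws CertificateExpiredException if the certificate has expired.
     * @throws CertificateNotYetValidException if the certificate is not yet valid.
     */
    public boolean isAccepted(final X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        x509Certificate.checkValidity();
        return isVerified(x509Certificate);
    }

    /**
     * Returns the private key registered for the certificate's subject DN.
     *
     * <p>Lookup is by subject DN only, so any certificate with that subject
     * yields the same key.
     *
     * @param x509Certificate the certificate whose subject's key is wanted.
     * @return the registered private key, or {@code null} if none.
     */
    public PrivateKey getPrivateKey(final X509Certificate x509Certificate) {
        return this.privateKeys.get(x509Certificate.getSubjectX500Principal());
    }
}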
