package sun.security.validator;

import java.security.AlgorithmConstraints;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;

/* loaded from: input_file:META-INF/modules/java.base/classes/sun/security/validator/PKIXValidator.class */
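/**
 * Validator that checks X.509 certificate chains against a fixed set of trust anchors using the
 * JDK PKIX {@link CertPathValidator} and {@link CertPathBuilder}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Revocation checking is switched off for every variant except the two TLS variants, and
 *       for those it follows the {@code com.sun.net.ssl.checkRevocation} system property.</li>
 *   <li>A chain certificate is treated as trusted when it is one of the trusted certificates, or
 *       when its subject name and public key both match those of a trusted certificate.</li>
 *   <li>{@link #getTrustedCertificates()} and {@link #getParameters()} hand out live internal
 *       objects rather than copies.</li>
 *   <li>{@code certPathLength} is plain mutable state written during validation; nothing in this
 *       class synchronizes access to it.</li>
 * </ul>
 */
public final class PKIXValidator extends Validator {
    /**
     * Result of reading the {@code com.sun.net.ssl.checkRevocation} system property once, when
     * the class is initialized. Later changes to the property are not observed here.
     */
    private static final boolean checkTLSRevocation =
            GetBooleanAction.privilegedGetProperty("com.sun.net.ssl.checkRevocation");

    // Certificates accepted as trust anchors. May alias a caller-supplied Set (see constructor).
    private final Set<X509Certificate> trustedCerts;
    // Template PKIX parameters; cloned for every engineValidate call.
    private final PKIXBuilderParameters parameterTemplate;
    // Length of the chain most recently handed to doValidate, or -1 if none yet.
    private int certPathLength = -1;
    // Public keys of the trusted certificates, grouped by subject name; built once at construction.
    private final Map<X500Principal, List<PublicKey>> trustedSubjects;
    private final CertificateFactory factory;
    // True only for the plugin code-signing variant; selects stricter/alternate handling below.
    private final boolean plugin;

    /**
     * Creates a validator whose trust anchors are the given certificates.
     *
     * <p>Originally package-private; the decompiler widened the access modifier.
     *
     * @param str validator variant, forwarded to {@link Validator} and used to pick defaults
     * @param collection certificates to trust; each becomes a {@link TrustAnchor} without name
     *     constraints
     * @throws RuntimeException if the PKIX parameters or the X.509 factory cannot be created
     */
    public PKIXValidator(String str, Collection<X509Certificate> collection) {
        super(Validator.TYPE_PKIX, str);
        // NOTE(review): when the caller passes a Set it is stored by reference, so later changes
        // by the caller alter trustedCerts while trustedSubjects and the anchors stay as built.
        this.trustedCerts = collection instanceof Set
                ? (Set<X509Certificate>) collection
                : new HashSet<>(collection);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate cert : collection) {
            anchors.add(new TrustAnchor(cert, null));
        }
        try {
            this.parameterTemplate = new PKIXBuilderParameters(anchors, (CertSelector) null);
            this.factory = CertificateFactory.getInstance("X.509");
            setDefaultParameters(str);
            this.plugin = str.equals(Validator.VAR_PLUGIN_CODE_SIGNING);
            this.trustedSubjects = setTrustedSubjects();
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Unexpected error: " + e.toString(), e);
        } catch (CertificateException e2) {
            throw new RuntimeException("Internal error", e2);
        }
    }

    /**
     * Creates a validator around caller-supplied PKIX parameters.
     *
     * <p>The parameters object is kept as the template unchanged: unlike the collection-based
     * constructor, this one does not call {@code setDefaultParameters}, so the revocation setting
     * is whatever the caller configured. Trust anchors given only as name/key (no certificate)
     * are not added to {@code trustedCerts}.
     *
     * <p>Originally package-private; the decompiler widened the access modifier.
     *
     * @param str validator variant, forwarded to {@link Validator}
     * @param pKIXBuilderParameters parameters to use as the validation template
     * @throws RuntimeException if the X.509 certificate factory cannot be created
     */
    public PKIXValidator(String str, PKIXBuilderParameters pKIXBuilderParameters) {
        super(Validator.TYPE_PKIX, str);
        this.trustedCerts = new HashSet<>();
        for (TrustAnchor anchor : pKIXBuilderParameters.getTrustAnchors()) {
            X509Certificate anchorCert = anchor.getTrustedCert();
            if (anchorCert != null) {
                this.trustedCerts.add(anchorCert);
            }
        }
        this.parameterTemplate = pKIXBuilderParameters;
        try {
            this.factory = CertificateFactory.getInstance("X.509");
            this.plugin = str.equals(Validator.VAR_PLUGIN_CODE_SIGNING);
            this.trustedSubjects = setTrustedSubjects();
        } catch (CertificateException e) {
            throw new RuntimeException("Internal error", e);
        }
    }

    /**
     * Builds the subject-name to public-key index over {@code trustedCerts}.
     *
     * @return a new map from each trusted subject to the public keys of all trusted certificates
     *     carrying that subject
     */
    private Map<X500Principal, List<PublicKey>> setTrustedSubjects() {
        Map<X500Principal, List<PublicKey>> keysBySubject = new HashMap<>();
        for (X509Certificate cert : this.trustedCerts) {
            keysBySubject
                    .computeIfAbsent(cert.getSubjectX500Principal(), subject -> new ArrayList<>())
                    .add(cert.getPublicKey());
        }
        return keysBySubject;
    }

    /**
     * Returns the trusted certificates.
     *
     * <p>NOTE(review): this is the internal set itself, not a copy or an unmodifiable view. A
     * caller that modifies it changes which certificates {@code engineValidate} short-circuits
     * on, without updating {@code trustedSubjects} or the PKIX trust anchors.
     */
    @Override // sun.security.validator.Validator
    public Collection<X509Certificate> getTrustedCertificates() {
        return this.trustedCerts;
    }

    /**
     * Returns the length of the chain most recently passed to path validation, or -1 if path
     * validation has not run. The value is recorded before validation is attempted, so it is
     * also updated when that validation fails.
     */
    public int getCertPathLength() {
        return this.certPathLength;
    }

    /**
     * Applies the default revocation setting for the given variant: the TLS server and client
     * variants follow {@code checkTLSRevocation}; every other variant has revocation disabled.
     *
     * @param str validator variant
     */
    private void setDefaultParameters(String str) {
        // Compare by value. A reference comparison only matches when the caller passes the very
        // same String instance as the constant; an equal but distinct string would otherwise
        // fall through to the branch that disables revocation checking.
        if (Validator.VAR_TLS_SERVER.equals(str) || Validator.VAR_TLS_CLIENT.equals(str)) {
            this.parameterTemplate.setRevocationEnabled(checkTLSRevocation);
        } else {
            this.parameterTemplate.setRevocationEnabled(false);
        }
    }

    /**
     * Returns the parameter template.
     *
     * <p>This is the live template, not a copy: changes made through the returned object apply
     * to every later validation, because each validation starts from a clone of it.
     */
    public PKIXBuilderParameters getParameters() {
        return this.parameterTemplate;
    }

    /**
     * Validates a certificate chain and returns the validated chain ending in its trust anchor.
     *
     * <p>Decision order, as implemented below:
     * <ol>
     *   <li>Walk the chain from the end-entity certificate. If a certificate's subject does not
     *       match the previous certificate's issuer, fall back to path building.</li>
     *   <li>If a certificate is trusted (member of {@code trustedCerts}, or same subject and
     *       public key as a trusted certificate): when it is the first certificate, it is
     *       returned on its own with no PKIX validation at all; otherwise the certificates before
     *       it are path-validated.</li>
     *   <li>If no certificate in the chain is trusted but the last certificate's issuer is a
     *       trusted subject (and, for the plugin variant, its signature verifies under one of
     *       that subject's keys), the whole chain is path-validated.</li>
     *   <li>Otherwise non-plugin variants attempt path building. The plugin variant validates the
     *       chain against its own last certificate and then always reports that no trust anchor
     *       was found.</li>
     * </ol>
     *
     * @param x509CertificateArr chain to validate, end-entity certificate first
     * @param collection additional certificates offered to path building; may be null
     * @param list stapled OCSP responses, index-aligned with the chain; must not be null
     * @param algorithmConstraints extra algorithm constraints to enforce, or null for none
     * @param obj optional parameter; only a {@link Timestamp} is used, anything else is ignored
     * @return the validated chain including the trust anchor certificate
     * @throws CertificateException if the chain is null or empty, or validation fails
     */
    @Override // sun.security.validator.Validator
    X509Certificate[] engineValidate(X509Certificate[] x509CertificateArr, Collection<X509Certificate> collection, List<byte[]> list, AlgorithmConstraints algorithmConstraints, Object obj) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        PKIXExtendedParameters params = null;
        try {
            params = new PKIXExtendedParameters(
                    (PKIXBuilderParameters) this.parameterTemplate.clone(),
                    obj instanceof Timestamp ? (Timestamp) obj : null,
                    this.variant);
        } catch (InvalidAlgorithmParameterException ignored) {
            // NOTE(review): deliberately ignored in the original. If this ever fires, params
            // stays null and the calls below fail with a NullPointerException instead of a
            // CertificateException, except on the single-trusted-certificate shortcut, which
            // never touches params. Left as is to preserve behaviour.
        }
        if (algorithmConstraints != null) {
            params.addCertPathChecker(
                    new AlgorithmChecker(algorithmConstraints, (Timestamp) null, this.variant));
        }
        if (!list.isEmpty()) {
            addResponses(params, x509CertificateArr, list);
        }

        // Issuer of the previous certificate; the next certificate's subject must equal it.
        X500Principal expectedSubject = null;
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate cert = x509CertificateArr[i];
            X500Principal subject = cert.getSubjectX500Principal();
            if (i != 0 && !subject.equals(expectedSubject)) {
                // Chain is not in issuer order: let the path builder sort it out.
                return doBuild(x509CertificateArr, collection, params);
            }
            boolean trusted = this.trustedCerts.contains(cert)
                    || (this.trustedSubjects.containsKey(subject)
                            && this.trustedSubjects.get(subject).contains(cert.getPublicKey()));
            if (trusted) {
                if (i == 0) {
                    // The end-entity certificate is itself trusted: returned as is, so validity
                    // period, revocation and algorithm constraints are not evaluated for it.
                    return new X509Certificate[]{x509CertificateArr[0]};
                }
                // Validate only the certificates below the trusted one.
                X509Certificate[] untrustedPrefix = new X509Certificate[i];
                System.arraycopy(x509CertificateArr, 0, untrustedPrefix, 0, i);
                return doValidate(untrustedPrefix, params);
            }
            expectedSubject = cert.getIssuerX500Principal();
        }

        // No certificate in the chain is trusted; check whether the last one chains to an anchor.
        X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
        X500Principal lastIssuer = last.getIssuerX500Principal();
        if (this.trustedSubjects.containsKey(lastIssuer)
                && isSignatureValid(this.trustedSubjects.get(lastIssuer), last)) {
            return doValidate(x509CertificateArr, params);
        }
        if (!this.plugin) {
            return doBuild(x509CertificateArr, collection, params);
        }
        if (x509CertificateArr.length > 1) {
            // Plugin variant: check the rest of the chain against its own last certificate as a
            // temporary sole anchor. The result is discarded; a failure propagates from here.
            X509Certificate[] withoutLast = new X509Certificate[x509CertificateArr.length - 1];
            System.arraycopy(x509CertificateArr, 0, withoutLast, 0, withoutLast.length);
            try {
                params.setTrustAnchors(Collections.singleton(
                        new TrustAnchor(x509CertificateArr[x509CertificateArr.length - 1], null)));
                doValidate(withoutLast, params);
            } catch (InvalidAlgorithmParameterException e2) {
                throw new CertificateException(e2);
            }
        }
        // Even an internally consistent chain is rejected: it does not end at a trusted anchor.
        throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
    }

    /**
     * Checks whether the certificate's signature verifies under any of the given keys.
     *
     * <p>For every variant other than plugin code signing this returns {@code true} without
     * verifying anything; the caller then runs full path validation, which is where the
     * signature is actually checked.
     *
     * @param list candidate issuer public keys
     * @param x509Certificate certificate whose signature is checked
     * @return true if not in plugin mode, or if some key verifies the signature
     */
    private boolean isSignatureValid(List<PublicKey> list, X509Certificate x509Certificate) {
        if (!this.plugin) {
            return true;
        }
        for (PublicKey candidateKey : list) {
            try {
                x509Certificate.verify(candidateKey);
                return true;
            } catch (Exception ignored) {
                // Verification failed with this key (any exception type); try the next one.
            }
        }
        return false;
    }

    /**
     * Converts a certification path plus its trust anchor into an array, anchor certificate last.
     *
     * @param certPath validated or built path
     * @param trustAnchor anchor the path ends at
     * @return the path's certificates followed by the anchor certificate
     * @throws CertificateException if the anchor was not specified as a certificate
     */
    private static X509Certificate[] toArray(CertPath certPath, TrustAnchor trustAnchor) throws CertificateException {
        List<? extends Certificate> pathCerts = certPath.getCertificates();
        // One extra slot at the end for the trust anchor certificate.
        X509Certificate[] result = new X509Certificate[pathCerts.size() + 1];
        pathCerts.toArray(result);
        X509Certificate anchorCert = trustAnchor.getTrustedCert();
        if (anchorCert == null) {
            throw new ValidatorException("TrustAnchor must be specified as certificate");
        }
        result[result.length - 1] = anchorCert;
        return result;
    }

    /**
     * Copies the inherited {@code validationDate} into the parameters when one is set; otherwise
     * leaves the parameters' date untouched.
     */
    private void setDate(PKIXBuilderParameters pKIXBuilderParameters) {
        Date when = this.validationDate;
        if (when != null) {
            pKIXBuilderParameters.setDate(when);
        }
    }

    /**
     * Runs PKIX path validation over the given chain exactly as ordered.
     *
     * @param x509CertificateArr chain to validate, without the trust anchor
     * @param pKIXBuilderParameters parameters (anchors, checkers, revocation setting) to apply
     * @return the chain followed by the trust anchor certificate it validated to
     * @throws CertificateException wrapping any {@link GeneralSecurityException} from validation
     */
    private X509Certificate[] doValidate(X509Certificate[] x509CertificateArr, PKIXBuilderParameters pKIXBuilderParameters) throws CertificateException {
        try {
            setDate(pKIXBuilderParameters);
            CertPathValidator pathValidator = CertPathValidator.getInstance(Validator.TYPE_PKIX);
            CertPath path = this.factory.generateCertPath(Arrays.asList(x509CertificateArr));
            // Recorded before validate() runs, so it is set even if validation then fails.
            this.certPathLength = x509CertificateArr.length;
            PKIXCertPathValidatorResult outcome =
                    (PKIXCertPathValidatorResult) pathValidator.validate(path, pKIXBuilderParameters);
            return toArray(path, outcome.getTrustAnchor());
        } catch (GeneralSecurityException e) {
            throw new ValidatorException("PKIX path validation failed: " + e.toString(), e);
        }
    }

    /**
     * Builds a certification path from the first chain certificate to a trust anchor, drawing
     * intermediates from the supplied chain and the optional extra certificates.
     *
     * @param x509CertificateArr chain as received; element 0 is the target certificate
     * @param collection additional candidate certificates, or null
     * @param pKIXBuilderParameters parameters to apply; modified in place (target constraint and
     *     an extra cert store are added)
     * @return the built path followed by the trust anchor certificate
     * @throws CertificateException wrapping any {@link GeneralSecurityException} from building
     */
    private X509Certificate[] doBuild(X509Certificate[] x509CertificateArr, Collection<X509Certificate> collection, PKIXBuilderParameters pKIXBuilderParameters) throws CertificateException {
        try {
            setDate(pKIXBuilderParameters);
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(x509CertificateArr[0]);
            pKIXBuilderParameters.setTargetCertConstraints(targetSelector);
            // Candidate pool: everything the peer sent plus any caller-provided extras. These
            // are only building material; trust still comes from the configured anchors.
            List<X509Certificate> candidates = new ArrayList<>(Arrays.asList(x509CertificateArr));
            if (collection != null) {
                candidates.addAll(collection);
            }
            pKIXBuilderParameters.addCertStore(
                    CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates)));
            PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance(Validator.TYPE_PKIX).build(pKIXBuilderParameters);
            return toArray(built.getCertPath(), built.getTrustAnchor());
        } catch (GeneralSecurityException e) {
            throw new ValidatorException("PKIX path building failed: " + e.toString(), e);
        }
    }

    /**
     * Attaches stapled OCSP responses to the revocation checker in the given parameters.
     *
     * <p>Does nothing when revocation checking is disabled. Responses are matched to chain
     * certificates by index; null or empty responses are skipped, and a response already
     * registered for a certificate is never overwritten.
     *
     * @param pKIXBuilderParameters parameters whose checker list is updated
     * @param x509CertificateArr chain the responses belong to
     * @param list stapled OCSP responses, index-aligned with the chain
     */
    private static void addResponses(PKIXBuilderParameters pKIXBuilderParameters, X509Certificate[] x509CertificateArr, List<byte[]> list) {
        if (!pKIXBuilderParameters.isRevocationEnabled()) {
            return;
        }
        try {
            List<PKIXCertPathChecker> checkers =
                    new ArrayList<>(pKIXBuilderParameters.getCertPathCheckers());
            // Reuse the first revocation checker already configured, if there is one.
            PKIXRevocationChecker revocationChecker = null;
            for (PKIXCertPathChecker checker : checkers) {
                if (checker instanceof PKIXRevocationChecker) {
                    revocationChecker = (PKIXRevocationChecker) checker;
                    break;
                }
            }
            if (revocationChecker == null) {
                revocationChecker = (PKIXRevocationChecker)
                        CertPathValidator.getInstance(Validator.TYPE_PKIX).getRevocationChecker();
                checkers.add(revocationChecker);
            }
            Map<X509Certificate, byte[]> ocspResponses = revocationChecker.getOcspResponses();
            int pairCount = Integer.min(x509CertificateArr.length, list.size());
            for (int i = 0; i < pairCount; i++) {
                byte[] response = list.get(i);
                if (response != null && response.length > 0
                        && !ocspResponses.containsKey(x509CertificateArr[i])) {
                    ocspResponses.put(x509CertificateArr[i], response);
                }
            }
            revocationChecker.setOcspResponses(ocspResponses);
            pKIXBuilderParameters.setCertPathCheckers(checkers);
        } catch (NoSuchAlgorithmException ignored) {
            // NOTE(review): if no PKIX CertPathValidator is available the stapled responses are
            // dropped without any signal; the parameters are left unchanged.
        }
    }
}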
