package io.spiffe.svid.x509svid;

import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.x509bundle.X509Bundle;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.internal.CertificateUtils;
import io.spiffe.spiffeid.SpiffeId;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import lombok.NonNull;

/* loaded from: input_file:io/spiffe/svid/x509svid/X509SvidValidator.class */
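/**
 * Static checks for X.509 SVIDs: chain verification against a trust-domain bundle and
 * authorization of the SPIFFE ID carried by a certificate.
 *
 * <p>The two checks are independent. {@link #verifyChain} only establishes that the chain
 * validates against the authorities of the trust domain named by the chain itself; it does not
 * decide whether that identity is allowed to talk to the caller. {@link #verifySpiffeId} only
 * compares the SPIFFE ID with an allow-list; it does not validate signatures or the chain.
 * Callers that authenticate a peer presumably need both, chain verification first.
 */
public final class X509SvidValidator {
    // Utility class: static methods only, never instantiated.
    private X509SvidValidator() {
    }

    /**
     * Verifies a certificate chain against the X.509 authorities of its trust domain.
     *
     * <p>The trust domain is taken from the chain via {@code CertificateUtils.getTrustDomain},
     * so the presented certificate selects which bundle it is checked against. The bundle source
     * should therefore only hold bundles for trust domains the caller actually trusts; a missing
     * bundle surfaces as {@link BundleNotFoundException} and must be treated as a rejection.
     *
     * @param list the certificate chain to verify (reported as {@code chain} in the null-check
     *     message)
     * @param bundleSource source of X.509 bundles, looked up by trust domain (reported as
     *     {@code x509BundleSource} in the null-check message)
     * @throws CertificateException if the chain cannot be verified, or if a helper reports a
     *     certificate error
     * @throws BundleNotFoundException if no bundle is available for the chain's trust domain
     * @throws NullPointerException if either argument is {@code null}
     */
    public static void verifyChain(@NonNull List<X509Certificate> list, @NonNull BundleSource<X509Bundle> bundleSource) throws CertificateException, BundleNotFoundException {
        if (list == null) {
            throw new NullPointerException("chain is marked non-null but is null");
        }
        if (bundleSource == null) {
            throw new NullPointerException("x509BundleSource is marked non-null but is null");
        }
        try {
            X509Bundle trustBundle = bundleSource.getBundleForTrustDomain(CertificateUtils.getTrustDomain(list));
            CertificateUtils.validate(list, trustBundle.getX509Authorities());
        } catch (CertPathValidatorException e) {
            // Keep the cause so the reason for the path-validation failure is not lost.
            throw new CertificateException("Cert chain cannot be verified", e);
        }
    }

    /**
     * Checks that the SPIFFE ID of a certificate is in the set of accepted SPIFFE IDs.
     *
     * <p>The supplier is queried on every call. The check fails closed: an empty set accepts
     * nothing, and a {@code null} set is reported as a {@link CertificateException} instead of
     * surfacing as an unexplained {@link NullPointerException} from the membership test.
     *
     * <p>This method does not verify the certificate's chain or signature; see
     * {@link #verifyChain}.
     *
     * @param x509Certificate the certificate whose SPIFFE ID is checked
     * @param supplier supplies the set of accepted SPIFFE IDs (reported as
     *     {@code acceptedSpiffeIdsSupplier} in the null-check message)
     * @throws CertificateException if the supplier yields {@code null}, if the SPIFFE ID is not
     *     in the accepted set, or if a helper reports a certificate error
     * @throws NullPointerException if either argument is {@code null}
     */
    public static void verifySpiffeId(@NonNull X509Certificate x509Certificate, @NonNull Supplier<Set<SpiffeId>> supplier) throws CertificateException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509Certificate is marked non-null but is null");
        }
        if (supplier == null) {
            throw new NullPointerException("acceptedSpiffeIdsSupplier is marked non-null but is null");
        }
        Set<SpiffeId> acceptedIds = supplier.get();
        if (acceptedIds == null) {
            // No allow-list means nothing can be accepted; reject with the declared exception type.
            throw new CertificateException("The supplier of accepted SPIFFE IDs returned null");
        }
        SpiffeId presentedId = CertificateUtils.getSpiffeId(x509Certificate);
        if (!acceptedIds.contains(presentedId)) {
            // The ID in this message comes from the presented certificate: treat it as untrusted
            // input wherever the exception text is logged or displayed.
            throw new CertificateException(String.format("SPIFFE ID %s in X.509 certificate is not accepted", presentedId));
        }
    }
}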
