package net.ripe.rpki.commons.crypto.x509cert;

import com.google.common.io.Closer;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder;
import net.ripe.rpki.commons.crypto.util.KeyPairFactory;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapper;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.apache.commons.lang.ArrayUtils;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509CertificateParser.class */
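/**
 * Base class for parsers that decode a DER-encoded X.509 certificate and run a set of
 * syntactic checks on it, collecting the outcome in a {@link ValidationResult}.
 *
 * <p>The checks performed here are limited to what the certificate itself declares:
 * the signature algorithm OID must be on the allow-list and the subject public key must be RSA.
 * Nothing in this class verifies the signature, the validity period or the
 * issuer chain; a successful parse therefore says nothing about whether the certificate is
 * trustworthy.
 *
 * <p>Instances keep the last parsed certificate and result in mutable fields and perform no
 * synchronisation, so an instance should not be shared between threads.
 *
 * @param <T> wrapper type produced by {@link #getCertificate()}
 */
public abstract class X509CertificateParser<T extends AbstractX509CertificateWrapper> {
    /**
     * Signature algorithm OIDs accepted by {@link #validateSignatureAlgorithm()}. Only
     * sha256WithRSAEncryption is allowed, which matches the RPKI algorithm profile (RFC 7935).
     */
    private static final String[] ALLOWED_SIGNATURE_ALGORITHM_OIDS = {PKCSObjectIdentifiers.sha256WithRSAEncryption.getId()};

    // Raw input of the most recent parse call; the caller's array is stored without copying.
    private byte[] encoded;

    // Certificate decoded by the most recent parse call, or null when decoding failed.
    protected X509Certificate certificate;

    // Collector for the checks of the most recent parse call; null until parse has been called.
    protected ValidationResult result;

    /**
     * Parses {@code bArr} and records the outcome in a fresh result created for {@code str}.
     *
     * @param str  location label passed to {@link ValidationResult#withLocation}
     * @param bArr encoded certificate
     */
    public void parse(String str, byte[] bArr) {
        parse(ValidationResult.withLocation(str), bArr);
    }

    /**
     * Parses {@code bArr} and records the outcome in {@code validationResult}.
     *
     * <p>The algorithm, key and type-specific checks only run when the current location of the
     * result has no failure after decoding, so they never see a {@code null} certificate.
     *
     * @param validationResult collector that receives every check of this parse
     * @param bArr             encoded certificate; {@code null} is reported as a parse failure
     */
    public void parse(ValidationResult validationResult, byte[] bArr) {
        this.result = validationResult;
        this.encoded = bArr;
        parse();
        if (this.result.hasFailureForCurrentLocation()) {
            return;
        }
        validateSignatureAlgorithm();
        validatePublicKey();
        doTypeSpecificValidation();
    }

    /**
     * Checks the subject public key: anything other than an RSA key is rejected, and an RSA
     * modulus that is not exactly 2048 bits long produces a warning.
     *
     * <p>NOTE(review): the key size check is a warning only, so a certificate with a shorter
     * modulus still passes {@link #isSuccess()}. Callers that need strict enforcement have to
     * treat {@code PUBLIC_KEY_CERT_SIZE} warnings as failures themselves.
     */
    private void validatePublicKey() {
        PublicKey publicKey = this.certificate.getPublicKey();
        boolean isRsaKey = publicKey instanceof RSAPublicKey;
        this.result.rejectIfFalse(KeyPairFactory.ALGORITHM.equals(publicKey.getAlgorithm()) && isRsaKey, ValidationString.PUBLIC_KEY_CERT_ALGORITHM, publicKey.getAlgorithm());
        if (isRsaKey) {
            int modulusBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
            this.result.warnIfFalse(2048 == modulusBits, ValidationString.PUBLIC_KEY_CERT_SIZE, String.valueOf(modulusBits));
        }
    }

    /**
     * Hook for subclasses to add their own checks. It runs last, and only when decoding
     * succeeded. The default implementation does nothing.
     */
    protected void doTypeSpecificValidation() {
    }

    /**
     * Returns the result of the most recent parse call.
     *
     * @return the collector passed to or created by parse, or {@code null} before the first call
     */
    public ValidationResult getValidationResult() {
        return this.result;
    }

    /**
     * Reports whether the result holds no failures at all. Unlike the gate inside parse, this
     * looks at the whole result and not only at its current location. Must not be called
     * before parse, because the result is {@code null} until then.
     *
     * @return {@code true} when the result has no failures
     */
    public boolean isSuccess() {
        return !this.result.hasFailures();
    }

    /**
     * Returns the parsed certificate wrapped in the type-specific wrapper.
     *
     * @return the wrapped certificate
     */
    public abstract T getCertificate();

    /**
     * Returns the raw certificate of the most recent parse call. A decompiler note in this
     * listing says the method was originally {@code protected}.
     *
     * @return the decoded certificate, or {@code null} when decoding failed
     */
    public X509Certificate getX509Certificate() {
        return this.certificate;
    }

    /**
     * Decodes the stored bytes into {@link #certificate} and rejects the result when that
     * fails. Missing input and undecodable input are both reported as a failed
     * {@code CERTIFICATE_PARSED} check and never as an exception.
     *
     * <p>NOTE(review): only one certificate is read from the input, and bytes that follow it are
     * not examined here. Confirm whether callers need a trailing-data check.
     */
    private void parse() {
        // Reset first so a reused parser can never expose the certificate of an earlier input.
        this.certificate = null;
        if (this.encoded != null) {
            try {
                // Closing a ByteArrayInputStream has no effect, so the stream needs no cleanup.
                this.certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(this.encoded));
            } catch (CertificateException ignored) {
                // Undecodable input is reported through the validation result below.
                this.certificate = null;
            }
        }
        this.result.rejectIfNull(this.certificate, ValidationString.CERTIFICATE_PARSED, new String[0]);
    }

    /**
     * Rejects the certificate unless its declared signature algorithm OID is on the allow-list.
     * Only the declared algorithm is inspected; the signature is not verified here.
     */
    private void validateSignatureAlgorithm() {
        String declaredOid = this.certificate.getSigAlgOID();
        this.result.rejectIfFalse(ArrayUtils.contains(ALLOWED_SIGNATURE_ALGORITHM_OIDS, declaredOid), ValidationString.CERTIFICATE_SIGNATURE_ALGORITHM, declaredOid);
    }

    /**
     * Reports whether the certificate carries an AS identifier or IP address block extension
     * that is marked critical. A non-critical resource extension does not count. Requires a
     * successfully parsed certificate. A decompiler note in this listing says the method was
     * originally {@code protected}.
     *
     * @return {@code true} when at least one of the two resource extensions is critical
     */
    public boolean isResourceExtensionPresent() {
        // Fetch the OID set once instead of once per lookup.
        java.util.Set<String> criticalOids = this.certificate.getCriticalExtensionOIDs();
        if (criticalOids == null) {
            return false;
        }
        return criticalOids.contains(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS.getId()) || criticalOids.contains(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS.getId());
    }
}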
