package net.ripe.rpki.commons.validation.objectvalidators;

import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.CertificateRepositoryObjectFile;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateParser;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;

/* loaded from: input_file:net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.class */
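/**
 * Validates an X.509 resource certificate by first walking up from the certificate to a root
 * ("bottom-up") and then checking every parent/child pair from the root back down.
 *
 * <p>Parent certificates and CRLs are fetched through the supplied
 * {@link ResourceCertificateLocator}; parent content is parsed before it joins the chain. All
 * findings are recorded in the {@link ValidationResult} given at construction (or a fresh one
 * located at {@code "unknown.cer"}).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The root of the chain is compared against the trust anchors only when a non-empty
 *       collection was supplied. With {@code null} or no trust anchors, a chain ending in any
 *       certificate for which {@code isRoot()} is true passes this step. Pass the expected
 *       trust anchors whenever the chain must be anchored.</li>
 *   <li>Chain building is capped at {@value #MAX_CHAIN_LENGTH} certificates, which bounds the
 *       walk if the locator keeps returning parents (for example a cyclic repository).</li>
 * </ul>
 *
 * <p>Instances hold per-validation state in fields and are not written for concurrent use.
 */
public class X509ResourceCertificateBottomUpValidator implements X509ResourceCertificateValidator {
    /** Upper bound on the number of certificates in a chain, including the one under validation. */
    private static final int MAX_CHAIN_LENGTH = 30;

    // Certificate currently being validated; set on every validate() call.
    private X509ResourceCertificate certificate;
    // Optional set of accepted roots; null or empty disables the trust-anchor comparison.
    private final Collection<X509ResourceCertificate> trustAnchors;
    private final ResourceCertificateLocator locator;
    // Chain under construction, ordered root first, certificate under validation last.
    private final List<CertificateWithLocation> certificates;
    private final ValidationOptions options;
    private final ValidationResult result;
    private ValidationLocation location;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator$CertificateWithLocation.class */
    /** Pairs a certificate in the chain with the location name its findings are reported under. */
    public static class CertificateWithLocation {
        private final X509ResourceCertificate certificate;
        private final ValidationLocation location;

        public CertificateWithLocation(X509ResourceCertificate x509ResourceCertificate, ValidationLocation validationLocation) {
            this.location = validationLocation;
            this.certificate = x509ResourceCertificate;
        }

        public X509ResourceCertificate getCertificate() {
            return this.certificate;
        }

        public ValidationLocation getLocation() {
            return this.location;
        }
    }

    /**
     * Creates a validator with strict options and a fresh result.
     *
     * @param resourceCertificateLocator source of parent certificates and CRLs
     * @param x509ResourceCertificateArr accepted trust anchors; when none are given the
     *     trust-anchor comparison is skipped entirely
     */
    public X509ResourceCertificateBottomUpValidator(ResourceCertificateLocator resourceCertificateLocator, X509ResourceCertificate... x509ResourceCertificateArr) {
        this(resourceCertificateLocator, Arrays.asList(x509ResourceCertificateArr));
    }

    /**
     * Creates a validator with {@link ValidationOptions#strictValidation()} and a fresh result
     * located at {@code "unknown.cer"}.
     *
     * @param resourceCertificateLocator source of parent certificates and CRLs
     * @param collection accepted trust anchors; {@code null} or empty skips the comparison
     */
    public X509ResourceCertificateBottomUpValidator(ResourceCertificateLocator resourceCertificateLocator, Collection<X509ResourceCertificate> collection) {
        this(ValidationOptions.strictValidation(), ValidationResult.withLocation("unknown.cer"), resourceCertificateLocator, collection);
    }

    /**
     * Creates a validator that records into a caller-supplied result.
     *
     * @param validationOptions options handed to the parent/child validator
     * @param validationResult result object that accumulates every check made here
     * @param resourceCertificateLocator source of parent certificates and CRLs
     * @param collection accepted trust anchors; {@code null} or empty skips the comparison.
     *     The collection is stored by reference, not copied.
     */
    public X509ResourceCertificateBottomUpValidator(ValidationOptions validationOptions, ValidationResult validationResult, ResourceCertificateLocator resourceCertificateLocator, Collection<X509ResourceCertificate> collection) {
        this.certificates = new LinkedList<>();
        this.options = validationOptions;
        this.result = validationResult;
        this.location = new ValidationLocation("unknown.cer");
        this.locator = resourceCertificateLocator;
        this.trustAnchors = collection;
    }

    @Override // net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateValidator, net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidator
    public ValidationResult getValidationResult() {
        return this.result;
    }

    /**
     * Builds the chain for the given certificate and validates it from the root downwards.
     *
     * <p>Returns early, leaving the failure in the result, when the chain cannot be built or a
     * CRL lookup leaves the result with failures. The outcome is read from
     * {@link #getValidationResult()}.
     *
     * @param str location name under which findings for this certificate are reported
     * @param x509ResourceCertificate certificate to validate
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateValidator, net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidator
    public void validate(String str, X509ResourceCertificate x509ResourceCertificate) {
        this.location = new ValidationLocation(str);
        this.certificate = x509ResourceCertificate;
        // Start from an empty chain: entries left behind by an earlier validate() call would
        // otherwise be validated as descendants of this certificate and count towards the cap.
        this.certificates.clear();
        buildCertificationList();
        if (this.result.hasFailures()) {
            return;
        }
        checkTrustAnchor();
        // The root is not validated against itself; it only seeds the parent state.
        X509ResourceCertificate parent = this.certificates.get(0).getCertificate();
        this.certificates.remove(0);
        IpResourceSet resources = parent.getResources();
        for (CertificateWithLocation entry : this.certificates) {
            String childLocation = entry.getLocation().getName();
            X509ResourceCertificate child = entry.getCertificate();
            // May be null when the locator has no CRL for this child; how a missing CRL is
            // treated is decided by the parent/child validator, which is not visible here.
            X509Crl crl = getCRL(child, this.result);
            if (this.result.hasFailures()) {
                return;
            }
            ResourceValidatorFactory.getX509ResourceCertificateParentChildStrictValidator(this.options, this.result, parent, resources, crl).validate(childLocation, child);
            // The child's derived resources become the parent resources for the next link.
            resources = child.deriveResources(resources);
            parent = child;
        }
    }

    /**
     * Fills {@link #certificates} with the chain from the root down to the certificate under
     * validation, asking the locator for each parent in turn.
     *
     * <p>Stops, with a rejection recorded, when a parent cannot be found, a parent fails to
     * parse, or the chain grows beyond {@link #MAX_CHAIN_LENGTH}.
     */
    private void buildCertificationList() {
        this.certificates.add(0, new CertificateWithLocation(this.certificate, this.location));
        this.result.setLocation(this.location);
        if (!this.result.rejectIfFalse(this.certificates.size() <= MAX_CHAIN_LENGTH, ValidationString.CERT_CHAIN_LENGTH, Integer.toString(MAX_CHAIN_LENGTH))) {
            return;
        }
        X509ResourceCertificate current = this.certificate;
        while (!current.isRoot()) {
            CertificateRepositoryObjectFile<X509ResourceCertificate> parentFile = this.locator.findParent(current);
            if (!this.result.rejectIfNull(parentFile, ValidationString.CERT_CHAIN_COMPLETE)) {
                return;
            }
            ValidationLocation parentLocation = new ValidationLocation(parentFile.getName());
            this.result.setLocation(parentLocation);
            // Parent content comes from the locator and is parsed before it joins the chain.
            X509ResourceCertificateParser parser = new X509ResourceCertificateParser();
            parser.parse(this.result, parentFile.getContent());
            if (this.result.hasFailures()) {
                return;
            }
            current = parser.getCertificate();
            this.certificates.add(0, new CertificateWithLocation(current, parentLocation));
            // Re-check the cap on every step so the walk stays bounded.
            if (!this.result.rejectIfFalse(this.certificates.size() <= MAX_CHAIN_LENGTH, ValidationString.CERT_CHAIN_LENGTH, Integer.toString(MAX_CHAIN_LENGTH))) {
                return;
            }
        }
    }

    /**
     * Looks up and parses the CRL that covers the given certificate.
     *
     * @param x509ResourceCertificate certificate whose CRL is wanted
     * @param validationResult result that receives the CRL parsing findings
     * @return the parsed CRL, or {@code null} when the locator returns no CRL file
     */
    private X509Crl getCRL(X509ResourceCertificate x509ResourceCertificate, ValidationResult validationResult) {
        CertificateRepositoryObjectFile<X509Crl> crlFile = this.locator.findCrl(x509ResourceCertificate);
        if (crlFile == null) {
            return null;
        }
        return X509Crl.parseDerEncoded(crlFile.getContent(), validationResult);
    }

    /**
     * Records a rejection when the chain's root is not among the configured trust anchors.
     *
     * <p>NOTE(review): this check is a no-op when no trust anchors were configured, so such a
     * validator accepts a chain under any root. Membership uses {@code Collection.contains},
     * so it depends on the equality semantics of {@code X509ResourceCertificate} (not visible
     * here; confirm it compares the full certificate).
     */
    private void checkTrustAnchor() {
        if (this.trustAnchors == null || this.trustAnchors.isEmpty()) {
            return;
        }
        this.result.rejectIfFalse(this.trustAnchors.contains(this.certificates.get(0).getCertificate()), ValidationString.ROOT_IS_TA);
    }
}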
