package net.ripe.rpki.commons.crypto.x509cert;

import com.google.common.io.Closer;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.Set;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder;
import net.ripe.rpki.commons.crypto.rfc8209.RouterExtensionEncoder;
import net.ripe.rpki.commons.crypto.util.KeyPairFactory;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapper;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.apache.commons.lang.ArrayUtils;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509CertificateParser.class */
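/**
 * Base parser for RPKI X.509 certificates.
 *
 * <p>Decodes DER bytes into an {@link X509Certificate}, records every outcome in a
 * {@link ValidationResult} (rejections and warnings, never exceptions for malformed
 * input) and lets subclasses add profile-specific checks through
 * {@link #doTypeSpecificValidation()}.
 *
 * <p>The common checks applied here are: the certificate decodes at all
 * ({@link ValidationString#CERTIFICATE_PARSED}), its signature algorithm OID is one of
 * {@link #ALLOWED_SIGNATURE_ALGORITHM_OIDS} ({@link ValidationString#CERTIFICATE_SIGNATURE_ALGORITHM}),
 * and its subject public key is acceptable ({@link #validatePublicKey()}).
 *
 * <p>Instances carry per-parse mutable state ({@link #certificate}, {@link #result}) and
 * are meant to be used for one certificate at a time.
 *
 * @param <T> the wrapper type returned by {@link #getCertificate()}
 */
public abstract class X509CertificateParser<T extends AbstractX509CertificateWrapper> {
    /** Only sha256WithRSAEncryption is accepted as the outer certificate signature algorithm. */
    private static final String[] ALLOWED_SIGNATURE_ALGORITHM_OIDS = {PKCSObjectIdentifiers.sha256WithRSAEncryption.getId()};
    /** Certificate under validation; null until a parse succeeds (or one is supplied directly). */
    protected X509Certificate certificate;
    /** Collects rejections and warnings for the current parse. */
    protected ValidationResult result;

    /**
     * Parses and validates {@code bArr} under a fresh validation result at location {@code str}.
     *
     * @param str  location label for the new {@link ValidationResult}
     * @param bArr DER-encoded certificate bytes
     */
    public void parse(String str, byte[] bArr) {
        parse(ValidationResult.withLocation(str), bArr);
    }

    /**
     * Parses {@code bArr} and validates the result, recording into {@code validationResult}.
     * A decoding failure is recorded as {@link ValidationString#CERTIFICATE_PARSED} and no
     * further checks run.
     *
     * @param validationResult result to record into (also retained in {@link #result})
     * @param bArr             DER-encoded certificate bytes; null is treated as undecodable
     */
    public void parse(ValidationResult validationResult, byte[] bArr) {
        this.result = validationResult;
        validateX509Certificate(validationResult, parseEncoded(bArr, validationResult));
    }

    /**
     * Runs the common and type-specific checks against an already decoded certificate.
     *
     * <p>If {@code validationResult} already holds a failure for its current location
     * (e.g. {@link #parseEncoded} recorded {@code CERTIFICATE_PARSED}), the checks are
     * skipped and {@link #certificate} is left as given.
     *
     * <p>NOTE(review): a null {@code x509Certificate} with no failure recorded for the
     * current location is not guarded here and would fail with a NullPointerException in
     * {@link #validateSignatureAlgorithm()}; callers are expected to have recorded the
     * parse failure first, as {@link #parse(ValidationResult, byte[])} does.
     *
     * @param validationResult result to record into
     * @param x509Certificate  decoded certificate, or null when decoding failed
     */
    public void validateX509Certificate(ValidationResult validationResult, X509Certificate x509Certificate) {
        this.certificate = x509Certificate;
        this.result = validationResult;
        if (validationResult.hasFailureForCurrentLocation()) {
            return;
        }
        validateSignatureAlgorithm();
        validatePublicKey();
        doTypeSpecificValidation();
    }

    /**
     * Decodes {@code bArr} and dispatches to the parser matching the certificate's profile.
     *
     * <p>Router (BGPsec) certificates go to {@link X509RouterCertificateParser}; CA, EE,
     * root and object-issuer certificates go to {@link X509ResourceCertificateParser}.
     *
     * @param validationResult result to record into
     * @param bArr             DER-encoded certificate bytes
     * @return the wrapped, validated certificate; null when decoding failed (a
     *         {@code CERTIFICATE_PARSED} failure is recorded) or when the certificate matches
     *         none of the known profiles (in which case nothing is recorded)
     */
    public static X509GenericCertificate parseCertificate(ValidationResult validationResult, byte[] bArr) {
        X509Certificate decoded = parseEncoded(bArr, validationResult);
        if (validationResult.hasFailureForCurrentLocation()) {
            return null;
        }
        if (X509CertificateUtil.isRouter(decoded)) {
            X509RouterCertificateParser routerParser = new X509RouterCertificateParser();
            routerParser.validateX509Certificate(validationResult, decoded);
            return routerParser.getCertificate();
        }
        boolean resourceProfile = X509CertificateUtil.isCa(decoded)
                || X509CertificateUtil.isEe(decoded)
                || X509CertificateUtil.isRoot(decoded)
                || X509CertificateUtil.isObjectIssuer(decoded);
        if (!resourceProfile) {
            // Unknown profile: the caller gets null without a validation failure being recorded.
            return null;
        }
        X509ResourceCertificateParser resourceParser = new X509ResourceCertificateParser();
        resourceParser.validateX509Certificate(validationResult, decoded);
        return resourceParser.getCertificate();
    }

    /**
     * Public-key check applied by {@link #validateX509Certificate}; defaults to requiring an
     * RSA key. Subclasses override to accept other key types (see {@link #validateEcPk()}).
     */
    protected void validatePublicKey() {
        validateRsaPk();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Rejects the certificate unless its subject public key is RSA, and warns (does not
     * reject) when the RSA modulus is not exactly 2048 bits.
     *
     * <p>The key-size deviation is a warning only, so a certificate with a shorter modulus
     * still passes {@link #isSuccess()}; callers that need strict conformance to the RPKI
     * algorithm profile must inspect warnings as well.
     */
    public void validateRsaPk() {
        PublicKey publicKey = this.certificate.getPublicKey();
        boolean rsa = isRsaPk(publicKey);
        this.result.rejectIfFalse(rsa, ValidationString.PUBLIC_KEY_CERT_ALGORITHM, publicKey.getAlgorithm());
        if (rsa) {
            int modulusBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
            // Warning, not rejection: a non-2048-bit modulus does not fail the certificate here.
            this.result.warnIfFalse(modulusBits == 2048, ValidationString.PUBLIC_KEY_CERT_SIZE, String.valueOf(modulusBits));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param publicKey key to inspect
     * @return true when the key reports {@link KeyPairFactory#ALGORITHM} and is an {@link RSAPublicKey}
     */
    public boolean isRsaPk(PublicKey publicKey) {
        return KeyPairFactory.ALGORITHM.equals(publicKey.getAlgorithm()) && (publicKey instanceof RSAPublicKey);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param publicKey key to inspect
     * @return true when the key reports algorithm {@code "EC"} and is an {@link ECPublicKey}
     */
    public boolean isEcPk(PublicKey publicKey) {
        return "EC".equals(publicKey.getAlgorithm()) && (publicKey instanceof ECPublicKey);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Rejects the certificate unless its subject public key is an EC key. No curve or key
     * size check is performed here.
     */
    public void validateEcPk() {
        PublicKey publicKey = this.certificate.getPublicKey();
        this.result.rejectIfFalse(isEcPk(publicKey), ValidationString.PUBLIC_KEY_CERT_ALGORITHM, publicKey.getAlgorithm());
    }

    /**
     * Hook for profile-specific checks, run after the signature-algorithm and public-key
     * checks. Does nothing by default.
     */
    protected void doTypeSpecificValidation() {
    }

    /** @return the validation result of the most recent parse, or null before any parse */
    public ValidationResult getValidationResult() {
        return this.result;
    }

    /**
     * @return true when the most recent parse recorded no failures; warnings (such as a
     *         non-2048-bit RSA key) do not affect this
     */
    public boolean isSuccess() {
        return !this.result.hasFailures();
    }

    /** @return the profile-specific wrapper around the validated certificate */
    public abstract T getCertificate();

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the raw certificate under validation, or null before a successful parse */
    public X509Certificate getX509Certificate() {
        return this.certificate;
    }

    /**
     * Decodes {@code bArr}, recording {@link ValidationString#CERTIFICATE_PARSED} as failed
     * when decoding does not yield a certificate.
     *
     * @return the decoded certificate, or null on failure
     */
    private static X509Certificate parseEncoded(byte[] bArr, ValidationResult validationResult) {
        X509Certificate decoded = parseX509Certificate(bArr);
        validationResult.rejectIfNull(decoded, ValidationString.CERTIFICATE_PARSED, new String[0]);
        return decoded;
    }

    /**
     * Decodes a single X.509 certificate from {@code bArr} with the default
     * {@code "X.509"} {@link CertificateFactory}.
     *
     * <p>NOTE(review): the factory decodes the first certificate it finds in the stream;
     * bytes following a complete certificate are not read and therefore not rejected.
     * Callers needing a strict "exactly one object, nothing else" encoding must check that
     * separately.
     *
     * @param bArr certificate bytes; null is treated like undecodable input
     * @return the certificate, or null when {@code bArr} is null or cannot be decoded
     */
    public static X509Certificate parseX509Certificate(byte[] bArr) {
        if (bArr == null) {
            // Treat a missing payload like an undecodable one instead of failing with an NPE
            // from ByteArrayInputStream; parseEncoded then records CERTIFICATE_PARSED.
            return null;
        }
        try {
            Closer closer = Closer.create();
            try {
                // ByteArrayInputStream.close() is a no-op, so the registered stream cannot leak.
                InputStream in = closer.register(new ByteArrayInputStream(bArr));
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            } catch (CertificateException e) {
                // Malformed input: reported to the caller as null, never as an exception.
                return null;
            } catch (Throwable th) {
                throw closer.rethrow(th);
            }
        } catch (IOException e2) {
            return null;
        }
    }

    /**
     * Rejects the certificate unless its outer signature algorithm OID is listed in
     * {@link #ALLOWED_SIGNATURE_ALGORITHM_OIDS}.
     */
    private void validateSignatureAlgorithm() {
        String sigAlgOid = this.certificate.getSigAlgOID();
        this.result.rejectIfFalse(ArrayUtils.contains(ALLOWED_SIGNATURE_ALGORITHM_OIDS, sigAlgOid), ValidationString.CERTIFICATE_SIGNATURE_ALGORITHM, sigAlgOid);
    }

    /**
     * @param oid extension OID to look for
     * @return true when the certificate marks {@code oid} as a critical extension; false
     *         when it has no critical extensions at all
     */
    private boolean hasCriticalExtension(String oid) {
        Set<String> critical = this.certificate.getCriticalExtensionOIDs();
        return critical != null && critical.contains(oid);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return true when either the RFC 3779 AS-identifiers or IP-address-blocks extension is present and critical */
    public boolean isResourceExtensionPresent() {
        return isAsResourceExtensionPresent() || isIpResourceExtensionPresent();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return true when the RFC 3779 IP-address-blocks extension is present and critical */
    public boolean isIpResourceExtensionPresent() {
        return hasCriticalExtension(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS.getId());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return true when the RFC 3779 AS-identifiers extension is present and critical */
    public boolean isAsResourceExtensionPresent() {
        return hasCriticalExtension(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS.getId());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return true when the extended-key-usage extension lists the BGPsec router purpose;
     *         false when the extension is absent or cannot be decoded
     */
    public boolean isBgpSecExtensionPresent() {
        try {
            List<String> extendedKeyUsage = this.certificate.getExtendedKeyUsage();
            return extendedKeyUsage != null && extendedKeyUsage.contains(RouterExtensionEncoder.OID_KP_BGPSEC_ROUTER.getId());
        } catch (CertificateParsingException e) {
            // An undecodable EKU extension is treated as "not present" rather than as an error.
            return false;
        }
    }
}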
