package no.digipost.security.cert;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import no.digipost.security.DigipostSecurity;
import no.digipost.security.DigipostSecurityException;
import no.digipost.security.keystore.KeyStoreType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/digipost/security/cert/Trust.class */
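/**
 * An immutable set of trust anchors (self-issued root certificates) plus
 * intermediate certificates issued directly by one of those anchors, used to
 * build and validate PKIX certificate paths for leaf certificates.
 *
 * <p>Security notes for users of this class:
 * <ul>
 *   <li>Revocation checking is explicitly disabled in both {@link #resolveCertPath}
 *       and {@link #trusts} ({@code setRevocationEnabled(false)}). A path being
 *       "trusted" here says nothing about OCSP/CRL status; callers that need
 *       revocation status must check it separately.</li>
 *   <li>A certificate is classified as an anchor purely by subject name equalling
 *       issuer name ({@link TrustBasis#determineFrom}); no signature is verified
 *       at construction time. Only feed certificates from a source you control.</li>
 *   <li>Intermediates must be issued directly by an anchor (checked by issuer name
 *       in {@link #validate()}); multi-level intermediate chains are not supported
 *       by the lookup in {@link #getTrustAnchorsAndAnyIntermediateCertificatesFor}.</li>
 *   <li>All time-dependent validity checks use the injected {@link Clock}, so a
 *       skewed or test clock directly affects which certificates are accepted.</li>
 * </ul>
 */
public final class Trust {
    private static final Logger LOG = LoggerFactory.getLogger(Trust.class);

    /** Trust anchor certificates, keyed by subject name. Map is unmodifiable. */
    private final Map<X500Principal, Set<X509Certificate>> trustAnchorCerts;
    /** Intermediate certificates issued by an anchor, keyed by subject name. Map is unmodifiable. */
    private final Map<X500Principal, Set<X509Certificate>> trustedIntermediateCerts;
    /** Source of "now" for validity-period and PKIX validation dates. */
    private final Clock clock;

    /**
     * How a certificate is used by {@link Trust#from}: as a trust anchor or as a
     * certificate derived from (issued by) an anchor.
     */
    public enum TrustBasis {
        ANCHOR,
        DERIVED;

        /**
         * Classifies a certificate by comparing its subject and issuer names only.
         * A self-issued certificate (subject == issuer) becomes an anchor; this does
         * not verify that the certificate is actually self-signed.
         */
        static TrustBasis determineFrom(X509Certificate certificate) {
            boolean selfIssued = certificate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal());
            return selfIssued ? ANCHOR : DERIVED;
        }
    }

    /**
     * Builds a {@code Trust} from a mix of anchor and intermediate certificates,
     * sorted into the two roles by {@link TrustBasis#determineFrom}.
     *
     * @throws MissingTrustAnchorException if an intermediate's issuer is not among the anchors
     */
    public static Trust from(Clock clock, X509Certificate... certificates) {
        return from(clock, Stream.of(certificates));
    }

    /**
     * Stream variant of {@link #from(Clock, X509Certificate...)}.
     *
     * @throws MissingTrustAnchorException if an intermediate's issuer is not among the anchors
     */
    public static Trust from(Clock clock, Stream<X509Certificate> certificates) {
        Map<TrustBasis, Set<X509Certificate>> byBasis =
                certificates.collect(Collectors.groupingBy(TrustBasis::determineFrom, Collectors.toSet()));
        Stream<X509Certificate> anchors = byBasis.getOrDefault(TrustBasis.ANCHOR, Collections.emptySet()).stream();
        Stream<X509Certificate> intermediates = byBasis.getOrDefault(TrustBasis.DERIVED, Collections.emptySet()).stream();
        return new Trust(anchors, intermediates, clock);
    }

    /**
     * Unions the anchors and intermediates of two {@code Trust} instances.
     *
     * @throws NonMatchingClocksException if the two instances use different clocks,
     *         since a merged instance could only carry one of them
     */
    public static Trust merge(Trust first, Trust second) {
        if (!Objects.equals(first.clock, second.clock)) {
            throw new NonMatchingClocksException(first.clock, second.clock);
        }
        return new Trust(
                mergeMultimaps(first.trustAnchorCerts, second.trustAnchorCerts),
                mergeMultimaps(first.trustedIntermediateCerts, second.trustedIntermediateCerts),
                first.clock);
    }

    /**
     * Unions two multimaps key by key. Keys present in both get a fresh
     * unmodifiable union set; keys only in {@code second} keep the value set
     * from {@code second} as-is (values coming from a {@code Trust} are already
     * unmodifiable). The result map is unmodifiable.
     */
    private static <K, V> Map<K, Set<V>> mergeMultimaps(Map<K, Set<V>> first, Map<K, Set<V>> second) {
        Map<K, Set<V>> merged = new HashMap<>();
        first.forEach((key, values) -> {
            Set<V> union = new HashSet<>(values);
            union.addAll(second.getOrDefault(key, Collections.emptySet()));
            merged.put(key, Collections.unmodifiableSet(union));
        });
        second.forEach(merged::putIfAbsent);
        return Collections.unmodifiableMap(merged);
    }

    /**
     * Creates a {@code Trust} using the system default-zone clock.
     *
     * @throws MissingTrustAnchorException if an intermediate's issuer is not among the anchors
     */
    public Trust(Stream<X509Certificate> trustAnchorCerts, Stream<X509Certificate> trustedIntermediateCerts) {
        this(trustAnchorCerts, trustedIntermediateCerts, Clock.systemDefaultZone());
    }

    /**
     * Creates a {@code Trust} from explicit anchor and intermediate certificates.
     *
     * @param trustAnchorCerts         certificates to use as PKIX trust anchors
     * @param trustedIntermediateCerts certificates issued directly by one of the anchors
     * @param clock                    clock used for all validity/validation dates
     * @throws MissingTrustAnchorException if an intermediate's issuer is not among the anchors
     */
    public Trust(Stream<X509Certificate> trustAnchorCerts, Stream<X509Certificate> trustedIntermediateCerts, Clock clock) {
        this(groupBySubject(trustAnchorCerts), groupBySubject(trustedIntermediateCerts), clock);
    }

    private Trust(Map<X500Principal, Set<X509Certificate>> trustAnchorCerts,
                  Map<X500Principal, Set<X509Certificate>> trustedIntermediateCerts,
                  Clock clock) {
        this.trustAnchorCerts = Objects.requireNonNull(trustAnchorCerts, "trust anchor certificates");
        this.trustedIntermediateCerts = Objects.requireNonNull(trustedIntermediateCerts, "intermediate certificates");
        this.clock = Objects.requireNonNull(clock, "clock");
        validate();
    }

    /** Groups certificates by subject name into an unmodifiable map. */
    private static Map<X500Principal, Set<X509Certificate>> groupBySubject(Stream<X509Certificate> certificates) {
        return Collections.unmodifiableMap(
                certificates.collect(Collectors.groupingBy(X509Certificate::getSubjectX500Principal, Collectors.toSet())));
    }

    /**
     * Structural check that every intermediate names a known anchor as its issuer.
     * This is a name comparison only; cryptographic chaining is left to the PKIX
     * builder/validator at resolution time.
     *
     * @throws MissingTrustAnchorException listing every intermediate without a matching anchor
     */
    private void validate() {
        List<X509Certificate> orphans = trustedIntermediateCerts.values().stream()
                .flatMap(Set::stream)
                .filter(intermediate -> !trustAnchorCerts.containsKey(intermediate.getIssuerX500Principal()))
                .collect(Collectors.toList());
        if (!orphans.isEmpty()) {
            throw new MissingTrustAnchorException(orphans);
        }
    }

    /**
     * Builds a certificate path from {@code certificate} up to one of the trust
     * anchors, using only the anchors and the intermediates whose subject equals
     * the certificate's issuer as building material.
     *
     * <p>Revocation is NOT checked. The same instant is used for the target
     * selector's validity check and for PKIX path validation, so a certificate
     * cannot pass one check and fail the other because the clock advanced in between.
     *
     * <p>If the built path contains more than one certificate, the returned
     * {@link ReviewedCertPath} is trusted iff {@link #trusts(CertPath)} accepts it.
     * Otherwise (the certificate is issued directly by an anchor) a path of
     * [certificate, anchor] is generated and trusted iff an anchor certificate
     * for it is found via {@code CertHelper.findTrustAnchorCert}.
     *
     * <p>Any {@link GeneralSecurityException} (including an empty anchor set, which
     * {@link PKIXBuilderParameters} rejects) is logged and wrapped in a
     * {@link ReviewedCertPath} carrying the exception instead of being thrown.
     */
    public ReviewedCertPath resolveCertPath(X509Certificate certificate) {
        try {
            // Sample the clock once so selector and PKIX validation agree on "now".
            Date now = Date.from(clock.instant());
            Set<TrustAnchor> anchors = getTrustAnchors();

            Set<X509Certificate> buildingMaterial = getTrustAnchorsAndAnyIntermediateCertificatesFor(certificate.getIssuerX500Principal())
                    .collect(Collectors.toSet());
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(buildingMaterial));

            X509CertSelector target = new X509CertSelector();
            target.setCertificate(certificate);
            target.setSubject(certificate.getSubjectX500Principal());
            target.setCertificateValid(now);

            PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(anchors, target);
            builderParameters.addCertStore(certStore);
            builderParameters.setSigProvider(DigipostSecurity.PROVIDER_NAME);
            builderParameters.setRevocationEnabled(false); // revocation is the caller's responsibility
            builderParameters.setDate(now);

            CertPath certPath = CertPathBuilder.getInstance(DigipostSecurity.PKIX).build(builderParameters).getCertPath();
            if (certPath.getCertificates().size() > 1) {
                return new ReviewedCertPath(certPath, this::trusts);
            }

            // Single-certificate path: issued directly by an anchor. Generate an
            // explicit [certificate, anchor] path for callers that want to see the anchor.
            Optional<X509Certificate> anchorCert = CertHelper.findTrustAnchorCert(certificate, anchors);
            List<X509Certificate> certsWithAnchor = Stream
                    .concat(Stream.of(certificate), anchorCert.map(Stream::of).orElseGet(Stream::empty))
                    .collect(Collectors.toList());
            CertificateFactory factory = DigipostSecurity.getX509CertificateFactory();
            CertPath pathWithAnchor = factory.generateCertPath(certsWithAnchor);
            return new ReviewedCertPath(pathWithAnchor, ignoredPath -> anchorCert.isPresent());
        } catch (GeneralSecurityException e) {
            LOG.warn("Error generating cert path for certificate, because the issuer is not trusted. {}: {}. certificate: {}",
                    e.getClass().getSimpleName(), e.getMessage(), DigipostSecurity.describe(certificate));
            if (LOG.isDebugEnabled()) {
                LOG.debug(e.getClass().getSimpleName() + ": '" + e.getMessage() + "'", e);
            }
            return new ReviewedCertPath(e);
        }
    }

    /**
     * Runs PKIX validation of {@code certPath} against this instance's anchors at
     * the clock's current instant. Revocation is NOT checked.
     *
     * @return {@code true} if the path validates, {@code false} on a
     *         {@link CertPathValidatorException} (the reason is logged at debug level)
     * @throws DigipostSecurityException on any other {@link GeneralSecurityException},
     *         e.g. an empty anchor set or an unavailable provider
     */
    public boolean trusts(CertPath certPath) {
        try {
            PKIXParameters parameters = new PKIXParameters(getTrustAnchors());
            parameters.setSigProvider(DigipostSecurity.PROVIDER_NAME);
            parameters.setRevocationEnabled(false); // revocation is the caller's responsibility
            parameters.setDate(Date.from(clock.instant()));
            CertPathValidator.getInstance(DigipostSecurity.PKIX).validate(certPath, parameters);
            return true;
        } catch (CertPathValidatorException e) {
            // Not trusted. Keep the reason and offending index available for diagnosis
            // instead of discarding them silently.
            LOG.debug("Certificate path not trusted: {} (reason: {}, index: {})", e.getMessage(), e.getReason(), e.getIndex());
            return false;
        } catch (GeneralSecurityException e) {
            throw new DigipostSecurityException(e);
        }
    }

    /** The anchors as {@link TrustAnchor}s without name constraints; a fresh set each call. */
    public Set<TrustAnchor> getTrustAnchors() {
        return getTrustAnchorCertificates().stream()
                .map(anchorCert -> new TrustAnchor(anchorCert, null))
                .collect(Collectors.toSet());
    }

    /** All anchor certificates, flattened; a fresh set each call. */
    public Set<X509Certificate> getTrustAnchorCertificates() {
        return trustAnchorCerts.values().stream()
                .flatMap(Set::stream)
                .collect(Collectors.toSet());
    }

    /** A password-less JCEKS key store holding the anchor certificates. */
    public KeyStore getTrustAnchorsKeyStore() {
        return KeyStoreType.JCEKS.newKeyStore().containing(getTrustAnchorCertificates()).withNoPassword();
    }

    /** Intermediate certificates keyed by subject name (unmodifiable map). */
    public Map<X500Principal, Set<X509Certificate>> getTrustedIntermediateCertificates() {
        return trustedIntermediateCerts;
    }

    /**
     * All anchor certificates followed by the intermediates whose subject is
     * {@code issuer}. Only one level of intermediates is looked up.
     */
    Stream<X509Certificate> getTrustAnchorsAndAnyIntermediateCertificatesFor(X500Principal issuer) {
        Set<X509Certificate> intermediates = getTrustedIntermediateCertificates().getOrDefault(issuer, Collections.emptySet());
        return Stream.concat(getTrustAnchorCertificates().stream(), intermediates.stream());
    }

    @Override
    public boolean equals(Object other) {
        if (!(other instanceof Trust)) {
            return false;
        }
        Trust that = (Trust) other;
        return Objects.equals(clock, that.clock)
                && Objects.equals(trustAnchorCerts, that.trustAnchorCerts)
                && Objects.equals(trustedIntermediateCerts, that.trustedIntermediateCerts);
    }

    @Override
    public int hashCode() {
        return Objects.hash(clock, trustAnchorCerts, trustedIntermediateCerts);
    }
}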
