package no.digipost.signature.client.core.internal.http;

import java.security.cert.X509Certificate;
import no.digipost.signature.client.core.exceptions.SecurityException;
import no.digipost.signature.client.security.CertificateChainValidation;
import org.apache.hc.core5.ssl.TrustStrategy;

/* loaded from: input_file:no/digipost/signature/client/core/internal/http/SignatureApiTrustStrategy.class */
public final class SignatureApiTrustStrategy implements TrustStrategy {
    private final CertificateChainValidation certificateChainValidation;

    public SignatureApiTrustStrategy(CertificateChainValidation certificateChainValidation) {
        this.certificateChainValidation = certificateChainValidation;
    }

    public boolean isTrusted(X509Certificate[] x509CertificateArr, String str) {
        switch (this.certificateChainValidation.validate(x509CertificateArr)) {
            case TRUSTED_AND_SKIP_FURTHER_VALIDATION:
                return true;
            case TRUSTED:
                return false;
            case UNTRUSTED:
            default:
                throw new SecurityException("Untrusted server certificate, according to " + this.certificateChainValidation + ". Make sure the server URI is correct. Actual certificate: " + x509CertificateArr[0].getSubjectX500Principal().getName() + ". This could indicate a misconfiguration of the client or server, or potentially a man-in-the-middle attack.");
        }
    }
}
