package org.bouncycastle.jsse.provider;

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Provider;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import org.jruby.ext.openssl.impl.ASN1Registry;

/* loaded from: input_file:/home/enebo/work/release/lib/target/classes/META-INF/jruby.home/lib/ruby/stdlib/org/bouncycastle/bctls-jdk15on/1.59/bctls-jdk15on-1.59.jar:org/bouncycastle/jsse/provider/ProvX509TrustManagerImpl.class */
class ProvX509TrustManagerImpl implements ProvX509TrustManager {
    private final Provider pkixProvider;
    private final Set<X509Certificate> trustedCerts;
    private final PKIXParameters baseParameters;

    private Set<X509Certificate> getTrustedCerts(Set<TrustAnchor> set) {
        X509Certificate trustedCert;
        HashSet hashSet = new HashSet(set.size());
        for (TrustAnchor trustAnchor : set) {
            if (trustAnchor != null && (trustedCert = trustAnchor.getTrustedCert()) != null) {
                hashSet.add(trustedCert);
            }
        }
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProvX509TrustManagerImpl(Provider provider, Set<TrustAnchor> set) throws InvalidAlgorithmParameterException {
        this.pkixProvider = provider;
        this.trustedCerts = getTrustedCerts(set);
        this.baseParameters = new PKIXBuilderParameters(set, new X509CertSelector());
        this.baseParameters.setRevocationEnabled(false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProvX509TrustManagerImpl(Provider provider, PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        this.pkixProvider = provider;
        this.trustedCerts = getTrustedCerts(pKIXParameters.getTrustAnchors());
        if (pKIXParameters instanceof PKIXBuilderParameters) {
            this.baseParameters = pKIXParameters;
            return;
        }
        this.baseParameters = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), pKIXParameters.getTargetCertConstraints());
        this.baseParameters.setCertStores(pKIXParameters.getCertStores());
        this.baseParameters.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
        this.baseParameters.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
        this.baseParameters.setDate(pKIXParameters.getDate());
        this.baseParameters.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
        this.baseParameters.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
        this.baseParameters.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // org.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // org.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // org.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // org.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        validatePath(x509CertificateArr);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return (X509Certificate[]) this.trustedCerts.toArray(new X509Certificate[this.trustedCerts.size()]);
    }

    protected void validatePath(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            throw new IllegalArgumentException("'x509Certificates' must be a chain of at least one certificate");
        }
        X509Certificate x509Certificate = x509CertificateArr[0];
        if (this.trustedCerts.contains(x509Certificate)) {
            return;
        }
        try {
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509CertificateArr)), this.pkixProvider);
            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance(ASN1Registry.SN_id_pkix, this.pkixProvider);
            X509CertSelector x509CertSelector = (X509CertSelector) this.baseParameters.getTargetCertConstraints().clone();
            x509CertSelector.setCertificate(x509Certificate);
            PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.baseParameters.clone();
            pKIXBuilderParameters.addCertStore(certStore);
            pKIXBuilderParameters.setTargetCertConstraints(x509CertSelector);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
        }
    }
}
