package org.soulwing.jwt.api.locator;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Date;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import org.soulwing.jwt.api.X509CertificateValidator;
import org.soulwing.jwt.api.exceptions.CertificateException;
import org.soulwing.jwt.api.exceptions.CertificateValidationException;

/* loaded from: input_file:org/soulwing/jwt/api/locator/JcaX509CertificateValidator.class */
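/**
 * {@link X509CertificateValidator} backed by the JCA/JCE PKIX certificate
 * path builder.
 * <p>
 * A chain is validated in two steps: the validity period of each certificate
 * is checked explicitly (so that the failure message can name the position in
 * the chain that failed), then a PKIX path is built from the end-entity
 * certificate (index 0) to a trust anchor in the configured trust store,
 * using the remaining certificates of the chain as intermediates.
 * <p>
 * Instances are created through {@link #builder()}. The {@code clock} supplies
 * the point in time the chain is evaluated at, which keeps validation
 * deterministic in tests.
 */
public class JcaX509CertificateValidator implements X509CertificateValidator {
    // whether a PKIXRevocationChecker is attached to the path build (default true)
    private boolean checkRevocation;
    // whether the chain must be valid "now"; when false it must have been
    // valid at the earliest notAfter of the chain instead (default true)
    private boolean checkExpiration;
    // when true, the explicit expiration check and the revocation checker are
    // limited to the end-entity certificate (default false)
    private boolean checkSubjectOnly;
    // source of "now" for expiration checks and the PKIX validation date
    private Clock clock;
    // trust anchors for the PKIX path build
    private KeyStore trustStore;

    /**
     * Fluent builder for {@link JcaX509CertificateValidator}.
     * <p>
     * The builder configures a single validator instance and {@link #build()}
     * returns that same instance; the defaults are those of the validator's
     * private constructor.
     */
    public static class Builder {
        private final JcaX509CertificateValidator validator;

        private Builder() {
            this.validator = new JcaX509CertificateValidator();
        }

        /**
         * Sets the clock that supplies the validation instant.
         *
         * @param clock clock to use; required (the default is {@link Clock#systemUTC()})
         * @return this builder
         */
        public Builder clock(Clock clock) {
            this.validator.clock = clock;
            return this;
        }

        /**
         * Enables or disables revocation checking during the PKIX path build.
         *
         * @param z {@code true} to check revocation (the default)
         * @return this builder
         */
        public Builder checkRevocation(boolean z) {
            this.validator.checkRevocation = z;
            return this;
        }

        /**
         * Enables or disables checking the chain against the current time.
         * When disabled, the chain is instead evaluated at the earliest
         * {@code notAfter} found in the chain.
         *
         * @param z {@code true} to require the chain to be valid now (the default)
         * @return this builder
         */
        public Builder checkExpiration(boolean z) {
            this.validator.checkExpiration = z;
            return this;
        }

        /**
         * Restricts the explicit expiration check and the revocation checker
         * to the end-entity certificate only.
         *
         * @param z {@code true} to check only the subject certificate
         *          (the default is {@code false})
         * @return this builder
         */
        public Builder checkSubjectOnly(boolean z) {
            this.validator.checkSubjectOnly = z;
            return this;
        }

        /**
         * Sets the key store whose trusted certificates act as PKIX trust anchors.
         *
         * @param keyStore trust store; required
         * @return this builder
         */
        public Builder trustStore(KeyStore keyStore) {
            this.validator.trustStore = keyStore;
            return this;
        }

        /**
         * Returns the configured validator.
         *
         * @return the validator instance configured by this builder
         * @throws IllegalArgumentException if no clock or no trust store was set
         */
        public X509CertificateValidator build() {
            if (this.validator.clock == null) {
                throw new IllegalArgumentException("clock is required");
            }
            if (this.validator.trustStore == null) {
                throw new IllegalArgumentException("trustStore is required");
            }
            return this.validator;
        }
    }

    /** Secure defaults: revocation and expiration both checked for the whole chain. */
    private JcaX509CertificateValidator() {
        this.checkRevocation = true;
        this.checkExpiration = true;
        this.checkSubjectOnly = false;
        this.clock = Clock.systemUTC();
    }

    /**
     * Creates a new builder.
     *
     * @return a builder with default settings
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Validates a certificate chain.
     *
     * @param list certificate chain, end-entity certificate first, followed
     *             by its issuers; must not be empty
     * @throws CertificateValidationException if a certificate is outside its
     *         validity period at the validation instant, or no PKIX path to a
     *         trust anchor can be built (including revocation failures)
     * @throws IllegalArgumentException if {@code list} is {@code null} or empty
     */
    @Override // org.soulwing.jwt.api.X509CertificateValidator
    public void validate(List<X509Certificate> list) throws CertificateValidationException {
        // an empty chain has no end-entity certificate to select on and would
        // otherwise surface as an IndexOutOfBoundsException from list.get(0)
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("certificate chain must not be empty");
        }
        Date validityBasis = validityBasis(list);
        // explicit check first so the failure names the chain position
        checkExpiration(list, validityBasis);
        validateCertPath(list, this.trustStore, validityBasis);
    }

    /**
     * Determines the instant the chain is evaluated at.
     * <p>
     * With expiration checking enabled this is simply the clock's current
     * instant. With it disabled, the instant is moved back to the earliest
     * {@code notAfter} in the chain (if that is earlier than now), so that an
     * already-expired chain still validates as long as it was once valid as a
     * whole.
     *
     * @param list certificate chain
     * @return validation instant as a {@link Date}, as required by the PKIX API
     */
    private Date validityBasis(List<X509Certificate> list) {
        Date basis = new Date(this.clock.instant().toEpochMilli());
        if (!this.checkExpiration) {
            for (X509Certificate certificate : list) {
                Date notAfter = certificate.getNotAfter();
                if (notAfter.before(basis)) {
                    basis = notAfter;
                }
            }
        }
        return basis;
    }

    /**
     * Checks each certificate's validity period against {@code date}.
     * <p>
     * When {@code checkSubjectOnly} is set only the end-entity certificate is
     * checked. Note that the subsequent PKIX path build still evaluates the
     * whole path at the same date, so this method mainly provides a more
     * descriptive failure message.
     *
     * @param list certificate chain, end-entity first
     * @param date validation instant
     * @throws CertificateValidationException if a certificate is expired or
     *         not yet valid at {@code date}; the message is prefixed with
     *         "issuer " or "root " to indicate the failing position
     */
    private void checkExpiration(List<X509Certificate> list, Date date) throws CertificateValidationException {
        int index = 0;
        try {
            for (X509Certificate certificate : list) {
                certificate.checkValidity(date);
                if (this.checkSubjectOnly) {
                    return;
                }
                index++;
            }
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new CertificateValidationException(
                    positionLabel(index, list.size()) + e.getMessage(), e);
        }
    }

    /**
     * Builds the message prefix naming the position of a failing certificate.
     * <p>
     * Index 0 is always the end-entity certificate and gets no prefix, even
     * in a single-certificate chain; the last index is the root; anything in
     * between is an issuer.
     *
     * @param index       position of the failing certificate in the chain
     * @param chainLength number of certificates in the chain
     * @return {@code ""}, {@code "issuer "} or {@code "root "}
     */
    private static String positionLabel(int index, int chainLength) {
        if (index <= 0) {
            return "";
        }
        if (index >= chainLength - 1) {
            return "root ";
        }
        return "issuer ";
    }

    /**
     * Builds a PKIX path from the end-entity certificate to a trust anchor.
     * <p>
     * The remaining chain certificates are offered to the builder through a
     * collection {@link CertStore}. When revocation checking is enabled the
     * provider's {@link PKIXRevocationChecker} is attached without the
     * {@code SOFT_FAIL} option, so an undeterminable revocation status fails
     * the build; with {@code checkSubjectOnly} it is limited to the end-entity
     * certificate.
     *
     * @param list     certificate chain, end-entity first; must not be empty
     * @param keyStore trust anchors
     * @param date     validation instant, as computed by {@link #validityBasis}
     * @throws CertificateValidationException if no valid path can be built
     * @throws CertificateException if the PKIX machinery cannot be set up
     *         (bad parameters, unusable trust store, missing algorithm)
     */
    private void validateCertPath(List<X509Certificate> list, KeyStore keyStore, Date date) throws CertificateValidationException {
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(list.get(0));
            CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
            PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, target);
            // validityBasis() has already moved the date back to the earliest
            // notAfter when expiration checking is disabled
            params.setDate(date);
            params.setRevocationEnabled(this.checkRevocation);
            if (this.checkRevocation) {
                PKIXRevocationChecker revocationChecker =
                        (PKIXRevocationChecker) pathBuilder.getRevocationChecker();
                if (this.checkSubjectOnly) {
                    revocationChecker.setOptions(
                            EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
                }
                params.addCertPathChecker(revocationChecker);
            }
            // intermediates (everything after the end-entity) as a cert store
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(list.subList(1, list.size()))));
            pathBuilder.build(params);
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        } catch (CertPathBuilderException e2) {
            throw new CertificateValidationException(e2.getMessage(), e2);
        }
    }
}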
