package br.net.woodstock.rockframework.security.cert.impl;

import br.net.woodstock.rockframework.config.CoreLog;
import br.net.woodstock.rockframework.security.cert.CertificateException;
import br.net.woodstock.rockframework.security.cert.CertificateVerifier;
import br.net.woodstock.rockframework.util.Assert;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/* loaded from: input_file:br/net/woodstock/rockframework/security/cert/impl/PKIXCertificateVerifier.class */
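/**
 * Verifies an X.509 certificate by building and validating a PKIX certification
 * path from it to one of the configured trust anchors.
 *
 * <p>Contract of {@link #verify(Certificate)}: a self-signed certificate is
 * rejected ({@code false}); any other certificate is accepted ({@code true})
 * only when a path to a trust anchor builds and validates. Every failure of
 * path building or validation is reported as a {@link CertificateException}.
 *
 * <p>When an {@link OCSP} responder is configured, revocation checking is
 * switched on for the validation and the responder is published through the
 * JVM-global {@code ocsp.*} security properties. Those properties are global
 * mutable state shared by every verifier in the process, so concurrent use of
 * instances configured with different responders is not safe.
 */
public class PKIXCertificateVerifier implements CertificateVerifier {
    private static final String CERTSTORE_TYPE = "Collection";
    private static final String CERTPATH_TYPE = "PKIX";
    private static final String OSCP_ENABLE_PROPERTY = "ocsp.enable";
    private static final String OSCP_ENABLE_VALUE = "true";
    private static final String OSCP_URL_PROPERTY = "ocsp.responderURL";
    private static final String OSCP_SUBJECT_PROPERTY = "ocsp.responderCertSubjectName";
    // Trust anchors for path validation; never empty (checked in every constructor).
    private Certificate[] trustedCertificates;
    // Optional intermediate certificates offered to the path builder; null when not supplied.
    private Certificate[] chain;
    // Optional OCSP responder; null disables revocation checking.
    private OCSP ocsp;

    /**
     * Creates a verifier that trusts the given certificates and performs no
     * revocation checking.
     *
     * @param certificateArr trust anchors; must be non-empty
     */
    public PKIXCertificateVerifier(Certificate[] certificateArr) {
        Assert.notEmpty(certificateArr, "trustedCertificates");
        this.trustedCertificates = certificateArr;
    }

    /**
     * Creates a verifier that trusts the given certificates and checks
     * revocation against the given OCSP responder.
     *
     * @param certificateArr trust anchors; must be non-empty
     * @param ocsp           responder used for revocation checking; must not be null
     */
    public PKIXCertificateVerifier(Certificate[] certificateArr, OCSP ocsp) {
        Assert.notEmpty(certificateArr, "trustedCertificates");
        Assert.notNull(ocsp, "ocsp");
        this.trustedCertificates = certificateArr;
        this.ocsp = ocsp;
    }

    /**
     * Creates a verifier that trusts the given certificates and may use the
     * given intermediate certificates to complete the path.
     *
     * @param certificateArr  trust anchors; must be non-empty
     * @param certificateArr2 intermediate certificates; must be non-empty
     */
    public PKIXCertificateVerifier(Certificate[] certificateArr, Certificate[] certificateArr2) {
        Assert.notEmpty(certificateArr, "trustedCertificates");
        Assert.notEmpty(certificateArr2, "chain");
        this.trustedCertificates = certificateArr;
        this.chain = certificateArr2;
    }

    /**
     * Creates a verifier with trust anchors, intermediate certificates and an
     * OCSP responder for revocation checking.
     *
     * @param certificateArr  trust anchors; must be non-empty
     * @param certificateArr2 intermediate certificates; must be non-empty
     * @param ocsp            responder used for revocation checking; must not be null
     */
    public PKIXCertificateVerifier(Certificate[] certificateArr, Certificate[] certificateArr2, OCSP ocsp) {
        Assert.notEmpty(certificateArr, "trustedCertificates");
        Assert.notEmpty(certificateArr2, "chain");
        Assert.notNull(ocsp, "ocsp");
        this.trustedCertificates = certificateArr;
        this.chain = certificateArr2;
        this.ocsp = ocsp;
    }

    /**
     * Verifies {@code certificate} against the configured trust anchors.
     *
     * @param certificate the certificate to verify; must be an {@link X509Certificate}
     * @return {@code false} if the certificate is self-signed, {@code true} if a
     *         path to a trust anchor builds and validates
     * @throws CertificateException wrapping any failure, including a
     *         certificate that is not X.509 or a path that cannot be built
     */
    @Override // br.net.woodstock.rockframework.security.cert.CertificateVerifier
    public boolean verify(Certificate certificate) {
        Assert.notNull(certificate, "certificate");
        try {
            // The cast stays inside the try so a non-X.509 certificate surfaces as a
            // CertificateException, the same way every other failure here does.
            X509Certificate x509Certificate = (X509Certificate) certificate;
            if (isSelfSigned(x509Certificate)) {
                return false;
            }
            CoreLog.getInstance().getLog().info("Result: " + getValidatorResult(x509Certificate, this.trustedCertificates, this.chain));
            return true;
        } catch (Exception e) {
            // CertPathBuilderException and everything else were wrapped identically;
            // a single catch keeps that behavior without the duplicated branch.
            throw new CertificateException(e);
        }
    }

    /**
     * Tells whether {@code x509Certificate} was signed with its own key.
     *
     * @param x509Certificate certificate to test
     * @return {@code true} if the signature verifies under the certificate's own public key
     * @throws GeneralSecurityException if the signature cannot be checked at all
     *         (unsupported algorithm, missing provider, malformed certificate)
     */
    protected boolean isSelfSigned(X509Certificate x509Certificate) throws GeneralSecurityException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (SignatureException | InvalidKeyException e) {
            // A bad signature or a key that does not fit the signature algorithm both
            // mean "not signed by its own key"; neither is an error of the check itself.
            return false;
        }
    }

    /**
     * Builds a PKIX path from {@code x509Certificate} to one of
     * {@code certificateArr} and validates it.
     *
     * @param x509Certificate the end-entity certificate (target of the path)
     * @param certificateArr  trust anchors
     * @param certificateArr2 intermediate certificates made available to the
     *                        builder; may be null or empty
     * @return the validator result for the built path
     * @throws GeneralSecurityException if no path can be built or the path fails validation
     */
    protected PKIXCertPathValidatorResult getValidatorResult(X509Certificate x509Certificate, Certificate[] certificateArr, Certificate[] certificateArr2) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(x509Certificate);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Certificate trusted : certificateArr) {
            anchors.add(new TrustAnchor((X509Certificate) trusted, null));
        }
        PKIXBuilderParameters parameters = new PKIXBuilderParameters(anchors, target);
        // The ocsp.* security properties are only consulted when revocation checking
        // is enabled on the parameters; leaving it off made the configured OCSP
        // responder a no-op, so it is enabled exactly when a responder was supplied.
        parameters.setRevocationEnabled(this.ocsp != null);
        // Decide on the parameter, not on this.chain: the two are the same value when
        // called from verify(), and the parameter is what is actually passed on.
        if (certificateArr2 != null && certificateArr2.length > 0) {
            parameters.addCertStore(CertStore.getInstance(CERTSTORE_TYPE, new CollectionCertStoreParameters(Arrays.asList(certificateArr2))));
        }
        if (this.ocsp != null) {
            // JVM-global properties, read by the PKIX revocation checker at validation time.
            Security.setProperty(OSCP_ENABLE_PROPERTY, OSCP_ENABLE_VALUE);
            Security.setProperty(OSCP_URL_PROPERTY, this.ocsp.getUrl());
            Security.setProperty(OSCP_SUBJECT_PROPERTY, ((X509Certificate) this.ocsp.getCertificate()).getSubjectX500Principal().getName());
        }
        PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance(CERTPATH_TYPE).build(parameters);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance(CERTPATH_TYPE).validate(built.getCertPath(), parameters);
    }
}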
