package br.net.woodstock.rockframework.security.cert.impl;

import br.net.woodstock.rockframework.security.cert.CertificateException;
import br.net.woodstock.rockframework.security.cert.CertificateValidator;
import br.net.woodstock.rockframework.security.cert.ValidationError;
import br.net.woodstock.rockframework.security.config.SecurityLog;
import br.net.woodstock.rockframework.util.Assert;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;

/* loaded from: input_file:br/net/woodstock/rockframework/security/cert/impl/PKIXCertificateValidator.class */
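/**
 * {@link CertificateValidator} that builds and validates a PKIX certification path for the first
 * certificate of a chain, using the remaining certificates of that same chain as trust anchors.
 *
 * <p><strong>Security notes for callers.</strong>
 * <ul>
 *   <li>The trust anchors are taken from the chain passed to {@link #validate(Certificate[])}, not
 *       from an independently configured trust store. A successful result therefore only shows that
 *       the chain is internally consistent under PKIX rules; it does not show that the chain ends in
 *       a root this application trusts. When the chain comes from an untrusted party, the issuer
 *       certificates must be checked against a trusted set before relying on the result.</li>
 *   <li>Revocation checking is disabled on the PKIX parameters. The JDK {@code ocsp.*} security
 *       properties are only consulted during revocation checking, so configuring an {@link OCSP}
 *       instance does not by itself cause an OCSP lookup in this validator.</li>
 *   <li>{@link Security#setProperty(String, String)} is JVM-wide: the OCSP settings written here
 *       are visible to every other PKIX validation in the process, and instances configured with
 *       different responders overwrite each other.</li>
 * </ul>
 */
public class PKIXCertificateValidator implements CertificateValidator {
    public static final String VALIDATOR_NAME = "PKIX Validator";
    private static final String CERTSTORE_TYPE = "Collection";
    private static final String CERTPATH_TYPE = "PKIX";
    private static final String OCSP_ENABLE_PROPERTY = "ocsp.enable";
    private static final String OCSP_ENABLE_VALUE = "true";
    private static final String OCSP_URL_PROPERTY = "ocsp.responderURL";
    private static final String OCSP_SUBJECT_PROPERTY = "ocsp.responderCertSubjectName";

    /** Optional OCSP responder settings; {@code null} when the no-argument constructor was used. */
    private final OCSP ocsp;

    /** Creates a validator that does not touch the JVM OCSP security properties. */
    public PKIXCertificateValidator() {
        this.ocsp = null;
    }

    /**
     * Creates a validator that publishes the given OCSP responder settings as JVM security
     * properties on every validation.
     *
     * @param ocsp responder URL and certificate; must not be {@code null}
     */
    public PKIXCertificateValidator(OCSP ocsp) {
        Assert.notNull(ocsp, "ocsp");
        this.ocsp = ocsp;
    }

    /**
     * Validates a certificate chain whose first element is the certificate under test and whose
     * remaining elements are its issuer certificates.
     *
     * @param certificateArr the chain; must be non-empty and should hold at least two certificates
     * @return an empty array when a PKIX path could be built and validated, otherwise an array
     *     with a single {@link ValidationError}
     * @throws CertificateException wrapping any failure other than a {@link CertPathBuilderException}
     */
    @Override
    public ValidationError[] validate(Certificate[] certificateArr) {
        Assert.notEmpty(certificateArr, "chain");
        if (certificateArr.length < 2) {
            return new ValidationError[]{new ValidationError(VALIDATOR_NAME, "Certificate chain must be greater than 1(certificate and issuer certificate")};
        }
        try {
            PKIXCertPathValidatorResult result = getValidatorResult(certificateArr);
            SecurityLog.getInstance().getLogger().trace("Result: " + result);
            return new ValidationError[0];
        } catch (CertPathBuilderException e) {
            // Only the exception message is logged; the caller receives a generic error.
            SecurityLog.getInstance().getLogger().info("Validation error: " + e.getMessage());
            return new ValidationError[]{new ValidationError(VALIDATOR_NAME, "Invalid certificate infrastructure")};
        } catch (Exception e) {
            // NOTE(review): a failure raised by the CertPathValidator step (as opposed to the
            // builder step) also lands here and is thrown rather than returned as a
            // ValidationError. That still fails closed, but callers must treat the exception
            // as "not valid" - confirm this is the intended contract.
            throw new CertificateException(e);
        }
    }

    /**
     * Builds a PKIX path from {@code certificateArr[0]} to one of the other chain certificates and
     * validates that path.
     *
     * @param certificateArr the chain; every element is cast to {@link X509Certificate}
     * @return the validator result for the built path
     * @throws GeneralSecurityException if the path cannot be built or validated, or the PKIX
     *     parameters are rejected
     */
    protected PKIXCertPathValidatorResult getValidatorResult(Certificate[] certificateArr) throws GeneralSecurityException {
        X509Certificate target = (X509Certificate) certificateArr[0];
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);

        // Every certificate after the first is used both as a trust anchor and as a candidate
        // in the cert store. The anchors are caller-supplied: see the class-level security notes.
        HashSet<TrustAnchor> trustAnchors = new HashSet<>();
        ArrayList<Certificate> issuers = new ArrayList<>();
        for (int i = 1; i < certificateArr.length; i++) {
            trustAnchors.add(new TrustAnchor((X509Certificate) certificateArr[i], null));
            issuers.add(certificateArr[i]);
        }

        PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, selector);
        // NOTE(review): revocation checking is switched off unconditionally, including when an
        // OCSP responder was configured, so the properties set below are not consulted by this
        // path validation. Decide whether revocation should be enabled when this.ocsp != null.
        parameters.setRevocationEnabled(false);
        parameters.addCertStore(CertStore.getInstance(CERTSTORE_TYPE, new CollectionCertStoreParameters(issuers)));

        if (this.ocsp != null) {
            // JVM-wide side effect: these values are shared by all PKIX validations in the process.
            Security.setProperty(OCSP_ENABLE_PROPERTY, OCSP_ENABLE_VALUE);
            Security.setProperty(OCSP_URL_PROPERTY, this.ocsp.getUrl());
            Security.setProperty(OCSP_SUBJECT_PROPERTY, ((X509Certificate) this.ocsp.getCertificate()).getSubjectX500Principal().getName());
        }

        PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance(CERTPATH_TYPE).build(parameters);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance(CERTPATH_TYPE).validate(built.getCertPath(), parameters);
    }
}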
