package org.zowe.apiml.security.common.verify;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;

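/**
 * Decides whether the certificates presented on a connection belong to the set of certificates
 * returned by the configured {@link TrustedCertificatesProvider}, and records the public keys of
 * certificates the caller has accepted.
 *
 * <p>Trust here is exact membership: each presented certificate must be {@code equals} to an entry
 * of the provider's list. This class does no path building, expiry or revocation checking, so any
 * such checks must already have happened elsewhere (for example in the TLS layer).
 *
 * <p>Configuration read by this class:
 * <ul>
 *   <li>{@code apiml.security.x509.acceptForwardedCert} (default {@code false}) - exposed through
 *       {@link #isForwardingEnabled()}.</li>
 *   <li>{@code apiml.security.x509.certificatesUrl} (default empty) - passed to the provider as the
 *       location of the trusted certificates.</li>
 * </ul>
 */
@Service
/* loaded from: input_file:BOOT-INF/lib/apiml-security-common-2.16.1.jar:org/zowe/apiml/security/common/verify/CertificateValidator.class */
public class CertificateValidator {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(CertificateValidator.class);
    final TrustedCertificatesProvider trustedCertificatesProvider;

    @InjectApimlLogger
    private final ApimlLogger apimlLog = ApimlLogger.empty();

    // Off by default: forwarded certificates are accepted only when explicitly enabled.
    @Value("${apiml.security.x509.acceptForwardedCert:false}")
    private boolean forwardingEnabled;

    // Handed to the provider unchanged; empty when the property is not set.
    // NOTE(review): what the provider does with an empty endpoint is not visible here - confirm it
    // yields an empty list rather than a permissive default.
    @Value("${apiml.security.x509.certificatesUrl:}")
    private String proxyCertificatesEndpoint;

    // Injected, shared set that updateAPIMLPublicKeyCertificates() adds to.
    // NOTE(review): thread-safety of the injected set cannot be confirmed from this class.
    private final Set<String> publicKeyCertificatesBase64;

    /**
     * @param trustedCertificatesProvider source of the certificates treated as trusted
     * @param set                         the {@code publicKeyCertificatesBase64} bean that collects
     *                                    Base64-encoded public keys
     */
    @Autowired
    public CertificateValidator(TrustedCertificatesProvider trustedCertificatesProvider, @Qualifier("publicKeyCertificatesBase64") Set<String> set) {
        this.trustedCertificatesProvider = trustedCertificatesProvider;
        this.publicKeyCertificatesBase64 = set;
    }

    /**
     * Checks that every presented certificate is contained in the provider's trusted list.
     *
     * <p>A {@code null} or empty array is rejected. Without that guard the loop below never runs
     * for an empty array and the method would report "trusted" although no certificate was
     * checked; a trust decision must fail closed when there is nothing to verify.
     *
     * @param x509CertificateArr certificates presented by the peer
     * @return {@code true} only if at least one certificate was presented and all of them are in
     *         the trusted list; {@code false} otherwise
     */
    public boolean isTrusted(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            log.debug("No certificate was presented; nothing can be trusted.");
            return false;
        }
        List<Certificate> trustedCerts = this.trustedCertificatesProvider.getTrustedCerts(this.proxyCertificatesEndpoint);
        for (X509Certificate x509Certificate : x509CertificateArr) {
            // One certificate outside the trusted list rejects the whole array.
            if (!trustedCerts.contains(x509Certificate)) {
                this.apimlLog.log("org.zowe.apiml.security.common.verify.untrustedCert", new Object[0]);
                log.debug("Untrusted certificate is {}", x509Certificate);
                return false;
            }
        }
        log.debug("All certificates are trusted.");
        return true;
    }

    /**
     * Adds the Base64-encoded public key of each given certificate to the injected
     * {@code publicKeyCertificatesBase64} set.
     *
     * <p>This method performs no trust check of its own: whatever is passed in ends up in the set.
     * Callers must only pass certificates that {@link #isTrusted(X509Certificate[])} accepted.
     * A {@code null} array is ignored.
     *
     * @param x509CertificateArr certificates whose public keys are recorded
     */
    public void updateAPIMLPublicKeyCertificates(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            return;
        }
        for (X509Certificate x509Certificate : x509CertificateArr) {
            this.publicKeyCertificatesBase64.add(Base64.getEncoder().encodeToString(x509Certificate.getPublicKey().getEncoded()));
        }
    }

    /**
     * @return the value of {@code apiml.security.x509.acceptForwardedCert}
     */
    @Generated
    public boolean isForwardingEnabled() {
        return this.forwardingEnabled;
    }
}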
