package org.openecard.crypto.tls.verify;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import org.openecard.bouncycastle.asn1.x500.RDN;
import org.openecard.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.openecard.bouncycastle.crypto.tls.Certificate;
import org.openecard.crypto.tls.CertificateVerificationException;
import org.openecard.crypto.tls.CertificateVerifier;
import org.slf4j.Marker;

/* loaded from: input_file:org/openecard/crypto/tls/verify/JavaSecVerifier.class */
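public class JavaSecVerifier implements CertificateVerifier {

    /**
     * Trust store that holds every certificate this verifier accepts as a trust anchor.
     * It starts with the JVM's own {@code cacerts} and grows through {@link #addKeyStore(KeyStore)}.
     */
    private final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    /** PKIX path validator used for every chain check. */
    private final CertPathValidator certPathValidator;

    /**
     * Creates a verifier pre-loaded with the trust anchors of the running JVM
     * ({@code <java.home>/lib/security/cacerts}).
     * <p>
     * Thread-safety: {@link #addKeyStore(KeyStore)} mutates the shared trust store; finish
     * configuring an instance before sharing it between threads.
     *
     * @throws IOException if the system trust store cannot be located or read
     * @throws GeneralSecurityException if the key store or the path validator cannot be set up
     */
    public JavaSecVerifier() throws IOException, GeneralSecurityException {
        this.keyStore.load(null);
        this.certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());

        String sep = File.separator;
        File systemStoreFile = getKeystore(System.getProperty("java.home"),
                "lib" + sep + "security" + sep + "cacerts");
        if (systemStoreFile == null) {
            // Fail closed: without trust anchors nothing could ever validate, so a missing
            // store is a deployment error worth surfacing immediately.
            throw new FileNotFoundException("Unable to find system keystore in standard locations.");
        }

        KeyStore systemStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(systemStoreFile);
        try {
            // A null password means the store's integrity check is skipped (see KeyStore.load);
            // the certificates are still parsed and loaded.
            systemStore.load(in, null);
        } finally {
            // The original left this stream open; close it regardless of load() outcome.
            in.close();
        }
        addKeyStore(systemStore);
    }

    /**
     * Resolves {@code relativePath} against {@code baseDir} (when non-null) and returns the
     * resulting file if it is readable.
     *
     * @param baseDir directory to resolve against, or {@code null} to use {@code relativePath} as is
     * @param relativePath path of the key store file, or {@code null}
     * @return the readable key store file, or {@code null} when it is missing or unreadable
     */
    private File getKeystore(String baseDir, String relativePath) {
        if (relativePath == null) {
            return null;
        }
        String path = (baseDir == null) ? relativePath : baseDir + File.separator + relativePath;
        File candidate = new File(path);
        return candidate.canRead() ? candidate : null;
    }

    /**
     * Copies every trusted-certificate entry of {@code keyStore} into this verifier's trust
     * store. Key entries are ignored. An alias already present is overwritten
     * (see {@link KeyStore#setCertificateEntry}), so an added store can replace an anchor.
     *
     * @param keyStore store whose certificate entries become trust anchors
     * @throws KeyStoreException if either store has not been initialised
     */
    public final void addKeyStore(KeyStore keyStore) throws KeyStoreException {
        for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (keyStore.isCertificateEntry(alias)) {
                this.keyStore.setCertificateEntry(alias, keyStore.getCertificate(alias));
            }
        }
    }

    /**
     * Adds the trusted-certificate entries of every store in {@code list}, in list order.
     *
     * @param list stores to import; may be empty
     * @throws KeyStoreException if a store has not been initialised
     */
    public final void addKeyStore(List<KeyStore> list) throws KeyStoreException {
        for (KeyStore store : list) {
            addKeyStore(store);
        }
    }

    /**
     * Validates the chain against the configured trust anchors without any host name check.
     *
     * @param certificate TLS chain as received from the peer, end-entity certificate first
     * @throws CertificateVerificationException if the chain does not validate
     */
    @Override // org.openecard.crypto.tls.CertificateVerifier
    public void isValid(Certificate certificate) throws CertificateVerificationException {
        isValid(certificate, null);
    }

    /**
     * Validates the chain against the configured trust anchors and, when {@code hostName} is
     * non-null, checks that the end-entity certificate was issued for that host.
     * <p>
     * Host name matching follows the RFC 6125 approach: subjectAltName dNSName and iPAddress
     * entries are authoritative, and the subject CN is consulted only when the certificate
     * carries none of them. A wildcard is honoured only as the complete left-most label and
     * only when at least two further labels follow it ({@code *.example.com}, never {@code *.com}).
     * <p>
     * Revocation status (CRL/OCSP) is not consulted, so a revoked but otherwise valid chain
     * passes; deployments needing revocation must check it elsewhere.
     *
     * @param certificate TLS chain as received from the peer, end-entity certificate first
     * @param hostName host the client connected to, or {@code null} to skip the name check
     * @throws CertificateVerificationException if the chain is empty, cannot be converted,
     *         does not match {@code hostName}, or does not chain to a trust anchor
     */
    @Override // org.openecard.crypto.tls.CertificateVerifier
    public void isValid(Certificate certificate, String hostName) throws CertificateVerificationException {
        if (certificate == null || certificate.getCerts().length == 0) {
            throw new CertificateVerificationException("Certificate chain is empty.");
        }

        CertPath path;
        try {
            path = convertChain(certificate);
        } catch (IOException e) {
            throw wrap("Error converting certificate chain to java.security format.", e);
        } catch (CertificateException e) {
            throw wrap("Error converting certificate chain to java.security format.", e);
        }

        if (hostName != null) {
            // X.509 CertPaths list the target (end-entity) certificate first.
            X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
            checkHostName(certificate.getCerts()[0], leaf, hostName);
        }

        try {
            PKIXParameters params = new PKIXParameters(this.keyStore);
            // No CRL/OCSP lookup during the handshake; see the class-level note on revocation.
            params.setRevocationEnabled(false);
            this.certPathValidator.validate(path, params);
        } catch (CertPathValidatorException e) {
            throw wrap(e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw wrap(e.getMessage(), e);
        }
    }

    /**
     * Checks {@code hostName} against the identities asserted by the end-entity certificate.
     * subjectAltName entries take precedence; the subject CN is used only when none exist.
     *
     * @param bcLeaf end-entity certificate in BouncyCastle form (used for the CN fallback)
     * @param leaf the same certificate in JCA form (used for subjectAltName)
     * @param hostName requested host
     * @throws CertificateVerificationException if no asserted identity matches
     */
    private static void checkHostName(org.openecard.bouncycastle.asn1.x509.Certificate bcLeaf,
            X509Certificate leaf, String hostName) throws CertificateVerificationException {
        List<String> altNames = subjectAltNames(leaf);
        if (!altNames.isEmpty()) {
            for (String name : altNames) {
                if (hostMatches(hostName, name)) {
                    return;
                }
            }
            throw new CertificateVerificationException("Hostname in certificate differs from actually requested host.");
        }

        // No dNSName/iPAddress SAN: fall back to the CN, as the original implementation did.
        RDN[] cns = bcLeaf.getSubject().getRDNs(BCStrictStyle.CN);
        if (cns.length == 0) {
            throw new CertificateVerificationException("No CN entry in certificate's Subject and no subjectAltName.");
        }
        if (cns.length != 1) {
            throw new CertificateVerificationException("Multiple CN entries in certificate's Subject.");
        }
        checkWildcardName(hostName, cns[0].getFirst().getValue().toString());
    }

    /**
     * Returns the dNSName (type 2) and iPAddress (type 7) entries of the certificate's
     * subjectAltName extension; empty when the extension is absent or holds no such entry.
     *
     * @param leaf certificate to inspect
     * @return matching names, possibly empty, never {@code null}
     * @throws CertificateVerificationException if the extension cannot be parsed
     */
    private static List<String> subjectAltNames(X509Certificate leaf) throws CertificateVerificationException {
        List<String> result = new ArrayList<String>();
        Collection<List<?>> altNames;
        try {
            altNames = leaf.getSubjectAlternativeNames();
        } catch (CertificateException e) {
            throw wrap("Unable to parse subjectAltName extension of the certificate.", e);
        }
        if (altNames == null) {
            return result;
        }
        for (List<?> entry : altNames) {
            // Each entry is [Integer generalNameType, Object value]; the JDK represents both
            // dNSName and iPAddress values as String.
            Object type = entry.get(0);
            Object value = entry.get(1);
            if (type instanceof Integer && value instanceof String) {
                int t = ((Integer) type).intValue();
                if (t == 2 || t == 7) {
                    result.add((String) value);
                }
            }
        }
        return result;
    }

    /**
     * Converts the BouncyCastle TLS chain into a JCA {@link CertPath}, keeping the order in
     * which it was received (TLS sends the end-entity certificate first, which is also the
     * order an X.509 CertPath expects).
     *
     * @param certificate chain to convert
     * @return the chain as a JCA certification path
     * @throws CertificateException if a certificate cannot be parsed by the X.509 factory
     * @throws IOException if a certificate cannot be re-encoded to DER
     */
    private CertPath convertChain(Certificate certificate) throws CertificateException, IOException {
        org.openecard.bouncycastle.asn1.x509.Certificate[] bcCerts = certificate.getCerts();
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<java.security.cert.Certificate> jcaCerts =
                new ArrayList<java.security.cert.Certificate>(bcCerts.length);
        for (org.openecard.bouncycastle.asn1.x509.Certificate bcCert : bcCerts) {
            jcaCerts.add(factory.generateCertificate(new ByteArrayInputStream(bcCert.getEncoded())));
        }
        return factory.generateCertPath(jcaCerts);
    }

    /**
     * Verifies that {@code hostName} matches {@code certName} (a name taken from the
     * certificate) under the wildcard rules of {@link #hostMatches}.
     *
     * @param hostName requested host
     * @param certName name asserted by the certificate
     * @throws CertificateVerificationException if the names do not match
     */
    private static void checkWildcardName(String hostName, String certName) throws CertificateVerificationException {
        if (!hostMatches(hostName, certName)) {
            throw new CertificateVerificationException("Hostname in certificate differs from actually requested host.");
        }
    }

    /**
     * Label-wise, case-insensitive comparison of a requested host name with a name from a
     * certificate. The only wildcard honoured is a complete left-most label ({@code *.example.com});
     * it matches exactly one non-empty label and requires at least two further labels, so
     * {@code *.com} never matches. Wildcards in any other position, partial-label wildcards
     * ({@code f*.example.com}) and multi-level matches are rejected. Names without dots
     * (e.g. IPv6 literals) are compared as a single label.
     *
     * @param hostName requested host
     * @param certName name asserted by the certificate
     * @return {@code true} if {@code certName} covers {@code hostName}
     */
    private static boolean hostMatches(String hostName, String certName) {
        String[] host = hostName.split("\\.");
        String[] cert = certName.split("\\.");
        if (host.length == 0 || host.length != cert.length) {
            return false;
        }
        for (int i = 0; i < host.length; i++) {
            if (i == 0 && "*".equals(cert[0])) {
                // Wildcard label: must leave at least two real labels and must match a real label.
                if (cert.length < 3 || host[0].isEmpty()) {
                    return false;
                }
                continue;
            }
            if (!host[i].equalsIgnoreCase(cert[i])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds a {@link CertificateVerificationException} carrying {@code message} and, where the
     * exception type allows it, {@code cause}, so the underlying JCA failure is kept for diagnostics.
     *
     * @param message message for the new exception (may be {@code null})
     * @param cause underlying failure
     * @return the exception to throw
     */
    private static CertificateVerificationException wrap(String message, Throwable cause) {
        CertificateVerificationException ex = new CertificateVerificationException(message);
        try {
            ex.initCause(cause);
        } catch (IllegalStateException ignored) {
            // The project constructor already fixed a cause; keep the message-only exception.
        }
        return ex;
    }
}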
