package signgate.provider.ec.codec.util;

import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;

/* loaded from: input_file:signgate/provider/ec/codec/util/CertificateChainVerifier.class */
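/**
 * Verifies X.509 certificates and certificate chains against a set of trusted
 * certificates supplied by a {@link CertificateSource}.
 *
 * <p>Three entry points are offered: {@link #verify(X509Certificate)} accepts a
 * certificate only if a trusted CA certificate directly signed it;
 * {@link #verify(X509Certificate, CertificateSource)} additionally walks issuers
 * out of a second (untrusted) source until a trusted signer is reached; and
 * {@link #verifyChain(X509Certificate[])} checks a caller-supplied, leaf-first
 * chain link by link until a link is found in the trusted source.
 *
 * <p>Every certificate examined is checked for validity at the current time.
 * This class keeps no mutable state of its own; its thread-safety is that of
 * the underlying {@code CertificateSource}.
 */
public class CertificateChainVerifier {
    /** Index into {@link X509Certificate#getKeyUsage()} of the keyCertSign bit. */
    private static final int KEY_CERT_SIGN = 5;

    /** Source of trust anchors; never null. */
    private final CertificateSource trusted_;

    /**
     * Creates a verifier that treats the certificates in
     * {@code certificateSource} as trust anchors.
     *
     * @param certificateSource source of trusted certificates
     * @throws NullPointerException if {@code certificateSource} is null
     */
    public CertificateChainVerifier(CertificateSource certificateSource) {
        if (certificateSource == null) {
            throw new NullPointerException("Trusted cert source");
        }
        this.trusted_ = certificateSource;
    }

    /**
     * Verifies {@code x509Certificate} by walking its issuers until one of them
     * is signed by a trusted certificate.
     *
     * <p>At each step the trusted source is consulted first; if no trusted
     * certificate signed the current certificate, {@code certificateSource} is
     * searched for a currently valid CA issuer and the walk continues from
     * there. The walk fails when neither source yields an issuer, or when a
     * certificate is visited twice (a circular issuer relation).
     *
     * @param x509Certificate   the certificate to verify (leaf of the chain)
     * @param certificateSource source of untrusted intermediate certificates
     * @throws NullPointerException     if {@code x509Certificate} is null
     * @throws CertificateException     if the certificate or a found issuer is
     *                                  not currently valid, no trusted signer
     *                                  can be reached, a path-length constraint
     *                                  is violated, or the chain is circular
     * @throws GeneralSecurityException if signature verification fails for a
     *                                  reason other than a key or signature
     *                                  mismatch (e.g. unsupported algorithm)
     */
    public void verify(X509Certificate x509Certificate, CertificateSource certificateSource) throws GeneralSecurityException {
        if (x509Certificate == null) {
            throw new NullPointerException("Certificate");
        }
        x509Certificate.checkValidity();
        // Certificates already visited on this walk. A repeat visit means the
        // issuer relation loops back on itself (e.g. cross-signed CAs), which
        // would otherwise keep the walk going as long as a CA has no pathLen limit.
        HashSet seen = new HashSet(8);
        X509Certificate current = x509Certificate;
        // Depth of the issuer being looked for: 0 for the leaf's direct issuer,
        // 1 for that issuer's issuer, and so on; drives the pathLen checks.
        int depth = 0;
        while (seen.add(current)) {
            if (checkIssuer(current, this.trusted_, depth) != null) {
                return;
            }
            X509Certificate issuer = checkIssuer(current, certificateSource, depth);
            if (issuer == null) {
                fail("Untrusted certificate: %s", current);
            }
            current = issuer;
            depth++;
        }
        throw new CertificateException("Circular chain!");
    }

    /**
     * Verifies that {@code x509Certificate} is currently valid and was signed
     * directly by a CA certificate from the trusted source.
     *
     * @param x509Certificate the certificate to verify
     * @throws NullPointerException     if {@code x509Certificate} is null
     * @throws CertificateException     if the certificate is not currently
     *                                  valid, no trusted signer is found, or the
     *                                  signer is not a usable CA
     * @throws GeneralSecurityException if signature verification fails for a
     *                                  reason other than a key or signature
     *                                  mismatch
     */
    public void verify(X509Certificate x509Certificate) throws GeneralSecurityException {
        if (x509Certificate == null) {
            throw new NullPointerException("Certificate");
        }
        x509Certificate.checkValidity();
        if (checkIssuer(x509Certificate, this.trusted_, 0) == null) {
            fail("Untrusted certificate: %s", x509Certificate);
        }
    }

    /**
     * Verifies a leaf-first certificate chain.
     *
     * <p>Element 0 is the end-entity certificate and each element {@code i}
     * must be the issuer of element {@code i - 1}. Every link is checked for
     * current validity. Every issuer must carry the keyCertSign key-usage bit,
     * be a CA, have a path-length constraint that allows its position in the
     * chain, and have a subject equal to the issuer name of the certificate it
     * signs; the signature of each certificate is verified with its issuer's
     * public key. Verification stops successfully as soon as a link is found in
     * the trusted source (which may be element 0 itself).
     *
     * @param x509CertificateArr the chain, leaf first
     * @throws NullPointerException     if the array is null
     * @throws CertificateException     if the chain is empty, contains a null
     *                                  element, a link is not currently valid,
     *                                  a link fails one of the checks above, or
     *                                  no link is trusted
     * @throws GeneralSecurityException if a signature cannot be verified
     */
    public void verifyChain(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        if (x509CertificateArr == null) {
            throw new NullPointerException("Chain");
        }
        if (x509CertificateArr.length < 1 || x509CertificateArr[0] == null) {
            throw new CertificateException("Chain is empty or element 0 is null!");
        }
        X509Certificate child = x509CertificateArr[0];
        child.checkValidity();
        if (isTrusted(child)) {
            return;
        }
        for (int i = 1; i < x509CertificateArr.length; i++) {
            X509Certificate issuer = x509CertificateArr[i];
            if (issuer == null) {
                throw new CertificateException("Null cert at " + i);
            }
            issuer.checkValidity();
            boolean[] keyUsage = issuer.getKeyUsage();
            if (keyUsage == null || keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN]) {
                fail("Not a key signing certificate: %s", issuer);
            }
            int basicConstraints = issuer.getBasicConstraints();
            if (basicConstraints < 0) {
                fail("Chain contains non CA cert: %s", issuer);
            }
            // Element i has i - 1 CA certificates below it in this chain, so its
            // pathLenConstraint must be at least i - 1. Kept as a subtraction:
            // getBasicConstraints() returns Integer.MAX_VALUE for "no limit", and
            // adding 1 to that overflows and would reject every such CA.
            if (basicConstraints < i - 1) {
                fail("Chain too long at %s", issuer);
            }
            if (!child.getIssuerDN().equals(issuer.getSubjectDN())) {
                fail("Issuer vs. subject mismatch in cert: %s", child);
            }
            child.verify(issuer.getPublicKey());
            if (isTrusted(issuer)) {
                return;
            }
            // Advance one link so the next iteration checks this issuer against
            // its own issuer instead of re-checking the leaf.
            child = issuer;
        }
        fail("Chain of %s is not trusted!", x509CertificateArr[0]);
    }

    /**
     * Tells whether {@code x509Certificate} itself is one of the trusted
     * certificates.
     *
     * <p>The trusted source is queried by issuer name and serial number (which
     * together identify a certificate) and the certificate it returns must be
     * equal to the one given, so a different certificate that merely shares
     * those identifiers is not accepted.
     *
     * @param x509Certificate the certificate to look up; may be null
     * @return {@code true} if an equal certificate is in the trusted source,
     *         {@code false} otherwise (including for a null argument)
     */
    public boolean isTrusted(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return false;
        }
        X509Certificate anchor = this.trusted_.getCertificate(
                x509Certificate.getIssuerDN(), x509Certificate.getSerialNumber());
        return anchor != null && anchor.equals(x509Certificate);
    }

    /**
     * Searches {@code certificateSource} for a certificate that issued
     * {@code x509Certificate}.
     *
     * <p>Candidates are those the source returns for the certificate's issuer
     * name. A candidate that is not currently valid is reported on
     * {@code System.err} and skipped; a candidate whose key does not verify the
     * certificate's signature is skipped silently. The first candidate that
     * does verify the signature must be a CA whose pathLenConstraint allows
     * {@code depth} CA certificates below it, otherwise a
     * {@link CertificateException} is thrown.
     *
     * @param x509Certificate   the certificate whose issuer is wanted
     * @param certificateSource where to look for candidate issuers
     * @param depth             number of CA certificates between the issuer and
     *                          the end-entity certificate (0 for a direct issuer)
     * @return the issuer certificate, or {@code null} if no candidate verified
     *         the signature
     * @throws CertificateException     if the verifying candidate is not a CA or
     *                                  its path-length constraint is exceeded
     * @throws GeneralSecurityException if signature verification fails for a
     *                                  reason other than a key or signature
     *                                  mismatch (e.g. unsupported algorithm)
     */
    private X509Certificate checkIssuer(X509Certificate x509Certificate, CertificateSource certificateSource, int depth) throws GeneralSecurityException {
        // The meaning of the second argument is defined by CertificateSource and
        // is not visible here; it is passed through unchanged.
        Iterator candidates = certificateSource.certificates(x509Certificate.getIssuerDN(), 32);
        while (candidates.hasNext()) {
            X509Certificate candidate = (X509Certificate) candidates.next();
            try {
                candidate.checkValidity();
            } catch (CertificateException notCurrent) {
                // Only validity problems are a reason to skip quietly; the CA and
                // pathLen failures below must reach the caller.
                System.err.println("Warning, trusted cert is not current:\n" + candidate);
                continue;
            }
            try {
                x509Certificate.verify(candidate.getPublicKey());
            } catch (InvalidKeyException wrongKeyType) {
                continue; // key algorithm does not fit the signature; try the next candidate
            } catch (SignatureException noMatch) {
                continue; // same name, different key; try the next candidate
            }
            // NOTE(review): unlike verifyChain, the signer is not required to
            // carry the keyCertSign key-usage bit here.
            int basicConstraints = candidate.getBasicConstraints();
            if (basicConstraints < 0) {
                fail("Trusted cert is not a CA cert: %s", candidate);
            }
            if (basicConstraints < depth) {
                fail("Certificate chain too long (" + basicConstraints + " < " + depth + ") at %s", candidate);
            }
            return candidate;
        }
        return null;
    }

    /**
     * Throws a {@link CertificateException} whose message is {@code str} with
     * the first {@code %s} replaced by the issuer name and serial number of
     * {@code x509Certificate} (only those two fields, never the whole
     * certificate).
     *
     * <p>Always throws; callers that invoke it from inside an {@code if} rely
     * on that to stop execution.
     *
     * @param str             message template, optionally containing one {@code %s}
     * @param x509Certificate certificate to describe in the message
     * @throws CertificateException always
     */
    private void fail(String str, X509Certificate x509Certificate) throws CertificateException {
        String message = str;
        int marker = str.indexOf("%s");
        if (marker >= 0) {
            message = str.substring(0, marker)
                    + "issuer=\"" + x509Certificate.getIssuerDN().getName()
                    + "\", serial=" + x509Certificate.getSerialNumber()
                    + str.substring(marker + 2);
        }
        throw new CertificateException(message);
    }
}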
