package org.eclipse.californium.elements.util;

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/californium/elements/util/CertPathUtil.class */
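/**
 * Utility methods for checking, building and validating X.509 certificate
 * paths.
 * <p>
 * Chains are always handled leaf first, root last. Building a path only checks
 * the issuer/subject name linkage of the certificates; the cryptographic
 * verification of the signatures happens in
 * {@link #validateCertificatePath(boolean, CertPath, X509Certificate[])} via
 * the PKIX validator.
 * <p>
 * All methods are static and stateless.
 */
public class CertPathUtil {

    private static final Logger LOGGER = LoggerFactory.getLogger(CertPathUtil.class);
    /** Certificate type passed to {@link CertificateFactory#getInstance(String)}. */
    private static final String TYPE_X509 = "X.509";
    /** Extended key usage OID for TLS server authentication (id-kp-serverAuth). */
    private static final String SERVER_AUTHENTICATION = "1.3.6.1.5.5.7.3.1";
    /** Extended key usage OID for TLS client authentication (id-kp-clientAuth). */
    private static final String CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2";
    /** Index of the digitalSignature bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_SIGNATURE = 0;
    /** Index of the keyCertSign bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_CERTIFICATE_SIGNING = 5;

    /**
     * Checks whether a certificate may be used to verify the signature of
     * another certificate, i.e. whether it is a CA certificate.
     * <p>
     * The certificate must carry a basic-constraints extension marking it as a
     * CA. If it carries a key-usage extension, the keyCertSign bit must be set;
     * a certificate without a key-usage extension is accepted.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} if the certificate is usable for certificate signing
     * @throws NullPointerException if the certificate is {@code null}
     */
    public static boolean canBeUsedToVerifySignature(X509Certificate x509Certificate) {
        // getBasicConstraints() is negative when the certificate is not a CA
        if (x509Certificate.getBasicConstraints() < 0) {
            LOGGER.debug("certificate: {}, not for CA!", x509Certificate.getSubjectX500Principal());
            return false;
        }
        // read the key usage once; the accessor may hand out a fresh copy per call
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null || keyUsage[KEY_USAGE_CERTIFICATE_SIGNING]) {
            return true;
        }
        LOGGER.debug("certificate: {}, not for certificate signing!", x509Certificate.getSubjectX500Principal());
        return false;
    }

    /**
     * Checks whether a certificate may be used for TLS client or server
     * authentication.
     * <p>
     * If a key-usage extension is present, the digitalSignature bit must be
     * set. If an extended-key-usage extension is present and non-empty, it must
     * contain id-kp-clientAuth (client) or id-kp-serverAuth (server). A
     * certificate without these extensions is accepted.
     * <p>
     * A malformed extended-key-usage extension is logged and the certificate is
     * still accepted; callers needing a strict check must not rely on this
     * method alone.
     *
     * @param x509Certificate certificate to check
     * @param z {@code true} to check for client authentication, {@code false}
     *            to check for server authentication
     * @return {@code true} if the certificate is usable for the requested role
     * @throws NullPointerException if the certificate is {@code null}
     */
    public static boolean canBeUsedForAuthentication(X509Certificate x509Certificate, boolean z) {
        X500Principal subject = x509Certificate.getSubjectX500Principal();
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && !keyUsage[KEY_USAGE_SIGNATURE]) {
            LOGGER.debug("certificate: {}, not for signing!", subject);
            return false;
        }
        try {
            List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            if (extendedKeyUsage == null || extendedKeyUsage.isEmpty()) {
                LOGGER.debug("certificate: {}, no extkeyusage!", subject);
                return true;
            }
            LOGGER.trace("certificate: {}", subject);
            String requiredOid = z ? CLIENT_AUTHENTICATION : SERVER_AUTHENTICATION;
            boolean found = false;
            // no early exit: every OID is traced for diagnostics
            for (String oid : extendedKeyUsage) {
                LOGGER.trace("   extkeyusage {}", oid);
                if (requiredOid.equals(oid)) {
                    found = true;
                }
            }
            if (!found) {
                LOGGER.debug("certificate: {}, not for {}!", subject, z ? "client" : "server");
                return false;
            }
            return true;
        } catch (CertificateParsingException e) {
            // permissive on purpose: an unparsable extension does not reject the certificate
            LOGGER.warn("x509 certificate:", e);
            return true;
        }
    }

    /**
     * Creates a certificate path from the complete chain.
     *
     * @param list certificate chain, leaf first, root last
     * @return certificate path containing all certificates of the chain
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if the certificates do not form a chain
     */
    public static CertPath generateCertPath(List<X509Certificate> list) {
        if (list == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        return generateCertPath(list, list.size());
    }

    /**
     * Creates a certificate path from the first {@code i} certificates of the
     * chain.
     * <p>
     * The whole chain is checked first: the issuer of each certificate must be
     * the subject of the following one, and only the last certificate may be
     * self-signed. Only name linkage is checked here; signatures are verified by
     * {@link #validateCertificatePath(boolean, CertPath, X509Certificate[])}.
     * The path is then truncated to the first {@code i} certificates, which
     * allows dropping a trailing root the peer already trusts.
     *
     * @param list certificate chain, leaf first, root last
     * @param i number of leading certificates to include in the path
     * @return certificate path
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if {@code i} is negative or larger than
     *             the chain, if the certificates do not form a chain, or if no
     *             X.509 certificate factory is available
     */
    public static CertPath generateCertPath(List<X509Certificate> list, int i) {
        if (list == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        if (i > list.size()) {
            throw new IllegalArgumentException("size must not be larger then certificate chain!");
        }
        if (i < 0) {
            throw new IllegalArgumentException("size must not be negative!");
        }
        if (!list.isEmpty()) {
            verifyChainLinkage(list);
            if (i < list.size()) {
                // copy, so the path does not alias the caller's list
                list = new ArrayList<X509Certificate>(list.subList(0, i));
            }
        }
        try {
            return CertificateFactory.getInstance(TYPE_X509).generateCertPath(list);
        } catch (CertificateException e) {
            throw new IllegalArgumentException("could not create X.509 certificate factory", e);
        }
    }

    /**
     * Checks that the certificates are linked by name: the issuer of each
     * certificate must equal the subject of the next one, and only the last
     * certificate may be self-signed. Signatures are not verified here.
     *
     * @param chain non-empty certificate chain, leaf first
     * @throws IllegalArgumentException if the certificates do not form a chain
     */
    private static void verifyChainLinkage(List<X509Certificate> chain) {
        int last = chain.size() - 1;
        X500Principal expectedSubject = null;
        for (int index = 0; index <= last; index++) {
            X509Certificate cert = chain.get(index);
            X500Principal subject = cert.getSubjectX500Principal();
            LOGGER.debug("Current Subject DN: {}", subject.getName());
            if (expectedSubject != null && !expectedSubject.equals(subject)) {
                LOGGER.debug("Actual Issuer DN: {}", subject.getName());
                throw new IllegalArgumentException("Given certificates do not form a chain");
            }
            expectedSubject = cert.getIssuerX500Principal();
            LOGGER.debug("Expected Issuer DN: {}", expectedSubject.getName());
            // a self-signed certificate is only allowed as the root, i.e. the last one
            if (expectedSubject.equals(subject) && index != last) {
                throw new IllegalArgumentException("Given certificates do not form a chain, root is not the last!");
            }
        }
    }

    /**
     * Creates a certificate path truncated for validation by a peer with the
     * given trusted issuers.
     * <p>
     * If {@code list2} is non-empty, the path ends with the first certificate
     * whose issuer the peer trusts (the trusted issuer itself is not included);
     * if no certificate has a trusted issuer, the path is empty. If
     * {@code list2} is {@code null} or empty, the complete chain is used, except
     * that a trailing self-signed root is dropped.
     *
     * @param list certificate chain, leaf first, root last
     * @param list2 subjects of the certificates trusted by the peer, may be
     *            {@code null} or empty
     * @return truncated certificate path
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if the certificates do not form a chain
     */
    public static CertPath generateValidatableCertPath(List<X509Certificate> list, List<X500Principal> list2) {
        if (list == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        int chainSize = list.size();
        int pathSize = chainSize;
        if (chainSize > 0) {
            if (list2 != null && !list2.isEmpty()) {
                // keep certificates up to and including the first one with a trusted issuer
                pathSize = 0;
                for (int index = 0; index < chainSize; index++) {
                    if (list2.contains(list.get(index).getIssuerX500Principal())) {
                        pathSize = index + 1;
                        break;
                    }
                }
            }
            if (chainSize > 1 && pathSize == chainSize) {
                // full chain: a self-signed root only adds bytes, drop it
                X509Certificate root = list.get(chainSize - 1);
                if (root.getIssuerX500Principal().equals(root.getSubjectX500Principal())) {
                    pathSize = chainSize - 1;
                }
            }
        }
        return generateCertPath(list, pathSize);
    }

    /**
     * Validates a certificate path against trusted certificates with the PKIX
     * validator. Revocation checking (CRL/OCSP) is disabled.
     * <p>
     * Trust anchor selection:
     * <ul>
     * <li>empty {@code x509CertificateArr}: every path is accepted, its own last
     * certificate serves as trust anchor (a single non-self-signed certificate is
     * returned without validation);</li>
     * <li>{@code z == true} (client path): the path is cut after the first
     * certificate whose issuer is trusted, and that issuer is the anchor;</li>
     * <li>otherwise (server path): the trusted certificate matching the issuer,
     * or else the subject, of the last certificate is the anchor.</li>
     * </ul>
     * If no trusted certificate matches, {@code x509CertificateArr[0]} is used as
     * anchor so that PKIX validation fails with a proper exception.
     *
     * @param z {@code true} for a client's certificate path, {@code false} for
     *            a server's
     * @param certPath certificate path to validate
     * @param x509CertificateArr trusted certificates; empty to accept all
     * @return the validated path; for a client path the truncated path,
     *         otherwise the given one
     * @throws CertPathValidatorException if {@code x509CertificateArr} is
     *             {@code null} or validation fails
     * @throws GeneralSecurityException if the PKIX validator is unavailable or
     *             the parameters are invalid
     */
    public static CertPath validateCertificatePath(boolean z, CertPath certPath, X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        if (x509CertificateArr == null) {
            throw new CertPathValidatorException("certificates are not trusted!");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            return certPath;
        }
        List<X509Certificate> chain = toX509CertificatesList(certificates);
        int chainSize = chain.size();
        int lastIndex = chainSize - 1;
        X509Certificate lastCert = chain.get(lastIndex);
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        CertPath pathToValidate;
        if (x509CertificateArr.length == 0) {
            // accept all: anchor on the chain's own last certificate
            int pathSize = lastIndex;
            if (lastIndex == 0) {
                if (!lastCert.getIssuerX500Principal().equals(lastCert.getSubjectX500Principal())) {
                    // single non-self-signed certificate: nothing to validate against
                    return certPath;
                }
                pathSize = 1;
            }
            anchors.add(new TrustAnchor(lastCert, null));
            pathToValidate = generateCertPath(chain, pathSize);
        } else if (z) {
            // client: cut the path after the first certificate with a trusted issuer
            X509Certificate trustedIssuer = null;
            int pathSize = chainSize;
            for (int index = 0; index < chainSize; index++) {
                trustedIssuer = search(chain.get(index).getIssuerX500Principal(), x509CertificateArr);
                if (trustedIssuer != null) {
                    pathSize = index + 1;
                    break;
                }
            }
            anchors.add(new TrustAnchor(trustedIssuer != null ? trustedIssuer : x509CertificateArr[0], null));
            pathToValidate = generateCertPath(chain, pathSize);
            certPath = pathToValidate;
        } else {
            // server: anchor on the trusted certificate that issued, or is, the last certificate
            X509Certificate trusted = search(lastCert.getIssuerX500Principal(), x509CertificateArr);
            if (trusted == null) {
                trusted = search(lastCert.getSubjectX500Principal(), x509CertificateArr);
            }
            anchors.add(new TrustAnchor(trusted != null ? trusted : x509CertificateArr[0], null));
            pathToValidate = generateCertPath(chain, chainSize);
        }
        if (LOGGER.isDebugEnabled()) {
            List<X509Certificate> pathCerts = toX509CertificatesList(pathToValidate.getCertificates());
            LOGGER.debug("verify: certificate path {} (orig. {})", pathCerts.size(), certificates.size());
            for (X509Certificate cert : pathCerts) {
                LOGGER.debug("   cert: {}", cert.getSubjectX500Principal());
            }
            for (TrustAnchor anchor : anchors) {
                LOGGER.debug("   trust: {}", anchor.getTrustedCert().getIssuerX500Principal());
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters parameters = new PKIXParameters(anchors);
        // revocation is not checked here; callers needing CRL/OCSP must handle it elsewhere
        parameters.setRevocationEnabled(false);
        validator.validate(pathToValidate, parameters);
        return certPath;
    }

    /**
     * Converts a list of certificates into a list of X.509 certificates.
     *
     * @param list certificates
     * @return new list with the same certificates as {@link X509Certificate}
     * @throws NullPointerException if the list is {@code null}
     * @throws IllegalArgumentException if a certificate is not an X.509
     *             certificate
     */
    public static List<X509Certificate> toX509CertificatesList(List<? extends Certificate> list) {
        if (list == null) {
            throw new NullPointerException("Certificates list must not be null!");
        }
        List<X509Certificate> result = new ArrayList<X509Certificate>(list.size());
        for (Certificate certificate : list) {
            if (!(certificate instanceof X509Certificate)) {
                throw new IllegalArgumentException("Given certificate is not X.509! " + certificate);
            }
            result.add((X509Certificate) certificate);
        }
        return result;
    }

    /**
     * Extracts the subjects of the given certificates.
     *
     * @param list certificates, may be {@code null}
     * @return subjects in the order of the certificates; an empty list if
     *         {@code list} is {@code null}
     */
    public static List<X500Principal> toSubjects(List<X509Certificate> list) {
        if (list == null) {
            return Collections.emptyList();
        }
        List<X500Principal> subjects = new ArrayList<X500Principal>(list.size());
        for (X509Certificate certificate : list) {
            subjects.add(certificate.getSubjectX500Principal());
        }
        return subjects;
    }

    /**
     * Searches the certificate with the given subject.
     *
     * @param x500Principal subject to look for
     * @param x509CertificateArr certificates to search; {@code null} entries
     *            are skipped
     * @return the first certificate with that subject, or {@code null} if none
     */
    private static X509Certificate search(X500Principal x500Principal, X509Certificate[] x509CertificateArr) {
        for (X509Certificate candidate : x509CertificateArr) {
            if (candidate != null && x500Principal.equals(candidate.getSubjectX500Principal())) {
                return candidate;
            }
        }
        return null;
    }
}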
