package org.appng.core.security.signing;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.core.net.ssl.SslConfigurationDefaults;
import org.appng.core.security.signing.SigningException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/appng-core-2.0.0-SNAPSHOT.jar:org/appng/core/security/signing/CertChainValidator.class */
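/**
 * Validates a certificate chain (as read by {@code CertTools.addCerts}) against a truststore.
 * <p>
 * Every certificate of the truststore is treated as a potential {@link TrustAnchor}. A chain is
 * accepted when one of its members can be linked, via issuer/subject matching and a PKIX path
 * validation of each single hop, to a <em>self-signed</em> certificate of the truststore.
 * <p>
 * Security notes grounded in this implementation:
 * <ul>
 * <li>Revocation checking is disabled ({@code setRevocationEnabled(false)}): neither CRLs nor OCSP
 * are consulted, so a revoked certificate that still chains to a trusted anchor is accepted.</li>
 * <li>Only the path is validated; no hostname, key-usage or purpose checks are performed here.</li>
 * <li>The chain is accepted as soon as <em>any</em> of its members is trusted, not only the leaf.</li>
 * </ul>
 * Instances are not thread-safe during construction; after construction the trusted certificate
 * list is only read.
 */
public class CertChainValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(CertChainValidator.class);
    /** Password of the JDK's default {@code cacerts} truststore (the JDK-documented default). */
    private static final String DEFAULT_PASS = "changeit";
    /** Standard name of the PKIX certification path validation algorithm. */
    private static final String PKIX_ALGORITHM = "PKIX";
    /** All X.509 certificates found in the truststore; each one is a candidate trust anchor. */
    private List<X509Certificate> trustedCerts;

    /**
     * Creates a validator from a keystore stream.
     *
     * @param inputStream the keystore stream; it is closed by this constructor, even on failure
     * @param cArr        the keystore password
     * @throws SigningException if the keystore cannot be loaded
     */
    public CertChainValidator(InputStream inputStream, char[] cArr) throws SigningException {
        init(inputStream, cArr);
    }

    /**
     * Creates a validator backed by the JDK's {@code $JAVA_HOME/lib/security/cacerts} truststore,
     * opened with the default password.
     *
     * @throws SigningException      if the truststore cannot be loaded
     * @throws FileNotFoundException if the truststore file does not exist
     */
    CertChainValidator() throws SigningException, FileNotFoundException {
        File securityDir = new File(System.getProperty("java.home") + File.separatorChar + "lib" + File.separatorChar + "security");
        File cacerts = new File(securityDir, "cacerts");
        LOGGER.info("using truststore {}", cacerts.getAbsolutePath());
        init(new FileInputStream(cacerts), DEFAULT_PASS.toCharArray());
    }

    /**
     * Creates a validator from an already loaded keystore.
     *
     * @param keyStore the (loaded) truststore
     * @throws SigningException if the keystore entries cannot be read
     */
    CertChainValidator(KeyStore keyStore) throws SigningException {
        try {
            init(keyStore);
        } catch (KeyStoreException e) {
            throw new SigningException(SigningException.ErrorType.VERIFY, "error while loading keystore", e);
        }
    }

    /**
     * Loads a keystore of type {@link SslConfigurationDefaults#KEYSTORE_TYPE} from the given stream
     * and collects its certificates. The stream is always closed, also when loading fails (the
     * previous implementation leaked it on the error path).
     *
     * @param inputStream the keystore stream, may be {@code null} (an empty keystore is then created)
     * @param cArr        the keystore password
     * @throws SigningException if loading or reading the keystore fails
     */
    protected void init(InputStream inputStream, char[] cArr) throws SigningException {
        // try-with-resources skips close() for a null resource, which KeyStore.load() accepts.
        try (InputStream in = inputStream) {
            KeyStore keyStore = KeyStore.getInstance(SslConfigurationDefaults.KEYSTORE_TYPE);
            keyStore.load(in, cArr);
            init(keyStore);
        } catch (IOException | GeneralSecurityException e) {
            throw new SigningException(SigningException.ErrorType.VERIFY, "error while loading keystore", e);
        }
    }

    /**
     * Collects all X.509 certificates of the keystore as trust anchor candidates. Aliases that carry
     * no certificate, or a non-X.509 one, are skipped instead of producing a {@code null} anchor or
     * a {@link ClassCastException}.
     *
     * @param keyStore the loaded truststore
     * @throws KeyStoreException if the keystore entries cannot be read
     */
    protected void init(KeyStore keyStore) throws KeyStoreException {
        List<X509Certificate> certs = new ArrayList<>(keyStore.size());
        for (String alias : Collections.list(keyStore.aliases())) {
            Certificate cert = keyStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                certs.add((X509Certificate) cert);
            } else {
                LOGGER.debug("skipping alias '{}': no X.509 certificate", alias);
            }
        }
        this.trustedCerts = certs;
        LOGGER.debug("found {} certificates in truststore", certs.size());
    }

    /**
     * Validates the certificate chain read from the stream.
     * <p>
     * First, each certificate must be issued by its successor in the list. Then the chain is accepted
     * if any of its members can be linked to a self-signed certificate of the truststore.
     *
     * @param inputStream the stream the chain is read from
     * @return {@code true} if the chain is trusted, {@code false} otherwise (also for an empty chain,
     *         for non-X.509 entries and on any {@link GeneralSecurityException})
     */
    public boolean validateKeyChain(InputStream inputStream) {
        try {
            List<Certificate> certs = new ArrayList<>();
            CertTools.addCerts(inputStream, certs);
            List<X509Certificate> chain = toX509Chain(certs);
            if (chain.isEmpty()) {
                // the previous implementation threw IndexOutOfBoundsException here
                LOGGER.warn("no certificates found in keychain");
                return false;
            }
            // every certificate must be issued by the next one in the list
            for (int i = 0; i < chain.size() - 1; i++) {
                X509Certificate cert = chain.get(i);
                X509Certificate issuer = chain.get(i + 1);
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    LOGGER.error("'{}' should be signed by '{}', but is signed by '{}'", cert.getSubjectX500Principal(), issuer.getSubjectX500Principal(), cert.getIssuerX500Principal());
                    return false;
                }
            }
            for (X509Certificate cert : chain) {
                // a fresh visited-set per start certificate keeps the attempts independent
                if (validateKeyChain(cert, trustedCerts, new HashSet<X509Certificate>())) {
                    return true;
                }
                LOGGER.info("'{}' is not trusted, trying with issuer '{}'", cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
            }
            LOGGER.info("can not trust {}", chain.get(0).getSubjectX500Principal());
            return false;
        } catch (GeneralSecurityException e) {
            LOGGER.warn("error while validating keychain", e);
            return false;
        }
    }

    /**
     * Narrows the certificates to X.509, failing for anything else.
     *
     * @param certs the certificates as read from the input (element type as used by
     *              {@code CertTools.addCerts})
     * @return the same certificates as {@link X509Certificate}s, in order
     * @throws CertificateException if an element is {@code null} or not an X.509 certificate
     */
    private static List<X509Certificate> toX509Chain(List<Certificate> certs) throws CertificateException {
        List<X509Certificate> chain = new ArrayList<>(certs.size());
        for (Certificate cert : certs) {
            if (!(cert instanceof X509Certificate)) {
                throw new CertificateException("not an X.509 certificate: " + (cert == null ? "null" : cert.getType()));
            }
            chain.add((X509Certificate) cert);
        }
        return chain;
    }

    /**
     * Tries to link {@code cert} to a self-signed certificate of {@code anchors}.
     * <p>
     * For every anchor whose subject equals the issuer of {@code cert}, a single-certificate PKIX
     * path is validated against that anchor (signature and validity period are checked by the PKIX
     * validator; revocation is not). If that anchor is self-signed, {@code cert} is trusted;
     * otherwise the anchor itself is validated recursively. The {@code visited} set bounds the
     * recursion: cross-signed anchors forming a cycle would otherwise recurse without end.
     *
     * @param cert    the certificate to validate
     * @param anchors the trust anchor candidates (the truststore content)
     * @param visited certificates already examined in this attempt; updated by this method
     * @return {@code true} if a path to a self-signed anchor was found
     * @throws GeneralSecurityException if the PKIX validator or the certificate factory is unavailable
     */
    private boolean validateKeyChain(X509Certificate cert, List<X509Certificate> anchors, Set<X509Certificate> visited) throws GeneralSecurityException {
        if (!visited.add(cert)) {
            LOGGER.debug("'{}' was already examined, stopping here", cert.getSubjectX500Principal());
            return false;
        }
        LOGGER.debug("validating '{}' against truststore", cert.getSubjectX500Principal());
        CertificateFactory factory = CertTools.getX509CertFactory();
        CertPathValidator validator = CertPathValidator.getInstance(PKIX_ALGORITHM);
        // the path consists of the single certificate; the anchor is supplied via PKIXParameters
        CertPath path = factory.generateCertPath(Collections.singletonList(cert));
        // iterate from the end to keep the original anchor preference order
        for (int i = anchors.size() - 1; i >= 0; i--) {
            X509Certificate anchor = anchors.get(i);
            // X500Principal comparison replaces the deprecated getIssuerDN()/getSubjectDN() pair
            if (!cert.getIssuerX500Principal().equals(anchor.getSubjectX500Principal())) {
                continue;
            }
            PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
            // no CRL/OCSP lookup: revoked certificates are NOT rejected by this validator
            params.setRevocationEnabled(false);
            try {
                validator.validate(path, params);
            } catch (CertPathValidatorException e) {
                LOGGER.warn("error while validating certification path", e);
                continue;
            }
            if (isSelfSigned(anchor)) {
                LOGGER.debug("'{}' can be trusted (expires: {})", anchor.getSubjectX500Principal(), anchor.getNotAfter());
                return true;
            }
            if (!cert.equals(anchor)) {
                LOGGER.debug("validating '{}' via '{}'", cert.getSubjectX500Principal(), anchor.getSubjectX500Principal());
                if (validateKeyChain(anchor, anchors, visited)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Tells whether the certificate's signature verifies with its own public key.
     *
     * @param cert the certificate to check
     * @return {@code true} if self-signed, {@code false} if verification fails for any reason
     */
    private boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            // any verification failure (bad signature, unsupported algorithm, ...) means "not self-signed"
            return false;
        }
    }
}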
