package kz.gov.pki.provider.utils;

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.security.auth.x500.X500Principal;
import kz.gov.pki.kalkan.jce.provider.KalkanProvider;
import kz.gov.pki.kalkan.pkix.checker.KNCAOCSPChecker;
import kz.gov.pki.kalkan.x509.ExtendedPKIXBuilderParameters;
import kz.gov.pki.kalkan.x509.X509CertStoreSelector;
import kz.gov.pki.provider.exception.ProviderUtilException;
import kz.gov.pki.provider.exception.ProviderUtilExceptionCode;

/* loaded from: input_file:kz/gov/pki/provider/utils/PKIXUtil.class */
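/**
 * Builds and validates a PKIX certification path for a single target certificate
 * using the Kalkan provider.
 *
 * <p>Typical use is fluent: construct, call the {@code with...} methods, then
 * {@link #validate()}. Instances hold mutable configuration and perform no
 * synchronization.
 *
 * <p>Security-relevant behaviour that callers must be aware of:
 * <ul>
 *   <li><b>Trust comes from the supplied CA collection.</b> The trust anchor is the
 *       topmost certificate that can be reached from the target by following issuer
 *       names through that collection. It is not required to be self-signed, so every
 *       certificate passed in as a "CA certificate" must already be trusted by the
 *       caller.</li>
 *   <li><b>Issuers are looked up by subject DN only.</b> If two supplied CA
 *       certificates share a subject DN, the one iterated last replaces the other.</li>
 *   <li><b>Revocation checking is opt-in.</b> Without {@link #withCRL(Collection)}
 *       CRL-based revocation checking is switched off, and OCSP is only consulted
 *       after {@link #withOCSP()}. With neither, this class configures no revocation
 *       check at all.</li>
 *   <li><b>{@link #allowExpired()} moves the validation date</b> to the target's
 *       {@code notAfter} when the target has already expired.</li>
 * </ul>
 */
public class PKIXUtil {
    private KNCAOCSPChecker ocspChecker;
    private final X509Certificate targetCert;
    private final Collection<X509Certificate> caCertList;
    private List<PKIXCertPathChecker> checkerList;
    // null means "withCRL was never called": CRL revocation checking is disabled in validate().
    private Collection<X509CRL> crlList;
    private Date checkDate;
    // CA certificates keyed by subject DN; a later certificate with the same DN overwrites an earlier one.
    private final Map<X500Principal, X509Certificate> caCertsMap = new HashMap<>();
    // Chain found by the last validate() call, target first.
    private List<X509Certificate> certificateChain = new ArrayList<>();
    private boolean allowExpired = false;

    /**
     * Creates a validator for one certificate.
     *
     * @param x509Certificate the certificate to validate; dereferenced by {@link #validate()},
     *     so it must not be {@code null} by then
     * @param collection candidate issuer certificates; {@code null} is treated as empty. The
     *     collection is kept by reference, and every element is treated as trusted material
     *     (see the class documentation)
     */
    public PKIXUtil(X509Certificate x509Certificate, Collection<X509Certificate> collection) {
        this.targetCert = x509Certificate;
        this.caCertList = collection == null ? new ArrayList<>() : collection;
        for (X509Certificate caCert : this.caCertList) {
            this.caCertsMap.put(caCert.getSubjectX500Principal(), caCert);
        }
    }

    /**
     * Sets the date at which the path is validated and against which CRL freshness is
     * measured. Takes precedence over the date chosen by {@link #allowExpired()}.
     *
     * @param date validation date, or {@code null} to leave the date unset
     * @return this instance
     */
    public PKIXUtil withDate(Date date) {
        this.checkDate = date;
        return this;
    }

    /**
     * Adds an OCSP checker that is handed the CA certificates indexed by subject DN.
     *
     * @return this instance
     */
    public PKIXUtil withOCSP() {
        this.ocspChecker = new KNCAOCSPChecker(this.caCertsMap);
        return this;
    }

    /**
     * Sets additional path checkers; they are installed before the OCSP checker.
     *
     * @param list checkers to install, kept by reference
     * @return this instance
     */
    public PKIXUtil withExtraCheckers(List<PKIXCertPathChecker> list) {
        this.checkerList = list;
        return this;
    }

    /**
     * Enables CRL-based revocation checking with the given CRLs.
     *
     * <p>Calling this method at all turns the CRL requirement on: a {@code null} or empty
     * collection makes {@link #validate()} fail with {@code NO_CRL_LIST} instead of
     * silently skipping revocation.
     *
     * @param collection CRLs to use; {@code null} is treated as empty
     * @return this instance
     */
    public PKIXUtil withCRL(Collection<X509CRL> collection) {
        this.crlList = collection == null ? new ArrayList<>() : collection;
        return this;
    }

    /**
     * Allows an expired target certificate to validate by evaluating the path at the
     * target's {@code notAfter} instant. Has no effect on a certificate that is still
     * valid, and is overridden by {@link #withDate(Date)}.
     *
     * <p>CRL freshness is still measured against the {@link #withDate(Date)} value or the
     * current time, not against {@code notAfter}.
     *
     * @return this instance
     */
    public PKIXUtil allowExpired() {
        this.allowExpired = true;
        return this;
    }

    /**
     * Builds the issuer chain from the supplied CA certificates and runs PKIX path
     * building and validation through the Kalkan provider.
     *
     * @return the result of the provider's path builder
     * @throws ProviderUtilException {@code NO_CACERT_LIST} if no CA certificates were
     *     supplied; {@code ISSUER_CERT_NOT_FOUND} if the target's direct issuer is not among
     *     them; {@code NO_CRL_LIST} if {@link #withCRL(Collection)} was called without CRLs;
     *     {@code OUTDATED_CRL} if a CRL is past its {@code nextUpdate} or carries none;
     *     {@code PROVIDER_INVOCATION_FAILURE} or {@code CERTPATH_BUILDING_FAILURE} when the
     *     provider rejects the parameters or cannot build a valid path
     */
    public CertPathBuilderResult validate() throws ProviderUtilException {
        if (this.caCertList.isEmpty()) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.NO_CACERT_LIST);
        }
        LinkedList<X509Certificate> chain = buildChain(this.targetCert, this.caCertsMap);
        // Expose the chain target-first; the working copy below is reversed to anchor-first.
        this.certificateChain = new ArrayList<>(chain);
        Collections.reverse(chain);

        // The topmost certificate found becomes the sole trust anchor, self-signed or not.
        HashSet<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(chain.getFirst(), null));
        X509CertStoreSelector targetSelector = new X509CertStoreSelector();
        targetSelector.setCertificate(this.targetCert);

        // The cert store holds the chain (anchor first) followed by any CRLs.
        List<Object> storeContents = new ArrayList<>(chain);
        try {
            ExtendedPKIXBuilderParameters params = new ExtendedPKIXBuilderParameters(anchors, targetSelector);
            params.setSigProvider(KalkanProvider.PROVIDER_NAME);
            params.setUseDeltasEnabled(true);
            if (this.allowExpired && this.targetCert.getNotAfter().before(new Date())) {
                params.setDate(this.targetCert.getNotAfter());
            }
            // An explicit date wins over the allowExpired date.
            if (this.checkDate != null) {
                params.setDate(this.checkDate);
            }
            if (this.crlList == null) {
                // withCRL() was never called: no CRL revocation checking for this run.
                params.setRevocationEnabled(false);
            } else {
                if (this.crlList.isEmpty()) {
                    throw new ProviderUtilException(ProviderUtilExceptionCode.NO_CRL_LIST);
                }
                requireCurrentCrls(this.crlList, this.checkDate == null ? new Date() : this.checkDate);
                storeContents.addAll(this.crlList);
            }
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(storeContents), KalkanProvider.PROVIDER_NAME));
            // checkerList and ocspChecker may be null here when the matching with...() was not called.
            // NOTE(review): java.security.cert.PKIXParameters accepts null for both calls; confirm
            // that the Kalkan parameter class does not override them with stricter behaviour.
            params.setCertPathCheckers(this.checkerList);
            params.addCertPathChecker(this.ocspChecker);
            return CertPathBuilder.getInstance("PKIX", KalkanProvider.PROVIDER_NAME).build(params);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.PROVIDER_INVOCATION_FAILURE, e);
        } catch (CertPathBuilderException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CERTPATH_BUILDING_FAILURE, e);
        }
    }

    /**
     * Validates without CRLs; OCSP is consulted only when {@code z} is {@code true}.
     * With {@code z == false} this overload configures no revocation checking.
     *
     * @deprecated the instance API of this class covers the same configuration
     */
    @Deprecated
    public static CertPathBuilderResult validate(X509Certificate x509Certificate, Collection<X509Certificate> collection, boolean z) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, CertPathBuilderException, ProviderUtilException {
        return validate(x509Certificate, collection, new ArrayList<>(), null, z);
    }

    /**
     * Validates at the current time with the given CRLs.
     *
     * @deprecated the instance API of this class covers the same configuration
     */
    @Deprecated
    public static CertPathBuilderResult validate(X509Certificate x509Certificate, Collection<X509Certificate> collection, Collection<X509CRL> collection2, boolean z) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, CertPathBuilderException, ProviderUtilException {
        return validate(x509Certificate, collection, collection2, null, z);
    }

    /**
     * Static variant of path validation.
     *
     * <p>Its CRL handling is the opposite of {@link #validate()}: a {@code null} CRL
     * collection is an error ({@code NO_CRL_LIST}), while an <em>empty</em> one switches CRL
     * revocation checking off.
     *
     * @param x509Certificate the certificate to validate
     * @param collection candidate issuer certificates, all treated as trusted material
     * @param collection2 CRLs; empty disables CRL revocation checking
     * @param date validation date, or {@code null}; CRL freshness then uses the current time
     * @param z whether to add the OCSP checker
     * @return the result of the provider's path builder
     * @throws ProviderUtilException {@code NO_CACERT_LIST}, {@code ISSUER_CERT_NOT_FOUND},
     *     {@code NO_CRL_LIST} or {@code OUTDATED_CRL} (also for a CRL without {@code nextUpdate})
     * @deprecated the instance API of this class covers the same configuration
     */
    @Deprecated
    public static CertPathBuilderResult validate(X509Certificate x509Certificate, Collection<X509Certificate> collection, Collection<X509CRL> collection2, Date date, boolean z) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, CertPathBuilderException, ProviderUtilException {
        if (collection == null) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.NO_CACERT_LIST);
        }
        Map<X500Principal, X509Certificate> caBySubject = new HashMap<>();
        for (X509Certificate caCert : collection) {
            caBySubject.put(caCert.getSubjectX500Principal(), caCert);
        }
        LinkedList<X509Certificate> chain = buildChain(x509Certificate, caBySubject);
        Collections.reverse(chain);

        // The topmost certificate found becomes the sole trust anchor, self-signed or not.
        HashSet<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(chain.getFirst(), null));

        // CRLs are appended to storeContents after the store is created. This relies on
        // CollectionCertStoreParameters keeping a reference to the collection rather than a copy.
        // NOTE(review): confirm the Kalkan "Collection" CertStore reads the collection lazily.
        List<Object> storeContents = new ArrayList<>(chain);
        CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContents), KalkanProvider.PROVIDER_NAME);
        X509CertStoreSelector targetSelector = new X509CertStoreSelector();
        targetSelector.setCertificate(x509Certificate);
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", KalkanProvider.PROVIDER_NAME);
        ExtendedPKIXBuilderParameters params = new ExtendedPKIXBuilderParameters(anchors, targetSelector);
        params.setSigProvider(KalkanProvider.PROVIDER_NAME);
        params.addCertStore(certStore);
        params.setUseDeltasEnabled(true);
        params.setDate(date);
        if (z) {
            params.addCertPathChecker(new KNCAOCSPChecker(caBySubject));
        }
        if (collection2 == null) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.NO_CRL_LIST);
        }
        if (collection2.isEmpty()) {
            // Empty CRL list: CRL revocation checking is switched off for this run.
            params.setRevocationEnabled(false);
        } else {
            requireCurrentCrls(collection2, date == null ? new Date() : date);
            storeContents.addAll(collection2);
        }
        return certPathBuilder.build(params);
    }

    /**
     * Returns the chain found by the most recent {@link #validate()} call, target
     * certificate first. Empty until {@link #validate()} has located the chain.
     *
     * @return an unmodifiable view of the chain
     */
    public List<X509Certificate> getCertificateChain() {
        return Collections.unmodifiableList(this.certificateChain);
    }

    /**
     * Follows issuer names from the target upwards through the given CA certificates.
     * Stops at a certificate whose issuer equals its subject, or when no further issuer is
     * known. The loop is bounded by the number of CA certificates so that issuer names
     * referring to each other in a cycle cannot loop forever.
     *
     * @return the chain, target first, containing at least the target and its direct issuer
     * @throws ProviderUtilException {@code ISSUER_CERT_NOT_FOUND} if the target's direct
     *     issuer is not among the CA certificates
     */
    private static LinkedList<X509Certificate> buildChain(X509Certificate target, Map<X500Principal, X509Certificate> caBySubject) throws ProviderUtilException {
        LinkedList<X509Certificate> chain = new LinkedList<>();
        chain.add(target);
        X509Certificate issuer = caBySubject.get(target.getIssuerX500Principal());
        if (issuer == null) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.ISSUER_CERT_NOT_FOUND);
        }
        chain.add(issuer);
        for (int i = 0; i < caBySubject.size(); i++) {
            X509Certificate top = chain.peekLast();
            if (top.getIssuerX500Principal().equals(top.getSubjectX500Principal())) {
                break;
            }
            X509Certificate next = caBySubject.get(top.getIssuerX500Principal());
            if (next == null) {
                break;
            }
            chain.add(next);
        }
        return chain;
    }

    /**
     * Rejects CRLs that are not current at the given instant. A CRL without a
     * {@code nextUpdate} cannot be shown to be current and is rejected as well, rather
     * than failing with a {@link NullPointerException}.
     *
     * @throws ProviderUtilException {@code OUTDATED_CRL} for the first CRL that is not current
     */
    private static void requireCurrentCrls(Collection<X509CRL> crls, Date at) throws ProviderUtilException {
        for (X509CRL crl : crls) {
            Date nextUpdate = crl.getNextUpdate();
            if (nextUpdate == null || at.after(nextUpdate)) {
                throw new ProviderUtilException(ProviderUtilExceptionCode.OUTDATED_CRL);
            }
        }
    }
}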
