package org.nhindirect.stagent.trust;

import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nhindirect.stagent.CryptoExtensions;
import org.nhindirect.stagent.cert.CertificateResolver;
import org.nhindirect.stagent.cert.Thumbprint;
import org.nhindirect.stagent.mail.MimeStandard;

/* loaded from: input_file:org/nhindirect/stagent/trust/TrustChainValidator.class */
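/**
 * Decides whether an X.509 certificate chains to one of a caller-supplied set of trust anchors.
 *
 * <p>When certificate resolvers are configured, missing intermediate issuer certificates are
 * looked up through them before PKIX path validation is run.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Revocation is not checked. {@link #isTrusted} calls
 *       {@code PKIXParameters.setRevocationEnabled(false)}, so the {@code ocsp.enable} security
 *       property set in the static initializer has no effect on validation done here: a revoked
 *       certificate that still chains to an anchor is reported as trusted.</li>
 *   <li>The address used for resolver lookups is read from the certificate under validation,
 *       before that certificate has been validated. Resolvers will therefore be queried for
 *       whatever name the presented certificate carries; recursion depth is capped by
 *       {@code maxIssuerChainLength}, the number of candidates per level is not.</li>
 * </ul>
 */
public class TrustChainValidator {
    /** GeneralName type tag for rfc822Name, as reported by {@code getIssuerAlternativeNames()}. */
    private static final int RFC822Name_TYPE = 1;
    /** GeneralName type tag for dNSName, as reported by {@code getIssuerAlternativeNames()}. */
    private static final int DNSName_TYPE = 2;
    /** Default cap on how many issuer levels are resolved above the certificate being checked. */
    private static final int DEFAULT_MAX_ISSUER_CHAIN_LENGTH = 5;
    private static final Log LOGGER = LogFactory.getFactory().getInstance(TrustChainValidator.class);

    private Collection<CertificateResolver> certResolvers;
    // No setter exists in this class, so the effective limit is always the default.
    private int maxIssuerChainLength = DEFAULT_MAX_ISSUER_CHAIN_LENGTH;

    /**
     * Reports whether a resolver collection has been set.
     *
     * @return {@code true} if {@link #setCertificateResolver} was called with a non-null value
     */
    public boolean isCertificateResolver() {
        return this.certResolvers != null;
    }

    /**
     * Returns the configured resolvers.
     *
     * @return the same collection instance that was set (not a copy), or {@code null}
     */
    public Collection<CertificateResolver> getCertificateResolver() {
        return this.certResolvers;
    }

    /**
     * Sets the resolvers used to look up intermediate issuer certificates.
     *
     * @param collection resolvers to query; {@code null} disables intermediate resolution
     */
    public void setCertificateResolver(Collection<CertificateResolver> collection) {
        this.certResolvers = collection;
    }

    /**
     * Checks whether a certificate is trusted relative to a set of anchors.
     *
     * <p>A certificate whose thumbprint equals an anchor's thumbprint is accepted immediately,
     * without PKIX validation. Otherwise a path is built from the certificate plus any resolved
     * intermediates and validated with the PKIX algorithm, with revocation checking disabled.
     * Any exception raised on the way is logged and treated as "not trusted" (fail closed).
     *
     * @param x509Certificate the certificate to evaluate
     * @param collection the trust anchors; {@code null} or empty means nothing is trusted
     * @return {@code true} if the certificate is an anchor or validates to one
     * @throws IllegalArgumentException if {@code x509Certificate} is {@code null}
     */
    public boolean isTrusted(X509Certificate x509Certificate, Collection<X509Certificate> collection) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        if (collection == null || collection.isEmpty()) {
            return false;
        }
        try {
            if (isIssuerInAnchors(collection, x509Certificate)) {
                return true;
            }
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
            List<X509Certificate> certPath = new ArrayList<X509Certificate>();
            certPath.add(x509Certificate);
            if (this.certResolvers != null) {
                Collection<X509Certificate> intermediates = resolveIntermediateIssuers(x509Certificate, collection);
                if (intermediates != null && !intermediates.isEmpty()) {
                    certPath.addAll(intermediates);
                }
            }
            HashSet<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
            for (X509Certificate anchor : collection) {
                trustAnchors.add(new TrustAnchor(anchor, null));
            }
            PKIXParameters pkixParameters = new PKIXParameters(trustAnchors);
            // NOTE(review): revocation checking is switched off here, so neither CRLs nor OCSP are
            // consulted. Enabling it changes which certificates validate and needs a reachable
            // revocation source; decide this deliberately rather than relying on "ocsp.enable".
            pkixParameters.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX", CryptoExtensions.getJCEProviderName())
                    .validate(certificateFactory.generateCertPath(certPath), pkixParameters);
            return true;
        } catch (Exception e) {
            // Boundary catch: every failure (bad path, provider error, malformed anchor) is a
            // negative trust decision, never an implicit accept.
            LOGGER.warn("Certificate " + x509Certificate.getSubjectX500Principal().getName() + " is not trusted.", e);
            return false;
        }
    }

    /**
     * Collects intermediate issuer certificates for a certificate via the configured resolvers.
     *
     * @param x509Certificate the certificate whose issuers are wanted
     * @param collection the trust anchors, used to stop once an anchor is reached
     * @return the resolved intermediates in the order they were found; possibly empty
     */
    private Collection<X509Certificate> resolveIntermediateIssuers(X509Certificate x509Certificate, Collection<X509Certificate> collection) {
        List<X509Certificate> issuers = new ArrayList<X509Certificate>();
        resolveIntermediateIssuers(x509Certificate, issuers, collection);
        return issuers;
    }

    /**
     * Validates arguments and starts issuer resolution at depth 0.
     *
     * @param x509Certificate the certificate whose issuers are wanted
     * @param collection output collection that receives resolved issuers
     * @param collection2 the trust anchors
     * @throws IllegalArgumentException if the certificate or the output collection is {@code null}
     */
    private void resolveIntermediateIssuers(X509Certificate x509Certificate, Collection<X509Certificate> collection, Collection<X509Certificate> collection2) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        if (collection == null) {
            throw new IllegalArgumentException("Issuers collection cannot be null.");
        }
        resolveIssuers(x509Certificate, collection, 0, collection2);
    }

    /**
     * Tests whether a certificate is already present in a collection, matching on subject
     * name first and then on thumbprint.
     */
    private boolean isIssuerInCollection(Collection<X509Certificate> collection, X509Certificate x509Certificate) {
        for (X509Certificate candidate : collection) {
            if (x509Certificate.getSubjectX500Principal().equals(candidate.getSubjectX500Principal())
                    && Thumbprint.toThumbprint(candidate).equals(Thumbprint.toThumbprint(x509Certificate))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tests whether a certificate's thumbprint equals the thumbprint of any anchor.
     */
    private boolean isIssuerInAnchors(Collection<X509Certificate> collection, X509Certificate x509Certificate) {
        for (X509Certificate anchor : collection) {
            if (Thumbprint.toThumbprint(anchor).equals(Thumbprint.toThumbprint(x509Certificate))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Recursively resolves the issuer chain of a certificate through the configured resolvers.
     *
     * <p>Resolution stops when the certificate is self-issued, when an already collected
     * certificate has the issuer's subject name, when the depth limit is reached, or when no
     * issuer address can be derived. Callers must ensure {@code certResolvers} is non-null.
     *
     * @param x509Certificate the certificate whose issuer is being looked up
     * @param collection issuers collected so far; matching candidates are appended
     * @param i current depth, starting at 0
     * @param collection2 the trust anchors; a candidate that is an anchor is not added
     */
    private void resolveIssuers(X509Certificate x509Certificate, Collection<X509Certificate> collection, int i, Collection<X509Certificate> collection2) {
        X500Principal issuerPrincipal = x509Certificate.getIssuerX500Principal();
        if (issuerPrincipal.equals(x509Certificate.getSubjectX500Principal())) {
            return;
        }
        for (X509Certificate known : collection) {
            if (issuerPrincipal.equals(known.getSubjectX500Principal())) {
                return;
            }
        }
        if (i >= this.maxIssuerChainLength) {
            return;
        }
        // The lookup key comes from the certificate itself, which has not been validated yet.
        String issuerAddress = getIssuerAddress(x509Certificate);
        if (issuerAddress == null || issuerAddress.isEmpty()) {
            return;
        }
        List<X509Certificate> candidates = new ArrayList<X509Certificate>();
        for (CertificateResolver resolver : this.certResolvers) {
            try {
                Collection<X509Certificate> certificates = resolver.getCertificates(new InternetAddress(issuerAddress));
                if (certificates != null && !certificates.isEmpty()) {
                    candidates.addAll(certificates);
                }
            } catch (AddressException e) {
                // Best effort: an unparsable address just means this resolver contributes nothing.
                LOGGER.debug("Issuer address could not be parsed as an internet address; skipping resolver lookup.", e);
            }
        }
        if (candidates.isEmpty()) {
            return;
        }
        for (X509Certificate candidate : candidates) {
            // Only the subject name is compared here; signature linkage is left to PKIX validation.
            if (candidate.getSubjectX500Principal().equals(issuerPrincipal)
                    && !isIssuerInCollection(collection, candidate)
                    && !isIssuerInAnchors(collection2, candidate)) {
                collection.add(candidate);
                resolveIssuers(candidate, collection, i + 1, collection2);
            }
        }
    }

    /**
     * Derives the address under which a certificate's issuer should be looked up.
     *
     * <p>Preference order: an rfc822Name issuer alternative name (the last one listed wins),
     * then the first dNSName alternative name, then the text following {@code EMAILADDRESS=} in
     * the issuer distinguished name, then the text following {@code CN=}.
     *
     * @param x509Certificate the certificate whose issuer address is wanted
     * @return the derived address, or an empty string if none could be found
     */
    private String getIssuerAddress(X509Certificate x509Certificate) {
        String address = "";
        Collection<List<?>> altNames = null;
        try {
            altNames = x509Certificate.getIssuerAlternativeNames();
        } catch (CertificateParsingException e) {
            // Best effort: fall through to the distinguished-name parsing below.
            LOGGER.debug("Issuer alternative names could not be parsed; falling back to the issuer DN.", e);
        }
        if (altNames != null) {
            for (List<?> entry : altNames) {
                // Each entry is [Integer type, value]; anything shorter carries no value to read.
                if (entry.size() >= 2) {
                    int nameType = ((Integer) entry.get(0)).intValue();
                    if (nameType == RFC822Name_TYPE) {
                        address = (String) entry.get(1);
                    } else if (nameType == DNSName_TYPE && address.isEmpty()) {
                        address = (String) entry.get(1);
                    }
                }
            }
        }
        if (!address.isEmpty()) {
            return address;
        }
        X500Principal issuerPrincipal = x509Certificate.getIssuerX500Principal();
        HashMap<String, String> oidKeywords = new HashMap<String, String>();
        // 1.2.840.113549.1.9.1 is the PKCS#9 emailAddress attribute.
        oidKeywords.put("1.2.840.113549.1.9.1", "EMAILADDRESS");
        String name = issuerPrincipal.getName("RFC1779", oidKeywords);
        // NOTE(review): this is a plain substring search over the formatted DN, not a DN parse.
        // A marker occurring inside another attribute's value, or a quoted value that contains
        // the separator, would yield a wrong address - confirm this is acceptable for the
        // issuers this deployment expects.
        String marker = "EMAILADDRESS=";
        int start = name.indexOf(marker);
        if (start == -1) {
            marker = "CN=";
            start = name.indexOf(marker);
            if (start == -1) {
                return "";
            }
        }
        int end = name.indexOf(MimeStandard.MailAddressSeparator, start);
        return end > -1 ? name.substring(start + marker.length(), end) : name.substring(start + marker.length());
    }

    static {
        // JVM-wide setting: affects every PKIX validation in this process that has revocation
        // enabled. It does not make isTrusted() check revocation, because that method disables
        // revocation on its PKIXParameters.
        Security.setProperty("ocsp.enable", "true");
    }
}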
