package org.apache.wss4j.common.crypto;

import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-common-2.3.0.jar:org/apache/wss4j/common/crypto/CertificateStore.class */
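/**
 * A read-only {@code Crypto} implementation backed by an in-memory array of trusted
 * {@link X509Certificate}s.
 * <p>
 * The same array serves two purposes: it is searched when a certificate is looked up by
 * issuer/serial, SHA-1 thumbprint, subject key identifier or subject DN, and every entry
 * becomes a PKIX {@link TrustAnchor} (without name constraints) when a certificate path is
 * validated. No private keys are held, so every {@code getPrivateKey} variant returns
 * {@code null}.
 * <p>
 * Lookups return either {@code null} (no match, or no trusted certificates configured) or a
 * single-element array holding the first matching certificate.
 */
public class CertificateStore extends CryptoBase {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateStore.class);

    /** Trusted certificates; {@code null} when the store was constructed with {@code null}. */
    private final X509Certificate[] trustedCerts;

    /**
     * Creates a store over the given certificates.
     *
     * @param trustedCerts certificates to trust; the array is copied so that later changes to
     *                     the caller's array cannot alter this store
     */
    public CertificateStore(X509Certificate[] trustedCerts) {
        this.trustedCerts = trustedCerts == null ? null : trustedCerts.clone();
    }

    /**
     * Looks up a trusted certificate using the reference carried by {@code cryptoType}.
     *
     * @param cryptoType the lookup key; {@code null} yields {@code null}
     * @return a single-element array with the first matching certificate, or {@code null}
     * @throws WSSecurityException if a certificate cannot be encoded or the digest
     *                             algorithm is unavailable
     */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
        if (cryptoType == null) {
            return null;
        }
        switch (cryptoType.getType()) {
            case ISSUER_SERIAL:
                return getX509Certificates(cryptoType.getIssuer(), cryptoType.getSerial());
            case THUMBPRINT_SHA1:
                return getX509Certificates(cryptoType.getBytes());
            case SKI_BYTES:
                return getX509CertificatesSKI(cryptoType.getBytes());
            case ALIAS:
            case SUBJECT_DN:
                // ALIAS is treated exactly like SUBJECT_DN: the alias value itself is not consulted,
                // only the subject DN carried by the CryptoType.
                return getX509CertificatesSubjectDN(cryptoType.getSubjectDN());
            default:
                return null;
        }
    }

    /**
     * Returns the identifier used for a certificate: its subject DN in the legacy
     * {@code getSubjectDN()} string form. That form differs from
     * {@code getSubjectX500Principal().getName()}, so it is kept for compatibility with
     * callers that compare the identifier.
     */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public String getX509Identifier(X509Certificate x509Certificate) throws WSSecurityException {
        return x509Certificate.getSubjectDN().toString();
    }

    /** This store holds no private keys; always {@code null}. */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public PrivateKey getPrivateKey(X509Certificate x509Certificate, CallbackHandler callbackHandler) throws WSSecurityException {
        return null;
    }

    /** This store holds no private keys; always {@code null}. */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException {
        return null;
    }

    /** This store holds no private keys; always {@code null}. */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public PrivateKey getPrivateKey(String str, String str2) throws WSSecurityException {
        return null;
    }

    /**
     * Verifies that the first certificate in {@code certs} is trusted and that its subject DN
     * satisfies {@code subjectCertConstraints}.
     * <p>
     * A single certificate with revocation checking disabled is accepted as directly trusted
     * when a trusted certificate with the same issuer and serial number equals it. Otherwise a
     * PKIX path is validated against all trusted certificates as anchors: for a single
     * certificate the issuer is looked up by subject DN among the trusted certificates and
     * appended to the path; a longer chain is validated as given.
     *
     * @param certs                  the certificate chain, leaf first; must be non-empty
     * @param enableRevocation       whether PKIX revocation checking is enabled
     * @param subjectCertConstraints patterns the leaf subject DN must match (see
     *                               {@code matchesSubjectDnPattern})
     * @throws WSSecurityException with {@code FAILURE} if no path to a trusted certificate
     *                             can be built or validated, or with {@code FAILED_AUTHENTICATION}
     *                             if the subject DN constraints are not met
     */
    protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) throws WSSecurityException {
        if (certs == null || certs.length == 0 || certs[0] == null) {
            // Fail closed instead of surfacing an NPE/AIOOBE from certs[0] below.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No certificates to validate"});
        }
        X509Certificate leaf = certs[0];
        String subjectName = leaf.getSubjectX500Principal().getName();
        String issuerName = leaf.getIssuerX500Principal().getName();

        if (certs.length == 1 && !enableRevocation && isDirectlyTrusted(leaf)) {
            LOG.debug("Direct trust for certificate with {}", subjectName);
            return;
        }

        X509Certificate[] issuerCerts = new X509Certificate[0];
        if (certs.length == 1) {
            CryptoType issuerLookup = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
            issuerLookup.setSubjectDN(issuerName);
            issuerCerts = getX509Certificates(issuerLookup);
            if (issuerCerts == null || issuerCerts.length < 1) {
                LOG.debug("No certs found in keystore for issuer {} of certificate for {}", issuerName, subjectName);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No trusted certs found"});
            }
        }

        LOG.debug("Preparing to validate certificate path for issuer {}", issuerName);
        try {
            // PKIXParameters rejects an empty anchor set, so a store with no trusted
            // certificates fails here rather than validating anything.
            PKIXParameters params = new PKIXParameters(buildTrustAnchors());
            params.setRevocationEnabled(enableRevocation);
            X509Certificate[] path;
            if (issuerCerts.length > 0) {
                path = new X509Certificate[issuerCerts.length + 1];
                path[0] = leaf;
                System.arraycopy(issuerCerts, 0, path, 1, issuerCerts.length);
            } else {
                path = certs;
            }
            newCertPathValidator().validate(getCertificateFactory().generateCertPath(Arrays.asList(path)), params);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException
                 | CertPathValidatorException | CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "certpath", new Object[]{e.getMessage()});
        }
        // Only a validated certificate is checked against the subject constraints.
        if (!matchesSubjectDnPattern(leaf, subjectCertConstraints)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Checks whether a trusted certificate with {@code cert}'s issuer and serial number
     * exists and is equal to {@code cert}.
     */
    private boolean isDirectlyTrusted(X509Certificate cert) throws WSSecurityException {
        CryptoType lookup = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
        lookup.setIssuerSerial(cert.getIssuerX500Principal().getName(), cert.getSerialNumber());
        X509Certificate[] found = getX509Certificates(lookup);
        return found != null && found.length > 0 && found[0] != null && found[0].equals(cert);
    }

    /** Wraps every trusted certificate as a {@link TrustAnchor} without name constraints. */
    private Set<TrustAnchor> buildTrustAnchors() {
        Set<TrustAnchor> anchors = new HashSet<>();
        if (trustedCerts != null) {
            for (X509Certificate cert : trustedCerts) {
                anchors.add(new TrustAnchor(cert, null));
            }
        }
        return anchors;
    }

    /** Obtains a PKIX validator, from the configured crypto provider when one is set. */
    private CertPathValidator newCertPathValidator() throws NoSuchAlgorithmException, NoSuchProviderException {
        String provider = getCryptoProvider();
        if (provider == null || provider.isEmpty()) {
            return CertPathValidator.getInstance("PKIX");
        }
        return CertPathValidator.getInstance("PKIX", provider);
    }

    /**
     * Verifies trust as {@link #verifyTrust(X509Certificate[], boolean, Collection)} and
     * additionally requires the leaf issuer DN to match {@code issuerCertConstraints}.
     *
     * @throws WSSecurityException with {@code FAILED_AUTHENTICATION} if the issuer DN
     *                             constraints are not met
     */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws WSSecurityException {
        verifyTrust(certs, enableRevocation, subjectCertConstraints);
        if (!matchesIssuerDnPattern(certs[0], issuerCertConstraints)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * A public key is trusted only if it equals the public key of one of the trusted
     * certificates.
     *
     * @throws WSSecurityException with {@code FAILED_AUTHENTICATION} for a {@code null} key,
     *                             an empty/{@code null} store, or no matching certificate
     */
    @Override // org.apache.wss4j.common.crypto.Crypto
    public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
        if (publicKey == null || trustedCerts == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        for (X509Certificate cert : trustedCerts) {
            if (publicKey.equals(cert.getPublicKey())) {
                return;
            }
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }

    /**
     * Converts a DN string to the comparable form produced by {@code createBCX509Name}.
     * The string is first normalised through {@link X500Principal#getName()}; if it is not a
     * parseable DN it is wrapped as-is.
     */
    private Object parseDistinguishedName(String dn) throws WSSecurityException {
        try {
            return createBCX509Name(new X500Principal(dn).getName());
        } catch (IllegalArgumentException e) {
            // Not a DN X500Principal accepts; fall back to the raw string.
            return createBCX509Name(dn);
        }
    }

    /** Finds the first trusted certificate with the given issuer DN and serial number. */
    private X509Certificate[] getX509Certificates(String issuer, BigInteger serial) throws WSSecurityException {
        if (trustedCerts == null || serial == null) {
            return null;
        }
        Object issuerName = parseDistinguishedName(issuer);
        for (X509Certificate cert : trustedCerts) {
            if (cert.getSerialNumber().compareTo(serial) == 0
                    && createBCX509Name(cert.getIssuerX500Principal().getName()).equals(issuerName)) {
                return new X509Certificate[]{cert};
            }
        }
        return null;
    }

    /**
     * Finds the first trusted certificate whose DER encoding has the given SHA-1 digest.
     * SHA-1 is dictated by the {@code THUMBPRINT_SHA1} reference type, not chosen here.
     */
    private X509Certificate[] getX509Certificates(byte[] thumbprint) throws WSSecurityException {
        if (trustedCerts == null) {
            return null;
        }
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA1");
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "decoding.general");
        }
        for (X509Certificate cert : trustedCerts) {
            byte[] digest;
            try {
                sha1.update(cert.getEncoded());
                digest = sha1.digest(); // digest() also resets the instance for the next certificate
            } catch (CertificateEncodingException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "encodeError");
            }
            if (Arrays.equals(digest, thumbprint)) {
                return new X509Certificate[]{cert};
            }
        }
        return null;
    }

    /** Finds the first trusted certificate whose subject key identifier equals {@code ski}. */
    private X509Certificate[] getX509CertificatesSKI(byte[] ski) throws WSSecurityException {
        if (trustedCerts == null || ski == null) {
            return null;
        }
        for (X509Certificate cert : trustedCerts) {
            byte[] certSki = getSKIBytesFromCert(cert);
            if (certSki.length == ski.length && Arrays.equals(certSki, ski)) {
                return new X509Certificate[]{cert};
            }
        }
        return null;
    }

    /** Finds the first trusted certificate whose subject DN equals {@code subjectDn}. */
    private X509Certificate[] getX509CertificatesSubjectDN(String subjectDn) throws WSSecurityException {
        Object wanted = parseDistinguishedName(subjectDn);
        if (trustedCerts == null) {
            return null;
        }
        for (X509Certificate cert : trustedCerts) {
            if (wanted.equals(createBCX509Name(cert.getSubjectX500Principal().getName()))) {
                return new X509Certificate[]{cert};
            }
        }
        return null;
    }
}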
