package org.eclipse.milo.opcua.stack.client.security;

import com.google.common.collect.ImmutableSet;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.security.TrustListManager;
import org.eclipse.milo.opcua.stack.core.util.validation.CertificateValidationUtil;
import org.eclipse.milo.opcua.stack.core.util.validation.ValidationCheck;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/client/security/DefaultClientCertificateValidator.class */
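/**
 * Validates a peer's X.509 certificate chain against the trusted certificates, issuer
 * certificates and CRLs supplied by a {@link TrustListManager}.
 *
 * <p>The application URI and hostname checks in
 * {@link #validateCertificateChain(List, String, String...)} are enforced only when
 * {@link ValidationCheck#APPLICATION_URI} / {@link ValidationCheck#HOSTNAME} are present in the
 * configured check set. When they are absent, a failed check is logged at WARN level and the
 * certificate is still accepted.
 */
public class DefaultClientCertificateValidator implements ClientCertificateValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultClientCertificateValidator.class);
    private final TrustListManager trustListManager;
    private final ImmutableSet<ValidationCheck> validationChecks;

    /**
     * Creates a validator configured with {@link ValidationCheck#NO_OPTIONAL_CHECKS}.
     *
     * <p>NOTE(review): presumably that set contains neither {@code HOSTNAME} nor
     * {@code APPLICATION_URI} (confirm against {@code ValidationCheck}). If so, a validator built
     * with this constructor only warns on a hostname or application URI mismatch. Callers that
     * need those mismatches to fail the connection should pass the checks explicitly to the
     * two-argument constructor.
     *
     * @param trustListManager source of trusted/issuer certificates and CRLs, and sink for
     *     rejected certificates
     */
    public DefaultClientCertificateValidator(TrustListManager trustListManager) {
        this(trustListManager, ValidationCheck.NO_OPTIONAL_CHECKS);
    }

    /**
     * Creates a validator that enforces the given optional checks.
     *
     * @param trustListManager source of trusted/issuer certificates and CRLs, and sink for
     *     rejected certificates; must not be null
     * @param set the optional checks to enforce; copied, so later changes to the caller's set
     *     have no effect on this validator
     * @throws NullPointerException if either argument is null
     */
    public DefaultClientCertificateValidator(TrustListManager trustListManager, Set<ValidationCheck> set) {
        // Fail at construction rather than on the first handshake.
        this.trustListManager = Objects.requireNonNull(trustListManager, "trustListManager");
        this.validationChecks = ImmutableSet.copyOf(set);
    }

    /**
     * Builds a trusted certification path for the chain and validates it, using the trusted and
     * issuer CRLs from the trust list.
     *
     * <p>If validation fails, every certificate in {@code list} is handed to
     * {@link TrustListManager#addRejectedCertificate} before the exception is rethrown.
     *
     * @param list the certificate chain to validate
     * @throws UaException if no trusted path can be built or the path fails validation
     */
    public void validateCertificateChain(List<X509Certificate> list) throws UaException {
        try {
            PKIXCertPathBuilderResult trustedPath = CertificateValidationUtil.buildTrustedCertPath(
                list,
                this.trustListManager.getTrustedCertificates(),
                this.trustListManager.getIssuerCertificates());

            // Revocation data from both halves of the trust list is checked together.
            List<X509CRL> crls = new ArrayList<>();
            crls.addAll(this.trustListManager.getTrustedCrls());
            crls.addAll(this.trustListManager.getIssuerCrls());

            // NOTE(review): the meaning of the trailing 'false' is defined by
            // CertificateValidationUtil, not here - presumably "end entity is not a client
            // certificate"; confirm before changing.
            CertificateValidationUtil.validateTrustedCertPath(
                trustedPath.getCertPath(),
                trustedPath.getTrustAnchor(),
                crls,
                this.validationChecks,
                false);
        } catch (UaException e) {
            // Record the whole chain as rejected so an operator can review it, then propagate.
            list.forEach(this.trustListManager::addRejectedCertificate);
            throw e;
        }
    }

    /**
     * Validates the chain, then checks the first certificate in it against the expected
     * application URI and the acceptable hostnames / IP addresses.
     *
     * <p>A failed application URI or hostname check is fatal only when the corresponding
     * {@link ValidationCheck} is configured; otherwise it is logged and suppressed. Failures of
     * these two checks do not add the certificate to the rejected list.
     *
     * @param list the certificate chain; the certificate at index 0 is the one checked for
     *     application URI and hostname
     * @param str the expected application URI
     * @param strArr the hostnames or IP addresses the certificate is allowed to match
     * @throws UaException if chain validation fails, or if an enforced application URI or
     *     hostname check fails
     */
    @Override
    public void validateCertificateChain(List<X509Certificate> list, String str, String... strArr) throws UaException {
        validateCertificateChain(list);

        // NOTE(review): relies on the chain validation above having rejected an empty chain;
        // otherwise get(0) throws IndexOutOfBoundsException - confirm.
        X509Certificate endEntity = list.get(0);

        try {
            CertificateValidationUtil.checkApplicationUri(endEntity, str);
        } catch (UaException e) {
            if (this.validationChecks.contains(ValidationCheck.APPLICATION_URI)) {
                throw e;
            }
            LOGGER.warn("check suppressed: certificate failed application uri check: {} != {}", str, CertificateValidationUtil.getSubjectAltNameUri(endEntity));
        }

        try {
            CertificateValidationUtil.checkHostnameOrIpAddress(endEntity, strArr);
        } catch (UaException e) {
            if (this.validationChecks.contains(ValidationCheck.HOSTNAME)) {
                throw e;
            }
            LOGGER.warn("check suppressed: certificate failed hostname check: {}", endEntity.getSubjectX500Principal().getName());
        }
    }
}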
