package com.webauthn4j.validator.attestation.trustworthiness.certpath;

import com.webauthn4j.anchor.TrustAnchorProvider;
import com.webauthn4j.attestation.statement.CertificateBaseAttestationStatement;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.CertificateUtil;
import com.webauthn4j.validator.exception.CertificateException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.util.EnumSet;
import java.util.Set;

/* loaded from: input_file:com/webauthn4j/validator/attestation/trustworthiness/certpath/TrustAnchorCertPathTrustworthinessValidator.class */
/**
 * Checks that the certificate path carried in an attestation statement chains to one of the
 * trust anchors supplied by a {@link TrustAnchorProvider}.
 *
 * <p><b>Revocation checking is off by default.</b> Until
 * {@link #setRevocationCheckEnabled(boolean)} is called with {@code true}, the PKIX parameters
 * are built with revocation disabled, so a certificate that has been revoked by its issuer
 * still passes as long as the path itself is otherwise valid. Deployments that rely on
 * attestation to exclude compromised authenticator batches should turn the check on.
 *
 * <p>The revocation flag is a plain, unsynchronized field; set it while the validator is being
 * configured rather than while other threads may be validating.
 */
public class TrustAnchorCertPathTrustworthinessValidator implements CertPathTrustworthinessValidator {
    private final TrustAnchorProvider trustAnchorProvider;

    // Opt-in: left false, validate() disables PKIX revocation checking entirely.
    private boolean isRevocationCheckEnabled = false;

    /**
     * Creates a validator backed by the given trust anchor source.
     *
     * @param trustAnchorProvider source of the trust anchors; rejected by
     *     {@code AssertUtil.notNull} when {@code null}
     */
    public TrustAnchorCertPathTrustworthinessValidator(TrustAnchorProvider trustAnchorProvider) {
        AssertUtil.notNull(trustAnchorProvider, "trustAnchorProvider must not be null");
        this.trustAnchorProvider = trustAnchorProvider;
    }

    /**
     * Validates the {@code x5c} certificate path of the attestation statement against the
     * anchors returned by the provider.
     *
     * <p>With revocation checking enabled, the validator's own {@link PKIXRevocationChecker} is
     * configured with {@code PREFER_CRLS} only. Per the JDK contract for that option set, CRLs
     * are tried before OCSP, and because {@code SOFT_FAIL} is not set, an undeterminable
     * revocation status fails the validation rather than being ignored. This typically means
     * the host must be able to reach the relevant CRL or OCSP endpoints.
     *
     * @param certificateBaseAttestationStatement statement whose {@code x5c} is validated; it
     *     is dereferenced without a null check
     * @throws CertificateException if the path does not validate or the PKIX parameters are
     *     rejected; the underlying JCA exception is kept as the cause
     */
    @Override
    public void validate(CertificateBaseAttestationStatement certificateBaseAttestationStatement) {
        // The order of these four calls matches the original so that any failure surfaces
        // from the same step as before.
        CertPath certPath = certificateBaseAttestationStatement.getX5c().createCertPath();
        Set<TrustAnchor> trustAnchors = trustAnchorProvider.provide();
        CertPathValidator validator = CertificateUtil.createCertPathValidator();
        PKIXParameters params = CertificateUtil.createPKIXParameters(trustAnchors);

        if (!isRevocationCheckEnabled()) {
            // No CRL/OCSP lookup at all: revoked certificates are not detected on this branch.
            params.setRevocationEnabled(false);
        } else {
            PKIXRevocationChecker revocationChecker =
                    (PKIXRevocationChecker) validator.getRevocationChecker();
            // Only PREFER_CRLS is set; SOFT_FAIL is deliberately absent (hard-fail behaviour).
            revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(revocationChecker);
        }

        try {
            validator.validate(certPath, params);
        } catch (CertPathValidatorException pathFailure) {
            throw new CertificateException("invalid cert path", pathFailure);
        } catch (InvalidAlgorithmParameterException badParams) {
            throw new CertificateException("invalid algorithm parameter", badParams);
        }
    }

    /**
     * Reports whether certificate revocation is checked during {@link #validate}.
     *
     * @return {@code true} if revocation checking is enabled; {@code false} (the default)
     *     otherwise
     */
    public boolean isRevocationCheckEnabled() {
        return isRevocationCheckEnabled;
    }

    /**
     * Turns certificate revocation checking on or off for subsequent {@link #validate} calls.
     *
     * @param z {@code true} to check revocation status, {@code false} to skip it
     */
    public void setRevocationCheckEnabled(boolean z) {
        isRevocationCheckEnabled = z;
    }
}
