package com.floragunn.searchguard.ssl.util;

import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:WEB-INF/lib/search-guard-ssl-5.6.2-23.jar:com/floragunn/searchguard/ssl/util/CertificateValidator.class */
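/**
 * Validates an X.509 certificate chain against a set of trust anchors using the
 * JDK "PKIX" {@link CertPathBuilder} / {@link CertPathValidator}, with revocation
 * checking always switched on.
 *
 * <p>Trust comes either from a {@link KeyStore} or from an explicit array of
 * trusted certificates; revocation data comes from the optional static CRL
 * collection and, depending on the flags, CRL distribution points and OCSP.
 *
 * <p>Security-relevant behaviour a caller should be aware of:
 * <ul>
 *   <li>Revocation checking is hard-fail: no {@code SOFT_FAIL} option is set, so an
 *       unreachable CRL/OCSP source makes {@link #validate(Certificate[])} throw.</li>
 *   <li>By default only the end-entity certificate is revocation-checked
 *       ({@code checkOnlyEndEntities = true}); intermediates in the path are not.
 *       Use {@link #setCheckOnlyEndEntities(boolean)} to check the whole path.</li>
 *   <li>{@link #setEnableOCSP(boolean)} and {@link #setEnableCRLDP(boolean)} are applied
 *       by setting process-wide {@link Security}/{@link System} properties during
 *       {@link #validate(Certificate[])}. Those properties are never reset, so they
 *       affect every other PKIX validation in the JVM from then on.</li>
 *   <li>The OCSP responder URL configured via {@link #setOcspResponderURL(String)} is
 *       passed to the {@link PKIXRevocationChecker} (overriding the AIA extension) when
 *       OCSP is enabled.</li>
 * </ul>
 *
 * <p>NOTE(review): because an explicit {@link PKIXRevocationChecker} is added to the
 * parameters, the JDK's revocation checker options — not the {@code ocsp.enable}
 * security property — presumably decide whether OCSP is attempted; confirm against the
 * target JDK before relying on {@code setEnableOCSP(false)} to switch OCSP off.
 *
 * <p>This class is not thread-safe: configure it fully before sharing it for validation.
 */
public class CertificateValidator {
    /** Trust anchors as a key store; {@code null} when {@link #_trustedCert} is used instead. */
    private KeyStore _trustStore;
    /** Trust anchors as explicit certificates; {@code null} when {@link #_trustStore} is used. */
    private X509Certificate[] _trustedCert;
    /** Static CRLs added as a certificate store; may be {@code null} or empty. */
    private Collection<? extends CRL> _crls;
    /** Explicit OCSP responder; applied to the revocation checker only when OCSP is enabled. */
    private String _ocspResponderURL;
    /** Maximum number of non-self-issued intermediates; -1 means unconstrained (PKIX semantics). */
    private int _maxCertPathLength = -1;
    /** When true, sets {@code com.sun.security.enableCRLDP=true} on the JVM during validation. */
    private boolean _enableCRLDP = false;
    /** When true, sets the {@code ocsp.enable=true} security property during validation. */
    private boolean _enableOCSP = false;
    /** Maps to {@link PKIXRevocationChecker.Option#PREFER_CRLS}. */
    private boolean preferCrl = false;
    /** Maps to {@link PKIXRevocationChecker.Option#ONLY_END_ENTITY}; on by default. */
    private boolean checkOnlyEndEntities = true;
    /** Validity-check instant passed to the PKIX parameters; {@code null} means "now". */
    private Date date = null;

    /** @return whether CRLs are preferred over OCSP when both are available */
    boolean isPreferCrl() {
        return this.preferCrl;
    }

    /** @param z {@code true} to prefer CRLs over OCSP during revocation checking */
    public void setPreferCrl(boolean z) {
        this.preferCrl = z;
    }

    /** @return whether revocation is checked for the end-entity certificate only */
    boolean isCheckOnlyEndEntities() {
        return this.checkOnlyEndEntities;
    }

    /**
     * @param z {@code true} to revocation-check only the end-entity certificate,
     *          {@code false} to check every certificate in the built path
     */
    public void setCheckOnlyEndEntities(boolean z) {
        this.checkOnlyEndEntities = z;
    }

    /**
     * Creates a validator that trusts the certificates in the given key store.
     *
     * @param keyStore   trust store holding the trust anchors; must not be {@code null}
     * @param collection static CRLs to consult, or {@code null}
     * @throws InvalidParameterException if {@code keyStore} is {@code null}
     */
    public CertificateValidator(KeyStore keyStore, Collection<? extends CRL> collection) {
        if (keyStore == null) {
            throw new InvalidParameterException("TrustStore must be specified for CertificateValidator.");
        }
        this._trustStore = keyStore;
        this._crls = collection;
    }

    /**
     * Creates a validator that trusts exactly the given certificates.
     *
     * @param x509CertificateArr trust anchors; must be non-null and non-empty
     * @param collection         static CRLs to consult, or {@code null}
     * @throws InvalidParameterException if no trusted certificate is given
     */
    public CertificateValidator(X509Certificate[] x509CertificateArr, Collection<? extends CRL> collection) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new InvalidParameterException("trustedCert must be specified for CertificateValidator.");
        }
        this._trustedCert = x509CertificateArr;
        this._crls = collection;
    }

    /**
     * Builds and validates a certification path from the first certificate of
     * {@code certificateArr} to one of the configured trust anchors, with revocation
     * checking enabled.
     *
     * @param certificateArr the chain to validate; {@code null} entries are skipped, the
     *                       first non-null entry is the target (end-entity) certificate
     * @throws CertificateException  if the OCSP responder URL is malformed, or if path
     *                               building or validation fails for any
     *                               {@link GeneralSecurityException} reason (including
     *                               revocation status that cannot be determined)
     * @throws IllegalStateException if the chain is {@code null}, contains no certificate,
     *                               or contains a non-X.509 certificate
     */
    public void validate(Certificate[] certificateArr) throws CertificateException {
        // Validate configuration before touching the chain so a bad responder URL is
        // reported as such rather than surfacing as an obscure network failure.
        URI ocspResponder = ocspResponderUri();
        List<X509Certificate> chain = toX509Chain(certificateArr);
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(chain.get(0));

            PKIXRevocationChecker revocationChecker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            revocationChecker.setOptions(revocationOptions());
            if (ocspResponder != null) {
                revocationChecker.setOcspResponder(ocspResponder);
            }

            PKIXBuilderParameters params = this._trustStore != null
                    ? new PKIXBuilderParameters(this._trustStore, target)
                    : new PKIXBuilderParameters(trustAnchors(), target);
            params.addCertPathChecker(revocationChecker);
            params.setDate(this.date);
            // The supplied chain is the only source of intermediates for the builder.
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            params.setMaxPathLength(this._maxCertPathLength);
            params.setRevocationEnabled(true);
            if (this._crls != null && !this._crls.isEmpty()) {
                params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(this._crls)));
            }
            // Process-wide side effects; these are never reverted (see class Javadoc).
            if (this._enableOCSP) {
                Security.setProperty("ocsp.enable", "true");
            }
            if (this._enableCRLDP) {
                System.setProperty("com.sun.security.enableCRLDP", "true");
            }

            CertPath path = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("Unable to validate certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Narrows the supplied chain to its non-null X.509 members.
     *
     * @throws IllegalStateException if the chain is null/empty or holds a non-X.509 entry
     */
    private static List<X509Certificate> toX509Chain(Certificate[] certificateArr) {
        if (certificateArr == null) {
            throw new IllegalStateException("Invalid certificate chain");
        }
        List<X509Certificate> chain = new ArrayList<>(certificateArr.length);
        for (Certificate certificate : certificateArr) {
            if (certificate == null) {
                continue;
            }
            if (!(certificate instanceof X509Certificate)) {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            chain.add((X509Certificate) certificate);
        }
        if (chain.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }
        return chain;
    }

    /** Translates the boolean flags into the checker's option set. */
    private Set<PKIXRevocationChecker.Option> revocationOptions() {
        Set<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (this.preferCrl) {
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (this.checkOnlyEndEntities) {
            options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        return options;
    }

    /** Wraps the explicit trusted certificates as trust anchors (no name constraints). */
    private Set<TrustAnchor> trustAnchors() {
        Set<TrustAnchor> anchors = new HashSet<>(this._trustedCert.length);
        for (X509Certificate trusted : this._trustedCert) {
            anchors.add(new TrustAnchor(trusted, null));
        }
        return anchors;
    }

    /**
     * Parses the configured OCSP responder URL.
     *
     * @return the responder URI, or {@code null} when OCSP is disabled or no URL is set
     * @throws CertificateException if the configured URL is not a valid URI
     */
    private URI ocspResponderUri() throws CertificateException {
        if (!this._enableOCSP || this._ocspResponderURL == null || this._ocspResponderURL.trim().isEmpty()) {
            return null;
        }
        try {
            return new URI(this._ocspResponderURL);
        } catch (URISyntaxException e) {
            throw new CertificateException("Invalid OCSP responder URL: " + this._ocspResponderURL, e);
        }
    }

    /** @return the static CRL collection given at construction (the live reference), or {@code null} */
    public Collection<? extends CRL> getCrls() {
        return this._crls;
    }

    /** @return the maximum path length passed to PKIX; -1 means unconstrained */
    public int getMaxCertPathLength() {
        return this._maxCertPathLength;
    }

    /** @param i maximum number of non-self-issued intermediates; -1 for no limit */
    public void setMaxCertPathLength(int i) {
        this._maxCertPathLength = i;
    }

    /** @return whether CRL distribution point fetching is enabled */
    public boolean isEnableCRLDP() {
        return this._enableCRLDP;
    }

    /**
     * @param z {@code true} to set {@code com.sun.security.enableCRLDP=true} for the whole
     *          JVM on the next {@link #validate(Certificate[])}; it is never reset to false
     */
    public void setEnableCRLDP(boolean z) {
        this._enableCRLDP = z;
    }

    /** @return whether OCSP is enabled */
    public boolean isEnableOCSP() {
        return this._enableOCSP;
    }

    /**
     * @param z {@code true} to set the {@code ocsp.enable=true} security property for the
     *          whole JVM on the next {@link #validate(Certificate[])} and to apply the
     *          configured responder URL; the property is never reset to false
     */
    public void setEnableOCSP(boolean z) {
        this._enableOCSP = z;
    }

    /** @return the configured OCSP responder URL, or {@code null} */
    public String getOcspResponderURL() {
        return this._ocspResponderURL;
    }

    /**
     * @param str OCSP responder URL to use instead of the certificate's AIA extension;
     *            only applied when OCSP is enabled. Validated on the next
     *            {@link #validate(Certificate[])}, not here.
     */
    public void setOcspResponderURL(String str) {
        this._ocspResponderURL = str;
    }

    /** @return a copy of the configured validity-check date, or {@code null} for "now" */
    public Date getDate() {
        // Date is mutable; hand out a copy so callers cannot alter our state.
        return this.date == null ? null : (Date) this.date.clone();
    }

    /** @param date the instant at which validity is evaluated, or {@code null} for "now" */
    public void setDate(Date date) {
        // Defensive copy for the same reason as in getDate().
        this.date = date == null ? null : (Date) date.clone();
    }
}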
