package org.nhindirect.stagent.trust;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.nhindirect.common.crypto.CryptoExtensions;
import org.nhindirect.policy.PolicyProcessException;
import org.nhindirect.policy.x509.AuthorityInfoAccessExtentionField;
import org.nhindirect.policy.x509.AuthorityInfoAccessMethodIdentifier;
import org.nhindirect.stagent.NHINDException;
import org.nhindirect.stagent.cert.CertificateResolver;
import org.nhindirect.stagent.cert.Thumbprint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/agent-8.0.0.jar:org/nhindirect/stagent/trust/TrustChainValidator.class */
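/**
 * Decides whether an X.509 certificate is trusted with respect to a set of trust anchors.
 * <p>
 * A certificate is trusted when it is itself one of the anchors (same thumbprint, or same
 * subject key identifier <em>and</em> same public key), or when a PKIX certification path from
 * the certificate to one of the anchors validates. Missing intermediate issuers are fetched
 * on a best-effort basis from the certificate's Authority Information Access (caIssuers)
 * URLs and, failing that, from the configured {@link CertificateResolver}s keyed by the
 * issuer alternative name.
 * <p>
 * Everything passed to {@link #isTrusted} other than the anchors should be treated as
 * untrusted input: the certificate under test, its extensions, and anything downloaded from
 * the URLs it advertises. Revocation checking is disabled on the PKIX parameters built here.
 * <p>
 * Not thread-safe with respect to {@link #setCertificateResolver}; the validation itself holds
 * no mutable state.
 */
public class TrustChainValidator {
    /** GeneralName tag of an rfc822Name entry in {@link X509Certificate#getIssuerAlternativeNames()}. */
    private static final int RFC822Name_TYPE = 1;
    /** GeneralName tag of a dNSName entry in {@link X509Certificate#getIssuerAlternativeNames()}. */
    private static final int DNSName_TYPE = 2;
    /** Connect timeout, in milliseconds, applied to AIA downloads. */
    protected static final int DEFAULT_URL_CONNECTION_TIMEOUT = 10000;
    /** Read timeout, in milliseconds, applied to AIA downloads. */
    protected static final int DEFAULT_URL_READ_TIMEOUT = 10000;
    /** Upper bound on how many issuer hops {@link #resolveIssuers} follows. */
    private static final int DEFAULT_MAX_ISSUER_CHAIN_LENGTH = 5;
    /** OID of the subjectKeyIdentifier extension (RFC 5280, section 4.2.1.2). */
    private static final String SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";

    private static final Logger log = LoggerFactory.getLogger(TrustChainValidator.class);
    /** Prefix of an AIA access description that points at an issuer certificate, e.g. {@code caIssuers:}. */
    private static final String CA_ISSUER_CHECK_STRING = AuthorityInfoAccessMethodIdentifier.CA_ISSUERS.getName() + ":";

    private Collection<CertificateResolver> certResolvers = Collections.emptyList();
    private int maxIssuerChainLength = DEFAULT_MAX_ISSUER_CHAIN_LENGTH;

    static {
        // JVM-global side effect kept from the original: turns on the OCSP checker for PKIX.
        // Note that isTrusted() builds its PKIXParameters with revocation disabled, so this
        // property does not change the validation performed by this class.
        Security.setProperty("ocsp.enable", "true");
    }

    /**
     * Reports whether at least one certificate resolver is configured.
     *
     * @return {@code true} when the resolver collection is non-null and non-empty
     */
    public boolean isCertificateResolver() {
        return this.certResolvers != null && !this.certResolvers.isEmpty();
    }

    /**
     * Returns the resolvers used to look up issuer certificates (may be {@code null} if so set).
     *
     * @return the configured resolvers, as set; not copied
     */
    public Collection<CertificateResolver> getCertificateResolver() {
        return this.certResolvers;
    }

    /**
     * Sets the resolvers used to look up issuer certificates by issuer alternative name.
     *
     * @param collection the resolvers; {@code null} disables resolver-based lookup
     */
    public void setCertificateResolver(Collection<CertificateResolver> collection) {
        this.certResolvers = collection;
    }

    /**
     * Decides whether {@code x509Certificate} is trusted given {@code collection} as anchors.
     * <p>
     * The certificate is trusted if it is one of the anchors (see {@link #isIssuerInAnchors}), or
     * if a PKIX path built from the certificate plus any resolvable intermediates validates to
     * one of the anchors. Revocation is not checked. Any failure during validation is logged at
     * WARN and reported as "not trusted".
     *
     * @param x509Certificate the certificate under test; untrusted input
     * @param collection the trust anchors
     * @return {@code true} when trusted; {@code false} when the anchors are null/empty, when the
     *         path does not validate, or when validation throws
     * @throws IllegalArgumentException if {@code x509Certificate} is {@code null}
     */
    public boolean isTrusted(X509Certificate x509Certificate, Collection<X509Certificate> collection) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException();
        }
        if (collection == null || collection.isEmpty()) {
            return false;
        }
        try {
            // Fast path: the certificate is itself one of the anchors.
            if (isIssuerInAnchors(collection, x509Certificate)) {
                return true;
            }
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");

            // Path under validation: the certificate first, then whatever intermediates we found.
            List<X509Certificate> path = new ArrayList<>();
            path.add(x509Certificate);
            if (this.certResolvers != null) {
                Collection<X509Certificate> intermediates = resolveIntermediateIssuers(x509Certificate, collection);
                if (intermediates != null && !intermediates.isEmpty()) {
                    path.addAll(intermediates);
                }
            }

            HashSet<TrustAnchor> trustAnchors = new HashSet<>();
            for (X509Certificate anchor : collection) {
                trustAnchors.add(new TrustAnchor(anchor, null));
            }
            PKIXParameters pkixParameters = new PKIXParameters(trustAnchors);
            // Revocation (CRL/OCSP) is deliberately not consulted here; see the class note.
            pkixParameters.setRevocationEnabled(false);

            CertPathValidator validator = CertPathValidator.getInstance("PKIX",
                    CryptoExtensions.getJCEProviderNameForTypeAndAlgorithm("CertPathValidator", "PKIX"));
            validator.validate(certificateFactory.generateCertPath(path), pkixParameters);
            return true;
        } catch (Exception e) {
            log.warn("Certificate {} is not trusted.", x509Certificate.getSubjectX500Principal().getName(), e);
            return false;
        }
    }

    /**
     * Collects the intermediate issuers needed to chain {@code cert} towards {@code anchors}.
     *
     * @param cert the certificate whose issuers are wanted
     * @param anchors the trust anchors; resolution stops once one is reached
     * @return the resolved intermediates, in discovery order; never {@code null}
     */
    private Collection<X509Certificate> resolveIntermediateIssuers(X509Certificate cert, Collection<X509Certificate> anchors) {
        List<X509Certificate> issuers = new ArrayList<>();
        resolveIntermediateIssuers(cert, issuers, anchors);
        return issuers;
    }

    /**
     * Validates the arguments and starts issuer resolution at depth 0.
     *
     * @param cert the certificate whose issuers are wanted
     * @param issuers output collection that receives the resolved intermediates
     * @param anchors the trust anchors; must not be {@code null} (only checked by the callers)
     * @throws IllegalArgumentException if {@code cert} or {@code issuers} is {@code null}
     */
    private void resolveIntermediateIssuers(X509Certificate cert, Collection<X509Certificate> issuers, Collection<X509Certificate> anchors) {
        if (cert == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        if (issuers == null) {
            throw new IllegalArgumentException("Issuers collection cannot be null.");
        }
        resolveIssuers(cert, issuers, 0, anchors);
    }

    /**
     * Tells whether {@code cert} (same subject and same thumbprint) is already in {@code issuers}.
     *
     * @param issuers the certificates collected so far
     * @param cert the candidate
     * @return {@code true} if an identical certificate is present
     */
    private boolean isIssuerInCollection(Collection<X509Certificate> issuers, X509Certificate cert) {
        for (X509Certificate known : issuers) {
            if (cert.getSubjectX500Principal().equals(known.getSubjectX500Principal())
                    && Thumbprint.toThumbprint(known).equals(Thumbprint.toThumbprint(cert))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether {@code cert} is one of the anchors.
     * <p>
     * A certificate matches an anchor when the thumbprints are equal, or when both carry the
     * same subjectKeyIdentifier and hold the same public key (a re-issued anchor for the same
     * key). A subjectKeyIdentifier match alone is not accepted: the extension is a free-form,
     * unauthenticated value chosen by whoever created the certificate, so on its own it must
     * not short-circuit path validation for an untrusted certificate.
     *
     * @param anchors the trust anchors
     * @param cert the certificate to compare; untrusted input
     * @return {@code true} if {@code cert} is an anchor by either test
     * @throws IllegalArgumentException if a subjectKeyIdentifier extension cannot be decoded
     */
    private boolean isIssuerInAnchors(Collection<X509Certificate> anchors, X509Certificate cert) {
        ASN1Object certKeyId = getExtensionValue(cert, SUBJECT_KEY_IDENTIFIER_OID);
        for (X509Certificate anchor : anchors) {
            if (Thumbprint.toThumbprint(anchor).equals(Thumbprint.toThumbprint(cert))) {
                return true;
            }
            ASN1Object anchorKeyId = getExtensionValue(anchor, SUBJECT_KEY_IDENTIFIER_OID);
            if (certKeyId != null && anchorKeyId != null && anchorKeyId.equals(certKeyId)
                    && anchor.getPublicKey().equals(cert.getPublicKey())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Recursively resolves the issuer of {@code cert} and appends it to {@code issuers}.
     * <p>
     * Resolution stops when the certificate is self-signed, when its issuer is already in
     * {@code issuers}, when {@code depth} reaches the maximum chain length, when no candidate
     * issuer can be found, or when a candidate turns out to be one of the anchors (PKIX
     * validation takes over from there). Candidates come from the AIA caIssuers URLs first and
     * from the configured resolvers only when AIA yields nothing.
     *
     * @param cert the certificate whose issuer is wanted
     * @param issuers output collection receiving the resolved intermediates
     * @param depth current recursion depth, starting at 0
     * @param anchors the trust anchors; must not be {@code null}
     */
    protected void resolveIssuers(X509Certificate cert, Collection<X509Certificate> issuers, int depth, Collection<X509Certificate> anchors) {
        X500Principal issuerName = cert.getIssuerX500Principal();
        // Self-signed: there is no separate issuer to look for.
        if (issuerName.equals(cert.getSubjectX500Principal())) {
            return;
        }
        // The issuer was already collected on an earlier hop.
        for (X509Certificate known : issuers) {
            if (issuerName.equals(known.getSubjectX500Principal())) {
                return;
            }
        }
        if (depth >= this.maxIssuerChainLength) {
            return;
        }

        // Copy so that a subclass returning an unmodifiable collection does not break addAll.
        List<X509Certificate> candidates = new ArrayList<>(getIntermediateCertsByAIA(cert));
        if (candidates.isEmpty()) {
            candidates.addAll(lookupIssuerViaResolvers(cert));
        }
        if (candidates.isEmpty()) {
            return;
        }

        List<X509Certificate> nextHop = new ArrayList<>();
        for (X509Certificate candidate : candidates) {
            if (isIssuerInAnchors(anchors, candidate)) {
                // Reached an anchor: nothing more to add, PKIX validation will close the path.
                return;
            }
            if (candidate.getSubjectX500Principal().equals(issuerName) && !isIssuerInCollection(issuers, candidate)) {
                nextHop.add(candidate);
            }
        }
        for (X509Certificate issuer : nextHop) {
            issuers.add(issuer);
            resolveIssuers(issuer, issuers, depth + 1, anchors);
        }
    }

    /**
     * Asks each configured resolver for the certificates of {@code cert}'s issuer, keyed by the
     * issuer alternative name. Best effort: a resolver that throws is logged at DEBUG and skipped.
     *
     * @param cert the certificate whose issuer address is used for the lookup
     * @return the certificates returned by the resolvers; empty when there is no usable issuer
     *         address or no resolvers
     */
    private List<X509Certificate> lookupIssuerViaResolvers(X509Certificate cert) {
        List<X509Certificate> found = new ArrayList<>();
        String issuerAddress = getIssuerAddress(cert);
        if (issuerAddress == null || issuerAddress.isEmpty() || this.certResolvers == null) {
            return found;
        }
        for (CertificateResolver resolver : this.certResolvers) {
            try {
                Collection<X509Certificate> certs = resolver.getCertificates(new InternetAddress(issuerAddress));
                if (certs != null && !certs.isEmpty()) {
                    found.addAll(certs);
                }
            } catch (Exception e) {
                // Includes AddressException for an unparsable issuer address; the next resolver is still tried.
                log.debug("Could not resolve issuer certificates for {}.", issuerAddress, e);
            }
        }
        return found;
    }

    /**
     * Downloads the certificates referenced by the caIssuers entries of {@code cert}'s AIA extension.
     *
     * @param cert the certificate whose AIA extension is read
     * @return the downloaded certificates; empty when the extension is absent, unparsable, or every
     *         download fails (failures are logged at WARN)
     */
    protected Collection<X509Certificate> getIntermediateCertsByAIA(X509Certificate cert) {
        List<X509Certificate> found = new ArrayList<>();
        AuthorityInfoAccessExtentionField aiaField = new AuthorityInfoAccessExtentionField(false);
        try {
            aiaField.injectReferenceValue(cert);
            for (String accessDescription : aiaField.getPolicyValue().getPolicyValue()) {
                if (!accessDescription.startsWith(CA_ISSUER_CHECK_STRING)) {
                    continue;
                }
                String url = accessDescription.substring(CA_ISSUER_CHECK_STRING.length());
                try {
                    found.addAll(downloadCertsFromAIA(url));
                } catch (NHINDException e) {
                    log.warn("Intermediate cert cannot be resolved from AIA extension.", e);
                }
            }
        } catch (PolicyProcessException e) {
            log.warn("Intermediate cert cannot be resolved from AIA extension.", e);
        }
        return found;
    }

    /**
     * Opens a stream on an AIA URL with the default timeouts.
     * <p>
     * The URL comes from an untrusted certificate, so only {@code http} and {@code https} are
     * accepted; other handlers that {@link URL#openConnection()} would honour (e.g. {@code file},
     * {@code jar}) are rejected.
     *
     * @param url the caIssuers URL as advertised by the certificate
     * @return the open stream; the caller closes it
     * @throws IllegalArgumentException if the scheme is not http(s)
     * @throws IOException if the URL is malformed or the connection fails
     */
    private InputStream openAiaStream(String url) throws IOException {
        URL target = new URL(url);
        String scheme = target.getProtocol();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException("Unsupported AIA URL scheme: " + scheme);
        }
        URLConnection connection = target.openConnection();
        connection.setConnectTimeout(DEFAULT_URL_CONNECTION_TIMEOUT);
        connection.setReadTimeout(DEFAULT_URL_READ_TIMEOUT);
        return connection.getInputStream();
    }

    /**
     * Downloads a single X.509 certificate from an AIA URL.
     *
     * @param str the http(s) URL to fetch
     * @return the parsed certificate
     * @throws NHINDException if the URL is rejected, the download fails, or the content is not a certificate
     */
    protected X509Certificate downloadCertFromAIA(String str) throws NHINDException {
        try (InputStream in = openAiaStream(str)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (Exception e) {
            throw new NHINDException("Failed to download certificate from AIA extension.", e);
        }
    }

    /**
     * Downloads one or more X.509 certificates (a single DER/PEM certificate or a PKCS#7 bundle)
     * from an AIA URL.
     *
     * @param str the http(s) URL to fetch
     * @return the parsed certificates, in the order the factory produced them
     * @throws NHINDException if the URL is rejected, the download fails, or the content cannot be parsed
     */
    protected Collection<X509Certificate> downloadCertsFromAIA(String str) throws NHINDException {
        try (InputStream in = openAiaStream(str)) {
            Collection<? extends Certificate> parsed = CertificateFactory.getInstance("X.509").generateCertificates(in);
            List<X509Certificate> certs = new ArrayList<>(parsed.size());
            for (Certificate c : parsed) {
                certs.add((X509Certificate) c);
            }
            return certs;
        } catch (Exception e) {
            throw new NHINDException("Failed to download certificates from AIA extension (URL: " + str + ")", e);
        }
    }

    /**
     * Extracts an address for the issuer from the issuer alternative names extension.
     * <p>
     * An rfc822Name entry always wins (the last one seen if there are several); a dNSName entry is
     * used only while no rfc822Name has been seen.
     *
     * @param cert the certificate whose issuer alternative names are read
     * @return the address, or the empty string when the extension is absent, unparsable, or has no usable entry
     */
    private String getIssuerAddress(X509Certificate cert) {
        Collection<List<?>> altNames;
        try {
            altNames = cert.getIssuerAlternativeNames();
        } catch (CertificateParsingException e) {
            log.debug("Unable to parse issuer alternative names of {}.", cert.getSubjectX500Principal().getName(), e);
            return "";
        }
        if (altNames == null) {
            return "";
        }
        String address = "";
        for (List<?> name : altNames) {
            if (name.size() < 2) {
                continue;
            }
            // Per X509Certificate#getIssuerAlternativeNames, element 0 is the GeneralName tag and
            // element 1 is a String for the rfc822Name and dNSName tags.
            int nameType = ((Integer) name.get(0)).intValue();
            if (nameType == RFC822Name_TYPE) {
                address = (String) name.get(1);
            } else if (nameType == DNSName_TYPE && address.isEmpty()) {
                address = (String) name.get(1);
            }
        }
        return address;
    }

    /**
     * Decodes the value of an extension into its inner ASN.1 object.
     *
     * @param cert the certificate
     * @param oid the extension OID
     * @return the decoded value, or {@code null} if the certificate has no such extension
     * @throws IllegalArgumentException if the extension bytes cannot be decoded
     */
    private ASN1Object getExtensionValue(X509Certificate cert, String oid) {
        byte[] encoded = cert.getExtensionValue(oid);
        return encoded == null ? null : getObject(encoded);
    }

    /**
     * Unwraps the DER OCTET STRING that {@link X509Certificate#getExtensionValue} returns and
     * decodes the ASN.1 object it contains.
     *
     * @param encoded the raw extension value
     * @return the decoded inner object
     * @throws IllegalArgumentException on any decoding failure (wrapped cause preserved)
     */
    private ASN1Object getObject(byte[] encoded) {
        try (ASN1InputStream outer = new ASN1InputStream(encoded)) {
            ASN1OctetString wrapper = (ASN1OctetString) outer.readObject();
            try (ASN1InputStream inner = new ASN1InputStream(wrapper.getOctets())) {
                return inner.readObject();
            }
        } catch (Exception e) {
            throw new IllegalArgumentException("Exception processing data ", e);
        }
    }
}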
