package com.ibm.security.validator;

import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:efixes/PK42528_Linux_ppc32/components/prereq.jdk/update.jar:/java/jre/lib/ibmpkcs.jar:com/ibm/security/validator/PKIXValidator.class */
/**
 * {@link Validator} implementation that checks X.509 certificate chains with the
 * JCA PKIX {@link CertPathValidator} and {@link CertPathBuilder}.
 *
 * <p>Notes for anyone reviewing how trust is decided here:
 * <ul>
 *   <li>The collection-based constructor turns revocation checking off on the
 *       parameter template (see {@code setDefaultParameters}). The
 *       parameters-based constructor leaves the caller's settings untouched.</li>
 *   <li>A leaf certificate that is itself in the trusted set is returned by
 *       {@code engineValidate} without any call to the PKIX validator or builder.</li>
 *   <li>{@link #getTrustedCertificates()} and {@link #getParameters()} return the
 *       live internal objects, not copies, and a {@code Set} passed to the
 *       collection-based constructor is adopted without copying. The trust-anchor
 *       set and the trusted-subject set are computed once at construction time, so
 *       later changes to the certificate set are not reflected in them.</li>
 * </ul>
 */
public final class PKIXValidator extends Validator {
    // Not referenced anywhere else in this decompiled listing.
    private static final boolean TRY_VALIDATOR = true;
    // Certificates treated as directly trusted; may be the caller's own Set instance.
    private final Set<X509Certificate> trustedCerts;
    // Template that is cloned for every validation or build run.
    private final PKIXBuilderParameters parameterTemplate;
    // Subject names of all trusted certificates, filled in by initCommon().
    private Set<X500Principal> trustedSubjects;
    // X.509 factory used to turn certificate arrays into CertPath objects.
    private CertificateFactory factory;

    /**
     * Creates a validator whose trust anchors are the given certificates.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @param str passed through to the {@link Validator} superclass and to
     *     {@code setDefaultParameters}; presumably the validation variant,
     *     confirm against {@code Validator}
     * @param collection the trusted certificates; every element is cast to
     *     {@link X509Certificate}. A {@code Set} is stored as-is, any other
     *     collection is copied into a new {@code HashSet}.
     * @throws RuntimeException if the PKIX parameters cannot be created
     */
    public PKIXValidator(String str, Collection collection) {
        super(Validator.TYPE_PKIX, str);
        this.trustedCerts = (collection instanceof Set)
                ? (Set<X509Certificate>) collection
                : new HashSet<X509Certificate>(collection);
        // One TrustAnchor per supplied certificate, without name constraints.
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Object cert : collection) {
            anchors.add(new TrustAnchor((X509Certificate) cert, null));
        }
        try {
            this.parameterTemplate = new PKIXBuilderParameters(anchors, (CertSelector) null);
            setDefaultParameters(str);
            initCommon();
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Unexpected error: " + e.toString(), e);
        }
    }

    /**
     * Creates a validator that uses the caller's PKIX parameters as its template.
     * The parameters object is stored by reference and its settings (including
     * revocation checking) are left exactly as supplied.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @param str passed through to the {@link Validator} superclass
     * @param pKIXBuilderParameters the parameters whose trust anchors define the
     *     trusted set; anchors that carry no certificate are skipped when the
     *     trusted-certificate set is collected
     */
    public PKIXValidator(String str, PKIXBuilderParameters pKIXBuilderParameters) {
        super(Validator.TYPE_PKIX, str);
        this.trustedCerts = new HashSet<X509Certificate>();
        for (TrustAnchor anchor : pKIXBuilderParameters.getTrustAnchors()) {
            X509Certificate anchorCert = anchor.getTrustedCert();
            if (anchorCert == null) {
                continue;
            }
            this.trustedCerts.add(anchorCert);
        }
        this.parameterTemplate = pKIXBuilderParameters;
        initCommon();
    }

    /**
     * Shared constructor tail: snapshots the subject names of the trusted
     * certificates and obtains the X.509 certificate factory.
     *
     * @throws RuntimeException if no X.509 {@link CertificateFactory} is available
     */
    private void initCommon() {
        this.trustedSubjects = new HashSet<X500Principal>();
        for (X509Certificate cert : this.trustedCerts) {
            this.trustedSubjects.add(cert.getSubjectX500Principal());
        }
        try {
            this.factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new RuntimeException("Internal error", e);
        }
    }

    /**
     * Returns the trusted certificates.
     *
     * @return the internal set itself (no defensive copy is made here)
     */
    @Override // com.ibm.security.validator.Validator
    public Collection getTrustedCertificates() {
        return this.trustedCerts;
    }

    /**
     * Applies the defaults used by the collection-based constructor.
     * Revocation checking is disabled on the template, so validators built that
     * way do not check revocation unless the parameters are changed afterwards.
     *
     * @param str unused in this method
     */
    private void setDefaultParameters(String str) {
        this.parameterTemplate.setRevocationEnabled(false);
    }

    /**
     * Returns the PKIX parameter template.
     *
     * @return the live template object; each validation clones it, so changes made
     *     through this reference affect validations that start afterwards
     */
    public PKIXBuilderParameters getParameters() {
        return this.parameterTemplate;
    }

    /**
     * Validates a certificate chain against the trusted certificates.
     *
     * <p>The chain is first scanned for a directly trusted certificate. If none is
     * found, the last certificate decides the strategy: path validation when its
     * issuer is a trusted subject and it is not self-issued, path building otherwise.
     *
     * @param x509CertificateArr the chain, leaf first
     * @param collection additional certificates offered to the path builder; may be null
     * @param obj not used by this implementation
     * @return the validated chain
     * @throws CertificateException if the chain is null or empty, or if validation fails
     */
    @Override // com.ibm.security.validator.Validator
    X509Certificate[] engineValidate(X509Certificate[] x509CertificateArr, Collection collection, Object obj) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        for (int idx = 0; idx < x509CertificateArr.length; idx++) {
            if (!this.trustedCerts.contains(x509CertificateArr[idx])) {
                continue;
            }
            if (idx == 0) {
                // The leaf itself is trusted: it is returned as-is, and neither
                // doValidate nor doBuild runs on this branch.
                return new X509Certificate[] {x509CertificateArr[0]};
            }
            // Validate only the certificates that precede the trusted one.
            X509Certificate[] prefix = new X509Certificate[idx];
            System.arraycopy(x509CertificateArr, 0, prefix, 0, idx);
            return doValidate(prefix);
        }
        X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
        X500Principal issuer = last.getIssuerX500Principal();
        // Validate directly only when the issuer is a known trusted subject and the
        // last certificate is not self-issued; every other case goes to the builder.
        if (this.trustedSubjects.contains(issuer) && !issuer.equals(last.getSubjectX500Principal())) {
            return doValidate(x509CertificateArr);
        }
        return doBuild(x509CertificateArr, collection);
    }

    /**
     * Converts a certification path plus its trust anchor into an array, with the
     * anchor's certificate appended as the last element.
     *
     * @param certPath the validated or built path
     * @param trustAnchor the anchor the path chains to
     * @return the path certificates followed by the anchor certificate
     * @throws CertificateException if the anchor carries no certificate
     */
    private static X509Certificate[] toArray(CertPath certPath, TrustAnchor trustAnchor) throws CertificateException {
        List<?> pathCerts = certPath.getCertificates();
        // One extra slot at the end is reserved for the anchor certificate.
        X509Certificate[] result = new X509Certificate[pathCerts.size() + 1];
        pathCerts.toArray(result);
        X509Certificate anchorCert = trustAnchor.getTrustedCert();
        if (anchorCert == null) {
            throw new ValidatorException("TrustAnchor must be specified as certificate");
        }
        result[result.length - 1] = anchorCert;
        return result;
    }

    /**
     * Copies this validator's validation date, when one is set, onto the given
     * parameters. Nothing is changed when no date is set.
     *
     * @param pKIXBuilderParameters the per-run parameters to update
     */
    private void setDate(PKIXBuilderParameters pKIXBuilderParameters) {
        // Read the inherited field once so the null check and the use see the same value.
        Date when = this.validationDate;
        if (when == null) {
            return;
        }
        pKIXBuilderParameters.setDate(when);
    }

    /**
     * Runs PKIX path validation on the chain exactly as given.
     *
     * @param x509CertificateArr the certificates to validate, leaf first
     * @return the validated path followed by the trust anchor certificate
     * @throws CertificateException (a {@code ValidatorException}) wrapping any
     *     security failure raised while validating
     */
    private X509Certificate[] doValidate(X509Certificate[] x509CertificateArr) throws CertificateException {
        try {
            // Work on a clone so the shared template is not modified by this run.
            PKIXBuilderParameters runParams = (PKIXBuilderParameters) this.parameterTemplate.clone();
            setDate(runParams);
            CertPathValidator pathValidator = CertPathValidator.getInstance(Validator.TYPE_PKIX);
            CertPath path = this.factory.generateCertPath(Arrays.asList(x509CertificateArr));
            PKIXCertPathValidatorResult outcome =
                    (PKIXCertPathValidatorResult) pathValidator.validate(path, runParams);
            return toArray(path, outcome.getTrustAnchor());
        } catch (GeneralSecurityException e) {
            throw new ValidatorException("PKIX path validation failed: " + e.toString(), e);
        }
    }

    /**
     * Builds a PKIX path from the leaf certificate to a trust anchor, drawing
     * intermediate certificates from the supplied chain and the extra collection.
     *
     * @param x509CertificateArr the chain; element 0 is the target certificate
     * @param collection further candidate certificates; may be null
     * @return the built path followed by the trust anchor certificate
     * @throws CertificateException (a {@code ValidatorException}) wrapping any
     *     security failure raised while building
     */
    private X509Certificate[] doBuild(X509Certificate[] x509CertificateArr, Collection collection) throws CertificateException {
        try {
            // Work on a clone so the shared template is not modified by this run.
            PKIXBuilderParameters runParams = (PKIXBuilderParameters) this.parameterTemplate.clone();
            setDate(runParams);
            // The builder must end at exactly the leaf certificate of the chain.
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(x509CertificateArr[0]);
            runParams.setTargetCertConstraints(target);
            // Candidate pool: the presented chain plus any extra certificates.
            List<Object> candidates = new ArrayList<Object>();
            candidates.addAll(Arrays.asList(x509CertificateArr));
            if (collection != null) {
                candidates.addAll(collection);
            }
            CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
            runParams.addCertStore(store);
            CertPathBuilder pathBuilder = CertPathBuilder.getInstance(Validator.TYPE_PKIX);
            PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) pathBuilder.build(runParams);
            return toArray(built.getCertPath(), built.getTrustAnchor());
        } catch (GeneralSecurityException e) {
            throw new ValidatorException("PKIX path building failed: " + e.toString(), e);
        }
    }
}
