package org.wildfly.security.ssl;

import java.io.InputStream;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Objects;
import java.util.stream.Stream;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.x500.X500;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.2.1.Final.jar:org/wildfly/security/ssl/X509CRLExtendedTrustManager.class */
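/**
 * Trust manager that validates X.509 certificate chains with PKIX revocation checking enabled,
 * optionally backed by a CRL file supplied at construction time.
 *
 * <p>All trust decisions are delegated to the first {@link X509TrustManager} produced by the
 * supplied {@link TrustManagerFactory}, after that factory has been initialised with PKIX
 * parameters that have revocation enabled.
 *
 * <p>Operational notes for reviewers:
 * <ul>
 *   <li>The CRL stream is read once, in the constructor, and then closed. The loaded CRLs are a
 *       snapshot: certificates revoked after construction are not rejected until a new instance
 *       is built from a fresh CRL.</li>
 *   <li>When no CRL stream is given, revocation checking is still enabled. Revocation status then
 *       has to come from whatever other sources the PKIX provider is configured to use.
 *       NOTE(review): confirm which sources are enabled in the deployment.</li>
 *   <li>The {@link Socket} and {@link SSLEngine} overloads forward the connection to the delegate
 *       when it is an {@link X509ExtendedTrustManager}, so the delegate's connection-aware checks
 *       still run. JSSE leaves those checks to the trust manager whenever it is handed an
 *       {@code X509ExtendedTrustManager}, which this class is.</li>
 * </ul>
 */
public final class X509CRLExtendedTrustManager extends X509ExtendedTrustManager {
    /** Maximum certification path length used by the convenience constructors. */
    private static final int DEFAULT_MAX_CERT_PATH_LENGTH = 5;

    /** Delegate that performs the actual PKIX validation. */
    private final X509TrustManager trustManager;

    /** Private copy of the issuers advertised by {@link #getAcceptedIssuers()}. */
    private final X509Certificate[] acceptedIssuers;

    /**
     * Creates a trust manager with revocation checking enabled.
     *
     * @param keyStore            trust store holding the trust anchors; must not be {@code null}
     * @param trustManagerFactory factory to initialise with the PKIX parameters; must not be {@code null}
     * @param inputStream         stream containing X.509 CRLs, or {@code null} for none; it is
     *                            always closed by this constructor once read
     * @param i                   maximum certification path length, passed to
     *                            {@link PKIXBuilderParameters#setMaxPathLength(int)}; at least 1
     * @param x509CertificateArr  issuers to report from {@link #getAcceptedIssuers()}, or
     *                            {@code null} to report none
     */
    public X509CRLExtendedTrustManager(KeyStore keyStore, TrustManagerFactory trustManagerFactory, InputStream inputStream, int i, X509Certificate[] x509CertificateArr) {
        Assert.checkNotNullParam("trustStore", keyStore);
        Assert.checkNotNullParam("trustManagerFactory", trustManagerFactory);
        Assert.checkMinimumParameter("maxCertPath", 1, i);
        try {
            PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
            if (inputStream != null) {
                pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs(inputStream))));
            }
            // Revocation checking stays on even when no CRL file was supplied.
            pkixParameters.setRevocationEnabled(true);
            pkixParameters.setMaxPathLength(i);
            trustManagerFactory.init(new CertPathTrustManagerParameters(pkixParameters));

            X509TrustManager selected = Stream.of(trustManagerFactory.getTrustManagers())
                    .filter(X509TrustManager.class::isInstance)
                    .map(X509TrustManager.class::cast)
                    .findFirst()
                    .orElse(null);
            if (selected == null) {
                throw ElytronMessages.log.noDefaultTrustManager();
            }
            this.trustManager = selected;
            // Copy the caller's array so later changes to it cannot alter what is advertised.
            this.acceptedIssuers = x509CertificateArr != null ? x509CertificateArr.clone() : X500.NO_CERTIFICATES;
        } catch (GeneralSecurityException e) {
            throw ElytronMessages.log.sslErrorCreatingTrustManager(getClass().getName(), e);
        }
    }

    /**
     * Creates a trust manager using the platform default trust manager algorithm and the
     * default maximum certification path length.
     *
     * @param keyStore    trust store holding the trust anchors; must not be {@code null}
     * @param inputStream stream containing X.509 CRLs, or {@code null} for none
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     */
    public X509CRLExtendedTrustManager(KeyStore keyStore, InputStream inputStream) throws NoSuchAlgorithmException {
        this(keyStore, TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()), inputStream, DEFAULT_MAX_CERT_PATH_LENGTH, null);
    }

    /**
     * Creates a trust manager with no CRL file. Revocation checking is still enabled.
     *
     * @param keyStore trust store holding the trust anchors; must not be {@code null}
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     */
    public X509CRLExtendedTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException {
        this(keyStore, (InputStream) null);
    }

    /** {@inheritDoc} */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkClientTrusted(x509CertificateArr, str);
    }

    /** {@inheritDoc} */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Returns the issuers given at construction time, or an empty array if none were given.
     *
     * @return a copy of the accepted issuers, so callers cannot modify this instance's state
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.acceptedIssuers.clone();
    }

    /**
     * Validates a client chain, passing the socket to the delegate when it can use it.
     *
     * <p>Falls back to the connection-less check when the delegate is a plain
     * {@link X509TrustManager}.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        if (this.trustManager instanceof X509ExtendedTrustManager) {
            ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(x509CertificateArr, str, socket);
        } else {
            this.trustManager.checkClientTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Validates a server chain, passing the socket to the delegate when it can use it.
     *
     * <p>Dropping the socket here would skip the delegate's connection-aware checks, such as
     * endpoint identification, so it is forwarded whenever the delegate accepts it.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        if (this.trustManager instanceof X509ExtendedTrustManager) {
            ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(x509CertificateArr, str, socket);
        } else {
            this.trustManager.checkServerTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Validates a client chain, passing the engine to the delegate when it can use it.
     *
     * <p>Falls back to the connection-less check when the delegate is a plain
     * {@link X509TrustManager}.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        if (this.trustManager instanceof X509ExtendedTrustManager) {
            ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(x509CertificateArr, str, sSLEngine);
        } else {
            this.trustManager.checkClientTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Validates a server chain, passing the engine to the delegate when it can use it.
     *
     * <p>Dropping the engine here would skip the delegate's connection-aware checks, such as
     * endpoint identification, so it is forwarded whenever the delegate accepts it.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        if (this.trustManager instanceof X509ExtendedTrustManager) {
            ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(x509CertificateArr, str, sSLEngine);
        } else {
            this.trustManager.checkServerTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Parses every X.509 CRL in the stream and closes the stream afterwards.
     *
     * @param inputStream stream to read; must not be {@code null}
     * @return the CRLs found in the stream
     * @throws GeneralSecurityException if the X.509 factory is unavailable or the CRL data cannot be parsed
     */
    private Collection<? extends CRL> getCRLs(InputStream inputStream) throws GeneralSecurityException {
        try {
            return CertificateFactory.getInstance("X.509").generateCRLs(inputStream);
        } finally {
            try {
                inputStream.close();
            } catch (Exception ignored) {
                // Best-effort close: a failure here must not mask a parse error or discard CRLs already read.
            }
        }
    }
}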
