package org.apache.wss4j.common.crypto;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.jruby.ext.openssl.impl.ASN1Registry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-07.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-common-2.1.7.jar:org/apache/wss4j/common/crypto/MerlinAKI.class */
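/**
 * A {@link Merlin} variant whose trust verification locates the issuer of a single received
 * certificate through its AuthorityKeyIdentifier extension rather than through the issuer DN:
 * the AKI bytes of the received certificate are matched against the SubjectKeyIdentifier of the
 * first certificate of every keystore / truststore entry.
 *
 * <p>Trust is established in two steps (see {@link #verifyTrust}): a direct-trust short-cut for a
 * certificate that is itself stored in the keystore, and otherwise a PKIX certificate-path
 * validation against trust anchors built from the truststore (and, when configured, the keystore).
 */
public class MerlinAKI extends Merlin {
    private static final Logger LOG = LoggerFactory.getLogger(MerlinAKI.class);

    /** Standard JCA name of the certificate-path validation algorithm. */
    private static final String PKIX_ALGORITHM = "PKIX";

    /** OID of the X.509 NameConstraints extension (id-ce 30), handed to each {@link TrustAnchor}. */
    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /** Creates an instance whose stores are configured later by the superclass. */
    public MerlinAKI() {
    }

    /**
     * Creates an instance with the given BouncyCastle / provider settings.
     *
     * @param loadCACerts passed through to {@link Merlin#Merlin(boolean, String)}
     * @param cacertsPasswd passed through to {@link Merlin#Merlin(boolean, String)}
     */
    public MerlinAKI(boolean loadCACerts, String cacertsPasswd) {
        super(loadCACerts, cacertsPasswd);
    }

    /**
     * Creates an instance configured from properties.
     *
     * @param properties Merlin configuration properties
     * @param loader class loader used to resolve keystore resources
     * @param passwordEncryptor decryptor for encrypted store passwords
     * @throws WSSecurityException if the stores cannot be loaded
     * @throws IOException if a store resource cannot be read
     */
    public MerlinAKI(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor) throws WSSecurityException, IOException {
        super(properties, loader, passwordEncryptor);
    }

    /**
     * Verifies that the given certificate (chain) is trusted.
     *
     * <p>Step one ("direct trust"): when exactly one certificate is supplied and revocation
     * checking is disabled, the certificate is looked up in the keystore by issuer/serial and
     * compared as a whole against the stored one. On a match only the validity period is checked
     * and the method returns. Note that this short-cut performs no path validation, no revocation
     * check and does not apply {@code subjectCertConstraints}.
     *
     * <p>Step two: a certificate path is built (for a single certificate the issuer certificates
     * are found via the AuthorityKeyIdentifier; a longer chain is used as supplied) and validated
     * with the PKIX algorithm against trust anchors taken from the truststore and, when no
     * truststore is configured or {@code loadCACerts} is set, from the keystore. Finally the
     * subject DN of the first certificate must satisfy {@code subjectCertConstraints}.
     *
     * @param certs the certificate (chain) to verify, end-entity certificate first
     * @param enableRevocation whether revocation checking is enabled for path validation
     * @param subjectCertConstraints patterns the subject DN of {@code certs[0]} must match
     * @throws WSSecurityException with {@code FAILURE} if no certificate is supplied, no issuer
     *     certificates are found or path validation fails; with {@code FAILED_CHECK} if a
     *     directly trusted certificate is outside its validity period; with
     *     {@code FAILED_AUTHENTICATION} if the subject constraints are not met
     */
    @Override // org.apache.wss4j.common.crypto.Merlin, org.apache.wss4j.common.crypto.Crypto
    public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) throws WSSecurityException {
        // Explicit guard instead of a NullPointerException / ArrayIndexOutOfBoundsException below.
        if (certs == null || certs.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No certificate to verify"});
        }

        // FIRST step - direct trust for a certificate stored in the keystore.
        if (certs.length == 1 && !enableRevocation && isDirectlyTrusted(certs[0])) {
            try {
                certs[0].checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e, "invalidCert");
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Direct trust for certificate with " + certs[0].getSubjectX500Principal().getName());
            }
            return;
        }

        // SECOND step - PKIX path validation.
        String issuerString = certs[0].getIssuerX500Principal().getName();
        try {
            X509Certificate[] path = certs;
            if (certs.length == 1) {
                path = buildPathFromAuthorityKeyIdentifier(certs[0], issuerString);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Preparing to validate certificate path for issuer " + issuerString);
            }
            CertPath certPath = getCertificateFactory().generateCertPath(Arrays.asList(path));

            // Every certificate entry of the consulted stores becomes a trust anchor; the keystore
            // is only consulted when there is no truststore or loadCACerts is set.
            Set<TrustAnchor> trustAnchors = new HashSet<>();
            if (this.truststore != null) {
                addTrustAnchors(this.truststore, trustAnchors);
            }
            if (this.keystore != null && (this.truststore == null || this.loadCACerts)) {
                addTrustAnchors(this.keystore, trustAnchors);
            }

            String provider = getCryptoProvider();
            CertPathValidator validator = (provider == null || provider.length() == 0)
                ? CertPathValidator.getInstance(PKIX_ALGORITHM)
                : CertPathValidator.getInstance(PKIX_ALGORITHM, provider);
            validator.validate(certPath, createPKIXParameters(trustAnchors, enableRevocation));
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException
                 | NoSuchProviderException | CertPathValidatorException | CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "certpath");
        }

        // Subject DN constraints are enforced only on the path-validated route (see step one).
        if (!matches(certs[0], subjectCertConstraints)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Looks the certificate up in the keystore by issuer/serial and compares the stored certificate
     * with the given one as a whole, so a certificate that merely shares issuer and serial number
     * does not count as trusted.
     *
     * @param cert the certificate to look up
     * @return true if an identical certificate is stored
     * @throws WSSecurityException if the lookup fails
     */
    private boolean isDirectlyTrusted(X509Certificate cert) throws WSSecurityException {
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
        cryptoType.setIssuerSerial(cert.getIssuerX500Principal().getName(), cert.getSerialNumber());
        X509Certificate[] foundCerts = getX509Certificates(cryptoType);
        // The length check guards against an empty (non-null) result.
        return foundCerts != null && foundCerts.length > 0 && foundCerts[0] != null && foundCerts[0].equals(cert);
    }

    /**
     * Builds the path {@code [cert, issuer chain...]} where the issuer chain is the store entry
     * whose SubjectKeyIdentifier equals the AuthorityKeyIdentifier of {@code cert}.
     *
     * @param cert the end-entity certificate
     * @param issuerString issuer DN of {@code cert}, used for logging only
     * @return the certificate path to validate, {@code cert} first
     * @throws WSSecurityException with {@code FAILURE} if no matching issuer certificates are stored
     */
    private X509Certificate[] buildPathFromAuthorityKeyIdentifier(X509Certificate cert, String issuerString)
        throws WSSecurityException, NoSuchAlgorithmException, CertificateEncodingException {
        X509Certificate[] issuerCerts =
            getX509CertificatesFromKeyIdentifier(BouncyCastleUtils.getAuthorityKeyIdentifierBytes(cert));
        if (issuerCerts == null || issuerCerts.length < 1) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No certs found in keystore for issuer " + issuerString + " of certificate for " + cert.getSubjectX500Principal().getName());
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No trusted certs found"});
        }
        X509Certificate[] path = new X509Certificate[issuerCerts.length + 1];
        path[0] = cert;
        System.arraycopy(issuerCerts, 0, path, 1, issuerCerts.length);
        return path;
    }

    /**
     * Adds one {@link TrustAnchor} per certificate entry of the store, carrying the entry's
     * NameConstraints extension (if any). No distinction between CA and end-entity entries is made.
     *
     * @param store the store to read
     * @param anchors the set to add to
     * @throws KeyStoreException if the store has not been initialised
     */
    private static void addTrustAnchors(KeyStore store, Set<TrustAnchor> anchors) throws KeyStoreException {
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            // NOTE(review): a non-X.509 entry would fail this cast with a ClassCastException.
            X509Certificate cert = (X509Certificate) store.getCertificate(aliases.nextElement());
            if (cert != null) {
                anchors.add(new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID)));
            }
        }
    }

    /**
     * Finds the store chain whose first certificate carries the given SubjectKeyIdentifier,
     * consulting the keystore first and the truststore only when the keystore yields nothing.
     *
     * @param keyIdentifierBytes the AuthorityKeyIdentifier to match, may be null
     * @return the matching chain as X.509 certificates, or null if nothing matches
     */
    private X509Certificate[] getX509CertificatesFromKeyIdentifier(byte[] keyIdentifierBytes) throws WSSecurityException, NoSuchAlgorithmException, CertificateEncodingException {
        if (keyIdentifierBytes == null) {
            return null;
        }
        Certificate[] certs = null;
        if (this.keystore != null) {
            certs = getCertificates(keyIdentifierBytes, this.keystore);
        }
        if ((certs == null || certs.length == 0) && this.truststore != null) {
            certs = getCertificates(keyIdentifierBytes, this.truststore);
        }
        if (certs == null || certs.length == 0) {
            return null;
        }
        // Only chain[0] was checked to be an X509Certificate; a non-X.509 element further down the
        // chain would make this copy fail with an ArrayStoreException.
        return Arrays.copyOf(certs, certs.length, X509Certificate[].class);
    }

    /**
     * Scans the store for the first entry whose leading certificate has a SubjectKeyIdentifier
     * equal to {@code keyIdentifierBytes}. Entries without a chain (trusted-certificate entries)
     * are treated as a one-element chain. The match is a lookup hint only; the signatures of the
     * resulting path are checked by PKIX validation in {@link #verifyTrust}.
     *
     * @param keyIdentifierBytes the key identifier to match
     * @param store the store to scan
     * @return the matching chain, or an empty array if none matches
     * @throws WSSecurityException with {@code FAILURE} if the store cannot be read
     */
    private Certificate[] getCertificates(byte[] keyIdentifierBytes, KeyStore store) throws WSSecurityException, NoSuchAlgorithmException, CertificateEncodingException {
        try {
            Enumeration<String> aliases = store.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate[] chain = store.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = store.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                byte[] subjectKeyIdentifier = BouncyCastleUtils.getSubjectKeyIdentifierBytes((X509Certificate) chain[0]);
                if (subjectKeyIdentifier != null && Arrays.equals(subjectKeyIdentifier, keyIdentifierBytes)) {
                    return chain;
                }
            }
            return new Certificate[0];
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }
}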
