package org.wildfly.security.ssl;

import java.io.InputStream;
import java.net.Socket;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.Assert;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-ssl-1.15.3.Final.jar:org/wildfly/security/ssl/X509RevocationTrustManager.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.3.Final.jar:org/wildfly/security/ssl/X509RevocationTrustManager.class */
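/**
 * An {@link X509ExtendedTrustManager} that validates certificate chains against a trust store using the
 * PKIX {@link CertPathBuilder} with revocation checking switched on (OCSP and/or CRLs, as configured through
 * the {@link Builder}) and with an explicit limit on the certification path length.
 * <p>
 * All validation is delegated to the trust manager produced by the supplied {@link TrustManagerFactory}
 * after it has been initialised with the revocation-enabled {@link PKIXBuilderParameters}. When that delegate
 * is itself an {@link X509ExtendedTrustManager}, the {@link Socket}/{@link SSLEngine} overloads pass the
 * connection through so the delegate can apply its connection-scoped checks (the extended API is where the
 * JDK performs algorithm-constraint and, if enabled on the connection, endpoint-identification checks).
 * Dropping to the two-argument form would silently skip those.
 * <p>
 * Security notes for configuration:
 * <ul>
 *   <li>CRLs supplied via {@link Builder#setCrlStream(InputStream)} are read once at build time into an
 *       in-memory {@code Collection} cert store; they are never refreshed.</li>
 *   <li>{@link Builder#setSoftFail(boolean)} enables the JDK {@code SOFT_FAIL} option, under which a chain is
 *       accepted when revocation status cannot be determined (e.g. the responder or CRL is unreachable).
 *       This weakens revocation checking and should be a deliberate choice.</li>
 *   <li>{@link Builder#setOnlyEndEntity(boolean)} restricts revocation checks to the end-entity certificate;
 *       revoked intermediate CAs are then not detected by the revocation checker.</li>
 * </ul>
 */
public class X509RevocationTrustManager extends X509ExtendedTrustManager {
    private static final int DEFAULT_MAX_CERT_PATH_LENGTH = 5;

    /**
     * Issuers to report from {@link #getAcceptedIssuers()} instead of the delegate's own list, or
     * {@code null} to report the delegate's list. Only set through the deprecated builder method; it does
     * not influence chain validation.
     */
    private final X509Certificate[] acceptedIssuers;
    /** The PKIX trust manager (revocation checking enabled) that performs the actual chain validation. */
    private final X509TrustManager trustManager;
    /**
     * The same object as {@link #trustManager} when the delegate implements the extended API, otherwise
     * {@code null}. Kept separately so the connection-aware overloads can forward the Socket/SSLEngine.
     */
    private final X509ExtendedTrustManager extendedTrustManager;

    /**
     * Builder for {@link X509RevocationTrustManager}. A trust store and a {@link TrustManagerFactory} are
     * mandatory; everything else is optional and defaults to the JDK revocation checker's defaults.
     */
    public static class Builder {
        private X509Certificate[] acceptedIssuers = null;
        private KeyStore trustStore = null;
        private TrustManagerFactory trustManagerFactory = null;
        private URI responderUri = null;
        private InputStream crlStream = null;
        private X509Certificate ocspResponderCert = null;
        private int maxCertPath = DEFAULT_MAX_CERT_PATH_LENGTH;
        private boolean preferCrls = false;
        private boolean onlyEndEntity = false;
        private boolean softFail = false;
        private boolean noFallback = false;

        private Builder() {
        }

        /**
         * Override the issuers reported by {@link X509RevocationTrustManager#getAcceptedIssuers()}.
         * This affects only what is advertised, not which chains are accepted.
         *
         * @param acceptedIssuers the issuers to report, or {@code null} to report the delegate's list
         * @return this builder
         * @deprecated the accepted issuers are derived from the trust store; this override is not needed
         */
        @Deprecated
        public Builder setAcceptedIssuers(X509Certificate[] acceptedIssuers) {
            // defensive copy: the array is published later via getAcceptedIssuers()
            this.acceptedIssuers = acceptedIssuers == null ? null : acceptedIssuers.clone();
            return this;
        }

        /**
         * Set the trust store whose trusted certificate entries become the PKIX trust anchors (required).
         *
         * @param trustStore the trust store
         * @return this builder
         */
        public Builder setTrustStore(KeyStore trustStore) {
            this.trustStore = trustStore;
            return this;
        }

        /**
         * Set the factory that is initialised with the revocation-enabled PKIX parameters and supplies the
         * delegate trust manager (required).
         *
         * @param trustManagerFactory the trust manager factory
         * @return this builder
         */
        public Builder setTrustManagerFactory(TrustManagerFactory trustManagerFactory) {
            this.trustManagerFactory = trustManagerFactory;
            return this;
        }

        /**
         * Set the OCSP responder to use for every certificate, overriding the responder named in the
         * certificate's Authority Information Access extension. {@code null} (the default) leaves the
         * choice to the JDK revocation checker.
         *
         * @param responderUri the responder URI, or {@code null}
         * @return this builder
         */
        public Builder setResponderURI(URI responderUri) {
            this.responderUri = responderUri;
            return this;
        }

        /**
         * Supply CRLs (X.509, any encoding {@link CertificateFactory#generateCRLs} accepts). The stream is
         * fully consumed and closed by {@link #build()}; the CRLs are held in memory and not refreshed.
         *
         * @param crlStream the CRL stream, or {@code null} for none
         * @return this builder
         */
        public Builder setCrlStream(InputStream crlStream) {
            this.crlStream = crlStream;
            return this;
        }

        /**
         * Set the maximum number of non-self-issued intermediate certificates allowed in a path. Applied both
         * through {@link PKIXBuilderParameters#setMaxPathLength(int)} and by the manager's own path-length
         * checker. Defaults to {@value X509RevocationTrustManager#DEFAULT_MAX_CERT_PATH_LENGTH}.
         *
         * @param maxCertPath the maximum path length
         * @return this builder
         */
        public Builder setMaxCertPath(int maxCertPath) {
            this.maxCertPath = maxCertPath;
            return this;
        }

        /**
         * Prefer CRLs over OCSP (JDK {@code PREFER_CRLS} option). By default OCSP is tried first.
         *
         * @param preferCrls {@code true} to prefer CRLs
         * @return this builder
         */
        public Builder setPreferCrls(boolean preferCrls) {
            this.preferCrls = preferCrls;
            return this;
        }

        /**
         * Check revocation only for the end-entity certificate (JDK {@code ONLY_END_ENTITY} option).
         * Revoked intermediate CAs are then not detected by the revocation checker.
         *
         * @param onlyEndEntity {@code true} to skip CA certificates
         * @return this builder
         */
        public Builder setOnlyEndEntity(boolean onlyEndEntity) {
            this.onlyEndEntity = onlyEndEntity;
            return this;
        }

        /**
         * Accept a chain when revocation status cannot be determined (JDK {@code SOFT_FAIL} option), e.g.
         * because the responder or CRL distribution point is unreachable. This weakens revocation checking;
         * leave it off unless availability must win over strict revocation enforcement.
         *
         * @param softFail {@code true} to tolerate undeterminable revocation status
         * @return this builder
         */
        public Builder setSoftFail(boolean softFail) {
            this.softFail = softFail;
            return this;
        }

        /**
         * Do not fall back to the other mechanism (CRL vs. OCSP) when the preferred one fails
         * (JDK {@code NO_FALLBACK} option).
         *
         * @param noFallback {@code true} to disable fallback
         * @return this builder
         */
        public Builder setNoFallback(boolean noFallback) {
            this.noFallback = noFallback;
            return this;
        }

        /**
         * Set the certificate used to verify OCSP response signatures (for responders whose certificate is
         * not the issuing CA). {@code null} (the default) keeps the JDK revocation checker's behaviour.
         *
         * @param ocspResponderCert the responder certificate, or {@code null}
         * @return this builder
         */
        public Builder setOcspResponderCert(X509Certificate ocspResponderCert) {
            this.ocspResponderCert = ocspResponderCert;
            return this;
        }

        /**
         * Build the trust manager.
         *
         * @return the configured trust manager
         * @throws IllegalArgumentException if the trust store or trust manager factory is missing
         */
        public X509RevocationTrustManager build() {
            Assert.checkNotNullParam("trustStore", this.trustStore);
            Assert.checkNotNullParam("trustManagerFactory", this.trustManagerFactory);
            return new X509RevocationTrustManager(this);
        }
    }

    /**
     * A {@link PKIXCertPathChecker} that enforces a maximum path length, honouring each CA certificate's
     * {@code pathLenConstraint} as the path is walked from the trust anchor towards the end entity
     * (reverse order; forward checking is not supported).
     * <p>
     * Static: it uses no state from the enclosing trust manager.
     */
    private static final class MaxPathLengthChecker extends PKIXCertPathChecker {
        /** The configured limit, restored by {@link #init(boolean)} so the checker can be re-initialised. */
        private final int configuredMaxPathLength;
        /** The effective limit, narrowed as CA certificates with a smaller pathLenConstraint are seen. */
        private int maxPathLength;
        /** 1-based index of the certificate currently being checked (1 = issued directly by the anchor). */
        private int certIndex;

        MaxPathLengthChecker(int maxPathLength) {
            this.configuredMaxPathLength = maxPathLength;
            this.maxPathLength = maxPathLength;
        }

        @Override
        public void init(boolean forward) {
            certIndex = 0;
            // check() narrows maxPathLength; restore it so a re-initialised checker starts from the
            // configured limit rather than whatever a previous path left behind
            maxPathLength = configuredMaxPathLength;
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }

        @Override
        public Set<String> getSupportedExtensions() {
            // null: this checker does not resolve any critical extensions
            return null;
        }

        @Override
        public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
            certIndex++;
            checkCertPathLength((X509Certificate) cert);
        }

        /**
         * Apply the path-length rule to one certificate.
         *
         * @param cert the certificate at {@link #certIndex}
         * @throws CertPathValidatorException with {@link PKIXReason#PATH_TOO_LONG} when the effective
         *         constraint is smaller than the certificate's position
         */
        private void checkCertPathLength(X509Certificate cert) throws CertPathValidatorException {
            X500Principal subject = cert.getSubjectX500Principal();
            X500Principal issuer = cert.getIssuerX500Principal();
            boolean selfIssued = subject.equals(issuer);

            int pathLenConstraint = -1;
            if (cert.getVersion() >= 3) {
                // -1 when the certificate is not a CA (no basicConstraints or cA=false)
                pathLenConstraint = cert.getBasicConstraints();
            } else if (certIndex == 1 && selfIssued) {
                // v1/v2 self-issued certificate directly under the anchor: treated as unconstrained
                pathLenConstraint = Integer.MAX_VALUE;
            }
            if (pathLenConstraint == -1) {
                // no usable constraint on this certificate: fall back to the current effective limit
                pathLenConstraint = maxPathLength;
            }
            // NOTE(review): certIndex is 1-based, so a v3 intermediate with pathLenConstraint=0 sitting
            // directly under the anchor fails here (0 < 1) even though RFC 5280 allows such a CA to issue the
            // end-entity certificate that follows it — confirm this is intended before relying on pathLen=0 CAs.
            if (!selfIssued && pathLenConstraint < certIndex) {
                throw new CertPathValidatorException("check failed: pathLenConstraint violated - this cert must be the last cert in the certification path", null, null, -1, PKIXReason.PATH_TOO_LONG);
            }
            if (pathLenConstraint < maxPathLength) {
                maxPathLength = pathLenConstraint;
            }
        }
    }

    /**
     * Build the revocation-enabled PKIX parameters, initialise the factory with them and capture the
     * resulting trust manager.
     *
     * @param builder the validated builder
     * @throws RuntimeException (via {@code ElytronMessages}) if no {@link X509TrustManager} is produced or
     *         any {@link GeneralSecurityException} occurs while configuring the parameters
     */
    private X509RevocationTrustManager(Builder builder) {
        try {
            PKIXBuilderParameters params = new PKIXBuilderParameters(builder.trustStore, new X509CertSelector());
            if (builder.crlStream != null) {
                // static snapshot of the supplied CRLs; the stream is closed by getCRLs
                params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs(builder.crlStream))));
            }

            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            if (builder.ocspResponderCert != null) {
                revocationChecker.setOcspResponderCert(builder.ocspResponderCert);
            }
            revocationChecker.setOptions(revocationOptions(builder));
            // null leaves responder discovery to the checker (AIA extension)
            revocationChecker.setOcspResponder(builder.responderUri);

            params.setRevocationEnabled(true);
            params.addCertPathChecker(revocationChecker);
            params.addCertPathChecker(new MaxPathLengthChecker(builder.maxCertPath));
            params.setMaxPathLength(builder.maxCertPath);

            builder.trustManagerFactory.init(new CertPathTrustManagerParameters(params));

            X509TrustManager delegate = Stream.of(builder.trustManagerFactory.getTrustManagers())
                    .filter(X509TrustManager.class::isInstance)
                    .map(X509TrustManager.class::cast)
                    .findFirst()
                    .orElse(null);
            if (delegate == null) {
                throw ElytronMessages.log.noDefaultTrustManager();
            }
            this.trustManager = delegate;
            // remember the extended view so the Socket/SSLEngine overloads can forward the connection
            this.extendedTrustManager = delegate instanceof X509ExtendedTrustManager ? (X509ExtendedTrustManager) delegate : null;
            this.acceptedIssuers = builder.acceptedIssuers;
        } catch (GeneralSecurityException e) {
            throw ElytronMessages.log.sslErrorCreatingRevocationTrustManager(builder.trustManagerFactory.getAlgorithm(), e);
        }
    }

    /**
     * Translate the builder flags into the JDK revocation checker options.
     *
     * @param builder the builder holding the flags
     * @return the (possibly empty) option set
     */
    private static EnumSet<PKIXRevocationChecker.Option> revocationOptions(Builder builder) {
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (builder.onlyEndEntity) {
            options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (builder.preferCrls) {
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (builder.softFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        if (builder.noFallback) {
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        return options;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        trustManager.checkServerTrusted(chain, authType);
    }

    /**
     * {@inheritDoc}
     * <p>
     * Forwards the socket to the delegate when it supports the extended API so its connection-scoped
     * checks run; otherwise falls back to the two-argument check.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        if (extendedTrustManager != null) {
            extendedTrustManager.checkClientTrusted(chain, authType, socket);
        } else {
            trustManager.checkClientTrusted(chain, authType);
        }
    }

    /**
     * {@inheritDoc}
     * <p>
     * Forwards the socket to the delegate when it supports the extended API so its connection-scoped
     * checks run; otherwise falls back to the two-argument check.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        if (extendedTrustManager != null) {
            extendedTrustManager.checkServerTrusted(chain, authType, socket);
        } else {
            trustManager.checkServerTrusted(chain, authType);
        }
    }

    /**
     * {@inheritDoc}
     * <p>
     * Forwards the engine to the delegate when it supports the extended API so its connection-scoped
     * checks run; otherwise falls back to the two-argument check.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        if (extendedTrustManager != null) {
            extendedTrustManager.checkClientTrusted(chain, authType, engine);
        } else {
            trustManager.checkClientTrusted(chain, authType);
        }
    }

    /**
     * {@inheritDoc}
     * <p>
     * Forwards the engine to the delegate when it supports the extended API so its connection-scoped
     * checks run; otherwise falls back to the two-argument check.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        if (extendedTrustManager != null) {
            extendedTrustManager.checkServerTrusted(chain, authType, engine);
        } else {
            trustManager.checkServerTrusted(chain, authType);
        }
    }

    /**
     * Return the issuers to advertise: the deprecated override if one was configured (as a copy, so callers
     * cannot alter this manager's state), otherwise whatever the delegate reports.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return acceptedIssuers != null ? acceptedIssuers.clone() : trustManager.getAcceptedIssuers();
    }

    /**
     * Parse all CRLs from the stream and close it.
     *
     * @param crlStream the stream to consume; always closed, even on failure
     * @return the parsed CRLs
     * @throws GeneralSecurityException if the X.509 factory is unavailable or the CRLs cannot be parsed
     */
    private static Collection<? extends CRL> getCRLs(InputStream crlStream) throws GeneralSecurityException {
        try {
            return CertificateFactory.getInstance("X.509").generateCRLs(crlStream);
        } finally {
            try {
                crlStream.close();
            } catch (Exception ignored) {
                // best-effort close of a caller-supplied stream; the parse result (or its failure)
                // above already determines the outcome, and close() throwing IOException would
                // otherwise mask it
            }
        }
    }

    /**
     * Create a new builder.
     *
     * @return a fresh builder with default settings
     */
    public static Builder builder() {
        return new Builder();
    }
}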
