package com.github.toolarium.security.certificate.impl;

import com.github.toolarium.security.certificate.ICertificateChainAnalyzer;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/github/toolarium/security/certificate/impl/CertificateChainAnalyzer.class */
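/**
 * Orders an unordered bag of X.509 certificates into a chain by following issuer/subject
 * names and checking each link's signature.
 *
 * <p><strong>What this class does not do.</strong> The only checks performed here are name
 * equality between a certificate's issuer and a candidate's subject, and
 * {@link X509Certificate#verify(PublicKey)} on each link. Validity periods, basic constraints
 * (whether an issuer is a CA at all), key usage, name constraints, revocation status and
 * membership of the root in a trust store are not examined. "Self-signed" here means only that
 * the certificate verifies under its own public key, so any self-signed certificate in the input
 * terminates the chain. The returned list is therefore an ordering aid, not a trust decision:
 * callers that need to rely on the chain should validate it separately (for example with a PKIX
 * {@code java.security.cert.CertPathValidator} against their own trust anchors).
 */
public class CertificateChainAnalyzer implements ICertificateChainAnalyzer {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateChainAnalyzer.class);

    // NOTE(review): not referenced anywhere in this (decompiled) class; presumably it once gated
    // logging of signature checks - confirm against the original source before removing.
    private static final boolean ALLOW_LOG_SELF_SIGN_TESTS = false;

    /**
     * Builds the chain for the public half of {@code keyPair}.
     *
     * @param keyPair key pair whose public key identifies the end-entity certificate; not
     *     null-checked here
     * @param collection candidate certificates, in any order
     * @return the chain as produced by {@link #buildChainFor(PublicKey, Collection)}
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public List<X509Certificate> buildChainFor(KeyPair keyPair, Collection<X509Certificate> collection) {
        return buildChainFor(keyPair.getPublic(), collection);
    }

    /**
     * Finds the certificate carrying {@code publicKey} and walks issuer by issuer until a
     * self-signed certificate is reached.
     *
     * @param publicKey key of the end-entity certificate to start from
     * @param collection candidate certificates, in any order; must not be null
     * @return unmodifiable chain, root first (see {@link #toRootFirst(List)})
     * @throws IllegalArgumentException if no certificate carries {@code publicKey}, or if an
     *     issuer cannot be found before a self-signed certificate is reached
     * @throws IllegalStateException if the chain grows longer than the input collection
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public List<X509Certificate> buildChainFor(PublicKey publicKey, Collection<X509Certificate> collection) throws IllegalArgumentException, IllegalStateException {
        List<X509Certificate> chain = new ArrayList<X509Certificate>(collection.size());
        X509Certificate leaf = getCertificateFor(publicKey, collection);
        if (leaf == null) {
            throw new IllegalArgumentException("Cannot find X509Certificate which corresponds to " + publicKey);
        }
        chain.add(leaf);

        X509Certificate previous = null;
        X509Certificate current = leaf;
        // Stop at the first certificate that verifies under its own key, or if the walk stalls on
        // the same certificate twice in a row.
        while (current != null && (previous == null || !previous.equals(current)) && !isSelfSigned(current)) {
            previous = current;
            current = getIssuer(current, collection);
            if (current == null) {
                LOG.warn("Building chain for {} cert[s] but had to stop after {} because I could not find the issuer for {}",
                        collection.size(), chain.size(), previous.getSubjectX500Principal());
                throw new IllegalArgumentException("Could not determine issuer for certificate: " + previous.getSubjectX500Principal() + ". Please ensure certificate list contains all certificates back to the CA's self-signed root!");
            }
            chain.add(current);
            // A chain longer than its input means the same certificates are being revisited;
            // this bound guarantees the loop terminates.
            if (chain.size() > collection.size()) {
                LOG.warn("Too many certificates in chain. Chain: {}, Source: {}",
                        Arrays.toString(getPrincipals(chain)),
                        Arrays.toString(getPrincipals(new ArrayList<X509Certificate>(collection))));
                throw new IllegalStateException("Chain build failed: too many certs in chain (greater than number of input certs)! Chain: " + Arrays.toString(getPrincipals(chain)));
            }
        }
        return normaliseChain(chain);
    }

    /**
     * Returns the first certificate, in iteration order, whose public key equals
     * {@code publicKey}.
     *
     * @param publicKey key to look for
     * @param collection certificates to search
     * @return the matching certificate, or {@code null} if none matches
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public X509Certificate getCertificateFor(PublicKey publicKey, Collection<X509Certificate> collection) {
        for (X509Certificate candidate : collection) {
            if (candidate.getPublicKey().equals(publicKey)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key.
     *
     * <p>This is a cryptographic self-signature test only; it does not compare subject and
     * issuer names and says nothing about whether the certificate is a trusted root.
     *
     * @param x509Certificate certificate to test
     * @return {@code true} if the signature verifies under the certificate's own key
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public boolean isSelfSigned(X509Certificate x509Certificate) {
        return isSignedBy(x509Certificate, x509Certificate.getPublicKey());
    }

    /**
     * Reports whether {@code x509Certificate} verifies under {@code publicKey}.
     *
     * <p>Every failure is mapped to {@code false}, including failures that are not a signature
     * mismatch (for example an unsupported algorithm or a null argument). Callers cannot tell
     * those cases apart from the return value; the cause is logged at trace level.
     *
     * @param x509Certificate certificate whose signature is checked
     * @param publicKey key expected to have produced the signature
     * @return {@code true} only if {@link X509Certificate#verify(PublicKey)} completes normally
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public boolean isSignedBy(X509Certificate x509Certificate, PublicKey publicKey) {
        try {
            x509Certificate.verify(publicKey);
            return true;
        } catch (Exception e) {
            // Deliberately best-effort: a mismatch is the normal outcome while probing candidate
            // issuers, so the cause is only recorded at trace level instead of being dropped.
            LOG.trace("Certificate signature check did not succeed: {}", e.toString());
            return false;
        }
    }

    /**
     * Finds the issuer of {@code x509Certificate} among {@code collection}.
     *
     * <p>A candidate matches when its subject name equals the certificate's issuer name and the
     * certificate's signature verifies under the candidate's public key. The first match in
     * iteration order wins.
     *
     * <p>NOTE(review): the candidate is not required to be a CA certificate (basic constraints
     * and key usage are not consulted), so this is link discovery, not path validation.
     *
     * @param x509Certificate certificate whose issuer is wanted
     * @param collection candidate issuers
     * @return the issuing certificate, or {@code null} if no candidate matches
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public X509Certificate getIssuer(X509Certificate x509Certificate, Collection<X509Certificate> collection) {
        X500Principal wantedIssuer = x509Certificate.getIssuerX500Principal();
        for (X509Certificate candidate : collection) {
            // Name comparison first: it is cheap and avoids a signature check on most candidates.
            if (candidate.getSubjectX500Principal().equals(wantedIssuer) && isSignedBy(x509Certificate, candidate.getPublicKey())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Extracts the subject names of the given certificates, preserving order.
     *
     * @param list certificates to read; must not contain {@code null}
     * @return subject principals, one per certificate
     * @throws IllegalArgumentException if {@code list} contains {@code null}
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public X500Principal[] getPrincipals(List<X509Certificate> list) {
        if (list.contains(null)) {
            throw new IllegalArgumentException("Certificate chain contains null!");
        }
        X500Principal[] subjects = new X500Principal[list.size()];
        for (int i = 0; i < subjects.length; i++) {
            subjects[i] = list.get(i).getSubjectX500Principal();
        }
        return subjects;
    }

    /**
     * Brings a chain into this class's canonical order, which is root first.
     *
     * @param list chain with a self-signed certificate at one end
     * @return the result of {@link #toRootFirst(List)}
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public List<X509Certificate> normaliseChain(List<X509Certificate> list) {
        return toRootFirst(list);
    }

    /**
     * Returns the chain with its self-signed certificate in first position.
     *
     * <p>Only the two ends are inspected; the links in between are not re-verified. When the
     * input is already root first the result is an unmodifiable view of {@code list} itself (not
     * a copy), otherwise it is an unmodifiable reversed copy.
     *
     * @param list chain to reorder; must be non-null and non-empty
     * @return unmodifiable list starting with the self-signed certificate
     * @throws IllegalArgumentException if {@code list} is null or empty, or if neither end is
     *     self-signed
     */
    @Override // com.github.toolarium.security.certificate.ICertificateChainAnalyzer
    public List<X509Certificate> toRootFirst(List<X509Certificate> list) {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Must provide a chain that is non-null and non-empty");
        }
        if (isSelfSigned(list.get(0))) {
            return Collections.unmodifiableList(list);
        }
        List<X509Certificate> reversed = new ArrayList<X509Certificate>(list);
        Collections.reverse(reversed);
        if (!isSelfSigned(reversed.get(0))) {
            throw new IllegalArgumentException("Neither end of the certificate chain has a Root! " + list);
        }
        return Collections.unmodifiableList(reversed);
    }
}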
