package org.zuinnote.hadoop.office.format.common.util;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:org/zuinnote/hadoop/office/format/common/util/CertificateChainVerificationUtil.class */
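/**
 * Helper for checking that a signing certificate chains up to a root contained in a
 * caller-supplied set of certificates, using the PKIX path builder of the "BC" provider.
 *
 * <p>Security note: every self-signed certificate in the supplied set is treated as a trust
 * anchor. The result is therefore only meaningful when that set comes from a source the caller
 * already trusts (for example a protected truststore), never from the document being verified.
 */
public class CertificateChainVerificationUtil {
    private static final Log LOG = LogFactory.getLog(CertificateChainVerificationUtil.class.getName());

    /**
     * Verifies that a certification path can be built from {@code x509Certificate} to one of the
     * self-signed certificates in {@code set}.
     *
     * <p>The PKIX parameters are used with their defaults; this method does not configure
     * revocation checking or certificate policies itself.
     * NOTE(review): confirm that the provider defaults match the deployment's requirements.
     *
     * @param x509Certificate the certificate to verify (the end of the chain)
     * @param set root and intermediate certificates; self-signed entries become trust anchors,
     *     all other entries are offered to the path builder as intermediates
     * @return {@code true} if a path could be built; {@code false} if the certificate is
     *     self-signed, fewer than two chain certificates were supplied, or no path could be built
     * @throws CertificateException if a certificate cannot be processed
     * @throws NoSuchAlgorithmException if the "PKIX" builder or "Collection" store is unavailable
     * @throws NoSuchProviderException if the "BC" provider is not registered
     * @throws InvalidAlgorithmParameterException if the builder parameters are rejected, which
     *     includes the case where {@code set} contains no self-signed certificate
     */
    public static boolean verifyCertificateChain(X509Certificate x509Certificate, Set<X509Certificate> set) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        if (isSelfSigned(x509Certificate)) {
            LOG.error("Certificate is self-signed - no trust chain can be established with provided truststore");
            return false;
        }
        if (set.size() < 2) {
            LOG.error("One needs at least three certificates (including certificate used for signing to establish a trust chain. Please check that you included them");
            return false;
        }
        // Split the supplied certificates into roots (self-signed) and intermediates. The
        // certificate under test is added to the intermediates so the builder can select it.
        Set<X509Certificate> rootCertificates = new HashSet<>();
        Set<X509Certificate> intermediateCertificates = new HashSet<>();
        intermediateCertificates.add(x509Certificate);
        for (X509Certificate candidate : set) {
            if (isSelfSigned(candidate)) {
                LOG.debug("Root: " + candidate.getSubjectDN().getName());
                rootCertificates.add(candidate);
            } else {
                LOG.debug("Sub: " + candidate.getSubjectDN().getName());
                intermediateCertificates.add(candidate);
            }
        }
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(x509Certificate);
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "BC");
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        for (X509Certificate root : rootCertificates) {
            trustAnchors.add(new TrustAnchor(root, null));
        }
        PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(trustAnchors, targetSelector);
        builderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCertificates), "BC"));
        try {
            // The path must actually be built: without this call the method would report every
            // non-self-signed certificate as verified and the catch clause below could never run.
            certPathBuilder.build(builderParameters);
            return true;
        } catch (CertPathBuilderException e) {
            LOG.error("Exception: ", e);
            LOG.error("Cannot verify certification chain for " + x509Certificate.getSubjectX500Principal());
            return false;
        }
    }

    /**
     * Reports whether a certificate's signature verifies with the certificate's own public key.
     *
     * <p>Only the signature is checked; subject and issuer names are not compared.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} if the signature verifies with the certificate's own key,
     *     {@code false} if verification fails with an invalid key or a bad signature
     * @throws CertificateException on encoding errors
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
     * @throws NoSuchProviderException if there is no default provider
     */
    private static boolean isSelfSigned(X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            // A failed self-verification simply means the certificate was issued by another key.
            return false;
        }
    }
}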
