package org.apache.qpid.server.security;

import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.class */
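/**
 * {@link X509TrustManager} decorator that, for client authentication, also checks the validity
 * period of the trust anchor a peer certificate chains to.
 *
 * <p>All three interface methods delegate to the wrapped trust manager first. Only
 * {@link #checkClientTrusted} performs the extra trust-anchor check; {@link #checkServerTrusted}
 * is a pure pass-through, so an expired or not-yet-valid anchor is not detected by this class on
 * that path.
 */
class TrustAnchorValidatingTrustManager implements X509TrustManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(TrustAnchorValidatingTrustManager.class);

    // Only used to identify the truststore in the warning logged when an anchor is out of date.
    private final String _trustStoreName;
    private final X509TrustManager _x509TrustManager;
    private final Set<TrustAnchor> _trustAnchors;
    private final Set<Certificate> _otherCerts;

    /**
     * @param trustStoreName   name of the truststore, used in log messages only
     * @param x509TrustManager trust manager that performs the primary chain validation
     * @param trustAnchors     anchors a peer certificate path may terminate at
     * @param otherCerts       additional certificates made available to the path builder
     */
    public TrustAnchorValidatingTrustManager(String trustStoreName, X509TrustManager x509TrustManager, Set<TrustAnchor> trustAnchors, Set<Certificate> otherCerts) {
        this._trustStoreName = trustStoreName;
        this._x509TrustManager = x509TrustManager;
        this._trustAnchors = trustAnchors;
        this._otherCerts = otherCerts;
    }

    /**
     * Delegates to the wrapped trust manager, then rebuilds the certification path to find the
     * trust anchor the peer certificate chains to and rejects the peer if that anchor's
     * certificate is expired or not yet valid.
     *
     * @throws CertificateExpiredException     if the trust anchor certificate has expired
     * @throws CertificateNotYetValidException if the trust anchor certificate is not yet valid
     * @throws CertificateException            if the delegate rejects the chain, no path to a
     *                                         trust anchor can be built, or the anchor carries no
     *                                         certificate whose validity could be checked
     * @throws IllegalArgumentException        if the chain is null or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this._x509TrustManager.checkClientTrusted(chain, authType);

        // The delegate is expected to reject a null/empty chain itself; guard anyway so a lenient
        // delegate cannot lead to an ArrayIndexOutOfBoundsException / NullPointerException here.
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Peer certificate not found");
        }
        X509Certificate peerCertificate = chain[0];

        // Keep this try limited to path building: the validity exceptions thrown further down are
        // themselves GeneralSecurityExceptions and must reach the caller with their own type
        // rather than being re-wrapped as an "unexpected error".
        PKIXCertPathBuilderResult pathResult;
        try {
            pathResult = getPkixCertPathBuilderResult(chain, this._trustAnchors, this._otherCerts);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("Unexpected error whilst validating trust-anchor", e);
        }

        X509Certificate trustAnchorCert = pathResult.getTrustAnchor().getTrustedCert();
        if (trustAnchorCert == null) {
            // A TrustAnchor specified by CA name/public key has no certificate. Fail closed with a
            // CertificateException instead of a NullPointerException.
            throw new CertificateException("Trust anchor for peer certificate has no certificate; its validity period cannot be checked");
        }

        try {
            trustAnchorCert.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            LOGGER.warn("Authentication failed for peer bearing certificate (subject DN '{}') as the trust anchor (subject DN '{}') within truststore '{}' is either expired or not yet valid. Validity range {} - {}",
                    peerCertificate.getSubjectDN(),
                    trustAnchorCert.getSubjectDN(),
                    this._trustStoreName,
                    trustAnchorCert.getNotBefore(),
                    trustAnchorCert.getNotAfter());
            throw e;
        }
    }

    /**
     * Delegates to the wrapped trust manager without any additional trust-anchor validity check.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this._x509TrustManager.checkServerTrusted(chain, authType);
    }

    /** Returns the accepted issuers reported by the wrapped trust manager. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this._x509TrustManager.getAcceptedIssuers();
    }

    /**
     * Builds a PKIX certification path from the peer certificate (first element of the chain) to
     * one of the supplied trust anchors.
     *
     * <p>The path builder may draw on the remaining chain elements and on {@code otherCerts}.
     * Revocation checking is switched off for this build, so no CRL/OCSP decision is made here.
     * NOTE(review): whether revocation is enforced at all depends on the wrapped trust manager,
     * which is not visible from this class - confirm.
     *
     * @throws GeneralSecurityException if no path to a trust anchor can be built or the builder
     *                                  cannot be set up
     * @throws IllegalArgumentException if the chain is empty
     */
    private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(X509Certificate[] chain, Set<TrustAnchor> trustAnchors, Set<Certificate> otherCerts) throws GeneralSecurityException {
        Set<Certificate> storeCerts = new HashSet<>(otherCerts);
        if (chain.length == 0) {
            throw new IllegalArgumentException("Peer certificate not found");
        }
        X509Certificate peerCertificate = chain[0];
        // The store holds the whole presented chain, peer certificate included.
        storeCerts.addAll(Arrays.asList(chain));

        // Pin the path's target to exactly the peer certificate.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(peerCertificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts)));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}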
