package org.adullact.parapheur.applets.splittedsign;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:org/adullact/parapheur/applets/splittedsign/CertificateVerifier.class */
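/**
 * Builds a PKIX certification path for a certificate and consults CRLs for it.
 *
 * <p>Security notes for reviewers, based only on what this class shows:
 * <ul>
 *   <li>The PKIX builder runs with revocation checking disabled; revocation is checked
 *       separately and only for the end-entity certificate passed in. Nothing in this class
 *       checks the revocation status of the intermediate or root certificates of the path.</li>
 *   <li>{@link #loadCRLsFromStreamAndCheckCert} consults each CRL without verifying the CRL's
 *       signature, issuer or validity window, so a "not revoked" answer is only as trustworthy
 *       as the place the CRL was loaded from.</li>
 *   <li>CRL locations listed in the caller's tolerated list fail open: an I/O error while
 *       loading them is ignored.</li>
 * </ul>
 */
public class CertificateVerifier {
    /**
     * Verifies {@code x509Certificate} against a mixed set of root and intermediate certificates,
     * then runs the CRL check on it.
     *
     * <p>Every self-signed member of {@code set} becomes a trust anchor and every other member is
     * offered to the path builder as a possible intermediate, so the set must only contain
     * certificates the caller already trusts.
     *
     * @param x509Certificate the certificate to verify; rejected outright when it is self-signed
     * @param set trusted roots and intermediates, partitioned here with {@link #isSelfSigned}
     * @param list passed unchanged to {@code CRLVerifier.verifyCertificateCRLs}; presumably the
     *     CRL locations whose load failures are tolerated (confirm against CRLVerifier)
     * @return the result of the PKIX path build
     * @throws CertificateVerificationException if the certificate is self-signed or any other
     *     security error occurs while verifying it
     * @throws CertificateRevokedException propagated from the CRL check
     * @throws CertPathBuilderException if no path to a trust anchor can be built
     * @throws CRLNotFoundException propagated from the CRL check
     */
    public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, Set<X509Certificate> set, List<String> list) throws CertificateVerificationException, CertificateRevokedException, CertPathBuilderException, CRLNotFoundException {
        try {
            if (isSelfSigned(x509Certificate)) {
                throw new CertificateVerificationException("The certificate is self-signed.");
            }
            Set<X509Certificate> trustedRoots = new HashSet<>();
            Set<X509Certificate> intermediates = new HashSet<>();
            for (X509Certificate candidate : set) {
                if (isSelfSigned(candidate)) {
                    trustedRoots.add(candidate);
                } else {
                    intermediates.add(candidate);
                }
            }
            PKIXCertPathBuilderResult result = verifyCertificate(x509Certificate, trustedRoots, intermediates);
            for (Certificate certificate : result.getCertPath().getCertificates()) {
                System.out.println("\t Found in chain : " + toX509(certificate).getSubjectX500Principal().getName());
            }
            // Only the end-entity certificate is handed to the CRL check; the path built above
            // was produced with revocation checking disabled.
            CRLVerifier.verifyCertificateCRLs(x509Certificate, list);
            return result;
        } catch (CertPathBuilderException e) {
            // Rethrown as-is so it is not wrapped by the GeneralSecurityException handler below.
            throw e;
        } catch (CertificateRevokedException e) {
            // Kept ahead of GeneralSecurityException: the hierarchy of this project type is not
            // visible here and a revocation must never be reported as a generic failure.
            throw e;
        } catch (GeneralSecurityException e) {
            throw new CertificateVerificationException("Error verifying the certificate: " + x509Certificate.getSubjectX500Principal(), e);
        }
    }

    /**
     * Reports whether the certificate's signature verifies with its own public key.
     *
     * <p>NOTE(review): only the signature is tested; subject and issuer names are not compared.
     *
     * @param x509Certificate the certificate to test
     * @return {@code true} if the signature verifies with the certificate's own key,
     *     {@code false} if the key is unusable for it or the signature does not match
     * @throws CertificateException on encoding errors
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
     * @throws NoSuchProviderException if there is no default provider
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            // Signed by a different key: not self-signed.
            return false;
        }
    }

    /**
     * Builds a PKIX path from {@code x509Certificate} to one of the given trust anchors.
     *
     * @param x509Certificate the target certificate
     * @param set self-signed certificates used as trust anchors (no name constraints)
     * @param set2 certificates made available to the builder as intermediates
     * @return the path builder result
     * @throws GeneralSecurityException if the parameters are invalid (for example no trust
     *     anchors), the "SUN" provider is unavailable, or no path can be built
     */
    private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, Set<X509Certificate> set, Set<X509Certificate> set2) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(x509Certificate);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : set) {
            anchors.add(new TrustAnchor(root, null));
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Revocation is not evaluated by the builder; callers in this class run a separate CRL
        // check on the end-entity certificate only.
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(set2), "SUN"));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", "SUN").build(params);
    }

    /**
     * Verifies {@code x509Certificate} using every X.509 certificate entry of a key store as
     * trusted material.
     *
     * <p>NOTE(review): despite the name, nothing visible in this class checks the CA certificates
     * themselves against a CRL; see the class comment.
     *
     * @param x509Certificate the certificate to verify
     * @param keyStore store whose certificate entries are trusted; key entries are ignored
     * @param list forwarded to {@link #verifyCertificate(X509Certificate, Set, List)}
     * @throws KeyStoreException if the key store has not been initialized
     * @throws CertificateVerificationException if verification fails
     * @throws CertPathBuilderException if no path to a trust anchor can be built
     * @throws CRLNotFoundException propagated from the CRL check
     * @throws CertificateException declared for callers; not thrown directly here
     */
    public static void validateCertAndACsAgainstProvidedCRL(X509Certificate x509Certificate, KeyStore keyStore, List<String> list) throws CertificateException, CRLNotFoundException, KeyStoreException, CertificateVerificationException, CertPathBuilderException {
        Set<X509Certificate> trusted = new HashSet<>();
        Enumeration<String> aliases = keyStore.aliases();
        if (aliases != null) {
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!keyStore.isCertificateEntry(alias)) {
                    continue;
                }
                // Skip entries that are absent or not X.509 instead of failing with a
                // ClassCastException or putting null into the trust set.
                Certificate entry = keyStore.getCertificate(alias);
                if (entry instanceof X509Certificate) {
                    trusted.add((X509Certificate) entry);
                }
            }
        }
        verifyCertificate(x509Certificate, trusted, list);
    }

    /**
     * Reads a list of CRL locations, loads each CRL and checks the certificate against it.
     *
     * <p>The list has one location per line; blank lines and lines starting with {@code #} are
     * skipped. Every location is fetched exactly as written, so the list itself must come from a
     * trusted source. The list stream is always closed before this method returns or throws.
     *
     * <p>NOTE(review): each CRL is used as parsed. Its signature, issuer and validity dates are
     * not checked here, so the absence of a revocation entry is not authenticated by this method.
     *
     * @param x509Certificate the certificate to look up in every CRL
     * @param inputStream the list of CRL locations
     * @param list locations whose I/O failures are tolerated (the entry is then skipped)
     * @return the CRLs that were loaded, in list order
     * @throws CertificateRevokedException if any loaded CRL lists the certificate
     * @throws CRLException if a CRL cannot be parsed or an entry yields no data to parse
     * @throws CRLNotFoundException if a CRL cannot be loaded and its location is not tolerated
     */
    public static ArrayList<X509Extension> loadCRLsFromStreamAndCheckCert(X509Certificate x509Certificate, InputStream inputStream, List<String> list) throws CertificateRevokedException, CRLException, CRLNotFoundException {
        ArrayList<X509Extension> crls = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream))) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            String line;
            while ((line = reader.readLine()) != null) {
                String location = line.trim();
                if (location.isEmpty() || location.startsWith("#")) {
                    continue;
                }
                try (InputStream crlStream = openCrlStream(location)) {
                    if (crlStream == null) {
                        // Unsupported scheme or missing resource: fail closed with a message
                        // naming the entry rather than handing a null stream to the factory.
                        throw new CRLException("No CRL data available for entry: " + location);
                    }
                    X509CRL crl = (X509CRL) factory.generateCRL(crlStream);
                    crls.add(crl);
                    if (crl.isRevoked(x509Certificate)) {
                        throw new CertificateRevokedException("Certificate is revoked");
                    }
                } catch (IOException e) {
                    // Fail-open path: a tolerated location that cannot be loaded is skipped.
                    if (!list.contains(location)) {
                        throw new CRLNotFoundException(e.getMessage(), location);
                    }
                }
            }
            return crls;
        } catch (IOException e) {
            System.err.println("Error reading embed CRL list");
            throw new RuntimeException("Error reading embed CRL list", e);
        } catch (CertificateException e) {
            // NOTE(review): if CertificateRevokedException derives from CertificateException, a
            // revocation would surface here as a RuntimeException; confirm its hierarchy.
            System.err.println("Fatal : Error trying to load internal x509 factory");
            throw new RuntimeException("Error trying to load internal x509 factory", e);
        }
    }

    /**
     * Returns the certificate as an {@link X509Certificate}, re-parsing its encoding if needed.
     */
    private static X509Certificate toX509(Certificate certificate) throws CertificateException {
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
    }

    /**
     * Opens the CRL named by one list entry.
     *
     * <p>Entries starting with {@code http} (which also admits {@code https}) are fetched as
     * URLs; entries starting with {@code file://} are looked up as class-path resources relative
     * to {@code Main}, not as file-system paths.
     *
     * <p>NOTE(review): the URL fetch sets no connect or read timeout, so an unresponsive CRL
     * server can block the caller.
     *
     * @return the opened stream, or {@code null} when the scheme is not handled or the resource
     *     does not exist
     */
    private static InputStream openCrlStream(String location) throws IOException {
        if (location.startsWith("http")) {
            return new URL(location).openStream();
        }
        if (location.startsWith("file://")) {
            String resource = location.substring("file://".length());
            System.out.println("Info: loading local CRL: " + resource);
            return Main.class.getResourceAsStream(resource);
        }
        return null;
    }
}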
