package org.eclipse.milo.opcua.stack.core.util.validation;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509CertificateHolder;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/stack-core-0.5.2.jar:org/eclipse/milo/opcua/stack/core/util/validation/CertificateValidationUtil.class */
public class CertificateValidationUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) CertificateValidationUtil.class);
    private static final String KEY_USAGE_OID = "2.5.29.15";
    private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
    private static final String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
    private static final int SUBJECT_ALT_NAME_URI = 6;
    private static final int SUBJECT_ALT_NAME_DNS_NAME = 2;
    private static final int SUBJECT_ALT_NAME_IP_ADDRESS = 7;

    public static PKIXCertPathBuilderResult buildTrustedCertPath(List<X509Certificate> list, Collection<X509Certificate> collection, Collection<X509Certificate> collection2) throws UaException {
        Preconditions.checkArgument(!list.isEmpty(), "certificateChain must not be empty");
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("certificateChain: {}", list);
            LOGGER.trace("trustedCertificates: {}", collection);
            LOGGER.trace("issuerCertificates: {}", collection2);
        }
        HashSet hashSet = new HashSet();
        for (X509Certificate x509Certificate : collection) {
            if (certificateIsCa(x509Certificate) && certificateIsSelfSigned(x509Certificate)) {
                hashSet.add(new TrustAnchor(x509Certificate, null));
            }
        }
        for (X509Certificate x509Certificate2 : collection2) {
            if (certificateIsCa(x509Certificate2) && certificateIsSelfSigned(x509Certificate2)) {
                hashSet.add(new TrustAnchor(x509Certificate2, null));
            }
        }
        PKIXCertPathBuilderResult buildCertPath = buildCertPath(list, collection, collection2, hashSet);
        CertPath certPath = buildCertPath.getCertPath();
        TrustAnchor trustAnchor = buildCertPath.getTrustAnchor();
        ArrayList arrayList = new ArrayList();
        Stream<? extends Certificate> stream = certPath.getCertificates().stream();
        Class<X509Certificate> cls = X509Certificate.class;
        X509Certificate.class.getClass();
        Stream<R> map = stream.map((v1) -> {
            return r1.cast(v1);
        });
        arrayList.getClass();
        map.forEach((v1) -> {
            r1.add(v1);
        });
        arrayList.add(trustAnchor.getTrustedCert());
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("certificate path: {}", (List) arrayList.stream().map(x509Certificate3 -> {
                return x509Certificate3.getSubjectX500Principal().getName();
            }).collect(Collectors.toList()));
        }
        Stream stream2 = arrayList.stream();
        collection.getClass();
        if (stream2.noneMatch((v1) -> {
            return r1.contains(v1);
        })) {
            throw new UaException(StatusCodes.Bad_CertificateUntrusted, "certificate chain did not contain a trusted certificate");
        }
        return buildCertPath;
    }

    public static void validateTrustedCertPath(CertPath certPath, TrustAnchor trustAnchor, Collection<X509CRL> collection, Set<ValidationCheck> set, boolean z) throws UaException {
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        boolean isEmpty = certPath.getCertificates().isEmpty();
        checkAnchorValidity(trustedCert, set, isEmpty, z);
        if (isEmpty) {
            return;
        }
        try {
            CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", "SUN");
            PKIXParameters pKIXParameters = new PKIXParameters(Sets.newHashSet(trustAnchor));
            pKIXParameters.addCertPathChecker(new OpcUaCertificateUsageChecker(certPath, set, z));
            try {
                pKIXParameters.setRevocationEnabled(true);
                if (!collection.isEmpty()) {
                    pKIXParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection)));
                }
                pKIXParameters.addCertPathChecker(new OpcUaCertificateRevocationChecker(certPath, trustAnchor, pKIXParameters, set));
            } catch (Exception e) {
                if (set.contains(ValidationCheck.REVOCATION)) {
                    pKIXParameters.setRevocationEnabled(true);
                    ((PKIXRevocationChecker) certPathValidator.getRevocationChecker()).setOptions(Sets.newHashSet(PKIXRevocationChecker.Option.NO_FALLBACK, PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.SOFT_FAIL));
                } else {
                    pKIXParameters.setRevocationEnabled(false);
                }
                LOGGER.warn("Failed to add custom revocation checker; REVOCATION_LIST_FOUND check will be ignored.");
            }
            certPathValidator.validate(certPath, pKIXParameters);
        } catch (CertPathValidatorException e2) {
            CertPath certPath2 = e2.getCertPath();
            CertPathValidatorException.Reason reason = e2.getReason();
            int index = e2.getIndex();
            if (index < 0) {
                throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e2);
            }
            LOGGER.debug("cert path validation failed at index={} reason={}, certificate={}", Integer.valueOf(index), reason, ((X509Certificate) certPath2.getCertificates().get(index)).getSubjectX500Principal().getName());
            if (reason == CertPathValidatorException.BasicReason.REVOKED) {
                if (index != 0) {
                    throw new UaException(StatusCodes.Bad_CertificateIssuerRevoked, e2);
                }
                throw new UaException(StatusCodes.Bad_CertificateRevoked, e2);
            }
            if (reason == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                if (index != 0) {
                    throw new UaException(StatusCodes.Bad_CertificateIssuerRevocationUnknown, e2);
                }
                throw new UaException(StatusCodes.Bad_CertificateRevocationUnknown, e2);
            }
            if (reason != CertPathValidatorException.BasicReason.EXPIRED && reason != CertPathValidatorException.BasicReason.NOT_YET_VALID) {
                throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e2);
            }
            if (index != 0) {
                throw new UaException(StatusCodes.Bad_CertificateIssuerTimeInvalid, e2);
            }
            throw new UaException(StatusCodes.Bad_CertificateTimeInvalid, e2);
        } catch (GeneralSecurityException e3) {
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e3);
        }
    }

    private static void checkAnchorValidity(X509Certificate x509Certificate, Set<ValidationCheck> set, boolean z, boolean z2) throws UaException {
        Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null) {
            criticalExtensionOIDs = Collections.emptySet();
        }
        try {
            checkValidity(x509Certificate, z);
        } catch (UaException e) {
            if (set.contains(ValidationCheck.VALIDITY)) {
                throw e;
            }
            LOGGER.warn("check suppressed: certificate failed end-entity validity check: {}", x509Certificate.getSubjectX500Principal().getName());
        }
        if (!z) {
            try {
                checkIssuerKeyUsage(x509Certificate);
                return;
            } catch (UaException e2) {
                if (set.contains(ValidationCheck.KEY_USAGE_ISSUER)) {
                    throw e2;
                }
                LOGGER.warn("check suppressed: certificate failed issuer KeyUsage check: {}", x509Certificate.getSubjectX500Principal().getName());
                return;
            }
        }
        try {
            checkEndEntityKeyUsage(x509Certificate);
        } catch (UaException e3) {
            if (set.contains(ValidationCheck.KEY_USAGE_END_ENTITY) || criticalExtensionOIDs.contains(KEY_USAGE_OID)) {
                throw e3;
            }
            LOGGER.warn("check suppressed: certificate failed end-entity KeyUsage check: {}", x509Certificate.getSubjectX500Principal().getName());
        }
        try {
            checkEndEntityExtendedKeyUsage(x509Certificate, z2);
        } catch (UaException e4) {
            if (set.contains(ValidationCheck.EXTENDED_KEY_USAGE_END_ENTITY) || criticalExtensionOIDs.contains(EXTENDED_KEY_USAGE_OID)) {
                throw e4;
            }
            LOGGER.warn("check suppressed: certificate failed end-entity ExtendedKeyUsage check: {}", x509Certificate.getSubjectX500Principal().getName());
        }
    }

    private static PKIXCertPathBuilderResult buildCertPath(List<X509Certificate> list, Collection<X509Certificate> collection, Collection<X509Certificate> collection2, Set<TrustAnchor> set) throws UaException {
        X509Certificate x509Certificate = list.get(0);
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509Certificate);
        try {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(set, x509CertSelector);
            ArrayList newArrayList = Lists.newArrayList();
            newArrayList.addAll(list.subList(1, list.size()));
            for (X509Certificate x509Certificate2 : collection) {
                if (certificateIsCa(x509Certificate2) && !certificateIsSelfSigned(x509Certificate2)) {
                    newArrayList.add(x509Certificate2);
                }
            }
            for (X509Certificate x509Certificate3 : collection2) {
                if (certificateIsCa(x509Certificate3) && !certificateIsSelfSigned(x509Certificate3)) {
                    newArrayList.add(x509Certificate3);
                }
            }
            if (newArrayList.size() > 0) {
                pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(newArrayList)));
            }
            pKIXBuilderParameters.setRevocationEnabled(false);
            return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        } catch (GeneralSecurityException e) {
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
        }
    }

    static boolean certificateIsCa(X509Certificate x509Certificate) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        int basicConstraints = x509Certificate.getBasicConstraints();
        if (keyUsage == null) {
            return basicConstraints >= 0;
        }
        if (keyUsage[5] && basicConstraints == -1) {
            LOGGER.debug("'{}' violates RFC 5280: KeyUsage keyCertSign bit set without BasicConstraint cA bit set", x509Certificate.getSubjectX500Principal().getName());
        }
        return keyUsage[5] || basicConstraints >= 0;
    }

    private static boolean certificateIsSelfSigned(X509Certificate x509Certificate) throws UaException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return Objects.equals(x509Certificate.getSubjectX500Principal(), x509Certificate.getIssuerX500Principal());
        } catch (InvalidKeyException | SignatureException e) {
            return false;
        } catch (Exception e2) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e2);
        }
    }

    public static void checkValidity(X509Certificate x509Certificate, boolean z) throws UaException {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new UaException(z ? StatusCodes.Bad_CertificateTimeInvalid : StatusCodes.Bad_CertificateIssuerTimeInvalid, String.format("certificate is expired: %s - %s", x509Certificate.getNotBefore(), x509Certificate.getNotAfter()));
        } catch (CertificateNotYetValidException e2) {
            throw new UaException(z ? StatusCodes.Bad_CertificateTimeInvalid : StatusCodes.Bad_CertificateIssuerTimeInvalid, String.format("certificate not yet valid: %s - %s", x509Certificate.getNotBefore(), x509Certificate.getNotAfter()));
        }
    }

    public static void checkHostnameOrIpAddress(X509Certificate x509Certificate, String... strArr) throws UaException {
        boolean anyMatch = Arrays.stream(strArr).anyMatch(str -> {
            try {
                str.getClass();
                return checkSubjectAltNameField(x509Certificate, 2, str::equals);
            } catch (Throwable th) {
                return false;
            }
        });
        boolean anyMatch2 = Arrays.stream(strArr).anyMatch(str2 -> {
            try {
                str2.getClass();
                return checkSubjectAltNameField(x509Certificate, 7, str2::equals);
            } catch (Throwable th) {
                return false;
            }
        });
        if (!anyMatch && !anyMatch2) {
            throw new UaException(StatusCodes.Bad_CertificateHostNameInvalid);
        }
    }

    public static void checkEndEntityKeyUsage(X509Certificate x509Certificate) throws UaException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "KeyUsage extension not found");
        }
        boolean z = keyUsage[0];
        boolean z2 = keyUsage[1];
        boolean z3 = keyUsage[2];
        boolean z4 = keyUsage[3];
        if (!z) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required KeyUsage 'digitalSignature' not found");
        }
        if (!z2) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required KeyUsage 'nonRepudiation' not found");
        }
        if (!z3) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required KeyUsage 'keyEncipherment' not found");
        }
        if (!z4) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required KeyUsage 'dataEncipherment' not found");
        }
    }

    public static void checkEndEntityExtendedKeyUsage(X509Certificate x509Certificate, boolean z) throws UaException {
        try {
            List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            if (extendedKeyUsage == null) {
                throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "ExtendedKeyUsage extension not found");
            }
            if (z && !extendedKeyUsage.contains(CLIENT_AUTH_OID)) {
                throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required ExtendedKeyUsage 'clientAuth' not found");
            }
            if (!z && !extendedKeyUsage.contains(SERVER_AUTH_OID)) {
                throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed, "required ExtendedKeyUsage 'serverAuth' not found");
            }
        } catch (CertificateParsingException e) {
            throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed);
        }
    }

    public static void checkIssuerKeyUsage(X509Certificate x509Certificate) throws UaException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            throw new UaException(StatusCodes.Bad_CertificateIssuerUseNotAllowed, "KeyUsage extension not found");
        }
        boolean z = keyUsage[0];
        boolean z2 = keyUsage[5];
        boolean z3 = keyUsage[6];
        if (!z) {
            throw new UaException(StatusCodes.Bad_CertificateIssuerUseNotAllowed, "required KeyUsage 'digitalSignature' not found");
        }
        if (!z2) {
            throw new UaException(StatusCodes.Bad_CertificateIssuerUseNotAllowed, "required KeyUsage 'keyCertSign' not found");
        }
        if (!z3) {
            throw new UaException(StatusCodes.Bad_CertificateIssuerUseNotAllowed, "required KeyUsage 'cRLSign' not found");
        }
    }

    public static void checkApplicationUri(X509Certificate x509Certificate, String str) throws UaException {
        str.getClass();
        if (checkSubjectAltNameField(x509Certificate, 6, str::equals)) {
            return;
        }
        try {
            GeneralNames fromExtensions = GeneralNames.fromExtensions(new X509CertificateHolder(x509Certificate.getEncoded()).getExtensions(), Extension.subjectAlternativeName);
            if (fromExtensions != null) {
                for (GeneralName generalName : fromExtensions.getNames()) {
                    if (generalName.getTagNo() == 6) {
                        if (!Objects.equals(str, generalName.getName().toString())) {
                            throw new UaException(StatusCodes.Bad_CertificateUriInvalid);
                        }
                        return;
                    }
                }
            }
            throw new UaException(StatusCodes.Bad_CertificateUriInvalid);
        } catch (Exception e) {
            throw new UaException(StatusCodes.Bad_CertificateUriInvalid);
        }
    }

    private static boolean checkSubjectAltNameField(X509Certificate x509Certificate, int i, Predicate<Object> predicate) throws UaException {
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                subjectAlternativeNames = Collections.emptyList();
            }
            for (List<?> list : subjectAlternativeNames) {
                if (list != null && list.size() == 2 && list.get(0).equals(Integer.valueOf(i)) && predicate.test(list.get(1))) {
                    return true;
                }
            }
            return false;
        } catch (CertificateParsingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }

    public static String getSubjectAltNameUri(X509Certificate x509Certificate) throws UaException {
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                subjectAlternativeNames = Collections.emptyList();
            }
            for (List<?> list : subjectAlternativeNames) {
                if (list != null && list.size() == 2 && list.get(0).equals(6)) {
                    Object obj = list.get(1);
                    if (obj != null) {
                        return obj.toString();
                    }
                    return null;
                }
            }
            return null;
        } catch (CertificateParsingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }
}
