package org.eclipse.milo.opcua.stack.core.util.validation;

import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/stack-core-0.5.2.jar:org/eclipse/milo/opcua/stack/core/util/validation/OpcUaCertificateValidityChecker.class */
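/**
 * A {@link PKIXCertPathChecker} that, for each certificate presented in reverse (trust anchor to
 * end entity) order, verifies three things against the certificate that preceded it in the path:
 * <ul>
 *   <li>the certificate is within its validity period at the time of the check,</li>
 *   <li>its issuer DN equals the previous certificate's (or trust anchor's) subject DN, and</li>
 *   <li>its signature verifies with the previous certificate's (or trust anchor's) public key.</li>
 * </ul>
 * Only the validity-period failure is suppressible: when {@link ValidationCheck#VALIDITY} is absent
 * from the configured checks an expired / not-yet-valid certificate is logged and accepted, but
 * name-chaining and signature failures always fail the path. (The original grouped all three
 * checks under the same suppression, so disabling VALIDITY also silenced signature and chaining
 * errors with a misleading "failed validity check" log line.)
 *
 * <p>Forward checking is not supported; {@link #init(boolean)} rejects it.
 */
public class OpcUaCertificateValidityChecker extends PKIXCertPathChecker {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpcUaCertificateValidityChecker.class);

    // Subject DN and public key of the previously checked certificate (or the trust anchor
    // before the first certificate); set by init(boolean) and advanced by updateInternalState.
    private X500Principal previousSubject;
    private PublicKey previousPublicKey;

    private final CertPath certPath;
    private final TrustAnchor trustAnchor;
    private final Set<ValidationCheck> validationChecks;

    /**
     * @param certPath         the path being validated; used only to report the index of a
     *                         failing certificate in the thrown {@link CertPathValidatorException}.
     * @param trustAnchor      the anchor whose subject and public key seed the chaining state.
     * @param validationChecks the enabled checks; only {@link ValidationCheck#VALIDITY} is
     *                         consulted by this checker.
     */
    public OpcUaCertificateValidityChecker(CertPath certPath, TrustAnchor trustAnchor, Set<ValidationCheck> validationChecks) {
        this.certPath = certPath;
        this.trustAnchor = trustAnchor;
        this.validationChecks = validationChecks;
    }

    /**
     * Seeds the chaining state from the trust anchor.
     *
     * @param forward {@code true} requests forward checking, which this checker does not support.
     * @throws CertPathValidatorException if {@code forward} is {@code true}.
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean forward) throws CertPathValidatorException {
        if (forward) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        X509Certificate trustedCert = this.trustAnchor.getTrustedCert();
        if (trustedCert != null) {
            this.previousPublicKey = trustedCert.getPublicKey();
            this.previousSubject = trustedCert.getSubjectX500Principal();
        } else {
            // Anchor given as (CA name, CA key) rather than as a certificate.
            this.previousPublicKey = this.trustAnchor.getCAPublicKey();
            this.previousSubject = this.trustAnchor.getCA();
        }
    }

    /** Always {@code false}: the chaining state only makes sense in reverse order. */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** Returns {@code null}: this checker resolves no critical extensions. */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Checks one certificate of the path and then advances the chaining state to it.
     *
     * @param certificate         the certificate to check; must be an {@link X509Certificate}.
     * @param unresolvedCritExts  unused; this checker handles no critical extensions.
     * @throws CertPathValidatorException if the certificate is not an X.509 certificate, if name
     *                                    chaining or the signature fails, or if the validity period
     *                                    fails while {@link ValidationCheck#VALIDITY} is enabled.
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
        if (!(certificate instanceof X509Certificate)) {
            // Report a validator failure instead of letting the cast throw ClassCastException.
            throw new CertPathValidatorException("expected an X509Certificate but got: "
                + (certificate == null ? "null" : certificate.getType()));
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;

        // Only the validity-period check is governed by ValidationCheck.VALIDITY.
        try {
            verifyValidity(x509Certificate);
        } catch (CertPathValidatorException e) {
            if (this.validationChecks.contains(ValidationCheck.VALIDITY)) {
                throw e;
            }
            LOGGER.warn("check suppressed: certificate failed validity check: {}", x509Certificate.getSubjectX500Principal().getName());
        }

        // Name chaining and signature verification are never suppressed: the certificate must
        // be issued by, and signed with the key of, the previous element of the path.
        verifyNameChaining(x509Certificate);
        verifySignature(x509Certificate);

        updateInternalState(x509Certificate);
    }

    /** Makes {@code x509Certificate} the reference for the next certificate in the path. */
    private void updateInternalState(X509Certificate x509Certificate) {
        this.previousPublicKey = x509Certificate.getPublicKey();
        this.previousSubject = x509Certificate.getSubjectX500Principal();
    }

    /**
     * Verifies the certificate is valid now.
     *
     * @throws CertPathValidatorException with reason {@code EXPIRED} or {@code NOT_YET_VALID}.
     */
    private void verifyValidity(X509Certificate x509Certificate) throws CertPathValidatorException {
        try {
            x509Certificate.checkValidity(new Date());
        } catch (CertificateExpiredException e) {
            throw new CertPathValidatorException("validity check failed (expired)", e, null, indexOf(x509Certificate), CertPathValidatorException.BasicReason.EXPIRED);
        } catch (CertificateNotYetValidException e) {
            throw new CertPathValidatorException("validity check failed (not yet valid)", e, null, indexOf(x509Certificate), CertPathValidatorException.BasicReason.NOT_YET_VALID);
        }
    }

    /**
     * Verifies the issuer DN equals the previous subject DN. Skipped when no previous subject
     * is known (i.e. {@link #init(boolean)} has not been called).
     *
     * @throws CertPathValidatorException with reason {@link PKIXReason#NAME_CHAINING}.
     */
    private void verifyNameChaining(X509Certificate x509Certificate) throws CertPathValidatorException {
        if (this.previousSubject == null) {
            return;
        }
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        String issuerName = issuer.getName();
        if (issuerName == null || issuerName.isEmpty()) {
            throw new CertPathValidatorException("subject/issuer name chaining check failed: null/empty issuer DN", null, null, indexOf(x509Certificate), PKIXReason.NAME_CHAINING);
        }
        if (!Objects.equals(issuer, this.previousSubject)) {
            throw new CertPathValidatorException("subject/issuer name chaining check failed", null, null, indexOf(x509Certificate), PKIXReason.NAME_CHAINING);
        }
    }

    /**
     * Verifies the certificate's signature with the previous public key.
     *
     * @throws CertPathValidatorException with reason {@code INVALID_SIGNATURE} when the signature
     *                                    does not verify; without a reason for any other
     *                                    {@link GeneralSecurityException} (e.g. unusable key or
     *                                    unsupported algorithm).
     */
    private void verifySignature(X509Certificate x509Certificate) throws CertPathValidatorException {
        try {
            x509Certificate.verify(this.previousPublicKey);
        } catch (SignatureException e) {
            throw new CertPathValidatorException("signature check failed", e, null, indexOf(x509Certificate), CertPathValidatorException.BasicReason.INVALID_SIGNATURE);
        } catch (GeneralSecurityException e) {
            throw new CertPathValidatorException("signature check failed", e);
        }
    }

    /** Index of {@code x509Certificate} in the path, for exception reporting (-1 if absent). */
    private int indexOf(X509Certificate x509Certificate) {
        return this.certPath.getCertificates().indexOf(x509Certificate);
    }
}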
