package ru.CryptoPro.AdES.certificate;

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import ru.CryptoPro.AdES.BaseParameterValidator;
import ru.CryptoPro.AdES.exception.AdESException;
import ru.CryptoPro.AdES.tools.AdESUtility;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.JCP.tools.Platform;

/* loaded from: classes4.dex */
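/**
 * Validates an already-ordered X.509 certificate chain with the JCA {@link CertPathValidator},
 * with revocation checking always enabled, and then runs optional per-certificate validators.
 *
 * <p>The chain is expected target-first, root-last: element 0 becomes the target certificate and
 * the last element becomes the trust anchor.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The trust anchor is taken from the caller-supplied chain itself. Nothing in this class
 *       compares it with a trust store, so the caller must have established trust in the last
 *       element beforehand (presumably the chain builder does this; confirm against callers).</li>
 *   <li>A single-certificate chain is accepted as soon as the certificate is self-signed; no PKIX
 *       validation (validity period, revocation) runs for it.</li>
 *   <li>{@link #setEnableCertificateValidation(boolean) setEnableCertificateValidation(false)}
 *       turns off path and revocation checking completely; only the extra validators still run.</li>
 *   <li>Revocation data comes from the CRLs given to {@link #setCRLs(Set)} (offline), or, when that
 *       set is empty, from whatever online mechanism (CRL DP / OCSP) the JVM is configured for.</li>
 * </ul>
 */
public class BaseCertificateChainValidatorImpl extends AbstractCertificateChainBuilder implements BaseCertificateChainValidator {
    private static final String VALIDATE_WARNING = "For online validation (by CRL DP) 'com.sun.security.enableCRLDP' (for Oracle), or 'com.ibm.security.enableCRLDP' (for IBM) must be set to 'true', or 'ocsp.enable' must be set to 'true' (OCSP) with other options (responder etc.), or CRL list must be set for offline validation";

    // CRLs supplied by the caller; an empty set selects online revocation checking.
    private final Set<X509CRL> cRLs = new HashSet<>();

    // When false, PKIX path validation and revocation checking are skipped entirely.
    private boolean enableCertificateValidation = true;

    /**
     * Reports whether online CRL retrieval through CRL distribution points is switched on.
     *
     * @return {@code true} if either the Sun/Oracle or the IBM CRL DP flag is set
     */
    private boolean isEnabledCRLValidationOnline() {
        return PARAM_SUN_CRL_DP || PARAM_IBM_CRL_DP;
    }

    /**
     * Prepares the intermediate list and the trust anchors, then delegates to
     * {@link #validate(List, Set)}.
     *
     * @param list full chain, target first and root last; not modified
     * @throws AdESException if a single-certificate chain is not self-signed, or if PKIX
     *     validation of a longer chain fails
     */
    private void validate(List<X509Certificate> list) throws AdESException {
        JCPLogger.subEnter();
        JCPLogger.subTrace("Check if the certificate chain is valid.");
        // Work on a copy so that the caller's list is left untouched.
        List<X509Certificate> intermediates = new ArrayList<>(list);
        if (intermediates.size() == 1) {
            if (!AdESUtility.isSelfSigned(this.targetCert)) {
                throw new AdESException("Certificate: sn " + this.targetCert.getSerialNumber().toString(16) + ", subject " + this.targetCert.getSubjectDN() + " is not root or/and is not found in the list of trusted certificates", AdESException.ecBuilderRootIsUntrusted);
            }
            // NOTE(review): a self-signed single certificate is accepted here without any PKIX
            // check (validity dates, revocation) and without a trust-store lookup in this class;
            // confirm that trust was established before this method is reached.
            JCPLogger.subTraceFormat("Skip validation of the certificate:\n\tserial:  {0}\n\tsubject: {1}\n\tissuer:  {2}\n\treason: self-signed in single-certificate chain.", this.targetCert.getSerialNumber().toString(16), this.targetCert.getSubjectDN(), this.targetCert.getIssuerDN());
            // NOTE(review): this early return (like the exception paths) leaves without the
            // JCPLogger.subExit() call made on the normal path; confirm whether that matters.
            return;
        }
        // Only the intermediates are passed on; target and root are re-added by the callee.
        intermediates.remove(this.rootCert);
        intermediates.remove(this.targetCert);
        Set<TrustAnchor> anchors = new HashSet<>(1);
        anchors.add(new TrustAnchor(this.rootCert, null));
        if (Platform.isIbm || Platform.isAndroid) {
            JCPLogger.subTrace("IBM JVM or Android detected.");
            // NOTE(review): on these platforms every intermediate whose subject name equals its
            // issuer name is promoted to a trust anchor. Only the names are compared here, no
            // signature is verified, and the certificates come from the supplied chain. This
            // widens the anchor set beyond rootCert; confirm it is intended and that the chain
            // contents are trusted.
            for (X509Certificate candidate : intermediates) {
                if (candidate.getSubjectX500Principal().equals(candidate.getIssuerX500Principal())) {
                    anchors.add(new TrustAnchor(candidate, null));
                }
            }
        }
        validate(intermediates, anchors);
        JCPLogger.subExit();
    }

    /**
     * Returns the signature provider name used during validation.
     *
     * @return the provider name as last set through {@link #setProvider(String)}
     */
    @Override // ru.CryptoPro.AdES.certificate.CertificateChainBase
    public String getProvider() {
        return this.provider;
    }

    /**
     * Returns the point in time the chain is validated against.
     *
     * @return the stored validation date; the same {@link Date} instance is handed out
     */
    @Override // ru.CryptoPro.AdES.certificate.CertificateChainBase
    public Date getValidationDate() {
        return this.validationDate;
    }

    /**
     * Adds CRLs for offline revocation checking. Calls accumulate: earlier CRLs are kept.
     *
     * @param set CRLs to add; {@code null} is ignored instead of raising a
     *     {@link NullPointerException}
     */
    @Override // ru.CryptoPro.AdES.tools.CRLUtility
    public void setCRLs(Set<X509CRL> set) {
        if (set != null) {
            this.cRLs.addAll(set);
        }
    }

    /**
     * Switches PKIX path and revocation validation on or off.
     *
     * @param z {@code false} disables chain validation; the only trace of this is a log line
     */
    @Override // ru.CryptoPro.AdES.certificate.CertificateValidation
    public void setEnableCertificateValidation(boolean z) {
        this.enableCertificateValidation = z;
    }

    /**
     * Sets the signature provider name passed to the PKIX parameters.
     *
     * @param str provider name
     */
    @Override // ru.CryptoPro.AdES.tools.ProviderUtility
    public void setProvider(String str) {
        this.provider = str;
    }

    /**
     * Sets the point in time the chain is validated against.
     *
     * @param date validation date; stored by reference
     */
    @Override // ru.CryptoPro.AdES.certificate.CertificateChainBase
    public void setValidationDate(Date date) {
        this.validationDate = date;
    }

    /**
     * Validates the chain and then applies every extra validator to every certificate in it.
     *
     * @param list chain to verify, target certificate first and root last
     * @param list2 additional per-certificate validators, or {@code null} for none
     * @throws AdESException if the chain is {@code null} or empty, if chain validation fails, or
     *     if one of the extra validators rejects a certificate
     */
    @Override // ru.CryptoPro.AdES.certificate.CertificateChainValidator
    public void validate(List<X509Certificate> list, List<BaseParameterValidator<X509Certificate>> list2) throws AdESException {
        JCPLogger.subEnter();
        JCPLogger.subTrace("%%% Verifying certificate chain... %%%");
        if (list == null || list.isEmpty()) {
            throw new AdESException(AdESException.ecCertificateChainIsNull);
        }
        // Positional convention: element 0 is the signer, the last element is the trust anchor.
        this.targetCert = list.get(0);
        this.rootCert = list.get(list.size() - 1);
        JCPLogger.subTrace("enableCertificateValidation = " + this.enableCertificateValidation);
        if (this.enableCertificateValidation) {
            validate(list);
        } else {
            // With validation disabled no signature, validity or revocation check is performed;
            // this trace line is the only record of it.
            JCPLogger.subTrace("Warning! Validating of the signer certificate chain has been disabled!");
        }
        if (list2 != null) {
            // The extra validators run whether or not chain validation was enabled above.
            for (X509Certificate certificate : list) {
                for (BaseParameterValidator<X509Certificate> parameterValidator : list2) {
                    JCPLogger.subTraceFormat("Trying to check the certificate parameters:\n\tserial: {0}\n\tsubject: {1}\n\tissuer: {2}\n\tvalidator class: {3}\n\t...", certificate.getSerialNumber().toString(16), certificate.getSubjectDN(), certificate.getIssuerDN(), parameterValidator.getClass().getCanonicalName());
                    parameterValidator.validate(certificate);
                }
            }
        }
        JCPLogger.subExit();
    }

    /**
     * Runs the PKIX validator over target + intermediates against the given trust anchors, with
     * revocation checking enabled.
     *
     * <p>Error-code mapping, useful when triaging failures: a failure is reported as
     * {@code ecRevocationCertificateStatusIsRevoked} only when the validator gives
     * {@code BasicReason.REVOKED} or a {@link CertificateRevokedException} is found in the cause
     * chain. Every other validator failure, as well as algorithm, provider and parameter errors,
     * is reported as {@code ecRevocationCertificateStatusIsUnknownOrRevoked}, so that code does
     * not by itself indicate a revocation problem; inspect the attached cause.
     *
     * @param list intermediate certificates, without target and root
     * @param set trust anchors for the validation
     * @throws AdESException if the path cannot be built or does not validate
     */
    protected void validate(List<X509Certificate> list, Set<TrustAnchor> set) throws AdESException {
        JCPLogger.subEnter();
        String targetInfo = "\n\tserial:  " + this.targetCert.getSerialNumber().toString(16)
                + "\n\tsubject: " + this.targetCert.getSubjectDN()
                + "\n\tissuer:  " + this.targetCert.getIssuerDN()
                + "\n\tnot before: " + this.targetCert.getNotBefore()
                + "\n\tnot after:  " + this.targetCert.getNotAfter()
                + "\n\tsignature provider: " + this.provider
                + "\n\tvalidation date: " + getValidationDate()
                + "\n\trevocation algorithm: " + getAlgorithm()
                + "\n\trevocation validator: " + getRevocationProvider()
                + "\n\tonline (crl list is empty): " + this.cRLs.isEmpty();
        // Certificate-derived text (subject/issuer DN) is passed as an argument, not spliced
        // into the pattern, so that braces or quotes inside a DN cannot be read as format syntax
        // (assuming subTraceFormat treats its first argument as a pattern, as the {0}
        // placeholders at the other call sites suggest).
        JCPLogger.subTraceFormat("%%% Verifying the certificate chain for the target: {0}\n\t%%%", targetInfo);
        // The path handed to the validator: target first, then the intermediates, no anchor.
        List<X509Certificate> pathCertificates = new LinkedList<>();
        pathCertificates.add(this.targetCert);
        pathCertificates.addAll(list);
        // Cert store contents: the path, the root and, in offline mode, the local CRLs.
        List<Object> storeContents = new LinkedList<>();
        storeContents.addAll(pathCertificates);
        storeContents.add(this.rootCert);
        try {
            CertPath certPath = AdESUtility.CERT_FACTORY.generateCertPath(pathCertificates);
            boolean online = this.cRLs.isEmpty();
            if (!online) {
                JCPLogger.subTrace("Using local CRLs to verify the certificate chain...");
                storeContents.addAll(this.cRLs);
            }
            String failureMessage = "Validation failed for the target: " + targetInfo;
            try {
                PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(set, (CertSelector) null);
                pkixParameters.setSigProvider(this.provider);
                pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContents)));
                X509CertSelector targetSelector = new X509CertSelector();
                targetSelector.setCertificate(this.targetCert);
                pkixParameters.setTargetCertConstraints(targetSelector);
                JCPLogger.subTrace("Date for building and validating of the certificate chain: " + getValidationDate());
                // A null date makes the PKIX parameters fall back to the current time.
                pkixParameters.setDate(getValidationDate());
                // Revocation checking is mandatory in both the online and the offline mode.
                pkixParameters.setRevocationEnabled(true);
                if (online) {
                    JCPLogger.subTrace("Verifying the certificate chain (online) by use of " + (PARAM_OCSP ? "OCSP" : "CRL"));
                    if (!isEnabledCRLValidationOnline() && !PARAM_OCSP) {
                        // No revocation source is configured; this is only logged and the
                        // validator is still invoked with revocation checking enabled.
                        JCPLogger.error(VALIDATE_WARNING);
                    }
                } else {
                    JCPLogger.subTrace("Verifying the certificate chain (offline) using local CRL(s).");
                }
                CertPathValidator.getInstance(getAlgorithm(), getRevocationProvider()).validate(certPath, pkixParameters);
                JCPLogger.subTrace("Certificate chain is valid.");
                JCPLogger.subExit();
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
                // Setup failures are reported with the same "unknown or revoked" code.
                throw new AdESException(failureMessage + "\n" + VALIDATE_WARNING, e, AdESException.ecRevocationCertificateStatusIsUnknownOrRevoked);
            } catch (CertPathValidatorException e) {
                if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                    throw new AdESException(failureMessage, e, AdESException.ecRevocationCertificateStatusIsRevoked);
                }
                // Some validators report a revocation only through the cause chain.
                for (Throwable cause = e.getCause(); cause != null; cause = cause.getCause()) {
                    if (cause instanceof CertificateRevokedException) {
                        throw new AdESException(failureMessage, e, AdESException.ecRevocationCertificateStatusIsRevoked);
                    }
                }
                throw new AdESException(failureMessage + "\n" + VALIDATE_WARNING, e, AdESException.ecRevocationCertificateStatusIsUnknownOrRevoked);
            }
        } catch (CertificateException e) {
            throw new AdESException(e, AdESException.ecInternal);
        }
    }
}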
