package no.difi.certvalidator.rule;

import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import no.difi.certvalidator.api.CertificateBucket;
import no.difi.certvalidator.api.CertificateValidationException;
import no.difi.certvalidator.api.FailedValidationException;
import no.difi.certvalidator.api.ValidatorRule;
import no.difi.certvalidator.util.BCHelper;

/* loaded from: input_file:BOOT-INF/lib/commons-certvalidator-2.1.1.jar:no/difi/certvalidator/rule/ChainRule.class */
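/**
 * Validator rule that accepts a certificate only if a PKIX certification path can be built
 * from it to one of the configured root certificates, optionally through the configured
 * intermediate certificates.
 *
 * <p>Security notes for anyone wiring this rule into a validator:
 * <ul>
 *   <li>Revocation checking is switched off for the path build (see
 *       {@code setRevocationEnabled(false)} below). On its own this rule accepts a revoked
 *       certificate that still chains to a root; revocation status has to be verified by a
 *       separate check.</li>
 *   <li>Certificate policies are enforced only when at least one policy OID was passed to the
 *       constructor. With no OIDs the path builder's default policy handling applies.</li>
 *   <li>Every certificate in the root bucket becomes a trust anchor, so the contents of that
 *       bucket define the whole trust decision.</li>
 * </ul>
 */
public class ChainRule implements ValidatorRule {
    /** Certificates used as trust anchors. */
    private final CertificateBucket rootCertificates;

    /** Untrusted certificates the path builder may use between the target and a root. */
    private final CertificateBucket intermediateCertificates;

    /** Acceptable certificate policy OIDs; empty means no explicit policy is required. */
    private final Set<String> policies = new HashSet<>();

    /**
     * Creates the rule.
     *
     * @param certificateBucket  bucket holding the trusted root certificates
     * @param certificateBucket2 bucket holding the intermediate certificates
     * @param strArr             certificate policy OIDs of which at least one must be valid for
     *                           the path; pass none to skip explicit policy enforcement
     */
    public ChainRule(CertificateBucket certificateBucket, CertificateBucket certificateBucket2, String... strArr) {
        this.rootCertificates = certificateBucket;
        this.intermediateCertificates = certificateBucket2;
        // An explicit null array is treated like "no policies" instead of failing in Arrays.asList.
        if (strArr != null) {
            this.policies.addAll(Arrays.asList(strArr));
        }
    }

    /**
     * Validates that the certificate chains to a configured root.
     *
     * @param x509Certificate certificate to validate
     * @throws CertificateValidationException a {@link FailedValidationException} wrapping the
     *         underlying security exception when no valid path can be built
     */
    @Override // no.difi.certvalidator.api.ValidatorRule
    public void validate(X509Certificate x509Certificate) throws CertificateValidationException {
        try {
            verifyCertificate(x509Certificate);
        } catch (GeneralSecurityException e) {
            // The cause is kept so callers can see why the path build was rejected.
            throw new FailedValidationException(e.getMessage(), e);
        }
    }

    /**
     * Builds a PKIX certification path from the certificate to one of the trust anchors.
     *
     * @param x509Certificate target certificate of the path
     * @return the result of the successful path build
     * @throws GeneralSecurityException if the certificate is {@code null}, the parameters are
     *         rejected, or no path satisfying the constraints exists
     */
    private PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate) throws GeneralSecurityException {
        // X509CertSelector.setCertificate(null) disables the certificate match, which would leave
        // the choice of target to the path builder. Fail closed instead.
        if (x509Certificate == null) {
            throw new GeneralSecurityException("Certificate to validate is null.");
        }

        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509Certificate);

        // Each root certificate is a trust anchor; null means no name constraints are attached.
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        Iterator<X509Certificate> it = this.rootCertificates.iterator();
        while (it.hasNext()) {
            trustAnchors.add(new TrustAnchor(it.next(), null));
        }

        // The constructor rejects an empty anchor set, so an empty root bucket fails validation.
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(trustAnchors, x509CertSelector);
        if (!this.policies.isEmpty()) {
            pKIXBuilderParameters.setInitialPolicies(this.policies);
            pKIXBuilderParameters.setExplicitPolicyRequired(true);
        }

        // SECURITY: revocation is NOT checked during the path build. A revoked certificate that
        // chains to a root passes this rule; revocation has to be handled by another check.
        pKIXBuilderParameters.setRevocationEnabled(false);

        // Candidate certificates for the builder: all intermediates plus the target itself.
        Set<X509Certificate> candidates = new HashSet<>();
        Iterator<X509Certificate> it2 = this.intermediateCertificates.iterator();
        while (it2.hasNext()) {
            candidates.add(it2.next());
        }
        candidates.add(x509Certificate);
        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates), BCHelper.PROVIDER));

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", BCHelper.PROVIDER).build(pKIXBuilderParameters);
    }
}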
