package cfca.sadk.tls.sun.security.validator;

import cfca.sadk.tls.util.Loggings;
import cfca.sadk.x509.certificate.X509Cert;
import java.io.IOException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:cfca/sadk/tls/sun/security/validator/TrustAnchorHelper.class */
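/**
 * Helpers shared by the TLS certificate validator: locating the {@link TrustAnchor}
 * that signs a certificate, and flattening a validated chain into an
 * {@code X509Certificate[]} whose last element is the anchor's certificate.
 *
 * <p>All members are static; the package-private constructor only exists so the
 * class can be subclassed within the package.
 */
public abstract class TrustAnchorHelper {
    TrustAnchorHelper() {
    }

    /**
     * Finds the trust anchor that issued {@code x509Certificate}.
     *
     * <p>Each anchor is first tested for issuer linkage (see {@link #anchorKeyFor}); a
     * candidate is accepted only if {@code x509Certificate} verifies under the anchor's
     * public key. The first anchor that passes both steps is returned.
     *
     * <p>NOTE(review): {@link #match} reports a failed signature or validity check by
     * throwing rather than returning {@code false}, so an anchor whose name / key
     * identifier linkage matches but whose signature check fails aborts the search
     * instead of falling through to the next anchor. With several anchors sharing a
     * subject name this is behaviour to confirm against the intended policy.
     *
     * @param x509Certificate the certificate whose issuer anchor is sought; must not be null
     * @param set             the configured trust anchors; must not be null
     * @return the matching anchor, or {@code null} if no anchor matched at all
     * @throws CertificateException if the issuer name cannot be installed as the selector's
     *                              subject criterion, or if at least one anchor matched but
     *                              the signature verification failed for every such anchor
     *                              (the last verification failure is the cause)
     * @throws Exception            whatever {@link #match} propagates for a certificate
     *                              anchor whose linkage matches but whose validation fails
     */
    public static TrustAnchor findTrustAnchor(X509Certificate x509Certificate, Set<TrustAnchor> set) throws Exception {
        Objects.requireNonNull(x509Certificate, "x509Certificate");
        Objects.requireNonNull(set, "set");
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        // The selector is never consulted for matching; it is retained so that an issuer
        // name it cannot parse still surfaces as the same CertificateException as before.
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(x509Certificate);
        try {
            selector.setSubject(issuer.getEncoded());
        } catch (IOException e) {
            throw new CertificateException("Cannot set subject search criteria for trust anchor.", e);
        }

        Exception lastVerifyFailure = null;
        for (TrustAnchor anchor : set) {
            PublicKey anchorKey = anchorKeyFor(x509Certificate, issuer, anchor);
            if (anchorKey == null) {
                continue; // anchor is not linked to this certificate's issuer
            }
            try {
                x509Certificate.verify(anchorKey);
                return anchor;
            } catch (Exception e) {
                // Linkage matched but the signature did not; remember it and keep looking.
                lastVerifyFailure = e;
            }
        }
        if (lastVerifyFailure != null) {
            throw new CertificateException("TrustAnchor found but certificate validation failed.", lastVerifyFailure);
        }
        return null;
    }

    /**
     * Returns the public key {@code cert} should be verified against if {@code anchor}
     * is linked to {@code cert}'s issuer, or {@code null} if the anchor does not apply.
     *
     * <p>A certificate anchor applies when {@link #match} accepts the pair; a name/key
     * anchor applies when its CA name equals {@code issuer}. An anchor with neither a
     * certificate nor a complete name/key pair, or whose CA name is not a parseable
     * distinguished name, never applies.
     *
     * @throws Exception whatever {@link #match} propagates
     */
    private static PublicKey anchorKeyFor(X509Certificate cert, X500Principal issuer, TrustAnchor anchor) throws Exception {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            return match(cert, trustedCert) ? trustedCert.getPublicKey() : null;
        }
        if (anchor.getCAName() == null || anchor.getCAPublicKey() == null) {
            return null;
        }
        try {
            return issuer.equals(new X500Principal(anchor.getCAName())) ? anchor.getCAPublicKey() : null;
        } catch (IllegalArgumentException e) {
            // CA name is not a valid distinguished name; this anchor cannot apply.
            return null;
        }
    }

    /**
     * Checks whether {@code x509Certificate2} (the candidate issuer) issued
     * {@code x509Certificate} (the subject).
     *
     * <p>Linkage is rejected only when both the issuer's subject name differs from the
     * subject's issuer name and the issuer's subject key identifier (when present)
     * differs from the subject's authority key identifier. If linkage holds, the subject
     * is validated via {@link TLSValidator#validate} and its signature is verified with the
     * issuer's public key.
     *
     * @param x509Certificate  the certificate being validated
     * @param x509Certificate2 the candidate issuer / trusted certificate
     * @return {@code true} if the signature verifies; {@code false} if the names and key
     *         identifiers rule out the issuer
     * @throws GMCertificateSignatureException if linkage holds but the signature does not verify
     * @throws Exception                        whatever {@code X509Cert} parsing or
     *                                          {@link TLSValidator#validate} propagates,
     *                                          including expiry / not-yet-valid failures
     */
    public static boolean match(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws Exception {
        X509Cert subjectCert = new X509Cert(x509Certificate.getEncoded());
        X509Cert issuerCert = new X509Cert(x509Certificate2.getEncoded());

        // Key-identifier linkage is treated as satisfied when the issuer carries no SKI.
        boolean keyIdMatches = true;
        Object issuerSki = issuerCert.getSubjectKeyIdentifier();
        if (issuerSki != null) {
            // NOTE(review): relies on equals() of whatever type the key identifier is; if it
            // is a raw byte[] this is reference equality and never matches — confirm.
            keyIdMatches = issuerSki.equals(subjectCert.getAuthorityKeyIdentifier());
        }
        boolean dnMatches = issuerCert.getSubjectX500Name().equals(subjectCert.getIssuerX500Name());
        if (!dnMatches && !keyIdMatches) {
            Loggings.INFO.info("ValidatorHelper.match:  issuer DNs and KeyIdentifiers don't match");
            return false;
        }

        try {
            TLSValidator.validate(subjectCert);
            if (subjectCert.verify(issuerCert.getPublicKey())) {
                return true;
            }
            String format = String.format("SN:%s@DN:%s not trust by IssuerDN:%s",
                    subjectCert.getStringSerialNumber(), subjectCert.getSubject(), subjectCert.getIssuer());
            Loggings.handshaker.warn(format);
            throw new GMCertificateSignatureException(format);
        } catch (GMCertificateExpiredException e) {
            Loggings.handshaker.warn("peer validate failed: {}", e.getMessage());
            throw e;
        } catch (GMCertificateNotYetValidException e2) {
            Loggings.handshaker.warn("peer validate failed: {}", e2.getMessage());
            throw e2;
        }
    }

    /**
     * Flattens a validated path into an array ending with the anchor's certificate.
     *
     * @param certPath    the validated path (may be null)
     * @param trustAnchor the anchor the path chains to (may be null)
     * @return {@code TLSValidator.CHAIN0} when either argument is null; otherwise the path's
     *         certificates in order followed by the anchor's trusted certificate
     * @throws CertificateException if the anchor carries no certificate
     */
    public static final X509Certificate[] toArray(CertPath certPath, TrustAnchor trustAnchor) throws CertificateException {
        if (certPath == null || trustAnchor == null) {
            return TLSValidator.CHAIN0;
        }
        return appendTrustedCert(certPath.getCertificates(), trustAnchor);
    }

    /**
     * Array variant of {@link #toArray(CertPath, TrustAnchor)}.
     *
     * @param x509CertificateArr the validated chain (may be null)
     * @param trustAnchor        the anchor the chain chains to (may be null)
     * @return {@code TLSValidator.CHAIN0} when either argument is null; otherwise a new array
     *         holding the chain in order followed by the anchor's trusted certificate
     * @throws CertificateException if the anchor carries no certificate
     */
    public static final X509Certificate[] toArray(X509Certificate[] x509CertificateArr, TrustAnchor trustAnchor) throws CertificateException {
        if (x509CertificateArr == null || trustAnchor == null) {
            return TLSValidator.CHAIN0;
        }
        return appendTrustedCert(Arrays.asList(x509CertificateArr), trustAnchor);
    }

    /**
     * Copies {@code chain} into a new array one slot longer and stores the anchor's
     * trusted certificate in the last slot.
     *
     * @throws CertificateException if the anchor carries no certificate
     */
    private static X509Certificate[] appendTrustedCert(List<? extends Certificate> chain, TrustAnchor trustAnchor) throws CertificateException {
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        if (trustedCert == null) {
            throw new TLSValidatorException("TrustAnchor must be specified as certificate");
        }
        // toArray(T[]) fills the leading slots and leaves the extra one null; that slot
        // is then overwritten with the anchor certificate.
        X509Certificate[] result = new X509Certificate[chain.size() + 1];
        chain.toArray(result);
        result[result.length - 1] = trustedCert;
        return result;
    }
}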
