package org.eclipse.milo.opcua.stack.core.util;

import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/util/CertificateValidationUtil.class */
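/**
 * Static checks applied to peer application-instance certificates: trust-chain building,
 * validity period, SubjectAltName matching and critical KeyUsage enforcement.
 *
 * <p>Every method reports a failure as a {@link UaException} carrying the matching
 * {@link StatusCodes} value; nothing here performs I/O or revocation lookups.
 */
public class CertificateValidationUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger(CertificateValidationUtil.class);

    /** OID of the X.509 KeyUsage extension (RFC 5280 §4.2.1.3). */
    private static final String KEY_USAGE_OID = "2.5.29.15";

    /** GeneralName tag values as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SUBJECT_ALT_NAME_URI = 6;
    private static final int SUBJECT_ALT_NAME_DNS_NAME = 2;
    private static final int SUBJECT_ALT_NAME_IP_ADDRESS = 7;

    /** Bit positions in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
    private static final int KEY_USAGE_NON_REPUDIATION = 1;
    private static final int KEY_USAGE_KEY_ENCIPHERMENT = 2;
    private static final int KEY_USAGE_DATA_ENCIPHERMENT = 3;

    /**
     * Accept {@code certificate} if it is directly trusted, or if a PKIX path can be built from it
     * through {@code chain} to a trust anchor taken from {@code authorityCertificates}.
     *
     * <p>Revocation checking is explicitly disabled here, so a revoked certificate still passes
     * this method; CRL/OCSP checks, if required, must be done elsewhere.
     *
     * @param certificate           the end-entity certificate under test
     * @param chain                 intermediate certificates offered by the peer, made available
     *                              to the path builder as a collection CertStore
     * @param trustedCertificates   certificates that are accepted as-is, without building a path
     * @param authorityCertificates certificates used as PKIX trust anchors
     * @throws UaException with {@code Bad_SecurityChecksFailed} (cause attached) when no path can
     *                     be built or the PKIX machinery itself fails
     */
    public static void validateTrustChain(
        X509Certificate certificate,
        List<X509Certificate> chain,
        Set<X509Certificate> trustedCertificates,
        Set<X509Certificate> authorityCertificates) throws UaException {

        // Whole-certificate equality (encoded form) rather than comparing signature bytes alone;
        // the signature is only one field of the certificate and is not a stable identity on its own.
        if (trustedCertificates.stream().anyMatch(certificate::equals)) {
            return;
        }

        try {
            Set<TrustAnchor> anchors = new HashSet<>();
            for (X509Certificate authority : authorityCertificates) {
                anchors.add(new TrustAnchor(authority, null));
            }

            X509CertSelector selector = new X509CertSelector();
            selector.setCertificate(certificate);

            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
            // No CRL/OCSP lookup is attempted; see the class-level note on revocation.
            params.setRevocationEnabled(false);
            params.addCertStore(
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));

            PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);

            LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
        } catch (Exception e) {
            // Keep the underlying CertPathBuilderException etc. as the cause so that operators can
            // see *why* the chain was rejected; Errors (OOM, etc.) are deliberately not wrapped.
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
        }
    }

    /**
     * Check that the current time lies within the certificate's notBefore/notAfter window.
     *
     * @param certificate the certificate under test
     * @throws UaException with {@code Bad_CertificateTimeInvalid} if the certificate is expired
     *                     or not yet valid; the message carries both boundary dates
     */
    public static void validateCertificateValidity(X509Certificate certificate) throws UaException {
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new UaException(
                StatusCodes.Bad_CertificateTimeInvalid,
                String.format("certificate is expired: %s - %s",
                    certificate.getNotBefore(), certificate.getNotAfter()));
        } catch (CertificateNotYetValidException e) {
            throw new UaException(
                StatusCodes.Bad_CertificateTimeInvalid,
                String.format("certificate not yet valid: %s - %s",
                    certificate.getNotBefore(), certificate.getNotAfter()));
        }
    }

    /**
     * Require that {@code hostname} appears in the certificate's SubjectAltName as either a
     * dNSName or an iPAddress entry.
     *
     * <p>dNSName entries are compared case-insensitively, as DNS names are not case-sensitive;
     * iPAddress entries must match the string exactly. No wildcard matching is performed.
     *
     * @param certificate the certificate under test
     * @param hostname    the host name or textual IP address the peer was reached at
     * @throws UaException with {@code Bad_CertificateHostNameInvalid} if neither entry type matches,
     *                     or {@code Bad_CertificateInvalid} if the SAN extension cannot be parsed
     */
    public static void validateHostnameOrIpAddress(X509Certificate certificate, String hostname)
        throws UaException {

        Objects.requireNonNull(hostname, "hostname");

        boolean dnsNameMatches = validateSubjectAltNameField(
            certificate,
            SUBJECT_ALT_NAME_DNS_NAME,
            name -> name instanceof String && hostname.equalsIgnoreCase((String) name));

        boolean ipAddressMatches = validateSubjectAltNameField(
            certificate,
            SUBJECT_ALT_NAME_IP_ADDRESS,
            hostname::equals);

        if (!dnsNameMatches && !ipAddressMatches) {
            throw new UaException(StatusCodes.Bad_CertificateHostNameInvalid);
        }
    }

    /**
     * Require that {@code applicationUri} appears verbatim as a uniformResourceIdentifier entry in
     * the certificate's SubjectAltName.
     *
     * @param certificate    the certificate under test
     * @param applicationUri the expected application URI (compared exactly, case-sensitive)
     * @throws UaException with {@code Bad_CertificateUriInvalid} if no URI entry matches, or
     *                     {@code Bad_CertificateInvalid} if the SAN extension cannot be parsed
     */
    public static void validateApplicationUri(X509Certificate certificate, String applicationUri)
        throws UaException {

        Objects.requireNonNull(applicationUri, "applicationUri");

        if (!validateSubjectAltNameField(certificate, SUBJECT_ALT_NAME_URI, applicationUri::equals)) {
            throw new UaException(StatusCodes.Bad_CertificateUriInvalid);
        }
    }

    /**
     * When the KeyUsage extension is present <em>and marked critical</em>, require the
     * digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment bits to be set.
     * A certificate without a critical KeyUsage extension passes unchanged.
     *
     * @param certificate the certificate under test
     * @throws UaException with {@code Bad_CertificateUseNotAllowed} naming the first missing bit,
     *                     or if the extension is critical but its bits cannot be read
     */
    public static void validateApplicationCertificateUsage(X509Certificate certificate)
        throws UaException {

        Set<String> criticalOids = certificate.getCriticalExtensionOIDs();
        if (criticalOids == null || !criticalOids.contains(KEY_USAGE_OID)) {
            return;
        }

        boolean[] keyUsage = certificate.getKeyUsage();
        // A critical extension we cannot read must not be silently accepted (original code would NPE).
        if (keyUsage == null || keyUsage.length <= KEY_USAGE_DATA_ENCIPHERMENT) {
            throw new UaException(
                StatusCodes.Bad_CertificateUseNotAllowed,
                "critical KeyUsage extension present but unreadable");
        }

        requireKeyUsageBit(keyUsage, KEY_USAGE_DIGITAL_SIGNATURE, "digitalSignature");
        requireKeyUsageBit(keyUsage, KEY_USAGE_NON_REPUDIATION, "nonRepudiation");
        requireKeyUsageBit(keyUsage, KEY_USAGE_KEY_ENCIPHERMENT, "keyEncipherment");
        requireKeyUsageBit(keyUsage, KEY_USAGE_DATA_ENCIPHERMENT, "dataEncipherment");
    }

    /**
     * Throw {@code Bad_CertificateUseNotAllowed} unless {@code keyUsage[bit]} is set.
     *
     * @param keyUsage the KeyUsage bit array, already checked to be long enough
     * @param bit      index of the required bit
     * @param name     RFC 5280 name of the bit, used in the error message
     */
    private static void requireKeyUsageBit(boolean[] keyUsage, int bit, String name) throws UaException {
        if (!keyUsage[bit]) {
            throw new UaException(
                StatusCodes.Bad_CertificateUseNotAllowed,
                "required KeyUsage '" + name + "' not found");
        }
    }

    /**
     * Test whether any SubjectAltName entry of the given GeneralName type satisfies {@code predicate}.
     *
     * <p>Each entry from {@link X509Certificate#getSubjectAlternativeNames()} is a two-element list
     * {@code [Integer type, Object value]}; malformed entries (null, wrong size) are skipped.
     *
     * @param certificate the certificate under test
     * @param type        GeneralName tag to look for (e.g. {@code SUBJECT_ALT_NAME_DNS_NAME})
     * @param predicate   applied to the entry value; the value is a String for DNS, IP and URI types
     * @return {@code true} if at least one entry of that type satisfies the predicate
     * @throws UaException with {@code Bad_CertificateInvalid} if the SAN extension cannot be parsed
     */
    public static boolean validateSubjectAltNameField(
        X509Certificate certificate,
        int type,
        Predicate<Object> predicate) throws UaException {

        try {
            Collection<List<?>> entries = certificate.getSubjectAlternativeNames();
            if (entries == null) {
                return false;
            }

            Integer wantedType = Integer.valueOf(type);
            for (List<?> entry : entries) {
                // Compare with the boxed constant on the left so a null type element cannot NPE.
                if (entry != null
                    && entry.size() == 2
                    && wantedType.equals(entry.get(0))
                    && predicate.test(entry.get(1))) {
                    return true;
                }
            }
            return false;
        } catch (CertificateParsingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }
}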
