package org.jivesoftware.openfire.keystore;

import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import org.jivesoftware.util.CertificateManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/keystore/TrustStore.class */
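/**
 * A {@link CertificateStore} whose certificate entries act as trust anchors when peer certificate chains
 * are validated (see {@link #getEndEntityCertificate(Certificate[])}).
 *
 * <p>Every certificate installed through {@link #installCertificate(String, String)} becomes a trust
 * anchor for that validation, so callers are expected to restrict who may invoke it.
 */
public class TrustStore extends CertificateStore {
    private static final Logger Log = LoggerFactory.getLogger(TrustStore.class);

    /**
     * Creates a trust store. Both arguments are handed unchanged to the {@link CertificateStore} constructor.
     *
     * @param certificateStoreConfiguration configuration forwarded to the superclass
     * @param z flag forwarded to the superclass; its meaning is defined there and is not visible in this class
     * @throws CertificateStoreConfigException propagated from the superclass constructor
     */
    public TrustStore(CertificateStoreConfiguration certificateStoreConfiguration, boolean z) throws CertificateStoreConfigException {
        super(certificateStoreConfiguration, z);
    }

    /**
     * Adds exactly one certificate, supplied in PEM form, to this store under a new alias.
     *
     * <p>The alias is trimmed before use and must not already exist. The input must contain exactly one
     * certificate. No validity-period or chain check is performed on the certificate being installed.
     *
     * @param alias the alias to store the certificate under (cannot be null or blank)
     * @param pemRepresentation the PEM text holding the certificate (cannot be null)
     * @throws IllegalArgumentException when an argument is null, or the alias is blank
     * @throws CertificateStoreConfigException when the alias is taken, the input does not hold exactly one
     *         certificate, or the store could not be updated
     */
    public void installCertificate(String alias, String pemRepresentation) throws CertificateStoreConfigException {
        if (alias == null || alias.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'alias' cannot be null or an empty String.");
        }
        if (pemRepresentation == null) {
            throw new IllegalArgumentException("Argument 'pemRepresentation' cannot be null.");
        }
        final String trimmedAlias = alias.trim();
        try {
            if (this.store.containsAlias(trimmedAlias)) {
                throw new CertificateStoreConfigException("Certificate already exists for alias: " + trimmedAlias);
            }
            final Collection<X509Certificate> certificates = CertificateManager.parseCertificates(pemRepresentation);
            if (certificates.isEmpty()) {
                throw new CertificateStoreConfigException("No certificate was found in the input.");
            }
            if (certificates.size() != 1) {
                throw new CertificateStoreConfigException("More than one certificate was found in the input.");
            }
            this.store.setCertificateEntry(trimmedAlias, certificates.iterator().next());
            persist();
        } catch (IOException | KeyStoreException | CertificateException e) {
            throw new CertificateStoreConfigException("Unable to install a certificate into a trust store.", e);
        } finally {
            // Runs exactly once on both the success and the failure path. reload() is defined in
            // CertificateStore; presumably it re-reads the persisted store so that a half-applied
            // change does not linger in memory (confirm against the superclass).
            reload();
        }
    }

    /**
     * Reports whether the supplied chain can be validated against this store.
     *
     * @param certificateArr the certificate chain, end-entity certificate first
     * @return {@code true} when {@link #getEndEntityCertificate(Certificate[])} returns a certificate
     */
    public boolean isTrusted(Certificate[] certificateArr) {
        return getEndEntityCertificate(certificateArr) != null;
    }

    /**
     * Validates a certificate chain against the entries of this store and returns its end-entity certificate.
     *
     * <p>The first array element is treated as the end-entity certificate. A lone self-signed certificate
     * is accepted only when that exact certificate is present in the store. Any other chain is accepted
     * only when a PKIX path from the end-entity certificate to one of the store's entries can be built
     * and validated at the current time. Every failure, including unexpected ones, yields {@code null},
     * so the method fails closed.
     *
     * <p>Revocation checking is disabled: a certificate revoked by its issuer is still accepted as long
     * as the path validates.
     *
     * @param certificateArr the certificate chain, end-entity certificate first (may be null or empty)
     * @return the end-entity certificate when the chain is trusted, otherwise {@code null}
     */
    public X509Certificate getEndEntityCertificate(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return null;
        }
        // The chain usually comes from a remote peer. Treat a null or non-X.509 first element as
        // untrusted instead of letting a NullPointerException/ClassCastException escape to the caller.
        if (!(certificateArr[0] instanceof X509Certificate)) {
            Log.warn("First certificate in chain is not an X.509 certificate; assuming untrusted.");
            return null;
        }
        final X509Certificate endEntity = (X509Certificate) certificateArr[0];

        try {
            endEntity.checkValidity();
        } catch (CertificateException e) {
            Log.warn("EE Certificate not valid: " + e.getMessage());
            return null;
        }

        // A single certificate whose subject equals its issuer cannot chain to anything else:
        // it is trusted only if that very certificate has been placed in the store.
        if (certificateArr.length == 1 && endEntity.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal())) {
            try {
                return this.store.getCertificateAlias(endEntity) != null ? endEntity : null;
            } catch (KeyStoreException e) {
                Log.warn("Keystore error while looking for self-signed cert; assuming untrusted.", e);
                return null;
            }
        }

        try {
            // Candidate certificates for path building: everything in the store plus the supplied chain.
            final Collection<Certificate> candidates = new ArrayList<>();
            final Enumeration<String> aliases = this.store.aliases();
            while (aliases.hasMoreElements()) {
                final String alias = aliases.nextElement();
                if (this.store.isCertificateEntry(alias)) {
                    // The cast is kept on purpose: a non-X.509 entry aborts validation (handled below).
                    candidates.add((X509Certificate) this.store.getCertificate(alias));
                }
            }
            candidates.addAll(Arrays.asList(certificateArr));
            final CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));

            final X509CertSelector selector = new X509CertSelector();
            selector.setCertificate(endEntity);

            // The store's certificate entries are the trust anchors for the path.
            final PKIXBuilderParameters parameters = new PKIXBuilderParameters(this.store, selector);
            parameters.addCertStore(certStore);
            parameters.setDate(new Date());
            // NOTE(security): no CRL/OCSP lookups are made, so revoked certificates are not detected.
            // Enabling revocation changes which peers are accepted and needs revocation sources to be
            // reachable; that is a deployment decision and is deliberately left unchanged here.
            parameters.setRevocationEnabled(false);

            final CertPath certPath = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType()).build(parameters).getCertPath();
            CertPathValidator.getInstance("PKIX").validate(certPath, parameters);
            return (X509Certificate) certPath.getCertificates().get(0);
        } catch (CertPathBuilderException e) {
            Log.warn("Path builder exception while validating certificate chain:", e);
            return null;
        } catch (CertPathValidatorException e) {
            Log.warn("Path exception while validating certificate chain:", e);
            return null;
        } catch (Exception e) {
            // Deliberately broad: any unexpected failure must result in "untrusted".
            Log.warn("Unknown exception while validating certificate chain:", e);
            return null;
        }
    }
}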
