package uk.gov.ida.common.shared.security.verification;

import com.google.common.collect.ImmutableList;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.List;
import javax.inject.Inject;
import uk.gov.ida.common.shared.security.X509CertificateFactory;
import uk.gov.ida.common.shared.security.verification.exceptions.CertificateChainValidationException;

/* loaded from: input_file:uk/gov/ida/common/shared/security/verification/CertificateChainValidator.class */
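/**
 * Validates a single X.509 certificate against the trust material held in a {@link KeyStore},
 * using the JDK's PKIX {@link CertPathValidator}.
 *
 * <p>The certificate path handed to the validator contains only the certificate under test; no
 * intermediate certificates are discovered or appended here. Whether a certificate issued by an
 * intermediate CA validates, and whether revocation is checked, therefore depends entirely on the
 * {@code PKIXParameters} (trust anchors, cert stores, revocation flags) built by the injected
 * {@link PKIXParametersProvider} for the given key store.
 *
 * <p>Path-validation failures (untrusted issuer, expiry, revocation, ...) are reported as an
 * {@code invalid} {@link CertificateValidity}; configuration and parsing failures are raised as
 * {@link CertificateChainValidationException}.
 *
 * <p>NOTE(review): the JDK only guarantees thread-safety for the static methods of
 * {@link CertPathValidator}; concurrent {@link #validate} calls on one shared instance of this
 * class rely on the installed provider's implementation being stateless — confirm for the
 * provider in use before sharing an instance across threads.
 */
public class CertificateChainValidator {
    private static final String PKIX_ALGORITHM = "PKIX";
    private static final String X509_CERTIFICATE_TYPE = "X.509";
    private final CertificateFactory certificateFactory;
    private final CertPathValidator certPathValidator;
    private final PKIXParametersProvider pkixParametersProvider;
    private final X509CertificateFactory x509certificateFactory;

    /**
     * Creates a validator backed by the default {@code X.509} certificate factory and the default
     * {@code PKIX} path validator.
     *
     * @param pKIXParametersProvider supplies the {@code PKIXParameters} (trust anchors and
     *     validation options) derived from a key store at validation time
     * @param x509CertificateFactory parses the textual certificates accepted by
     *     {@link #validate(String, KeyStore)}
     * @throws CertificateChainValidationException if either JDK service cannot be instantiated
     */
    @Inject
    public CertificateChainValidator(PKIXParametersProvider pKIXParametersProvider, X509CertificateFactory x509CertificateFactory) {
        this.pkixParametersProvider = pKIXParametersProvider;
        this.x509certificateFactory = x509CertificateFactory;
        // Each getInstance call throws its own checked type, so one try with two catch clauses
        // keeps each failure paired with its own message without the nested try blocks.
        try {
            this.certificateFactory = CertificateFactory.getInstance(X509_CERTIFICATE_TYPE);
            this.certPathValidator = CertPathValidator.getInstance(PKIX_ALGORITHM);
        } catch (CertificateException e) {
            throw new CertificateChainValidationException(MessageFormat.format("Error retrieving {0} certificate factory instance.", X509_CERTIFICATE_TYPE), e);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateChainValidationException(MessageFormat.format("Error retrieving {0} certificate path validator instance.", PKIX_ALGORITHM), e);
        }
    }

    /**
     * Runs PKIX path validation for {@code x509Certificate} against the parameters the provider
     * derives from {@code keyStore}.
     *
     * @param x509Certificate the certificate to validate; must not be {@code null}
     * @param keyStore source of the trust anchors handed to the {@link PKIXParametersProvider}
     * @return {@code valid()} when the certificate chains to a trust anchor under the supplied
     *     parameters, otherwise {@code invalid(cause)} carrying the {@link CertPathValidatorException}
     * @throws CertificateChainValidationException if the certificate path cannot be built or the
     *     PKIX parameters are rejected by the validator (both are configuration errors, not
     *     verdicts on the certificate)
     */
    public CertificateValidity validate(X509Certificate x509Certificate, KeyStore keyStore) {
        try {
            // The path holds only the leaf certificate. PKIX accepts it only if it chains to a
            // trust anchor in the parameters (directly, or via cert stores the provider adds);
            // nothing here fetches or appends intermediates.
            this.certPathValidator.validate(
                    this.certificateFactory.generateCertPath(ImmutableList.of(x509Certificate)),
                    this.pkixParametersProvider.getPkixParameters(keyStore));
            return CertificateValidity.valid();
        } catch (CertPathValidatorException e) {
            // An untrusted, expired or revoked certificate is a normal outcome: report it as a
            // result rather than an exception so callers can decide how to react.
            return CertificateValidity.invalid(e);
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateChainValidationException("Unable to proceed in validating certificate chain: " + getDnForCertificate(x509Certificate), e);
        } catch (CertificateException e) {
            throw new CertificateChainValidationException("Error generating certificate path for certificate: " + getDnForCertificate(x509Certificate), e);
        }
    }

    /**
     * Parses {@code str} with the injected {@link X509CertificateFactory} and validates the
     * resulting certificate as {@link #validate(X509Certificate, KeyStore)} does.
     *
     * @param str textual certificate in whatever encoding the injected factory accepts
     * @param keyStore source of the trust anchors
     * @return the validation verdict for the parsed certificate
     */
    public CertificateValidity validate(String str, KeyStore keyStore) {
        return validate(this.x509certificateFactory.createCertificate(str), keyStore);
    }

    /**
     * Returns the subject distinguished name used in error messages, or a fixed placeholder when
     * no certificate is available.
     *
     * <p>{@code getSubjectX500Principal()} replaces the denigrated {@code getSubjectDN()} and is
     * specified never to return {@code null}, so only the certificate itself needs a null check.
     * The returned name is in RFC 2253 form.
     */
    private String getDnForCertificate(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return "Unable to get DN";
        }
        return x509Certificate.getSubjectX500Principal().getName();
    }
}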
