package com.guardtime.ksi.trust;

import com.guardtime.ksi.util.Util;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
import org.bouncycastle.util.Store;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/guardtime/ksi/trust/JKSTrustStore.class */
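/**
 * {@link PKITrustStore} backed by a Java key store.
 *
 * <p>A certificate is considered trusted when a PKIX certification path can be built from it
 * to one of the trusted certificate entries of the wrapped {@link KeyStore} (those entries are the
 * trust anchors) and that path validates. Intermediate certificates may be supplied per call via a
 * BouncyCastle {@link Store}.
 *
 * <p>Security notes grounded in this implementation:
 * <ul>
 *   <li>Revocation checking (CRL/OCSP) is explicitly disabled for both path building and path
 *       validation, so a revoked-but-otherwise-valid certificate is reported as trusted.</li>
 *   <li>When the key store is loaded from a path with a {@code null} password, the JKS integrity
 *       check is skipped (see {@link KeyStore#load(InputStream, char[])}); the store contents are
 *       then only as trustworthy as the file/classpath resource they came from.</li>
 *   <li>If the given path does not exist on the file system, the same name is looked up on the
 *       context class loader's classpath.</li>
 *   <li>An optional {@link CertSelector} adds a caller-defined constraint that every checked
 *       certificate must match before any path building is attempted.</li>
 * </ul>
 *
 * <p>Instances are immutable after construction; thread-safety otherwise depends on the
 * {@link KeyStore} and {@link CertSelector} supplied by the caller.
 */
public class JKSTrustStore implements PKITrustStore {
    private static final Logger LOGGER = LoggerFactory.getLogger(JKSTrustStore.class);
    private static final String ALGORITHM_PKIX = "PKIX";
    private static final String KEY_STORE_TYPE_JKS = "JKS";
    private final KeyStore keyStore;
    private final CertSelector certSelector;

    /**
     * Creates a trust store over an already loaded key store.
     *
     * @param keyStore     key store whose trusted certificate entries serve as trust anchors; must not be {@code null}
     * @param certSelector additional constraint each checked certificate must satisfy; may be {@code null}
     * @throws InvalidKeyStoreException if {@code keyStore} is {@code null}
     */
    public JKSTrustStore(KeyStore keyStore, CertSelector certSelector) throws InvalidKeyStoreException {
        if (keyStore == null) {
            throw new InvalidKeyStoreException("Invalid input parameter. Key store must be present");
        }
        this.keyStore = keyStore;
        this.certSelector = certSelector;
    }

    /**
     * Loads a JKS key store from a file system path, falling back to a classpath resource of the
     * same name when the file does not exist.
     *
     * @param str          file path or classpath resource name of the JKS key store; must not be {@code null}
     * @param cArr         key store password used to verify the store's integrity; {@code null} skips the
     *                     integrity check
     * @param certSelector additional constraint each checked certificate must satisfy; may be {@code null}
     * @throws InvalidKeyStoreException if the path is {@code null}, the store cannot be found, read or parsed,
     *                                  or the integrity check fails
     */
    public JKSTrustStore(String str, char[] cArr, CertSelector certSelector) throws InvalidKeyStoreException {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Loading JKS key store {}", str);
        }
        if (str == null) {
            throw new InvalidKeyStoreException("Invalid input parameter. Key store path must be present");
        }
        this.keyStore = loadKeyStore(str, cArr);
        this.certSelector = certSelector;
    }

    /**
     * Loads a JKS key store from a path without a password, i.e. without the JKS integrity check.
     *
     * @param str          file path or classpath resource name of the JKS key store; must not be {@code null}
     * @param certSelector additional constraint each checked certificate must satisfy; may be {@code null}
     * @throws InvalidKeyStoreException if the path is {@code null} or the store cannot be loaded
     */
    public JKSTrustStore(String str, CertSelector certSelector) throws InvalidKeyStoreException {
        this(str, null, certSelector);
    }

    /**
     * Checks whether a certification path from {@code x509Certificate} to a trust anchor of this
     * key store can be built and validated. Revocation checking is disabled in both steps.
     *
     * @param x509Certificate certificate to check; must not be {@code null}
     * @param store           intermediate certificates usable for path building; {@code null} is treated as empty
     * @return {@code true} if a PKIX path was built and validated, {@code false} if path building or
     *         validation failed
     * @throws CryptoException if the certificate is {@code null}, it does not match the configured
     *                         {@link CertSelector}, or another security error occurs
     */
    @Override
    public boolean isTrusted(X509Certificate x509Certificate, Store store) throws CryptoException {
        try {
            if (x509Certificate == null) {
                throw new CryptoException("Invalid input parameter. Certificate can not be null");
            }
            LOGGER.info("Checking if certificate with subjectDN={} is trusted", x509Certificate.getSubjectDN());
            // An absent intermediate store simply means the path must be built from the anchors alone.
            Store intermediates = store;
            if (intermediates == null) {
                intermediates = new JcaCertStore(new ArrayList<X509Certificate>());
            }
            // Caller-defined constraint is enforced before any (comparatively expensive) path building.
            checkConstraints(this.certSelector, x509Certificate);
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(x509Certificate);
            CertStore certStore = new JcaCertStoreBuilder().addCertificates(intermediates).build();
            // Trust anchors are the trusted certificate entries of the key store.
            PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(this.keyStore, target);
            builderParameters.addCertStore(certStore);
            // Revocation (CRL/OCSP) is intentionally not consulted here.
            builderParameters.setRevocationEnabled(false);
            PKIXCertPathBuilderResult builderResult =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance(ALGORITHM_PKIX).build(builderParameters);
            CertPath certPath = builderResult.getCertPath();
            PKIXParameters validationParameters = new PKIXParameters(this.keyStore);
            validationParameters.setRevocationEnabled(false);
            CertPathValidator.getInstance(ALGORITHM_PKIX).validate(certPath, validationParameters);
            return true;
        } catch (CertPathBuilderException e) {
            LOGGER.debug("Cert path building failed", e);
            return false;
        } catch (CertPathValidatorException e2) {
            LOGGER.debug("Cert path validation failed", e2);
            return false;
        } catch (GeneralSecurityException e3) {
            throw new CryptoException("General security error occurred. " + e3.getMessage(), e3);
        }
    }

    /**
     * Instantiates and loads a JKS key store from {@code path}.
     *
     * @param path     file path or classpath resource name
     * @param password password for the integrity check; {@code null} skips the check
     * @return the loaded key store
     * @throws InvalidKeyStoreException wrapping any I/O or security error raised while loading
     */
    private static KeyStore loadKeyStore(String path, char[] password) throws InvalidKeyStoreException {
        InputStream inputStream = null;
        try {
            KeyStore loaded = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
            inputStream = loadFile(path);
            loaded.load(inputStream, password);
            return loaded;
        } catch (IOException e) {
            throw new InvalidKeyStoreException("Loading java key store with path " + path + " failed", e);
        } catch (GeneralSecurityException e2) {
            throw new InvalidKeyStoreException("Loading java key store with path " + path + " failed", e2);
        } finally {
            // closeQuietly tolerates null, which is the case when loadFile itself failed.
            Util.closeQuietly(inputStream);
        }
    }

    /**
     * Opens {@code path} as a file; if no such file exists, opens it as a classpath resource.
     *
     * @param path file path or classpath resource name
     * @return an open stream the caller must close
     * @throws FileNotFoundException if neither a file nor a classpath resource with that name exists
     */
    private static InputStream loadFile(String path) throws FileNotFoundException {
        try {
            return new FileInputStream(path);
        } catch (FileNotFoundException e) {
            LOGGER.warn("File {} not found. Fallback to classpath.", path);
        }
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            // The context class loader may be unset on some threads; fall back to this class's loader.
            loader = JKSTrustStore.class.getClassLoader();
        }
        InputStream resource = loader.getResourceAsStream(path);
        if (resource == null) {
            throw new FileNotFoundException("File " + path + " does not exist");
        }
        return resource;
    }

    /**
     * Enforces the optional caller-defined certificate constraint.
     *
     * @param certSelector    constraint to apply; {@code null} means unconstrained
     * @param x509Certificate certificate being checked
     * @throws CryptoException ({@link InvalidCertificateException}) if the certificate does not match the selector
     */
    private static void checkConstraints(CertSelector certSelector, X509Certificate x509Certificate) throws CryptoException {
        if (certSelector != null && !certSelector.match(x509Certificate)) {
            throw new InvalidCertificateException(x509Certificate);
        }
    }
}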
