package de.rub.nds.tlsscanner.serverscanner.probe.certificate;

import de.rub.nds.tlsattacker.core.constants.HashAlgorithm;
import de.rub.nds.tlsscanner.serverscanner.trust.TrustAnchorManager;
import de.rub.nds.tlsscanner.serverscanner.trust.TrustPlatform;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ContentVerifierProviderBuilder;
import org.bouncycastle.cert.path.CertPath;
import org.bouncycastle.cert.path.CertPathValidation;
import org.bouncycastle.cert.path.CertPathValidationException;
import org.bouncycastle.cert.path.CertPathValidationResult;
import org.bouncycastle.cert.path.validations.BasicConstraintsValidation;
import org.bouncycastle.cert.path.validations.KeyUsageValidation;
import org.bouncycastle.cert.path.validations.ParentCertIssuedValidation;
import org.bouncycastle.crypto.tls.Certificate;
import sun.security.util.HostnameChecker;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/probe/certificate/CertificateChain.class */
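public class CertificateChain {
    private static final Logger LOGGER = LogManager.getLogger();

    /**
     * Substring of the BouncyCastle path-validation message that identifies a certificate carrying a
     * critical extension the validator does not understand. Matched against the causes returned by
     * {@link #evaluateGeneralTrust(List)}.
     */
    private static final String UNHANDLED_CRITICAL_EXTENSIONS_MARKER = "Unhandled Critical Extensions";

    /** Certificate message exactly as the server sent it; null only when built via the no-arg constructor. */
    private final Certificate certificate;
    /**
     * Outcome of BouncyCastle path validation on the leaf-to-anchor path (signature linkage, basic
     * constraints, key usage). False whenever the chain is incomplete, has no matching leaf, or contains an
     * expired / not-yet-valid certificate; null only before the constructor finished.
     */
    private Boolean generallyTrusted;
    /** True when one of the certificates the server sent is itself a trust anchor. */
    private Boolean containsTrustAnchor;
    /**
     * True when the issuer of the last certificate reachable from the leaf is in the trust store, false when
     * it is unknown. Stays null when no leaf was found, when the leaf is self-issued, or when the trust
     * store was not initialised (that case is logged as an error).
     */
    private Boolean chainIsComplete;
    /**
     * True when the server sent the leaf first and every following certificate is the issuer of its
     * predecessor. Also true when no leaf matched the host name (nothing to order).
     */
    private Boolean chainIsOrdered;
    /** True when more than one sent certificate matches the scanned host name. */
    private Boolean containsMultipleLeafs;
    /** True when at least one sent certificate matches the scanned host name. */
    private Boolean containsValidLeaf;
    /** True when a sent certificate's notBefore lies in the future at evaluation time. */
    private Boolean containsNotYetValid;
    /** True when a sent certificate's notAfter lies in the past at evaluation time. */
    private Boolean containsExpired;
    /**
     * True when a sent certificate that is neither a trust anchor nor self-signed is signed with MD5 or
     * SHA-1. Anchors and self-signed certificates are excluded because their own signature is not what
     * trust relies on.
     */
    private Boolean containsWeakSignedNonTruststoresCertificates;
    // The three platform lists are only exposed through getters here; nothing in this class assigns them.
    private List<TrustPlatform> platformsTrustingCertificate;
    private List<TrustPlatform> platformsNotTrustingCertificate;
    private List<TrustPlatform> platformsBlacklistingCertificate;
    /** One report per sent certificate, in the order the server sent them. */
    private List<CertificateReport> certificateReportList;
    /** Report for the anchor fetched from the trust store; it is not part of {@link #certificateReportList}. */
    private CertificateReport trustAnchor;
    /** Issues found while analysing the chain, in detection order. */
    private List<CertificateIssue> certificateIssues;

    /**
     * Leaves every field unset (all Booleans null, certificate null). Presumably required by a
     * serialisation framework — TODO confirm against the callers.
     */
    private CertificateChain() {
        this.certificate = null;
    }

    /**
     * Analyses the certificate chain a server presented for a host.
     *
     * @param certificate the certificate message as received from the server
     * @param str the scanned host name; used to decide which sent certificate is the leaf
     */
    public CertificateChain(Certificate certificate, String str) {
        this.certificate = certificate;
        this.certificateIssues = new LinkedList<>();
        this.certificateReportList = generateReports(certificate);
        LOGGER.debug("Certificate Reports:" + this.certificateReportList.size());
        this.containsTrustAnchor = anyReportIsTrustAnchor();

        CertificateReport leaf = markLeafCertificates(str);
        this.containsValidLeaf = leaf != null;
        List<CertificateReport> orderedPath = new LinkedList<>();
        if (leaf == null) {
            // Without a leaf there is no path to order or to follow.
            this.chainIsOrdered = true;
        } else {
            this.chainIsOrdered = isSentChainOrderedFrom(leaf);
            orderedPath = buildPathFromLeaf(leaf);
        }

        checkValidityPeriodsAndSignatures();
        collectIssues();
        evaluateTrustOfPath(orderedPath);
    }

    /** Builds one report per certificate in the server's message, keeping the sent order. */
    private static List<CertificateReport> generateReports(Certificate certificate) {
        List<CertificateReport> reports = new LinkedList<>();
        for (org.bouncycastle.asn1.x509.Certificate sentCertificate : certificate.getCertificateList()) {
            reports.add(CertificateReportGenerator.generateReport(sentCertificate));
        }
        return reports;
    }

    /** Returns true when any sent certificate was reported as a trust anchor. */
    private boolean anyReportIsTrustAnchor() {
        for (CertificateReport report : this.certificateReportList) {
            if (Objects.equals(report.isTrustAnchor(), Boolean.TRUE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Flags every sent certificate that matches the host name as a leaf, records whether more than one
     * matched, and returns the first match (or null).
     */
    private CertificateReport markLeafCertificates(String hostname) {
        CertificateReport leaf = null;
        this.containsMultipleLeafs = false;
        for (CertificateReport report : this.certificateReportList) {
            if (!isCertificateSuiteableForHost(report.convertToX509Certificate(), hostname)) {
                continue;
            }
            report.setLeafCertificate(true);
            if (leaf == null) {
                leaf = report;
            } else {
                this.containsMultipleLeafs = true;
            }
        }
        return leaf;
    }

    /** True when the server sent the leaf first and the rest of the list follows issuer order. */
    private boolean isSentChainOrderedFrom(CertificateReport leaf) {
        if (this.certificateReportList.isEmpty()) {
            return false;
        }
        CertificateReport first = this.certificateReportList.get(0);
        if (!first.getSHA256Fingerprint().equals(leaf.getSHA256Fingerprint())) {
            return false;
        }
        return checkCertifiteChainIsOrdered(this.certificateReportList);
    }

    /**
     * Follows issuer links from the leaf through the sent certificates and, when the sent material runs
     * out, asks the trust store for the issuer. Sets {@link #chainIsComplete} and {@link #trustAnchor} as a
     * side effect and returns the path in leaf-to-anchor order.
     */
    private List<CertificateReport> buildPathFromLeaf(CertificateReport leaf) {
        List<CertificateReport> path = new LinkedList<>();
        CertificateReport current = leaf;
        path.add(current);
        // A self-issued certificate (issuer == subject) ends the walk.
        while (!current.getIssuer().equals(current.getSubject())) {
            CertificateReport next = findIssuerAmongSent(current);
            // Server-supplied chains are untrusted input: refuse to follow a certificate we already
            // visited, otherwise a cyclic issuer/subject pair would keep this loop running.
            if (next != null && !path.contains(next)) {
                LOGGER.debug("Found next certificate");
                path.add(next);
                current = next;
                continue;
            }
            LOGGER.debug("Could not find next certificate");
            if (!TrustAnchorManager.getInstance().isInitialized()) {
                LOGGER.error("Cannot check if the chain is complete since the trust manager is not initalized");
            } else if (TrustAnchorManager.getInstance()
                    .isTrustAnchor(current.convertToX509Certificate().getIssuerX500Principal())) {
                // Matched by issuer name only; the signature is verified later in evaluateGeneralTrust.
                LOGGER.debug("Could find issuer");
                this.chainIsComplete = true;
                appendTrustAnchor(path, current);
            } else {
                LOGGER.debug("Could not find issuer");
                this.chainIsComplete = false;
            }
            // Nothing else can extend the path. Without this exit the loop would repeat the same failed
            // lookup on the same report indefinitely.
            break;
        }
        return path;
    }

    /** Returns the sent certificate whose subject is the issuer of {@code report}; last match wins, null if none. */
    private CertificateReport findIssuerAmongSent(CertificateReport report) {
        CertificateReport found = null;
        for (CertificateReport candidate : this.certificateReportList) {
            if (candidate.getSubject().equals(report.getIssuer())) {
                found = candidate;
            }
        }
        return found;
    }

    /** Fetches the anchor that issued {@code last} from the trust store and appends its report to the path. */
    private void appendTrustAnchor(List<CertificateReport> path, CertificateReport last) {
        org.bouncycastle.asn1.x509.Certificate anchorCertificate = TrustAnchorManager.getInstance()
                .getTrustAnchorCertificate(last.convertToX509Certificate().getIssuerX500Principal());
        if (anchorCertificate == null) {
            // Known by name but the certificate itself is not available; the path stays short and the
            // later path validation cannot succeed.
            return;
        }
        CertificateReport anchorReport = CertificateReportGenerator.generateReport(anchorCertificate);
        path.add(anchorReport);
        anchorReport.setTrustAnchor(true);
        this.trustAnchor = anchorReport;
    }

    /** Evaluates validity periods and signature hash algorithms of every sent certificate at one instant. */
    private void checkValidityPeriodsAndSignatures() {
        Date now = new Date();
        this.containsNotYetValid = false;
        this.containsExpired = false;
        this.containsWeakSignedNonTruststoresCertificates = false;
        for (CertificateReport report : this.certificateReportList) {
            if (report.getValidFrom().after(now)) {
                this.containsNotYetValid = true;
            }
            if (report.getValidTo().before(now)) {
                this.containsExpired = true;
            }
            if (isWeaklySignedNonTruststoreCertificate(report)) {
                this.containsWeakSignedNonTruststoresCertificates = true;
            }
        }
    }

    /**
     * True when a certificate that is neither a trust anchor nor self-signed carries an MD5 or SHA-1
     * signature. Both hash checks sit inside the anchor/self-signed exclusion on purpose: the SHA-1 check
     * used to be outside that condition, which flagged roots that are only ever trusted by pinning.
     */
    private static boolean isWeaklySignedNonTruststoreCertificate(CertificateReport report) {
        if (!Objects.equals(report.isTrustAnchor(), Boolean.FALSE)
                || !Objects.equals(report.getSelfSigned(), Boolean.FALSE)) {
            return false;
        }
        if (report.getSignatureAndHashAlgorithm() == null) {
            // NOTE(review): assumes a missing algorithm means it could not be parsed — confirm with the report generator.
            return false;
        }
        HashAlgorithm hash = report.getSignatureAndHashAlgorithm().getHashAlgorithm();
        return hash == HashAlgorithm.MD5 || hash == HashAlgorithm.SHA1;
    }

    /** True when a sent leaf certificate is self-signed but not a trust anchor. */
    private boolean hasSelfSignedNonAnchorLeaf() {
        for (CertificateReport report : this.certificateReportList) {
            if (Objects.equals(report.isTrustAnchor(), Boolean.FALSE)
                    && Objects.equals(report.getSelfSigned(), Boolean.TRUE)
                    && Objects.equals(report.getLeafCertificate(), Boolean.TRUE)) {
                return true;
            }
        }
        return false;
    }

    /** Translates the evaluated flags into {@link CertificateIssue}s, in a fixed order. */
    private void collectIssues() {
        if (hasSelfSignedNonAnchorLeaf()) {
            this.certificateIssues.add(CertificateIssue.SELF_SIGNED);
        }
        if (Objects.equals(this.chainIsComplete, Boolean.FALSE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_NOT_COMPLETE);
        }
        if (Objects.equals(this.containsValidLeaf, Boolean.FALSE)) {
            this.certificateIssues.add(CertificateIssue.COMMON_NAME_MISMATCH);
        }
        if (Objects.equals(this.containsExpired, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_CONTAINS_EXPIRED);
        }
        if (Objects.equals(this.containsNotYetValid, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_CONTAINS_NOT_YET_VALID);
        }
        if (Objects.equals(this.containsMultipleLeafs, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.MULTIPLE_LEAFS);
        }
        if (Objects.equals(this.containsWeakSignedNonTruststoresCertificates, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.WEAK_SIGNATURE_OR_HASH_ALGORITHM);
        }
    }

    /**
     * Sets {@link #generallyTrusted}: false unless the chain is complete, has a matching leaf and no
     * expired / not-yet-valid certificate; otherwise the result of BouncyCastle path validation. Validation
     * causes that name an unhandled critical extension become an issue, all others are logged.
     */
    private void evaluateTrustOfPath(List<CertificateReport> orderedPath) {
        boolean prerequisitesMet = Objects.equals(this.chainIsComplete, Boolean.TRUE)
                && Objects.equals(this.containsValidLeaf, Boolean.TRUE)
                && Objects.equals(this.containsExpired, Boolean.FALSE)
                && Objects.equals(this.containsNotYetValid, Boolean.FALSE);
        if (!prerequisitesMet) {
            this.generallyTrusted = false;
            return;
        }
        CertPathValidationResult result = evaluateGeneralTrust(orderedPath);
        if (result == null) {
            // Fewer than two certificates on the path (e.g. the anchor certificate was not retrievable):
            // no parent key is available to verify the leaf, so the chain cannot be called trusted.
            this.generallyTrusted = false;
            return;
        }
        this.generallyTrusted = result.isValid();
        if (this.generallyTrusted) {
            return;
        }
        CertPathValidationException[] causes = result.getCauses();
        if (causes == null) {
            return;
        }
        for (CertPathValidationException cause : causes) {
            if (describesUnhandledCriticalExtension(cause)) {
                this.certificateIssues.add(CertificateIssue.UNHANDLED_CRITICAL_EXTENSIONS);
            } else {
                LOGGER.error("Unknown path validation issue", cause);
            }
        }
    }

    /**
     * True when the validation exception (preferring its cause, as BouncyCastle wraps the detail there)
     * mentions an unhandled critical extension. Tolerates a missing cause or message.
     */
    private static boolean describesUnhandledCriticalExtension(CertPathValidationException exception) {
        Throwable detail = exception.getCause();
        String message = detail != null ? detail.getMessage() : exception.getMessage();
        return message != null && message.contains(UNHANDLED_CRITICAL_EXTENSIONS_MARKER);
    }

    /** Returns the live issue list; mutations by the caller are visible to this object. */
    public List<CertificateIssue> getCertificateIssues() {
        return this.certificateIssues;
    }

    public void setCertificateIssues(List<CertificateIssue> list) {
        this.certificateIssues = list;
    }

    public Boolean getContainsNotYetValid() {
        return this.containsNotYetValid;
    }

    public void setContainsNotYetValid(Boolean bool) {
        this.containsNotYetValid = bool;
    }

    public Boolean getContainsExpired() {
        return this.containsExpired;
    }

    public void setContainsExpired(Boolean bool) {
        this.containsExpired = bool;
    }

    public Boolean getContainsWeakSignedNonTruststoresCertificates() {
        return this.containsWeakSignedNonTruststoresCertificates;
    }

    public void setContainsWeakSignedNonTruststoresCertificates(Boolean bool) {
        this.containsWeakSignedNonTruststoresCertificates = bool;
    }

    /** Report of the anchor taken from the trust store, or null when none was resolved. */
    public CertificateReport getTrustAnchor() {
        return this.trustAnchor;
    }

    public void setTrustAnchor(CertificateReport certificateReport) {
        this.trustAnchor = certificateReport;
    }

    public Certificate getCertificate() {
        return this.certificate;
    }

    public Boolean getGenerallyTrusted() {
        return this.generallyTrusted;
    }

    public Boolean getContainsTrustAnchor() {
        return this.containsTrustAnchor;
    }

    public Boolean getChainIsComplete() {
        return this.chainIsComplete;
    }

    public Boolean getChainIsOrdered() {
        return this.chainIsOrdered;
    }

    public Boolean getContainsMultipleLeafs() {
        return this.containsMultipleLeafs;
    }

    public Boolean getContainsValidLeaf() {
        return this.containsValidLeaf;
    }

    /** Not populated by this class; null unless set elsewhere. */
    public List<TrustPlatform> getPlatformsTrustingCertificate() {
        return this.platformsTrustingCertificate;
    }

    /** Not populated by this class; null unless set elsewhere. */
    public List<TrustPlatform> getPlatformsNotTrustingCertificate() {
        return this.platformsNotTrustingCertificate;
    }

    /** Not populated by this class; null unless set elsewhere. */
    public List<TrustPlatform> getPlatformsBlacklistingCertificate() {
        return this.platformsBlacklistingCertificate;
    }

    /** Returns the live report list (sent order); mutations by the caller are visible to this object. */
    public List<CertificateReport> getCertificateReportList() {
        return this.certificateReportList;
    }

    /**
     * Checks that each certificate in {@code list} is the issuer of the one before it (leaf-first order).
     *
     * @param list reports in the order to check; an empty or single-element list is ordered
     * @return true when every element's subject equals its predecessor's issuer
     */
    public final boolean checkCertifiteChainIsOrdered(List<CertificateReport> list) {
        for (int index = 1; index < list.size(); index++) {
            CertificateReport previous = list.get(index - 1);
            if (!list.get(index).getSubject().equals(previous.getIssuer())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Host-name verification via the JDK's TLS rules ({@code HostnameChecker.match} throws on mismatch).
     * Relies on {@code sun.security.util}, which the module system does not export by default on JDK 9+.
     *
     * @param x509Certificate the candidate certificate
     * @param str the host name to match against the certificate's names
     * @return true when the certificate is acceptable for {@code str}
     */
    public final boolean isCertificateSuiteableForHost(X509Certificate x509Certificate, String str) {
        try {
            HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(str, x509Certificate);
            return true;
        } catch (CertificateException e) {
            LOGGER.debug("Cert is not valid for " + str + ":" + str);
            return false;
        }
    }

    /**
     * Runs BouncyCastle path validation over the leaf-to-anchor path: each certificate must be issued
     * (signed) by the next, CA certificates need matching basic constraints and a key usage that permits
     * signing. Revocation is not checked here.
     *
     * @param list path in leaf-to-anchor order
     * @return the validation result, or null when the path has fewer than two certificates (nothing to verify against)
     */
    private CertPathValidationResult evaluateGeneralTrust(List<CertificateReport> list) {
        if (list.size() < 2) {
            return null;
        }
        X509CertificateHolder[] holders = new X509CertificateHolder[list.size()];
        for (int index = 0; index < holders.length; index++) {
            holders[index] = new X509CertificateHolder(list.get(index).getCertificate());
        }
        // Requires the BouncyCastle provider to be registered under "BC" at runtime.
        CertPathValidation[] validations = {
            new ParentCertIssuedValidation(new JcaX509ContentVerifierProviderBuilder().setProvider("BC")),
            new BasicConstraintsValidation(),
            new KeyUsageValidation()
        };
        return new CertPath(holders).validate(validations);
    }

    /**
     * Two chains are equal when all evaluated flags agree and their report lists are element-wise equal.
     * {@link #trustAnchor} and {@link #certificateIssues} are deliberately not compared.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        CertificateChain other = (CertificateChain) obj;
        return Objects.equals(this.generallyTrusted, other.generallyTrusted)
                && Objects.equals(this.containsTrustAnchor, other.containsTrustAnchor)
                && Objects.equals(this.chainIsComplete, other.chainIsComplete)
                && Objects.equals(this.chainIsOrdered, other.chainIsOrdered)
                && Objects.equals(this.containsMultipleLeafs, other.containsMultipleLeafs)
                && Objects.equals(this.containsValidLeaf, other.containsValidLeaf)
                && Objects.equals(this.containsNotYetValid, other.containsNotYetValid)
                && Objects.equals(this.containsExpired, other.containsExpired)
                && Objects.equals(this.containsWeakSignedNonTruststoresCertificates,
                        other.containsWeakSignedNonTruststoresCertificates)
                // List.equals is the same size-plus-element-wise comparison, and tolerates null lists.
                && Objects.equals(this.certificateReportList, other.certificateReportList);
    }

    /** Hashes exactly the fields {@link #equals(Object)} compares, so equal chains hash alike. */
    @Override
    public int hashCode() {
        return Objects.hash(this.generallyTrusted, this.containsTrustAnchor, this.chainIsComplete,
                this.chainIsOrdered, this.containsMultipleLeafs, this.containsValidLeaf,
                this.containsNotYetValid, this.containsExpired,
                this.containsWeakSignedNonTruststoresCertificates, this.certificateReportList);
    }
}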
