package de.rub.nds.tlsscanner.serverscanner.trust;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import de.rub.nds.tlsattacker.core.certificate.PemUtil;
import de.rub.nds.tlsscanner.serverscanner.probe.certificate.CertificateReport;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.jce.provider.X509CertificateObject;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/trust/TrustAnchorManager.class */
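/**
 * Singleton that loads the bundled platform trust stores (YAML descriptions plus one PEM file per
 * certificate, both under the {@code trust/} classpath directory) and answers whether a given
 * certificate or subject is a known trust anchor.
 *
 * <p>If the resources are missing (submodules not initialised) every internal collection stays
 * {@code null}; callers should check {@link #isInitialized()} first. The public query methods
 * fail closed (return {@code false} / {@code null}) in that state instead of throwing.
 */
public class TrustAnchorManager {
    private static final Logger LOGGER = LogManager.getLogger();
    private static TrustAnchorManager INSTANCE = null;

    /** Classpath directory that holds the platform YAML files and the {@code <fingerprint>.pem} files. */
    private static final String RESOURCE_PREFIX = "trust/";

    /** Bundled platform trust-store descriptions, loaded in this order. */
    private static final String[] PLATFORM_FILES = {
        "google_aosp.yaml",
        "microsoft_windows.yaml",
        "mozilla_nss.yaml",
        "openjdk.yaml",
        "oracle_java.yaml",
        "apple.yaml"
    };

    /** One entry per bundled platform; {@code null} when loading failed. */
    private List<TrustPlatform> trustPlatformList;
    /** Every certificate entry of every platform (trusted and blocked), keyed by fingerprint; {@code null} when loading failed. */
    private Map<String, CertificateEntry> trustAnchors;
    /** PKIX trust anchors built from the PEM files of {@link #trustAnchors}; {@code null} when loading failed. */
    private Set<TrustAnchor> trustAnchorSet;
    /** The same certificates as BouncyCastle ASN.1 structures; {@code null} when loading failed. */
    private Set<Certificate> asn1CaCertificateSet;

    /**
     * Returns the process-wide instance, creating (and loading) it on first use.
     *
     * @return the shared manager; never {@code null}, but possibly uninitialised
     */
    public static synchronized TrustAnchorManager getInstance() {
        if (INSTANCE == null) {
            INSTANCE = new TrustAnchorManager();
        }
        return INSTANCE;
    }

    /**
     * Loads all platform files and the certificates they reference. Any failure leaves every
     * collection {@code null} and is reported once via the logger.
     */
    private TrustAnchorManager() {
        try {
            List<TrustPlatform> platforms = new LinkedList<>();
            for (String platformFile : PLATFORM_FILES) {
                platforms.add(readPlatform(platformFile));
            }
            this.trustPlatformList = platforms;
            this.trustAnchors = collectCertificateEntries(platforms);
            this.trustAnchorSet = getFullTrustAnchorSet();
            this.asn1CaCertificateSet = getFullCaCertificateSet();
        } catch (IOException | IllegalArgumentException e) {
            // Fail closed: nothing is trusted until the resources are available.
            this.trustAnchorSet = null;
            this.trustAnchors = null;
            this.trustPlatformList = null;
            this.asn1CaCertificateSet = null;
            LOGGER.error("Could not load TrustAnchors. This means that you are running TLS-Scanner without its submodules. If you want to evaluate if certificates are trusted by browsers you need to initialize submodules.You can do this by running the following command:'git submodule update --init --recursive'");
            LOGGER.debug(e);
        }
    }

    /**
     * Merges the certificate entries of all platforms into one map keyed by fingerprint. The first
     * platform that lists a fingerprint wins.
     *
     * <p>NOTE(review): blocked entries are merged into the same map as trusted ones, so
     * {@link #getFullTrustAnchorSet()} turns them into PKIX trust anchors as well; confirm that
     * callers consult {@code TrustPlatform.getBlockedCertificateEntries()} separately before
     * treating a match as trusted.
     *
     * @param platforms the loaded platforms
     * @return a mutable map of fingerprint to entry
     */
    private static Map<String, CertificateEntry> collectCertificateEntries(List<TrustPlatform> platforms) {
        Map<String, CertificateEntry> entries = new HashMap<>();
        for (TrustPlatform platform : platforms) {
            for (CertificateEntry entry : platform.getCertificateEntries()) {
                entries.putIfAbsent(entry.getFingerprint(), entry);
            }
            for (CertificateEntry blocked : platform.getBlockedCertificateEntries()) {
                entries.putIfAbsent(blocked.getFingerprint(), blocked);
            }
        }
        return entries;
    }

    /**
     * Whether the trust material was loaded successfully.
     *
     * @return {@code true} if all lookup structures are available
     */
    public boolean isInitialized() {
        return this.trustAnchorSet != null && this.trustPlatformList != null && this.trustAnchors != null;
    }

    /**
     * Parses one platform YAML file from the classpath.
     *
     * @param fileName file name below {@link #RESOURCE_PREFIX}
     * @return the parsed platform
     * @throws IOException if the resource is missing or cannot be parsed
     */
    private TrustPlatform readPlatform(String fileName) throws IOException {
        String path = RESOURCE_PREFIX + fileName;
        InputStream stream = TrustAnchorManager.class.getClassLoader().getResourceAsStream(path);
        if (stream == null) {
            throw new IOException("Trust platform resource not found: " + path);
        }
        try (InputStream in = stream) {
            return new ObjectMapper(new YAMLFactory()).readValue(in, TrustPlatform.class);
        }
    }

    /**
     * Opens the PEM resource belonging to a certificate entry ({@code trust/<fingerprint>.pem}).
     * The caller owns and must close the returned stream.
     *
     * @param entry the entry whose certificate should be read
     * @return the open resource stream
     * @throws IOException if the resource does not exist
     */
    private static InputStream openCertificateResource(CertificateEntry entry) throws IOException {
        String path = RESOURCE_PREFIX + entry.getFingerprint() + ".pem";
        InputStream stream = TrustAnchorManager.class.getClassLoader().getResourceAsStream(path);
        if (stream == null) {
            throw new IOException("Certificate resource not found: " + path);
        }
        return stream;
    }

    /**
     * @return the loaded platforms in load order, or {@code null} if loading failed (the internal
     *     list is returned directly)
     */
    public List<TrustPlatform> getTrustPlatformList() {
        return this.trustPlatformList;
    }

    /**
     * Checks whether a scanned certificate is one of the known entries and that its SHA-256
     * fingerprint matches the stored one.
     *
     * <p>NOTE(review): the map is keyed by certificate fingerprint (see the constructor) while the
     * lookup uses {@code certificateReport.getIssuer()}; confirm both use the same representation.
     *
     * @param certificateReport the certificate under test
     * @return {@code true} only if an entry is found and the fingerprints agree; {@code false}
     *     when the manager is not initialised
     */
    public boolean isTrustAnchor(CertificateReport certificateReport) {
        if (!isInitialized()) {
            return false;
        }
        CertificateEntry entry = this.trustAnchors.get(certificateReport.getIssuer());
        if (entry == null) {
            return false;
        }
        LOGGER.debug("Found a trustAnchor for Issuer report");
        if (entry.getFingerprint().equals(certificateReport.getSHA256Fingerprint())) {
            return true;
        }
        // A known issuer whose stored fingerprint differs is treated as untrusted, not as a match.
        LOGGER.warn("TrustAnchor hash does not match stored fingerprint");
        return false;
    }

    /**
     * Whether some loaded trust anchor has exactly this subject.
     *
     * @param x500Principal subject to look for
     * @return {@code true} if a trust anchor with that subject exists; {@code false} when the
     *     manager is not initialised
     */
    public boolean isTrustAnchor(X500Principal x500Principal) {
        return getTrustAnchorX509Certificate(x500Principal) != null;
    }

    /**
     * Loads every referenced PEM file into an in-memory key store and derives the PKIX trust
     * anchors from it. Certificates that fail to load are logged and skipped.
     *
     * @return the trust anchors, or an empty set if the key store itself could not be built
     */
    private Set<TrustAnchor> getFullTrustAnchorSet() {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            int alias = 0;
            for (CertificateEntry entry : this.trustAnchors.values()) {
                try (InputStream in = new BufferedInputStream(openCertificateResource(entry))) {
                    // The alias only has to be unique within this key store.
                    keyStore.setCertificateEntry(String.valueOf(alias), factory.generateCertificate(in));
                } catch (IOException | CertificateException e) {
                    LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/" + entry.getFingerprint(), e);
                }
                alias++;
            }
            return new PKIXParameters(keyStore).getTrustAnchors();
        } catch (IOException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            LOGGER.error("Could not build TrustAnchorSet", e);
            return new HashSet<>();
        }
    }

    /**
     * @return the PKIX trust anchors, or {@code null} if loading failed
     */
    public Set<TrustAnchor> getTrustAnchorSet() {
        return this.trustAnchorSet;
    }

    /**
     * Finds the trust anchor certificate with the given subject.
     *
     * @param x500Principal subject to look for
     * @return the matching certificate, or {@code null} if none exists or the manager is not
     *     initialised
     */
    public X509Certificate getTrustAnchorX509Certificate(X500Principal x500Principal) {
        if (this.trustAnchorSet == null) {
            return null;
        }
        for (TrustAnchor trustAnchor : this.trustAnchorSet) {
            X509Certificate trusted = trustAnchor.getTrustedCert();
            if (trusted.getSubjectX500Principal().equals(x500Principal)) {
                return trusted;
            }
        }
        return null;
    }

    /**
     * Finds the ASN.1 form of the trust anchor certificate with the given subject. Certificates
     * that cannot be parsed are logged and skipped.
     *
     * @param x500Principal subject to look for
     * @return the matching certificate, or {@code null} if none exists or the manager is not
     *     initialised
     */
    public Certificate getTrustAnchorCertificate(X500Principal x500Principal) {
        if (this.asn1CaCertificateSet == null) {
            return null;
        }
        for (Certificate certificate : this.asn1CaCertificateSet) {
            try {
                if (x500Principal.equals(new X509CertificateObject(certificate).getSubjectX500Principal())) {
                    return certificate;
                }
            } catch (CertificateParsingException e) {
                LOGGER.error("Could not parse Certificate", e);
            }
        }
        return null;
    }

    /**
     * Reads every referenced PEM file as a BouncyCastle certificate. Files that fail to load are
     * logged and skipped.
     *
     * @return the loaded certificates (possibly empty, never {@code null})
     */
    private Set<Certificate> getFullCaCertificateSet() {
        Set<Certificate> certificates = new HashSet<>();
        for (CertificateEntry entry : this.trustAnchors.values()) {
            try (InputStream in = openCertificateResource(entry)) {
                certificates.add(PemUtil.readCertificate(in).getCertificateAt(0));
            } catch (IOException | CertificateException e) {
                LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/" + entry.getFingerprint(), e);
            }
        }
        return certificates;
    }
}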
